Closed Bug 880797 Opened 12 years ago Closed 8 years ago

Mandatory sandboxing tracker (Linux/B2G)

Categories

(Firefox OS Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kang, Unassigned)

Details

(Keywords: meta)

Reminder to revert the patch from bug 790923. The patch makes sure we don't fail if the kernel of the host doesn't support seccomp-bpf. When all kernels support this, we should actually fail if enabling support fails (this should never happen). This is a security measure for the seccomp-bpf sandbox.
Perhaps we should change the "--enable-content-sandbox" option to "--content-sandbox=disabled|required|when-available" and then change the #ifdefs to account for all three cases appropriately.
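The three-way policy proposed in the comment above, modeled as a run-time decision, as an added example that is not code from this bug or from Gecko. All function and enum names are hypothetical, and the bug proposes a build-time option rather than the command-line argument assumed here; the probe relies on `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL)` failing with `EFAULT` on kernels that implement seccomp-bpf and `EINVAL` on those that do not.

```c
/* Added example: all names are hypothetical, not Gecko's. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_FILTER 2 /* value from <linux/seccomp.h> */
#endif

enum policy { POLICY_INVALID = -1, POLICY_DISABLED, POLICY_REQUIRED, POLICY_WHEN_AVAILABLE };
enum action { RUN_UNSANDBOXED, RUN_SANDBOXED, REFUSE_TO_START };

/* Map the three option values proposed in the bug to a policy. */
enum policy parse_policy(const char *s) {
    if (s == NULL) return POLICY_INVALID;
    if (strcmp(s, "disabled") == 0) return POLICY_DISABLED;
    if (strcmp(s, "required") == 0) return POLICY_REQUIRED;
    if (strcmp(s, "when-available") == 0) return POLICY_WHEN_AVAILABLE;
    return POLICY_INVALID;
}

/* Probe without installing a filter: a NULL program pointer is rejected with
   EFAULT when the kernel implements SECCOMP_MODE_FILTER, EINVAL otherwise. */
int seccomp_bpf_available(void) {
#ifdef __linux__
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == -1 && errno == EFAULT)
        return 1;
#endif
    return 0;
}

/* "required" fails closed; "when-available" is the fail-open behaviour. */
enum action decide(enum policy p, int available) {
    switch (p) {
    case POLICY_DISABLED:       return RUN_UNSANDBOXED;
    case POLICY_WHEN_AVAILABLE: return available ? RUN_SANDBOXED : RUN_UNSANDBOXED;
    case POLICY_REQUIRED:       return available ? RUN_SANDBOXED : REFUSE_TO_START;
    default:                    return REFUSE_TO_START; /* unknown value fails closed */
    }
}

int main(int argc, char **argv) {
    static const char *names[] = { "run unsandboxed", "run sandboxed", "refuse to start" };
    enum action a = decide(parse_policy(argc > 1 ? argv[1] : "required"), seccomp_bpf_available());
    printf("%s\n", names[a]);
    return a == REFUSE_TO_START;
}
```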
Assignee: gdestuynder → nobody
I think the original idea of this bug was to get seccomp-bpf onto all supported B2G devices and then make Gecko require it, but we now know that that isn't going to happen until all ICS- and JB-based devices hit EOL. Bug 1009995 will take care of KitKat-based devices and up, so we'll get there eventually. But there's also non-B2G sandboxing now: x86 desktop is using seccomp-bpf for Gecko Media Plugins. Because this is for a specific feature, we can do something that isn't meaningful for content processes: require seccomp-bpf by disabling the feature if it isn't available, which is bug 1043733. As for this bug, I'll try making it a tracker for bugs that add that kind of sandboxing requirement. If that's not actually useful it could be dup'ed onto bug 1009995 instead.
Depends on: 1009995, 1043733
Keywords: meta
Summary: Revert "Do-not-fail-when-seccomp-fails-to-enable" → Mandatory sandboxing tracker (Linux/B2G)
We have sandbox on Linux now (and it's tracked elsewhere).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
More to the point, we're done with B2G, and on desktop we're not currently planning any kind of “Firefox won't start unless there's content sandboxing” thing. Media plugins *do* require seccomp-bpf (bug 1043733) but that happened in 2014 and doesn't need further work.