Bug 140072 - [GTK] Enable seccomp filters by default
Summary: [GTK] Enable seccomp filters by default
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Enhancement
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on: 110014 140062 140071 140073 140075 140131 140132 142980 142982 142983 142986 142987 146993 153235
Blocks: 89874
Reported: 2015-01-04 20:42 PST by Michael Catanzaro
Modified: 2016-09-21 05:18 PDT
CC List: 7 users

See Also:


Attachments
Patch (3.16 KB, patch)
2015-01-04 20:45 PST, Michael Catanzaro
no flags
[GTK] Enable seccomp filters by default (3.26 KB, patch)
2015-03-23 15:45 PDT, Michael Catanzaro
no flags
[GTK] Enable seccomp filters by default (3.20 KB, patch)
2015-03-23 15:48 PDT, Michael Catanzaro
no flags

Description Michael Catanzaro 2015-01-04 20:42:58 PST
Don't commit this yet :)
Comment 1 Michael Catanzaro 2015-01-04 20:45:32 PST
Created attachment 243961
Patch
Comment 2 Michael Catanzaro 2015-03-23 15:45:11 PDT
Created attachment 249291
[GTK] Enable seccomp filters by default
Comment 3 Michael Catanzaro 2015-03-23 15:48:04 PDT
Created attachment 249292
[GTK] Enable seccomp filters by default
Comment 4 Michael Catanzaro 2016-01-18 19:02:01 PST
The current seccomp filters code does not provide any meaningful security, and is certainly worse than no sandbox at all due to the high likelihood that it will unexpectedly break something by inappropriately denying access to a file. We might be better off deleting all this code and starting from scratch (perhaps using mount namespaces), rather than try to enforce a filesystem access policy with seccomp filters.

We should use seccomp filters to enforce a short syscall blacklist regardless, but that is much simpler than what we have now, and none of the current code is useful for that. (A syscall whitelist -- the approach I attempted -- is far too fragile.)
Comment 5 Thiago Marcos P. Santos 2016-02-10 16:13:54 PST
The idea of trying something with seccomp was because at the time it was the only mechanism available in many distros that wouldn't require special privileges to create the sandbox. Obviously trapping just a few syscalls won't give much, but the plan was to incrementally grow and add more filters.
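A minimal seccomp-bpf denylist of the kind Comment 4 proposes and Comment 5 describes as the starting point (default allow, a handful of syscalls denied, plus an ABI check so the syscall numbers mean what the filter thinks they mean), as an added example that is not WebKit's code and not an attachment from this bug: the denied syscalls, the `install_denylist` and `probe_under_filter` helpers and their result codes are constructed for illustration, and it assumes Linux with glibc on x86_64 or aarch64.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#endif /* other targets need their own AUDIT_ARCH_* value here or this will not compile */
/* Constructed denylist for this example: syscalls a web content process never needs. */
static const unsigned denied[] = { SYS_ptrace, SYS_mount, SYS_kexec_load };
#define EMIT(insn) (prog[n++] = (struct sock_filter)insn)
/* Default-allow filter; a denied syscall kills the thread with SIGSYS. 0 = installed, -1 = refused. */
int install_denylist(void)
{
    struct sock_filter prog[5 + 2 * (sizeof denied / sizeof denied[0])];
    size_t n = 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)); /* foreign ABI: syscall numbers differ */
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++) {
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], 0, 1)); /* match: fall into KILL */
        EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    }
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)); /* everything else passes unchanged */
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged install */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Make one syscall in a filtered child: 1 = killed by SIGSYS (denied), 0 = it ran, -1 = no filter. */
int probe_under_filter(long nr)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_denylist() != 0) _exit(2);
        syscall(nr, 0, 0, 0, 0, 0); /* null arguments: harmless if the call is allowed through */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 2) ? -1 : 0;
}
```

The same default-allow shape holds however long the list grows, which is what makes it far less likely than a whitelist to break the process when a library starts using a syscall nobody anticipated.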