RESOLVED WONTFIX 140072
[GTK] Enable seccomp filters by default
https://bugs.webkit.org/show_bug.cgi?id=140072
Summary [GTK] Enable seccomp filters by default
Michael Catanzaro
Reported 2015-01-04 20:42:58 PST
Don't commit this yet :)
Attachments
Patch (3.16 KB, patch)
2015-01-04 20:45 PST, Michael Catanzaro
no flags
[GTK] Enable seccomp filters by default (3.26 KB, patch)
2015-03-23 15:45 PDT, Michael Catanzaro
no flags
[GTK] Enable seccomp filters by default (3.20 KB, patch)
2015-03-23 15:48 PDT, Michael Catanzaro
no flags
Michael Catanzaro
Comment 1 2015-01-04 20:45:32 PST
Michael Catanzaro
Comment 2 2015-03-23 15:45:11 PDT
Created attachment 249291 [details] [GTK] Enable seccomp filters by default
Michael Catanzaro
Comment 3 2015-03-23 15:48:04 PDT
Created attachment 249292 [details] [GTK] Enable seccomp filters by default
Michael Catanzaro
Comment 4 2016-01-18 19:02:01 PST
The current seccomp filters code does not provide any meaningful security, and is certainly worse than no sandbox at all due to the high likelihood that it will unexpectedly break something by inappropriately denying access to a file. We might be better off deleting all this code and starting from scratch (perhaps using mount namespaces), rather than try to enforce a filesystem access policy with seccomp filters. We should use seccomp filters to enforce a short syscall blacklist regardless, but that is much simpler than what we have now, and none of the current code is useful for that. (A syscall whitelist -- the approach I attempted -- is far to fragile.)
Thiago Marcos P. Santos
Comment 5 2016-02-10 16:13:54 PST
The idea of trying something with seccomp was because at the time it was the only mechanism available in many distros that wouldn't require special privileges to create the sandbox. Obviously trapping just a few syscalls won't give much, but the plan was to incrementally grow and add more filters.
Note You need to log in before you can comment on or make changes to this bug.