Date: Sun, 29 Jan 2023 19:39:28 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 269234] www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes Message-ID: <bug-269234-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D269234 Bug ID: 269234 Summary: www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: chromium@FreeBSD.org Reporter: sigsys@gmail.com Assignee: chromium@FreeBSD.org Flags: maintainer-feedback?(chromium@FreeBSD.org) Created attachment 239789 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D239789&action= =3Dedit Chromium port basic Capsicum support The patchset already supports different backends for OpenBSD and FreeBSD sandboxing, but some files were still including the OpenBSD-specific headers and the preprocessor guards in the FreeBSD header were the same as the Open= BSD ones. So this patch clears that up. And it adds rudimentary Capsicum support for the renderer processes (which = IIUC should be the most important processes to sandbox). It limits the stdio FDs (important since they could be TTYs), but does not limit any other FDs. And tbh, I do not know what kind of FDs they could be passed and how dangerous their ioctls could be. But it seems to work without issues (so far) and sho= uld be better than nothing. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-269234-7788>