Date: Sun, 29 Jan 2023 19:39:28 +0000 From: bugzilla-noreply@freebsd.org To: chromium@FreeBSD.org Subject: maintainer-feedback requested: [Bug 269234] www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes Message-ID: <bug-269234-28929-PouyaAh1rc@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-269234-28929@https.bugs.freebsd.org/bugzilla/> References: <bug-269234-28929@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-chromium (Nobo= dy) <chromium@FreeBSD.org> for maintainer-feedback: Bug 269234: www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D269234 --- Description --- The patchset already supports different backends for OpenBSD and FreeBSD sandboxing, but some files were still including the OpenBSD-specific headers and the preprocessor guards in the FreeBSD header were the same as the Open= BSD ones. So this patch clears that up. And it adds rudimentary Capsicum support for the renderer processes (which = IIUC should be the most important processes to sandbox). It limits the stdio FDs (important since they could be TTYs), but does not limit any other FDs. And tbh, I do not know what kind of FDs they could be passed and how dangerous their ioctls could be. But it seems to work without issues (so far) and sho= uld be better than nothing.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-269234-28929-PouyaAh1rc>