[Bug 269234] www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 29 Jan 2023 19:39:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269234

            Bug ID: 269234
           Summary: www/chromium: Sandboxing cleanup and basic Capsicum
                    support for renderer processes
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: chromium@FreeBSD.org
          Reporter: sigsys@gmail.com
             Flags: maintainer-feedback?(chromium@FreeBSD.org)

Created attachment 239789
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239789&action=edit
Chromium port basic Capsicum support

The patchset already supports different backends for OpenBSD and FreeBSD
sandboxing, but some files were still including the OpenBSD-specific headers
and the preprocessor guards in the FreeBSD header were the same as the OpenBSD
ones. So this patch clears that up.

And it adds rudimentary Capsicum support for the renderer processes (which IIUC
should be the most important processes to sandbox). It limits the stdio FDs
(important since they could be TTYs), but does not limit any other FDs. And
tbh, I do not know what kind of FDs they could be passed and how dangerous
their ioctls could be. But it seems to work without issues (so far) and should
be better than nothing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
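For readers unfamiliar with what "limit the stdio FDs" means under Capsicum, the following is an added illustration written for this page; it is not the attached port patch and not Chromium code. It limits stdin/stdout/stderr to a small rights set (CAP_READ, CAP_WRITE and CAP_FSTAT are an assumption made here; the rights the actual patch grants are not visible in this report), enters capability mode with cap_enter(), and then verifies that a TTY ioctl on a limited descriptor is refused with ENOTCAPABLE, which is the property that matters when the descriptors could be terminals. On a non-FreeBSD system the Capsicum calls are compiled out and the entry point reports ENOSYS.

```c
/* Added example for this bug report: limit the three stdio descriptors with
 * Capsicum and enter capability mode. Not the port's patch. The rights set
 * below is an assumption chosen for illustration. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/ioctl.h>
#include <termios.h>

/* 1 when this binary was built with Capsicum support, 0 otherwise. */
int capsicum_available(void) { return 1; }

/* Rights kept on a stdio descriptor: plain read/write plus fstat so that
 * libc's stdio keeps working. CAP_IOCTL is deliberately absent, so TTY
 * ioctls are refused even if the descriptor turns out to be a terminal.
 * A closed descriptor (EBADF) is not treated as an error. */
static int limit_stdio_fd(int fd)
{
    cap_rights_t rights;

    cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) == -1 && errno != EBADF)
        return -1;
    return 0;
}

/* Limit stdin, stdout and stderr, then enter capability mode.
 * Returns 0 on success, -1 with errno set on failure. */
int sandbox_stdio_and_enter(void)
{
    const int fds[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO };
    int i;

    for (i = 0; i < 3; i++)
        if (limit_stdio_fd(fds[i]) == -1)
            return -1;
    return cap_enter();
}

/* Probe: a terminal ioctl on a limited descriptor must fail with
 * ENOTCAPABLE. Returns 1 when it is refused that way, 0 otherwise
 * (including when the ioctl unexpectedly succeeds). */
int tty_ioctl_is_refused(int fd)
{
    struct termios t;

    if (ioctl(fd, TIOCGETA, &t) == 0)
        return 0;
    return errno == ENOTCAPABLE;
}
#else
/* Stub build for systems without Capsicum: nothing is sandboxed. */
int capsicum_available(void) { return 0; }
int sandbox_stdio_and_enter(void) { errno = ENOSYS; return -1; }
int tty_ioctl_is_refused(int fd) { (void)fd; return 0; }
#endif

int main(void)
{
    if (!capsicum_available()) {
        puts("Capsicum not available on this system; nothing sandboxed");
        return 0;
    }
    if (sandbox_stdio_and_enter() == -1) {
        perror("sandbox_stdio_and_enter");
        return 1;
    }
    /* stdout still has CAP_WRITE, so this message gets through. */
    printf("in capability mode; TTY ioctl on stdout refused: %s\n",
           tty_ioctl_is_refused(STDOUT_FILENO) ? "yes" : "no");
    return 0;
}
```

Run it from a terminal on FreeBSD to see the ioctl refused while ordinary writes keep working; the same idea applies to any descriptor the sandboxed process inherits, which is why the report notes that descriptors other than stdio still need their rights worked out.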