Bug 140072

Summary: [GTK] Enable seccomp filters by default
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKitGTKAssignee: Michael Catanzaro <mcatanzaro>
Status: RESOLVED WONTFIX    
Severity: Enhancement CC: cgarcia, gyuyoung.kim, lantw44, mcatanzaro, ossy, tmpsantos, zan
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Bug Depends on: 110014, 140062, 140071, 140073, 140075, 140131, 140132, 142980, 142982, 142983, 142986, 142987, 146993, 153235    
Bug Blocks: 89874    
Attachments:
Description Flags
Patch
none
[GTK] Enable seccomp filters by default
none
[GTK] Enable seccomp filters by default none

Michael Catanzaro
Reported 2015-01-04 20:42:58 PST
Don't commit this yet :)
Attachments
Patch (3.16 KB, patch)
2015-01-04 20:45 PST, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
[GTK] Enable seccomp filters by default (3.26 KB, patch)
2015-03-23 15:45 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
[GTK] Enable seccomp filters by default (3.20 KB, patch)
2015-03-23 15:48 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2015-01-04 20:45:32 PST
Created attachment 243961 [details] Patch
Michael Catanzaro
Comment 2 2015-03-23 15:45:11 PDT
Created attachment 249291 [details] [GTK] Enable seccomp filters by default
Michael Catanzaro
Comment 3 2015-03-23 15:48:04 PDT
Created attachment 249292 [details] [GTK] Enable seccomp filters by default
Michael Catanzaro
Comment 4 2016-01-18 19:02:01 PST
The current seccomp filters code does not provide any meaningful security, and is certainly worse than no sandbox at all due to the high likelihood that it will unexpectedly break something by inappropriately denying access to a file. We might be better off deleting all this code and starting from scratch (perhaps using mount namespaces), rather than try to enforce a filesystem access policy with seccomp filters. We should use seccomp filters to enforce a short syscall blacklist regardless, but that is much simpler than what we have now, and none of the current code is useful for that. (A syscall whitelist -- the approach I attempted -- is far to fragile.)
Thiago Marcos P. Santos
Comment 5 2016-02-10 16:13:54 PST
The idea of trying something with seccomp was because at the time it was the only mechanism available in many distros that wouldn't require special privileges to create the sandbox. Obviously trapping just a few syscalls won't give much, but the plan was to incrementally grow and add more filters.
Note You need to log in before you can comment on or make changes to this bug.