Re: firefox sandboxing

To: Thomas Klausner <tk%giga.or.at@localhost>
Subject: Re: firefox sandboxing
From: Jason Thorpe <thorpej%me.com@localhost>
Date: Wed, 16 May 2018 13:57:31 -0700

> On May 14, 2018, at 6:38 AM, Thomas Klausner <tk%giga.or.at@localhost> wrote:
> 
> We already support chroot(2). Are user namespaces
> (http://man7.org/linux/man-pages/man7/user_namespaces.7.html - looks
> like capabilities) something that would be good to have for NetBSD?

IMO, chroot(2) is a pretty poor way to do sandboxing.  For everything that you want to sandbox with chroot(2), you essentially have to duplicate-and-strip the standard run-time environment for that application / daemon / whatever.

I may be biased, but I think a nicer way to do this stuff is along the lines of what macOS does … wrapping an expressive language around Mandatory Access Controls (called a sandbox profile), which provides restrictions on file system access, network access, other-pid access, etc.  There is an inheritance model for these profiles (for any spawned / forked children), and a way for an unrestricted process to adopt a profile at run-time to restrict itself.

For other things that aren’t typically granted by default, there is another thing called an “entitlement” that’s part of the program’s code signature that grants special privileges that wouldn’t be granted to even root under usual circumstances.

The two things are distinct, but using them together can be extremely powerful to provide tightly controlled specific-privilege escalation when necessary.

-- thorpej

References:
- firefox sandboxing
  - From: Thomas Klausner

Prev by Date: Re: firefox sandboxing
Next by Date: Re: CVS commit: src/sys/dev/pci
Previous by Thread: Re: firefox sandboxing
Indexes:

Home | Main Index | Thread Index | Old Index