[ubuntu-hardened] Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)
daniel curtis
sidetripping at gmail.com
Sun Mar 12 17:00:48 UTC 2017
Hi.
Some time ago I've noticed that Firefox 43.0.3 version running on Fedora
23. has enabled ("true") all options related to Seccomp (Everyone can check
this via 'about:support'.) Anyway, Firefox 52.0 and previous version also,
have enabled ("true") only two of the four options.
Here are these options: Seccomp-BPF (filtering system calls) and Plugins
separation. I would like to ask why Firefox in Ubuntu does not have all
four options enabled? (Just as it is in Fedora 23. [1]) It depends on
Firefox maintainer or Mozilla is not ready yet to turn on these options?
Seccomp is a simple sandboxing tool in the Linux kernel, available since
Linux version 2.6.12. However, using Firejail which is an easy to use and
simple tool for sandboxing applications, changes/enable flag in the process
status. It can be checked via:
[~]$ grep Seccomp /proc/<pid>/status
# Firefox launched directly:
$ grep Seccomp /proc/$(pidof firefox)/status
Seccomp: 0
# Firefox launched via Firejail:
$ grep Seccomp /proc/$(pidof firefox/status
Seccomp: 2
The importance of these values: if '0' it's bad - Seccomp is not enabled.
If '2' - it's correct because Seccomp-bpf is enabled. Are there any plans
for enabling all four options? Does someone know something about this?
Best regards.
_____________
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1297204#c2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170312/d5cceff7/attachment.html>
More information about the ubuntu-hardened
mailing list