Bug 269234 - www/chromium: Sandboxing cleanup and basic Capsicum support for renderer processes
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-chromium (Nobody)
Reported: 2023-01-29 19:39 UTC by sigsys
Modified: 2023-09-28 07:56 UTC
bugzilla: maintainer-feedback? (chromium)


Attachments
Chromium port basic Capsicum support (18.58 KB, patch)
2023-01-29 19:39 UTC, sigsys
Chromium port basic Capsicum support 2 (18.32 KB, patch)
2023-02-06 19:16 UTC, sigsys
update for 110.0.5481.77 (17.42 KB, patch)
2023-02-12 22:32 UTC, sigsys

Description sigsys 2023-01-29 19:39:28 UTC
Created attachment 239789
Chromium port basic Capsicum support

The patchset already supports different backends for OpenBSD and FreeBSD sandboxing, but some files were still including the OpenBSD-specific headers and the preprocessor guards in the FreeBSD header were the same as the OpenBSD ones. So this patch clears that up.

And it adds rudimentary Capsicum support for the renderer processes (which IIUC should be the most important processes to sandbox). It limits the stdio FDs (important since they could be TTYs), but does not limit any other FDs. And tbh, I do not know what kind of FDs they could be passed and how dangerous their ioctls could be. But it seems to work without issues (so far) and should be better than nothing.
Comment 1 sigsys 2023-02-06 19:16:17 UTC
Created attachment 239957
Chromium port basic Capsicum support 2

Update patch, turns out some of the utility processes can be sandboxed as well.
Comment 2 sigsys 2023-02-12 22:32:15 UTC
Created attachment 240119
update for 110.0.5481.77