Created attachment 239789 [details] Chromium port basic Capsicum support The patchset already supports different backends for OpenBSD and FreeBSD sandboxing, but some files were still including the OpenBSD-specific headers and the preprocessor guards in the FreeBSD header were the same as the OpenBSD ones. So this patch clears that up. And it adds rudimentary Capsicum support for the renderer processes (which IIUC should be the most important processes to sandbox). It limits the stdio FDs (important since they could be TTYs), but does not limit any other FDs. And tbh, I do not know what kind of FDs they could be passed and how dangerous their ioctls could be. But it seems to work without issues (so far) and should be better than nothing.
Created attachment 239957 [details] Chromium port basic Capsicum support 2 Update patch, turns out some of the utility processes can be sandboxed as well.
Created attachment 240119 [details] update for 110.0.5481.77