Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

daniel curtis

Hi.

Some time ago I noticed that Firefox version 43.0.3 running on Fedora 23 has all options related to Seccomp enabled ("true"). (Everyone can check this via 'about:support'.) Anyway, Firefox 52.0, and the previous version also, have only two of the four options enabled ("true").

Here are these options: Seccomp-BPF (filtering system calls) and Plugins separation. I would like to ask why Firefox in Ubuntu does not have all four options enabled? (Just as it is in Fedora 23. [1]) Does it depend on the Firefox maintainer, or is Mozilla not ready yet to turn on these options?

Seccomp is a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. However, using Firejail, which is an easy-to-use and simple tool for sandboxing applications, changes/enables the flag in the process status. It can be checked via:

[~]$ grep Seccomp /proc/<pid>/status

# Firefox launched directly:
$ grep Seccomp /proc/$(pidof firefox)/status
Seccomp:    0

# Firefox launched via Firejail:
$ grep Seccomp /proc/$(pidof firefox)/status
Seccomp:    2

The importance of these values: if '0' it's bad - Seccomp is not enabled. If '2' - it's correct because Seccomp-bpf is enabled. Are there any plans for enabling all four options? Does someone know something about this?


--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
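
Added example, not part of either message in this thread: the /proc check described above, extended to every thread of a process, because the Seccomp value is recorded per thread and the status file of the main PID alone says nothing about the others. The function names and the PROC_ROOT override (used only so the script can be pointed at a constructed directory tree) are hypothetical.

```shell
#!/bin/sh
# Report the seccomp mode of every thread of a process from /proc.
# Field values in /proc/<pid>/status: 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf).

# Map the numeric Seccomp field to a name.
seccomp_mode_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Print the Seccomp value from one status file (empty if the field is absent).
# Matching the first column exactly skips the "Seccomp_filters:" line that
# newer kernels also print, which a plain "grep Seccomp" would match as well.
seccomp_field() {
    awk '$1 == "Seccomp:" { print $2; exit }' "$1" 2>/dev/null
}

# Print one line per thread of PID $1.
# Returns 0 if every thread is in filter mode, 1 if any thread is not,
# 2 if no thread status file could be read.
# PROC_ROOT is a hypothetical override for testing; it defaults to /proc.
seccomp_report() {
    pid=$1
    root=${PROC_ROOT:-/proc}
    rc=0
    seen=0
    for st in "$root/$pid"/task/*/status; do
        [ -r "$st" ] || continue
        seen=1
        tid=${st%/status}
        tid=${tid##*/}
        val=$(seccomp_field "$st")
        printf 'pid=%s tid=%s seccomp=%s (%s)\n' \
            "$pid" "$tid" "${val:-?}" "$(seccomp_mode_name "$val")"
        [ "$val" = 2 ] || rc=1
    done
    [ "$seen" = 1 ] || rc=2
    return $rc
}

# With PIDs as arguments, report each one, for example:
#   sh seccomp_report.sh $(pidof firefox)
for p in "$@"; do seccomp_report "$p" || true; done
```
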
Re: Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

Seth Arnold
On Sun, Mar 12, 2017 at 06:00:48PM +0100, daniel curtis wrote:
> Here are these options: Seccomp-BPF (filtering system calls) and Plugins
> separation. I would like to ask why Firefox in Ubuntu does not have all
> four options enabled? (Just as it is in Fedora 23. [1]) It depends on
> Firefox maintainer or Mozilla is not ready yet to turn on these options?
>
> Seccomp is a simple sandboxing tool in the Linux kernel, available since
> Linux version 2.6.12. However, using Firejail which is an easy to use and
> simple tool for sandboxing applications, changes/enable flag in the process
> status. It can be checked via:

Hello Daniel,

This is probably due to the kernel in 12.04 LTS being quite old at this
point. On my 16.04 LTS laptop all four options are enabled.

The user namespace support wasn't in the Linux kernel until Linux 3.8:
http://man7.org/linux/man-pages/man7/user_namespaces.7.html This feature
has seen significant changes since its introduction; Firefox may not
use it even on 3.8 systems as a result.

The seccomp framework has seen even greater changes over its lifetime. The
early days, 2.6.12, was far less useful and as far as I know only ever
had one application use it. The seccomp(2) syscall was added in Linux
3.17: http://man7.org/linux/man-pages/man2/seccomp.2.html This feature
has also seen significant changes since its introduction; Firefox may
not even use it on 3.17 systems as a result.

Once you upgrade to 16.04 LTS or newer you'll probably see all four of
these values report True.

Thanks
