[Webkit-unassigned] [Bug 140132] New: [GTK] SeccompFilters: trap more filesystem access system calls

Tue Jan 6 11:06:27 PST 2015

https://bugs.webkit.org/show_bug.cgi?id=140132

            Bug ID: 140132
           Summary: [GTK] SeccompFilters: trap more filesystem access
                    system calls
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Enhancement
          Priority: P2
         Component: WebKit Gtk
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

Before we enable seccomp filters by default in the GTK+ port, we should trap more system calls. Currently, we trap open, openat, and creat so that we only allow access to particular files. Research the other system calls that operate on the filesystem to determine what we need to trap and what we don't.

The Chrome sandbox blocks all system calls that Chrome doesn't use, to reduce the kernel attack space. That would be great theoretically, but I think it's too ambitious for our purposes, as it would be quite difficult to maintain unless we start bundling all of our dependencies like Chrome does. For now, let's simply trap filesystem system calls so that a compromised web process needs a separate kernel exploit if it wants to vacuum up the user's personal data.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150106/f8cb46af/attachment-0002.html>