On Fri, Sep 20, 2019 at 10:00:32AM -0500, joshua stein wrote:
> (I'm going to keep trying to send this until I get it right!)
>
>
> I've been working on enhancing the security of our Firefox port over
> the past couple weeks and would like some wider testing.
>
> - Firefox's GPU process gains pledge(2) support, now all three
> process types (main, content, and gpu) are pledged.
>
> - The inet permission is removed from content processes as they work
> without it.
>
> - All three process types gain unveil(2) support to limit filesystem
> access. Similar to our Chrome port, ~/Downloads and /tmp become
> the only major directories that the main process can read from and
> write to (aside from some other Firefox- and Gtk-specific
> cache/support directories like ~/.mozilla) and that the content
> process can read from for viewing files as file:// URLs.
After light testing this works for me as intended. Also my settings
of XDG env variables seem to work.
Personally I don't like the restriction on reading files from a
usability point of view (but I understand the security reasoning), and
since Chrome users seem to have accepted it, I will do the same with
Firefox.
A better solution would involve some confirmation dialog, telling
which file is read for which purpose (internal use by a web app, or
uploading to an external site, like nextcloud or mastodon, instagram
whatever). But this may not always be possible with modern web
technologies and is not in the scope of local patches to the OpenBSD
port. sigh.
--
Matthieu Herrb
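As an added illustration, not code from the Firefox port or from either poster: the unveil(2)/pledge(2) sequence a browser main process could run to end up with the filesystem view described above (~/Downloads, /tmp and the ~/.mozilla support directory, then nothing else). The directory list, the permission strings, the assumed install prefix /usr/local/lib/firefox and the pledge promise set are illustrative assumptions; on systems without these syscalls the stand-ins compile but enforce nothing.

```c
/*
 * Added example: restrict a process to a handful of directories with
 * unveil(2), seal the list, then drop to a pledge(2) promise set.
 * Paths and promises are assumptions, not the Firefox port's real values.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins so the example also compiles where these syscalls do not
 * exist; they succeed without restricting anything. */
static int unveil(const char *path, const char *permissions)
{
	(void)path; (void)permissions;
	return 0;
}
static int pledge(const char *promises, const char *execpromises)
{
	(void)promises; (void)execpromises;
	return 0;
}
#endif

#define RULE_MAX 8
#define PATH_BUF 256

struct rule {
	char path[PATH_BUF];
	const char *perms;	/* unveil permission string made of r, w, c, x */
};

/*
 * Expand the assumed main-process rule set relative to `home`.  Returns the
 * number of rules written to `out`, or -1 if `home` is not an absolute path,
 * a path would be truncated, or `out` is too small.
 */
int build_main_rules(const char *home, struct rule *out, int max)
{
	/* Assumed list; a real port also exposes fonts, Gtk caches, etc. */
	static const struct { int rel; const char *sub; const char *perms; } spec[] = {
		{ 1, "/Downloads",             "rwc" },	/* saved downloads */
		{ 1, "/.mozilla",              "rwc" },	/* profile and caches */
		{ 0, "/tmp",                   "rwc" },	/* scratch files */
		{ 0, "/usr/local/lib/firefox", "rx"  },	/* assumed install path */
	};
	int n = (int)(sizeof spec / sizeof spec[0]);
	int i;

	if (home == NULL || home[0] != '/' || n > max)
		return -1;
	for (i = 0; i < n; i++) {
		int len = snprintf(out[i].path, PATH_BUF, "%s%s",
		    spec[i].rel ? home : "", spec[i].sub);
		if (len < 0 || len >= PATH_BUF)
			return -1;
		out[i].perms = spec[i].perms;
	}
	return n;
}

/*
 * Apply the rules, seal the unveil list so nothing can be added later, then
 * pledge.  Returns 0 on success, -1 (errno set by the failing call) otherwise.
 * The promise string is a guess at what a browser main process needs.
 */
int lock_down_main(const char *home)
{
	struct rule rules[RULE_MAX];
	int n = build_main_rules(home, rules, RULE_MAX);
	int i;

	if (n < 0)
		return -1;
	for (i = 0; i < n; i++)
		if (unveil(rules[i].path, rules[i].perms) == -1)
			return -1;
	/* unveil(NULL, NULL) seals the list: later unveil() calls fail. */
	if (unveil(NULL, NULL) == -1)
		return -1;
	/* "unveil" is deliberately absent from the promises, so any later
	 * attempt to widen the view is also a pledge violation. */
	return pledge("stdio rpath wpath cpath fattr inet unix dns "
	    "sendfd recvfd proc exec prot_exec", NULL);
}

int main(void)
{
	if (lock_down_main(getenv("HOME")) == -1) {
		perror("lock_down_main");
		return 1;
	}
	/* Every path lookup from here on is checked against the four rules. */
	puts("sandboxed");
	return 0;
}
```

The order matters: all unveil() calls come first, the list is sealed with unveil(NULL, NULL), and only then does pledge() narrow the syscall set, because a promise string without "unveil" would otherwise kill the process at the first unveil() call.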