Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ Assignee
	Description • 10 years ago

There are Linux kernel changes that have been sent upstream (but not yet accepted) from Chromium to allow atomically applying seccomp filters to all threads in a process: https://lkml.org/lkml/2014/4/17/637

Chromium already has code to do this, intended for use on Android: http://git.chromium.org/gitweb/?p=chromium/src.git;a=commitdiff;h=8c215f5b965930c1faa004834491e4e11c6b26d8

It would be nice if we could use this where available (and, perhaps, backport the patches to our own seccomp-enabled B2G devices) instead of our current signal-based approach.

	Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ Assignee
	Comment 1 • 10 years ago

Move process sandboxing bugs to the new Bugzilla component.

(Sorry for the bugspam; filter on 3c21328c-8cfb-4819-9d88-f6e965067350.)

	Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ Assignee
	Comment 2 • 9 years ago

WIP; tested locally on nexus5-l and Ubuntu 14.04; will r? when/if it passes Try.

	Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ Assignee
	Comment 3 • 9 years ago

The last patch made chrooting not work, which is bad.  This fixes that, does a little cleanup, and adds some more assertions.

	Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧ Assignee
	Comment 4 • 9 years ago

https://treeherder.mozilla.org/#/jobs?repo=try&revision=18d436e65e6e

	Pulsebot
	Comment 5 • 9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/d9a56e97c6b1

	Ryan VanderMeulen [:RyanVM]
	Comment 6 • 9 years ago

https://hg.mozilla.org/mozilla-central/rev/d9a56e97c6b1