Conversation

Notices

1. Embed this notice
   Solène :flan_hacker: (solene@bsd.network)'s status on Monday, 13-Jan-2025 16:42:28 JST Solène :flan_hacker:

   in reply to

   • Farooq Karimi Zadeh

   @farooqkz the security features are named pledge and unveil, the first restricts system calls the process can do, the latter restricts filesystem access.

   Chromium and Firefox received both on OpenBSD, they are limited in term of system calls (not really visible for the end user), but also in term of filesystem, they can write in the directory ~/Downloads/ and read a ton of other directories useful for the runtime (settings, fonts, shared libraries etc...), nothing more.

   FreeBSD has an equivalent named capsicum but they did not implement it into web browsers (checked a few months ago).

   Linux has sandboxing using multiple methods:

   - web browsers installed with snap or flatpak are sandboxed
   - web browsers started with firejail are sandboxed

   • Embed this notice
     Farooq Karimi Zadeh (farooqkz@blackrock.city)'s status on Monday, 13-Jan-2025 16:42:30 JST Farooq Karimi Zadeh

     As I was talking with a friend, he told me about a cool security feature #OpenBSD has got. That is, limits scope of the browser. In the case Javascript escaped the sandbox, the damage is limited.

     But really, is there a security bug in #Gecko or #Webkit with which Javascript can escape? :)

     Disclaimer: I know very little about security, BSDs, and kernel level stuff.

     #FOSS #OS #BSD #Security