Chrome 20 On Linux Gets Flash Seccomp Filter

Discussion in 'all things UNIX' started by Hungry Man, Jul 12, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome 20 seemed really unexciting and this particular Linux release got overlooked so here you go.
    http://scarybeastsecurity.blogspot.com/2012/07/chrome-20-on-linux-and-flash-sandboxing.html

    tl;dr:

    PPAPI Flash now runs in a Chroot, PID namespace, and has seccomp filters applied. The combination of these makes for a seriously secure Flash plugin.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I wrote an explanation of seccomp filters on as low a level as I could. If one of the programmers wants to look at it and tell me where I messed up I'd be really happy to hear about it. I basically just explained what the kernel is, what least privilege is, what a system call is, and why they're dangerous.

    Here's the article.
     
  3. tlu

    tlu Guest

    As noted on your blog, the seccomp sandbox is NOT enabled for Chrome v. [FONT=Ubuntu, Arial, sans-serif]21.0.1180.41 beta [/FONT]if the --enable-seccomp-sandbox switch is removed (although it should be enabled by default). Perhaps a regression.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Potentially a UI fault of the chrome://sandbox page. I assume that's what you're using to confirm.
     
  5. tlu

    tlu Guest

    Yes. Is there another way to check that?
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not that I know of. I would file a feature request for better Linux documentation as the current documentation is 2 years old and severely out of date.
     
  7. tlu

    tlu Guest

    Thanks. I reported that bug.
     
  8. tlu

    tlu Guest

Loading...
Thread Status:
Not open for further replies.