B2G/Architecture/System Security

758 bytes added, 18:42, 2 November 2012
added rlimit sandbox
** Requires a custom kernel with SELinux enabled, or another kernel-patch-based solution built and enabled
** WebGL requires some security-sensitive system calls, such as ioctl()
 
==== rlimit ====
setrlimit() is a system call that lowers per-process resource limits; setting RLIMIT_NPROC, RLIMIT_NOFILE and RLIMIT_FSIZE to 0 denies process creation, opening new file descriptors and writing to regular files. Like chroot(), this may be used as long as no privileged user (such as root) is running any process that is being rlimit'ed: a process with CAP_SYS_RESOURCE is exempt from RLIMIT_NPROC and can raise the hard limits again. Note that on Linux the limits restrict fork() and open(), not execve() in the existing process: a dynamically linked /bin/sh fails only because its loader can no longer open() libraries, and a statically linked binary is not stopped at all.
 
* Very easy to implement, well supported by various operating systems
* Does not require kernel modifications
* Used as a fall-back sandbox in other programs, such as OpenSSH (sandbox-rlimit)
 
* Sandbox escape scenarios:
** Kernel vulnerability (any)
** Loading code directly in memory (rather than spawning a new process such as /bin/sh), then finding user-space vulnerabilities in other processes
** Privilege escalation to root/privileged user, then raising the rlimits again
** User-land vulnerability reachable via any kind of IPC
** Vulnerability in the b2g (parent) process triggered via IPDL
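The following is an added example, not code from this wiki page or from OpenSSH: a minimal rlimit sandbox in the style described above (FSIZE, NPROC and NOFILE all set to 0) together with a probe that records which operations fail afterwards. It assumes Linux, a writable /tmp for the pre-opened file used to show the FSIZE effect, and an unprivileged uid (as root, RLIMIT_NPROC is not enforced, which is exactly the caveat in the text). Ignoring SIGXFSZ is a choice made here so that an oversize write returns EFBIG instead of killing the process; OpenSSH leaves the default.

```c
/* Added example (not from the B2G wiki or OpenSSH): rlimit sandbox + probe.
 * Linux only. Assumes an unprivileged uid and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct sandbox_probe {
    int open_errno;     /* errno from open() after the sandbox, 0 if it succeeded */
    int fork_errno;     /* errno from fork() after the sandbox, 0 if a child ran */
    int write_errno;    /* errno from write() to a pre-opened file, 0 ok, -1 not probed */
    int nproc_enforced; /* 1 if RLIMIT_NPROC applies to this uid (i.e. not root) */
};

static int set_zero(int resource)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(resource, &rl);   /* lowering a limit needs no privilege */
}

/* Apply the sandbox: no file growth, no new processes, no new descriptors. */
int rlimit_sandbox_apply(void)
{
    /* With RLIMIT_FSIZE=0, extending a regular file raises SIGXFSZ, which
     * kills the process by default; ignore it so write() fails with EFBIG. */
    signal(SIGXFSZ, SIG_IGN);
    if (set_zero(RLIMIT_FSIZE) != 0) return -1;
    if (set_zero(RLIMIT_NPROC) != 0) return -1;
    /* NOFILE last: once it is 0 this process can open nothing else. */
    if (set_zero(RLIMIT_NOFILE) != 0) return -1;
    return 0;
}

/* Read back a soft limit so a caller can confirm the sandbox is in place. */
int rlimit_sandbox_cur(int resource, rlim_t *cur)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return -1;
    *cur = rl.rlim_cur;
    return 0;
}

/* Apply the sandbox once and record what fails afterwards. The result is
 * cached because the limits cannot be raised back in the same process. */
const struct sandbox_probe *rlimit_sandbox_result(void)
{
    static struct sandbox_probe p;
    static int done;
    if (done) return &p;
    done = 1;
    p.open_errno = p.fork_errno = p.write_errno = -1;
    p.nproc_enforced = geteuid() != 0;

    char path[] = "/tmp/rlimit_probe_XXXXXX";
    int pre_fd = mkstemp(path);   /* opened before the sandbox, so allowed */
    if (pre_fd >= 0) unlink(path);

    if (rlimit_sandbox_apply() != 0) return &p;

    int fd = open("/dev/null", O_RDONLY);     /* RLIMIT_NOFILE=0 -> EMFILE */
    p.open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);

    pid_t pid = fork();                       /* RLIMIT_NPROC=0 -> EAGAIN */
    if (pid == 0) _exit(0);
    p.fork_errno = pid < 0 ? errno : 0;
    if (pid > 0) waitpid(pid, NULL, 0);

    if (pre_fd >= 0) {                        /* RLIMIT_FSIZE=0 -> EFBIG */
        p.write_errno = write(pre_fd, "x", 1) < 0 ? errno : 0;
        close(pre_fd);
    }
    return &p;
}

int main(void)
{
    const struct sandbox_probe *p = rlimit_sandbox_result();
    printf("open: %d (EMFILE=%d)\nfork: %d (EAGAIN=%d, enforced=%d)\nwrite: %d (EFBIG=%d)\n",
           p->open_errno, EMFILE, p->fork_errno, EAGAIN, p->nproc_enforced,
           p->write_errno, EFBIG);
    return 0;
}
```

Run it as a normal user and then as root to see the NPROC difference; the probe also makes the escape list concrete, since nothing in it stops code already mapped in the process from continuing to run or from talking to other processes over IPC.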
==== chroot ====