Security/Sandbox/Seccomp

889 bytes added, 01:55, 26 August 2014
== Use in Gecko ==
Gecko on the desktop and in B2G uses seccomp when running on Linux. The code is in mozilla-central at security/sandbox/linux. Files of interest:
* Sandbox.h: the public interface; used when a child process is ready to enter sandboxed mode
* SandboxFilter.cpp: the sandbox policy definitions
* SandboxAssembler.{h,cpp}: implements the policies in terms of the Chromium CodeGen module
* Sandbox.cpp: the code that starts the sandbox and handles violations (note: this is changing soon; see {{bug|1041886}})
* {arm,x86_{32,64}}_linux_syscalls.h: syscall number definitions; grep these to translate syscall numbers seen in error messages (use the file corresponding to the architecture in question)
We also have an import of the Chromium seccomp-bpf libraries at security/sandbox/chromium/sandbox/linux/seccomp-bpf; we're currently using the CodeGen/BasicBlock/Instruction layer but not ErrorCode or SandboxBPF (yet).
=== Seccomp reporter ===
The reporter is an option which will log exactly which system call has been denied by seccomp. It is enabled by default in engineering builds ("eng" builds). The option is --content-sandbox-reporter. When seccomp denies a system call, it sends a signal (SIGSYS) which is handled by the reporter. The reporter logs information about the syscall, invokes the crash reporter, tries to log the current JS stack if any, and finally terminates the process.
The log message looks like this:
seccomp sandbox violation: pid %u, syscall %lu, args %lu %lu %lu %lu %lu. Killing Process.
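The message above carries only a raw syscall number, and the page says to grep the per-architecture headers ({arm,x86_{32,64}}_linux_syscalls.h) to translate it. The following is an added shell example, not code from the wiki page or from mozilla-central; it assumes those headers use the Chromium "#define __NR_<name> <number>" layout and demonstrates the lookup on a constructed log line and a constructed three-entry header.

```shell
#!/bin/sh
# Added example (not from the wiki page or mozilla-central): decode a seccomp
# reporter message and translate the syscall number using the per-architecture
# syscall headers. ASSUMPTION: the headers are laid out as
# "#define __NR_<name> <number>" (the Chromium layout).

# Extract the pid from a reporter line such as
#   seccomp sandbox violation: pid 1234, syscall 59, args 1 2 3 4 5. Killing Process.
violation_pid() {
    printf '%s\n' "$1" | sed -n 's/.*violation: pid \([0-9][0-9]*\),.*/\1/p'
}

# Extract the raw syscall number from the same line.
violation_syscall() {
    printf '%s\n' "$1" | sed -n 's/.*, syscall \([0-9][0-9]*\),.*/\1/p'
}

# Pick the header file matching the output of `uname -m` on the affected machine.
# The numbers differ per architecture, so the wrong header gives a wrong name.
syscall_header_for_arch() {
    case "$1" in
        x86_64) echo "x86_64_linux_syscalls.h" ;;
        i?86)   echo "x86_32_linux_syscalls.h" ;;
        arm*)   echo "arm_linux_syscalls.h" ;;
        *)      return 1 ;;
    esac
}

# Look a number up in a header: print the name without the __NR_ prefix,
# or nothing when the number is not defined there.
syscall_name() {
    awk -v n="$1" \
        '$1 == "#define" && $2 ~ /^__NR_/ && $3 == n { sub(/^__NR_/, "", $2); print $2; exit }' \
        "$2"
}

# Worked run on constructed data. A real lookup would point at
# security/sandbox/linux/<header> in a mozilla-central checkout instead of the
# temporary header built here.
demo_translate() {
    line='seccomp sandbox violation: pid 4242, syscall 59, args 1 2 3 4 5. Killing Process.'
    header=$(mktemp)
    # Constructed sample header (x86_64 numbers for read/write/execve).
    printf '#define __NR_read 0\n#define __NR_write 1\n#define __NR_execve 59\n' > "$header"
    name=$(syscall_name "$(violation_syscall "$line")" "$header")
    rm -f "$header"
    printf 'pid %s tried syscall %s (%s)\n' \
        "$(violation_pid "$line")" "$(violation_syscall "$line")" "${name:-unknown}"
}

demo_translate
```

When a name does not resolve, check that the header matches the architecture of the process that produced the message rather than the machine you are reading logs on.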
=== How do I check my processes are sandboxed by seccomp? ===
There is a seccomp flag in the process status. Use this command, replacing <pid> with the process's PID:
grep Seccomp /proc/<pid>/status
* 0: Seccomp is not enabled (bad!)
* 1: Seccomp "strict mode" is enabled (shouldn't happen)
* 2: Seccomp-bpf is enabled (correct)
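The check above is easy to script across every content process. This is an added shell example, not code from the wiki page; it reads the Seccomp field from a status file (defaulting to the live /proc entry), maps the value to the meanings listed above, and treats a missing field as "the kernel does not expose seccomp status", which is what you see on kernels without seccomp support.

```shell
#!/bin/sh
# Added example (not from the wiki page): report whether processes are running
# under seccomp-bpf by reading the Seccomp field of /proc/<pid>/status.

# Print the numeric Seccomp mode from a status file, or "missing" when the
# kernel does not provide the field at all.
seccomp_mode() {
    awk '/^Seccomp:/ { print $2; found = 1 }
         END { if (!found) print "missing" }' "$1"
}

# Translate the mode to the meaning given on the page.
describe_seccomp_mode() {
    case "$1" in
        0)       echo "not enabled (bad!)" ;;
        1)       echo "strict mode (shouldn't happen)" ;;
        2)       echo "seccomp-bpf enabled (correct)" ;;
        missing) echo "no Seccomp field (kernel without seccomp support?)" ;;
        *)       echo "unknown value: $1" ;;
    esac
}

# Check one status file; succeeds only when seccomp-bpf is active.
check_status_file() {
    mode=$(seccomp_mode "$1")
    printf '%s: Seccomp=%s -> %s\n' "$1" "$mode" "$(describe_seccomp_mode "$mode")"
    [ "$mode" = "2" ]
}

# Check every live process whose command line matches a pattern
# (e.g. plugin-container on desktop, b2g on a device). Exit status is non-zero
# if any matching process is not under seccomp-bpf.
check_processes() {
    rc=0
    for p in $(pgrep -f "$1"); do
        check_status_file "/proc/$p/status" || rc=1
    done
    return "$rc"
}

# Usage: run with a process-name pattern as the only argument. Without an
# argument nothing is executed, so the functions can be sourced into another script.
if [ -n "$1" ]; then
    check_processes "$1"
fi
```

A process that was started with MOZ_DISABLE_CONTENT_SANDBOX=1 will show up here with Seccomp=0, which makes this a quick way to confirm that a debugging override has been removed again.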
=== How do I disable the sandbox temporarily? ===
 
For content process ([[Electrolysis|e10s]], B2G) sandboxing:
export MOZ_DISABLE_CONTENT_SANDBOX=1
/system/bin/b2g.sh
 
For Gecko Media Plugin sandboxing on desktop (OpenH264, EME, etc.):
 
export MOZ_DISABLE_GMP_SANDBOX=1
 
Also, to simulate the effect of having no sandbox support in the kernel:
 
export MOZ_FAKE_NO_SANDBOX=1
 
In particular, this will disable media plugin support on desktop, and cause B2G based on Android KitKat or later to completely refuse to start, unless the corresponding DISABLE option is set — which is the intended behavior if sandboxing isn't possible in those cases. This is probably not useful except to test that kind of mandatory-sandboxing feature.
== More information ==