(Add link to filesystem policy on Linux.)
(Add logging env var.)
| Line 308: | Line 308: | ||
== Linux == | == Linux == | ||
== Overview == | |||
[http://en.wikipedia.org/wiki/Seccomp Seccomp] stands for secure computing mode. It's a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible. | [http://en.wikipedia.org/wiki/Seccomp Seccomp] stands for secure computing mode. It's a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible. | ||
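Review bot: the inserted "== Overview ==" is a level-2 heading, so it becomes a sibling of "== Linux ==" rather than a subsection of it; use "=== Overview ===" so the seccomp paragraph nests under Linux at the same level as the "=== Environment variables ===" subsection this edit adds at Line 318. While touching the heading, consider one sentence noting that the paragraph describes seccomp's original strict mode (only exit(), read(), write(), sigreturn()), whereas the SandboxFilter.cpp link at Line 318 is about seccomp-bpf filtering rules, so readers do not conclude that sandboxed processes are limited to those four calls.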
| Line 318: | Line 320: | ||
* [http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp seccomp-bpf filtering rules for various processes] | * [http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/SandboxFilter.cpp seccomp-bpf filtering rules for various processes] | ||
=== Environment variables === | |||
{| | |||
|Enable sandbox logging | |||
|MOZ_SANDBOX_VERBOSE | |||
|} | |||
= Bug Lists = | = Bug Lists = | ||
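Review bot: the new table has no header row and does not say what value MOZ_SANDBOX_VERBOSE expects or where the logging output goes; add a header such as "! Purpose !! Variable" above the row and, in the "Enable sandbox logging" cell, state what to set the variable to and where the messages appear, otherwise the table only names the variable.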