
Enable subprocess sandboxing for libwebkit-gtk
Needs Review, Public

Authored by Jacalz on Sat, Nov 30, 2:57 PM.

Details

Reviewers
None
Group Reviewers
Triage Team
Summary

Packaging Changes:

  • Build with bubblewrap sandbox to support running subprocesses in a sandbox. This should (in theory) lead to better web security for applications leveraging libwebkit-gtk.

Depends on D7750

Test Plan
  • Browse different sites to verify that everything works as expected.
  • Verify that performance doesn't regress when running sandboxed compared to running without.

Diff Detail

Repository
R3336 libwebkit-gtk
Branch
master
Lint
No Linters Available
Unit
No Unit Test Coverage

Event Timeline

Jacalz created this revision. Sat, Nov 30, 2:57 PM
Jacalz requested review of this revision. Sat, Nov 30, 2:57 PM

Build with bubblewrap sandbox. This should lead to better web security for applications leveraging webkit-gtk.

So how are we testing that we're actually running these webkit instances in a sandboxed environment?

Jacalz added a comment. Wed, Dec 4, 4:13 PM

Build with bubblewrap sandbox. This should lead to better web security for applications leveraging webkit-gtk.

So how are we testing that we're actually running these webkit instances in a sandboxed environment?

Well, I haven't found any good way to test it. Can't possibly be less secure than without it though.

Jacalz edited the summary of this revision. Wed, Dec 4, 4:13 PM
Jacalz retitled this revision from Make libwebkit-gtk sandboxed to Enable subprocess sandboxing for libwebkit-gtk. Thu, Dec 5, 6:06 PM
Jacalz edited the summary of this revision.

Build with bubblewrap sandbox. This should lead to better web security for applications leveraging webkit-gtk.

So how are we testing that we're actually running these webkit instances in a sandboxed environment?

Well, I haven't found any good way to test it. Can't possibly be less secure than without it though.

Well unless you have a way to verifiably ensure it even works in the first place, it isn't any more secure, which is the point of it.
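
One way to answer the question raised in this thread, as an added example (not part of the revision or of WebKitGTK): bubblewrap always places its child in a new mount namespace, so the script below compares the namespace identifiers of running WebKit helper processes with those of a baseline process. It assumes the helpers' executables are named with a `WebKit` prefix (WebKitWebProcess, WebKitNetworkProcess) and that the baseline, by default the script itself, runs in the same namespaces as the application that launched them.

```python
#!/usr/bin/env python3
import os

NAMESPACES = ("mnt", "pid", "net", "user", "ipc", "uts")
HELPER_PREFIX = "WebKit"  # assumption: matches WebKitWebProcess and WebKitNetworkProcess


def ns_ids(proc, pid):
    """Return {namespace: id string such as 'mnt:[4026531840]', or None if unreadable}."""
    ids = {}
    for ns in NAMESPACES:
        try:
            ids[ns] = os.readlink(os.path.join(proc, str(pid), "ns", ns))
        except OSError:  # process exited, or we lack permission to inspect it
            ids[ns] = None
    return ids


def helper_name(proc, pid):
    """Return the basename of argv[0] if the process is a WebKit helper, else None."""
    try:
        with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return None
    name = os.path.basename(argv0)
    return name if name.startswith(HELPER_PREFIX) else None


def check(proc="/proc", baseline="self"):
    """Compare each WebKit helper's namespaces with those of the baseline process."""
    base = ns_ids(proc, baseline)
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        name = helper_name(proc, pid)
        if name is None:
            continue
        ids = ns_ids(proc, pid)
        unshared = sorted(n for n in NAMESPACES if ids[n] and base[n] and ids[n] != base[n])
        if ids["mnt"] is None or base["mnt"] is None:
            verdict = "unknown"
        else:  # bubblewrap always creates a new mount namespace
            verdict = "sandboxed" if "mnt" in unshared else "NOT sandboxed"
        report[int(pid)] = (name, verdict, unshared)
    return report


if __name__ == "__main__":
    for pid, (name, verdict, unshared) in sorted(check().items()):
        print(f"{pid:>7} {name:<22} {verdict:<14} {','.join(unshared) or '-'}")
```

Run it as the same user while a WebKitGTK application has a page open; a helper reported as "NOT sandboxed" shares the baseline's mount namespace and was therefore not launched through bubblewrap.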