Enable subprocess sandboxing for libwebkit-gtk
Closed, Public

Authored by Jacalz on Nov 30 2019, 2:57 PM.
Tags
None

Details

Summary

Packaging Changes:

  • Build with bubblewrap sandbox to support running subprocesses in a sandbox. This should (in theory) lead to better web security for applications leveraging libwebkit-gtk.

Depends on D7750

Test Plan
  • Browse different sites to verify that everything works as expected.
  • Verify that performance doesn't regress when running sandboxed compared to running without.

Diff Detail

Repository
R3336 libwebkit-gtk
Branch
master
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

Build with bubblewrap sandbox. This should lead to better web security for applications leveraging webkit-gtk.

So how are we testing that we're actually running these webkit instances in a sandboxed environment?

Well, I haven't found any good way to test it. Can't possibly be less secure than without it though.

Jacalz retitled this revision from "Make libwebkit-gtk sandboxed" to "Enable subprocess sandboxing for libwebkit-gtk". Dec 5 2019, 6:06 PM
Jacalz edited the summary of this revision.

Well unless you have a way to verifiably ensure it even works in the first place, it isn't any more secure, which is the point of it.

@JoshStrobl I have now verified that it is being used by libwebkit-gtk, using pstree. The following picture is without bwrap support:

image.png (46×394 px, 10 KB)

The next image is with. Notice how WebKitWebProces is a child process of bwrap:

image.png (65×500 px, 14 KB)
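
One way to automate the pstree check from the comment above, as an added example (not part of this revision or the Solus package): the function walks each WebKitWebProces entry's parent chain looking for bwrap, which goes beyond the direct-child case so that intermediate processes between bwrap and the web process are still handled. The function names and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example: list WebKit web processes that have no bwrap ancestor.
# Input on stdin: one "PID PPID COMM" line per process, as printed by
#   ps -eo pid=,ppid=,comm=
# The kernel truncates comm to 15 characters, which is why the process
# appears as "WebKitWebProces" in pstree and ps.

unsandboxed_webkit() {
    awk '
        { ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (pid in comm) {
                if (comm[pid] !~ /^WebKitWebProces/) continue
                found = 0
                # Walk up the parent chain; the hop limit guards against
                # loops in a malformed table.
                p = ppid[pid]
                for (hops = 0; hops < 64 && (p in comm); hops++) {
                    if (comm[p] == "bwrap") { found = 1; break }
                    p = ppid[p]
                }
                if (!found) print pid
            }
        }
    ' | sort -n
}

# Constructed sample table (not captured from a real system):
# app-a launches its web process through bwrap, app-b does not.
sample_table() {
    cat <<'EOF'
1 0 systemd
900 1 app-a
910 900 bwrap
911 910 bwrap
912 911 WebKitWebProces
950 900 WebKitNetworkPr
1200 1 app-b
1210 1200 WebKitWebProces
EOF
}

# Prints the PIDs of web processes without a bwrap ancestor (here: 1210).
sample_table | unsandboxed_webkit

# Live check on a running system:
#   ps -eo pid=,ppid=,comm= | unsandboxed_webkit
```

A bwrap ancestor shows that the launcher was used; it does not by itself show which namespaces or filesystem restrictions are in effect.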

Per the comment above, is there any news on getting this merged? @JoshStrobl

Nope, looks good! Sorry for the delay and thanks again for the patch and validation.

This revision is now accepted and ready to land. Jan 10 2020, 5:23 PM