Confirmed users
502
edits
B2G/Architecture/System Security: Difference between revisions
B2G/Architecture/System Security (view source)
Revision as of 23:10, 2 November 2012
, 2 November 2012no edit summary
Gdestuynder (talk | contribs) (added rlimit sandbox) |
Gdestuynder (talk | contribs) mNo edit summary |
||
| Line 71: | Line 71: | ||
* All access to resources <b>must</b> happen via IPDL, this means: | * All access to resources <b>must</b> happen via IPDL, this means: | ||
** No filesystem access | ** No filesystem access | ||
** Very limited access to the kernel's system calls (no ioctl(), etc.) | ** Very limited access to the kernel's system calls (no ioctl(), etc.). By restriction system calls, the attack surface exposed by the kernel to web applications is greatly reduced | ||
** No execution of native code | ** No execution of native code | ||
** Fuzzing of IPDL | ** Fuzzing of IPDL | ||
| Line 80: | Line 80: | ||
==== Seccomp ==== | ==== Seccomp ==== | ||
Secure computing mode (seccomp) is a Linux kernel system call that allow us to limit which system calls (and any sub-process spawned from that point forward) can be used the process. | Secure computing mode (seccomp) is a Linux kernel system call that allow us to limit which system calls (and any sub-process spawned from that point forward) can be used the process. | ||
This is the | This is the most secure sand-box implementation. | ||
* Seccomp mode 2: | * Seccomp mode 2: | ||
| Line 203: | Line 203: | ||
|} | |} | ||
=== Linux DAC | === Linux DAC === | ||
The Linux DAC | The Linux DAC represents the well-known Linux filesystem permission model. (The traditional User/group/others - NOT Linux POSIX 1.e ACLs). | ||
* The app_0/nobody user has no write access to any file | * The app_0/nobody user has no write access to any file | ||