Security/Sandbox/Deny Filesystem Access: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Removed old cruft)
 
(47 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Status =
= Status =
{| class="wikitable"
{| class="wikitable"
Line 5: Line 4:
! Platform !! Current Status of Content Filesystem Sandboxing
! Platform !! Current Status of Content Filesystem Sandboxing
|-
|-
| Windows || TBD
| Windows/Mac/Linux ||
|-
Read and write filesystem access restrictions are now shipping on all platforms. See
| OS X || Some directories are read/write protected, but this will not provide real security until the bulk of the $HOME directory is fully write protected.
[[Security/Sandbox#Current Status|the main sandboxing wiki page]] for more information.
 
On OS X, the Firefox Profile directory is stored within ~/Library/Application Support/Firefox/Profiles/. ~/Library is read/write protected with a few exceptions for some specific subdirectories. Access to $HOME and other areas of the filesystem is not restricted. i.e., the content process can read and write to/from anywhere the OS permits: $HOME and temporary directories. The ~/Library read/write prevention could be bypassed because the rest of the $HOME is read/write accessible. For example, a compromised process could add malicious commands to ~/.login-type files to copy data from ~/Library when a user logs in.
|-
| Linux || No filesystem policy enabled
|-
| Other || No filesystem policy enabled
|}
|}
= Blockers =
== Cross-Platform Blockers ==
* {{bug|1196384}} - (sandbox-fs) [meta] Cross-platform blockers for default-deny filesystem policy for content processes
** [https://bugzilla.mozilla.org/showdependencytree.cgi?id=1196384&hide_resolved=1 Dependency Tree]
== Windows Blockers ==
== OS X Blockers ==
== Linux Blockers ==
== Other Blockers ==

Latest revision as of 17:22, 16 November 2017

Status

Platform Current Status of Content Filesystem Sandboxing
Windows/Mac/Linux

Read and write filesystem access restrictions are now shipping on all platforms. See the main sandboxing wiki page for more information.

Retrieved from "https://wiki.allizom.org/index.php?title=Security/Sandbox/Deny_Filesystem_Access&oldid=1184311"