[ubuntu-hardened] Firefox: Seccomp-BPF - User-Namespaces (false) and Seccomp Thread Synchronization (false)

Seth Arnold seth.arnold at canonical.com
Tue Mar 14 02:33:35 UTC 2017

On Sun, Mar 12, 2017 at 06:00:48PM +0100, daniel curtis wrote:
> Here are these options: Seccomp-BPF (filtering system calls) and Plugins
> separation. I would like to ask why Firefox in Ubuntu does not have all
> four options enabled? (Just as it is in Fedora 23. [1]) Does it depend on
> the Firefox maintainer, or is Mozilla not ready yet to turn on these options?
> Seccomp is a simple sandboxing tool in the Linux kernel, available since
> Linux version 2.6.12. However, using Firejail, which is an easy-to-use and
> simple tool for sandboxing applications, changes/enables a flag in the
> process status. It can be checked via:

Hello Daniel,

This is probably due to the kernel in 12.04 LTS being quite old at this
point. On my 16.04 LTS laptop all four options are enabled.

The user namespace support wasn't in the Linux kernel until Linux 3.8:
http://man7.org/linux/man-pages/man7/user_namespaces.7.html
This feature has seen significant changes since its introduction; Firefox
may not use it even on 3.8 systems as a result.

The seccomp framework has seen even greater changes over its lifetime. In
the early days, 2.6.12, it was far less useful and, as far as I know, only
ever had one application use it. The seccomp(2) syscall was added in Linux
3.17: http://man7.org/linux/man-pages/man2/seccomp.2.html
This feature has also seen significant changes since its introduction;
Firefox may not even use it on 3.17 systems as a result.

Once you upgrade to 16.04 LTS or newer you'll probably see all four of
these values report True.

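The two checks discussed in this thread, as an added example that is not part of the original messages: reading the seccomp flag from a process status file, and comparing a kernel release against the 3.8 and 3.17 versions cited in the reply. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Map the "Seccomp:" line of a /proc/<pid>/status text (stdin) to a mode name.
# 0 = disabled, 1 = strict, 2 = filter (seccomp-BPF). The field is missing on
# kernels that predate it or were built without seccomp.
seccomp_mode() (
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }')
    case "$mode" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        "") echo no-seccomp-field ;;
        *) echo "unknown($mode)" ;;
    esac
)

# Succeed if kernel release $1 (e.g. "3.13.0-117-generic") is >= $2.$3.
kernel_at_least() (
    release=${1%%-*}                 # drop the distribution suffix
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # tolerate releases such as "4.4+"
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
)

# Compare a release against the versions cited in the thread: user namespaces
# in 3.8, seccomp(2) in 3.17. Thread synchronization is requested through a
# seccomp(2) flag, so it shares the 3.17 line. A "yes" only means the version
# is high enough; distributions can backport or disable either feature.
report() { if kernel_at_least "$1" "$3" "$4"; then echo "$2=yes"; else echo "$2=no"; fi; }
kernel_sandbox_support() {
    report "$1" user_namespaces 3 8
    report "$1" seccomp_syscall 3 17
}

# Constructed status excerpt for a process running under a BPF filter.
SAMPLE_STATUS=$(printf 'Name:\tfirefox\nSeccomp:\t2\n')
printf '%s\n' "$SAMPLE_STATUS" | seccomp_mode

# Live check, skipped where /proc is unavailable.
if [ -r /proc/self/status ]; then
    echo "this shell: seccomp $(seccomp_mode < /proc/self/status)"
    kernel_sandbox_support "$(uname -r)"
fi
```

To inspect a running browser process instead of the shell, feed its own status file to the function: `seccomp_mode < /proc/<pid>/status`.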