On 01/23/2015 09:29 AM, Daniel J Walsh wrote:
On 01/23/2015 10:25 AM, poma wrote:
Until this is resolved, is this a valid way:
$ sandbox -X -T tmp -t sandbox_web_t firefox
to cover this security issue, or can we isolate only libflashplayer.so,
not the entire browser.
Daniel, can you comment.
libflashplayer.so runs within the Mozilla-plugin I believe. If so it
would be confined
if you have not turned on the unconfined_mozilla_plugin_transition boolean.
If this is the case we are somewhat protected, and of course you run
with setenforce 1.
sandbox -X will also add more protection.
Is that boolean just very badly named/described, because it certainly
sounds like it works the opposite of what you said above:
"Allow unconfined users to transition to the Mozilla plugin domain when
running xulrunner plugin-container."
The only possible way I can read that is to say that with the boolean
_set_ execution will transition to the confined plugin domain, and with
the boolean _unset_ it will remain unconfined.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
