On 5/20/14, 10:59 PM, The Wanderer wrote:
> I would have expected that each module involved - Firefox, the sandbox,
> and the CDM - would be running as a separate process, with at least the
> last one nested inside the previous.

I'm not sure what you mean by nesting one process inside the other.

What's possible to do is to have a process start, drop privileges as needed, then load a shared library (the CDM). This is how typical sandbox processes work. But at that point the CDM is in fact running in the (now low-privilege) process.

> I wouldn't have expected effective sandboxing of black-box code
> to be practically possible any other way. (If there are resources on the
> topic which I could use to educate myself on relevant principles, beyond
> the glaringly obvious, I'd be glad to learn of them.)

http://dev.chromium.org/developers/design-documents/sandbox#TOC-The-target-process and http://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design are some resources for a commonly used sandbox. http://en.wikipedia.org/wiki/Seccomp is another commonly used thing.

> Will that be enough? That is, is that (for practical purposes)
> impossible to effectively fake?

If it turns out that it's not, I expect the address space could contain a digital signature of the expected address space with a key that the CDM trusts. The drawback is then that whoever is building the sandbox binary needs to have one of the corresponding private keys (the CDM would obviously contain the public keys).

-Boris
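As an added example (mine, not code from this thread or from Mozilla), the order Boris describes for a sandboxed host process on Linux: lock the process down first, here with PR_SET_NO_NEW_PRIVS and a small seccomp-bpf filter, and only then dlopen() the black-box module so it runs with no more than the process kept. It assumes Linux on x86_64 or aarch64 and glibc 2.34 or newer (older glibc needs -ldl); exec_is_blocked() and the probe path are constructed for illustration.

```c
#include <dlfcn.h>
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define HOST_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define HOST_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Step 1: drop privileges. Here: forbid exec, and forbid ever regaining
 * privilege (NO_NEW_PRIVS). A real sandbox would also setresuid() away
 * from root first and use an allow-list of syscalls, not this deny-list. */
int lockdown(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    /* Required for unprivileged seccomp; also stops setuid binaries later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Step 2: only now bring the black-box module into the process. It runs
 * with whatever the process still has, which is why the order matters. */
void *load_module(const char *path) { return dlopen(path, RTLD_NOW | RTLD_LOCAL); }

/* Probe (constructed): execve() of a path that does not exist fails with
 * ENOENT in an unfiltered process and with EPERM once the filter is live. */
int exec_is_blocked(void) {
    char *const argv[] = { NULL };
    execve("/nonexistent-constructed-path", argv, argv);
    return errno == EPERM;
}
```

Call lockdown() before load_module(); anything loaded before the filter is in place runs unconfined.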
_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance