With two recent commits by deraadt@, it is now possible to find in ps(1)'s STAT column which processes have unveiled (u/U), much like the existing support for pledge (p). In addition to that, a new '-o pledge' keyword was added to show a comma-separated list of active pledges.
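As an added example (not from the post or from OpenBSD itself), here is a small audit script that reads the kind of output the new columns produce and reports, per process, whether it is pledged, whether unveil(2) has been called and locked, and how many pledges are active. The sample ps output embedded below is constructed for this example; its column layout and values are assumptions, not captured output.

```sh
#!/bin/sh
# Constructed sample of what `ps -axo pid,stat,pledge,command` might print on
# OpenBSD after the commits above. STAT carries 'p' for pledged and 'u'/'U'
# for unveil called / unveil locked; PLEDGE lists active pledges or '-'.
SAMPLE='  PID STAT     PLEDGE                                          COMMAND
12345 SpU      stdio,rpath,wpath,cpath,inet,unix,dns           chrome: main
12346 SpU      stdio,rpath                                     chrome: renderer
12347 Sp       stdio,rpath,wpath,cpath,inet,unix,dns,proc,exec firefox
12348 S        -                                               sshd'

# classify_ps: read ps lines on stdin, print "PID pledge-state unveil-state
# pledge-count [NO-UNVEIL]". The trailing flag marks a pledged process that
# never called unveil(2), which is the gap the thread points out for Firefox.
classify_ps() {
    awk 'NR == 1 { next }   # skip the header line
    {
        pid = $1; stat = $2; pledge = $3
        pledged = index(stat, "p") > 0
        pl = pledged ? "pledged" : "no-pledge"
        if (index(stat, "U") > 0)      uv = "unveil-locked"
        else if (index(stat, "u") > 0) uv = "unveil"
        else                           uv = "no-unveil"
        n = (pledge == "-") ? 0 : split(pledge, parts, ",")
        flag = (pledged && uv == "no-unveil") ? " NO-UNVEIL" : ""
        printf "%s %s %s %d%s\n", pid, pl, uv, n, flag
    }'
}

# Run the classifier over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | classify_ps
```

On a real system, replace the sample with live output from `ps -axo pid,stat,pledge,command` to spot long-lived pledged daemons or browser processes that have not locked an unveil view.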
With this you can clearly see the 'U' unveil installed/locked state of the chrome processes, in addition to the active pledges for the different chromium process types (main/renderer/gpu).
By comparison, here's Firefox. You can see only two process types, the main browser process and two content processes. And due to not being privsep from the start, the pledges are incredibly broad and do not afford you as much protection as with chromium. Also note, no unveil(2).
Firefox also lacks an implementation of site isolation for the sandbox, so it doesn't protect sites from each other. If an attacker compromises a renderer, they gain access to all the data for other sites among other things. It can only sandbox the content as a whole, if that.
It means that it's missing proper mitigation of Spectre v1 and similar side channel attacks. It only has the flawed case-by-case mitigations.
Chromium has those weaker mitigations, and in fact they're further along, but they don't consider it to work: v8.dev/blog/spectre.
The Firefox sandbox on Windows lacks site isolation, but it's a better implementation with a compositor process and GPU process among other differences. It also doesn't have the issues tied to infrastructure like X11 and pulseaudio not being designed to support app sandboxing.