Be sure to test this! jcs@ has done the seemingly impossible: in addition to further refining the pledges for Firefox and adding new pledges for the GPU process, he's also done the heavy lifting to add unveil(2) support, reducing the very broad {r,w,c}path filesystem access.

RT @jcs@twitter.com I've been working on enhancing the security of OpenBSD's Firefox port over the past couple weeks and would like some wider testing jcs.org/patches/ff-port-unveil

@brynet does unveil actually work in this, unlike in the chrome package?

@brynet I looked at the Firefox sandboxing code when I PoC'd getting VCVRack sandboxed. The (MacOS) code was easy enough to comprehend that I could see porting pledge/unveil over very easily. The Windows and Linux implementations of the abstraction were… not good.
