On Fri, Sep 20, 2019 at 10:00:32AM -0500, joshua stein wrote: > (I'm going to keep trying to send this until I get it right!) > > > I've been working on enhancing the security of our Firefox port over > the past couple weeks and would like some wider testing. > > - Firefox's GPU process gains pledge(2) support, now all three > process types (main, content, and gpu) are pledged. > > - The inet permission is removed from content processes as they work > without it. > > - All three process types gain unveil(2) support to limit filesystem > access. Similar to our Chrome port, ~/Downloads and /tmp become > the only major directories that the main process can read from and > write to (aside from some other Firefox- and Gtk-specific > cache/support directories like ~/.mozilla) and that the content > process can read from for viewing files as file:// URLs.
I'm running Firefox with this patch, I did not encounter any issue with my typical daily usage.
