On Fri, Sep 20, 2019 at 10:00:32AM -0500, joshua stein wrote: <snip>
> These patches are being tracked upstream and landry@ will help to > get them integrated once they are stable, although this review > process may take a while and it will probably take a while before > they reach a mainline release: > > - sandbox GPU process on OpenBSD with pledge(): > https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580268 > > - enhance sandbox on OpenBSD with unveil(): > https://bugzilla.mozilla.org/show_bug.cgi?id=3D1580271 > > As for testing, please try all of your normal Firefox usage as > everything should still work. I've tested all of these things: > > - Launching with an existing profile or letting it create a new one > in ~/.mozilla > - Basic multi-tabbed and multi-window browsing > - Add-ons (Bitwarden, uBlock Origin, Tunnelbear VPN, etc.) > - Playing a YouTube video with sound > - Webcam access > - Accelerated graphics with MOZ_ACCELERATED=3D1 (verifying > about:support shows HW_COMPOSITING enabled and detailed GPU #1 > info), viewing some WebGL benchmark sites > - File->Open, can only view ~/Downloads (this is the main process) > - When a file is selected, it is able to be opened as a file:// > URL (this is a content process reading it) > - When uploading a file, only ~/Downloads can be seen (or a > read-only directory like ~/Photos specifically added to the > security.sandbox.unveil.main list) > - Executing a 3rd party app via GIO/XDG such as mupdf for opening > PDFs > - Executing a 3rd party app from ~/.mailcap such as xpdf for PDFs > - Printing via CUPS Everyone using firefox should definitely add its own usecases on top and test this. The idea is to refine the paths list until we have something we're confident with, then defaults will be pushed upstream. In the meantime, we'll work with upstream to get the plumbing/logic commited, as it can be done independentely from the paths list. If ppl have a hard time building with the patches, my beta pkgs for 70 available as usual at https://packages.rhaalovely.net/snapshots/amd64/ have some variation of the patches built from this git branch: https://cgit.rhaalovely.net/mozilla-firefox/?h=unveil I will keep this git branch updated with the patches posted upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1580268 & https://bugzilla.mozilla.org/show_bug.cgi?id=1580271 Many thanks jcs@ for working on this, and i hope to get them tested/polished enough by november so that it can get commited around p2k19. Landry
