Security/Sandbox/2014-07-31

From MozillaWiki

31 July 2014

Standup/status

  • Windows sandboxing
    • OpenH264
      • Patch for lowering permissions on GMP sandbox has r+ (with comments). Will address comments by EOW. :cpearce is working through issues that this patch causes for EME, but he's supportive of the changes since they represent much better security for plugins.
      • Test failures for other apps (SeaMonkey - bug 1040939, Thunderbird, Firefox OS Simulator on Windows - bug 1045533) caused by patch in bug 985252 resolved by their respective engineers
    • Logging
      • Bug 1018966 - Warn only sandbox - failing on Windows XP because it was trying to load dbghelp.dll and couldn't resolve SymGetSearchPathW. Adding DELAYLOAD_DLLS for dbghelp.dll to sandboxbroker.dll and plugin-container.exe seems to fix this.
  • Linux/B2G
    • GMP sandboxing got backed out for bustage on LSan builds. Investigating.
      • Bugs: 1046538, 1046539, 1046541
    • Seccomp on the last of the B2G KitKats to not have it: have patches.
      • Bug: 1046525
    • Yet more B2G 2.0 bustage from our friends at Qualcomm QA. Patch out for review.
      • Bug: 1046210
    • Also someone reported breakage on Flame (mremap, apparently) but didn't file a bug yet.
  • Mac sandboxing
    • Steven has updated his patch to current trunk. Andre is working on tightening up its sandboxing rules.
    • Steven tried but failed to increase the number of testcases available (by updating Josh Aas's patch from bug 957928 comment #32). Chris Pearce and others are working on a GMP plugin that could be used to test EME code, but that won't be ready for a while. In the meantime, Brad suggested, why don't we just land what we have? Steven will try to get this done.
    • How about EME plugins? Brad suggested that they will need more access than the OpenH264 plugin (for example to uniquely identify the particular machine they're running on). For the Mac, we'll probably have to loosen our rules, which are already quite restrictive.

Round table

Actions

  • Tim to follow up with :cpearce to see if I can help out with EME sandboxing on Windows