Security/Sandbox/2016-08-11

From MozillaWiki

haik

  • bug 1228022 - Trigger print jobs from the parent instead of the child for OSX - it's working, but font nametable part not done yet
  • bug 1290619 - Content sandbox rules should use actual profile directory, not Profiles/*/ regex's - should have patch out todayish
  • bug 1286480 - [10.12] Widevine CDM always crashes on Amazon since upgrade to macOS Sierra - 1-line plugin sandbox fix, want to investigate a bit more

bobowen

  • bug 1287446 - Print progress dialog, [Cancel] button is truncated with long document title - uplifted
  • bug 1287426 - Update security/sandbox/chromium/ to Chromium stable channel version 49.0.2623.112 - problem with USER_NON_ADMIN access token level - impersonation token on main thread (initial weaker token before lockdown) gets replaced when ::CoInitializeSecurity is called in MainThreadRuntime::InitializeSecurity with one for NT AUTHORITY\ANONYMOUS LOGON with untrusted integrity, so other reads after that fail. Haven't worked out why this happens when USER_NON_ADMIN is used as the lockdown token. Only changes I can see in that area are around lifetime management of token handles, so wondered if the token is getting deleted somehow.
  • bug 1288194 - [e10s] Some SVG images do not print - two separate issues - landed and uplifted

tedd

gcp

jld

  • bug 1290896 — Fixed the mysterious Skylake bug by allowing readlink.
  • Filed some bugs from the syscall meeting Tuesday
    • bug 1294286 — clock_getres is a pid/tid lookup; handle like clock_gettime
    • bug 1294288 — getdents fact-finding mission

Roundtable

  • Bug 942698 - Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop
    • meta?
  • Bug 983358 - Get an early sense of how hard it will be to sandbox open() calls
    • fixed?
  • The Linux temp file thing
    • Action: file bug for maybe someday removing the content temp dir
    • Action: file bug for using memfd_create where available