Security/Sandbox/2017-07-27

« previous week | index | next week »

haik

• Landed:
  • bug 1380690 - [Mac] Automatically determine the repo dir so that MOZ_DEVELOPER_REPO_DIR isn't needed
  • bug 1376496 - Follow-up fixes to moz-extension remoting support in 1334550
  • bug 1380156 - Loading temporary an unpacked extension breaks extension page's CSS in OOP Extensions
  • bug 1383841 - [Mac] Disable sandbox violation logging by default
    • Perf-related
• bug 1384153 - Artifact builds broken crashing content tabs on latest autoland to m-c merge
• bug 1384209 - [Mac] Remove com.apple.coreservices.appleevents from the content process sandbox
• Researching iokit use

Alex_Gaynor

• bug 1383818 - Remove access to ocspd mach service
• bug 1384677 - Remove access to cookied mach service
• bug 1384941 - Remove access to mach services related to cameras
• bug 1382739, bug 1384224 Hardlinks in the build process
• win32k
  • Scripts now in a real repo: https://github.com/alex/win32k-stuff
  • Working on instrumenting a test run

bobowen

• landed
  • bug 1383611 - Widevine CDM 984 x64 and x86 blocked by sandbox on Win10
  • bug 1364137 - Windows SDK directory not detected properly on 64-bit python
    • Should be able to move to requiring Win10 SDK now and so fix bug 1314801.
• bug 1384327 - Nightly & kaspersky antivirus cause a big issue at start-up
  • Looks like injected code is now failing in the content process and causing issues.
• bug 1369669 - Unable to preview files from google drive
  • Patch to resolve the child exe path before launching on try (or at least I think it is).
• bug 1379951 - a11y crashes [@ GetProxiedAccessibleInSubtree ]
  • Couldn't reproduce this now, but I noticed that the pre-Beta report suggested it was down to firefox being run from a symlink/junction point, so might be same issue as bug 1369669.

gcp

• Landed bug 1308400 Construct a file broker policy for default-deny read access on the Linux Desktop
• Some fallout: WebGL, userChrome.css
• bug 1384483 userContent.css gets blocked with sandbox level 3 on Linux
• Testing wrt MOZ_DEV_REPO_DIR and out of tree builds: looks like it's working fine, had some orange, but probably not from sandboxing
• Updated documentation

jld

• Everything is broken.
• socketpair
  • SOCK_CLOEXEC: bug 1383888
• bind() et al.
  • The NIS thing: some Mesa drivers call getpwuid_r on getuid() to put the username in a shader cache dir
    • Can set MESA_GLSL_CACHE_DIR; need to file bug (see also Bug 1380051)
• SysV (backed out)
  • ALSA broke again, because (1) no AC_DEFINE(MOZ_ALSA), and (2) it uses shm as well as semaphores
  • fglrx uses semaphores (& maybe also shm?)
    • Do I need to requisition a test machine with an AMD GPU? (what do you need to know?)
    • Should be easy enough to check for “Catalyst” (or probe libs with RTLD_NO_LOAD) and set a flag to allow shm
  • Mysterious graphics things where Cairo (maybe via our GTK stuff) talks directly to X and uses shm
    • (My unease about all the conditionals in that code is vindicated....)
    • Can't reproduce; #gfx had some reasonable-sounding suggestions but they didn't help.
    • Might need to ask karlt
• read restrictions
  • The DRI sysfs thing from yesterday (bug 1384718)
  • (Are we noticing a theme of GPU drivers causing problems?)
• ioctl et al.
  • Going for default-deny ioctl; found some surprises.
    • Side effect: FFMPEG log messages will probably stop using ANSI colors
  • bug 1384292 - “sctp_userspace_get_mtu_from_ifn is broken and useless on non-Windows platforms”
    • Media people filed upstream bug; might not be useless upstream, but definitely broken
• link/symlink/rename removal
  • Seems to work; merge conflicts with symlink magic, but fixed
• Filed bug 1383888 when I noticed we'd forgotten readlinkat; needs to be part of “read restrictions” deliverable.
• Small adjustments to big syscall spreadsheet (https://docs.google.com/spreadsheets/d/12wk_5n5PDzgqXCjmCUnblsXw5QdR5gGYroBxtCrYVBU/edit)
  • This may not be the best way to visualize this information
  • (e.g., fussing over syscalls that are mostly harmless because there are a lot of them and each of them is a line, while ignoring the X11 socket, is… not ideal)
• Haven't been approached about Widevine v984 yet.

handyman

• bug 1382251 - Brokering https in NPAPI process
  • Made more generic. Brokers all calls through 1 IPDL method.
  • Both IPDL sides (client/server) are now automatic.

Round Table

• Bug 1344776 - MOZ_LOG doesn't work for child processes because of sandboxing, other OS but Windows
  • Bug 1345046 - Create a low level API for logging that is sandbox friendly.
• VMP - new "verified media path" for widevine issue
• Do we still need bug 1343283 before roll-out - perhaps we should have it in 55, but might be too late.
• Remove MOZ_DEV_REPO_DIR from tree, ExtensionProtocolHandler dependency