Security/Sandbox/2017-08-31

From MozillaWiki

bobowen

  • bug 1385928 - Mozregression launched nightly after 2017-07-30 don't load start page
    • Chromium change landed and uplifted to Beta.
  • bug 1392570 - Firefox fails to launch on Windows 7 when already running in a job.
    • Waiting for data collection review.
  • no bug yet - improve telemetry when sandbox child fails to launch.
    • Should have patch for this tomorrow.
  • Widevine issue solved by hooking function and thanks to help from dmajor, aklotz and handyman with the hooking.
  • bug 1394370 - Sandbox security level 3 makes GetClipBox WinAPI function to return NULLREGION for desktop.
    • Weird side effect of using JOB_OBJECT_UILIMIT_HANDLES in the content process, seems like a Windows bug maybe.
    • Goes away once we start using an alternate desktop, which possibly explains why it isn't seen with chromium.

haik

  • bug 1391186 - Thunderbird loses setting as default email client when "mailto" triggered by Firefox 56/57 on 10.11
    • Root caused, working on fix
  • bug 1392988 - Firefox 55.02 on macOS High Sierra cannot play AES encrypted video
    • Landed, will uplift to 55
  • Not sandboxing bug 1350642 - Remove the PBrowser::Msg_GetTabCount sync IPC
  • A little sick, may be taking PTO

jld

  • Tried to have fun with the AudioIPC prototype (bug 1391523)
    • Ran into bug 1394163 — WebRTC is still doing PulseAudio
    • Might not be *using* it, but it's starting it
    • I wonder if we have sandbox rules for an unused extra instance of PA….
  • And then wound up buried in child process handling
    • Was trying to just get rid of SandboxEarlyInit before we accumulate even more technical debt there
      • Original plan: clone() processes directly
      • But I thought I had a way to make wrappers (like chrome-sandbox) work without confusing IPC about multiple PIDs
        • I was wrong. So very, very wrong.
        • But now I know more things about IPC
    • Also had an idea about bug 227246, but actually no.
    • bug 1259852 is sort of related, but also, I found bugs on Mac and BSD; need to file
    • Almost but didn't quite comment on bug 1348361
      • I'm wondering if fork() is starting to be a perf bottleneck
      • vfork is scary and would force sandboxing to use wrappers (and async pid)
      • Chromium uses a low-overhead “zygote” process to fork (-> async pid)

Alex_Gaynor

  • bug 1229829 - Alternate desktops on Windows
    • Finally identified the cause of the GMP failures!
    • Patch up which is green, patch to Chromium's sandbox to fix the issue
  • win32k lockdown
    • Hit frustrating roadblocks in collecting stacks from test
    • Did more manual stack collection to make sure we had coverage

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • Eliminated runtime ASSERT hacks with deeper template metaprogramming.
  • bug 1388903 - invalid HWND in PrintDlg
    • Removing the dialog parent HWND (using DLLInterceptor). This will not survive some sandbox hardening e.g. Alternative Desktop.
    • Brokering also works but ignores Adobe's callback, which is probably just styling. I like this for a long-term solution (it works with automatic brokering).
    • Expect to uplift

Roundtable

  • IPC base::ChildPrivileges — does anyone need it?
    • B2G doesn't; Linux was going to but might not; Windows uses it for the “is a file process” bit
      • I'm probably going to remove Windows dependency here and pass in a sub-process type string into GeckoChildProcessHost, so that it can be used for policy differences.
      • Linux might use it after all
      • bug 1316153 for removing the B2G leftovers
  • 3 weeks to 57 beta merge
    • projects status