Security/Sandbox/2017-10-19

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »

gcp

  • bug 1386404 Stop allowing Linux content processes to access /tmp
  • 57 regression hunting
    • nice bug where freeing 6000 nsTArrays hangs shutdown
    • minor feature breakage like addon compat and private browsing

haik

  • bug 1404919 - Fonts don't display correctly since update due to content-process sandboxing on macOS
    • Landed, Beta uplift
  • bug 1403260 - Remove access to print server from content process sandbox
    • Finishing up, should post for review today
    • Printing refactoring big job
  • bug 1398908 - Add automated test that uses nonexistent script from extension JAR file
    • Landed
  • bug 1393259 - Tighten font rules in the Mac content sandbox
    • A bit more research, needs more debugging

Alex_Gaynor

  • bug 1319423 - Don't create files on disk from content from print IPC
    • Landed
    • Just this morning someone filed a regression in printing to PDF... so that's going to require some debugging
  • Write up a plan for the macOS GPU lockdown work
  • bug 1409747 - Fixed compilation on macOS with --disable-sandbox
  • bug 1407693 - Don't create files from content process on process crash
    • Had a working patch, except the approach is non-workable for windows, so back to the drawing board

bobowen

  • bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
    • Attempt to reduce occurences by ... bug 1410073 - Load user32.dll immediately after the DLL Blocklist is in place.
  • bug 1401095 - Can not open any web page if Firefox is launched from a new desktop
    • This appears to be broken from Fx50 (level 1), the alternate desktop actually fixes it, I want to work out why.
  • bug 1372823 - Extend BaseThreadInitThunk gatekeeping to support Windows 64-bit
    • Finally tracked down all gtest threading/timing issues and landed, hopefully fixes bug 1397301.
  • bug 1407766 - Nightly 58 displays blank pages in the browser after Symantec Endpoint is installed
    • This was because we were blocking a DLL that they inject as a static import and so we crash.
  • Started working on chromium sandbox update, hope to have patches up tomorrow.

jld

  • Landed the bug 227246 workaround / fix for bug 1406971 and bug 678369 and bug 147659
  • Fixed ioctl fallout
  • bug 1408568 — rejected syscall reporting XPCOM bindings assert-failed with file content processes
  • bug 1408487 — WebRTC STUN is still calling getifaddrs; filed bug
  • Continuing to get old patches out of my local topic branches
  • Filed more chroot blockers
    • bug 1408497 — inotify; MIME service again
    • bug 1409895 — getcwd; probably just tests
    • bug 1409900 — statfs and quotactl; unsure because this goes back to the original strace-scraping
  • Got audio remoting + bug 1385258 + future sandboxing semi-working on Try
    • Just did namespace/chroot, not corresponding seccomp-bpf tightening (yet)
    • chroot breaks a few tests because the cwd is different
      • I thought I saw someone recently suggest that CurWorkD shouldn't even exist....
    • pidns causes mysterious timeouts that I'm still trying to diagnose
      • opt-only, yay

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • Finishing up actor work
    • need to determine importance of shmem work
    • will punt on initial thread pool idea (could produce deadlocks without)

Round table