Security/Sandbox/2017-11-02
From MozillaWiki
« previous week | index | next week »
gcp
- Landed tmpdir handling, got backed out
- bug 1386404 Stop allowing Linux content processes to access /tmp
- Subtle issue (well maybe not so subtle) with env lifetimes
- There's issue with leaktest as well, it seems to write logs to /tmp from the child and expects to collect them afterwards
- Will need to rebase to jld patches
Alex_Gaynor
- bug 1411984 - Use buffered IO when writing data for print IPC
- bug 1412643 - Fixed "print selection"
bobowen
- bug 1399787 - Create a new sandboxed process to run pdfium
- This is going to be used for PDF printing on Windows (and potentially all printing by going via PDF in the future).
- In review process.
- bug 1412827 - Block Symantec DLLs causing ImageBridgeChild::InitForContent with alternate desktop.
- Landed this to try and reduce Crash in InitForContent bug 1400637.
- Looks like there has been a reduction, but there is probably a long tail of AVs still causing them.
- Need to decide if we want to let this roll to Beta and see how bad the problem is there. If not we should move Alternate Desktop to level 5 and let other things in level 4 roll out.
- bug 1368268 - Crash in `anonymous namespace::ActiveVerifier::StartTracking
- Had another look at this, the crash level is now very low.
- Can't see how it is happening, possible change in chromium update will help.
- bug 1409063 - FF 56.0.1 x64 on W7x64: now creating events in "Microsoft-Windows-Known Folders/ Operational" event log, "Error 0x80070005 occurred while creating known folder" for all known folders, upon each FF startup.
- I see similar errors to this and it could be sandbox related, but haven't had time to investigate further.
- Chromium sandbox update.
- Had a few problems on try that are now all fixed.
- Tidying up patches now to get them ready for review, won't land until Fx59.
haik
- bug 1403260 - Remove access to print server from content process sandbox
- Landed
- bug 1393259 - Tighten font rules in the Mac content sandbox
- Planning to use PBackground for messaging, use IO thread for reading font file
- bug 1404298 - When Running Firefox Stable and Firefox Developer Edition together, eventually tabs begin crashing
- No luck with minidump so far, not sure it will be useful
- Reporter ran debug build which provided a bit more info
- Installed Sophos (Mac Antivirus) and testing locally
jld
- bug 1411115 - F_SETLK fcntl regression; fixed
- Yak shaving sequence:
- bug 1409900 - statfs; backed out for getting the statfs64 args wrong; fixed and relanded
- Resolved: file a bug so we can actually write tests for this kind of thing
- bug 1412480 - syscall argument size mistake; fixed (waiting for review)
- bug 1413312 - sched_get_priority_* mistake; sent patch
- bug 1413313 - scheduling pid/tid restrictions for content; investigated
- Chromium did this, discovered later that priority changes were more broken than normal, & changed their threading APIs to accommodate
- bug 1409900 - statfs; backed out for getting the statfs64 args wrong; fixed and relanded
- bug 1412480 - LaunchOptions; finally sent for review
- bug 1412464 - inotify regression; fixed (waiting for review)
- bug 1409895 - getcwd; found solution, maybe: change mochitests to chrome
- Reviews (mainly /tmp blocking)
- Had an opinion on the font bug (bug 1412090; BTW, that affects 57 and we probably can't land anything nontrivial now?)
- Resolved: relnotes it for 57
- Also: discovered and filed bug 1412114 -
handyman
- bug 1382251 - Brokering https in NPAPI process
- clang-static analyzer and mingw-gcc builds
Round table
- QA Firefox 59 feature testing pi-requests deadline is Nov 3
- https://chromium.googlesource.com/chromium/src/+/a5c5b124d0824a541434024f9521f583d87028b8%5E%21/#F0