Security/Sandbox/2017-11-30

From MozillaWiki


gcp

  • bug 1257276 Allow specification of environment variables when creating child processes
  • And the cascade of bugs that can be fixed by this
  • bug 1405877 Cubeb audioipc requires a named Unix-domain socket

bobowen

  • bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
    • Looking into not having to create the window at all.
  • bug 1403931 - USER_RESTRICTED for content.
    • After pre-loading a DWrite font and some other rules, got a running process.
    • Audio and some rendering broken.
    • USER_LOCKDOWN and untrusted integrity don't seem to add any more issues; in fact, untrusted only seems to break audio at the moment.
    • Chromium uses some other hooking, which might mean we don't need to pre-load the font.
  • bug 1419739 - Make printing a selection not terrible.
    • This landed, but I've just found some issues, so may have to back out.

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • Adobe is helping with some additional tests (for now)
    • Finishing reviews / cleanup
  • bug 1415162 - Set USER_LIMITED on NPAPI proc
    • WIP
  • bug 1415160 - Set process mitigations on NPAPI proc
    • Most seem fine. One (no dynamic code) totally fails and a few are suspicious but haven't failed anything yet

Alex_Gaynor

  • bug 1419811 - fixed file icons in file:// directory listings - landed
  • bug 1421372 - cleanup macOS sandbox policy rules for file content process - landed
  • bug 1414834 - reland print IPC changes - pending confirmation that bob's print selection changes are good
  • bug 1407693 - do not create files in content process for crash reporting - patch up
  • Handful of IPC secbugs

haik

  • bug 1393259 - [Mac] Remote access to fonts from custom directories, font managers
    • Converting prototype from PBackground to top-level protocol
    • Investigating security impact

jld

  • Has been fighting with Vidyo. For days.
    • The glitchy audio you're hearing (and I'm hearing), from using a full VM because it won't even start with just a chroot/container/flatpak, is the best I've been able to do so far.
    • Firefox WebRTC works fine though….
  • bug 1409895 - The getcwd bug: wrote some JS to fix the tests that were being a problem.
  • bug 1401062 - clone()ify: adjusting patches to make this preffable, because it'll probably break stuff
    • Also I might steal Chrome's longjmp thing instead of doing the syscall directly — it *should* work, but why take the risk.
    • bug 1421146 - Also I found a bug in the build system, but there's a workaround which is what I should've been doing anyway.
  • Trying to comment usefully on all the font bugs.

Roundtable

  • Good uses for sandboxed utility processes?
    • Making sure a file-system read/write operation stays within the intended dir
      • Example: make sure remoted loads for an unpacked extension never load a resource outside of the extension dir
    • Look at PDFium
  • [tjr] Enforcing container isolation in content processes?
    • [jld] Assigning tab children to appropriate processes is one thing; enforcing origin restrictions in IPC (like we did — or at least tried to do? — on B2G) is another.
    • [tjr] Definitely interested in the enforcing-origin-restrictions-in-IPC aspect :)
    • [Alex_Gaynor] this wouldn't be full origin, just OriginAttributes or something like that? Would be easier, since it doesn't require sorting out iframes.
      • [jld] Yes, just OriginAttributes, so no problems with iframes or navigation. This is why I was trying to get people interested in it at the London All-Hands, before e10s-multi shipped
      • [tjr] Even less than OA, just userContextId (container identifier, an int). Each container has its own cookie jar and its own 'view' of all origin data. And yea, no problems with iframes/nav
    • [tjr] files ... https://bugzilla.mozilla.org/show_bug.cgi?id=1422049
  • Meetings in Austin