Security/Sandbox/2017-12-21

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »

haik

  • bug 1404298 - Crashes with read-access content sandboxing triggered by mounted volumes
    • Landed on Nightly, will uplift, this was the Sophos bug, turned out not to be Sophos-related
  • bug 1421262 - Firefox renders garbage viewing PDFs or Google Docs with nVidia driver
    • Appears we need to whitelist an NVIDIA driver, add a sysctl
  • bug 1393259 - [Mac] Remote access to fonts from custom directories, font managers
    • Looking into using sandbox extensions to add access to individual fonts after content has started
  • bug 1421957 - [mac] "Open in Preview" sometimes triggers a "Load the following paper into the rear tray" popup then fails
    • Talked to :jwatt, seems specific to his printer driver, will test with that driver

gcp

  • Landing the enviroment variable patches
    • Failures with clang + win, mingw, macOS
    • macOS looks trivial, would like mingw setup
  • Rebased the other patches in the cascade

jld

  • bug 1393287 sigaction sa_mask filtering — ran into “interesting” JS hazard failure, but eventually landed
    • I'm glad our GC hazard analysis is very thorough, but, wow.
  • Not my bug: bug 1394163, the WebRTC cleanup I've been talking about for months, is finally done
    • And I've verified that it unblocks everything that was blocked on it
  • Also not my bug, but I reviewed part of it: bug 1405877, the audioipc named socket thing, is fixed
    • This removes the 1½-year-old workaround from bug 1259508.
  • bug 1401062: clone(); almost done cleaning up the patches....
  • bug 1213998: chroot() / net namespace isolation for content: works on Try now that WebRTC is fixed
  • bug 1401053: pid namespaces: still have mysterious timeouts on try, but they seem reproducible
  • bug 1411629: the mysterious dbus bug… I have an idea, but I need to ask someone who knows GTK if it makes any sense
  • bug 1421201: mystery EOFs are not sendmsg() failures and I have no idea what's going on here

Alex_Gaynor

  • bug 1359566 - Drop all audio permissions from the content process on mac!
  • Arbitrary Code Guard
    • Scope out the design space for a Out of Process JIT
    • Starting to feel pretty confident about what the path looks like
    • Sent a draft over to the JIT team

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • Back in reviews
  • bug 1415160 - Set process mitigations on NPAPI proc
    • WIP
  • bug 1421944 - Cubeb audio device notification failure
    • Issue was not the old IAudioSession bug. No obvious good solutions -- I'm hoping for a cheap fix.

Round Table

  • win32ksys lockdown
  • q1 planning (okrs) email