Security/Sandbox/2018-01-18
From MozillaWiki
haik
- bug 1431441 - [Mac] Start the content sandbox earlier
- Hacked together a build that passes sandbox arguments on the command line and starts sandbox very early
- Had to add in filesystem read access for now to work around ICU issue stat'ing files
- Add in some new services, some implicit services are blocked
- Many test failures to debug
- https://treeherder.mozilla.org/#/jobs?repo=try&revision=bea657178916ca24fab7c311c8a954f8b68ac19a
gcp
- bug 1430118 Child process logging doesn't work (again) when sandboxing is on
- Problems attaching debugger to sandboxed content processes
- bug 1386404 Stop allowing Linux content processes to access /tmp
- investigating with #ateam, might be shutdown hang
Alex_Gaynor
- bug 1407693 - Don't create files in crash reporter; working through failing tests
- bug 1426807 - crash in printing with a11y on Windows; waiting for feedback
- Reviewed Nika's process-per-origin doc
bobowen
- bug 1423628 - Stop processing native events in the content process
- bug 1396984 - Scrollbar becomes black on first connection of second screen
- Tracked it down to failing NtGdiDrawStream calls in DrawThemeBackground, can't see why they're failing at the moment.
- bug 1430744 - Stop processing native events in the content process on Windows in Nightly
- Just realised my patch doesn't check for Nightly so need to add that and land.
- bug 1396984 - Scrollbar becomes black on first connection of second screen
- bug 1421944 - Webrtc microphone input broken in Windows Insider Preview Build 17046
- Fix in insider build and confirmed by original reporter.
jld
- bug 1243108 - Tried to repro the sendmsg bug in rr; rr is (understandably) slow on it; failed to repro. Might try running in a loop overnight.
- bug 1151624 - Realized why pid namespace isolation was failing on Try, after it failed locally while dogfooding
- The profiler / BackgroundHangMonitor uses tgkill(getpid(), …); I remapped in seccomp-bpf, but that doesn't help pre-sandbox
- (It got ESRCH, failed a debug-only assertion, and locked up in a complicated way involving 3 different threads)
- bug 1401062 - The clone bug could land, but I'm deferring it until post-59-freeze
- Risk would be GMP-only, so we could easily miss problems until release
- bug 1430949 - Filed separate bug for network namespace isolation
- Investigated with LD_PRELOAD shim whether we're doing other socket stuff pre-sandbox (e.g., DBus), but I see only X
- bug 1386019 - Wrote the rest of the miscellaneous-audio-stuff patch
- bug 1430274 - …and realized that I broke ALSA in 58, but there's a bug from a few days ago with a patch
- …which Telemetry would've told us if we'd been monitoring it in a more organized way
- I have some ideas for tooling here.
handyman
- bug 1382251 - Brokering https in NPAPI process
- landing (in 60)
- bug 1429643 - Limit SSL brokering to 64-bit
- ready
- bug 1358372 - sndvol.exe shows multiple volume sliders for browser
- WIP tests
- Writing up the bug report for MS
- bug 1411379 - Flash needs registry access to run updater at reboot
- bug 1429032 - Flash cannot launch AIR installer
- Not granting special permissions
Tor Dev Meeting - March 11th
- Especially https://bugzilla.mozilla.org/show_bug.cgi?id=1322426