Security/Sandbox/2018-02-15
From MozillaWiki
tjr
- bug 1435296 [Spectre] Landed the 2ms bump in Nightly and Beta
- A lot of my time
- bug 1425462 [Spectre] Timer Fuzzing
- Moved this forward and cleaned things up
- TODO: Float Fuzziness, Replace SHA() with AES-CTR, Probably Thread Safety
- bug 1430841 [Spectre] Float Fuzziness
- Think I have defined all the correct invariants of how things should behave
- Then I think I proved they contradict each other and can't be satisfied.
- Most of the rest of my time
Alex_Gaynor
- bug 1407693 CrashReporter no longer creates files in content!
- bug 1438209 Small regression with dummy CrashReporter, patch up
- bug 1405088 Remove final file-write permissions from macOS content sandbox!
- Note sent to dev-platform
- bug 1348361 Remove sync IPC from process launch, taking over from :spohl
- Not much progress to report yet, tons of nasty merge conflicts
- bug 1435434 Remove several usages of enablePrivilege from talos
gcp
- Some more fiddling with X11 interception
- Linux distros and unprivileged namespaces
- Recovered the fglrx machine
- We don't work correctly, investigating:
- bug 1438215 Sandbox breaks ATI fglrx driver
handyman
- bug 1415160 - Set process mitigations on NPAPI proc
- landed
- bug 1366256 - NPAPI sandbox level 3
- plan to submit next week if all goes well with bug 1415160
- bug 1358372 - sndvol.exe shows multiple volume sliders for browser
- beta uplift issues
- bug 1358372 - Crash in _EH_prolog3
- Turned out not to be from bug 1358372. Looks to me to be COM related but I see no issues on our end
haik
- bug 1436566 - [Mac] Land disabled-by-default sandboxing for the Flash NPAPI plugin process
- Landed, Softvision to test it this week, behind pref security.sandbox.mac.flash.enabled
- bug 1433577 - [Mac] Enable sandboxing for the Flash NPAPI plugin process
- Working on understanding plugin code enough to enable both Flash versions
- Planning to use option-click to disable "safe mode", posted some UI mockups to the bug
- Will wait to see how Softvision's testing goes
- Try to lock down the process more
- Linux?
jld
- bug 701083 - I found why Vidyo wasn't working outside a VM for me
- But that might not be everyone's bug
- bug 1436882 - I broke gdb by forgetting the signal number in clone(), but it's fixed now
- bug 1434927 - The mysterious performance regression has been "fixed" by adding a time.sleep to the test runner
- I managed to reproduce something similar by experimenting with the unshare(1) shell command, & studied it with perf(1)
- Creating network namespaces is... barely noticeable in cpstartup & insignificant otherwise
- Destroying network namespaces is more expensive, and async, and entangled with various kernel synchronization things
- And so the kernel cleaning up the *last* test run is blocking the clone()s
- bug 1434528 - The AppArmor / LightDM guest session bug
- Will land my workaround & file a bug upstream
- (Was going to attempt a PR, but the profiles are... nontrivial)
- SysV IPC still has problems
- bug 1438394 - fglrx isn't always being detected
- No idea what this is.
- bug 1438391 - VirtualGL is using SysV SHM early
- bug 1438401 - surprise shmget from Cairo
- Maybe Cairo using XCB instead of Xlib?
- Which also means maybe we didn't need to duplicate the XShm thing, but oh well
- bug 1438394 - fglrx isn't always being detected
- nvidia is still causing problems
- bug 1438389 - chown()
- connect() - not filed; going to email them when everything else isn't breaking
round table
- note, Bob and David on PTO next week, jimm offline mostly in Toronto
- Americans off on Monday (Presidents' Day!)
- Site Isolation