Security/Sandbox/2018-03-08

bug 1411401 MinGW Build Doesn't Run
- Thought I could reproduce crashes, then it started running ??)
- Tried running tests. Zero passed. Need to go back to the drawing board.
bug 1425462 Timer Fuzzing landed
- Followup: Fixed 3 intermittents and a heap out of bounds read
Working on Context Seed bug 1440195
- Almost have it, but I'm initializing NSS too early for xpcshell again...
Now that we're close to release, people are concerned about the 2ms timer bump, going to probably have meetings...
Met with De Tar to try to put Memory Partitioning and JIT Constant Blinding on their schedule
Halved build times (I think) in bug 1443252
bug 521435 is the 'Let's use LTO on Linux' bug.
I worked on Mingw x64 builds, but have a symbol error here: bug 1443823 if anyone has any suggestions
- And I filed a bug to add -Wa,-mbig-obj to solve 'too many sections' errors for Mingw x64 bug 1440013

bug 1441598 - Crash in IPCError-content | PPrintProgressDialog::Msg_CancelledCurrentJob Route error: message sent to unknown actor ID
- Patch landed - decided not to uplift to release so close, but might ride along on a dot release.

bug 1438394 The fglrx detection from bug 1376910 is sometimes not working.
- Repro, distro specific, fix on try
bug 1438215 Sandbox breaks ATI fglrx driver
- Not fixable on our side without sandbox disable
bug 1420282 MESA-LOADER: failed to retrieve device information
bug 1416016 WebGL creation failed on some websites on Linux

Audio is broken (if PulseAudio isn't already running and if not remoted)
- bug 1443612 - cubeb preload should've been preffed, not removed (broke in 59)
- bug 1434392 - inotify woes with inherited LD_PRELOAD (broke in 58)
  - Fallout from the MIME service workarounds.
- https://github.com/mozilla/gecko-dev/compare/release...jld:pulseaudio-for-59 is what needs to be uplifted
GL is broken (for some hybrid GPU setups)
- (Still need to update bugs)
- Plan: broker connect() for pathname (non-abstract) addresses; allow local X and bumblebee
- Have patch; confirmed with someone who has Primus working that it does in fact fix things
- Tried getting this stuff to work on a MacBook and a desktop
  - On the MacBook I had trouble getting the kernel to talk to gmux (Apple custom display mux) to use the iGPU
  - (Also you need EFI hacks to do the things you'd do in a PC's BIOS config UI.)
  - On the desktop, monitors aren't a problem, but I still had crashes, *but* late enough to get the policy figured out
- nvidia is fine; the socket is for stuff we're not doing in content
Re bug 1438394 being distro-specific: Debian & Ubuntu have /proc/sys/kernel/unprivileged_userns_clone
- (Ubuntu defaults to 1 (at least on “desktop” installs), Debian defaults to 0, and people who aren't me probably don't change it.)

bug 1348361 - make spawning new content processes not block the main thread
- Failing linux tests from last week are fixed
- Still a handful of failing tests on Android
- Ask me about all the bugs you run into trying to run tests in the Android emulator (bug 1433279, bug 1443816, ...)

bug 1437281 - OSX dragging image to desktop changes OSX File associations
- Have a fix uses a sync message
- Have a fix that doesn't add an IPC message, getting feedback on it
bug 1433577 - [Mac] Enable sandboxing for the Flash NPAPI plugin process
- Should be out for review today
- Using file-dialog read access extensions--turns out the services needed for this are also needed with global read access allowed.
- Enable for Nightly in 61

bug 1366256 - NPAPI sandbox level 3
- camera works but has shutdown issues
bug 1427011 - Crash in CAudioSessionControl::QueueStreamSwitch
- Looks like stale IMMNotificationClient. Probably cubeb.

Roundtable