Security/Sandbox/2014-05-22
From MozillaWiki
« previous week | index | next week »
22 may 2014
OpenH264:
- Windows sandboxing - patch got f+, working on review comments. To do: 1) Investigate build test failures with gmp-sandbox patch. 2) Post to dev-platform about building sandboxing code. 3) Implement some combination of build flags and prefs that make sense for enabling/disabling sandboxing of content and gmp processes. 4) (after landing initial patch) Followup bugs for ratcheting down security of gmp process sandbox
- Mac sandboxing - New bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1012949 Smichaud is taking the lead on investigation thus far. Good discussions happening there.
- Linux sandboxing - New bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1012951 No discussion yet. Karlt may be available for this soon - Maire is confirming. In the meantime, will be looking to Ekr to get the initial work jumpstarted.
- Hoping the same guys can then work on EME sandboxing. New bugs for EME work will be opening soon; initially they will just be placeholders until folks are available to start this work (after OpenH264 sandboxing).
- GMP = Gecko Media Plugins : https://bugzilla.mozilla.org/show_bug.cgi?id=957928 More info: https://wiki.mozilla.org/GeckoMediaPlugins
Linux/B2G:
- We can filter on system call arguments now / the Chromium seccomp compiler landed. (https://bugzilla.mozilla.org/show_bug.cgi?id=920372 )
OPEN:
- not very far yet
- another library skia in gecko makes use of open() and we can't modify it
- What does Chromium do, since they use the same code?
- Reach out to Google to find out (Sid to follow up? - Maire will ping him)
- NOTE: Chromium makes calls to GL in a separate process which is a win from a security perspective but can hurt performance -- This may affect how much we can model what Chromium does (its the GL proxy)
- What does Chromium do, since they use the same code?
