Security/Sandbox/2015-02-12

From MozillaWiki
Jump to: navigation, search


« previous week | index | next week »

Standup/Status

Windows

  • GMP/EME Sandboxing
    • bug 1129369 - Turn on DEP_NO_ATL_THUNK, BOTTOM_UP_ASLR and MITIGATION_STRICT_HANDLE_CHECKS process-level mitigations - landed.
  • NPAPI Sandboxing
    • bug 1132021 - Add a new sandbox level for Windows NPAPI to use USER_LIMITED access token level. - landed

Linux/B2G

  • Content Sandboxing
    • Still looking like it can't happen on desktop.
  • GMP/EME Sandboxing
    • Can get chroot + network namespace isolation relatively easily, if user namespaces supported, then follow up with pid namespaces.
  • Other Linux work
    • bug 1088387 is finally ready for review.
      • (But it needs a better title…)

Mac

  • Content Sandboxing
    • addressed issues mentioned in the past meeting:
    • hopefully printing and printing to pdf on 10.10 based on logs sent by smichaud
    • allowed file read/write access inside $HOME minus $HOME/Library
    • added "security.sandbox.macos.content.moreStrict" preference, 1 enables sandbox and should be default
    • waiting for review of 1083344

Chromium

  • bug 1102195 - Update security/sandbox/chromium/ to Chromium stable channel version 40.0.2214.111 - landed.

Round Table

  • EME:
    • The EME team plans to ship in 38. We have twice-weekly EME standup meetings (Monday/Thursday).
      • Do we still want our EME sandboxing meeting? cpeterson to follow up in email.
    • OS X CDM may start in a couple months.