Security/Sandbox/2016-09-01

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »

haik

  • bug 1228022 - Trigger print jobs from the parent instead of the child for OSX - working on code review feedback
  • bug 1290619 - Content sandbox rules should use actual profile directory, not Profiles/*/ regex's - addressing xpcshell-test breakage, out for re-review
  • bug 1299329 - Remove printing-related privileges from content process sandbox - testing with things that sound print-related removed

bobowen

  • bug 1287426 - Update security/sandbox/chromium/ to Chromium stable channel version 49.0.2623.112 - problem with USER_NON_ADMIN access token level - still have issue with USER_NON_ADMIN access level token.
  • bug 1259601 - Add sandbox status to about:support (added security.sandbox.content.level for all OS) - landed, waiting for aurora patch review.
  • bug 1259087 - Add Windows sandboxing information to Telemetry (added security.sandbox.content.level to environment for all OS) - on inbound.

cr

(more to come)

gcp

  • [Bug 1289718] Construct a seccomp-bpf policy for file access on Linux Desktop
  • Adding syscalls to file broker
  • tried removing umask (fail, PA), wait4 (ask jld), times (ok)

jld

  • Filed bug 1299581 on the mysterious wait4 thing
  • Has been poking at file broker patches…

pauljt


handyman

  • bug 1251202 - Implement Default Audio Device Notifications for NPAPI plugins on Windows.
    • Started.
    • Haven't learned yet how to test this.
  • bug 1241250 - Prezi frozen at loading on fresh profile with latest Nightly 64 bits
    • Issue is network communication
  • bug 1171393 - Remove requirement for TEMP dir write access for Windows NPAPI process sandbox
    • Tried the tests locally with 6/4/2015 repo to see why build fails. A quick look was unable to figure what broke.
    • I'm done trying to be thorough. Believe issue is resolved. Will discuss and close the bug.
  • bug 1299611 - Adding policy rules to the Windows sandbox can cause a buffer overrun
    • Didn't realize this code was from upstream. Will report issue with patch to Chromium.

spohl

  • bug 1202910 - Content sandboxing issues due to NPAPI plug-ins.
    • Read up on NPN_PostURLNotify and NPN_PostURL to understand what needs to be done here.
    • need-info'd jld to confirm my understanding of what needs to be done

Roundtable

  • Potential plan for security.sandbox.content.level after write access is removed:
    • Nightly right now has level=1, no ~/Library read/write access, no Profile dir read/write access (except /extensions, /weave)
    • Proposed changes:
      • level = 1: no home write access
      • level = 2: no home write access + no ~/Library read or write + no Profile dir read or write (excluding /extensions)
      • Nightly would be set to 2. While level=1 could ride the trains.
      • Changes definition of levels over time.
      • If there is a Mac problem with remote printing, would need to set print_via_parent=false, level=0.