Security/Sandbox/2017-09-14

=bobowen

bug 1385207 - Audio over RDP connections not working in 57
- Currently they're saying this should block, so we'd have to pull USER_LIMITED from 56, seems a bit late notice to decide this. Maybe we could add something to the release notes?
bug 1397301 - Crash in sandbox::SharedMemIPCClient::DoCall
- Look like it is something injecting threads into our process to load DLLs and screwing up the stack address alignment. Possible fix by using same blocking technique as 32-bit in BaseThreadInitThunk hooking. Mainly seemed to be triggered by 64-bit migration.
bug 1314801 - Enable PROCESS_MITIGATION_IMAGE_LOAD_POLICY
- Landed.
bug 1380609 - Make Win10 SDK (minimum v10.0.10586.0) required for building Firefox
- Landed.
bug 1347867 - Crash in CrashReporter::OOPInit (Quick Heal Antivirus SCDETOUR.DLL)
- Not sandboxing but spent a fair bit of time diagnosing this, it's for the 64-bit migration.
bug 1395952 - Improve telemetry for failed launch of Windows sandboxed process.
- Landed
- Some data coming in, highest offender so far seems to be down to the exe not being there.

win32k syscall lockdown
- Attempted to improve performance of data collection, without much luck. Appears there's no way to disable printing to the windbg console (with the exception of a hack using .shell, however .shell's quoting rules are incompatible with breakpoints')
- Running some potentially interesting test suites under instrumentation -- still reviewing stacktraces to see what manual testing missed

bug 1363378 - Tab processes not killed on parent crash; turned out to be close-on-exec problem. Fixed.
The big clone() thing:
- Removing ChildPrivileges
- Removing kUnexpectedThreads
- LaunchApp will take a LaunchOptions struct like upstream
  - Which might mean that some of the sandboxing-related things can go there, and maybe GeckoChildProcessHost can be less terrifying?
- Spent days throwing stuff at Try for what turned out to be missing initializers
  - (Which weren't missing before I had to fight the C++ stdlib, but anyway.)
  - But now I know how to add extra stuff to the “timed out after 330 seconds thing”, like dumping everything's kernel stack via procfs
  - tl;dr: Iff the uninitialized int was 0, a process would read stdin & the entire test run would get SIGTTIN and stop and time out
- I still have a bunch of bugs to file…
- Also somewhere in here I mentioned the fd inheritance race condition I commented about in bug 1259852 (and haven't filed bugs for yet)
  - …which led into Mac using posix_spawn to do architecture selection on fat binaries
  - …which we seem to use only for NPAPI, which might not be a problem now that it's only Flash?
bug 1381653 - syscall telemetry in main-summary
- https://github.com/mozilla/telemetry-batch-view/pull/299 — there's a comment about how we're doing the telemetry wrong (?) that I need to make sense of

bug 1391186 - Thunderbird loses setting as default email client when "mailto" triggered by Firefox 56/57
- landed/uplifted
bug 1397257 - [Windows] Awesome Screenshot removing error for a second uninstallation
- landed/uplifted
bug 1393805 - Changes for bug 1332190 broke temporary installations of legacy addons with framescripts
- Kris didn't like the idea of using the per-user extensions dir, got feedback from #testpilot
bug 1388922 - browser_content_sandbox_fs.js fails to detect $PROFILE/extensions not readable on Linux
- Closed wont fix. The profile is on /tmp issue. Have bug 1386404 to address.

bug 1382251 - Brokering https in NPAPI process
- Adobe and Comcast use cases now working
bug 1395321 - Print to file in Flash bug
- Issue is low integrity. No simple fix (easing sandbox settings or brokering) will work.
bug 1394024 - Flash crashes when last microphone removed
- Landed. Uplifting.
bug 1397445 - Remove FILE_EMBEDDED_SERVICEWORKERS telemetry probe
- Landed