Security/Sandbox/2017-11-02

Revision as of 15:54, 9 November 2017 by Bobowen

gcp

  • Landed tmpdir handling, got backed out
  • bug 1386404 Stop allowing Linux content processes to access /tmp
  • Subtle issue (well maybe not so subtle) with env lifetimes
  • There's an issue with leaktest as well, it seems to write logs to /tmp from the child and expects to collect them afterwards
  • Will need to rebase to jld patches

Alex_Gaynor

bobowen

  • bug 1399787 - Create a new sandboxed process to run pdfium
    • This is going to be used for PDF printing on Windows (and potentially all printing by going via PDF in the future).
    • In review process.
  • bug 1412827 - Block Symantec DLLs causing ImageBridgeChild::InitForContent with alternate desktop.
    • Landed this to try and reduce Crash in InitForContent bug 1400637.
    • Looks like there has been a reduction, but there is probably a long tail of AVs still causing them.
    • Need to decide if we want to let this roll to Beta and see how bad the problem is there. If not we should move Alternate Desktop to level 5 and let other things in level 4 roll out.
  • bug 1368268 - Crash in `anonymous namespace::ActiveVerifier::StartTracking
    • Had another look at this, the crash level is now very low.
    • Can't see how it is happening, possible change in chromium update will help.
  • bug 1409063 - FF 56.0.1 x64 on W7x64: now creating events in "Microsoft-Windows-Known Folders/ Operational" event log, "Error 0x80070005 occurred while creating known folder" for all known folders, upon each FF startup.
    • I see similar errors to this and it could be sandbox related, but haven't had time to investigate further.
  • Chromium sandbox update.
    • Had a few problems on try that are now all fixed.
    • Tidying up patches now to get them ready for review, won't land until Fx59.

haik

  • bug 1403260 - Remove access to print server from content process sandbox
    • Landed
  • bug 1393259 - Tighten font rules in the Mac content sandbox
    • Planning to use PBackground for messaging, use IO thread for reading font file
  • bug 1404298 - When Running Firefox Stable and Firefox Developer Edition together, eventually tabs begin crashing
    • No luck with minidump so far, not sure it will be useful
    • Reporter ran debug build which provided a bit more info
    • Installed Sophos (Mac Antivirus) and testing locally

jld

  • bug 1411115 - F_SETLK fcntl regression; fixed
  • Yak shaving sequence:
    • bug 1409900 - statfs; backed out for getting the statfs64 args wrong; fixed and relanded
      • Resolved: file a bug so we can actually write tests for this kind of thing
    • bug 1412480 - syscall argument size mistake; fixed (waiting for review)
    • bug 1413312 - sched_get_priority_* mistake; sent patch
    • bug 1413313 - scheduling pid/tid restrictions for content; investigated
      • Chromium did this, discovered later that priority changes were more broken than normal, & changed their threading APIs to accommodate
  • bug 1412480 - LaunchOptions; finally sent for review
  • bug 1412464 - inotify regression; fixed (waiting for review)
  • bug 1409895 - getcwd; found solution, maybe: change mochitests to chrome
  • Reviews (mainly /tmp blocking)
  • Had an opinion on the font bug (bug 1412090; BTW, that affects 57 and we probably can't land anything nontrivial now?)
    • Resolved: relnotes it for 57
  • Also: discovered and filed bug 1412114 -

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • clang-static analyzer and mingw-gcc builds

Round table