17 April 2014
- open stuff is still complicated
- The chromium sandbox doesn't filter open (probably for the same reasons that we are finding it complicated)
- we are wondering what we can do to make IPDL faster (we may make heavy use of it in sandbox)
- libgenlock is using the open syscall frequently, if we turn off open it becomes an issue (this is perf critical)
- may have to use binder to lock down open, but may be more error prone
- If so… how is binder different from `SCM_RIGHTS`?
- Tim spent a lot of the week trying to get it to build
- Looks like it will be pretty simple to get the sandbox applied to the process for openh264
- expects a patch by the end of next week for this
- Integrity levels: we've started to use "low" instead of untrusted
- you can't create D3D device connections from untrusted processes
- Chrome proxies GPU stuff through a GPU process that's got a higher level than the content process
- IE just uses "low"
- jld got seccomp working on x86 kitkat emulator (will be on TBPL)