Security/Sandbox/2014-06-12

From MozillaWiki

12 June 2014

OpenH264:

  • Windows sandboxing
    • Patch posted for bug 1014002 (blocks GMP sandboxing on Windows)
    • Patch in bug 985252 (Windows GMP sandbox) to receive second review
    • Currently investigating follow-up issues (ratcheting down permissions)
    • Logging
      • Bob Owen working on this; working to get it into automation
  • Mac sandboxing
    • Maire and Sid still looking for an owner
  • Linux sandboxing

Not OpenH264:

  • Linux/B2G:
    • open() (parallel approach to the broker solution): working to implement it in seccomp (loading a whitelist, mprotecting it, hooking open() calls)
    • Kernel support landed for Flame; waiting on upstream for Dolphin
    • The Chromium open() broker compiles, but hasn't been glued in yet; if it works, it could take care of the known non-Gecko cases.
    • Looking at SELinux as a quicker fix if we can't get what we need in seccomp right away

Google meeting summary

  • Lots of people (19 or so)
  • Discussed the open() problem: they used the broker but are looking into the mprotect hack and are happy to collaborate with us on our approach
  • For media plugins they want to use NaCl, and wanted us to implement NaCl too. :(
  • IPC: Google does IPC a bit differently. Julien (intern) is looking into it. We have races in the IPC mechanism, and it is slow and complicated. We are interested to see what they have improved in Chromium
  • Plan to do a quarterly meeting like this for more collaboration (and they're interested in e10s)