Security/Sandbox/2014-06-19

From MozillaWiki



19 June 2014

OpenH264:

  • Windows sandboxing
    • Got review comments today for bug 985252 (Windows gmp sandbox); will implement and re-request review
    • No comment from reviewer in bug 1014002 (blocks gmp sandboxing on Windows); requested June 9th, pinged June 18th
    • Continuing to investigate follow-up issues (ratcheting down permissions)
    • Logging
      • bob is having a problem linking the sandboxing DLL
      • blassey suggests talking to randall barker in #mobile or glandium/gps
  • Mac sandboxing
    • Still waiting on a promise from rstrong about who can run point on this
      • rstrong responded (though he's still out sick) -- we have Andre starting Tuesday with smichaud helping with design and review
    • FYI - rstrong is out with the flu (you probably already knew that) (no, thanks! explains why I didn't hear back when I expected. Hope he feels better soon!)
  • Linux/B2G sandboxing
    • The Chromium open broker was hacked into sort-of-working on B2G; many content-process open()s were filed as bugs. See https://bugzilla.mozilla.org/show_bug.cgi?id=930258
      • Basic functionality was working without whitelisting any syscalls that take pathnames.
    • Question: is anyone looking into building an ioctl whitelist?
      • That is, a whitelist on the "cmd" argument. That argument has been an array-overflow vector in the past, and filtering it can prevent access to vulnerable driver functionality that's not needed (especially if we can't filter open()).
    • B2G IPC doc (incomplete) https://wiki.mozilla.org/User:Tedd/ipc-doc-preview
      • It's an overview of how it generally works
      • next, we will add documentation about how to enforce security settings
      • what are the current security enforcements
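
On the ioctl whitelist question above: the following is an added example, not code from these notes or from the Mozilla or Chromium sandbox, assuming a seccomp-bpf filter is the enforcement point. It builds a filter that permits ioctl() only when "cmd" is on a list, and evaluates it in user space with the hypothetical helper verdict(). The three listed commands, the x86-64 default for NATIVE_ARCH and the little-endian argument layout are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#ifndef NATIVE_ARCH
#define NATIVE_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64; override for other targets */
#endif
static const uint32_t allowed_cmds[] = { TCGETS, FIONREAD, TIOCGWINSZ }; /* constructed list */
enum { N_ALLOWED = sizeof allowed_cmds / sizeof allowed_cmds[0], MAX_INSNS = 9 + N_ALLOWED };
#define LOAD(fld) (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, fld))
#define JEQ(k, jt) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), (jt), 0)
#define RET(v) (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (v))
/* Foreign ABI: kill. Not ioctl: allow (a full policy continues with its syscall
 * whitelist here). ioctl: allow only when cmd is listed, otherwise fail with EPERM. */
size_t build_ioctl_filter(struct sock_filter *f)
{
    size_t n = 0;
    f[n++] = LOAD(arch);
    f[n++] = JEQ(NATIVE_ARCH, 1);
    f[n++] = RET(SECCOMP_RET_KILL);
    f[n++] = LOAD(nr);
    f[n++] = JEQ(SYS_ioctl, 1);
    f[n++] = RET(SECCOMP_RET_ALLOW);
    f[n++] = LOAD(args[1]); /* low 32 bits of cmd; little-endian assumed */
    for (size_t i = 0; i < N_ALLOWED; i++)
        f[n++] = JEQ(allowed_cmds[i], (uint8_t)(N_ALLOWED - i)); /* match: jump to final ALLOW */
    f[n++] = RET(SECCOMP_RET_ERRNO | EPERM);
    f[n++] = RET(SECCOMP_RET_ALLOW);
    return n;
}
/* Evaluate the filter in user space (only the three opcodes it uses) for one syscall. */
uint32_t verdict(int nr, uint32_t arch, uint32_t cmd)
{
    struct sock_filter f[MAX_INSNS];
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { 0, cmd } };
    uint32_t acc = 0;
    for (size_t pc = 0, n = build_ioctl_filter(f); pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + f[pc].k, sizeof acc);
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else return f[pc].k; /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL;
}
```

To enforce the filter rather than evaluate it, pass the array from build_ioctl_filter() in a struct sock_fprog to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) after setting PR_SET_NO_NEW_PRIVS.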