Security/Sandbox/2014-07-03
From MozillaWiki
« previous week | index | next week »
3 July 2014
- Windows sandboxing
- Implementing review comments for bug 985252 (Windows gmp/OpenH264 sandbox). Running into issues with process shutdown when the GMP process has already terminated
- Logging
- Warn only sandbox - Fixed linking problem to get round the fact that sandbox_s library is linked in twice. Going to seek reviews.
- Content process
- Started looking at Bug 1018988 - to set temporary dir after lowering the token.
- Mac sandboxing
- Scoped out mac sandboxing
- Hoping André will do most of the actual work and smichaud will help when needed
- Seems more appropriate to use BSD style sandboxing
- Linux/B2G sandboxing
- OpenH264 will soon be filesystem-access-free
- We can even start the sandbox before the library is loaded… but should we?
- jar:http://... problems: https://bugzilla.mozilla.org/show_bug.cgi?id=1031583
- blocks dealing with open() and unlink()
- Supervisor (https://bugzilla.mozilla.org/show_bug.cgi?id=845191)
- fixing issues with epoll wrapper library (https://bugzilla.mozilla.org/show_bug.cgi?id=1031122 )
- implementing parent side of supervisor
- soon testing what has to be remoted
- OpenH264 will soon be filesystem-access-free
Round table
- Where are we with sandboxing for OpenH264 on each platform?
- Windows: 85% confident in Fx33
- Mac: unknown
- Linux: need bent's review for jesup's shared memory patch
- B2G: N/A
Testing OpenH264:
- OpenH264 test page: https://bug999704.bugzilla.mozilla.org/attachment.cgi?id=8436213
- Josh has a patch that you can apply that will cause this page to start the OpenH264 plugin - http://www.w3.org/2010/05/video/mediaevents.html - or you can use WebRTC
- *** pref to enable for H.264: media.peerconnection.video.h264_enabled****
Content process sandboxing starts here:
- https://mxr.mozilla.org/mozilla-central/ident?i=RecvSetProcessSandbox
- https://mxr.mozilla.org/mozilla-central/search?string=SendSetProcessSandbox
Actions
- blassey to get a sandboxing component and module
- jld to verify that the Linux plugin can just be downloaded now