Security/Sandbox/2014-10-30

From MozillaWiki
Jump to: navigation, search


« previous week | index | next week »

Standup/status

Windows

  • Content
    • Minimal content sandbox - have patch running on Try - seems OK, need to file bug and get reviews. It has a pref to set a more strict version of the policy, which is very similar to the old policy. This includes bug 1083850 patch for logging change.
    • bug 1075527 - treeherder patch for the content sandbox mochitests is now Live
  • GMP/EME
    • bug 1088130 - Windows Output Protection gtest - r+ on a patch that tests as far as the start of the OP handshake. Not working on Try, need to get a build machine loan to investigate.

Linux/B2G

  • Content
    • bug 641685 landed, so desktop content sandboxing can be investigated without breaking NPAPI plugins. (GMP+e10s is still a problem...)
  • GMP/EME
    • Trying to get “layer 1” sandboxing to work; bug 986397. (More useful for content, but only GMP is well-behaved enough yet.)
      • Need to decide whether to support the legacy suid sandbox or go user-namespace-only.
    • Have patches for creating an about:sandbox page; bug 1077057.
      • Followups, not filed yet: seccomp-BPF support status in telemetry & FHR.

Mac

  • Content
    • Skeleton patch basically ready for landing at bug 1076385. But one question remains unanswered. And anyway the ruleset is empty for the time being -- it allows everything.
  • GMP/EME
    • Work being done on manual and automated testing at bug 1083284 and (eventually) bug 1088130. Have found new sandbox rules needed to make manual tests pass. Some serious problems still remain with automated tests -- like how to tell programmatically when they've failed. But we now have testcode, derived from Adobe's code fragment, that's sufficiently derived for us to publish it in the tree.

Round Table

  • cpeterson asked dveditz for Google security contacts; no response yet, so I need to follow up

Actions

  • ACTION: cpeterson to find link to Adobe CDM builds
  • ACTION: cpeterson to follow up with dveditz about Google security contacts