Security/Sandbox/2016-06-09

« previous week | index | next week »

bobowen

• bug 1275813 - Crash in base::win::PEImage::GetProcOrdinal - emailed Kev Needham a couple of days ago - seems to have almost disappeared.
• bug 1276717 - Print Preview and output much smaller than original/document size in one profile - landed and uplifted - relnote added to Fx47 with link to article.
• bug 1278528 - Don't try to initialize the sandbox TargetServices when we are not sandboxed - landed
• bug 1278547 - Don't attempt to delete the content process temp directory when it is the normal temp - landed
• bug 1278537 - Print dimensions aren't passed when printing silently via the parent - patch up for review ... after all the problems I've had with the always_print_silent pref, the thing that annoys me most is that print, being a verb, needs an adverb not an adjective, so it should be always_print_silently.
• bug 1252877 - Add support for taking plugin window captures at the start of a scroll - after delay by some of the above and also a sec bug, I've just got back to this today.

tedd

• bug 1274873 - [landed] gmain signal blocking issue on systems with no TSYNC
• bug 1275781 - [landed] seccomp violation: sys_accept
• bug 1275785 - [landed] seccomp violation: sys_bind
• bug 1275786 - [landed] seccomp violation: sys_listen
• bug 1275920 - [inbound] seccomp violation: sys_rt_tgsigqueueinfo
• bug 1276470 - [landed] seccomp violation: sys_statfs

• Progress on investigating try failures with seccomp enabled:
  • https://bugzilla.mozilla.org/show_bug.cgi?id=579388#c11
  • https://dxr.mozilla.org/mozilla-central/rev/ec20b463c04f57a4bfca1edb987fcb9e9707c364/uriloader/exthandler/unix/nsOSHelperAppService.cpp#1069
  • tl:dr nsOSHelperAppService is executing shell commands in content (blocks seccomp on nightly)

gcp

• bug 1273852 - socket calls. Still dancing around 32-bit/64-bit/Linux kernel version differences
• File system broker with paths - will file bugs
• FYI Chromium has no file access in content/rendered at all :-/

haik

• bug 1272764 - Remove OS X 10.6-10.8-Specific Sandboxing Code - landed
• bug 1272772 - Inline system.sb and remove unneeded rules - landed
• bug 1270018 - NS_APP_CONTENT_PROCESS_TEMP_DIR should only return the sandbox writeable temp - need to make multi-process safe

More updates to https://wiki.mozilla.org/Sandbox/OS_X_Rule_Set https://wiki.mozilla.org/Security/Sandbox/Deny_Filesystem_Access

aklotz

• bug 1276961 - Reviewed