Security/Sandbox/2016-07-07

bug 742434 - [landed] enable seccomp on Linux desktop nightly - landed in mc today, this is the last bug of sblc1 milestone
- example crash report due to seccomp: https://crash-stats.mozilla.com/search/?product=Firefox&reason=~SIGSYS&_sort=-date&_facets=signat
bug 1284912 - [new] performance regression in a single test due to seccomp
bug 1284452 - [landed] add sys_getrandom to seccomp whitelist - added rust stuff uses getrandom() (thanks gcp)
bug 1284458 - [new] nsPluginHost::GetPluginTempDir should return a sandbox writeable temp - looking into patches from haik in bug 1270018

bug 1270018 - NS_APP_CONTENT_PROCESS_TEMP_DIR should only return the sandbox writeable temp - ready to land, sorting out test failure
bug 1274540 - Record sandboxing status in crash reports - will have patch up today hopefully
bug 1284291 - Add the 'com.apple.fonts' service to the sandbox profile. - working on getting macOS Sierra VM

bug 1252877 - Add support for taking plugin window captures at the start of a scroll - patches pretty much ready for review
bug 1280159 - Page Setup Margin Widths use Millimeters Instead of Inches (for paper Legal US e.g.) - landed and uplifted to beta
bug 1273765 - Crash in mozilla::gfx::RecordedSetTransform::PlayEvent - being caused by an invalid cairo surface during print, need to find out why. Also possibly need to look into handling these sorts of problems instead of crashing.

roundtable

divide linux milestones into smaller chunks?
- sblc1: getting seccomp on nightly
- sblc2: remove/restrict read file system access
- sblc3: remove/restrict write file system access
- sblc4: remove/restrict socket access + X11
- slbc5: use chroot & user namespaces
- x11 restrictions milestone?
sbmc1: added 1284588 OS X: Disable content process write access to user files in the home directory