Security/Sandbox/2016-08-11

bug 1228022 - Trigger print jobs from the parent instead of the child for OSX - it's working, but font nametable part not done yet
bug 1290619 - Content sandbox rules should use actual profile directory, not Profiles/*/ regex's - should have patch out todayish
bug 1286480 - [10.12] Widevine CDM always crashes on Amazon since upgrade to macOS Sierra - 1-line plugin sandbox fix, want to investigate a bit more

bug 1287446 - Print progress dialog, [Cancel] button is truncated with long document title - uplifted
bug 1287426 - Update security/sandbox/chromium/ to Chromium stable channel version 49.0.2623.112 - problem with USER_NON_ADMIN access token level - impersonation token on main thread (initial weaker token before lockdown) gets replaced when ::CoInitializeSecurity is called in MainThreadRuntime::InitializeSecurity with one for NT AUTHORITY\ANONYMOUS LOGON with untrusted integrity, so other reads after that fail. Haven't worked out why this happens when USER_NON_ADMIN is used as the lockdown token. Only changes I can see in that area are around lifetime management of token handles, so wondered if the token is getting deleted somehow.
bug 1288194 - [e10s] Some SVG images do not print - two separate issues - landed and uplifted

bug 1290896 — Fixed the mysterious Skylake bug by allowing readlink.
Filed some bugs from the syscall meeting Tuesday
- bug 1294286 — clock_getres is a pid/tid lookup; handle like clock_gettime
- bug 1294288 — getdents fact-finding mission

Roundtable

Bug 942698 - Remove syscalls operating on filesystem paths and network addresses from seccomp-bpf whitelist for Linux/Desktop
- meta?
Bug 983358 - Get an early sense of how hard it will be to sandbox open() calls
- fixed?
The Linux temp file thing
- Action: file bug for maybe someday removing the content temp dir
- Action: file bug for using memfd_create where available