Security/Sandbox/2016-09-29

< Security‎ | Sandbox

haik

  • bug 1299329 - Remove printing-related privileges from content process sandbox - landed
  • bug 1284588 - OS X: Disable content process write access to user files in the home directory - landed

bobowen

  • bug 1147911 - Use a separate content process for file:// URLs
    • Good progress - fixed issues with view-source and forward / back navigation, which was partly down to an existing bug in docshell history code.
    • Still working on problem with links from file:// to web content, because it allocates a new tab upfront in the child process.
  • bug 1273372 - [EME] Crash in mozilla::gmp::GMPChild::ProcessingError
    • Further investigation here, probably need to add new logging to see if any new dependencies are trying to be loaded.
  • Chromium code
    • Gone through changes in Chromium code for sandbox/ and base/ up to latest stable from our version in Fx51.
    • Corresponded with Chromium sandboxing team and requested security bug access on their advice.

jld

  • bug 1303813 — Allow MADV_FREE for Linux GMP; fix Widevine crash from mozjemalloc on newer build hosts.
  • bug 1304220 — Allow times(2) for Linux GMP; fix Widevine crash when running on older glibc.
  • bug 1289718 (Linux desktop file brokering): finally done reviewing.

gcp

  • bug 1289718 Construct a seccomp-bpf policy for file access on Linux Desktop
  • Ready to land, but have 1 or 2 patches I want to add

handyman

  • bug 1241250 Prezi frozen at loading on fresh profile with latest Nightly 64 bits
    • Prezi still unable to reproduce on their end.
  • bug 1269114 [x86_64] Last picked directory not saved when using Flash Player
    • Landed
  • bug 1284897 64 bit Flash Player has storage permissions issues
    • Brokering GetOpenFileName/GetSaveFileName to run on parent
  • Longer term discussion of Windows content proc file access logging

roundtable