Security/Sandbox/2017-01-05
From MozillaWiki
« previous week | index | next week »
Contents
bobowen
- bug 1321724 - [e10s] Local HTML cannot be opened in Firefox 50
- Thought this might be down to Active Directory user, although I can't reproduce at the moment.
- bug 1324908 - [e10s] OS X printing related crashes in CoreGraphics@0x regressing in Firefox 51
- looks like this is actually an issue with shared persistent buffer provider - nical is going to disable on Mac and investigate
- bug 1324064 - [e10s] printing causes content process to crash with Foxit Reader PDF
- patch ready to land, which removes all access to print devices in child for Windows, might need a bit more work for other platforms.
- bug 1321566 - landed need to uplift.
- bug 1321020 - When you open a new file content tab from the file content process the wrong remote type gets set.
- landed
- bug 1328829, bug 1327942, bug 1328257 new follow ups for file content process - quite possibly related.
haik
- bug 1309394 - Introduce automated tests to validate content process sandboxing works as intended
- Addressed review comments
- Hitting Windows content temp failure on try, will file new bug to investigate
- bug 1322370 - Disable camera access in the Mac content sandbox
- Landed, will uplift to 52
- bug 1322716 - GMP Security bug
- Landed, will uplift to 52
- bug 1324610 - Printing on OS X makes firefox unusable
- Fix on reviewboard
- bug 1303051 - Printing Issue: Page Setup (eg scaling) not being respected since upgrade to 48.01 on Mac
- Uplifting to 51
jld
- bug TBC - non-fatal reporting for seccomp-bpf policy violations; commented with brain dump
- bug 1326361 - audit local-domain sockets held by sandboxed processes; filed
- bug 1302711 - ioctl restriction; commented to mention tty ioctls after seeing http://www.openwall.com/lists/oss-security/2016/10/25/9
- bug 1328896 - fcntl is dangerous; just filed
tedd
- bug 1325647 - automated bound checking for integers with IPDL
- finished PoC, started email thread with IPC peers/owner
- got some feedback, going to implement new approach
- assurance work
gcp
- reviews (SB/Android/boxing)
- bug 1129492 Firefox content process has a live connection to the X11 server
- Print to file / font serialization was fixed by gfx team, reviewed by bob
- File write policy + seccomp could roll out, but we want soft-fail + logging
- Will make configurable - or too risky?
- Can we even update what Debian/Fedora/Ubuntu ship?
handyman
- bug 1284897 - 64 bit Flash Player has storage permissions issues
- still wip
- bug 1312788 - Add console warning and telemetry if service workers are used in the file content process
- posting for review
round table
jesup doc (https://docs.google.com/document/d/1cwc153l1Vo6CDuzCf7M7WbfFyHLqOcPq3JMwwYuJMRQ/edit#heading=h.qiysnfqg286u)