Security/Sandbox/2017-05-11

From MozillaWiki

bobowen

  • bug 1351358 - Can't submit form to http(s) URL using POST method from a file:// page
    • Nearly there, just waiting on a couple of reviews.
  • bug 1175267 - [e10s] about:addons page turns blank when opening XPI file
    • Patches up for review.
  • bug 1336657 - Firefox 51.0.1 prints only blank pages
    • Patch reviewed, will land tomorrow and request uplift to Fx54.

haik

  • bug 1334550 - Proxy moz-extension protocol requests to the parent process
    • Got some review comments
  • bug 1361304 - [Mac] Remove /private/var read access from level 3 Content Sandbox
    • Landed
  • bug 1350642 - Remove the PBrowser::Msg_GetTabCount sync IPC
    • Testing a fix, need to root cause failure
  • bug 1358090 - Cleanup Mac sandbox policies considering the file content process

gcp

  • bug 1308400 - Construct a file broker policy for default-deny read access on the Linux Desktop
  • Progress on try orange
  • Investigations regarding --appname, test js layout, SpecialPowers packaging/install, etc

Alex_Gaynor

  • bug 1361733 - Disallow writing to all of /private/var in DEBUG
    • Landed
  • bug 1358223 - Hardcode the lowest sandbox level for macOS and Windows
    • Implemented the changes we talked about last week
  • bug 1357758 - Replace blacklisting macOS sandbox with whitelisting
    • Debugged the root cause of many of the failures
  • bug 1363760 - Remote file reads of specialpowers JS to parent process
    • Working with the addons/testing folks to decide on the right course, but it looks like some work the addons folks were already doing makes fixing this easy

jld

  • DBus: a11y and wakelocks should be the last holdouts
    • bug 1361338 (don't a11y in content procs) landed, so bug 1362537 (re-disallow accept4) can happen
    • bug 1360069 (wakelocks) I more or less have the patch; finding a reviewer might be interesting
  • ESET AV
    • LD_AUDIT will let us block their library if we need to
  • SysV
    • We might be able to stop using SysV IPC after all.
    • msg -> ESET; get rid of it
    • sem -> ALSA; off by default
    • shm -> graphics; complicated but I have a plan
      • MIT-SHM 1.2 with fd-passing
  • madvise
    • It's MADV_NO_HUGEPAGE; I'll file a bug
    • Not sure if we should allow or ignore

roundtable

  • No minimum level on Linux
  • SandboxStatus/Settings/Config class name - decided on SandboxSettings