- bug 1334550 - Proxy moz-extension protocol requests to the parent process
- Still waiting on reviewer feedback
- Merging and updating tests that changed
- Working on what would be a follow up patch to use JAR cache and refactor security checks into main code
- bug 1350642 - Remove the PBrowser::Msg_GetTabCount sync IPC
- Need to re-work patch to deal with remoteness switches
- bug 1369764 & bug 1367560 - Two tests that failed at level 3
- One triggered by the addition of /Volumes to the blacklist
- One which only failed if you replaced the blacklist with a whitelist
- bug 1370540 - Expanding the macOS level 3 blacklist to include /Users and /Network
- bug 1221148 - blob:// URI support for mozIJSSubScriptLoader
- bug 1370438 - Bustage on upcoming beta caused by the minimum-sandbox-level
- try is green for bug 1308400
- cleaning up patches, merging & resplitting
- dealing with a few nasty symlink cases
- Extend sandboxing telemetry probes for Linux features
- The Ubuntu add-on problem (https://bugs.launchpad.net/ubufox/+bug/1627808 and bug 1364978)
- Most of the non-Nightly Linux userbase doesn't have e10s… but this is about to change.
- Failed to uplift the socketpair workaround in bug 1355274
- Should this be release-noted? Let's ask.
- ESET - bug 1362601
- GMP does work
- It seems to “fail open”
- So, no problem on beta/release
- For nightly, have a patch
- We'll get a certain amount of not-really-helpful telemetry from this
- Suppress it? Tag it somehow? Wait to see if it's really a problem?
- Resolved: file a bug to get Telemetry on how many users have this lib
- DConf - bug 1321134 - landed patch; won't uplift
- We may get bugs about the (harmless) error message
- Contemplated telemetry (bug 1370578)
- I think we want to extend userns (decreasing!?), maybe tsync
- basic seccomp-bpf is >99% so no need to keep tracking
- Rewrote Security/Sandbox#Linux_2
- And I have thoughts about the setuid approach
- Resolved: let's gather telemetry on who's using system packages vs. unrolling as regular user
- (Also I had some ideas in the meeting about the symlink broker problem, but it's a hard problem.)
- bug 1323188 - Running Firefox from some network drives fails with an initial restricted access token.
- ready to land
- went with just using deny only after fighting trying to delay load things.
- bug 1321430 - Enable separate file:// URLs content process in release
- bug 1370216 - Remove SANDBOX_BROKER_INITIALIZED telemetry.
- bug 1369670 - Blank pages are printed with security.sandbox.content.level set to 3 when Users folder is a junction point
- Just reviewing a patch by cpearce for a similar longstanding issue for GMP, it seems that resolving is now much easier than I thought.
- I also need to make sure our directory service is also using the resolved paths to get the rules to work.
- bug 1334803 - XFinity login fails due to Flash sandbox
- APIMonitor shows AcquireCredentialsHandle for schannel failing
- new bug: CoInitializeSecurity call to ImpersonateAnonymousToken fails when haz restricting SIDs