Security/Sandbox/2017-06-08

From MozillaWiki

haik

  • bug 1334550 - Proxy moz-extension protocol requests to the parent process
    • Still waiting on reviewer feedback
    • Merging and updating tests that changed
    • Working on what would be a follow-up patch to use JAR cache and refactor security checks into main code
  • bug 1350642 - Remove the PBrowser::Msg_GetTabCount sync IPC
    • Need to re-work patch to deal with remoteness switches

Alex_Gaynor

  • bug 1369764 & bug 1367560 - Two tests that failed at level 3
    • One triggered by the addition of /Volumes to the blacklist
    • One which only failed if you replaced the blacklist with a whitelist
  • bug 1370540 - Expanding the macOS level 3 blacklist to include /Users and /Network
  • bug 1221148 - blob:// URI support for mozIJSSubScriptLoader
  • bug 1370438 - Bustage on upcoming beta caused by the minimum-sandbox-level

gcp

  • try is green for bug 1308400
  • cleaning up patches, merging & resplitting
  • dealing with a few nasty symlink cases
  • Extend sandboxing telemetry probes for Linux features

jld

  • The Ubuntu add-on problem (https://bugs.launchpad.net/ubufox/+bug/1627808 and bug 1364978)
    • Most of the non-Nightly Linux userbase doesn't have e10s… but this is about to change.
  • Failed to uplift the socketpair workaround in bug 1355274
    • Should this be release-noted? Let's ask.
  • ESET - bug 1362601
    • GMP does work
    • It seems to “fail open”
    • So, no problem on beta/release
    • For nightly, have a patch
    • We'll get a certain amount of not-really-helpful telemetry from this
      • Suppress it? Tag it somehow? Wait to see if it's really a problem?
      • Resolved: file a bug to get Telemetry on how many users have this lib
  • DConf - bug 1321134 - landed patch; won't uplift
    • We may get bugs about the (harmless) error message
  • Contemplated telemetry (bug 1370578)
    • I think we want to extend userns (decreasing!?), maybe tsync
    • basic seccomp-bpf is >99% so no need to keep tracking
  • Rewrote Security/Sandbox#Linux_2
    • And I have thoughts about the setuid approach
    • Resolved: let's gather telemetry on who's using system packages vs. unrolling as regular user
  • (Also I had some ideas in the meeting about the symlink broker problem, but it's a hard problem.)

bobowen

  • bug 1323188 - Running Firefox from some network drives fails with an initial restricted access token.
    • ready to land
    • went with just using deny only after fighting trying to delay load things.
  • bug 1321430 - Enable separate file:// URLs content process in release
    • landed
  • bug 1370216 - Remove SANDBOX_BROKER_INITIALIZED telemetry.
    • landed
  • bug 1369670 - Blank pages are printed with security.sandbox.content.level set to 3 when Users folder is a junction point
    • Just reviewing a patch by cpearce for a similar longstanding issue for GMP, it seems that resolving is now much easier than I thought.
    • I also need to make sure our directory service is also using the resolved paths to get the rules to work.

handyman

  • bug 1334803 - XFinity login fails due to Flash sandbox
    • APIMonitor shows AcquireCredentialsHandle for schannel failing
    • new bug: CoInitializeSecurity call to ImpersonateAnonymousToken fails when it has restricting SIDs