Security/Sandbox/2017-07-06
From MozillaWiki
« previous week | index | next week »
Contents
haik
- Landed
- bug 1334550 - Proxy moz-extension protocol requests to the parent process
- bug 1377128 - Screenshots overlay button icons are not displayed on latest Nightly build
- bug 1377614 - System extensions fail to load in local builds
- bug 1377355 - Unable to load unpacked web extensions in about:debugging; content script cannot be loaded
- Autoland
- bug 1332190 - [Mac] Enable level 3 Mac content sandbox, removing filesystem read access
- bug 1376496 - Follow-up fixes to moz-extension remoting support in 1334550
- bug 1376163 - [10.13] No audio playback on YouTube, no audio/video on Netflix (macOS High Sierra 10.13 Beta)
Alex_Gaynor
- bug 1357758 - Replaced blacklisting in macOS sandbox policy with whitelisting [landed]
- bug 1377164, bug 1378434 - cleanup
- bug 1376976 - sysctl lockdown for macOS
gcp
- bug 1308400 - Rebased, small cleanups
- bug 1308400 - There is no symlink - testing
- next: TESTS PERHAPS
- next: X11 inspection
handyman
- bug 1334803 - XFinity login fails due to Flash sandbox
- LSA rejects any client with process token with restricting SIDs
- LSA uses impersonation to get "client token". This ignores the client's impersonated "pre-lockdown" token
- No choice but to remove restricting SIDs (AFAIK)
jld
- bug 1372428 - Widevine fixes: cleaned up; needs 32-bit testing
- bug 1362537 - Re-disallow accept4; landed
- bug 1370578 - Extend telemetry; landed
- bug 1376910 - Remove SysV IPC; have patch; seems to pass Try
- bug 1129492 - X11 bug; commented with some findings - had a nice RHEL bug this morning with SELinux sandbox
- bug 1376559 is the RH bug; they used SELinux to block plugin-container from Internet-domain networking
- (Which would also break remote PulseAudio, I just realized….)
- Should file a followup bug to remove that gdk_flush() that we don't need anymore
- bug 1376559 is the RH bug; they used SELinux to block plugin-container from Internet-domain networking
- WebGL may be easier than we thought…
- (“easier” is relative)
bobowen
- Landed
- bug 1369670 - Blank pages are printed with security.sandbox.content.level set to 3 when Users folder is a junction point - also verified by QA
- bug 1378061 - Only set user's SID in USER_LIMITED as deny only when not using restricting SIDs.
- bug 1366694 - Enable Windows level 3 content process sandbox by default on Nightly.
- Need to disable our sandboxing fs tests for DEBUG on Windows as we currently whitelist the TEMP dir (linux patch does this too)
- Issue with leak of three objects in a11y tests.
- bug 1378377 - file:// URI sub-resources within CAPS whitelisted http pages will fail to load with read sandboxing
