Security/Sandbox/2017-10-26
From MozillaWiki
« previous week | index | next week »
Alex_Gaynor
- bug 1409768 - Significant performance regression for printing
- Patch landed. Flushing your buffers is not the same thing as fsync! (Gecko Profiler is super great for anyone who hasn't used it)
- (Hopefully) small bit of follow up work to use buffered IO - bug 1411984
- bug 1407693 - Don't create files from content process on process crash
- Wrote up an alternate approach, slightly more invasive, waiting for feedback
haik
- bug 1403260 - Remove access to print server from content process sandbox
- Landed, backed out last night due to test failure
- bug 1393259 - Tighten font rules in the Mac content sandbox
- Working on remoting the async font loading code path (AsyncFontInfoLoader)
- There are some other code paths on main thread that will need sync remote loading
gcp
- bug 1386404 Stop allowing Linux content processes to access /tmp
- Testing path replacement at runtime
- Adapted the tests, failing due to no(?) access to chrome dir
bobowen
- bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
- Symantec still causing lots of crashes in Nightly, going to block just the later loading DLL, which hopefully won't cause same issues as last time
- Chromium update
- Lots more painful to take the latest changes particularly with C++14 things for Linux.
- Have this building now, with a small try push running.
- I've also decided to move to having patches in tree instead of references to the changesets.
jld
- Regressions
- bug 1410280 - prctl PR_GET_NAME, PulseAudio
- bug 1411115 - fcntl F_SETLK, Nvidia GL and fontconfig
- F_SETLKW already allowed for PulseAudio; also fontconfig apparently
- "Fix it later" and now it's later:
- Syscalls with filesystem paths -> problems for chrooting
- bug 1408497 - inotify; exthandler -> gio, can just deny
- bug 1409895 - getcwd; have a polyfill but it's just for this one test
- If anyone knows a better way for mochitests to find their files....
- bug 1409900 - quotactl can be blocked; statfs = open+fstatfs
- Minor cleanups
- bug 1410191 - all errors are EPERM
- Fixed so the statfs handler can use it
- bug 1410241 - possible use-after-destroy in SIGSYS handler
- Trying to eliminate reasons for mysterious failures when testing new things
- bug 1410191 - all errors are EPERM
- IPC stuff: landed Mac things; next is LaunchOptions (bug 1401786)
- which conflicts with bug 1386404
handyman
- bug 1382251 - Brokering https in NPAPI process
- fixing leakcheck
- bug 1411379 - Flash updates need reg keys
- Jimm asking Adobe
Round table
Win32K lockdown write up and research