Security/Sandbox/2017-11-30

bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
- Looking into not having to create the window at all.
bug 1403931 - USER_RESTRICTED for content.
- After pre-loading a DWrite font and some other rules, got a running process.
- Audio and some rendering broken.
- USER_LOCKDOWN and untrusted integrity don't seem add any more issues, in fact untrusted only seems to break audio at the moment.
- Chromium uses some other hooking, which might mean we don't need to pre-load the font.
bug 1419739 - Make printing a selection not terrible.
- This landed, but I've just found some issues, so may have to back out.

bug 1382251 - Brokering https in NPAPI process
- Adobe is helping with some additional tests (for now)
- Finishing reviews / cleanup
bug 1415162 - Set USER_LIMITED on NPAPI proc
- WIP
bug 1415160 - Set process mitigations on NPAPI proc
- Most seem fine. One (no dynamic code) totally fails and a few are suspicious but haven't failed anything yet

bug 1419811 - fixed file icons in file:// directory listings - landed
bug 1421372 - cleanup macOS sandbox policy rules for file content process - landed
bug 1414834 - reland print IPC changes - pending confirmation that bob's print selection changes are good
bug 1407693 - do not create files in content process for crash reporting - patch up
Handful of IPC secbugs

bug 1393259 - [Mac] Remote access to fonts from custom directories, font managers
- Converting prototype from PBackground to top-level protocol
- Investigating security impact

Has been fighting with Vidyo. For days.
- The glitchy audio you're hearing (and I'm hearing), from using a full VM because it won't even start with just a chroot/container/flatpak, is the best I've been able to do so far.
- Firefox WebRTC works fine though….
bug 1409895 - The getcwd bug: wrote some JS to fix the tests that were being a problem.
bug 1401062 - clone()ify: adjusting patches to make this preffable, because it'll probably break stuff
- Also I might steal Chrome's longjmp thing instead of doing the syscall directly — it *should* work, but why take the risk.
- bug 1421146 - Also I found a bug in the build system, but there's a workaround which is what I should've been doing anyway.
Trying to comment usefully on all the font bugs.

Good uses for sandboxed utility processes?
- Making sure a file-system read/write operation stays within the intended dir
  - Example: make sure remoted loads for an unpacked extension never load a resource outside of the extension dir
- Look at PDFium
[tjr] Enforcing container isolation in content processes?
- [jld] Assigning tab children to appropriate processes is one thing; enforcing origin restrictions in IPC (like we did — or at least tried to do? — on B2G) is another.
- [tjr] Definetly interested in the enforcing-origin-restrictions-in-IPC aspect :)
- [Alex_Gaynor] this wouldn't be full origin, just OriginAttributes or something like that? Would be easier, since it doesn't require sorting out iframes.
  - [jld] Yes, just OriginAttributes, so no problems with iframes or navigation. This is why I was trying to get people interested in it at the London All-Hands, before e10s-multi shipped
  - [tjr] Even less that OA, just userContextId (container identifier, an int). Each container has its own cookie jar and it's own 'view' of all origin data. And yea, no problems with iframes/nav
- [tjr] files ... https://bugzilla.mozilla.org/show_bug.cgi?id=1422049
Meetings in Austin

Contents