Security/Sandbox/2015-01-29: Difference between revisions
Jump to navigation
Jump to search
(Created page with "<!-- Maybe don't screw with these links unless you've read this blog post: http://blog.johnath.com/2011/01/20/automatic-date-links-in-mediawiki/ Just copy them to new pages an...") |
m (→Windows) |
||
| Line 20: | Line 20: | ||
** FYI: EME not going to be fast tracked to 37, so no need to uplift EME patches. | ** FYI: EME not going to be fast tracked to 37, so no need to uplift EME patches. | ||
* ''NPAPI Sandboxing''' | * '''NPAPI Sandboxing''' | ||
** {{Bug|1123245}} - Landed - NPAPI sandbox just using the USER_NON_ADMIN access level token. | ** {{Bug|1123245}} - Landed - NPAPI sandbox just using the USER_NON_ADMIN access level token. | ||
** {{Bug|1126402}} - Landed - added a pref to enable a more strict version of this sandbox. Going to change this to integer prefs to allow more levels instead of the boolean ones ({{Bug|1127230}}). | ** {{Bug|1126402}} - Landed - added a pref to enable a more strict version of this sandbox. Going to change this to integer prefs to allow more levels instead of the boolean ones ({{Bug|1127230}}). | ||
| Line 26: | Line 26: | ||
* '''Other Windows work''' | * '''Other Windows work''' | ||
** {{Bug|1125865}} - Landed - fix to prevent an extra WARNING being logged with each sandbox violation log. This was happening when logging to console wasn't available (GMP / NPAPI). | ** {{Bug|1125865}} - Landed - fix to prevent an extra WARNING being logged with each sandbox violation log. This was happening when logging to console wasn't available (GMP / NPAPI). | ||
===Linux/B2G=== | ===Linux/B2G=== | ||
Latest revision as of 08:06, 23 February 2015
« previous week | index | next week »
Please use MediaWiki formatting because these etherpad notes will be republished on our public wiki: https://wiki.mozilla.org/Sandbox#Meeting_Notes ______________________________________________________________________________
Standup/Status
Windows
- Content Sandboxing
- bug 1104616 - looks like gcp is getting close to having video camera access from the chrome process.
- GMP/EME Sandboxing
- bug 1094370 - Landed - GMP processes now using the USER_LOCKDOWN access token level.
- FYI: EME not going to be fast tracked to 37, so no need to uplift EME patches.
- NPAPI Sandboxing
- bug 1123245 - Landed - NPAPI sandbox just using the USER_NON_ADMIN access level token.
- bug 1126402 - Landed - added a pref to enable a more strict version of this sandbox. Going to change this to integer prefs to allow more levels instead of the boolean ones (bug 1127230).
- Other Windows work
- bug 1125865 - Landed - fix to prevent an extra WARNING being logged with each sandbox violation log. This was happening when logging to console wasn't available (GMP / NPAPI).
Linux/B2G
- Content Sandboxing
- An “open sandbox” mostly passes try and works locally; need to:
- Test with different GPUs, maybe (and maybe accelerated layers?)
- Preferably make xpcshell tests stop running an HTTP server in the child. (Or, failing that, start it earlier.)
- (Side note: content process audio is difficult.)
- Did some fact-finding re getting an actual sandbox on desktop, w.r.t. things that access files directly.
- An “open sandbox” mostly passes try and works locally; need to:
- GMP/EME Sandboxing
- bug 1120045 landed and old Linuxes no longer have OpenH264.
- TODO: consider uplift
- bug 1120045 landed and old Linuxes no longer have OpenH264.
- Other Linux work
- <input type="file"> patch landed.
- jar:http: has run aground on a shoal of bikesheds; could disable tests for B2G.
Mac
- Other Mac work
- Mic access was not working in e10s with the sources I used, a few days ago pulled again from m-c and it works in e10s, but not when enabling the sandbox. Nothing appears in logs related to a denied access to a resource, so investigation on this is a bit harder than others.
- take into account different levels of sandbox. 0 should allow mic to work.
Chromium
- bug 1102195 - update to chromium code - just started looking at this.
Round Table
- blassey on PTO next week.