Security/Sandbox/2014-04-17


17 April 2014

B2G

  • open stuff is still complicated
    • The Chromium sandbox doesn't filter `open` (probably for the same reasons that we are finding it complicated)
  • we are wondering what we can do to make IPDL faster (we may make heavy use of it in sandbox)
  • libgenlock uses the `open` syscall frequently; if we turn off `open` it becomes an issue (this is perf critical)
  • may have to use binder to lock down open, but may be more error prone
    • If so… how is binder different from `SCM_RIGHTS`?

Windows (openh264)

  • Tim spent a lot of the week trying to get it to build
    • Looks like it will be pretty simple to get the sandbox applied to the process for openh264
    • expects a patch by the end of next week for this
  • Integrity levels: we've started to use "low" instead of untrusted
    • you can't create D3D device connections from untrusted processes
    • Chrome proxies GPU stuff through a GPU process that's got a higher level than the content process
    • IE just uses "low"

Extra:

  • jld got seccomp working on the x86 KitKat emulator (will be on TBPL)