Security/Sandbox/2014-07-17

From MozillaWiki



17 July 2014

Standup/status

  • Windows sandboxing
    • OpenH264
      • Landed bug 985252 - sandboxing is now enabled for GMP processes. Next step is to ratchet down permissions so that the sandbox is more effective.
    • Logging
      • Bug 1018966 - Warn only sandbox progressing. r+s from Tim, waiting for approval of the chromium changes from someone with context from earlier in the sandboxing project. Might need a bit of re-work now that bug 985252 has landed.
      • Bug 1040059 - Registry access reporting not working, that appears to be the problem for mochitest-3. It's trying to access keys like HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager.
    • Content processes
      • Bug 1018988 - Temp directory, has moved forward. As hoped, mochitests 2, 4 and 5 pass for Windows 7 and 8. Moved the getting of the temporary directory into the directory service. Also thinking of adding a GUID suffix to the directory name?
    • Bug 1035275 - Imported Chromium code under security/sandbox that is not being compiled - landed.
  • Mac sandboxing
    • With Andre's first (very simple) patch, the sandbox process dies shortly after creation. We'll need to figure out why. It took us a while to realize this because we didn't have adequate instructions on how to use our only testcase.
  • Linux/B2G sandboxing
    • Problem: can we depend on having seccomp-bpf on desktop Linux? https://bugzilla.mozilla.org/show_bug.cgi?id=1039819
    • OpenH264 is mostly done but should be tested on an older distribution.
      • Q: Is there a test case that I can run in a camera-less VM?
    • Good news, maybe: buildbot tests apparently use Ubuntu 12.04, so seccomp-bpf works there.
    • Desktop content process sandboxing is somewhat less broken — it will build and not immediately fail.

Round table

Actions

  • Tim to enumerate what is possible and what is restricted given the current GMP sandbox on Windows; provide info to mreavy, blassey so they can decide whether further ratcheting down of permissions should be uplifted or just ride the trains.
  • Bob to get a list of temporary files being created by the mochitests.
  • Steven to investigate cpearce's and josh's test cases
  • Jed to email {blassey, gal, jjensen, johnath} about metrics for bug 1039819