Security/Sandbox/2014-12-11

From MozillaWiki



Standup/Status

Windows

  • Content Sandboxing
    • bug 1103946 - Changed mach / mochitest option for new more strict policy pref
    • Started looking at virtual cameras for testing capture
    • Spoke to jmaher at the airport about mochitests; looks like we could use subsuite functionality that already exists to run some tests in a separate job with the weaker policy
  • GMP/EME Sandboxing
    • Tested latest version of CDM and seemed to work with sandbox on Windows 7, no need for access to KsecDD
    • CDM gtests don't use WMF; edwin has a patch to use WMF for testing next week.
      • Use WMF on Windows mochitests
      • Use ClearKey (decrypting, non-decoding) CDM on non-Windows mochitests
    • Adobe delivered another CDM build last week. Uses OP.
    • chromium sandbox's DLL unloading list is specified in chrome process, so CDM sandbox can't dynamically unload all non-whitelisted DLLs.
  • Other Windows work

Linux/B2G

  • Content Sandboxing
    • Experiments with brokering open() et al. for FxOS 2.2
      • Current blocker: breaks on Flame because graphics drivers don't like being passed between processes; will try de-lazifying EGL initialization.
  • GMP/EME Sandboxing
    • No change.
  • Other Linux work
    • Header cleanup and seccomp program building cleanup (JoinInstructions) landed
      • These were two of the blockers for updating security/sandbox/chromium

Mac

  • Content Sandboxing
    • adding camera and mic related rules
    • found that there are defined variables which I can use in the sandbox rules scripts, notably the "container" and "home" paths; this should make the rules more elegant than writing those at runtime as we currently do
    • 3–4 weeks to wrap up
    • concerns about the need to access files in write mode from content process, even though they are in "temp" directories: if I block those write accesses, the content process crashes
    • e10s should make more resources accessed by the main process, so the content process can be more tightly restricted
  • GMP/EME Sandboxing
    • bug 1083284: Landed additional sandbox rules to accommodate Adobe's code fragment. Still need to incorporate a version of the code fragment into automated tests.

Round Table