Security/Sandbox/2016-05-12

From MozillaWiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

« previous week | index | next week »

haik

  • I've been trying to learn about the bugs we need to fix in order to restrict file system access
  • Testing Nightly with no read/write to the $HOME to see what blows up, also testing with most of system.sb removed from ruleset

bobowen

  • bug 1035125 - On Windows, plugin-container.exe is linked against the sandbox_s library twice - patches reviewed and some changes up in response to glandium's review. Reasonable chance of landing next week, now that the VS2015 problem looks like it is resolved.
  • bug 1250125 - Make a 0 security.sandbox.content.level turn off the content process sandbox to allow Beta testing - patch up for review.
  • bug 1189846 - Print Edit 15.10 - just need to respond to smaug's review.
  • bug 1255336 - Printing results in empty page with print.always_print_silent=true - uplifted to Beta
  • bug 1260413 - Page dimensions aren't passed to print preview when printing via the parent - looks like my change for bug 1255336 fixed this asked the reporter to retest.
  • bug 1271348 - Matrix print full width - landed, uplift to Beta requested.
  • bug 1271900 - Firefox prints with wrong size when either size is less than inch - landed, uplift to Beta requested.

tedd

  • bug 1259508 - sys_clone violation - cubeb patch submitted, r? requested
  • bug 1270147 - remote nsIOService::SpeculativeConnect - patch seems to have the r+, guess they are waiting for tests
  • bug 742434 - enable seccomp on nightly - talked to gcp, seems like an easy patch in old-configure.in
  • looking for ways to help reduce the seccomp whitelist, like file access etc.

gcp

aklotz

  • bug 1270018 - NS_APP_CONTENT_PROCESS_TEMP_DIR should only return the sandbox writeable temp - written, try looks ok, need to push to review

roundtable

  • Looked at bug 1196384 - (sandbox-fs) [meta] Cross-platform blockers for default-deny filesystem policy for content processes
    • Addons can use chrome: and resource: URL's -- can we whitelist files that each addon needs?
    • file:// protocol - bug 922481
    • Printing
    • Any other reasons content would need to read/write within $HOME?
    • Some addons try to read the configuration from the profile
  • From last week
    • bug 1269878 - TB is asking if we can move sandbox config to browser/. I told them to --disable-content-sandbox for the immediate term.
    • bug 1269930 - Crash on windows when logging AEC data from about:webrtc - what should our policy be on file write access in the child for new things?
Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Sandbox/2016-05-12&oldid=1134557"