Security/Sandbox/2017-06-08

From MozillaWiki

haik

  • bug 1334550 - Proxy moz-extension protocol requests to the parent process
    • Still waiting on reviewer feedback
    • Merging and updating tests that changed
    • Working on what would be a follow up patch to use JAR cache and refactor security checks into main code
  • bug 1350642 - Remove the PBrowser::Msg_GetTabCount sync IPC
    • Need to re-work patch to deal with remoteness switches

Alex_Gaynor

  • bug 1369764 & bug 1367560 - Two tests that failed at level 3
    • One triggered by the addition of /Volumes to the blacklist
    • One which only failed if you replaced the blacklist with a whitelist
  • bug 1370540 - Expanding the macOS level 3 blacklist to include /Users and /Network
  • bug 1221148 - blob:// URI support for mozIJSSubScriptLoader
  • bug 1370438 - Bustage on upcoming beta caused by the minimum-sandbox-level

gcp

  • try is green for bug 1308400
  • cleaning up patches, merging & resplitting
  • dealing with a few nasty symlink cases
  • Extend sandboxing telemetry probes for Linux features

jld

  • The Ubuntu add-on problem (https://bugs.launchpad.net/ubufox/+bug/1627808 and bug 1364978)
    • Most of the non-Nightly Linux userbase doesn't have e10s… but this is about to change.
  • Failed to uplift the socketpair workaround in bug 1355274
    • Should this be release-noted? Let's ask.
  • ESET - bug 1362601
    • GMP does work
    • It seems to “fail open”
    • So, no problem on beta/release
    • For nightly, have a patch
    • We'll get a certain amount of not-really-helpful telemetry from this
      • Suppress it? Tag it somehow? Wait to see if it's really a problem?
      • Resolved: file a bug to get Telemetry on how many users have this lib
  • DConf - bug 1321134 - landed patch; won't uplift
    • We may get bugs about the (harmless) error message
  • Contemplated telemetry (bug 1370578)
    • I think we want to extend userns (decreasing!?), maybe tsync
    • basic seccomp-bpf is >99% so no need to keep tracking
  • Rewrote Security/Sandbox#Linux_2
    • And I have thoughts about the setuid approach
    • Resolved: let's gather telemetry on who's using system packages vs. unrolling as regular user
  • (Also I had some ideas in the meeting about the symlink broker problem, but it's a hard problem.)

bobowen

  • bug 1323188 - Running Firefox from some network drives fails with an initial restricted access token.
    • ready to land
    • went with just using deny only after fighting trying to delay load things.
  • bug 1321430 - Enable separate file:// URLs content process in release
    • landed
  • bug 1370216 - Remove SANDBOX_BROKER_INITIALIZED telemetry.
    • landed
  • bug 1369670 - Blank pages are printed with security.sandbox.content.level set to 3 when Users folder is a junction point
    • Just reviewing a patch by cpearce for a similar longstanding issue for GMP, it seems that resolving is now much easier than I thought.
    • I also need to make sure our directory service is also using the resolved paths to get the rules to work.

handyman

  • bug 1334803 - XFinity login fails due to Flash sandbox
    • APIMonitor shows AcquireCredentialsHandle for schannel failing
    • new bug: CoInitializeSecurity call to ImpersonateAnonymousToken fails when haz restricting SIDs