Security/Sandbox/2017-10-26

From MozillaWiki


Alex_Gaynor

  • bug 1409768 - Significant performance regression for printing
    • Patch landed. Flushing your buffers is not the same thing as fsync! (Gecko Profiler is super great for anyone who hasn't used it)
    • (Hopefully) small bit of follow-up work to use buffered IO - bug 1411984
  • bug 1407693 - Don't create files from content process on process crash
    • Wrote up an alternate approach, slightly more invasive, waiting for feedback

haik

  • bug 1403260 - Remove access to print server from content process sandbox
    • Landed, backed out last night due to test failure
  • bug 1393259 - Tighten font rules in the Mac content sandbox
    • Working on remoting the async font loading code path (AsyncFontInfoLoader)
    • There are some other code paths on main thread that will need sync remote loading

gcp

  • bug 1386404 Stop allowing Linux content processes to access /tmp
  • Testing path replacement at runtime
  • Adapted the tests, failing due to no(?) access to chrome dir

bobowen

  • bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
    • Symantec still causing lots of crashes in Nightly, going to block just the later loading DLL, which hopefully won't cause the same issues as last time
  • Chromium update
    • Lots more painful to take the latest changes, particularly with C++14 things for Linux.
    • Have this building now, with a small try push running.
    • I've also decided to move to having patches in tree instead of references to the changesets.


jld

  • Regressions
    • bug 1410280 - prctl PR_GET_NAME, PulseAudio
    • bug 1411115 - fcntl F_SETLK, Nvidia GL and fontconfig
      • F_SETLKW already allowed for PulseAudio; also fontconfig apparently
  • "Fix it later" and now it's later:
    • Syscalls with filesystem paths -> problems for chrooting
    • bug 1408497 - inotify; exthandler -> gio, can just deny
    • bug 1409895 - getcwd; have a polyfill but it's just for this one test
      • If anyone knows a better way for mochitests to find their files....
    • bug 1409900 - quotactl can be blocked; statfs = open+fstatfs
  • Minor cleanups
    • bug 1410191 - all errors are EPERM
      • Fixed so the statfs handler can use it
    • bug 1410241 - possible use-after-destroy in SIGSYS handler
      • Trying to eliminate reasons for mysterious failures when testing new things
  • IPC stuff: landed Mac things; next is LaunchOptions (bug 1401786)

handyman

  • bug 1382251 - Brokering https in NPAPI process
    • fixing leakcheck
  • bug 1411379 - Flash updates need reg keys
    • Jimm asking Adobe

Round table

Win32K lockdown write up and research