Security/Sandbox/2014-07-17
From MozillaWiki
« previous week | index | next week »
17 July 2014
Standup/status
- Windows sandboxing
- OpenH264
- Landed bug 985252 - sandboxing is now enabled for GMP processes. Next step is to ratchet down permissions so that sandbox is more effective
- Logging
- Bug 1018966 - Warn only sandbox progressing. r+s from Tim, waiting for approval of the chromium changes from someone with context from earlier in the sandboxing project. Might need a bit of re-work now that bug 985252 has landed.
- Bug 1040059 - Registry access reporting not working, that appears to be the problem for mochitest-3. It's trying to access keys like HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager.
- Content processes
- Bug 1018988 - Temp directory, has moved forward. As hoped mochitests 2, 4 and 5 pass for win 7 and 8. Moved the getting of the temporary directory into the directory service. Also thinking of adding a guid suffix to the directory name?
- Bug 1035275 -Imported Chromium code under security/sandbox that is not being compiled - landed.
- OpenH264
- Mac sandboxing
- With Andre's first (very simple) patch, the sandbox process dies shortly after creation. We'll need to figure out why. It took us a while to realize this because we didn't have adequate instructions on how to use our only testcase.
- Linux/B2G sandboxing
- Problem: can we depend on having seccomp-bpf on desktop Linux? https://bugzilla.mozilla.org/show_bug.cgi?id=1039819
- OpenH264 is mostly done but should be tested on an older distribution.
- Q: Is there a test case that I can run in a camera-less VM?
- Good news, maybe: buildbot tests apparently use Ubuntu 12.04, so seccomp-bpf works there.
- Desktop content process sandboxing is somewhat less broken — it will build and not immediately fail.
Round table
Actions
- Tim to enumerate what is possible and what is restricted given current GMP sandbox on Windows; provide info to mreavy,blassey so they can decide whether further ratcheting down of permissions should be uplifted or just ride the trains
- Bob to get a list of temporary files being created by the mochitests.
- Steven to investigate cpearce's and josh's test cases
- Jed to email {blassey, gal, jjensen, johnath} about metrics for bug 1039819