Security/Sandbox/2014-07-17

From MozillaWiki



17 July 2014

Standup/status

  • Windows sandboxing
    • OpenH264
      • Landed bug 985252 - sandboxing is now enabled for GMP processes. Next step is to ratchet down permissions so that the sandbox is more effective.
    • Logging
      • Bug 1018966 - Warn-only sandbox is progressing. r+s from Tim, waiting for approval of the Chromium changes from someone with context from earlier in the sandboxing project. Might need a bit of rework now that bug 985252 has landed.
      • Bug 1040059 - Registry access reporting not working; that appears to be the problem for mochitest-3. It's trying to access keys like HKLM\SOFTWARE\Wow6432Node\Microsoft\AudioCompressionManager.
    • Content processes
      • Bug 1018988 - Temp directory has moved forward. As hoped, mochitests 2, 4 and 5 pass for Win 7 and 8. Moved the getting of the temporary directory into the directory service. Also thinking of adding a GUID suffix to the directory name?
    • Bug 1035275 - Imported Chromium code under security/sandbox that is not being compiled - landed.
  • Mac sandboxing
    • With Andre's first (very simple) patch, the sandbox process dies shortly after creation. We'll need to figure out why. It took us a while to realize this because we didn't have adequate instructions on how to use our only testcase.
  • Linux/B2G sandboxing
    • Problem: can we depend on having seccomp-bpf on desktop Linux? https://bugzilla.mozilla.org/show_bug.cgi?id=1039819
    • OpenH264 is mostly done but should be tested on an older distribution.
      • Q: Is there a test case that I can run in a camera-less VM?
    • Good news, maybe: buildbot tests apparently use Ubuntu 12.04, so seccomp-bpf works there.
    • Desktop content process sandboxing is somewhat less broken — it will build and not immediately fail.

Round table

Actions

  • Tim to enumerate what is possible and what is restricted given the current GMP sandbox on Windows; provide info to mreavy, blassey so they can decide whether further ratcheting down of permissions should be uplifted or just ride the trains
  • Bob to get a list of temporary files being created by the mochitests.
  • Steven to investigate cpearce's and josh's test cases
  • Jed to email {blassey, gal, jjensen, johnath} about metrics for bug 1039819