Security/Sandbox/2015-01-22

From MozillaWiki
Jump to: navigation, search


« previous week | index | next week »

Standup/Status

Windows

  • GMP/EME Sandboxing
    • bug 1121479 - Turn on DEP, SEHOP, HEAP_TERMINATE, DLL_SEARCH_ORDER process-level mitigations for the GMP sandbox - landed.
      • Enabling Google's recommended renderer sandbox settings
    • bug 1094370 - Move to using the USER_LOCKDOWN token for the EME/GMP sandbox. - some review comments to address.
    • edwin has patch to add WMF decoding to in-tree ClearKey CDM
    • Waiting for Adobe CDM v5 drop
      • but Adobe is waiting for jwwang to update GMP API for EME v2 and v3 changes
    • Ask Adobe to test Nightly or Aurora?
    • DLL unload list can only be specified from broker process.
    • sec-review
      • ACTION: cpeterson to ask dmajor
  • NPAPI Sandboxing
    • bug 1123245: minimal sandbox looking OK; ready to land in Nightly.
    • bug 1123759: low-rights sandbox will be more work; causing some problems.

Linux/B2G

  • Content Sandboxing
    • <input type="file"> and jar:http: e10s bugs are actually almost done now
  • GMP/EME Sandboxing
    • Still not sure what(/if) consensus is on non-sandbox-capable systems and OpenH264
      • Disable OpenH264 without sandboxing until someone complains?
      • Yes: go ahead with bug 1120045.

Mac

  • Content Sandboxing
    • Am starting to review areinald's patch for bug 1083344.
    • opened follow up bug 1123291 for previous mac os versions, ordered a machine for testing on them
    • will open a follow up bug for tightening rules further as e10s evolves towards more "things" happening from main process (may need help figuring dependency linking on this one)

Chromium