Security/Sandbox/2015-01-22
From MozillaWiki
Standup/Status
Windows
- GMP/EME Sandboxing
- bug 1121479 - Turn on DEP, SEHOP, HEAP_TERMINATE, DLL_SEARCH_ORDER process-level mitigations for the GMP sandbox - landed.
- Enabling Google's recommended renderer sandbox settings
- bug 1094370 - Move to using the USER_LOCKDOWN token for the EME/GMP sandbox. - some review comments to address.
- edwin has patch to add WMF decoding to in-tree ClearKey CDM
- Waiting for Adobe CDM v5 drop
- but Adobe is waiting for jwwang to update GMP API for EME v2 and v3 changes
- Ask Adobe to test Nightly or Aurora?
- DLL unload list can only be specified from broker process.
- sec-review
- ACTION: cpeterson to ask dmajor
- NPAPI Sandboxing
- bug 1123245: minimal sandbox looking OK; ready to land in Nightly.
- bug 1123759: low-rights sandbox will be more work; causing some problems.
Linux/B2G
- Content Sandboxing
- <input type="file"> and jar:http: e10s bugs are actually almost done now
- GMP/EME Sandboxing
- Still not sure what(/if) consensus is on non-sandbox-capable systems and OpenH264
- Disable OpenH264 without sandboxing until someone complains?
- Yes: go ahead with bug 1120045.
Mac
- Content Sandboxing
- Am starting to review areinald's patch for bug 1083344.
- Opened follow-up bug 1123291 for previous Mac OS versions; ordered a machine for testing on them.
- Will open a follow-up bug for tightening rules further as e10s evolves towards more "things" happening from main process (may need help figuring out dependency linking on this one).
Chromium
- bug 1102211, bug 1102213, and bug 1102215 - to move all chromium code under the same directory structure - landed.