Security/Sandbox/2015-02-12
From MozillaWiki
« previous week | index | next week »
Standup/Status
Windows
- GMP/EME Sandboxing
- bug 1129369 - Turn on DEP_NO_ATL_THUNK, BOTTOM_UP_ASLR and MITIGATION_STRICT_HANDLE_CHECKS process-level mitigations - landed.
- NPAPI Sandboxing
- bug 1132021 - Add a new sandbox level for Windows NPAPI to use USER_LIMITED access token level. - landed
Linux/B2G
- Content Sandboxing
- Still looking like it can't happen on desktop.
- GMP/EME Sandboxing
- Can get chroot + network namespace isolation relatively easily, if user namespaces supported, then follow up with pid namespaces.
- Other Linux work
- bug 1088387 is finally ready for review.
- (But it needs a better title…)
- bug 1088387 is finally ready for review.
Mac
- Content Sandboxing
- addressed issues mentioned in the past meeting:
- hopefully printing and printing to pdf on 10.10 based on logs sent by smichaud
- allowed file read/write access inside $HOME minus $HOME/Library
- added "security.sandbox.macos.content.moreStrict" preference, 1 enables sandbox and should be default
- waiting for review of 1083344
Chromium
- bug 1102195 - Update security/sandbox/chromium/ to Chromium stable channel version 40.0.2214.111 - landed.
Round Table
- EME:
- The EME team plans to ship in 38. We have twice-weekly EME standup meetings (Monday/Thursday).
- Do we still want our EME sandboxing meeting? cpeterson to follow up in email.
- OS X CDM may start in a couple months.
- The EME team plans to ship in 38. We have twice-weekly EME standup meetings (Monday/Thursday).