Security/Sandbox/2015-03-12
From MozillaWiki
Standup/Status
Windows
- Content Sandboxing
- bug 1137166 - sandboxing levels using a pref - landed.
- GMP/EME Sandboxing
- EME planning to ship in 38.
Linux/B2G
- Content Sandboxing
- The patches to make remote jars not open files in the content process have finally landed.
- Unwhitelisting unlink() is on its way.
- Also, making readlink() fail instead of allowing it.
- Fun fact: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto also loads NSS in the content process, not just WebRTC.
- v2.2 needs some uplifts for Lollipop
- Other Linux work
- Testing for the presence of more advanced sandboxing features landed, and had an obvious-in-hindsight bug that ASAN caught (but not on automation, because their kernels are too old)
- rel ops is going to look into upgrading automation to Ubuntu 14.04.
Mac
- Content Sandboxing
- "Breaking addons once" and "breaking nothing now" are mutually incompatible expectations. The 2nd expectation requires allowing "read all", which may still break some addons for other reasons, and since a later sandbox will turn that into "read-some", a 2nd wave of addons will break, contradicting the 1st expectation. Keeping the default sandbox level at 0 seems to be the only sensible option for now.
- Agreed to have an "allow read mostly everywhere" rule; will only restrict access in "$HOME/Library" to addons inside the profile dirs. Will raise the default level to 1. Should post the patch after the standup.
- Implement level 2, to be more strict; it will basically be what level 1 is today.
- GMP/EME Sandboxing
- Close to finishing bug 1110911 ("Move Mac sandboxing code into plugin-container").
Chromium
- Chromium update - gcc-4.6: not sure if Android and B2G are a problem.
- Bob to follow up with mwu.
Round Table
- Added BUG_COMPONENT metadata for security/sandbox/