Security/Sandbox/2016-05-12


haik

  • I've been trying to learn about the bugs we need to fix in order to restrict file system access
  • Testing Nightly with no read/write to the $HOME to see what blows up, also testing with most of system.sb removed from ruleset

bobowen

  • bug 1035125 - On Windows, plugin-container.exe is linked against the sandbox_s library twice - patches reviewed and some changes up in response to glandium's review. Reasonable chance of landing next week, now that the VS2015 problem looks like it is resolved.
  • bug 1250125 - Make a 0 security.sandbox.content.level turn off the content process sandbox to allow Beta testing - patch up for review.
  • bug 1189846 - Print Edit 15.10 - just need to respond to smaug's review.
  • bug 1255336 - Printing results in empty page with print.always_print_silent=true - uplifted to Beta
  • bug 1260413 - Page dimensions aren't passed to print preview when printing via the parent - looks like my change for bug 1255336 fixed this; asked the reporter to retest.
  • bug 1271348 - Matrix print full width - landed, uplift to Beta requested.
  • bug 1271900 - Firefox prints with wrong size when either size is less than inch - landed, uplift to Beta requested.

tedd

  • bug 1259508 - sys_clone violation - cubeb patch submitted, r? requested
  • bug 1270147 - remote nsIOService::SpeculativeConnect - patch seems to have the r+, guess they are waiting for tests
  • bug 742434 - enable seccomp on nightly - talked to gcp, seems like an easy patch in old-configure.in
  • looking for ways to help reduce the seccomp whitelist, like file access etc.

gcp

aklotz

  • bug 1270018 - NS_APP_CONTENT_PROCESS_TEMP_DIR should only return the sandbox writeable temp - written, try looks ok, need to push to review

roundtable

  • Looked at bug 1196384 - (sandbox-fs) [meta] Cross-platform blockers for default-deny filesystem policy for content processes
    • Addons can use chrome: and resource: URLs -- can we whitelist files that each addon needs?
    • file:// protocol - bug 922481
    • Printing
    • Any other reasons content would need to read/write within $HOME?
    • Some addons try to read the configuration from the profile
  • From last week
    • bug 1269878 - TB is asking if we can move sandbox config to browser/. I told them to --disable-content-sandbox for the immediate term.
    • bug 1269930 - Crash on windows when logging AEC data from about:webrtc - what should our policy be on file write access in the child for new things?