Security/Sandbox/2017-07-06

From MozillaWiki

haik

  • Landed
    • bug 1334550 - Proxy moz-extension protocol requests to the parent process
    • bug 1377128 - Screenshots overlay button icons are not displayed on latest Nightly build
    • bug 1377614 - System extensions fail to load in local builds
    • bug 1377355 - Unable to load unpacked web extensions in about:debugging; content script cannot be loaded
  • Autoland
    • bug 1332190 - [Mac] Enable level 3 Mac content sandbox, removing filesystem read access
  • bug 1376496 - Follow-up fixes to moz-extension remoting support in 1334550
  • bug 1376163 - [10.13] No audio playback on YouTube, no audio/video on Netflix (macOS High Sierra 10.13 Beta)

Alex_Gaynor

gcp

  • bug 1308400 - Rebased, small cleanups
  • bug 1308400 - There is no symlink - testing
  • next: TESTS PERHAPS
  • next: X11 inspection

handyman

  • bug 1334803 - XFinity login fails due to Flash sandbox
    • LSA rejects any client with process token with restricting SIDs
    • LSA uses impersonation to get "client token". This ignores the client's impersonated "pre-lockdown" token
    • No choice but to remove restricting SIDs (AFAIK)

jld

  • bug 1372428 - Widevine fixes: cleaned up; needs 32-bit testing
  • bug 1362537 - Re-disallow accept4; landed
  • bug 1370578 - Extend telemetry; landed
  • bug 1376910 - Remove SysV IPC; have patch; seems to pass Try
  • bug 1129492 - X11 bug; commented with some findings - had a nice RHEL bug this morning with SELinux sandbox
    • bug 1376559 is the RH bug; they used SELinux to block plugin-container from Internet-domain networking
      • (Which would also break remote PulseAudio, I just realized….)
    • Should file a followup bug to remove that gdk_flush() that we don't need anymore
  • WebGL may be easier than we thought…
    • (“easier” is relative)

bobowen

  • Landed
    • bug 1369670 - Blank pages are printed with security.sandbox.content.level set to 3 when Users folder is a junction point - also verified by QA
    • bug 1378061 - Only set user's SID in USER_LIMITED as deny only when not using restricting SIDs.
  • bug 1366694 - Enable Windows level 3 content process sandbox by default on Nightly.
    • Need to disable our sandboxing fs tests for DEBUG on Windows as we currently whitelist the TEMP dir (Linux patch does this too)
    • Issue with leak of three objects in a11y tests.
  • bug 1378377 - file:// URI sub-resources within CAPS whitelisted http pages will fail to load with read sandboxing