Security/Sandbox/2017-10-05

bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names
- Landed
bug 1403744 - [Windows] Whitelist the per-user extensions dir XRE_USER_SYS_EXTENSION_DIR
- Landed
bug 1393805 - Changes for bug 1332190 broke temporary installations of legacy addons with framescripts
- Backed out due to Mac failures, need to debug
bug 1401756 - [Mac] Remove unneeded mach-lookups from plugin sandbox rules
- Landed
High Sierra ESR/52 uplifts needed
- bug 1392988 - Firefox 55.02 on macOS High Sierra (10.13) cannot play AES encrypted video
- bug 1376163 - [10.13] No audio playback on YouTube, no audio/video on Netflix (macOS High Sierra 10.13 Beta)
bug 1398908 - Add automated test that uses nonexistent script from extension JAR file
- Tests working for JAR files, not yet for unpackaged
bug 1404919 - Fonts don't display correctly since update due to content-process sandboxing on macOS
- Font issue on release, missing some font types in extension whitelist

bug 1372823 - Extend BaseThreadInitThunk gatekeeping to support Windows 64-bit
- Reproduce the test failure, trying to diagnose now.
bug 1400637 - Crash in mozilla::layers::ImageBridgeChild::InitForContent
- For webroot, only seems to crash when loaded very early, which partially explains why it's intermittent
- Still a number of crashes on Nightly, going to expand the DLL list.
bug 1404681 - WebExtensions: tabs.saveAsPDF() throwing exception in Firefox 57.0b3 & 58.0a1
- Problem seems to be due to the ordering of IPC message processing.

1382323 Firefox 54 on Fedora 26 doesn't launch custom protocol handler
Reviews
Adding support for reading ld.conf.*
bug 1387837 Consider using /etc/ld.so.conf for creating the broker read access policy

bug 1380674 - [landed] Removing directory creation permissions from the macOS sandbox
- bug 1405312 - [landed] Delete the dead code in NPAPI that used to create directories
bug 1319423 - [in dev] Change how we do print IPC to not create a temporary file from the content process
- Removes either the last or second to last file creation in content process, in hopes of removing all write privileges!
macOS GPU process
- Trying to understand how Chrome uses its GPU process, given the platform limitiations -- answer seems to be "it does way less than the Windows Chrome GPU process does"

bug 1401666 - The Mesa 12 / libudev bug: wrote patch, tested, landed.
bug 1404647 - Linux sandboxing vs. parent process exiting before content proecesses
- Rust RNG (used by hash tables) panicking because of /dev/urandom
- Will be “fixed” by changes in Servo
- Also commented on bug 1405293 (same Rust stdlib code, but EINTR) while I was at it.
Confirmed that bug 1126437 (socket/connect) allows an easy sandbox escape.
bug 1405891 - split ioctl bug into blocking tty stuff (this bug) and moving to default-deny (original bug; will probably break on Nightly at least once)
- TIOCSTI is a known issue for sandboxes (CVE-2016-9016)
The IPC cleanup train is rolling again
- Landed bug 1397928: remove a few unused things)
- Posted patch for bug 1259852 - de-duplicate env code (& fix race on OS X)
- Posted patch for bug 1316153 - remove B2G ChildPrivileges
- Wrote patch for bug 1400061 - Mac close-on-exec thing (because it was easier to fix than avoid)
  - This one had a FIXME from a Chrome dev from April 2009, and was fixed upstream in August 2009
- Wrote patch for bug 1401790 - Remove ProcessArchitecture (unused now; Mac 32-bit NPAPI)

Round table

Meta bug for all sandbox escapes
Should we have a meta bug for privacy-related things we'd like for 59 (-> ESR -> Tor)?
- Or 58 for Pwn2Own?
- Resolved: yes for 59/Tor (maybe one already exists?), no for 58/P2O.
Elective @ Austin?