Security/Sandbox/2014-04-17

From MozillaWiki
Revision as of 21:52, 24 October 2014 by Cpeterson



17 April 2014

B2G

  • Handling `open` is still complicated
    • The Chromium sandbox doesn't filter `open` (probably for the same reasons that we are finding it complicated)
  • We are wondering what we can do to make IPDL faster (we may make heavy use of it in the sandbox)
  • libgenlock uses the `open` syscall frequently; if we turn off `open` it becomes an issue (this is perf critical)
  • We may have to use binder to lock down `open`, but that may be more error-prone
    • If so… how is binder different from `SCM_RIGHTS`?

Windows (openh264)

  • Tim spent a lot of the week trying to get it to build
    • Looks like it will be pretty simple to get the sandbox applied to the process for openh264
    • expects a patch by the end of next week for this
  • Integrity levels: we've started to use "low" instead of untrusted
    • you can't create D3D device connections from untrusted processes
    • Chrome proxies GPU stuff through a GPU process that's got a higher level than the content process
    • IE just uses "low"

Extra:

  • jld got seccomp working on x86 kitkat emulator (will be on TBPL)