1158849 - Thumbnail content process on Windows is being sandboxed by mistake.

Status: VERIFIED FIXED

(Core :: Security: Process Sandboxing, defect)

Description

[Bob Owen (:bobowen)]

I've recently realised that the thumbnail content process is being sandboxed everywhere because the content sandbox is turned on in all channels.
This is simply because at the time I made that change, I didn't realise that the content process was being used at all.
So I changed it to all channels thinking that it would roll out when e10s did.

This may well not be causing any issues for most platforms, but the WinXP 64-bit sandbox currently fails to start, so it's certainly affecting that.

I'm going to change this to Nightly only for the moment.

Comment 1

[Bob Owen (:bobowen)]

Attachment: Only enable Windows content sandbox on Nightly because of thumbnail process.

Comment 2

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/786d3ff3e82f

Comment 3

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/786d3ff3e82f

Comment 4

[Bob Owen (:bobowen)]

Comment on attachment 8598055 [details] [diff] [review]
Only enable Windows content sandbox on Nightly because of thumbnail process.

Approval Request Comment
[Feature/regressing bug #]:
Bug 928044

[User impact if declined]:
The thumbnail content process will continue to fail to start for WinXP 64-bit users.
Also, there is a possibility that the sandbox is contributing to other crashes, but with no real benefit given the weak sandbox policy.

[Describe test coverage new/current, TreeHerder]:
This essentially falls back to the old chromium code for starting child processes, which is what was used until Fx37 and is still used for NPAPI processes.

Also I have applied this patch to a local version of Aurora and Beta and made sure that the thumbnail process starts correctly without sandboxing.

[Risks and why]:
Low - this is changing back to the Fx36 way of starting the process.

[String/UUID change made/needed]:
None

Comment 5

[Bob Owen (:bobowen)]

Just to be clear I think this should go to 38 and 38.05.

Comment 6

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8598055 [details] [diff] [review]
Only enable Windows content sandbox on Nightly because of thumbnail process.

[Triage Comment]
Should be in 38 rc1

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/ee1237e4815e

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-release/rev/742d81505cd3

Comment 9

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr38/rev/742d81505cd3

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/742d81505cd3

Comment 11

[[SV Manager] Florin Mezei, QA (:FlorinMezei)]

Bob, do you have some detailed steps to verify this fix with ESR 38?

Comment 12

[Bob Owen (:bobowen)]

(In reply to Florin Mezei, QA (:FlorinMezei) from comment #11)
> Bob, do you have some detailed steps to verify this fix with ESR 38?

You can trigger the thumbnail content process with these instructions:
https://blog.mozilla.org/nnethercote/2013/10/22/how-to-trigger-a-child-process-in-desktop-firefox/

If you then look at the command line of the plugin-container.exe process using Process Explorer, it should not have the "-sandbox" parameter.

If you check a child process from Nightly with e10s it will have this parameter.

Comment 13

[Petruta Horea [:phorea], Desktop QA]

Reproduced with Firefox 37RC under Win 7 64-bit.
With Firefox 38.0ESR "-sandbox" parameter is not displayed, while on Nightly 40.0a1 2015-05-05 it is shown. 

Marking as verified these two versions.