Closed
Bug 1450773
Opened 6 years ago
Closed 6 years ago
Do not use restricting SIDs in NPAPI process except on Nightly
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla61
People
(Reporter: handyman, Assigned: handyman)
References
Details
Attachments
(1 file)
1.61 KB,
patch
|
bobowen
:
review+
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This is to undo the work in Bug 1426733 on all builds except nightly. Right now, restricting SIDs are on in the NPAPI proc in nightly and beta and we are running into some crashes around audio device usage -- see bug 1449388. We think that the crash is due to a regression in Flash that Adobe is fixing. In the interim, we think we should hold the use of restricting SIDs (they _harden_ the sandbox).
Assignee | ||
Comment 1•6 years ago
|
||
Bob, you can get caught up on the history in comment 0. It appears Adobe is on it but we need to do something in the interim since its causing crashes in beta so the plan is to uplift this. So far, the audio crash is the only known fallout from that rest SIDs change. We can always undo the undo if Adobe comes back with something in time. I'm nearly done playing with this locally and so far it doesn't have any conflict with the latest plugin setup (meaning it doesn't conflict with the access token change -- which really isn't a surprise). --- Tests: https://treeherder.mozilla.org/#/jobs?repo=try&revision=40b29602e02fcc45ea344de39a531e9a6f9fd1bf
Attachment #8964442 -
Flags: review?(bobowencode)
Updated•6 years ago
|
Attachment #8964442 -
Flags: review?(bobowencode) → review+
Assignee | ||
Updated•6 years ago
|
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/5365c443117b Remove restricting SIDs from NPAPI sandbox outside of nightly builds. r=bobowen
Keywords: checkin-needed
Comment 3•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/5365c443117b
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Assignee | ||
Comment 4•6 years ago
|
||
Comment on attachment 8964442 [details] [diff] [review] Remove restricting SIDs from NPAPI sandbox outside of nightly builds Approval Request Comment [Feature/Bug causing the regression]: bug 1426733 hardened the plugin sandbox, inspiring some crashes [User impact if declined]: We _believe_ Flash usage will cause occasional crashes when doing things like changing audio devices (e.g. switching to headphones). We _know_ that Flash will not recognize such device changes without this patch. [Is this code covered by automated tests?]: Not really. The sandbox is created in at least one test but this is really relevant to Flash code, which we don't test. [Has the fix been verified in Nightly?]: The patch explicitly #ifdefs out any behavioral changes to nightly. This is only intended to affect beta/release. [Needs manual test from QE? If yes, steps to reproduce]: No. The issue, however, can be verified by running any page with Flash content that makes sounds (like videos) and plugging/unplugging headphones. [List of other uplifts needed for the feature/fix]: None [Is the change risky?]: No. [Why is the change risky/not risky?]: This lowers the power of the sandbox to a setting closer to where it is in release now. A weaker sandbox shouldn't break anything. [String changes made/needed]: None
Attachment #8964442 -
Flags: approval-mozilla-beta?
Comment 5•6 years ago
|
||
Comment on attachment 8964442 [details] [diff] [review] Remove restricting SIDs from NPAPI sandbox outside of nightly builds weaken flash plugin sandbox, approved for 60.0b11 :/
Attachment #8964442 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•6 years ago
|
status-firefox60:
--- → affected
Comment 6•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/968f78c16b22
Updated•6 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•