Change content sandbox level 1 to a working low integrity sandbox.

RESOLVED FIXED in Firefox 40





(Reporter: bobowen, Assigned: bobowen)


Windows 7

Firefox Tracking Flags

(firefox40 fixed)



(1 attachment)

Once bug 1119878 lands it appears that the main blocker (audio) for using a low integrity sandbox disappears.

We'll need to do a couple (possibly more) of things for it to not break things that work with e10s (as far as I know):
* Add the crash server pipe to the policy rules.
* Move the creation of the low integrity temp directory to early in the process start-up.

This will allow file read everywhere that the current user can and write to the temp directory (or other low integrity directories).
Blocks: 1142239
This changes the level 1 content sandbox on Windows to just a low integrity sandbox.
This will allow people to test the sandbox and hopefully iron out any problems before I turn this on by default.
Changed the low integrity temp so that it is set up as soon as we are able to.

Tim - would you look at the sandbox changes?
Bill - are you OK to review the dom/ipc changes?

I've also changed the level 2 sandbox to start with low integrity as this makes that work better as well since bug 1119878 landed.

Try push just before I added the MOZ_ASSERTs and another minor format change.

Try push with the sandbox level set to 1 and e10s enabled:

This was a slightly earlier version of the patch, but nothing has changed functionally.
Only WinXP gl tests that look like they might need some more rules when compared to holly. I'll need to sort that out and possibly other new rules before I can make this the default.
Attachment #8588623 - Flags: review?(wmccloskey)
Attachment #8588623 - Flags: review?(tabraldes)
Attachment #8588623 - Flags: review?(tabraldes) → review+
Attachment #8588623 - Flags: review?(wmccloskey) → review+
Blocks: 1151767
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40