Closed Bug 1149483 Opened 10 years ago Closed 10 years ago

Change content sandbox level 1 to a working low integrity sandbox.

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox40 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Attachments

(1 file)

Change content sandbox level 1 to a working low integrity sandbox.
12.86 KB, patch
TimAbraldes
: review+
billm
: review+
Details | Diff | Splinter Review
Once bug 1119878 lands it appears that the main blocker (audio) for using a low integrity sandbox disappears. We'll need to do a couple (possible more) of things for it to not break things that work with e10s (as far as I know): * Add the crash server pipe to the policy rules. * Move the creation of the low integrity temp directory to early in the process start-up. This will allow file read everywhere that the current user can and write to the temp directory (or other low integrity directories).
Blocks: 1142239
This changes the level 1 content sandbox on Windows to just a low integrity sandbox. This will allow people to test the sandbox and hopefully iron out any problems before I turn this on by default. Changed the low integrity temp so that it is set up as soon as we are able to. Tim - would you look at the sandbox changes? Bill - are you OK yo review the dom/ipc changes? I've also changed the level 2 sandbox to start with low integrity as this makes that work better as well since bug 1119878 landed. Try push just before I added the MOZ_ASSERTs and another minor format change. https://treeherder.mozilla.org/#/jobs?repo=try&revision=fc8c25b80c72 Try push with the sandbox level set to 1 and e10s enabled: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c0eb5f7e1466 This was a slightly earlier version of the patch, but nothing has changed functionally. Only WinXP gl tests that look like they might need some more rules when compared to holly. I'll need to sort that out and possibly other new rules before I can make this the default.
Attachment #8588623 - Flags: review?(wmccloskey)
Attachment #8588623 - Flags: review?(tabraldes)
Attachment #8588623 - Flags: review?(tabraldes) → review+
Attachment #8588623 - Flags: review?(wmccloskey) → review+
Blocks: 1151767
https://hg.mozilla.org/mozilla-central/rev/6f8e9bf83767
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: