Closed
Bug 1337162
Opened 7 years ago
Closed 7 years ago
Let Linux content process sandbox ride the trains
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
()
RESOLVED
FIXED
mozilla54
People
(Reporter: jld, Unassigned)
References
Details
(Whiteboard: sblc2)
Attachments
(1 file)
59 bytes,
text/x-review-board-request
|
ted
:
review+
gchang
:
approval-mozilla-aurora-
|
Details |
The actual patch for getting Linux content process sandboxing turned on on non-nightly builds will be tiny, but this bug is also for collecting anything we'll definitely need uplifted in order to jump on the 53 train.
Updated•7 years ago
|
Updated•7 years ago
|
Whiteboard: sblc2
Comment hidden (mozreview-request) |
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8841061 [details] Bug 1337162 - Enable the Linux content sandbox for non-Nightly builds. https://reviewboard.mozilla.org/r/115408/#review117132 ::: old-configure.in:3740 (Diff revision 1) > dnl ======================================================== > if test -n "$gonkdir"; then > MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX > fi > > case "$OS_TARGET:$NIGHTLY_BUILD" in As a follow-up you could just remove the `$NIGHTLY_BUILD` bit entirely. Although the better patch would be to move all of this logic to moz.configure.
Attachment #8841061 -
Flags: review+
Comment hidden (mozreview-request) |
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8841061 [details] Bug 1337162 - Enable the Linux content sandbox for non-Nightly builds. https://reviewboard.mozilla.org/r/115408/#review117138
Attachment #8841061 -
Flags: review+
Pushed by gpascutto@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3289df5bebeb Enable the Linux content sandbox for non-Nightly builds. r=ted
Comment 7•7 years ago
|
||
Comment on attachment 8841061 [details] Bug 1337162 - Enable the Linux content sandbox for non-Nightly builds. Approval Request Comment [Feature/Bug causing the regression]: Enables syscall+write sandboxing for Linux. [User impact if declined]: Less secure browser. [Is this code covered by automated tests?]: Yes, there are some to check whether the policies are effective, and all other, normal tests run "inside" the sandbox. [Has the fix been verified in Nightly?]: Core code has been in Nightly since October. [List of other uplifts needed for the feature/fix]: Bug 1286865, Bug 1329216, Bug 1330326, Bug 1335323, Bug 1335329 [Is the change risky?]: Moderately. [Why is the change risky/not risky?]: Although it has been tested in Nightly for months, the main thing that interacts with the Sandbox and could cause problems for us is third-party libraries that are being loaded into Firefox. Differences in user population between Beta/Release and Nightly will mean that we might see new compatibility issues. I suspect this is less of an issue on Aurora (which is probably closer to Nightly), but it will be a bigger one when moving to Beta (one more reason to want this on beta sooner rather than later!). Two of the bugs that need uplift together with this one add a fine-grained exception mechanism that we can use to open holes in the sandbox via preferences, if this turns out to be needed. Another bug adds Telemetry reporting for issues Firefox detects in the field. We believe that with the combination of the two, we can measure the impact and if needed quickly respond and fix issues in Aurora/Beta via preference updates rather than full patches.
Attachment #8841061 -
Flags: review?(mh+mozilla) → approval-mozilla-aurora?
Comment 8•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/3289df5bebeb
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
|
status-firefox53:
--- → affected
Comment 9•7 years ago
|
||
Comment on attachment 8841061 [details] Bug 1337162 - Enable the Linux content sandbox for non-Nightly builds. This is a huge patch according to the [List of other uplifts needed for the feature/fix]. We only have less than 1 week to Beta53. This seems too risky to me to uplift these patches to 53. Aurora53-. We can let this ride the train on 54.
Attachment #8841061 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Comment 10•7 years ago
|
||
I can speak for Bug 1329216, which is already uplifted. But don't know if that changes anything.
You need to log in
before you can comment on or make changes to this bug.
Description
•