Open
Bug 1409569
Opened 8 years ago
Updated 2 years ago
Enabling MITIGATION_FORCE_MS_SIGNED_BINS for content processes
Categories
(Core :: Security: Process Sandboxing, task, P3)
Tracking
()
NEW
People
(Reporter: jimm, Unassigned)
References
(Blocks 1 open bug)
Details
Filing this tracking bug for work to be done to enable MITIGATION_FORCE_MS_SIGNED_BINS for content processes on Windows.
We need to develop a strategy for getting core Mozilla libraries loaded early or statically linked. It would be nice if we could do this as early as possible.
Comment 1•8 years ago
I know offhand one that we'll run into is libsoftokn3; unfortunately I think it intentionally is lazily loaded to assist startup performance.
Comment 2•8 years ago
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> I know offhand one that we'll run into is libsoftokn3; unfortunately I think
> it intentionally is lazily loaded to assist startup performance.
This sounds to me like another data point in favor of having all lazy loading done by a single service, as opposed to ad-hoc places all over the code.
Comment 3•8 years ago
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> I know offhand one that we'll run into is libsoftokn3; unfortunately I think
> it intentionally is lazily loaded to assist startup performance.
I can see why we might want to delay initializing softokn, but that might not apply to just pre-loading the library?
Also, it's theoretically possible to statically link all of NSS, but it'd need some changes in the NSS build system and some strategic use of PR_LoadStaticLibrary. Chrome did this, back before they switched to BoringSSL, and there are even some patches hiding in Bugzilla somewhere (but they're kind of hacky, never landed in upstream NSS, and have certainly bitrotted).
Comment 4•8 years ago
status-firefox59:
--- → ?
Updated•7 years ago
status-firefox58:
affected → ---
status-firefox59:
? → ---
Updated•7 years ago
Priority: -- → P3
Comment 5•7 years ago
Also, I think graphics drivers would be a problem here. We could ship this behind WebRender / WSCD possibly.
Comment 6•6 years ago
The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:jimm, maybe it's time to close this bug?
Flags: needinfo?(jmathies)
Updated•6 years ago
Summary: Enabling MITIGATION_FORCE_MS_SIGNED_BINS for content processes → [meta] Enabling MITIGATION_FORCE_MS_SIGNED_BINS for content processes
Comment 7•6 years ago
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #6)
> The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
> :jimm, maybe it's time to close this bug?
This work hasn't landed but will eventually. I've removed the meta keyword.
Type: enhancement → task
Flags: needinfo?(jmathies)
Keywords: meta
Summary: [meta] Enabling MITIGATION_FORCE_MS_SIGNED_BINS for content processes → Enabling MITIGATION_FORCE_MS_SIGNED_BINS for content processes
Updated•3 years ago
Severity: normal → S3