Closed Bug 1555168 Opened 2 years ago Closed 2 years ago

Disable RDD Sandbox Early Start in Beta/68


(Core :: Security: Process Sandboxing, task, P1)

68 Branch



Tracking Status
firefox67 --- unaffected
firefox68 --- verified
firefox69 --- unaffected


(Reporter: haik, Assigned: haik)




(2 files)

Due to reallocation of QA resources in the 68 Beta cycle, defer the project to start the RDD sandbox earlier (bug 1525086) to 69. The project integrated in 68, but can be disabled via a pref flip. This bug is to flip the pref "security.sandbox.rdd.mac.earlyinit" to false in 68 to revert to the 67 behavior for starting the RDD process sandbox.

Assignee: nobody → haftandilian
Priority: -- → P1
See Also: → 1525086
Type: defect → task

Disable starting the RDD Mac sandbox early (landed with bug 1525086) during RDD process startup in Beta.

This reverts parts of bug 1525086 so that the RDD Mac sandbox is started later after the IPC event loop is up.

$ ./ 
usage: [-h] [PID [PID ...]]

Report if a given process on macOS is sandboxed using the undocumented
sandbox_check function (Mac-specific.)

positional arguments:
  PID         PID of a processes to check

optional arguments:
  -h, --help  show this help message and exit

Comment on attachment 9068883 [details]
Bug 1555168 - Disable RDD Sandbox Early Start in Beta/68 r?jmathies

Beta/Release Uplift Approval Request

  • User impact if declined: Bug 1525086 will ship in 68 without adequate QA testing. QA testing was reallocated to another project and so some of the changes in 1525086 are being deferred to 69 via a pref flip.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: There's no error or failure to reproduce. Tests should validate that AV1 playback on YouTube and continues to work as expected.

Use the attached python script to validate that the RDD process is sandboxed. This requires viewing AV1 content, checking that an "rdd" plugin-container process is started, getting the process' PID, and running <PID>.

  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change restores the way the Mac RDD process sandbox is started to match 67 via pref flip. There is some risk because limited testing has been done with the pref flipped.
  • String changes made/needed: None
Attachment #9068883 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9068883 [details]
Bug 1555168 - Disable RDD Sandbox Early Start in Beta/68 r?jmathies

disable a new feature for 68 to allow for more QA. approved for 68.0b7

Attachment #9068883 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]
Closed: 2 years ago
Resolution: --- → FIXED

This issue is verified fixed on Firefox 68.0b7 using mac OS 10.13.6 and 10.14 with security.sandbox.rdd.mac.earlyinit" set to false.
During exploratory testing on YouTube and no new issues were uncovered.

Flags: qe-verify+
Regressions: 1559332
No longer regressions: 1559332
You need to log in before you can comment on or make changes to this bug.