mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-08 02:14:43 +00:00
Bug 1783223 - Enable Arbitratry Code Guard in RDD on Nightly. r=bobowen
This was previously disabled in bug 1673194 because of start up crashes. It seems like msmpeg2vdec.dll may use dynamic code to support encrypted code that uses. In recent versions of Windows this only seems used in the 32bit version. The 32bit version will opt out of ACG on the threads where it needs to use VirtualProtect so we use the weaker variant there. Differential Revision: https://phabricator.services.mozilla.com/D153762
This commit is contained in:
parent
8eb399bdd5
commit
64aded89bb
@ -1073,9 +1073,25 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
|
||||
mPolicy->SetLockdownDefaultDacl();
|
||||
mPolicy->AddRestrictingRandomSid();
|
||||
|
||||
sandbox::MitigationFlags dynamicCodeDisable = 0;
|
||||
// ASAN is not compatible with ACG:
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=1783223#c12
|
||||
#if defined(NIGHTLY_BUILD) && !defined(MOZ_ASAN)
|
||||
// msmpeg2vdec.dll will opt out of DYNAMIC_CODE_DISABLE on threads
|
||||
// where it needs to use VirtualProtect
|
||||
dynamicCodeDisable = sandbox::MITIGATION_DYNAMIC_CODE_DISABLE_WITH_OPT_OUT;
|
||||
# ifdef _WIN64
|
||||
if (IsWin10CreatorsUpdateOrLater()) {
|
||||
// later 64bit versions of msmpeg2vdec.dll don't use VirtualProtect
|
||||
// anymore
|
||||
dynamicCodeDisable = sandbox::MITIGATION_DYNAMIC_CODE_DISABLE;
|
||||
}
|
||||
# endif
|
||||
#endif
|
||||
sandbox::MitigationFlags mitigations =
|
||||
sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |
|
||||
sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
|
||||
dynamicCodeDisable | sandbox::MITIGATION_BOTTOM_UP_ASLR |
|
||||
sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP |
|
||||
sandbox::MITIGATION_EXTENSION_POINT_DISABLE |
|
||||
sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |
|
||||
sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user