Backed out changeset 730fcdccb26e (bug 742434)

Carsten "Tomcat" Book 2016-07-05 12:25:41 +02:00
parent 8d25d74c3b
commit d90190d784
3 changed files with 1 additions and 29 deletions


@ -973,26 +973,6 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
pref("security.sandbox.content.level", 1);
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// This pref is introduced as part of bug 742434, the naming is inspired from
// its Windows/Mac counterpart, but on Linux it's an integer which means:
// 0 -> "no sandbox"
// 1 -> "content sandbox using seccomp-bpf when available"
// 2 -> "seccomp-bpf + file broker"
// Content sandboxing on Linux is currently in the stage of
// 'just getting it enabled', which includes a very permissive whitelist. We
// enable seccomp-bpf on nightly to see if everything is running, or if we need
// to whitelist more system calls.
//
// So the purpose of this setting is to allow nightly users to disable the
// sandbox while we fix their problems. This way, they won't have to wait for
// another nightly release which disables seccomp-bpf again.
//
// This setting may not be required anymore once we decide to permanently
// enable the content sandbox.
pref("security.sandbox.content.level", 1);
#endif
#if defined(XP_MACOSX) || defined(XP_WIN)
#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// ID (a UUID when set by gecko) that is used to form the name of a


@ -2599,14 +2599,6 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
#endif
MaybeFileDesc brokerFd = void_t();
#ifdef XP_LINUX
// XXX: Checking the pref here makes it possible to enable/disable sandboxing
// during an active session. Currently the pref is only used for testing
// purpose. If the decision is made to permanently rely on the pref, this
// should be changed so that it is required to restart firefox for the change
// of value to take effect.
shouldSandbox = (Preferences::GetInt("security.sandbox.content.level") > 0) &&
!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
if (shouldSandbox) {
MOZ_ASSERT(!mSandboxBroker);
UniquePtr<SandboxBroker::Policy> policy =


@ -120,7 +120,7 @@ SandboxBrokerPolicyFactory::GetContentPolicy(int aPid)
{
// Allow overriding "unsupported"ness with a pref, for testing.
if (!IsSystemSupported() &&
Preferences::GetInt("security.sandbox.content.level") <= 1) {
Preferences::GetInt("security.sandbox.content.level") <= 0) {
return nullptr;
}
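Review bot: The pref check in `GetContentPolicy` is left with a bare numeric threshold and a comment that only says "for testing", while this same backout deletes the Linux default for `security.sandbox.content.level` and the only table explaining its integer levels (first file section). The page does not mark which of the two comparison lines is the restored one; assuming it is `<= 0`, an unset pref presumably reads as `GetInt`'s fallback of 0, so an unsupported system gets `nullptr` here unless someone sets the pref by hand. I would spell that out at the check, e.g. `// No Linux default ships for this pref; unset reads as 0, so only an explicit value > 0 overrides IsSystemSupported().` What a `nullptr` policy means for the child process (no file broker versus no sandbox at all) is decided by the caller, which is outside this hunk, as is the rest of the function body.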