When reviewing https://bugzilla.mozilla.org/show_bug.cgi?id=1521052 I did not think about Firefox for Android, which is not using e10s.
This means the main DebuggerServer will be killed when there are no connections left. Happy to discuss more about the preferred solution.
This is a regression in 66 and I hope to uplift a fix for this.
Differential Revision: https://phabricator.services.mozilla.com/D20830
--HG--
extra : moz-landing-system : lando
The seccomp-bpf policy is currently just the "common" policy with no
additions (but with the fixes in bug 1511560 to enable shared memory
creation). The file broker policy allows shared memory creation and
nothing else. The namespace setup is the same as for GMP (i.e., as
restrictive as we currently can be).
The sandbox can be turned off for troubleshooting by setting the
environment variable MOZ_DISABLE_RDD_SANDBOX, similarly to the other
process types.
Tested against https://demo.bitmovin.com/public/firefox/av1/ with the
necessary prefs set.
Depends on D20895
Differential Revision: https://phabricator.services.mozilla.com/D14525
--HG--
extra : moz-landing-system : lando
Counting CPUs accesses the filesystem (sysfs or procfs), which we'd like
to disallow when sandboxed if possible, and fails silently if access
is denied. Because the CPU count rarely changes, this patch handles
that problem for the RDD process by caching a copy before starting
sandboxing.
Tested with a local patch to have the sandbox file broker client crash
if accessing the sysfs node for the CPU count, to verify that it's not
accessed.
Depends on D14524
Differential Revision: https://phabricator.services.mozilla.com/D20895
--HG--
extra : moz-landing-system : lando
File descriptors are sometimes dup()ed in the process of communicating
them over IPC; some of this may be unnecessary (due to insufficient
use of move-only types), but dup() is relatively harmless. It was
previously allowed for both content and GMP, so this doesn't change
anything.
The handling of ftruncate is a little complicated -- it's used for IPC
shared memory, but only when creating segments; so GMP doesn't allow
it and should continue not allowing it, but content needs it and RDD
will as well. As a result, the subclass indicates if it will be needed.
Note that even when we have memfd_create support (bug 1440203),
ftruncate is still necessary even though brokering may not be.
Depends on D14523
Differential Revision: https://phabricator.services.mozilla.com/D14524
--HG--
extra : moz-landing-system : lando
The sandbox broker uses socketpair to construct the per-request channels
over which responses are sent; thus, if and only if the policy will be
using brokering, it will allow socketpair as safely as possible (i.e.,
denying datagram sockets if possible).
Depends on D14522
Differential Revision: https://phabricator.services.mozilla.com/D14523
--HG--
extra : moz-landing-system : lando
madvise is used by our malloc (and probably others), and mprotect is
used with shared memory, including when created by another process, so
the common policy should include those rules.
Depends on D14521
Differential Revision: https://phabricator.services.mozilla.com/D14522
--HG--
extra : moz-landing-system : lando
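The three commits above (dup/ftruncate in D14524, socketpair in D14523, madvise/mprotect in D14522) each add a small rule to a seccomp-bpf policy. The following is an added, self-contained illustration of what such rules look like as classic BPF, not code from mozilla-central (which builds its policies with Chromium's sandbox DSL rather than raw instructions). It assumes Linux x86-64 headers and a little-endian host; the flags `allow_ftruncate` and `use_broker` are constructed stand-ins for the "subclass indicates if it will be needed" and "if and only if the policy will be using brokering" conditions described in the messages. A minimal interpreter is included so the policy can be checked in-process without actually installing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Older UAPI headers lack this action; the value is the kernel's. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define MAX_INSNS 32

struct policy {
    struct sock_filter insns[MAX_INSNS];
    size_t len;
};

static void emit(struct policy *p, struct sock_filter f) {
    if (p->len < MAX_INSNS) p->insns[p->len++] = f;
}

/* Constructed policy: always allow dup/madvise/mprotect, allow ftruncate only
 * when the concrete policy says it needs it, and allow socketpair (minus
 * datagram sockets) only when a file broker is in use. Everything else kills
 * the process, which is the fail-closed default a sandbox wants. */
struct policy build_policy(int allow_ftruncate, int use_broker) {
    struct policy p = { .len = 0 };
    size_t i;
    const int always[] = { __NR_dup, __NR_madvise, __NR_mprotect };

    /* Refuse any syscall made under a different ABI (assumption: x86-64). */
    emit(&p, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    emit(&p, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
    emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));

    /* Load the syscall number into the accumulator. */
    emit(&p, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));

    for (i = 0; i < sizeof always / sizeof always[0]; i++) {
        emit(&p, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, always[i], 0, 1));
        emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    if (allow_ftruncate) {
        emit(&p, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ftruncate, 0, 1));
        emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    if (use_broker) {
        /* Not socketpair: skip the five instructions of this rule. */
        emit(&p, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socketpair, 0, 5));
        /* Low 32 bits of args[1] (the socket type) on a little-endian host. */
        emit(&p, (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])));
        /* Mask off SOCK_CLOEXEC / SOCK_NONBLOCK so only the type remains. */
        emit(&p, (struct sock_filter)BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xf));
        emit(&p, (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_DGRAM, 0, 1));
        emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
        emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    }
    emit(&p, (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    return p;
}

/* Interpreter for the instruction subset used above; returns the action word. */
uint32_t eval_policy(const struct policy *p, const struct seccomp_data *sd) {
    const uint8_t *mem = (const uint8_t *)sd;
    uint32_t A = 0;
    size_t pc;
    for (pc = 0; pc < p->len; pc++) {
        const struct sock_filter *f = &p->insns[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&A, mem + f->k, sizeof A); break;
        case BPF_ALU | BPF_AND | BPF_K: A &= f->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (A == f->k) ? f->jt : f->jf; break;
        case BPF_RET | BPF_K:           return f->k;
        default:                        return SECCOMP_RET_KILL_PROCESS; /* fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Convenience: decide one constructed syscall (nr, args[1]) under a given policy. */
uint32_t decide(int allow_ftruncate, int use_broker, int nr, uint64_t arg1) {
    struct policy p = build_policy(allow_ftruncate, use_broker);
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = AUDIT_ARCH_X86_64;
    sd.args[1] = arg1;
    return eval_policy(&p, &sd);
}
```

Installing such a program for real goes through `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` followed by `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)`; the interpreter here exists only so the rule logic (the ftruncate flag, the datagram check, the fail-closed default) can be exercised without changing the calling process.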
This will allow other policies to use brokering if needed (e.g., RDD and
similar utility processes may need to access /dev/shm to create shared
memory). The concrete policy class can deny filesystem access completely
(matching the current behavior of the GMP policy) by passing nullptr to
the superclass constructor instead.
Depends on D14520
Differential Revision: https://phabricator.services.mozilla.com/D14521
--HG--
extra : moz-landing-system : lando
ContentSandboxPolicy currently allows direct filesystem access if it
isn't given a broker client; this is a legacy design from the B2G era,
before the current idea of "sandbox level". With this patch, it allows
filesystem access at level 1, and above that it requires brokering.
This is both to reduce the opportunities for accidentally having a
too-permissive sandbox and to prepare for refactoring the broker glue in
bug 1511560.
Depends on D14519
Differential Revision: https://phabricator.services.mozilla.com/D14520
--HG--
extra : moz-landing-system : lando
Level 1 is meant to enable some seccomp-bpf filtering, but still allow
direct access to the filesystem, and level 2 is where brokering starts.
This was accidentally broken in 1365257 (making "level 1" act like level
2); this patch fixes that.
This feature obviously isn't used much given how long nobody noticed it was
broken, but it's useful to have around for troubleshooting, and it's
actually easier to fix it than edit it out of the documentation.
Differential Revision: https://phabricator.services.mozilla.com/D14519
--HG--
extra : moz-landing-system : lando
This disables the camera for win64-aarch64 for Windows versions below
19H1. These versions have problems with the DirectShow implementation
which prevent the camera from working properly.
Differential Revision: https://phabricator.services.mozilla.com/D21272
--HG--
extra : moz-landing-system : lando
When a user first upgrades to a version where incognito is enabled,
add the permission to all enabled extensions. This preserves user workflow
and addresses other issues (e.g. proxy). This will only happen once.
Differential Revision: https://phabricator.services.mozilla.com/D19442
--HG--
extra : moz-landing-system : lando
If Firefox was using the default profile before restarting to upgrade to a build
supporting dedicated profiles, then we should check whether we can make the selected
profile the default for this build and, if not, create the user a new profile.
Differential Revision: https://phabricator.services.mozilla.com/D20415
--HG--
extra : moz-landing-system : lando
AddonRepository validates IDs that are returned from AMO. We
need to handle the case where we are using the rta prefix for ReturnToAMO.
Differential Revision: https://phabricator.services.mozilla.com/D21389
--HG--
extra : moz-landing-system : lando
On Android we apparently try to include the cpufeatures.c file from the
NDK as part of the generated-sources tarball. While this works, it makes
tar drop the bogus entry for safety reasons when unpacking the archive.
It also makes tar return an error, which is undesirable for searchfox.
It's better to just skip the entry when building the tarball.
Differential Revision: https://phabricator.services.mozilla.com/D20942
--HG--
extra : moz-landing-system : lando
Refactors the logic so the target node on which the Font Editor operates can point to a parent node in the case of text nodes without explicitly changing the node selection.
The target node is assigned to `this.node`. When that is null, it means the node selection is not supported by the Font Editor. This removes the need for the `isSelectedNodeValid()` method.
Differential Revision: https://phabricator.services.mozilla.com/D21387
--HG--
extra : moz-landing-system : lando
This adds support for specifying per-suite perfherder alert thresholds and
updates the base content JS measurement to specify a 0.25% threshold.
Differential Revision: https://phabricator.services.mozilla.com/D21292
--HG--
extra : moz-landing-system : lando