Counting CPUs accesses the filesystem (sysfs or procfs), which we'd like
to disallow when sandboxed if possible, and fails silently if access
is denied. Because the CPU count rarely changes, this patch handles
that problem for the RDD process by caching a copy before starting
sandboxing.
Tested with a local patch to have the sandbox file broker client crash
if accessing the sysfs node for the CPU count, to verify that it's not
accessed.
Depends on D14524
Differential Revision: https://phabricator.services.mozilla.com/D20895
--HG--
extra : moz-landing-system : lando
This patch does a few things:
* Fleshes out the launcher process failure ping;
* Sends that ping via pingsender;
* If there is any failure in doing so, we fall back to the Windows event log;
* Any launcher process failures will result in us falling back to the normal
startup code path, ensuring that users will still see a browser.
A sample ping will be attached to the bug.
Differential Revision: https://phabricator.services.mozilla.com/D19697
--HG--
extra : moz-landing-system : lando
This patch does a few things:
* Fleshes out the launcher process failure ping;
* Sends that ping via pingsender;
* If there is any failure in doing so, we fall back to the Windows event log;
* Any launcher process failures will result in us falling back to the normal
startup code path, ensuring that users will still see a browser.
A sample ping will be attached to the bug.
***
Format cleanup
Differential Revision: https://phabricator.services.mozilla.com/D19697
--HG--
extra : moz-landing-system : lando
BasicDllServices is used to gain access to the authenticode APIs in non-Gecko
contexts. One feature that WinDllServices provides is the ability to register
a callback interface to be notified when a DLL has been loaded.
This is not particularly useful in the BasicDllServices use case, and in the
"handle a launcher process failure on a background thread" use case, would
actually be harmful.
This patch modifies the DLLServices backend to offer a "basic" option that
omits the callback stuff.
Differential Revision: https://phabricator.services.mozilla.com/D19696
--HG--
extra : moz-landing-system : lando
We use the SHIELD pref instead of the usual launcher process pref for Nightly.
This effectively treats the launcher process as a SHIELD study with 100%
deployment.
We add some Nightly-specific code that uses the SHIELD pref to determine
whether or not to use the launcher. During startup, we query that pref and
reflect it into the registry, which then falls through to the usual launcher
process code.
We will be changing this past 67, but for now this is an effective way to
provide Nightly users with an opt-out to the launcher process and its telemetry.
Differential Revision: https://phabricator.services.mozilla.com/D20621
--HG--
extra : moz-landing-system : lando
Set the updater LDFLAGS to -Wl,-rpath=$ORIGIN so NSS can be found in the binary's directory
Stop changing the LD_LIBRARY_PATH in nsUpdaterDriver.cpp
Load the updater support files before the update begins in progressui_gtk.cpp
Launch the updater from the install directory instead of copying it to the update directory
Remove the skip-if = (os == linux && verify) for the staging tests since this also fixes the ETXTBSY error when calling execv on the copied updater
Differential Revision: https://phabricator.services.mozilla.com/D20098
--HG--
extra : moz-landing-system : lando
This patch takes care of a bunch of issues and does some cleanup:
* We rename mscom::MainThreadRuntime to mscom::ProcessRuntime, as the latter
is a more accurate name going forward.
* We make ProcessRuntime aware of the Win32k Lockdown process mitigation
policy. When Win32k is disabled, we perform process-wide COM initialization
in the multi-threaded apartment (since we cannot create an STA window).
* We refactor the mscom apartment region stuff to enable the Win32k lockdown
pieces in ProcessRuntime.
* We move some Gecko-specific stuff into MOZILLA_INTERNAL_API guards so that
ProcessRuntime is usable outside of xul.dll (I will be needing it for the
launcher process).
* Another thing that might happen with the launcher process is that, under
error conditions in the launcher, we create a ProcessRuntime object on a
background thread for the purposes of telemetry logging, but we also allow
the main thread to proceed to start as the browser. This could result in a
scenario where the main thread, as the browser process, is attempting to
instantiate its ProcessRuntime and ends up racing with the launcher process's
telemetry thread which has its own ProcessRuntime. To account for this
situation, we add mutual exclusion to the process-wide initialization code.
We host this part inside mozglue since that state is shared between both
firefox.exe and xul.dll.
* We clean up ProcessRuntime::InitializeSecurity by using Vector to set up
the EXPLICIT_ACCESS entries.
* We remove mscom::MainThreadClientInfo and replace it with a direct call to
CoGetCallerTID
* We revise all references to this class to use the new name.
Differential Revision: https://phabricator.services.mozilla.com/D19551
--HG--
rename : ipc/mscom/COMApartmentRegion.h => ipc/mscom/ApartmentRegion.h
rename : ipc/mscom/MainThreadRuntime.cpp => ipc/mscom/ProcessRuntime.cpp
rename : ipc/mscom/MainThreadRuntime.h => ipc/mscom/ProcessRuntime.h
extra : moz-landing-system : lando
This patch takes care of a bunch of issues and does some cleanup:
* We rename mscom::MainThreadRuntime to mscom::ProcessRuntime, as the latter
is a more accurate name going forward.
* We make ProcessRuntime aware of the Win32k Lockdown process mitigation
policy. When Win32k is disabled, we perform process-wide COM initialization
in the multi-threaded apartment (since we cannot create an STA window).
* We refactor the mscom apartment region stuff to enable the Win32k lockdown
pieces in ProcessRuntime.
* We move some Gecko-specific stuff into MOZILLA_INTERNAL_API guards so that
ProcessRuntime is usable outside of xul.dll (I will be needing it for the
launcher process).
* Another thing that might happen with the launcher process is that, under
error conditions in the launcher, we create a ProcessRuntime object on a
background thread for the purposes of telemetry logging, but we also allow
the main thread to proceed to start as the browser. This could result in a
scenario where the main thread, as the browser process, is attempting to
instantiate its ProcessRuntime and ends up racing with the launcher process's
telemetry thread which has its own ProcessRuntime. To account for this
situation, we add mutual exclusion to the process-wide initialization code.
We host this part inside mozglue since that state is shared between both
firefox.exe and xul.dll.
* We clean up ProcessRuntime::InitializeSecurity by using Vector to set up
the EXPLICIT_ACCESS entries.
* We remove mscom::MainThreadClientInfo and replace it with a direct call to
CoGetCallerTID
* We revise all references to this class to use the new name.
Differential Revision: https://phabricator.services.mozilla.com/D19551
--HG--
rename : ipc/mscom/COMApartmentRegion.h => ipc/mscom/ApartmentRegion.h
rename : ipc/mscom/MainThreadRuntime.cpp => ipc/mscom/ProcessRuntime.cpp
rename : ipc/mscom/MainThreadRuntime.h => ipc/mscom/ProcessRuntime.h
extra : moz-landing-system : lando
Currently we only check and remove the --allow-downgrade command line argument
if the run is actually a downgrade. When we don't the --allow-downgrade argument
makes it to Firefox's default command line handler which doesn't know how to
handle it and so ignores it and the next argument on the command line.
Flipping the ordering of the check makes sure we always remove the argument.
Differential Revision: https://phabricator.services.mozilla.com/D19569
--HG--
extra : moz-landing-system : lando
Currently we only check and remove the --allow-downgrade command line argument
if the run is actually a downgrade. When we don't the --allow-downgrade argument
makes it to Firefox's default command line handler which doesn't know how to
handle it and so ignores it and the next argument on the command line.
Flipping the ordering of the check makes sure we always remove the argument.
Differential Revision: https://phabricator.services.mozilla.com/D19569
--HG--
extra : rebase_source : 9d92c78a500bccdcb05d002bb129e779d2391468
So the remoting clients can know what the selected profile is before an attempt
to lock it is made we move the locking code to after the call to SelectProfile.
Differential Revision: https://phabricator.services.mozilla.com/D19420
--HG--
extra : moz-landing-system : lando
We cast the nsIToolkitProfileService to nsToolkitProfileService in a bunch of
places, might as well just hold that instead.
Differential Revision: https://phabricator.services.mozilla.com/D19414
--HG--
extra : moz-landing-system : lando
We cast the nsIToolkitProfileService to nsToolkitProfileService in a bunch of
places, might as well just hold that instead.
Differential Revision: https://phabricator.services.mozilla.com/D19414
--HG--
extra : moz-landing-system : lando