mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-28 07:13:20 +00:00
9082363e4e
Background: The X11 protocol has a very permissive security model; clients have essentially full access to the windows of other clients, and to global resources like input devices. Previously, our sandbox policy for content processes needed to allow access to the X server; this limited its effectiveness against a dedicated attacker. This patch turns on the `security.sandbox.content.headless` pref added in bug 1640345, which removes the sandbox policy rules that allowed making new X11 connections, as well as opening the Xauthority file, reading hardware info needed by Mesa, etc. It also runs content processes in headless mode (whence the name) so they won't connect to a display server at startup. This also removes access to the Wayland compositor: the sandbox policy never allowed that (as of when socket connections became default-deny), but now content processes won't connect to it at startup. Wayland is more capability-oriented so this is less significant for security, but at a minimum it removes unnecessary attack surface. Note that if the `webgl.out-of-process` pref is turned off, WebGL will break unless `security.sandbox.content.headless` is also turned off. (Similarly, `widget.non-native-theme.enabled` is needed to render scrollbars and form controls in content.) As a result, this patch adjusts the job definitions used by CI to test in-process WebGL so that that they will continue to work. Differential Revision: https://phabricator.services.mozilla.com/D138613 |
||
|---|---|---|
| .. | ||
| apps | ||
| certverifier | ||
| ct | ||
| mac/hardenedruntime | ||
| manager | ||
| nss | ||
| rlbox | ||
| sandbox | ||
| .eslintrc.js | ||
| generate_certdata.py | ||
| generate_mapfile.py | ||
| moz.build | ||
| nss.symbols | ||