| author | Bob Owen <bobowencode@gmail.com> |
| Wed, 10 Jul 2019 14:57:01 +0000 | |
| changeset 482362 | 9559ef8f347dc0e4e92546954472d4153283d5f2 |
| parent 482361 | 203e09f37d1f38b5f6f7de0fd8dc181a66d6daa2 |
| child 482363 | 2729b410f2b58d9e55227514d4e0115ac9529d87 |
| push id | 89719 |
| push user | bobowencode@gmail.com |
| push date | Thu, 11 Jul 2019 09:19:44 +0000 |
| treeherder | autoland@9559ef8f347d [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | jmathies |
| bugs | 1557282 |
| milestone | 70.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| browser/app/profile/firefox.js | file | annotate | diff | comparison | revisions | |
| security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp | file | annotate | diff | comparison | revisions |
--- a/browser/app/profile/firefox.js +++ b/browser/app/profile/firefox.js @@ -1036,17 +1036,17 @@ pref("dom.ipc.plugins.sandbox-level.flas pref("dom.ipc.plugins.sandbox-level.flash", 0); #endif // This controls the strength of the Windows content process sandbox for testing // purposes. This will require a restart. // On windows these levels are: // See - security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp // SetSecurityLevelForContentProcess() for what the different settings mean. -pref("security.sandbox.content.level", 5); +pref("security.sandbox.content.level", 6); // This controls the depth of stack trace that is logged when Windows sandbox // logging is turned on. This is only currently available for the content // process because the only other sandbox (for GMP) has too strict a policy to // allow stack tracing. This does not require a restart to take effect. pref("security.sandbox.windows.log.stackTraceDepth", 0); // This controls the strength of the Windows GPU process sandbox. Changes
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -497,16 +497,23 @@ void SandboxBroker::SetSecurityLevelForC result = mPolicy->SetIntegrityLevel(initialIntegrityLevel); MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, "SetIntegrityLevel should never fail, what happened?"); result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel); MOZ_RELEASE_ASSERT( sandbox::SBOX_ALL_OK == result, "SetDelayedIntegrityLevel should never fail, what happened?"); + // SetLockdownDefaultDacl causes audio to fail for Windows 8.1 and earlier. + // Bug 1564842 tracks removing the Win10 or later restriction, once we can + // work around that problem. + if (aSandboxLevel > 5 && IsWin10OrLater()) { + mPolicy->SetLockdownDefaultDacl(); + } + sandbox::MitigationFlags mitigations = sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE | sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE | sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32; #if defined(_M_ARM64) // Disable CFG on older versions of ARM64 Windows to avoid a crash in COM.