searching for reviewer(gcp)
eb2e95197747e0e76d99bfffd43dc68e78271880: Bug 1808320 - Filter the flags argument of pipe2(). r=gcp
Jed Davis <jld@mozilla.com> - Fri, 27 Jan 2023 02:36:32 +0000 - rev 650750
Push 40583 by nbeleuzu@mozilla.com at Fri, 27 Jan 2023 09:46:52 +0000
Bug 1808320 - Filter the flags argument of pipe2(). r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D166754
8d0768988c02a2e910120a64d8cea78084a247cc: Bug 1805331 - Disable TestDetouredCallUnwindInfo under MOZ_CODE_COVERAGE in TestDllInterceptor. r=gcp
Yannis Juglaret <yjuglaret@mozilla.com> - Tue, 13 Dec 2022 13:00:03 +0000 - rev 645850
Push 40479 by nbeleuzu@mozilla.com at Tue, 13 Dec 2022 16:50:20 +0000
Bug 1805331 - Disable TestDetouredCallUnwindInfo under MOZ_CODE_COVERAGE in TestDllInterceptor. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D164553
c068d136d7a3ab89937cf54b769f6379b20ff6d8: Bug 1802513 - Allow readlink(/proc/self/exe) in Utility sandbox for FFVPX r=gcp
Alexandre Lissy <lissyx+mozillians@lissyx.dyndns.org> - Wed, 30 Nov 2022 10:10:22 +0000 - rev 644120
Push 40445 by mlaza@mozilla.com at Wed, 30 Nov 2022 21:47:07 +0000
Bug 1802513 - Allow readlink(/proc/self/exe) in Utility sandbox for FFVPX r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D163227
2dad8bc349e6cad29f20514f011e50f95069f58e: Bug 1799562 - update version of Cylance to blocklist r=gcp
Greg Stoll <gstoll@mozilla.com> - Tue, 22 Nov 2022 12:33:34 +0000 - rev 643183
Push 40423 by csabou@mozilla.com at Tue, 22 Nov 2022 21:43:24 +0000
Bug 1799562 - update version of Cylance to blocklist r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D162693
9832e48a30c5ac6e2a189ab7838249ea6ee6d6fb: Bug 1794064 - Block older crash-prone versions of Avast Antivirus r=gcp
Gabriele Svelto <gsvelto@mozilla.com> - Fri, 07 Oct 2022 13:07:04 +0000 - rev 637201
Push 40298 by ctuns@mozilla.com at Fri, 07 Oct 2022 21:38:10 +0000
Bug 1794064 - Block older crash-prone versions of Avast Antivirus r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D158836
708bd57a7057bd44e25db0cb7bf3aa97ad0a2517: Bug 1790419 - cache BinaryPath value on OpenBSD r=gcp
Landry Breuil <landry@openbsd.org> - Thu, 06 Oct 2022 12:08:57 +0000 - rev 637101
Push 40294 by mlaza@mozilla.com at Thu, 06 Oct 2022 21:40:11 +0000
Bug 1790419 - cache BinaryPath value on OpenBSD r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D157554
5ff886a06c2f0c0b400c91e261ce619603c548ed: Bug 1780312 - Part 2: Allow fstatfs in the Linux RDD sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 21 Sep 2022 17:57:54 +0000 - rev 636000
Push 40254 by mlaza@mozilla.com at Wed, 21 Sep 2022 21:43:38 +0000
Bug 1780312 - Part 2: Allow fstatfs in the Linux RDD sandbox policy. r=gcp
As discussed in the last patch, allowing `fstatfs` will also make
`statfs` work on any path that the process could open for reading
(subject to sandbox policy).
Differential Revision:
https://phabricator.services.mozilla.com/D157542
42d3c880806e564f35bc80d024861aacddfb760b: Bug 1780312 - Part 1: Move the statfs replacement into the common sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 21 Sep 2022 17:57:54 +0000 - rev 635999
Push 40254 by mlaza@mozilla.com at Wed, 21 Sep 2022 21:43:38 +0000
Bug 1780312 - Part 1: Move the statfs replacement into the common sandbox policy. r=gcp
We have code to handle `statfs` calls in content processes by
intercepting them and calling `open` and `fstatfs` instead; the former
is then recursively intercepted and brokered. This patch moves that
feature into the common policy, but does not allow `fstatfs` in any
other sandbox types (yet; see next patch). This doesn't affect security
because the caller could have attempted the `open` and `fstatfs`
syscalls itself.
Differential Revision:
https://phabricator.services.mozilla.com/D157541
8e1a65ad0c4d3b0ca9a076521252f2ba28fa898b: Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Tue, 09 Aug 2022 00:35:18 +0000 - rev 626479
Push 40101 by nerli@mozilla.com at Tue, 09 Aug 2022 03:57:17 +0000
Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
We uninstall signal handlers in child processes after clone(), because
they probably won't do the right thing if invoked in that context.
However, the current code also resets signals which were ignored;
if that disposition was set by an outside program like `nohup`, the
expectation is that it should be inherited. This patch omits those
signals when resetting handlers (similar to what `exec` does).
Differential Revision:
https://phabricator.services.mozilla.com/D151336
d0b98aadc143b0fb633fc581ea852d99125c0ed9: Bug 1782027 - Fix bustage in simulated early-beta Windows builds r=gcp
Ray Kraesig <rkraesig@mozilla.com> - Thu, 28 Jul 2022 19:11:20 +0000 - rev 625432
Push 40051 by ccozmuta@mozilla.com at Fri, 29 Jul 2022 03:54:04 +0000
Bug 1782027 - Fix bustage in simulated early-beta Windows builds r=gcp
... which was entirely due to a trivial error on my part.
Differential Revision:
https://phabricator.services.mozilla.com/D153109
1ba53f776c9af5a94799e30e713e13fa08b6d893: Bug 1780312 - Turn off the Linux nvidia driver's shader cache in the RDD process. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 28 Jul 2022 19:07:30 +0000 - rev 625431
Push 40051 by ccozmuta@mozilla.com at Fri, 29 Jul 2022 03:54:04 +0000
Bug 1780312 - Turn off the Linux nvidia driver's shader cache in the RDD process. r=gcp
We were already turning off Mesa's shader cache in the RDD process,
because it's not useful given that we're only using video codec
acceleration and moving images around, and it does a few things related
to trying to access the cache that the sandbox would have to accommodate.
This patch does the equivalent thing for the nvidia proprietary driver;
we don't support it for media codec acceleration, but it can still be
loaded in that process (e.g., on multi-GPU systems) and it's trying to
call `statfs` on startup which may be related.
Differential Revision:
https://phabricator.services.mozilla.com/D152932
1e4c845297d75fc1352b0b142139bdc79d58f74a: Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 08 Jul 2022 22:19:37 +0000 - rev 623394
Push 39958 by abutkovits@mozilla.com at Sat, 09 Jul 2022 09:37:14 +0000
Bug 1778052 - Don't reset ignored signals when starting a sandboxed child process on Linux. r=gcp
We uninstall signal handlers in child processes after clone(), because
they probably won't do the right thing if invoked in that context.
However, the current code also resets signals which were ignored;
if that disposition was set by an outside program like `nohup`, the
expectation is that it should be inherited. This patch omits those
signals when resetting handlers (similar to what `exec` does).
Differential Revision:
https://phabricator.services.mozilla.com/D151336
1221f3ce857cd3faec2784bd2b618b45bd3945c9: Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:09 +0000 - rev 623235
Push 39950 by imoraru@mozilla.com at Thu, 07 Jul 2022 21:49:15 +0000
Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
We can use this telemetry to track the statistics of using
RemoteSettings to serve Safe Browsing data.
This can help us understand if we can roll out this feature to more users.
Depends on D135990
Differential Revision:
https://phabricator.services.mozilla.com/D136107
9dd22b2b2196494a21378a6ce6647ea50ae18891: Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:09 +0000 - rev 623234
Push 39950 by imoraru@mozilla.com at Thu, 07 Jul 2022 21:49:15 +0000
Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Depends on D135989
Differential Revision:
https://phabricator.services.mozilla.com/D135990
792934b2ee566152071c0543ab60cdd2795d7f74: Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
Dimi <dlee@mozilla.com> - Thu, 07 Jul 2022 15:01:08 +0000 - rev 623233
Push 39950 by imoraru@mozilla.com at Thu, 07 Jul 2022 21:49:15 +0000
Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
This patch implements UrlClassifierRemoteSettingsService to get SafeBrowsing data (protocol v2)
from RemoteSettings instead of from the Shavar server. This is only used
by data provided by Mozilla.
To distinguish if the data should be coming from RemoteSettings or
Shavar, we added a custom scheme "moz-sbrs" to denote that the data should be
retrieved from Remote Setting. This is done by changing the value of pref
"browser.safebrowsing.provider.mozilla.updateURL" to something like
"moz-sbrf://tracking-protection-list". (Note that the hostname is not
used at this point).
The goal of this patch is to make the new architecture compatible with
the original Safe Browsing design. So we don't notify Safe Browsing
there is new data available (via "sync" event of RemoteSettings). We still follow
how Safe Browsing periodically checks whether there is a newer version of list.
Note.
This patch changes the flow compared with how we usually receive SafeBrowsing response from Shavar.
In Shavar case, the list data response usually comes with
"n:21600\ni:listname1\nu:redirectURL1\ni:listname2\nu:redirectURL2 ..." first.
And then we fetch the data again from the redirectURL for each list.
But in the current implementation, responses don't contain
redirectURL anymore (since we already have the data). So the mocked response
will contain all the data needed in one response.
For example:
"n:21600\ni:listname1\n:chunkdata1\ni:listname2\n:chunkdata2...".
Differential Revision:
https://phabricator.services.mozilla.com/D135989
3bfb4a4cbf1be7f6544790e9936570159c410d1a: Bug 1777910 - Adjust Mesa environment variables for change/deprecation in 22.1. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 06 Jul 2022 21:20:06 +0000 - rev 623184
Push 39947 by ctuns@mozilla.com at Thu, 07 Jul 2022 09:37:57 +0000
Bug 1777910 - Adjust Mesa environment variables for change/deprecation in 22.1. r=gcp
Mesa 22.1.0 changed the env var name MESA_GLSL_CACHE_DISABLE to
MESA_SHADER_CACHE_DISABLE; it still accepts the old name, but prints a
deprecation warning. If we set both env vars, then we can support both
old and new Mesas correctly (the warning won't be printed if the new env
var is also set).
Differential Revision:
https://phabricator.services.mozilla.com/D151094
cd77f62da01f296789ecca679ef43d601df8140d: Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:27 +0000 - rev 622649
Push 39920 by smolnar@mozilla.com at Thu, 30 Jun 2022 21:24:30 +0000
Bug 1728871 - P3. Add the URLCLASSIFIER_UPDATE_REMOTE_SETTING_RESULT telemetry r=gcp
We can use this telemetry to track the statistics of using
RemoteSettings to serve Safe Browsing data.
This can help us understand if we can roll out this feature to more users.
Depends on D135990
Differential Revision:
https://phabricator.services.mozilla.com/D136107
d3f805b9199bd4500ff5267165cd6ce2e7d49d7c: Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:26 +0000 - rev 622648
Push 39920 by smolnar@mozilla.com at Thu, 30 Jun 2022 21:24:30 +0000
Bug 1728871 - P2. Add UrlClassifierRemoteSettingsService testcases r=gcp
Depends on D135989
Differential Revision:
https://phabricator.services.mozilla.com/D135990
19899fa89d05cbf4edcf1ef42e61f48d1892a252: Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
Dimi <dlee@mozilla.com> - Thu, 30 Jun 2022 06:32:26 +0000 - rev 622647
Push 39920 by smolnar@mozilla.com at Thu, 30 Jun 2022 21:24:30 +0000
Bug 1728871 - P1. Add UrlClassifierRemoteSettingsService to serve update data over RemoteSettings r=gcp,leplatrem
This patch implements UrlClassifierRemoteSettingsService to get SafeBrowsing data (protocol v2)
from RemoteSettings instead of from the Shavar server. This is only used
by data provided by Mozilla.
To distinguish if the data should be coming from RemoteSettings or
Shavar, we added a custom scheme "moz-sbrs" to denote that the data should be
retrieved from Remote Setting. This is done by changing the value of pref
"browser.safebrowsing.provider.mozilla.updateURL" to something like
"moz-sbrf://tracking-protection-list". (Note that the hostname is not
used at this point).
The goal of this patch is to make the new architecture compatible with
the original Safe Browsing design. So we don't notify Safe Browsing
there is new data available (via "sync" event of RemoteSettings). We still follow
how Safe Browsing periodically checks whether there is a newer version of list.
Note.
This patch changes the flow compared with how we usually receive SafeBrowsing response from Shavar.
In Shavar case, the list data response usually comes with
"n:21600\ni:listname1\nu:redirectURL1\ni:listname2\nu:redirectURL2 ..." first.
And then we fetch the data again from the redirectURL for each list.
But in the current implementation, responses don't contain
redirectURL anymore (since we already have the data). So the mocked response
will contain all the data needed in one response.
For example:
"n:21600\ni:listname1\n:chunkdata1\ni:listname2\n:chunkdata2...".
Differential Revision:
https://phabricator.services.mozilla.com/D135989
2e18d27a4d708825c3faf4264f221fb172427f80: Bug 1771382 - Adjust the Linux RDD sandbox to handle the nvidia driver being loaded but not used. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 23 Jun 2022 00:00:54 +0000 - rev 621837
Push 39885 by nfay@mozilla.com at Thu, 23 Jun 2022 03:54:50 +0000
Bug 1771382 - Adjust the Linux RDD sandbox to handle the nvidia driver being loaded but not used. r=gcp
On multi-GPU systems, even though the GPU we're going to use for
accelerated video decoding is driven by Mesa, sometimes the nvidia
proprietary driver can be loaded and attempt to probe devices. This
patch attempts to make the sandbox policy quietly return errors for
those syscalls, instead of treating them as unexpected (and crashing on
Nightly).
Differential Revision:
https://phabricator.services.mozilla.com/D149652
9a4be9c8c0c631596e5a7aa96612a0b4b842c668: Bug 1770905 - Allow GeckoMediaPlugin processes on Linux to be profiled if memfd_create is available. r=gcp,mstange,media-playback-reviewers,padenot
Jed Davis <jld@mozilla.com> - Wed, 15 Jun 2022 20:55:24 +0000 - rev 621026
Push 39858 by bszekely@mozilla.com at Thu, 16 Jun 2022 09:30:51 +0000
Bug 1770905 - Allow GeckoMediaPlugin processes on Linux to be profiled if memfd_create is available. r=gcp,mstange,media-playback-reviewers,padenot
There are two parts to this patch; both affect only Linux:
1. The GMP sandbox policy is adjusted to allow certain syscalls used in
shared memory creation (ftruncate and fallocate). However, the file
broker is not used; the process still has no access to files in /dev/shm.
2. The profiler is not initialized for GMP processes unless memfd_create
is available (so the process can create shared memory to send
profiling data back, without filesystem access), or the GMP sandbox
is disabled (either at runtime or build time).
As of this patch, profiling GMP processes on Linux should succeed on
distros with kernel >=3.17 (Oct. 2014), but native stack frames won't
have symbols (and may be incorrectly unwound, not that it matters much
without symbols); see the bug for more info. Pseudo-stack frames and
markers should work, however.
Differential Revision:
https://phabricator.services.mozilla.com/D148470
4280a7d0ee17883fb994e22afc43b0ac8ea9416c: Bug 1770905 - Quietly reject `readlink` in the Linux GeckoMediaPlugin sandbox. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 15 Jun 2022 20:55:23 +0000 - rev 621025
Push 39858 by bszekely@mozilla.com at Thu, 16 Jun 2022 09:30:51 +0000
Bug 1770905 - Quietly reject `readlink` in the Linux GeckoMediaPlugin sandbox. r=gcp
The profiler may try to readlink `/proc/self/exe` to determine the
executable name; currently, its attempt to get information about loaded
objects is broken for other reasons, so this isn't helpful. Thus, this
patch has it fail with `EINVAL` (meaning "not a symbolic link") instead of
being treated as unexpected.
(In the future, if we need to, we could simulate that syscall by
recording the target of `/proc/self/exe` before sandboxing, and
recognizing that specific case in a trap function.)
Differential Revision:
https://phabricator.services.mozilla.com/D148469
42d0594d9b9ce11e99a503c915b9302ce630fa52: Bug 1773043 - Remove flashblock from SafeBrowsing r=perftest-reviewers,gcp,sparky
Dimi <dlee@mozilla.com> - Wed, 15 Jun 2022 12:55:26 +0000 - rev 620975
Push 39856 by abutkovits@mozilla.com at Wed, 15 Jun 2022 21:49:08 +0000
Bug 1773043 - Remove flashblock from SafeBrowsing r=perftest-reviewers,gcp,sparky
Depends on D149129
Differential Revision:
https://phabricator.services.mozilla.com/D149130
7f88718e8d4626041f9582cc1fe322d85a8e8e29: Bug 1772142 - Fix the RDD sandbox to deal with Snap moving some config files. r=gcp
Jed Davis <jld@mozilla.com> - Fri, 10 Jun 2022 19:03:55 +0000 - rev 620544
Push 39831 by nbeleuzu@mozilla.com at Sat, 11 Jun 2022 09:51:55 +0000
Bug 1772142 - Fix the RDD sandbox to deal with Snap moving some config files. r=gcp
In the Snap environment, some system config files aren't in their usual
places, but rather in a subtree rooted at `$SNAP/gnome-platform`,
which seems to also be `$SNAP_DESKTOP_RUNTIME`. This includes some
subdirectories of `/usr/share` that we need for EGL to work.
This could probably also have been fixed in the Snap packaging, given
that [Mozilla's][] and [Ubuntu's][] specs both put `/usr/share/libdrm`
back into its normal location, but for now it's easiest to adjust
the sandbox, given that (I think?) anything under `$SNAP` is public
information so we lose nothing by allowing read access. (See also
bug 1732580.)
[Mozilla's]: https://searchfox.org/mozilla-central/rev/973000acec0cbf7211e0fad89ca00c352aeb8384/taskcluster/docker/firefox-snap/firefox.snapcraft.yaml.in#50-52
[Ubuntu's]: https://git.launchpad.net/~mozilla-snaps/firefox-snap/+git/firefox-snap/tree/snapcraft.yaml?id=a24fb4a3f92d190299e4126ecc4132087c2aed3d#n85
Differential Revision:
https://phabricator.services.mozilla.com/D148925
bb37f59772bf9931b541a5640c9aa317cf252703: Bug 1772101 - Part 46: Use plain object for lazy getter in toolkit/components/url-classifier/. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Tue, 07 Jun 2022 04:31:06 +0000 - rev 619912
Push 39810 by ccozmuta@mozilla.com at Tue, 07 Jun 2022 15:57:48 +0000
Bug 1772101 - Part 46: Use plain object for lazy getter in toolkit/components/url-classifier/. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D147987
7d16dadf837aa05be8c04349e8df58b7ff52329e: Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp
Jed Davis <jld@mozilla.com> - Wed, 01 Jun 2022 16:42:53 +0000 - rev 619435
Push 39783 by apavel@mozilla.com at Wed, 01 Jun 2022 21:31:38 +0000
Bug 1770523 - Return to not allowing X11 access in the RDD process. r=gcp
The patch for bug 1769499 lets the RDD process create a headless EGL
context using GBM, which needs access only to the GPU device files, not
the display server. This means that the X11 access recently added in
bug 1769182 can be turned back off.
Differential Revision:
https://phabricator.services.mozilla.com/D147792
f5495c74793db90bdc7a1b75dad36e61938d1066: Bug 1770703 - Duplicated ioctl() case when building with MOZ_ASAN r=gcp
Alexandre Lissy <lissyx+mozillians@lissyx.dyndns.org> - Mon, 23 May 2022 09:51:28 +0000 - rev 618512
Push 39734 by nerli@mozilla.com at Mon, 23 May 2022 16:22:16 +0000
Bug 1770703 - Duplicated ioctl() case when building with MOZ_ASAN r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D147057
cd0c2d8c609262d6713d6b20804cf283a0c9c330: Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:33 +0000 - rev 618264
Push 39722 by nfay@mozilla.com at Fri, 20 May 2022 09:31:26 +0000
Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., `getpwuid`).
Differential Revision:
https://phabricator.services.mozilla.com/D146275
f38d02e551731ee13eb5855d7ae276aaadef81d0: Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:32 +0000 - rev 618263
Push 39722 by nfay@mozilla.com at Fri, 20 May 2022 09:31:26 +0000
Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The `AddDriPaths` function already has some of the dependencies in a
conveniently separated form, but there are others.)
Differential Revision:
https://phabricator.services.mozilla.com/D146274
e0907e204b986033f48b3b1858843cfa8fda8259: Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:32 +0000 - rev 618262
Push 39722 by nfay@mozilla.com at Fri, 20 May 2022 09:31:26 +0000
Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC. So, this patch allows them in
all process types instead of only content.
Differential Revision:
https://phabricator.services.mozilla.com/D146273
06426a1dbd1aef35df77dd423674cbb3875e2b0f: Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:31 +0000 - rev 618261
Push 39722 by nfay@mozilla.com at Fri, 20 May 2022 09:31:26 +0000
Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy. This moves it into the common
policy, and subclasses can opt in.
Differential Revision:
https://phabricator.services.mozilla.com/D146272
0f9452f00ff91bd7d08656a43d232169a9f02cf5: Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
Jed Davis <jld@mozilla.com> - Thu, 19 May 2022 17:02:31 +0000 - rev 618260
Push 39722 by nfay@mozilla.com at Fri, 20 May 2022 09:31:26 +0000
Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.
Differential Revision:
https://phabricator.services.mozilla.com/D146271
f4e4de791d7fdc9cd6707fe28798a1c6d2d1ce58: Bug 1770126 - Make WindowsLocationProvider::Watch() not try to watch for events if already watching. r=gcp
Emilio Cobos Álvarez <emilio@crisal.io> - Thu, 19 May 2022 09:28:59 +0000 - rev 618218
Push 39719 by smolnar@mozilla.com at Thu, 19 May 2022 16:03:14 +0000
Bug 1770126 - Make WindowsLocationProvider::Watch() not try to watch for events if already watching. r=gcp
The second call would fail and thus fall back to MLS, but only null out
mLocation (not unregister the existing listener), so Windows would think we're
still using the location permission forever.
Differential Revision:
https://phabricator.services.mozilla.com/D146785
16856951218b2c0148382d12645cc690ceb19039: Bug 1770126 - Make WindowsLocationProvider::Startup() deal correctly with already-initialized instances. r=gcp
Emilio Cobos Álvarez <emilio@crisal.io> - Thu, 19 May 2022 09:28:59 +0000 - rev 618217
Push 39719 by smolnar@mozilla.com at Thu, 19 May 2022 16:03:14 +0000
Bug 1770126 - Make WindowsLocationProvider::Startup() deal correctly with already-initialized instances. r=gcp
We can call Startup() on an already-running instance, and that would cause us
to not unregister notifications from a pre-existing ILocation instance,
which seems likely to cause things like bug 1766770.
Other location providers deal correctly with this.
Differential Revision:
https://phabricator.services.mozilla.com/D146783
1797d55fa1534a8f9329461a7b70cc8649db6062: Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp
Bob Owen <bobowencode@gmail.com> - Sat, 14 May 2022 22:48:34 +0000 - rev 617327
Push 39697 by abutkovits@mozilla.com at Sun, 15 May 2022 09:49:27 +0000
Bug 1769309: Block hmpalert.dll v3.8.8.889 and earlier due to crashes with win32k lockdown. r=gcp
The version from a fresh install from Sophos website is 3.8.19.923. Only blocking in child processes.
Differential Revision:
https://phabricator.services.mozilla.com/D146382
f5b71a28f28b38132c332644015e755be475a9e5: Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617304
Push 39695 by mlaza@mozilla.com at Sat, 14 May 2022 21:39:37 +0000
Bug 1769182 - Allow the RDD process to use EGL under X11 on Linux. r=gcp
This patch mostly turns on the features set up by the earlier patches:
allow connecting to the X server and reading various related things
(.Xauthority, GPU device info in sysfs, etc.). It also turns off Mesa's
shader cache in the RDD process; that shouldn't be needed here, and
disabling it lets us avoid dealing with a few things in the sandbox
policy that we'd rather not (e.g., `getpwuid`).
Differential Revision:
https://phabricator.services.mozilla.com/D146275
7a64faec004f287f237bda7c2f8363fe03ce3036: Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617303
Push 39695 by mlaza@mozilla.com at Sat, 14 May 2022 21:39:37 +0000
Bug 1769182 - Factor out the X11/Mesa-related parts of Linux sandbox file policies. r=gcp
This patch moves a lot of text but the idea is relatively simple and
no functional change is intended: factor out the parts of the content
sandbox policy needed to create and use an EGL context under X11.
(The `AddDriPaths` function already has some of the dependencies in a
conveniently separated form, but there are others.)
Differential Revision:
https://phabricator.services.mozilla.com/D146274
c7833370362acd8e209396d7971549b88b7259fb: Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:56 +0000 - rev 617302
Push 39695 by mlaza@mozilla.com at Sat, 14 May 2022 21:39:37 +0000
Bug 1769182 - Allow send/recv and sendto/recvfrom in the common Linux sandbox policy. r=gcp
These syscalls (at least send/recv) are used by X11 client libraries, and
allowing them doesn't really change anything about security or attack
surface, because they're strict subsets of sendmsg/recvmsg which we
already allow everywhere for use by IPC. So, this patch allows them in
all process types instead of only content.
Differential Revision:
https://phabricator.services.mozilla.com/D146273
b91adae9bb5996dc1ce5f2133ce00d1d3d8f13e3: Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:55 +0000 - rev 617301
Push 39695 by mlaza@mozilla.com at Sat, 14 May 2022 21:39:37 +0000
Bug 1769182 - Factor out connect() brokering in the Linux sandbox policies. r=gcp
We're going to want to let the RDD process make a (brokered) connection
to a local X server, but the seccomp-bpf plumbing for that mostly lives
in the content process sandbox policy. This moves it into the common
policy, and subclasses can opt in.
Differential Revision:
https://phabricator.services.mozilla.com/D146272
cf7bb9b7414d8564eee6ff0722abc595c7d3d2ad: Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
Jed Davis <jld@mozilla.com> - Sat, 14 May 2022 00:42:55 +0000 - rev 617300
Push 39695 by mlaza@mozilla.com at Sat, 14 May 2022 21:39:37 +0000
Bug 1769182 - Refactor seccomp-bpf sandbox policy constructors. r=gcp
The arguments to the SandboxPolicyCommon constructor will get more
complicated as more optional features are added (e.g., the one added in
the next patch), and they're basically just mapped to boolean member
variables, so this patch lets the subclasses set them directly, to keep
things simpler and more readable.
Differential Revision:
https://phabricator.services.mozilla.com/D146271
339351d0136a57e4e975e2ab88deb69c874ee89a: Bug 1768800: Remove EARLY_BETA_OR_EARLIER guards for safaweb*.dll blocking. r=gcp
Bob Owen <bobowencode@gmail.com> - Wed, 11 May 2022 08:39:32 +0000 - rev 616965
Push 39681 by imoraru@mozilla.com at Wed, 11 May 2022 16:02:29 +0000
Bug 1768800: Remove EARLY_BETA_OR_EARLIER guards for safaweb*.dll blocking. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D146048
84bb3b358b96c3a784e3bcec22a44096c5516c15: Bug 1767993 p2: Remove EARLY_BETA_OR_EARLIER guards for qipcap*.dll blocking. r=gcp
Bob Owen <bobowencode@gmail.com> - Wed, 11 May 2022 07:26:55 +0000 - rev 616962
Push 39680 by bszekely@mozilla.com at Wed, 11 May 2022 09:42:52 +0000
Bug 1767993 p2: Remove EARLY_BETA_OR_EARLIER guards for qipcap*.dll blocking. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D146043
f557fc59b1bf7faf1a9b6bb75a39b69e976489c3: Bug 1767993: Block Forcepoint qipcap*.dll v7.7.819.1 and earlier for high crash rate. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 17:42:45 +0000 - rev 616881
Push 39680 by bszekely@mozilla.com at Wed, 11 May 2022 09:42:52 +0000
Bug 1767993: Block Forcepoint qipcap*.dll v7.7.819.1 and earlier for high crash rate. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D145957
0e94ec1aa0ec6e0ffb6d0874a09196175e3d6dd1: Bug 1766029: Block safaweb* DLLs in child processes due to win32k lockdown crash. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 15:38:27 +0000 - rev 616867
Push 39678 by ctuns@mozilla.com at Tue, 10 May 2022 21:39:54 +0000
Bug 1766029: Block safaweb* DLLs in child processes due to win32k lockdown crash. r=gcp
The version is the last one for which we have seen crashes.
Differential Revision:
https://phabricator.services.mozilla.com/D145899
53032d7125127400ad88d999921039ae69c6ca3f: Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 06:07:17 +0000 - rev 616790
Push 39675 by apavel@mozilla.com at Tue, 10 May 2022 09:55:38 +0000
Bug 1768014 p2: Default to policy win32k lockdown status if in process check fails. r=gcp,cmartin
Depends on D145872
Differential Revision:
https://phabricator.services.mozilla.com/D145873
6afde84567715e73da3d9438a362a18e9b5b849a: Bug 1768014 p1: Transfer mitigations to sandboxed child process. r=gcp
Bob Owen <bobowencode@gmail.com> - Tue, 10 May 2022 06:07:16 +0000 - rev 616789
Push 39675 by apavel@mozilla.com at Tue, 10 May 2022 09:55:38 +0000
Bug 1768014 p1: Transfer mitigations to sandboxed child process. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D145872
743e4a955fea6b94c88ea984b52c22e65f4e3128: Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp
Bob Owen <bobowencode@gmail.com> - Thu, 05 May 2022 18:14:03 +0000 - rev 616318
Push 39657 by imoraru@mozilla.com at Fri, 06 May 2022 09:50:52 +0000
Bug 1767999: Re-enable Win32k Lockdown by default. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D145618
9e8c4348b179b3cde398141d1843fdb2fef1973e: Bug 1765750 - Part 2: Stop using global this in UrlClassifierListManager.jsm. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Thu, 28 Apr 2022 14:52:45 +0000 - rev 615587
Push 39625 by nfay@mozilla.com at Thu, 28 Apr 2022 21:47:15 +0000
Bug 1765750 - Part 2: Stop using global this in UrlClassifierListManager.jsm. r=gcp
Depends on D144943
Differential Revision:
https://phabricator.services.mozilla.com/D144944
daa0037cc772e164a883d8e67d09c28262c30015: Bug 1765750 - Part 1: Stop exposing the global this object in UrlClassifierLib.jsm. r=gcp
Tooru Fujisawa <arai_a@mac.com> - Thu, 28 Apr 2022 14:52:45 +0000 - rev 615586
Push 39625 by nfay@mozilla.com at Thu, 28 Apr 2022 21:47:15 +0000
Bug 1765750 - Part 1: Stop exposing the global this object in UrlClassifierLib.jsm. r=gcp
Differential Revision:
https://phabricator.services.mozilla.com/D144943
09a4ccbe6d7407f68fc88fa57a385bf2e03ccf92: Bug 1766022: Add videocapturer* to the child process DLL blocklist. r=gcp
Bob Owen <bobowencode@gmail.com> - Fri, 22 Apr 2022 19:31:11 +0000 - rev 615133
Push 39606 by ncsoregi@mozilla.com at Sat, 23 Apr 2022 21:27:33 +0000
Bug 1766022: Add videocapturer* to the child process DLL blocklist. r=gcp
This has been found to cause crashes when win32k lockdown is enabled.
Differential Revision:
https://phabricator.services.mozilla.com/D144459