Bug 1433065 - Make the Chromium sandbox DLL blocking Nightly only. r=jimm, a=lizzard DEVEDITION_59_0b4_BUILD1 DEVEDITION_59_0b4_RELEASE FIREFOX_59_0b4_BUILD1 FIREFOX_59_0b4_RELEASE
authorBob Owen <bobowencode@gmail.com>
Thu, 25 Jan 2018 15:33:55 +0000
changeset 747201 783507b1b80d927d5ef408c6ff87f8c52f2c8af9
parent 747200 7047d5147ac6d3fca4bc0b134225617f09306930
child 747202 5e87644954210bb7f04321b461408f701c43de83
child 750562 aaffe23142b3ba74848b964a79d37ffb45569715
push id96837
push userpaolo.mozmail@amadzone.org
push dateThu, 25 Jan 2018 17:24:37 +0000
reviewersjimm, lizzard
bugs1433065
milestone59.0
Bug 1433065 - Make the Chromium sandbox DLL blocking Nightly only. r=jimm, a=lizzard
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -2,17 +2,19 @@
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "sandboxBroker.h"
 
 #include <string>
+#if defined(NIGHTLY_BUILD)
 #include <vector>
+#endif
 
 #include "base/win/windows_version.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/ClearOnShutdown.h"
 #include "mozilla/Logging.h"
 #include "mozilla/NSPRLogModulesParser.h"
 #include "mozilla/UniquePtr.h"
 #include "mozilla/Telemetry.h"
@@ -24,16 +26,18 @@
 #include "nsIProperties.h"
 #include "nsServiceManagerUtils.h"
 #include "nsString.h"
 #include "nsTHashtable.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/security_level.h"
 #include "WinUtils.h"
 
+#if defined(NIGHTLY_BUILD)
+
 // This list of DLLs have been found to cause instability in sandboxed child
 // processes and so they will be unloaded if they attempt to load.
 const std::vector<std::wstring> kDllsToUnload = {
   // Symantec Corporation (bug 1400637)
   L"ffm64.dll",
   L"ffm.dll",
   L"prntm64.dll",
 
@@ -46,16 +50,18 @@ const std::vector<std::wstring> kDllsToU
 
   // Webroot SecureAnywhere (bug 1400637)
   L"wrusr.dll",
 
   // Comodo Internet Security (bug 1400637)
   L"guard32.dll",
 };
 
+#endif
+
 namespace mozilla
 {
 
 sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
 
 // This is set to true in Initialize when our exe file name has a drive type of
 // DRIVE_REMOTE, so that we can tailor the sandbox policy as some settings break
 // fundamental things when running from a network drive. We default to false in
@@ -247,34 +253,38 @@ SandboxBroker::LaunchApp(const wchar_t *
   if (it != aEnvironment.end()) {
     logFileName = (it->second).c_str();
   }
   if (logFileName) {
     mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                      sandbox::TargetPolicy::FILES_ALLOW_ANY, logFileName);
   }
 
+  sandbox::ResultCode result;
+#if defined(NIGHTLY_BUILD)
+
   // Add DLLs to the policy that have been found to cause instability with the
   // sandbox, so that they will be unloaded when they attempt to load.
-  sandbox::ResultCode result;
   for (std::wstring dllToUnload : kDllsToUnload) {
     // Similar to Chromium, we only add a DLL if it is loaded in this process.
     if (::GetModuleHandleW(dllToUnload.c_str())) {
       result = mPolicy->AddDllToUnload(dllToUnload.c_str());
       MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                          "AddDllToUnload should never fail, what happened?");
     }
   }
 
   // Add K7 Computing DLL to be blocked even if not loaded in the parent, as we
   // are still getting crash reports for it.
   result = mPolicy->AddDllToUnload(L"k7pswsen.dll");
   MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result,
                      "AddDllToUnload should never fail, what happened?");
 
+#endif
+
   // Ceate the sandboxed process
   PROCESS_INFORMATION targetInfo = {0};
   sandbox::ResultCode last_warning = sandbox::SBOX_ALL_OK;
   DWORD last_error = ERROR_SUCCESS;
   result = sBrokerService->SpawnTarget(aPath, aArguments, aEnvironment, mPolicy,
                                        &last_warning, &last_error, &targetInfo);
   if (sandbox::SBOX_ALL_OK != result) {
     nsAutoCString key;