Bug 928044 Part 2: Enable the content sandbox by default on Windows with an open policy. r=tabraldes,glandium,jimm
authorBob Owen <bobowencode@gmail.com>
Sat, 29 Nov 2014 17:12:18 +0000
changeset 243939 69c15302979af35dc18095ec18fbf576545a06a9
parent 243938 c2c603abc7bb4de34bf82d7ff4c25075d0480723
child 243940 0f763c186855905fdd78cc4a0f18cbef9c3c5e04
push id4489
push userraliiev@mozilla.com
push dateMon, 23 Feb 2015 15:17:55 +0000
treeherdermozilla-beta@fd7c3dc24146 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstabraldes, glandium, jimm
bugs928044
milestone37.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 928044 Part 2: Enable the content sandbox by default on Windows with an open policy. r=tabraldes,glandium,jimm
browser/app/profile/firefox.js
configure.in
dom/ipc/ContentChild.cpp
ipc/contentproc/plugin-container.cpp
ipc/glue/GeckoChildProcessHost.cpp
ipc/glue/GeckoChildProcessHost.h
security/sandbox/moz.build
security/sandbox/objs.mozbuild
security/sandbox/win/src/logging/loggingCallbacks.h
security/sandbox/win/src/logging/loggingTypes.h
security/sandbox/win/src/logging/sandboxLogging.cpp
security/sandbox/win/src/logging/sandboxLogging.h
security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
security/sandbox/win/src/sandboxbroker/sandboxBroker.h
security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp
security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h
security/sandbox/win/src/warnonlysandbox/wosCallbacks.h
security/sandbox/win/src/warnonlysandbox/wosTypes.h
toolkit/xre/nsEmbedFunctions.cpp
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -1198,30 +1198,35 @@ pref("dom.ipc.plugins.enabled.x86_64", t
 #else
 pref("dom.ipc.plugins.enabled", true);
 #endif
 
 // Start the browser in e10s mode
 pref("browser.tabs.remote.autostart", false);
 pref("browser.tabs.remote.desktopbehavior", true);
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
-// This controls whether the content process on Windows is sandboxed.
-// You also need to be using remote tabs, see above.
-// on = full sandbox enabled
-// warn = warn only sandbox enabled
-// anything else = sandbox disabled
-// This will probably require a restart.
-pref("browser.tabs.remote.sandbox", "off");
+#if defined(XP_WIN) && defined(MOZ_SANDBOX)
+// When this pref is true the Windows process sandbox will set up dummy
+// interceptions and log to the browser console when calls fail in the sandboxed
+// process and also if they are subsequently allowed by the broker process.
+// This will require a restart.
+pref("security.sandbox.windows.log", false);
+
+#if defined(MOZ_CONTENT_SANDBOX)
+// This controls whether the Windows content process sandbox is using a more
+// strict sandboxing policy.  This will require a restart.
+pref("security.sandbox.windows.content.moreStrict", false);
 
 #if defined(MOZ_STACKWALKING)
-// This controls the depth of stack trace that is logged when the warn only
-// sandbox reports that a resource access request has been blocked.
-// This does not require a restart to take effect.
-pref("browser.tabs.remote.sandbox.warnOnlyStackTraceDepth", 0);
+// This controls the depth of stack trace that is logged when Windows sandbox
+// logging is turned on.  This is only currently available for the content
+// process because the only other sandbox (for GMP) has too strict a policy to
+// allow stack tracing.  This does not require a restart to take effect.
+pref("security.sandbox.windows.log.stackTraceDepth", 0);
+#endif
 #endif
 #endif
 
 // This pref governs whether we attempt to work around problems caused by
 // plugins using OS calls to manipulate the cursor while running out-of-
 // process.  These workarounds all involve intercepting (hooking) certain
 // OS calls in the plugin process, then arranging to make certain OS calls
 // in the browser process.  Eventually plugins will be required to use the
--- a/configure.in
+++ b/configure.in
@@ -6571,30 +6571,34 @@ MOZ_ARG_DISABLE_BOOL(sandbox,
 dnl ========================================================
 dnl = Content process sandboxing
 dnl ========================================================
 if test -n "$gonkdir"; then
     MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
 fi
 
 case "$OS_TARGET:$NIGHTLY_BUILD" in
-WINNT:1)
+WINNT:*)
     MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
     ;;
 Darwin:1)
     MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
     ;;
-*)
-    MOZ_ARG_ENABLE_BOOL(content-sandbox,
-    [  --enable-content-sandbox        Enable sandboxing support for content-processes],
-        MOZ_CONTENT_SANDBOX=1,
-        MOZ_CONTENT_SANDBOX=)
-    ;;
 esac
 
+MOZ_ARG_ENABLE_BOOL(content-sandbox,
+[  --enable-content-sandbox Enable sandboxing support for content-processes
+  --disable-content-sandbox Disable sandboxing support for content-processes],
+    MOZ_CONTENT_SANDBOX=1,
+    MOZ_CONTENT_SANDBOX=)
+
+if test -n "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_SANDBOX"; then
+    AC_MSG_ERROR([--enable-content-sandbox and --disable-sandbox are conflicting options])
+fi
+
 if test -n "$MOZ_CONTENT_SANDBOX"; then
     AC_DEFINE(MOZ_CONTENT_SANDBOX)
 fi
 
 AC_SUBST(MOZ_CONTENT_SANDBOX)
 
 dnl ========================================================
 dnl = Gecko Media Plugin sandboxing
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -1030,16 +1030,21 @@ SetUpSandboxEnvironment()
     NS_WARN_IF_FALSE(setOK, "Failed to set TEMP to low integrity temp path");
     setOK = SetEnvironmentVariableW(L"TMP", lowIntegrityTempPath.get());
     NS_WARN_IF_FALSE(setOK, "Failed to set TMP to low integrity temp path");
 }
 
 void
 ContentChild::CleanUpSandboxEnvironment()
 {
+    // Sandbox environment is only currently set up with the more strict sandbox.
+    if (!Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
+        return;
+    }
+
     nsresult rv;
     nsCOMPtr<nsIProperties> directoryService =
         do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID, &rv);
     if (NS_WARN_IF(NS_FAILED(rv))) {
         return;
     }
 
     nsCOMPtr<nsIFile> lowIntegrityTemp;
@@ -1139,21 +1144,18 @@ ContentChild::RecvSetProcessSandbox()
 #else
     // Otherwise, sandboxing is best-effort.
     if (!SandboxInfo::Get().CanSandboxContent()) {
         return true;
     }
 #endif
     SetContentProcessSandbox();
 #elif defined(XP_WIN)
-    nsAdoptingString contentSandboxPref =
-        Preferences::GetString("browser.tabs.remote.sandbox");
-    if (contentSandboxPref.EqualsLiteral("on")
-        || contentSandboxPref.EqualsLiteral("warn")) {
-        mozilla::SandboxTarget::Instance()->StartSandbox();
+    mozilla::SandboxTarget::Instance()->StartSandbox();
+    if (Preferences::GetBool("security.sandbox.windows.content.moreStrict")) {
         SetUpSandboxEnvironment();
     }
 #elif defined(XP_MACOSX)
     StartMacOSContentSandbox();
 #endif
 #endif
     return true;
 }
--- a/ipc/contentproc/plugin-container.cpp
+++ b/ipc/contentproc/plugin-container.cpp
@@ -24,20 +24,17 @@
 
 #include "GMPLoader.h"
 
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
 #include "sandbox/chromium/base/basictypes.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "mozilla/sandboxTarget.h"
-
-#if defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/warnonlysandbox/wosCallbacks.h"
-#endif
+#include "mozilla/sandboxing/loggingCallbacks.h"
 #endif
 
 #if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
 #include "mozilla/Sandbox.h"
 #include "mozilla/SandboxInfo.h"
 #endif
 
 #ifdef MOZ_WIDGET_GONK
@@ -193,19 +190,17 @@ content_process_main(int argc, char* arg
         }
 
         sandbox::ResultCode result = target_service->Init();
         if (result != sandbox::SBOX_ALL_OK) {
            return 2;
         }
         mozilla::SandboxTarget::Instance()->SetStartSandboxCallback(StartSandboxCallback);
 
-#if defined(MOZ_CONTENT_SANDBOX)
-        mozilla::warnonlysandbox::PrepareForInit();
-#endif
+        mozilla::sandboxing::PrepareForLogging();
     }
 #endif
 #endif
     nsAutoPtr<mozilla::gmp::GMPLoader> loader;
 #if !defined(MOZ_WIDGET_ANDROID) && !defined(MOZ_WIDGET_GONK)
     // On desktop, the GMPLoader lives in plugin-container, so that its
     // code can be covered by an EME/GMP vendor's voucher.
     nsAutoPtr<mozilla::gmp::SandboxStarter> starter(MakeSandboxStarter());
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -30,19 +30,19 @@
 #include "mozilla/ipc/BrowserProcessSubThread.h"
 #include "mozilla/Omnijar.h"
 #include <sys/stat.h>
 
 #ifdef XP_WIN
 #include "nsIWinTaskbar.h"
 #define NS_TASKBAR_CONTRACTID "@mozilla.org/windows-taskbar;1"
 
-#if defined(MOZ_CONTENT_SANDBOX)
+#if defined(MOZ_SANDBOX)
 #include "mozilla/Preferences.h"
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 #endif
 #endif
 
 #include "nsTArray.h"
 #include "nsClassHashtable.h"
 #include "nsHashKeys.h"
 #include "nsNativeCharsetUtils.h"
 
@@ -90,19 +90,21 @@ GeckoChildProcessHost::DefaultChildPrivi
 GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
                                              ChildPrivileges aPrivileges)
   : ChildProcessHost(RENDER_PROCESS), // FIXME/cjones: we should own this enum
     mProcessType(aProcessType),
     mPrivileges(aPrivileges),
     mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
     mProcessState(CREATING_CHANNEL),
     mDelegate(nullptr),
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
-    mEnableContentSandbox(false),
-    mWarnOnlyContentSandbox(false),
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
+    mEnableSandboxLogging(false),
+#if defined(MOZ_CONTENT_SANDBOX)
+    mMoreStrictContentSandbox(false),
+#endif
 #endif
     mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
   , mChildTask(MACH_PORT_NULL)
 #endif
 {
     MOZ_COUNT_CTOR(GeckoChildProcessHost);
 }
@@ -265,26 +267,30 @@ GeckoChildProcessHost::PrepareLaunch()
 #ifdef XP_WIN
   if (mProcessType == GeckoProcessType_Plugin) {
     InitWindowsGroupID();
   }
 
 #if defined(MOZ_CONTENT_SANDBOX)
   // We need to get the pref here as the process is launched off main thread.
   if (mProcessType == GeckoProcessType_Content) {
-    nsAdoptingString contentSandboxPref =
-      Preferences::GetString("browser.tabs.remote.sandbox");
-    if (contentSandboxPref.EqualsLiteral("on")) {
-      mEnableContentSandbox = true;
-    } else if (contentSandboxPref.EqualsLiteral("warn")) {
-      mEnableContentSandbox = true;
-      mWarnOnlyContentSandbox = true;
-    }
+    mMoreStrictContentSandbox =
+      Preferences::GetBool("security.sandbox.windows.content.moreStrict");
+    mEnableSandboxLogging =
+      Preferences::GetBool("security.sandbox.windows.log");
   }
 #endif
+
+#if defined(MOZ_SANDBOX)
+  // For other process types we can't rely on them being launched on main
+  // thread and they may not have access to prefs in the child process, so allow
+  // them to turn on logging via an environment variable.
+  mEnableSandboxLogging = mEnableSandboxLogging
+                          || !!PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING");
+#endif
 #endif
 }
 
 #ifdef XP_WIN
 void GeckoChildProcessHost::InitWindowsGroupID()
 {
   // On Win7+, pass the application user model to the child, so it can
   // register with it. This insures windows created by the container
@@ -785,21 +791,18 @@ GeckoChildProcessHost::PerformAsyncLaunc
     }
   }
 
 #if defined(XP_WIN)
   bool shouldSandboxCurrentProcess = false;
   switch (mProcessType) {
     case GeckoProcessType_Content:
 #if defined(MOZ_CONTENT_SANDBOX)
-      if (!mEnableContentSandbox) {
-        break;
-      }
       if (!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
-        mSandboxBroker.SetSecurityLevelForContentProcess(mWarnOnlyContentSandbox);
+        mSandboxBroker.SetSecurityLevelForContentProcess(mMoreStrictContentSandbox);
         cmdLine.AppendLooseValue(UTF8ToWide("-sandbox"));
         shouldSandboxCurrentProcess = true;
       }
 #endif // MOZ_CONTENT_SANDBOX
       break;
     case GeckoProcessType_Plugin:
       // XXX: We don't sandbox this process type yet
       // mSandboxBroker.SetSecurityLevelForPluginProcess();
@@ -859,16 +862,17 @@ GeckoChildProcessHost::PerformAsyncLaunc
 
   // Process type
   cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
 
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
   if (shouldSandboxCurrentProcess) {
     mSandboxBroker.LaunchApp(cmdLine.program().c_str(),
                              cmdLine.command_line_string().c_str(),
+                             mEnableSandboxLogging,
                              &process);
   } else
 #endif
   {
     base::LaunchApp(cmdLine, false, false, &process);
   }
 
 #else
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@@ -163,20 +163,19 @@ protected:
 
 #ifdef XP_WIN
   void InitWindowsGroupID();
   nsString mGroupId;
 
 #ifdef MOZ_SANDBOX
   SandboxBroker mSandboxBroker;
   std::vector<std::wstring> mAllowedFilesRead;
-
+  bool mEnableSandboxLogging;
 #if defined(MOZ_CONTENT_SANDBOX)
-  bool mEnableContentSandbox;
-  bool mWarnOnlyContentSandbox;
+  bool mMoreStrictContentSandbox;
 #endif
 #endif
 #endif // XP_WIN
 
 #if defined(OS_POSIX)
   base::file_handle_mapping_vector mFileMap;
 #endif
 
--- a/security/sandbox/moz.build
+++ b/security/sandbox/moz.build
@@ -13,22 +13,21 @@ elif CONFIG['OS_ARCH'] == 'WINNT':
     FORCE_STATIC_LIB = True
 
     DIRS += [
         'staticruntime',
         'win/src/sandboxbroker',
         'win/src/sandboxtarget',
     ]
 
-    if CONFIG['MOZ_CONTENT_SANDBOX']:
-        EXPORTS.mozilla.warnonlysandbox += [
-            'win/src/warnonlysandbox/warnOnlySandbox.h',
-            'win/src/warnonlysandbox/wosCallbacks.h',
-            'win/src/warnonlysandbox/wosTypes.h',
-        ]
+    EXPORTS.mozilla.sandboxing += [
+        'win/src/logging/loggingCallbacks.h',
+        'win/src/logging/loggingTypes.h',
+        'win/src/logging/sandboxLogging.h',
+    ]
 
     include('objs.mozbuild')
     SOURCES += security_sandbox_cppsrcs
 
     # Bug 1102853 tracks looking at removing this.
     if CONFIG['CPU_ARCH'] == 'x86_64':
         SOURCES['%s/security/sandbox/win/src/sharedmem_ipc_client.cc' % TOPSRCDIR].no_pgo = True
 
--- a/security/sandbox/objs.mozbuild
+++ b/security/sandbox/objs.mozbuild
@@ -55,16 +55,17 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         'win/src/handle_closer_agent.cc',
         'win/src/handle_dispatcher.cc',
         'win/src/handle_interception.cc',
         'win/src/handle_policy.cc',
         'win/src/handle_table.cc',
         'win/src/interception.cc',
         'win/src/interception_agent.cc',
         'win/src/job.cc',
+        'win/src/logging/sandboxLogging.cpp',
         'win/src/named_pipe_dispatcher.cc',
         'win/src/named_pipe_interception.cc',
         'win/src/named_pipe_policy.cc',
         'win/src/policy_broker.cc',
         'win/src/policy_engine_opcodes.cc',
         'win/src/policy_engine_processor.cc',
         'win/src/policy_low_level.cc',
         'win/src/policy_target.cc',
@@ -97,21 +98,16 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         'win/src/target_interceptions.cc',
         'win/src/target_process.cc',
         'win/src/target_services.cc',
         'win/src/win2k_threadpool.cc',
         'win/src/win_utils.cc',
         'win/src/window.cc',
     ]
 
-    if CONFIG['MOZ_CONTENT_SANDBOX']:
-        security_sandbox_lcppsrcs += [
-            'win/src/warnonlysandbox/warnOnlySandbox.cpp',
-        ]
-
     if CONFIG['CPU_ARCH'] == 'x86_64':
         security_sandbox_lcppsrcs += [
             'win/src/interceptors_64.cc',
             'win/src/resolver_64.cc',
             'win/src/service_resolver_64.cc',
             'win/src/Wow64_64.cc',
         ]
     else:
rename from security/sandbox/win/src/warnonlysandbox/wosCallbacks.h
rename to security/sandbox/win/src/logging/loggingCallbacks.h
--- a/security/sandbox/win/src/warnonlysandbox/wosCallbacks.h
+++ b/security/sandbox/win/src/logging/loggingCallbacks.h
@@ -1,19 +1,19 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef security_sandbox_wosEnableCallbacks_h__
-#define security_sandbox_wosEnableCallbacks_h__
+#ifndef security_sandbox_loggingCallbacks_h__
+#define security_sandbox_loggingCallbacks_h__
 
-#include "mozilla/warnonlysandbox/wosTypes.h"
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
+#include "mozilla/sandboxing/loggingTypes.h"
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 #ifdef TARGET_SANDBOX_EXPORTS
 #include <sstream>
 #include <iostream>
 
 #include "mozilla/Preferences.h"
 #include "nsContentUtils.h"
 
@@ -22,30 +22,30 @@
 #endif
 
 #define TARGET_SANDBOX_EXPORT __declspec(dllexport)
 #else
 #define TARGET_SANDBOX_EXPORT __declspec(dllimport)
 #endif
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // We need to use a callback to work around the fact that sandbox_s lib is
 // linked into plugin-container.exe directly and also via xul.dll via
 // sandboxbroker.dll. This causes problems with holding the state required to
-// work the warn only sandbox.
+// implement sandbox logging.
 // So, we provide a callback from plugin-container.exe that the code in xul.dll
 // can call to make sure we hit the right version of the code.
 void TARGET_SANDBOX_EXPORT
 SetProvideLogFunctionCb(ProvideLogFunctionCb aProvideLogFunctionCb);
 
-// Initialize the warn only sandbox if required.
+// Provide a call back so a pointer to a logging function can be passed later.
 static void
-PrepareForInit()
+PrepareForLogging()
 {
   SetProvideLogFunctionCb(ProvideLogFunction);
 }
 
 #ifdef TARGET_SANDBOX_EXPORTS
 static ProvideLogFunctionCb sProvideLogFunctionCb = nullptr;
 
 void
@@ -62,17 +62,17 @@ static void
 StackFrameToOStringStream(uint32_t aFrameNumber, void* aPC, void* aSP,
                           void* aClosure)
 {
   std::ostringstream* stream = static_cast<std::ostringstream*>(aClosure);
   nsCodeAddressDetails details;
   char buf[1024];
   NS_DescribeCodeAddress(aPC, &details);
   NS_FormatCodeAddressDetails(buf, sizeof(buf), aFrameNumber, aPC, &details);
-  *stream << "--" << buf << '\n';
+  *stream << std::endl << "--" << buf;
   stream->flush();
 }
 #endif
 
 // Log to the browser console and, if DEBUG build, stderr.
 static void
 Log(const char* aMessageType,
     const char* aFunctionName,
@@ -80,47 +80,56 @@ Log(const char* aMessageType,
     const bool aShouldLogStackTrace = false,
     uint32_t aFramesToSkip = 0)
 {
   std::ostringstream msgStream;
   msgStream << "Process Sandbox " << aMessageType << ": " << aFunctionName;
   if (aContext) {
     msgStream << " for : " << aContext;
   }
-  msgStream << std::endl;
 
 #ifdef MOZ_STACKWALKING
   if (aShouldLogStackTrace) {
     if (sStackTraceDepth) {
-      msgStream << "Stack Trace:" << std::endl;
+      msgStream << std::endl << "Stack Trace:";
       NS_StackWalk(StackFrameToOStringStream, aFramesToSkip, sStackTraceDepth,
                    &msgStream, 0, nullptr);
     }
   }
 #endif
 
   std::string msg = msgStream.str();
-#ifdef DEBUG
-  std::cerr << msg;
+#if defined(DEBUG)
+  // Use NS_DebugBreak directly as we want child process prefix, but not source
+  // file or line number.
+  NS_DebugBreak(NS_DEBUG_WARNING, nullptr, msg.c_str(), nullptr, -1);
 #endif
 
   nsContentUtils::LogMessageToConsole(msg.c_str());
 }
 
-// Initialize the warn only sandbox if required.
+// Initialize sandbox logging if required.
 static void
-InitIfRequired()
+InitLoggingIfRequired()
 {
-  if (XRE_GetProcessType() == GeckoProcessType_Content
-      && Preferences::GetString("browser.tabs.remote.sandbox").EqualsLiteral("warn")
-      && sProvideLogFunctionCb) {
-#ifdef MOZ_STACKWALKING
-    Preferences::AddUintVarCache(&sStackTraceDepth,
-      "browser.tabs.remote.sandbox.warnOnlyStackTraceDepth");
+  if (!sProvideLogFunctionCb) {
+    return;
+  }
+
+  if (Preferences::GetBool("security.sandbox.windows.log") ||
+      PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
+    sProvideLogFunctionCb(Log);
+
+#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_STACKWALKING)
+    // We can only log the stack trace on process types where we know that the
+    // sandbox won't prevent it.
+    if (XRE_GetProcessType() == GeckoProcessType_Content) {
+      Preferences::AddUintVarCache(&sStackTraceDepth,
+        "security.sandbox.windows.log.stackTraceDepth");
+    }
 #endif
-    sProvideLogFunctionCb(Log);
   }
 }
 #endif
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_wosEnableCallbacks_h__
+#endif // security_sandbox_loggingCallbacks_h__
rename from security/sandbox/win/src/warnonlysandbox/wosTypes.h
rename to security/sandbox/win/src/logging/loggingTypes.h
--- a/security/sandbox/win/src/warnonlysandbox/wosTypes.h
+++ b/security/sandbox/win/src/logging/loggingTypes.h
@@ -1,27 +1,27 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef security_sandbox_wosTypes_h__
-#define security_sandbox_wosTypes_h__
+#ifndef security_sandbox_loggingTypes_h__
+#define security_sandbox_loggingTypes_h__
 
 #include <stdint.h>
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // We are using callbacks here that are passed in from the core code to prevent
 // a circular dependency in the linking during the build.
 typedef void (*LogFunction) (const char* aMessageType,
                              const char* aFunctionName,
                              const char* aContext,
                              const bool aShouldLogStackTrace,
                              uint32_t aFramesToSkip);
 typedef void (*ProvideLogFunctionCb) (LogFunction aLogFunction);
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_wosTypes_h__
+#endif // security_sandbox_loggingTypes_h__
rename from security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp
rename to security/sandbox/win/src/logging/sandboxLogging.cpp
--- a/security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp
+++ b/security/sandbox/win/src/logging/sandboxLogging.cpp
@@ -1,64 +1,40 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#include "warnOnlySandbox.h"
+#include "sandboxLogging.h"
 
 #include "base/strings/utf_string_conversions.h"
 #include "sandbox/win/src/sandbox_policy.h"
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 void
-ApplyWarnOnlyPolicy(sandbox::TargetPolicy& aPolicy)
+ApplyLoggingPolicy(sandbox::TargetPolicy& aPolicy)
 {
-  // Add rules to allow everything that we can, so that we can add logging to
-  // warn when we would be blocked by the sandbox.
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
-                  sandbox::TargetPolicy::FILES_ALLOW_ANY, L"*");
+  // Add dummy rules, so that we can log in the interception code.
+  // We already have a file interception set up for the client side of pipes.
+  // Also, passing just "dummy" for file system policy causes win_utils.cc
+  // IsReparsePoint() to loop.
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
-                  sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"*");
+                  sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
-                  sandbox::TargetPolicy::PROCESS_ALL_EXEC, L"*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CLASSES_ROOT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CURRENT_USER\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_LOCAL_MACHINE\\*");
+                  sandbox::TargetPolicy::PROCESS_MIN_EXEC, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_USERS\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_DATA\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_TEXT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_PERFORMANCE_NLSTEXT\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_CURRENT_CONFIG\\*");
-  aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
-                  sandbox::TargetPolicy::REG_ALLOW_ANY,
-                  L"HKEY_DYN_DATA\\*");
+                  sandbox::TargetPolicy::REG_ALLOW_READONLY,
+                  L"HKEY_CURRENT_USER\\dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
-                  sandbox::TargetPolicy::EVENTS_ALLOW_ANY, L"*");
+                  sandbox::TargetPolicy::EVENTS_ALLOW_READONLY, L"dummy");
   aPolicy.AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
-                  sandbox::TargetPolicy::HANDLES_DUP_ANY, L"*");
+                  sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"dummy");
 }
 
 static LogFunction sLogFunction = nullptr;
 
 void
 ProvideLogFunction(LogFunction aLogFunction)
 {
   sLogFunction = aLogFunction;
@@ -117,10 +93,10 @@ LogAllowed(const char* aFunctionName, co
            uint16_t aLength)
 {
   if (sLogFunction) {
     LogAllowed(aFunctionName,
                base::WideToUTF8(std::wstring(aContext, aLength)).c_str());
   }
 }
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
rename from security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h
rename to security/sandbox/win/src/logging/sandboxLogging.h
--- a/security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h
+++ b/security/sandbox/win/src/logging/sandboxLogging.h
@@ -1,44 +1,42 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
- * Set of helper methods to implement a warn only sandbox.
- * Only providing simple namespaced functions as this code will probably be
- * removed once we are properly shipping the content sandbox.
+ * Set of helper methods to implement logging for Windows sandbox.
  */
 
-#ifndef security_sandbox_warnOnlySandbox_h__
-#define security_sandbox_warnOnlySandbox_h__
+#ifndef security_sandbox_sandboxLogging_h__
+#define security_sandbox_sandboxLogging_h__
 
-#include "wosTypes.h"
+#include "loggingTypes.h"
 
 #ifdef SANDBOX_EXPORTS
 #define SANDBOX_EXPORT __declspec(dllexport)
 #else
 #define SANDBOX_EXPORT __declspec(dllimport)
 #endif
 
 namespace sandbox {
 class TargetPolicy;
 }
 
 namespace mozilla {
-namespace warnonlysandbox {
+namespace sandboxing {
 
 // This is used to pass a LogCallback to the sandboxing code, as the logging
 // requires code to which we cannot link directly.
 void SANDBOX_EXPORT ProvideLogFunction(LogFunction aLogFunction);
 
-// Set up the sandbox to allow everything via the broker, so we can log calls.
-void ApplyWarnOnlyPolicy(sandbox::TargetPolicy& aPolicy);
+// Set up dummy interceptions via the broker, so we can log calls.
+void ApplyLoggingPolicy(sandbox::TargetPolicy& aPolicy);
 
 // Log a "BLOCKED" msg to the browser console and, if DEBUG build, stderr.
 // If the logging of a stack trace is enabled then the default aFramesToSkip
 // will start from our caller's caller, which should normally be the function
 // that triggered the interception.
 void LogBlocked(const char* aFunctionName, const char* aContext = nullptr,
                 uint32_t aFramesToSkip = 2);
 
@@ -51,12 +49,12 @@ void LogBlocked(const char* aFunctionNam
 void LogAllowed(const char* aFunctionName, const char* aContext = nullptr);
 
 // Convenience functions to convert to char*.
 void LogAllowed(const char* aFunctionName, const wchar_t* aContext);
 void LogAllowed(const char* aFunctionName, const wchar_t* aContext,
                 uint16_t aLength);
 
 
-} // warnonlysandbox
+} // sandboxing
 } // mozilla
 
-#endif // security_sandbox_warnOnlySandbox_h__
+#endif // security_sandbox_sandboxLogging_h__
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -3,19 +3,17 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "sandboxBroker.h"
 #include "sandbox/win/src/sandbox.h"
 #include "sandbox/win/src/sandbox_factory.h"
 #include "sandbox/win/src/security_level.h"
-#if defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/warnonlysandbox/warnOnlySandbox.h"
-#endif
+#include "mozilla/sandboxing/sandboxLogging.h"
 
 namespace mozilla
 {
 
 sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
 
 SandboxBroker::SandboxBroker()
 {
@@ -32,26 +30,32 @@ SandboxBroker::SandboxBroker()
   }
 
   mPolicy = sBrokerService->CreatePolicy();
 }
 
 bool
 SandboxBroker::LaunchApp(const wchar_t *aPath,
                          const wchar_t *aArguments,
+                         const bool aEnableLogging,
                          void **aProcessHandle)
 {
   if (!sBrokerService || !mPolicy) {
     return false;
   }
 
   // Set stdout and stderr, to allow inheritance for logging.
   mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
   mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
 
+  // If logging enabled, set up the policy.
+  if (aEnableLogging) {
+    mozilla::sandboxing::ApplyLoggingPolicy(*mPolicy);
+  }
+
   // Ceate the sandboxed process
   PROCESS_INFORMATION targetInfo;
   sandbox::ResultCode result;
   result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo);
 
   // The sandboxed process is started in a suspended state, resume it now that
   // we've set things up.
   ResumeThread(targetInfo.hThread);
@@ -60,48 +64,59 @@ SandboxBroker::LaunchApp(const wchar_t *
   // Return the process handle to the caller
   *aProcessHandle = targetInfo.hProcess;
 
   return true;
 }
 
 #if defined(MOZ_CONTENT_SANDBOX)
 bool
-SandboxBroker::SetSecurityLevelForContentProcess(bool inWarnOnlyMode)
+SandboxBroker::SetSecurityLevelForContentProcess(bool aMoreStrict)
 {
   if (!mPolicy) {
     return false;
   }
 
-  auto result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
-  bool ret = (sandbox::SBOX_ALL_OK == result);
+  sandbox::ResultCode result;
+  bool ret;
+  if (aMoreStrict) {
+    result = mPolicy->SetJobLevel(sandbox::JOB_INTERACTIVE, 0);
+    ret = (sandbox::SBOX_ALL_OK == result);
 
-  result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
-                                  sandbox::USER_RESTRICTED_SAME_ACCESS);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                    sandbox::USER_INTERACTIVE);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  // If the delayed integrity level is changed then SetUpSandboxEnvironment and
-  // CleanUpSandboxEnvironment in ContentChild should be changed or removed.
-  result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    // If the delayed integrity level is lowered then SetUpSandboxEnvironment and
+    // CleanUpSandboxEnvironment in ContentChild should be changed or removed.
+    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  result = mPolicy->SetAlternateDesktop(true);
-  ret = ret && (sandbox::SBOX_ALL_OK == result);
+    result = mPolicy->SetAlternateDesktop(true);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  } else {
+    result = mPolicy->SetJobLevel(sandbox::JOB_NONE, 0);
+    bool ret = (sandbox::SBOX_ALL_OK == result);
+
+    result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
+                                    sandbox::USER_RESTRICTED_SAME_ACCESS);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+
+    result = mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_MEDIUM);
+    ret = ret && (sandbox::SBOX_ALL_OK == result);
+  }
 
   // Add the policy for the client side of a pipe. It is just a file
   // in the \pipe\ namespace. We restrict it to pipes that start with
   // "chrome." so the sandboxed process cannot connect to system services.
   result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
                             sandbox::TargetPolicy::FILES_ALLOW_ANY,
                             L"\\??\\pipe\\chrome.*");
   ret = ret && (sandbox::SBOX_ALL_OK == result);
 
-  if (inWarnOnlyMode) {
-    mozilla::warnonlysandbox::ApplyWarnOnlyPolicy(*mPolicy);
-  }
   return ret;
 }
 #endif
 
 bool
 SandboxBroker::SetSecurityLevelForPluginProcess()
 {
   if (!mPolicy) {
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
@@ -21,22 +21,23 @@ namespace sandbox {
 namespace mozilla {
 
 class SANDBOX_EXPORT SandboxBroker
 {
 public:
   SandboxBroker();
   bool LaunchApp(const wchar_t *aPath,
                  const wchar_t *aArguments,
+                 const bool aEnableLogging,
                  void **aProcessHandle);
   virtual ~SandboxBroker();
 
   // Security levels for different types of processes
 #if defined(MOZ_CONTENT_SANDBOX)
-  bool SetSecurityLevelForContentProcess(bool inWarnOnlyMode);
+  bool SetSecurityLevelForContentProcess(bool aMoreStrict);
 #endif
   bool SetSecurityLevelForPluginProcess();
   bool SetSecurityLevelForIPDLUnitTestProcess();
   bool SetSecurityLevelForGMPlugin();
 
   // File system permissions
   bool AllowReadFile(wchar_t const *file);
   bool AllowReadWriteFile(wchar_t const *file);
--- a/toolkit/xre/nsEmbedFunctions.cpp
+++ b/toolkit/xre/nsEmbedFunctions.cpp
@@ -70,19 +70,19 @@
 #include "mozilla/ipc/TestShellParent.h"
 #include "mozilla/ipc/XPCShellEnvironment.h"
 
 #include "GMPProcessChild.h"
 #include "GMPLoader.h"
 
 #include "GeckoProfiler.h"
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
 #define TARGET_SANDBOX_EXPORTS
-#include "mozilla/warnonlysandbox/wosCallbacks.h"
+#include "mozilla/sandboxing/loggingCallbacks.h"
 #endif
 
 #ifdef MOZ_IPDL_TESTS
 #include "mozilla/_ipdltest/IPDLUnitTests.h"
 #include "mozilla/_ipdltest/IPDLUnitTestProcessChild.h"
 
 using mozilla::_ipdltest::IPDLUnitTestProcessChild;
 #endif  // ifdef MOZ_IPDL_TESTS
@@ -553,20 +553,20 @@ XRE_InitChildProcess(int aArgc,
       }
 
       if (!process->Init()) {
         profiler_shutdown();
         NS_LogTerm();
         return NS_ERROR_FAILURE;
       }
 
-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_WIN)
+#if defined(MOZ_SANDBOX) && defined(XP_WIN)
       // We need to do this after the process has been initialised, as
-      // InitIfRequired needs access to prefs.
-      mozilla::warnonlysandbox::InitIfRequired();
+      // InitLoggingIfRequired may need access to prefs.
+      mozilla::sandboxing::InitLoggingIfRequired();
 #endif
 
       // Run the UI event loop on the main thread.
       uiMessageLoop.MessageLoop::Run();
 
       // Allow ProcessChild to clean up after itself before going out of
       // scope and being deleted
       process->CleanUp();