From 755e1020782fb42863e97d58a3e44d2eca760bb0 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Wed, 2 May 2018 21:58:04 +0200
Subject: Remove content process sandbox code.
---
 browser/app/nsBrowserApp.cpp | 6 ----
 browser/app/profile/firefox.js | 68 ------------------------------------------
 2 files changed, 74 deletions(-)
(limited to 'browser/app')
diff --git a/browser/app/nsBrowserApp.cpp b/browser/app/nsBrowserApp.cpp
index 184b1fc2e..bae1d4bb7 100644
--- a/browser/app/nsBrowserApp.cpp
+++ b/browser/app/nsBrowserApp.cpp
@@ -260,12 +260,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
 sandbox::BrokerServices* brokerServices =
 sandboxing::GetInitializedBrokerServices();
-#if defined(MOZ_CONTENT_SANDBOX)
- if (!brokerServices) {
- Output("Couldn't initialize the broker services.\n");
- return 255;
- }
-#endif
 appData.sandboxBrokerServices = brokerServices;
 #endif
diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
index 5637d1797..e80f57fe4 100644
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
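Review bot: In do_main (browser/app/nsBrowserApp.cpp), `appData.sandboxBrokerServices = brokerServices;` now stores whatever `GetInitializedBrokerServices()` returned, null included, with no diagnostic, because the only failure check sat inside the removed `MOZ_CONTENT_SANDBOX` block. The outer `XP_WIN && MOZ_SANDBOX` guard stays and firefox.js keeps the `dom.ipc.plugins.sandbox-level.flash` prefs, so other sandboxed child processes presumably still rely on the broker. If any consumer dereferences the pointer or falls back to an unsandboxed launch when it is null, that failure is now silent. I would keep the check unconditionally, `if (!brokerServices) { Output("Couldn't initialize the broker services.\n"); return 255; }`, or, if a null broker is meant to be tolerated, add a comment on the assignment such as `// May be null if broker init failed; every reader must null-check before use.` and confirm the readers do. do_main starts and ends outside the hunk.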
@@ -945,74 +945,6 @@ pref("dom.ipc.plugins.sandbox-level.flash", 2);
 #else
 pref("dom.ipc.plugins.sandbox-level.flash", 0);
 #endif
-
-#if defined(MOZ_CONTENT_SANDBOX)
-// This controls the strength of the Windows content process sandbox for testing
-// purposes. This will require a restart.
-// On windows these levels are:
-// See - security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
-// SetSecurityLevelForContentProcess() for what the different settings mean.
-#if defined(NIGHTLY_BUILD)
-pref("security.sandbox.content.level", 2);
-#else
-pref("security.sandbox.content.level", 1);
-#endif
-
-// This controls the depth of stack trace that is logged when Windows sandbox
-// logging is turned on. This is only currently available for the content
-// process because the only other sandbox (for GMP) has too strict a policy to
-// allow stack tracing. This does not require a restart to take effect.
-pref("security.sandbox.windows.log.stackTraceDepth", 0);
-#endif
-#endif
-
-#if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is discussed in bug 1083344, the naming is inspired from its
-// Windows counterpart, but on Mac it's an integer which means:
-// 0 -> "no sandbox"
-// 1 -> "preliminary content sandboxing enabled: write access to
-// home directory is prevented"
-// 2 -> "preliminary content sandboxing enabled with profile protection:
-// write access to home directory is prevented, read and write access
-// to ~/Library and profile directories are prevented (excluding
-// $PROFILE/{extensions,weave})"
-// This setting is read when the content process is started. On Mac the content
-// process is killed when all windows are closed, so a change will take effect
-// when the 1st window is opened.
-#if defined(NIGHTLY_BUILD)
-pref("security.sandbox.content.level", 2);
-#else
-pref("security.sandbox.content.level", 1);
-#endif
-#endif
-
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is introduced as part of bug 742434, the naming is inspired from
-// its Windows/Mac counterpart, but on Linux it's an integer which means:
-// 0 -> "no sandbox"
-// 1 -> "content sandbox using seccomp-bpf when available"
-// 2 -> "seccomp-bpf + file broker"
-// Content sandboxing on Linux is currently in the stage of
-// 'just getting it enabled', which includes a very permissive whitelist. We
-// enable seccomp-bpf on nightly to see if everything is running, or if we need
-// to whitelist more system calls.
-//
-// So the purpose of this setting is to allow nightly users to disable the
-// sandbox while we fix their problems. This way, they won't have to wait for
-// another nightly release which disables seccomp-bpf again.
-//
-// This setting may not be required anymore once we decide to permanently
-// enable the content sandbox.
-pref("security.sandbox.content.level", 2);
-#endif
-
-#if defined(XP_MACOSX) || defined(XP_WIN)
-#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// ID (a UUID when set by gecko) that is used to form the name of a
-// sandbox-writable temporary directory to be used by content processes
-// when a temporary writable file is required in a level 1 sandbox.
-pref("security.sandbox.content.tempDirSuffix", "");
-#endif
 #endif
 // This pref governs whether we attempt to work around problems caused by
-- cgit v1.2.3