Merge pull request #323 from MoonchildProductions/nuke-sandbox

Nuke sandbox

9 files changed, 0 insertions, 441 deletions

diff --git a/ipc/app/moz.build b/ipc/app/moz.build
index 55c338cb8..a5bf66737 100644
--- a/ipc/app/moz.build
+++ b/ipc/app/moz.build
@@ -43,47 +43,10 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         'nss3.dll',
     ]
 
-    if CONFIG['MOZ_SANDBOX']:
-        # For sandbox includes and the include dependencies those have
-        LOCAL_INCLUDES += [
-            '/security/sandbox/chromium',
-            '/security/sandbox/chromium-shim',
-        ]
-
-        USE_LIBS += [
-            'sandbox_s',
-        ]
-
-        DELAYLOAD_DLLS += [
-            'winmm.dll',
-            'user32.dll',
-        ]
-
     DELAYLOAD_DLLS += [
         'xul.dll',
     ]
 
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] in ('Linux', 'Android'):
-    USE_LIBS += [
-        'mozsandbox',
-    ]
-
-    # gcc lto likes to put the top level asm in syscall.cc in a different partition
-    # from the function using it which breaks the build.  Work around that by
-    # forcing there to be only one partition.
-    if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
-        LDFLAGS += ['--param lto-partitions=1']
-
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin':
-    # For sandbox includes and the include dependencies those have
-    LOCAL_INCLUDES += [
-        '/security/sandbox/chromium',
-        '/security/sandbox/chromium-shim',
-    ]
-    USE_LIBS += [
-        'mozsandbox',
-    ]
-
 if CONFIG['_MSC_VER']:
     # Always enter a Windows program through wmain, whether or not we're
     # a console application.
diff --git a/ipc/app/pie/moz.build b/ipc/app/pie/moz.build
index 0247b25b4..6924199b5 100644
--- a/ipc/app/pie/moz.build
+++ b/ipc/app/pie/moz.build
@@ -16,15 +16,4 @@ LOCAL_INCLUDES += [
     '/xpcom/base',
 ]
 
-if CONFIG['MOZ_SANDBOX']:
-    USE_LIBS += [
-        'mozsandbox',
-    ]
-
-    # gcc lto likes to put the top level asm in syscall.cc in a different partition
-    # from the function using it which breaks the build.  Work around that by
-    # forcing there to be only one partition.
-    if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
-	LDFLAGS += ['--param lto-partitions=1']
-
 LDFLAGS += ['-pie']
diff --git a/ipc/contentproc/moz.build b/ipc/contentproc/moz.build
index 07cf0b97c..f9ded56ec 100644
--- a/ipc/contentproc/moz.build
+++ b/ipc/contentproc/moz.build
@@ -18,8 +18,3 @@ if CONFIG['OS_ARCH'] == 'WINNT':
         '/xpcom/base',
     ]
 
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
-    LOCAL_INCLUDES += [
-        '/security/sandbox/chromium',
-        '/security/sandbox/chromium-shim',
-    ]
diff --git a/ipc/contentproc/plugin-container.cpp b/ipc/contentproc/plugin-container.cpp
index f293889b0..6a9341d7f 100644
--- a/ipc/contentproc/plugin-container.cpp
+++ b/ipc/contentproc/plugin-container.cpp
@@ -22,16 +22,6 @@
 
 #include "GMPLoader.h"
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "mozilla/sandboxing/SandboxInitialization.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-#endif
-
-#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
-#include "mozilla/Sandbox.h"
-#include "mozilla/SandboxInfo.h"
-#endif
-
 #ifdef MOZ_WIDGET_GONK
 # include <sys/time.h>
 # include <sys/resource.h> 
@@ -49,10 +39,6 @@
        "Gecko:MozillaRntimeMain", __VA_ARGS__)) \
      : (void)0 )
 
-# ifdef MOZ_CONTENT_SANDBOX
-# include "mozilla/Sandbox.h"
-# endif
-
 #endif // MOZ_WIDGET_GONK
 
 #ifdef MOZ_WIDGET_GONK
@@ -71,69 +57,10 @@ InitializeBinder(void *aDummy) {
 }
 #endif
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-class WinSandboxStarter : public mozilla::gmp::SandboxStarter {
-public:
-    virtual bool Start(const char *aLibPath) override {
-        if (IsSandboxedProcess()) {
-            mozilla::sandboxing::LowerSandbox();
-        }
-        return true;
-    }
-};
-#endif
-
-#if defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
-class LinuxSandboxStarter : public mozilla::gmp::SandboxStarter {
-    LinuxSandboxStarter() { }
-public:
-    static SandboxStarter* Make() {
-        if (mozilla::SandboxInfo::Get().CanSandboxMedia()) {
-            return new LinuxSandboxStarter();
-        } else {
-            // Sandboxing isn't possible, but the parent has already
-            // checked that this plugin doesn't require it.  (Bug 1074561)
-            return nullptr;
-        }
-    }
-    virtual bool Start(const char *aLibPath) override {
-        mozilla::SetMediaPluginSandbox(aLibPath);
-        return true;
-    }
-};
-#endif
-
-#if defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX)
-class MacSandboxStarter : public mozilla::gmp::SandboxStarter {
-public:
-    virtual bool Start(const char *aLibPath) override {
-      std::string err;
-      bool rv = mozilla::StartMacSandbox(mInfo, err);
-      if (!rv) {
-        fprintf(stderr, "sandbox_init() failed! Error \"%s\"\n", err.c_str());
-      }
-      return rv;
-    }
-    virtual void SetSandboxInfo(MacSandboxInfo* aSandboxInfo) override {
-      mInfo = *aSandboxInfo;
-    }
-private:
-  MacSandboxInfo mInfo;
-};
-#endif
-
 mozilla::gmp::SandboxStarter*
 MakeSandboxStarter()
 {
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-    return new WinSandboxStarter();
-#elif defined(XP_LINUX) && defined(MOZ_GMP_SANDBOX)
-    return LinuxSandboxStarter::Make();
-#elif defined(XP_MACOSX) && defined(MOZ_GMP_SANDBOX)
-    return new MacSandboxStarter();
-#else
     return nullptr;
-#endif
 }
 
 int
@@ -147,27 +74,8 @@ content_process_main(int argc, char* argv[])
 
     XREChildData childData;
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-    if (IsSandboxedProcess()) {
-        childData.sandboxTargetServices =
-            mozilla::sandboxing::GetInitializedTargetServices();
-        if (!childData.sandboxTargetServices) {
-            return 1;
-        }
-
-        childData.ProvideLogFunction = mozilla::sandboxing::ProvideLogFunction;
-    }
-#endif
-
     XRE_SetProcessType(argv[--argc]);
 
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
-    // This has to happen while we're still single-threaded, and on
-    // B2G that means before the Android Binder library is
-    // initialized.
-    mozilla::SandboxEarlyInit(XRE_GetProcessType());
-#endif
-
 #ifdef MOZ_WIDGET_GONK
     // This creates a ThreadPool for binder ipc. A ThreadPool is necessary to
     // receive binder calls, though not necessary to send binder calls.
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
index db8ab3d0a..9ab9cc4d4 100644
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@@ -23,10 +23,6 @@
 #include "prenv.h"
 #include "nsXPCOMPrivate.h"
 
-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-#include "nsAppDirectoryServiceDefs.h"
-#endif
-
 #include "nsExceptionHandler.h"
 
 #include "nsDirectoryServiceDefs.h"
@@ -43,12 +39,6 @@
 #ifdef XP_WIN
 #include "nsIWinTaskbar.h"
 #define NS_TASKBAR_CONTRACTID "@mozilla.org/windows-taskbar;1"
-
-#if defined(MOZ_SANDBOX)
-#include "mozilla/Preferences.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-#include "nsDirectoryServiceUtils.h"
-#endif
 #endif
 
 #include "nsTArray.h"
@@ -101,10 +91,6 @@ GeckoChildProcessHost::GeckoChildProcessHost(GeckoProcessType aProcessType,
     mPrivileges(aPrivileges),
     mMonitor("mozilla.ipc.GeckChildProcessHost.mMonitor"),
     mProcessState(CREATING_CHANNEL),
-#if defined(MOZ_SANDBOX) && defined(XP_WIN)
-    mEnableSandboxLogging(false),
-    mSandboxLevel(0),
-#endif
     mChildProcessHandle(0)
 #if defined(MOZ_WIDGET_COCOA)
   , mChildTask(MACH_PORT_NULL)
@@ -311,23 +297,6 @@ GeckoChildProcessHost::PrepareLaunch()
   if (mProcessType == GeckoProcessType_Plugin) {
     InitWindowsGroupID();
   }
-
-#if defined(MOZ_CONTENT_SANDBOX)
-  // We need to get the pref here as the process is launched off main thread.
-  if (mProcessType == GeckoProcessType_Content) {
-    mSandboxLevel = Preferences::GetInt("security.sandbox.content.level");
-    mEnableSandboxLogging =
-      Preferences::GetBool("security.sandbox.windows.log");
-  }
-#endif
-
-#if defined(MOZ_SANDBOX)
-  // For other process types we can't rely on them being launched on main
-  // thread and they may not have access to prefs in the child process, so allow
-  // them to turn on logging via an environment variable.
-  mEnableSandboxLogging = mEnableSandboxLogging
-                          || !!PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING");
-#endif
 #endif
 }
 
@@ -608,109 +577,10 @@ AddAppDirToCommandLine(std::vector<std::string>& aCmdLine)
         aCmdLine.push_back(path.get());
 #endif
       }
-
-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-      // Full path to the profile dir
-      nsCOMPtr<nsIFile> profileDir;
-      rv = directoryService->Get(NS_APP_USER_PROFILE_50_DIR,
-                                 NS_GET_IID(nsIFile),
-                                 getter_AddRefs(profileDir));
-      if (NS_SUCCEEDED(rv)) {
-        nsAutoCString path;
-        MOZ_ALWAYS_SUCCEEDS(profileDir->GetNativePath(path));
-        aCmdLine.push_back("-profile");
-        aCmdLine.push_back(path.get());
-      }
-#endif
-    }
-  }
-}
-
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-static void
-MaybeAddNsprLogFileAccess(std::vector<std::wstring>& aAllowedFilesReadWrite)
-{
-  const char* nsprLogFileEnv = PR_GetEnv("NSPR_LOG_FILE");
-  if (!nsprLogFileEnv) {
-    return;
-  }
-
-  nsDependentCString nsprLogFilePath(nsprLogFileEnv);
-  nsCOMPtr<nsIFile> nsprLogFile;
-  nsresult rv = NS_NewNativeLocalFile(nsprLogFilePath, true,
-                                      getter_AddRefs(nsprLogFile));
-  if (NS_FAILED(rv)) {
-    // Not an absolute path, try it as a relative one.
-    nsresult rv = NS_GetSpecialDirectory(NS_OS_CURRENT_WORKING_DIR,
-                                         getter_AddRefs(nsprLogFile));
-    if (NS_FAILED(rv) || !nsprLogFile) {
-      NS_WARNING("Failed to get current working directory");
-      return;
-    }
-
-    rv = nsprLogFile->AppendRelativeNativePath(nsprLogFilePath);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      return;
     }
   }
-
-  nsAutoString resolvedFilePath;
-  rv = nsprLogFile->GetPath(resolvedFilePath);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-      return;
-  }
-
-  // Update the environment variable as well as adding the rule, because the
-  // Chromium sandbox can only allow access to fully qualified file paths. This
-  // only affects the environment for the child process we're about to create,
-  // because this will get reset to the original value in PerformAsyncLaunch.
-  aAllowedFilesReadWrite.push_back(std::wstring(resolvedFilePath.get()));
-  nsAutoCString resolvedEnvVar("NSPR_LOG_FILE=");
-  AppendUTF16toUTF8(resolvedFilePath, resolvedEnvVar);
-  PR_SetEnv(resolvedEnvVar.get());
 }
 
-static void
-AddContentSandboxAllowedFiles(int32_t aSandboxLevel,
-                              std::vector<std::wstring>& aAllowedFilesRead)
-{
-  if (aSandboxLevel < 1) {
-    return;
-  }
-
-  nsCOMPtr<nsIFile> binDir;
-  nsresult rv = NS_GetSpecialDirectory(NS_GRE_DIR, getter_AddRefs(binDir));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-
-  nsAutoString binDirPath;
-  rv = binDir->GetPath(binDirPath);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-
-  // If bin directory is on a remote drive add read access.
-  wchar_t volPath[MAX_PATH];
-  if (!::GetVolumePathNameW(binDirPath.get(), volPath, MAX_PATH)) {
-    return;
-  }
-
-  if (::GetDriveTypeW(volPath) != DRIVE_REMOTE) {
-    return;
-  }
-
-  // Convert network share path to format for sandbox policy.
-  if (Substring(binDirPath, 0, 2).Equals(L"\\\\")) {
-    binDirPath.InsertLiteral(u"??\\UNC", 1);
-  }
-
-  binDirPath.AppendLiteral(u"\\*");
-
-  aAllowedFilesRead.push_back(std::wstring(binDirPath.get()));
-}
-#endif
-
 bool
 GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExtraOpts, base::ProcessArchitecture arch)
 {
@@ -835,27 +705,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   }
 #endif // MOZ_WIDGET_GONK
 
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
-  // Preload libmozsandbox.so so that sandbox-related interpositions
-  // can be defined there instead of in the executable.
-  // (This could be made conditional on intent to use sandboxing, but
-  // it's harmless for non-sandboxed processes.)
-  {
-    nsAutoCString preload;
-    // Prepend this, because people can and do preload libpthread.
-    // (See bug 1222500.)
-    preload.AssignLiteral("libmozsandbox.so");
-    if (const char* oldPreload = PR_GetEnv("LD_PRELOAD")) {
-      // Doesn't matter if oldPreload is ""; extra separators are ignored.
-      preload.Append(' ');
-      preload.Append(oldPreload);
-    }
-    // Explicitly construct the std::string to make it clear that this
-    // isn't retaining a pointer to the nsCString's buffer.
-    newEnvVars["LD_PRELOAD"] = std::string(preload.get());
-  }
-#endif
-
   // remap the IPC socket fd to a well-known int, as the OS does for
   // STDOUT_FILENO, for example
   int srcChannelFd, dstChannelFd;
@@ -1021,85 +870,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
     }
   }
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-  bool shouldSandboxCurrentProcess = false;
-
-  // XXX: Bug 1124167: We should get rid of the process specific logic for
-  // sandboxing in this class at some point. Unfortunately it will take a bit
-  // of reorganizing so I don't think this patch is the right time.
-  switch (mProcessType) {
-    case GeckoProcessType_Content:
-#if defined(MOZ_CONTENT_SANDBOX)
-      if (mSandboxLevel > 0 &&
-          !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
-        // For now we treat every failure as fatal in SetSecurityLevelForContentProcess
-        // and just crash there right away. Should this change in the future then we
-        // should also handle the error here.
-        mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
-        shouldSandboxCurrentProcess = true;
-        AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
-      }
-#endif // MOZ_CONTENT_SANDBOX
-      break;
-    case GeckoProcessType_Plugin:
-      if (mSandboxLevel > 0 &&
-          !PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
-        bool ok = mSandboxBroker.SetSecurityLevelForPluginProcess(mSandboxLevel);
-        if (!ok) {
-          return false;
-        }
-        shouldSandboxCurrentProcess = true;
-      }
-      break;
-    case GeckoProcessType_IPDLUnitTest:
-      // XXX: We don't sandbox this process type yet
-      break;
-    case GeckoProcessType_GMPlugin:
-      if (!PR_GetEnv("MOZ_DISABLE_GMP_SANDBOX")) {
-        // The Widevine CDM on Windows can only load at USER_RESTRICTED,
-        // not at USER_LOCKDOWN. So look in the command line arguments
-        // to see if we're loading the path to the Widevine CDM, and if
-        // so use sandbox level USER_RESTRICTED instead of USER_LOCKDOWN.
-        bool isWidevine = std::any_of(aExtraOpts.begin(), aExtraOpts.end(),
-          [](const std::string arg) { return arg.find("gmp-widevinecdm") != std::string::npos; });
-        auto level = isWidevine ? SandboxBroker::Restricted : SandboxBroker::LockDown;
-        bool ok = mSandboxBroker.SetSecurityLevelForGMPlugin(level);
-        if (!ok) {
-          return false;
-        }
-        shouldSandboxCurrentProcess = true;
-      }
-      break;
-    case GeckoProcessType_GPU:
-      break;
-    case GeckoProcessType_Default:
-    default:
-      MOZ_CRASH("Bad process type in GeckoChildProcessHost");
-      break;
-  };
-
-  if (shouldSandboxCurrentProcess) {
-    MaybeAddNsprLogFileAccess(mAllowedFilesReadWrite);
-    for (auto it = mAllowedFilesRead.begin();
-         it != mAllowedFilesRead.end();
-         ++it) {
-      mSandboxBroker.AllowReadFile(it->c_str());
-    }
-
-    for (auto it = mAllowedFilesReadWrite.begin();
-         it != mAllowedFilesReadWrite.end();
-         ++it) {
-      mSandboxBroker.AllowReadWriteFile(it->c_str());
-    }
-
-    for (auto it = mAllowedDirectories.begin();
-         it != mAllowedDirectories.end();
-         ++it) {
-      mSandboxBroker.AllowDirectory(it->c_str());
-    }
-  }
-#endif // XP_WIN && MOZ_SANDBOX
-
   // Add the application directory path (-appdir path)
   AddAppDirToCommandLine(cmdLine);
 
@@ -1116,33 +886,8 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
   // Process type
   cmdLine.AppendLooseValue(UTF8ToWide(childProcessType));
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-  if (shouldSandboxCurrentProcess) {
-    if (mSandboxBroker.LaunchApp(cmdLine.program().c_str(),
-                                 cmdLine.command_line_string().c_str(),
-                                 mEnableSandboxLogging,
-                                 &process)) {
-      EnvironmentLog("MOZ_PROCESS_LOG").print(
-        "==> process %d launched child process %d (%S)\n",
-        base::GetCurrentProcId(), base::GetProcId(process),
-        cmdLine.command_line_string().c_str());
-    }
-  } else
-#endif
   {
     base::LaunchApp(cmdLine, false, false, &process);
-
-#ifdef MOZ_SANDBOX
-    // We need to be able to duplicate handles to some types of non-sandboxed
-    // child processes.
-    if (mProcessType == GeckoProcessType_Content ||
-        mProcessType == GeckoProcessType_GPU ||
-        mProcessType == GeckoProcessType_GMPlugin) {
-      if (!mSandboxBroker.AddTargetPeer(process)) {
-        NS_WARNING("Failed to add content process as target peer.");
-      }
-    }
-#endif
   }
 
 #else
diff --git a/ipc/glue/GeckoChildProcessHost.h b/ipc/glue/GeckoChildProcessHost.h
index 3d55564ac..d278d8928 100644
--- a/ipc/glue/GeckoChildProcessHost.h
+++ b/ipc/glue/GeckoChildProcessHost.h
@@ -21,10 +21,6 @@
 #include "nsXULAppAPI.h"        // for GeckoProcessType
 #include "nsString.h"
 
-#if defined(XP_WIN) && defined(MOZ_SANDBOX)
-#include "sandboxBroker.h"
-#endif
-
 namespace mozilla {
 namespace ipc {
 
@@ -153,15 +149,6 @@ protected:
 #ifdef XP_WIN
   void InitWindowsGroupID();
   nsString mGroupId;
-
-#ifdef MOZ_SANDBOX
-  SandboxBroker mSandboxBroker;
-  std::vector<std::wstring> mAllowedFilesRead;
-  std::vector<std::wstring> mAllowedFilesReadWrite;
-  std::vector<std::wstring> mAllowedDirectories;
-  bool mEnableSandboxLogging;
-  int32_t mSandboxLevel;
-#endif
 #endif // XP_WIN
 
 #if defined(OS_POSIX)
diff --git a/ipc/glue/ProtocolUtils.cpp b/ipc/glue/ProtocolUtils.cpp
index 4de131469..7d8a1153c 100644
--- a/ipc/glue/ProtocolUtils.cpp
+++ b/ipc/glue/ProtocolUtils.cpp
@@ -20,11 +20,6 @@
 #include "mozilla/Unused.h"
 #include "nsPrintfCString.h"
 
-#if defined(MOZ_SANDBOX) && defined(XP_WIN)
-#define TARGET_SANDBOX_EXPORTS
-#include "mozilla/sandboxTarget.h"
-#endif
-
 #include "nsAutoPtr.h"
 
 using namespace IPC;
@@ -162,17 +157,6 @@ bool DuplicateHandle(HANDLE aSourceHandle,
 
   }
 
-#if defined(MOZ_SANDBOX)
-  // Try the broker next (will fail if not sandboxed).
-  if (SandboxTarget::Instance()->BrokerDuplicateHandle(aSourceHandle,
-                                                       aTargetProcessId,
-                                                       aTargetHandle,
-                                                       aDesiredAccess,
-                                                       aOptions)) {
-    return true;
-  }
-#endif
-
   // Finally, see if we already have access to the process.
   ScopedProcessHandle targetProcess(OpenProcess(PROCESS_DUP_HANDLE,
                                                 FALSE,
diff --git a/ipc/glue/moz.build b/ipc/glue/moz.build
index dd3a2e1ba..8caee1ffe 100644
--- a/ipc/glue/moz.build
+++ b/ipc/glue/moz.build
@@ -196,12 +196,5 @@ for var in ('MOZ_CHILD_PROCESS_NAME', 'MOZ_CHILD_PROCESS_NAME_PIE',
             'MOZ_CHILD_PROCESS_BUNDLE', 'DLL_PREFIX', 'DLL_SUFFIX'):
     DEFINES[var] = '"%s"' % CONFIG[var]
 
-if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_ARCH'] == 'WINNT':
-    LOCAL_INCLUDES += [
-        '/security/sandbox/chromium',
-        '/security/sandbox/chromium-shim',
-        '/security/sandbox/win/src/sandboxbroker',
-    ]
-
 if CONFIG['GNU_CXX']:
     CXXFLAGS += ['-Wno-shadow']
diff --git a/ipc/mscom/InterceptorLog.cpp b/ipc/mscom/InterceptorLog.cpp
index c2cd3c7df..3f3dc3f34 100644
--- a/ipc/mscom/InterceptorLog.cpp
+++ b/ipc/mscom/InterceptorLog.cpp
@@ -98,13 +98,8 @@ Logger::Logger(const nsACString& aLeafBaseName)
     rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR, getter_AddRefs(logFileName));
   } else if (procType == GeckoProcessType_Content) {
     leafName.AppendLiteral("-Content-");
-#if defined(MOZ_CONTENT_SANDBOX)
-    rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
-                                getter_AddRefs(logFileName));
-#else
     rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR,
                                 getter_AddRefs(logFileName));
-#endif // defined(MOZ_CONTENT_SANDBOX)
   } else {
     return;
   }