Bug 1750742 - Enable Win32k Lockdown by default in Nightly r=bobowen

It's time to graduate Win32k lockdown from Nightly Experiments to default on Nightly. Differential Revision: https://phabricator.services.mozilla.com/D139487
2022-02-24 13:01:39 +00:00 · 2022-02-24 13:01:39 +00:00 · 0c100013ef
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -11596,17 +11596,6 @@
  mirror: always
  do_not_use_directly: true # Consumers should use SandboxSettings to ask.

-
-# Whether win32k is disabled for content processes.
-# true means win32k system calls are not permitted.
-# (This cannot be put behind the XP_WIN and MOZ_SANDBOX guards because
-#  "Nightly Experiments" has no way to filter options based on OS or other
-#  CPP defines, and it fails if the pref doesn't exist)
- name: security.sandbox.content.win32k-disable
-  type: RelaxedAtomicBool
-  value: false
-  mirror: always
-
 # Enrollment preferences for the win32k experiment, set and managed by Normandy
 - name: security.sandbox.content.win32k-experiment.enrollmentStatus
  type: uint32_t
@ -11619,6 +11608,14 @@
  mirror: never

 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
+
+  # Whether win32k is disabled for content processes.
+  # true means win32k system calls are not permitted.
+-   name: security.sandbox.content.win32k-disable
+    type: RelaxedAtomicBool
+    value: @IS_NIGHTLY_BUILD@
+    mirror: always
+
  # Note: win32k is currently _not_ disabled for GMP due to intermittent test
  # failures, where the GMP process fails very early. See bug 1449348.
 -   name: security.sandbox.gmp.win32k-disable
--- a/toolkit/components/featuregates/Features.toml
+++ b/toolkit/components/featuregates/Features.toml
@ -113,16 +113,6 @@ bug-numbers = [1643027]
 is-public = true
 default-value = false

-[win32-lockdown]
-title = "experimental-features-win32k-lockdown"
-description = "experimental-features-win32k-lockdown-description"
-restart-required = true
-preference = "security.sandbox.content.win32k-disable"
-type = "boolean"
-bug-numbers = [1697865]
-is-public = true
-default-value = false
-
 [url-bar-ime-search]
 title = "experimental-features-ime-search"
 description = "experimental-features-ime-search-description"
--- a/toolkit/locales/en-US/toolkit/featuregates/features.ftl
+++ b/toolkit/locales/en-US/toolkit/featuregates/features.ftl
@ -63,11 +63,6 @@ experimental-features-webrtc-global-mute-toggles =
    .label = WebRTC Global Mute Toggles
 experimental-features-webrtc-global-mute-toggles-description = Add controls to the WebRTC global sharing indicator that allow users to globally mute their microphone and camera feeds.

-# Win32k Lockdown
-experimental-features-win32k-lockdown =
-    .label = Win32k Lockdown
-experimental-features-win32k-lockdown-description = Disable use of Win32k APIs in browser tabs. Provides an increase in security but may currently be unstable or glitchy. (Windows only)
-
 # JS JIT Warp project
 experimental-features-js-warp =
    .label = JavaScript JIT: Warp