Bug 1746544 - Move --enable-sandbox to python configure. r=firefox-build-system-reviewers,andi

Differential Revision: https://phabricator.services.mozilla.com/D134102
2021-12-17 22:52:11 +00:00 · 2021-12-17 22:52:11 +00:00 · 0e0c8ed255
--- a/build/moz.configure/old.configure
+++ b/build/moz.configure/old.configure
@ -92,7 +92,6 @@ def old_configure_options(*options):
    "--cache-file",
    "--datadir",
    "--enable-official-branding",
-    "--enable-sandbox",
    "--enable-system-extension-dirs",
    "--enable-system-pixman",
    "--enable-universalchardet",
--- a/old-configure.in
+++ b/old-configure.in
@ -1217,7 +1217,6 @@ MOZ_OFFICIAL_BRANDING=
 MOZ_UNIVERSALCHARDET=1
 MOZ_ZIPWRITER=1
 MOZ_NO_SMART_CARDS=
-MOZ_SANDBOX=1
 MOZ_BINARY_EXTENSIONS=
 MOZ_DEVTOOLS=server

@ -1460,50 +1459,6 @@ if test -n "$MOZ_NO_SMART_CARDS"; then
 fi
 AC_SUBST(MOZ_NO_SMART_CARDS)

-dnl ========================================================
-dnl = Sandboxing support
-dnl ========================================================
-if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then
-    # Bug 1182565: TSan conflicts with sandboxing on Linux.
-    # Bug 1287971: LSan also conflicts with sandboxing on Linux.
-    case $OS_TARGET in
-    Linux|Android)
-        MOZ_SANDBOX=
-        ;;
-    esac
-fi
-
-MOZ_ARG_DISABLE_BOOL(sandbox,
-[  --disable-sandbox        Disable sandboxing support],
-    MOZ_SANDBOX=,
-    MOZ_SANDBOX=1)
-
-case "$OS_TARGET" in
-WINNT|Darwin|OpenBSD)
-;;
-Linux)
-    case $CPU_ARCH in
-        x86_64|x86|arm|aarch64)
-        ;;
-        # Linux sandbox is only available on x86{,_64} and arm{,64}.
-        *)
-            MOZ_SANDBOX=
-        ;;
-    esac
-    ;;
-*)
-    # Only enable the sandbox by default on Linux, OpenBSD, macOS, and Windows
-    MOZ_SANDBOX=
-;;
-esac
-
-if test -n "$MOZ_SANDBOX"; then
-    AC_DEFINE(MOZ_SANDBOX)
-fi
-
-AC_SUBST(MOZ_SANDBOX)
-
-
 dnl ========================================================
 dnl =
 dnl = Module specific options
--- a/toolkit/moz.configure
+++ b/toolkit/moz.configure
@ -2786,3 +2786,28 @@ set_define(
    True,
    when=depends("--enable-parental-controls")(lambda x: not x),
 )
+
+
+# Sandboxing support
+# ==============================================================
+@depends(target, tsan, asan)
+def sandbox_default(target, tsan, asan):
+    # Only enable the sandbox by default on Linux, OpenBSD, macOS, and Windows
+    if target.kernel == "Linux":
+        # Bug 1182565: TSan conflicts with sandboxing on Linux.
+        # Bug 1287971: LSan also conflicts with sandboxing on Linux.
+        if tsan or asan:
+            return False
+        # Linux sandbox is only available on x86{,_64} and arm{,64}.
+        return target.cpu in ("x86", "x86_64", "arm", "aarch64")
+    return target.kernel in ("WINNT", "Darwin", "OpenBSD")
+
+
+option(
+    "--enable-sandbox",
+    default=sandbox_default,
+    help="{Enable|Disable} sandboxing support",
+)
+
+set_config("MOZ_SANDBOX", True, when="--enable-sandbox")
+set_define("MOZ_SANDBOX", True, when="--enable-sandbox")