зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1563774 - Enable Binary Signature Policy on the RDD process r=bobowen
To do this, we preload the AV libraries. They may not be needed right now, but by doing this now we ensure that future RDD work won't mysteriously fail during development for some poor coworker. Differential Revision: https://phabricator.services.mozilla.com/D37928 --HG-- extra : moz-landing-system : lando
This commit is contained in:
Родитель
840dc6a66f
Коммит
334edd038c
|
@ -24,6 +24,10 @@ RDDProcessImpl::~RDDProcessImpl() {}
|
|||
|
||||
bool RDDProcessImpl::Init(int aArgc, char* aArgv[]) {
|
||||
#if defined(MOZ_SANDBOX) && defined(OS_WIN)
|
||||
// Preload AV dlls so we can enable Binary Signature Policy
|
||||
// to restrict further dll loads.
|
||||
LoadLibraryW(L"mozavcodec.dll");
|
||||
LoadLibraryW(L"mozavutil.dll");
|
||||
mozilla::SandboxTarget::Instance()->StartSandbox();
|
||||
#endif
|
||||
char* parentBuildID = nullptr;
|
||||
|
|
|
@ -814,7 +814,8 @@ bool SandboxBroker::SetSecurityLevelForRDDProcess() {
|
|||
|
||||
mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
|
||||
sandbox::MITIGATION_DYNAMIC_CODE_DISABLE |
|
||||
sandbox::MITIGATION_DLL_SEARCH_ORDER;
|
||||
sandbox::MITIGATION_DLL_SEARCH_ORDER |
|
||||
sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;
|
||||
|
||||
result = mPolicy->SetDelayedProcessMitigations(mitigations);
|
||||
SANDBOX_ENSURE_SUCCESS(result,
|
||||
|
|
Загрузка…
Ссылка в новой задаче