From 6a70261b2bdc25fb16c1e43c6f09e304841d8263 Mon Sep 17 00:00:00 2001
From: David Parks <dparks@mozilla.com>
Date: Mon, 2 Apr 2018 15:27:07 -0700
Subject: [PATCH] Bug 1450773 - Remove restricting SIDs from NPAPI sandbox
 outside of nightly builds. r=bobowen

Restricting SIDs, which harden the sandbox, have caused some problems that we are investigating in nightly and that we don't want in beta/release.
---
 security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
index e38234575153..9593c636cc12 100644
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
@@ -698,6 +698,11 @@ SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
     delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
   }
 
+#ifndef NIGHTLY_BUILD
+  // We are experimenting with using restricting SIDs in the nightly builds
+  mPolicy->SetDoNotUseRestrictingSIDs();
+#endif
+
   sandbox::ResultCode result = SetJobLevel(mPolicy, jobLevel,
                                            0 /* ui_exceptions */);
   SANDBOX_ENSURE_SUCCESS(result,