From 9730f3f5d52af777f72418d59f953f4d24473dde Mon Sep 17 00:00:00 2001 From: Chris Martin Date: Wed, 15 Mar 2023 13:32:42 +0000 Subject: [PATCH] Bug 1822308 - Re-tighten GPU sandbox's filesystem access Differential Revision: https://phabricator.services.mozilla.com/D172565 --- .../win/src/sandboxbroker/sandboxBroker.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp index 4fdf48a0ffc3..94b7fabedff3 100644 --- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp +++ b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp @@ -1211,14 +1211,14 @@ void SandboxBroker::SetSecurityLevelForGPUProcess(int32_t aSandboxLevel) { sandbox::SBOX_ALL_OK == result, "With these static arguments AddRule should never fail, what happened?"); - // TEMPORARY WORKAROUND - Blocking access to the filesystem breaks Raptor - // tests and any other piece of software that uses screen recording, which - // may hinder developers that are developing/testing on Firefox - result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, - sandbox::TargetPolicy::FILES_ALLOW_ANY, L"*"); - MOZ_RELEASE_ASSERT( - sandbox::SBOX_ALL_OK == result, - "With these static arguments AddRule should never fail, what happened?"); + // The GPU process needs to write to a shader cache for performance reasons + if (sProfileDir) { + AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY, + sProfileDir, u"\\shader-cache"_ns); + + AddCachedDirRule(mPolicy, sandbox::TargetPolicy::FILES_ALLOW_ANY, + sProfileDir, u"\\shader-cache\\*"_ns); + } // The process needs to be able to duplicate shared memory handles, // which are Section handles, to the broker process and other child processes.