95063176fa
Bug 1036894 part 9 - Replace all EXTRA_DSO_LDOPTS, SHARED_LIBRARY_LIBS and LIBS with EXTRA_LIBS, OS_LIBS or OS_LDFLAGS, appropriately. r=gps
...
OS_LIBS for libraries that are not part of the gecko tree, EXTRA_LIBS for
libraries, such as NSPR, that are in the tree, but are not handled by
moz.build just yet. Those EXTRA_LIBS may also come from a system library.
However, in cases where the expanded variables are always empty for the
in-tree case, OS_LIBS is used (as for, e.g. MOZ_ZLIB_LIBS). OS_LDFLAGS is
used exclusively for non-library linker flags.
Always pass EXTRA_LIBS before OS_LIBS on linker command lines.
Forbid EXTRA_DSO_LDOPTS, SHARED_LIBRARY_LIBS and LIBS in Makefiles.
2014-07-23 13:31:02 +09:00
5fab42fcaf
Bug 1036894 part 8 - Move most in-tree library linkage information to moz.build, as USE_LIBS. r=gps
2014-07-23 13:30:52 +09:00
a50127383b
Bug 1041325 - Use intrin.h for _ReturnAddress in the chromium sandbox code; r=bbondy
...
--HG--
extra : rebase_source : 06bb642636a9f3df2e75eb950816a7d48da85faf
2014-07-20 19:05:44 -04:00
90ebf4e684
Bug 1037211 - Remove MOZ_CONTENT_SANDBOX_REPORTER by making it always true. r=kang r=ted
...
--HG--
extra : amend_source : 450d51dab077794e194bf407044de95627de0cde
2014-07-17 14:57:28 -07:00
c55ab9dd20
Bug 1038900 - Dynamically allocate signal number for sandbox startup. r=kang
2014-07-16 13:37:00 +02:00
1aaa7148c1
bug 985252. Build sandbox code regardless of whether --enable-content-sandbox/MOZ_CONTENT_SANDBOX is provided. Enable sandboxing of GMP plugins. Enable `SandboxBroker` to set different security policies for different process types. r=bbondy, r=cpearce, r=bent
2014-07-16 16:01:34 -07:00
d1da9cff99
Bug 1035275 - Remove unused base Chromium code. r=bbondy
2014-07-07 13:59:11 +01:00
2ff3fcad0d
Bug 1038490 - Fix misuse of MOZ_WIDGET_GONK in Linux content process sandbox policy. r=kang
...
--HG--
extra : amend_source : 0a7fe8ca751b59102cbc23316b18982268306423
2014-07-14 18:35:56 -07:00
79f8763545
Bug 1038486 - Fix Linux desktop seccomp sandbox build on 32-bit x86. r=kang
...
--HG--
extra : amend_source : 130d2cbd485734997739ea96ac5d83c01899d8b0
2014-07-09 16:52:56 -07:00
20443103f0
Bug 1035786 - Fix namespace bug in Linux sandbox LOG_ERROR macro. r=jld
2014-07-08 05:53:00 +01:00
51e7e12a6c
Bug 1035786 - Avoid warning-as-error sandbox build failure with an explicit cast. r=gdestuynder
...
getpid() is never negative, so this is safe.
2014-07-10 17:37:45 -07:00
d9210e4477
Bug 1035786 - Fix member variable initialisation order in LogMessage stub in Linux Sandbox.cpp. r=jld
2014-07-09 12:32:49 +01:00
70a5917917
Bug 1036864 - Remove EXPORT_LIBRARY. r=mshal
2014-07-11 19:06:55 +09:00
afdeb7bf07
Bug 956961 - Stop disabling sandboxing when DMD is enabled. r=kang
...
--HG--
extra : rebase_source : 4737cfd613c1ddee8e1a4340e819eddc151e73f7
extra : histedit_source : 2d2610a775a3ae986157f61ef3797f4e88baa922
2014-07-02 11:28:48 -07:00
03cdc19fec
Backed out 3 changesets (bug 956961) for non-unified build bustage
...
Backed out changeset f1be89cb58b9 (bug 956961)
Backed out changeset 272b01e4f856 (bug 956961)
Backed out changeset 56907af18c66 (bug 956961)
2014-07-02 15:03:29 -07:00
1ef012aafb
Bug 956961 - Stop disabling sandboxing when DMD is enabled. r=kang
...
--HG--
extra : amend_source : 66f2453794e6a8a581e1564e786cfc8cac1f6bbd
2014-07-02 11:28:48 -07:00
0fb3cb7f61
Bug 1014299 - Add times() to seccomp whitelist. r=kang
...
This system call seems to be used by some versions of the Qualcomm Adreno
graphics drivers when we run WebGL apps.
2014-06-02 14:52:00 +02:00
a597c57860
Bug 1009452 - inherit stdout and stderr into the content process to allow logging. r=aklotz
2014-05-14 16:09:31 +01:00
9f78dc2ea0
Bug 920372 - Fix socketcall whitelisting on i386. r=kang
2014-05-20 18:38:14 -07:00
f6ffcab30d
Bug 920372 - Allow tgkill only for threads of the calling process itself. r=kang
2014-05-20 18:38:06 -07:00
ebb89f61f4
Bug 920372 - Use Chromium seccomp-bpf compiler to dynamically build sandbox program. r=kang
2014-05-20 18:37:53 -07:00
9e94aea459
Bug 920372 - Import Chromium seccomp-bpf compiler, rev 4c08f442d2588a2c7cfaa117a55bd87d2ac32f9a. r=kang
...
Newly imported:
* sandbox/linux/seccomp-bpf/
* sandbox/linux/sandbox_export.h
* base/posix/eintr_wrapper.h
Updated:
* base/basictypes.h
* base/macros.h
At the time of this writing (see future patches for this bug) the only
things we're using from sandbox/linux/seccomp-bpf/ are codegen.cc and
basicblock.cc, and the header files they require. However, we may use
more of this code in the future, and it seems cleaner in general to
import the entire subtree.
2014-05-20 18:37:45 -07:00
3ab8eb01df
Bug 1004832 - Add tgkill to seccomp-bpf whitelist. r=kang
2014-05-02 16:57:00 +02:00
3fd7deadb7
Bug 997409 - Add set_thread_area to seccomp whitelist if available. r=kang
2014-04-17 16:23:23 -04:00
59ee14f2ce
Bug 981949 - Whitelist ftruncate for seccomp-bpf sandboxing. r=kang
2014-04-11 13:09:00 +02:00
e3cb82bf06
Bug 995047 followup. Fix a caller that I missed because it's only compiled on some platforms, so we can reopen the CLOSED TREE
2014-04-12 00:38:06 -04:00
7f0d9d7eb4
Bug 993145 - Skip attempting seccomp sandboxing if seccomp unavailable. r=kang
2014-04-09 15:23:00 +02:00
e5a5d4a701
Bug 928062 - Set Windows sandbox delayed integrity level to INTEGRITY_LEVEL_LOW. r=aklotz
2014-04-08 16:25:18 +01:00
628fb11481
Bug 989172 - Re-add sigaltstack to seccomp whitelist. r=kang
...
This reinstates the patch from bug 983518, which was unintentionally
dropped while merging with the reorganization in bug 985227.
2014-03-28 17:58:26 -07:00
2244b78e3a
Bug 987888 - --enable-content-sandbox breaks 64-bit builds. r=dkeeler,r=mshal
2014-03-28 13:59:16 +09:00
5a499cf36e
Bug 985227 - Part 3: Replace the seccomp filter arch ifdefs with syscall existence tests. r=kang
2014-03-20 10:19:42 -04:00
ebdd7da812
Bug 985227 - Part 2: Flatten out the #define maze in the seccomp filter. r=kang
2014-03-20 10:19:42 -04:00
5ddfd55b71
Bug 985227 - Part 1: Move the seccomp filter into its own translation unit. r=kang
...
--HG--
rename : security/sandbox/linux/seccomp_filter.h => security/sandbox/linux/SandboxFilter.cpp
2014-03-20 10:19:42 -04:00
3c61d46763
Bug 975273 - Add missing include to unbreak desktop seccomp build. r=kang
2014-03-20 09:27:28 -04:00
4f870b786b
Merge m-c to m-i
2014-03-15 12:32:04 -07:00
fe6c4e28d6
Bug 967364: Rename already_AddRefed::get to take. r=bsmedberg
2014-03-15 12:00:15 -07:00
6034a4eab4
Bug 983518: Fix running B2G-1.4 on KitKat by whitelisting sigalstack in the sandbox. r=kang r=jld
2014-03-14 18:54:20 -07:00
c7a5c70ed1
Bug 944625 - B2G Emulator-x86: fix undeclared __NR_sendto, __NR_recvfrom. r=jld,kang
2014-03-13 13:44:43 +09:00
154d9c5e2a
Bug 977859 - Drop uid 0 in all content processes immediately after fork. r=bent r=kang
...
Now all regular child processes, including preallocated, are deprivileged.
Only Nuwa needs uid 0, because each of its children has a different uid/gid.
2014-03-12 15:48:15 -07:00
0b447036a1
Bug 979686 - Fix the non-(ARM|x86|x86_64) desktop build. r=kang
2014-03-06 12:23:06 -08:00
f2c70589f0
Bug 941110 - Make the Windows sandbox code compile without the Win8 SDK. r=jimm
2014-03-06 12:53:24 -05:00
a76ee1d66c
Bug 946407 - Disable sandbox when DMDing. r=njn r=kang
...
See also bug 956961.
2014-03-04 18:27:14 -08:00
17f4a32d8b
Bug 976896 - Port STL_FLAGS to moz.build; r=mshal
2014-03-04 19:39:06 -05:00
bc6f7d9058
Merge m-c to inbound.
2014-02-28 10:15:57 -05:00
789c3d2ddb
Bug 970676 - Turn on sandboxing on all relevant threads. r=dhylands r=bent f=kang
2014-02-27 13:18:01 -08:00
95a47b6810
Bug 976898 - Move the sdkdecls.h force-include out of the build system; r=bbondy,glandium
2014-02-28 08:17:22 -05:00
065803a376
Bug 971128 - Add sched_yield to seccomp whitelist. r=kang
2014-02-22 18:58:59 -08:00
de99e18e18
Bug 970562 - Add sched_getscheduler to seccomp whitelist. r=kang
2014-02-22 18:58:59 -08:00
99f63f63b5
Bug 974979 - Browser crashes after trying to restart a crashed e10s process. r=aklotz
2014-02-20 12:58:04 -05:00
0551446474
Bug 928061 - Enable separate Desktop in Windows sandbox policy. r=aklotz
2014-02-20 12:37:22 -05:00
Mike Hommey
Ehsan Akhgari
Jed Davis
Tim Abraldes
Bob Owen
jvoisin
Wes Kocher
Boris Zbarsky
Makoto Kato
Phil Ringnalda
Kyle Huey
Guillaume Destuynder
Vicamo Yang
Brian R. Bondy
Ryan VanderMeulen