Randell Jesup
fcaf70841e
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 18:47:08 +00:00
Noemi Erli
2390d257e6
Backed out changeset 12a59e5a50bf (bug 1207753) for causing build bustage CLOSED TREE
2022-03-16 18:32:51 +02:00
Randell Jesup
4b033a5256
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 16:16:14 +00:00
Butkovits Atila
927ad62c6a
Backed out changeset a68ee4b09f92 (bug 1207753) for causing Hazard bustages. CLOSED TREE
2022-03-16 14:38:14 +02:00
Randell Jesup
7d4b5fae04
Bug 1207753 - Add MOZ_UNANNOTATED to all Mutexes/Monitors r=nika,kershaw
...
Differential Revision: https://phabricator.services.mozilla.com/D140849
2022-03-16 12:01:14 +00:00
criss
b61bbd064d
Merge autoland to mozilla-central. a=merge
2022-03-16 11:49:56 +02:00
Haik Aftandilian
e08fe4e5c5
Bug 1759408 - [macOS] Add sandboxing tests to more process types r=gerard-majax
...
Add the WindowServer test and process launch tests to each Mac child process type.
Differential Revision: https://phabricator.services.mozilla.com/D140941
2022-03-16 04:36:54 +00:00
ffxbld
39212588cc
No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D140957
2022-03-15 16:18:49 +00:00
Cosmin Sabou
74d7d4ed0c
Backed out changeset 49a22cd6d6ee (bug 1759408) for causing build bustages on SandboxTestingChildTests.h. CLOSED TREE
2022-03-15 08:09:09 +02:00
Haik Aftandilian
5500a5a34a
Bug 1759408 - [macOS] Add sandboxing tests to more process types r=gerard-majax
...
Add the WindowServer test and process launch tests to each Mac child process type.
Differential Revision: https://phabricator.services.mozilla.com/D140941
2022-03-15 05:47:18 +00:00
ffxbld
9cbbc57fb9
No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D140905
2022-03-12 02:15:24 +00:00
Mark Banner
8bb4667fae
Bug 1758474 - Implement an ESLint rule to disallow passing {} as the target parameter for ChromeUtils.import. r=Gijs,mossop,perftest-reviewers,preferences-reviewers,sparky
...
Differential Revision: https://phabricator.services.mozilla.com/D140517
2022-03-11 16:41:29 +00:00
Dana Keeler
3f93068a72
Bug 1756061 - PSM changes corresponding to mozilla::pkix signature verification changes in bug 1755092
r=jschanck
...
Bug 1755092
changed how mozilla::pkix verifies signatures. This patch makes the
corresponding changes in PSM.
Depends on D140597
Differential Revision: https://phabricator.services.mozilla.com/D139202
2022-03-10 23:21:00 +00:00
John Schanck
5075ae5d88
Bug 1758579 - land NSS be8a62f85be7 UPGRADE_NSS_RELEASE, r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D140597
2022-03-10 23:20:59 +00:00
ffxbld
65a682de7f
No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D140720
2022-03-10 14:28:10 +00:00
smolnar
e89faa903f
Backed out changeset 5018856d8fee (bug 1758474) for causing node eslint failure. CLOSED TREE
2022-03-10 11:58:45 +02:00
Mark Banner
fe937b78bd
Bug 1758474 - Implement an ESLint rule to disallow passing {} as the target parameter for ChromeUtils.import. r=Gijs,mossop,perftest-reviewers,preferences-reviewers,sparky
...
Differential Revision: https://phabricator.services.mozilla.com/D140517
2022-03-10 09:25:28 +00:00
Dana Keeler
23c938c2f3
Bug 1615974 - avoid memmapping CRLite filters in cert_storage r=jschanck,robwu
...
Differential Revision: https://phabricator.services.mozilla.com/D140266
2022-03-09 22:46:15 +00:00
Julien Wajsberg
5aed3f508f
Bug 1756791 - Allow the getcpu syscall in the sandbox r=gcp
...
Recently bug 1753305 introduced the use of the getcpu syscall to add
this information to a profiler marker, but didn't allow this syscall
from the sandbox. In most situations this syscall doesn't happen because
of the VDSO mechanism. However in the cases where VDSO isn't used such
as running under rr, the sandbox crashes the process when starting the
profiler.
Thanks :padenot, :lissyx, :jcristau for all the help.
Differential Revision: https://phabricator.services.mozilla.com/D139712
2022-03-09 10:15:14 +00:00
Gerald Squelart
5802980a6e
Bug 1757596 - #include "mozilla/ProfilerThreadSleep.h" instead of GeckoProfiler.h where possible - r=florian
...
And in one case, #include "mozilla/ProfilerThreadState.h" where only `AUTO_PROFILER_THREAD_WAKE` is used.
Depends on D140172
Differential Revision: https://phabricator.services.mozilla.com/D140173
2022-03-08 10:32:44 +00:00
ffxbld
db387700ea
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D140491
2022-03-07 12:48:38 +00:00
Nika Layzell
05dc5e0d76
Bug 1754037 - Part 3c: Automatically update all ParamTraits implementations, r=ipc-reviewers,media-playback-reviewers,bryce,mccr8
...
Automatically generated rewrites of all ParamTraits and IPDLParamTraits
implementations in-tree to use IPC::Message{Reader,Writer}.
Differential Revision: https://phabricator.services.mozilla.com/D140004
2022-03-04 15:39:41 +00:00
Nika Layzell
5f06238318
Bug 1754037 - Part 3a: Manual changes to new ParamTraits API, r=ipc-reviewers,mccr8
...
This change does not build without the automatically rewritten changes from
part 3c, as every IPC::ParamTraits and IPDLParamTraits implementation needs to
be updated at once, but these are the manual changes which are required and not
handled by the automatic script.
Differential Revision: https://phabricator.services.mozilla.com/D140001
2022-03-04 15:39:40 +00:00
ffxbld
2d09a94c14
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D140176
2022-03-03 14:10:26 +00:00
Dennis Jackson
b5111d6214
Bug 1753980 - land NSS NSS_3_76_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche DONTBUILD
...
Differential Revision: https://phabricator.services.mozilla.com/D140180
2022-03-03 11:51:30 +00:00
John Schanck
47c887153f
Bug 1750787 - get CRLite enrollment list from cert-revocations. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D139728
2022-03-02 18:19:25 +00:00
Jed Davis
9082363e4e
Bug 1129492 - Remove X11 access from the Linux content process sandbox. r=gcp,jgilbert
...
Background: The X11 protocol has a very permissive security model;
clients have essentially full access to the windows of other clients,
and to global resources like input devices. Previously, our sandbox
policy for content processes needed to allow access to the X server;
this limited its effectiveness against a dedicated attacker.
This patch turns on the `security.sandbox.content.headless` pref added
in bug 1640345, which removes the sandbox policy rules that allowed
making new X11 connections, as well as opening the Xauthority file,
reading hardware info needed by Mesa, etc. It also runs content
processes in headless mode (whence the name) so they won't connect to a
display server at startup.
This also removes access to the Wayland compositor: the sandbox policy
never allowed that (as of when socket connections became default-deny),
but now content processes won't connect to it at startup. Wayland is
more capability-oriented so this is less significant for security, but at
a minimum it removes unnecessary attack surface.
Note that if the `webgl.out-of-process` pref is turned off, WebGL
will break unless `security.sandbox.content.headless` is also turned
off. (Similarly, `widget.non-native-theme.enabled` is needed to render
scrollbars and form controls in content.) As a result, this patch
adjusts the job definitions used by CI to test in-process WebGL so that
that they will continue to work.
Differential Revision: https://phabricator.services.mozilla.com/D138613
2022-03-01 20:36:18 +00:00
ffxbld
afffec69b7
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=dmeehan
...
Differential Revision: https://phabricator.services.mozilla.com/D139826
2022-02-28 13:13:10 +00:00
Dennis Jackson
1eca8a6827
Bug 1753980 - land NSS NSS_3_76_BETA1 UPGRADE_NSS_RELEASE, r=jschanck
...
2022-02-24 John M. Schanck <jschanck@mozilla.com>
* lib/pki/trustdomain.c:
Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in
nssTrustDomain_GetActiveSlots. r=rrelyea
[a36477f0ee50] [NSS_3_76_BETA1]
2022-02-23 John M. Schanck <jschanck@mozilla.com>
* lib/certdb/crl.c, lib/certdb/stanpcertdb.c, lib/dev/devtoken.c,
lib/dev/devutil.c, lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c,
lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11slot.c,
lib/pk11wrap/pk11util.c, lib/pk11wrap/secmodti.h,
lib/pki/pki3hack.c, lib/pki/trustdomain.c:
Bug 1370866 - Check return value of PK11Slot_GetNSSToken. r=djackson
[d7e8c2df6bca]
Differential Revision: https://phabricator.services.mozilla.com/D139588
2022-02-24 18:15:43 +00:00
ffxbld
88111eadd6
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D139581
2022-02-24 13:59:41 +00:00
ffxbld
a78cf21c03
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update a=dmeehan
...
Differential Revision: https://phabricator.services.mozilla.com/D139273
2022-02-22 15:05:34 +00:00
Jens Stutte
8dc1e5affa
Bug 1750635: Substitute AppShutdown:IsShuttingDown with equivalent AppShutdown::IsInOrBeyond. r=florian,xpcom-reviewers,nika
...
Differential Revision: https://phabricator.services.mozilla.com/D139143
2022-02-18 19:35:13 +00:00
Tom Ritter
cfbe02ff6e
Bug 1750859: If not all decoders are remoted, you're disqualified from win32k r=bobowen
...
Differential Revision: https://phabricator.services.mozilla.com/D139043
2022-02-17 18:59:17 +00:00
Sergey Galich
2924bdb35f
Bug 1653486 - Replace all non-user-facing references to "master" password. r=dimi,tgiles,preferences-reviewers
...
Differential Revision: https://phabricator.services.mozilla.com/D138113
2022-02-17 17:29:57 +00:00
ffxbld
fd59e8d9be
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update a=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D139007
2022-02-17 13:37:52 +00:00
Dana Keeler
f05d29b7f8
Bug 1754217 - remove brittle time format APIs from nsIX509CertValidity r=jschanck
...
nsIX509CertValidity had a handful of APIs that would return formatted time
values. Some of these APIs were unused, and the rest were prone to error due to
platform differences. This patch simplifies this interface by removing those
APIs and having callers perform their own formatting using the remaining APIs
that return PRTime values.
Differential Revision: https://phabricator.services.mozilla.com/D138363
2022-02-15 22:55:02 +00:00
Dennis Jackson
ac3025042a
Bug 1753980 - land NSS 4a8880ef UPGRADE_NSS_RELEASE, r=bbeurdouche
...
```
2022-02-14 Martin Thomson <mt@lowentropy.net>
* gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
gtests/common/testvectors/rsa_pss_misc-vectors.h,
gtests/common/wycheproof/genTestVectors.py, gtests/common/wycheproof
/source_vectors/rsa_pss_2048_sha1_mgf1_20_test.json, gtests/common/w
ycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_0_test.json, gtest
s/common/wycheproof/source_vectors/rsa_pss_2048_sha256_mgf1_32_test.
json, gtests/common/wycheproof/source_vectors/rsa_pss_3072_sha256_mg
f1_32_test.json, gtests/common/wycheproof/source_vectors/rsa_pss_409
6_sha256_mgf1_32_test.json, gtests/common/wycheproof/source_vectors/
rsa_pss_4096_sha512_mgf1_32_test.json,
gtests/common/wycheproof/source_vectors/rsa_pss_misc_test.json,
gtests/pk11_gtest/json.h, gtests/pk11_gtest/pk11_hpke_unittest.cc,
gtests/pk11_gtest/pk11_rsapss_unittest.cc:
Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS, r=nss-
reviewers,bbeurdouche
[4a8880ef1adc] [tip]
2022-02-10 Leander Schwarz <lschwarz@mozilla.com>
* gtests/ssl_gtest/ssl_extension_unittest.cc,
gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/ssl3ext.c:
Bug 1751157 - Throw illegal_parameter alert for illegal extensions
in handshake message. r=djackson
[8fd5ca0cf897]
2022-02-09 John M. Schanck <jschanck@mozilla.com>
* automation/release/nss-release-helper.py:
Bug 1753505 - Avoid truncating files in nss-release-helper.py.
r=bbeurdouche
[7876a7255030]
2022-02-08 John M. Schanck <jschanck@mozilla.com>
* lib/ckfw/builtins/certdata.txt:
Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt
entries. r=nss-reviewers,bbeurdouche
The new SHA256 hashes were calculated using the script below, which
reads certificates out of the builtin token and re-processing them
with the current version of addbuiltin. One of the "Autoridad de
Certificacion Firmaprofesional CIF A62634068" certificates had to be
handled manually because of Bug 456858.
``` #!/bin/bash
NSS_LIB=<path to dist/Debug/lib>
WORK=/tmp/nssdb/ LIST=${WORK}/list.txt OUT=${WORK}/certdata.txt
rm -rf ${WORK} mkdir -p ${WORK} modutil -force -dbdir "sql:${WORK}"
-create modutil -force -dbdir "sql:${WORK}" -add "nssckbi" -libfile
"${NSS_LIB}/libnssckbi.so"
certutil -d "sql:${WORK}" -L -h "Builtin Object Token" | grep
Builtin > ${LIST} sed -i 's/\s*\(C\?,C\?,C\?\)\s*$/;\1/' ${LIST}
while IFS=";" read -r name trust do certutil -d "sql:${WORK}" -L -n
"${name}" -r 1> "${WORK}/${name}.der" addbuiltin -t "${trust}" -n
"${name/Builtin Object Token:/}" -i "${WORK}/${name}.der" done <
${LIST} >> ${OUT} ```
[7a34cf74b659]
```
Differential Revision: https://phabricator.services.mozilla.com/D138799
2022-02-15 18:04:14 +00:00
Haik Aftandilian
e1863039f6
Bug 1707739 - Re-enable browser_content_sandbox_fs.js r=spohl
...
Change browser_content_sandbox_fs.js to not assume the font registry directory or the 'font' file have been created by the system. If the directory and or file are not present, skip the readability test instead of failing.
Differential Revision: https://phabricator.services.mozilla.com/D138622
2022-02-15 16:13:55 +00:00
John Schanck
2654fbb629
Bug 1753071 - Add a "confirm revocations" mode to CRLite. r=keeler
...
Differential Revision: https://phabricator.services.mozilla.com/D137553
2022-02-14 18:55:21 +00:00
ffxbld
79d6ccf336
No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D138643
2022-02-14 17:57:46 +00:00
Bob Owen
dbc9c90549
Bug 1754940: Make alternate winstation depend on non-native theme. r=handyman
...
Differential Revision: https://phabricator.services.mozilla.com/D138527
2022-02-11 18:18:15 +00:00
Florian Quèze
7b45ca4063
Bug 1754519 - Add missing profiler_thread_sleep annotations, r=gerald,necko-reviewers,kershaw.
...
Differential Revision: https://phabricator.services.mozilla.com/D138341
2022-02-11 15:19:46 +00:00
Bob Owen
e82a8ce887
Bug 1695556 p3: Add file tests for content process sandbox. r=handyman,ipc-reviewers,jld
...
Depends on D135693
Differential Revision: https://phabricator.services.mozilla.com/D135694
2022-02-10 16:56:02 +00:00
Bob Owen
36c9b7f8da
Bug 1695556 p1a: Add allow reparse points in chromium sandbox code patch. r=handyman
...
Differential Revision: https://phabricator.services.mozilla.com/D137858
2022-02-10 16:56:01 +00:00
Bob Owen
9b1cd0242d
Bug 1695556 p1: Allow reparse points in chromium sandbox code. r=handyman
...
Differential Revision: https://phabricator.services.mozilla.com/D135692
2022-02-10 16:56:01 +00:00
ffxbld
2420fb4c51
No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
...
Differential Revision: https://phabricator.services.mozilla.com/D138425
2022-02-10 13:42:48 +00:00
Kershaw Chang
ef25b1a6f3
Bug 1734470 - Add MITIGATION_DYNAMIC_CODE_DISABLE back to socket process sandboxing, r=bobowen,necko-reviewers,valentin
...
Differential Revision: https://phabricator.services.mozilla.com/D138204
2022-02-10 09:09:59 +00:00
Dana Keeler
437958626e
Bug 1754294 - remove some unused files in PSM that should have been removed in bug 1751078 r=jschanck
...
Depends on D138215
Differential Revision: https://phabricator.services.mozilla.com/D138224
2022-02-09 21:13:24 +00:00
Dana Keeler
9731d7145f
Bug 1754294 - take the appropriate lock when accessing SECMODModule slot information r=jschanck
...
When accessing a SECMODModule's slots or slotCount members, the read lock of
the module list must be acquired.
Differential Revision: https://phabricator.services.mozilla.com/D138215
2022-02-09 21:13:24 +00:00
Nika Layzell
dabb46c84d
Bug 1736371 - Default new actors to be refcounted, r=alwu,media-playback-reviewers,mccr8
...
The changes to ipdl actors were mechanical, and largely automated using
a script.
Differential Revision: https://phabricator.services.mozilla.com/D137237
2022-02-09 17:29:47 +00:00