wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity
243,828 Commits 1 Branch 166 Tags 1.2 GiB
719abb1297
Commit Graph

263 Commits

Author SHA1 Message Date
David Major
68b0dee7c5 Bug 1149718: Fix wow_helper lib path for VS2015. r=glandium 2015-05-12 18:20:28 -04:00
Bob Owen
6bab3a7af4 Bug 1146874 Part 1: Check that Windows sandboxed process starts correctly. r=tabraldes 2015-05-11 08:24:39 +01:00
Bob Owen
46c30cdbd5 Bug 1158773: Use the same initial and delayed integrity level for Windows content sandbox level 0. r=tabraldes 2015-05-06 10:11:56 +01:00
Bob Owen
0693a1dc83 Bug 1150515: Set the subsystem to WINDOWS,5.02 for wow_helper so that it runs on WinXP 64-bit. r=glandium 2015-04-30 09:48:03 +01:00
Jed Davis
8f10995d7b Bug 1154184 - Don't use Linux sandbox gtest dir if not building tests. r=gps 2015-04-24 17:36:08 -07:00
Steven Michaud
2bb57bcd7a Bug 1153809 - Loosen Mac content process sandbox rules for NVidia and Intel HD 3000 graphics hardware. r=areinald 2015-04-22 14:56:09 -05:00
Ehsan Akhgari
d278570d19 Bug 1153348 - Add an analysis to prohibit operator bools which aren't marked as either explicit or MOZ_IMPLICIT; r=jrmuizel 
This is the counterpart to the existing analysis to catch
constructors which aren't marked as either explicit or
MOZ_IMPLICIT.
 2015-04-21 21:40:49 -04:00
André Reinald
12017521df Bug 1150765 - Add sandbox rules to allow hardware rendering of OpenGL on Mac. r=smichaud 2015-04-21 11:17:16 +02:00
Jed Davis
bd4374a0cc Bug 1151607 - Step 2: Apply net/ipc namespace separation and chroot to media plugins. r=kang 
This needs more unit tests for the various pieces of what's going on
here (LinuxCapabilities, SandboxChroot, UnshareUserNamespace()) but
that's nontrivial due to needing a single-threaded process -- and
currently they can't be run on Mozilla's CI anyway due to needing user
namespaces, and local testing can just try using GMP and manually
inspecting the child process.  So that will be a followup.
 2015-04-10 18:05:19 -07:00
Jed Davis
a25b210578 Bug 1151607 - Step 1.5: Avoid unlikely false positives in Linux SandboxInfo feature detection. r=kang 
Using the equivalent of release assertions in the patch after this one
is easier to justify if I can't come up with vaguely legitimate reasons
why they might fail; this detects the ones I thought of.
 2015-04-10 18:05:19 -07:00
Jed Davis
4bcdc2879f Bug 1151607 - Step 1: Add Linux sandboxing hook for when child processes are still single-threaded. r=kang r=bent 
This means that B2G plugin-container must (dynamically) link against
libmozsandbox in order to call into it before initializing Binder.
(Desktop Linux plugin-container already contains the sandbox code.)
 2015-04-10 18:05:19 -07:00
Jed Davis
08099f9875 Bug 1151607 - Step 0: sort includes to make the following patches cleaner. r=kang 2015-04-10 18:05:19 -07:00
Bob Owen
72b3de6331 Bug 1149483: Change content sandbox level 1 to a working low integrity sandbox. r=tabraldes, r=billm 2015-04-05 14:01:38 +01:00
Steven Michaud
aa2d63ddad Bug 1110911 - Move Mac sandboxing code into plugin-container. r=cpearce,areinald,jld 2015-04-03 11:51:41 -05:00
Bob Owen
666e96adb9 Bug 1119878 Part 2: Change IPC code to hold ProcessID instead of ProcessHandle. r=billm, r=dvander, r=aklotz, r=cpearce 2015-04-01 09:40:35 +01:00
Bob Owen
8e1e75d04b Bug 1119878 Part 1: Change SandboxTarget to hold sandbox target services to provide functions. r=aklotz, r=glandium, r=cpearce 2015-04-01 09:40:35 +01:00
Bob Owen
1eda62eb8d Bug 1147446: Chromium patch to fix memory leak in Windows sandbox sharedmem_ipc_server.cc. r=aklotz 2015-03-26 08:06:04 +00:00
Wes Kocher
0d9c0798af Merge m-c to inbound a=merge CLOSED TREE 2015-03-23 16:51:22 -07:00
Edwin Flores
31eadf18b7 Bug 1146192 - Whitelist sched_yield syscall in GMP sandbox on Linux DONTBUILD CLOSED TREE - r=jld 2015-03-24 10:56:49 +13:00
Edwin Flores
13fe1731fe Bug 1146192 - Backed out changeset d2918bcf0d90 for missing bug number - r=me 2015-03-24 10:53:10 +13:00
Jed Davis
0f3b12d8c5 Bug 1144514 - Whitelist pread64 in content seccomp-bpf policy. r=kang 2015-03-19 11:57:00 -04:00
Ehsan Akhgari
33bb32f549 Bug 1145631 - Part 1: Replace MOZ_OVERRIDE and MOZ_FINAL with override and final in the tree; r=froydnj 
This patch was automatically generated using the following script:

function convert() {
echo "Converting $1 to $2..."
find . \
       ! -wholename "*/.git*" \
       ! -wholename "obj-ff-dbg*" \
         -type f \
      \( -iname "*.cpp" \
         -o -iname "*.h" \
         -o -iname "*.c" \
         -o -iname "*.cc" \
         -o -iname "*.idl" \
         -o -iname "*.ipdl" \
         -o -iname "*.ipdlh" \
         -o -iname "*.mm" \) | \
    xargs -n 1 sed -i -e "s/\b$1\b/$2/g"
}

convert MOZ_OVERRIDE override
convert MOZ_FINAL final
 2015-03-21 12:28:04 -04:00
Edwin Flores
7a76516d84 Bug 1XXXXXX - Whitelist sched_yield syscall in GMP sandbox on Linux - r=jld 2015-03-24 09:55:36 +13:00
Bob Owen
9438a86ad1 Bug 1145432: Add the policy for the client side of the crash server pipe to the GMP Windows sandbox. r=aklotz 2015-03-20 07:53:37 +00:00
Jed Davis
15de7894cc Bug 1144580 - Whitelist pselect6 in content seccomp-bpf policy. r=kang 2015-03-18 15:30:00 +01:00
Jed Davis
d2a1fdfdb7 Bug 1141906 - Adjust some assertions in Linux sandbox feature detection. r=kang 
See bug, and comment at top of SandboxInfo.cpp, for rationale.

Bonus fix: reword comment about nested namespace limit; the exact limit
is 33 (not counting the root) but doesn't particularly matter.
 2015-03-17 22:50:00 +01:00
Jed Davis
d0d9f194e4 Bug 1141885 - Make readlink() fail instead of allowing it, for B2G content processes. r=kang 2015-03-13 13:47:56 -07:00
André Reinald
f3598cf103 Bug 1083344 - Tighten rules for Mac OS content process sandbox on 10.9 and 10.10. r=smichaud 
Allow read to whole filesystem until chrome:// and file:// URLs are brokered through another process.
Except $HOME/Library in which we allow only access to profile add-ons subdir.
Add level 2, which allows read only from $HOME and /tmp (while still restricting $HOME/Library.
Change default back to 1.
 2015-03-12 17:42:50 +01:00
Jed Davis
da39e0a7e8 Bug 1142263 - Specify all syscall parameters when doing CLONE_NEWUSER detection; f=bwc r=kang 2015-03-13 13:01:28 +01:00
Jed Davis
64382897a9 Bug 906996 - Remove unlink from B2G content process syscall whitelist. r=kang 2015-03-11 12:39:00 +01:00
Bob Owen
4b39d1da28 Bug 1141169: Add moz.build BUG_COMPONENT metadata for security/sandbox/ r=jld 2015-03-10 08:03:12 +00:00
Bob Owen
9a4eb936ac Bug 1137166: Change the Content moreStrict sandbox pref to an integer to indicate the level of sandboxing. r=tabraldes 2015-03-10 08:03:12 +00:00
Jed Davis
9e0d0967f3 Bug 1137007 - Detect namespace and SECCOMP_FILTER_FLAG_TSYNC support in SandboxInfo. r=kang, r=Unfocused 
Currently, only user namespace support is detected.  This is targeted at
desktop, where (1) user namespace creation is effectively a prerequisite
for unsharing any other namespace, and (2) any kernel with user
namespace support almost certainly has all the others.

Bonus fix: remove extra copy of sandbox flag key names in about:support;
if JS property iteration order ever ceases to follow creation order, the
table rows could be permuted, but this doesn't really matter.
 2015-03-06 13:59:00 -05:00
Jed Davis
c8b3a23fcc Bug 1140111 - Whitelist readlinkat along with readlink. r=kang 2015-03-07 10:44:23 -05:00
André Reinald
29bb5c62b7 Bug 1083344 - Add "allow" sandbox rules to fix mochitests on OSX 10.9 and 10.10. r=smichaud 2015-02-27 16:55:35 +01:00
Jed Davis
232064fbf4 Bug 1134942 - Whitelist fstatat and unlinkat for B2G content processes. r=gdestuynder 2015-02-20 12:16:00 +01:00
André Reinald
7f6c61c6b3 Bug 1083344 - Tighten rules for Mac OS content process sandbox - "rules part". r=smichaud 
--HG--
extra : histedit_source : f703a6a8abbf500cb882263426776fdb138b73a3
 2015-02-21 13:06:34 +01:00
André Reinald
0f64952695 Bug 1083344 - Tighten rules for Mac OS content process sandbox - "core part". r=smichaud 
--HG--
extra : histedit_source : 3c904474c57dbf086365cc6b26a55c34b2b449ae
 2015-02-18 14:10:27 +01:00
Bob Owen
b56ef398b7 Bug 1132021 - Add a new sandbox level for Windows NPAPI to use USER_LIMITED access token level. r=bsmedberg, r=bbondy 2015-02-11 16:25:43 +00:00
Brian Smith
6361bff3d7 Bug 1102195 Part 4: Re-apply - Change a non-conforming usage of a const value type to a non-const value type, which VS2015 rightly rejects, r=bobowen 
Originally landed as changset:
https://hg.mozilla.org/mozilla-central/rev/c827c112df81
 2015-01-07 23:28:51 -08:00
Bob Owen
608de41dda Bug 1102195 Part 3: Re-apply logging changes to the Chromium interception code. r=tabraldes 
Originally landed as changset:
https://hg.mozilla.org/mozilla-central/rev/0f763c186855
 2014-11-29 17:12:18 +00:00
Bob Owen
0603798733 Bug 1102195 Part 2: Re-apply pre-vista stdout/err process inheritance change to Chromium code after merge. r=tabraldes 
Originally landed as changset:
https://hg.mozilla.org/mozilla-central/rev/f94a07671389
 2014-11-18 15:11:47 +00:00
Bob Owen
cb041d2191 Bug 1102195 Part 1: Update Chromium sandbox code to commit df7cc6c04725630dd4460f29d858a77507343b24. r=aklotz, r=jld 2015-02-11 08:22:02 +00:00
Bob Owen
ad26d9d0cc Bug 1129369 Part 3: Turn on MITIGATION_STRICT_HANDLE_CHECKS process-level mitigation for the GMP sandbox. r=tabraldes 2015-02-10 09:06:59 +00:00
Bob Owen
bb4e5fbdaa Bug 1129369 Part 2: Turn on BOTTOM_UP_ASLR process-level mitigation for the GMP sandbox. r=tabraldes 2015-02-10 09:06:59 +00:00
Bob Owen
ee5f7177c6 Bug 1129369 Part 1: Turn on DEP_NO_ATL_THUNK process-level mitigation for the GMP sandbox. r=tabraldes 2015-02-10 09:06:59 +00:00
Bob Owen
721c4e20e1 Bug 1127230: Change the NPAPI sandbox prefs to integers to indicate the level of sandboxing. r=bsmedberg 2015-01-30 17:48:15 +00:00
Bob Owen
8299a8da28 Bug 1126402: Add a pref to enable a more strict version of the Windows NPAPI process sandbox. r=bsmedberg, r=bbondy 2015-01-29 08:13:07 +00:00
Bob Owen
41778cfef0 Bug 1125865: Only log Windows sandbox violations to console when nsContentUtils is initialized. r=bbondy 2015-01-28 11:21:24 +00:00
Bob Owen
f9d1522cfc Bug 1094370: Use the USER_LOCKDOWN access token for GMP processes. r=aklotz 2015-01-26 10:14:39 +00:00