Commit Graph

3020 Commits

Author SHA1 Message Date
Jed Davis
d0d9f194e4 Bug 1141885 - Make readlink() fail instead of allowing it, for B2G content processes. r=kang 2015-03-13 13:47:56 -07:00
André Reinald
f3598cf103 Bug 1083344 - Tighten rules for Mac OS content process sandbox on 10.9 and 10.10. r=smichaud
Allow read to whole filesystem until chrome:// and file:// URLs are brokered through another process.
Except $HOME/Library in which we allow only access to profile add-ons subdir.
Add level 2, which allows read only from $HOME and /tmp (while still restricting $HOME/Library.
Change default back to 1.
2015-03-12 17:42:50 +01:00
ffxbld
4837382e9e No bug, Automated HPKP preload list update from host bld-linux64-spot-532 - a=hpkp-update 2015-03-14 03:26:00 -07:00
ffxbld
7ad0e5a9f3 No bug, Automated HSTS preload list update from host bld-linux64-spot-532 - a=hsts-update 2015-03-14 03:25:58 -07:00
Nathan Froyd
8ddefeed54 Bug 1142503 - don't use QueryInterface when the compiler can do the cast for us; r=ehsan
Calling QueryInterface with a statically known IID should typically not
be necessary.  In those cases where it's not, the compiler can do the
cast for us, though we have to supply the reference-counting that
QueryInterface would do.

In passing, several redundant null-checks for the result of |new T| have
been deleted.
2015-03-12 09:43:50 -04:00
Jed Davis
da39e0a7e8 Bug 1142263 - Specify all syscall parameters when doing CLONE_NEWUSER detection; f=bwc r=kang 2015-03-13 13:01:28 +01:00
Jed Davis
64382897a9 Bug 906996 - Remove unlink from B2G content process syscall whitelist. r=kang 2015-03-11 12:39:00 +01:00
David Keeler
793bd87d86 bug 1102443 - fix leak in key pinning logging by removing an unnecessary function call r=cykesiopka
Also took the opportunity to fix the logging message, since it didn't accurately
describe the information that was being printed.
2015-03-12 14:31:26 -07:00
Jonathan Griffin
84011a87cc Bug 1116187 - Disable failing mochitest-chrome tests for B2G, r=gbrown 2015-02-06 16:30:37 -08:00
David Keeler
f4d016a5d3 bug 1138332 - re-allow overrides for certificates signed by non-CA certificates r=mmc 2015-03-11 11:11:22 -07:00
Cykesiopka
ee6ade0540 Bug 1141815 - Remove nsIDOMCryptoDialogs interface and associated implementation; r=keeler 2015-03-12 10:24:05 +01:00
Ehsan Akhgari
c27574a87c Bug 1140767 - Build more files in security/manager in unified mode; r=dkeeler 2015-03-10 22:52:22 -04:00
Bob Owen
4b39d1da28 Bug 1141169: Add moz.build BUG_COMPONENT metadata for security/sandbox/ r=jld 2015-03-10 08:03:12 +00:00
Bob Owen
9a4eb936ac Bug 1137166: Change the Content moreStrict sandbox pref to an integer to indicate the level of sandboxing. r=tabraldes 2015-03-10 08:03:12 +00:00
Mike Hommey
e4b247f703 Bug 868814 - Fold mozalloc library into mozglue. r=njn 2015-03-10 10:01:52 +09:00
Masatoshi Kimura
40a54ff159 Bug 1106470 - Drop SSLv3 support entirely from PSM. r=keeler 2015-03-10 01:22:59 +09:00
Jed Davis
9e0d0967f3 Bug 1137007 - Detect namespace and SECCOMP_FILTER_FLAG_TSYNC support in SandboxInfo. r=kang, r=Unfocused
Currently, only user namespace support is detected.  This is targeted at
desktop, where (1) user namespace creation is effectively a prerequisite
for unsharing any other namespace, and (2) any kernel with user
namespace support almost certainly has all the others.

Bonus fix: remove extra copy of sandbox flag key names in about:support;
if JS property iteration order ever ceases to follow creation order, the
table rows could be permuted, but this doesn't really matter.
2015-03-06 13:59:00 -05:00
David Keeler
f9447481df Bug 1136616 - Allow underscores in reference DNS-IDs in mozilla::pkix name matching. r=briansmith 2015-03-03 13:34:45 -08:00
Phil Ringnalda
aafe5c8706 Merge m-c to m-i 2015-03-07 19:39:49 -08:00
Phil Ringnalda
0218d6bb94 Merge m-i to m-c, a=merge 2015-03-07 19:11:54 -08:00
ffxbld
9d36331df9 No bug, Automated HPKP preload list update from host bld-linux64-spot-157 - a=hpkp-update 2015-03-07 03:27:15 -08:00
ffxbld
efe016bbfd No bug, Automated HSTS preload list update from host bld-linux64-spot-157 - a=hsts-update 2015-03-07 03:27:13 -08:00
David Keeler
9d2c240868 bug 1129771 - disable IPv6 in PSM xpcshell TLS connection tests due to failures on OS X 10.10 r=cykesiopka a=ryanvm on a CLOSED TREE
In the process of investigating the intermittent failures listed in
bug 1129771, I discovered that the code would frequently get stuck connecting
to [::1] (where no server was listening) and wouldn't fall back to trying
127.0.0.1 (where the test server was listening). This change prevents the code
attempting to connect to [::1]. There probably is an underlying bug here, but
it appears to be in OS X itself and I have neither the time nor expertise to
investigate further.
2015-03-04 13:41:11 -08:00
Cykesiopka
a89929ad29 Bug 1139177 - RSA public key size checking cleanups. r=keeler 2015-03-05 16:41:00 +01:00
Jed Davis
c8b3a23fcc Bug 1140111 - Whitelist readlinkat along with readlink. r=kang 2015-03-07 10:44:23 -05:00
Kai Engert
3d42ff284d Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall 2015-03-07 14:49:00 +01:00
David Keeler
2a097b53b6 bug 1137538 - remove nsIIdentityInfo and nsNSSSocketInfo::GetPreviousCert r=mayhemer 2015-02-27 11:33:36 -08:00
Masatoshi Kimura
926928febc Bug 1138882 - Add a pref to enable unrestricted RC4 fallback. r=keeler 2015-03-05 22:51:31 +09:00
Cykesiopka
73a56cbbda Bug 1121117 - Add some logging to test_ocsp_timeout.js to ease debugging. r=dkeeler 2015-03-03 14:25:00 +01:00
Wes Kocher
6fef6d1fd8 Merge b2g-inbound to m-c a=merge CLOSED TREE 2015-03-03 17:02:21 -08:00
Chuck Lee
ae761fb055 Bug 1012549 - 0004. Support read private key in keystore. r=dkeeler r=qdot 2015-02-28 21:54:24 +08:00
David Keeler
292ae08e69 bug 1085506 - gather telemetry for TLS handshake certificate verification errors r=rbarnes 2015-02-27 11:14:29 -08:00
Mark Goodwin
3c388dbb12 Bug 1130757 - tests for bug 1130757. r=dkeeler 2015-03-02 08:19:00 +01:00
Mark Goodwin
663d50d01d Bug 1130757 - Move OneCRL check to NSSCertDBTrustDomain::GetCertTrust. r=dkeeler 2015-02-26 04:38:00 +01:00
Cykesiopka
d4fbd76026 Bug 1130418 - Remove broken e-mail cert trust editing UI. r=emk 2015-03-02 19:54:00 +01:00
Cykesiopka
427f94114a Bug 1130413 - Remove unused nsITokenPasswordDialogs::GetPassword() function. r=jjones 2015-02-26 13:05:00 +01:00
Wes Kocher
e8af47da16 Merge inbound to m-c a=merge 2015-03-02 12:12:47 -08:00
ffxbld
9ef92bbf7c No bug, Automated HPKP preload list update from host bld-linux64-spot-044 - a=hpkp-update 2015-02-28 03:27:43 -08:00
ffxbld
1893a50754 No bug, Automated HSTS preload list update from host bld-linux64-spot-044 - a=hsts-update 2015-02-28 03:27:41 -08:00
Kai Engert
43f744a2b0 Bug 1137470 - Upgrade Firefox to NSS 3.18, landing NSS_3_18_BETA7, r=nss-confcall 2015-02-26 23:29:08 +01:00
David Keeler
04a248a258 bug 1049740 - implement telemetry to measure compatibility impact of 2048-bit-minimum RSA keys r=briansmith 2015-02-24 15:48:05 -08:00
Boris Zbarsky
8d06e45b3d Bug 1136388. Change nsIDocumentLoaderFactory and nsIURIContentListener to take MIME types as an XPCOM string, not a char*. r=smaug 2015-02-25 10:26:51 -05:00
Jed Davis
232064fbf4 Bug 1134942 - Whitelist fstatat and unlinkat for B2G content processes. r=gdestuynder 2015-02-20 12:16:00 +01:00
Brian Smith
745bea4592 Bug 1077864, Part 3: update nsserrors.properties so error message gets localized. 2015-02-23 16:04:23 -08:00
Brian Smith
e4dfaf9d35 Bug 1131767: Prune away paths using unacceptable algorithms earlier, r=keeler 2015-02-14 16:59:02 -08:00
Brian Smith
a44a7d430b Bug 1077864, Part 2: Override the trust level for OCSP response signer certs so that they are never considered trust anchors, r=keeler 2015-02-14 15:59:38 -08:00
Brian Smith
8aa85cf009 Bug 1077864, Part 1: Check consistency of certificates' signature and signatureAlgorithm fields, r=keeler 2015-02-22 16:59:03 -08:00
Brian Smith
3365c67a40 Bug 1135407: Factor out duplicate logic in tests, r=keeler 2015-02-21 14:12:38 -08:00
Ehsan Akhgari
7270bff2c4 Bug 1135745 - Disable the reserved-id-macro macro in security/pkix; r=briansmith 2015-02-23 13:40:09 -05:00
Ryan VanderMeulen
f1dae981be Merge inbound to m-c. a=merge 2015-02-21 16:40:27 -05:00