Wes Kocher
0d9c0798af
Merge m-c to inbound a=merge CLOSED TREE
2015-03-23 16:51:22 -07:00
Edwin Flores
31eadf18b7
Bug 1146192 - Whitelist sched_yield syscall in GMP sandbox on Linux DONTBUILD CLOSED TREE - r=jld
2015-03-24 10:56:49 +13:00
Edwin Flores
13fe1731fe
Bug 1146192 - Backed out changeset d2918bcf0d90 for missing bug number - r=me
2015-03-24 10:53:10 +13:00
Jed Davis
0f3b12d8c5
Bug 1144514 - Whitelist pread64 in content seccomp-bpf policy. r=kang
2015-03-19 11:57:00 -04:00
Phil Ringnalda
b39967c514
Merge m-c to m-i
2015-03-21 12:50:09 -07:00
Phil Ringnalda
c847599e4d
Merge m-i to m-c, a=merge
2015-03-21 12:31:07 -07:00
ffxbld
1f8ea0c488
No bug, Automated HPKP preload list update from host bld-linux64-spot-1002 - a=hpkp-update
2015-03-21 03:30:42 -07:00
ffxbld
703ee2d45b
No bug, Automated HSTS preload list update from host bld-linux64-spot-1002 - a=hsts-update
2015-03-21 03:30:40 -07:00
Ehsan Akhgari
33bb32f549
Bug 1145631 - Part 1: Replace MOZ_OVERRIDE and MOZ_FINAL with override and final in the tree; r=froydnj
...
This patch was automatically generated using the following script:
function convert() {
echo "Converting $1 to $2..."
find . \
! -wholename "*/.git*" \
! -wholename "obj-ff-dbg*" \
-type f \
\( -iname "*.cpp" \
-o -iname "*.h" \
-o -iname "*.c" \
-o -iname "*.cc" \
-o -iname "*.idl" \
-o -iname "*.ipdl" \
-o -iname "*.ipdlh" \
-o -iname "*.mm" \) | \
xargs -n 1 sed -i -e "s/\b$1\b/$2/g"
}
convert MOZ_OVERRIDE override
convert MOZ_FINAL final
2015-03-21 12:28:04 -04:00
Edwin Flores
7a76516d84
Bug 1XXXXXX - Whitelist sched_yield syscall in GMP sandbox on Linux - r=jld
2015-03-24 09:55:36 +13:00
David Keeler
d2ce6abf90
bug 1143085 - allow subject alternative name extensions to be empty for compatibility r=briansmith a=kwierso
2015-03-16 14:00:33 -07:00
Jed Davis
15de7894cc
Bug 1144580 - Whitelist pselect6 in content seccomp-bpf policy. r=kang
2015-03-18 15:30:00 +01:00
Masatoshi Kimura
1999ec07b4
Bug 1133187 - Update fallback whitelist. r=keeler
2015-03-18 15:36:00 +01:00
Jed Davis
d2a1fdfdb7
Bug 1141906 - Adjust some assertions in Linux sandbox feature detection. r=kang
...
See bug, and comment at top of SandboxInfo.cpp, for rationale.
Bonus fix: reword comment about nested namespace limit; the exact limit
is 33 (not counting the root) but doesn't particularly matter.
2015-03-17 22:50:00 +01:00
Cykesiopka
11f5f6058d
Bug 1131227 - Make the about:certerror Unknown Issuer string mention missing intermediates and unimported roots. r=keeler
2015-03-17 14:33:00 +01:00
Masatoshi Kimura
b23f9dc54f
Bug 1143082 - Fix a message in the mixed content UI. r=dolske
2015-03-17 20:34:58 +09:00
Jed Davis
d0d9f194e4
Bug 1141885 - Make readlink() fail instead of allowing it, for B2G content processes. r=kang
2015-03-13 13:47:56 -07:00
André Reinald
f3598cf103
Bug 1083344 - Tighten rules for Mac OS content process sandbox on 10.9 and 10.10. r=smichaud
...
Allow read to whole filesystem until chrome:// and file:// URLs are brokered through another process.
Except $HOME/Library in which we allow only access to profile add-ons subdir.
Add level 2, which allows read only from $HOME and /tmp (while still restricting $HOME/Library.
Change default back to 1.
2015-03-12 17:42:50 +01:00
ffxbld
4837382e9e
No bug, Automated HPKP preload list update from host bld-linux64-spot-532 - a=hpkp-update
2015-03-14 03:26:00 -07:00
ffxbld
7ad0e5a9f3
No bug, Automated HSTS preload list update from host bld-linux64-spot-532 - a=hsts-update
2015-03-14 03:25:58 -07:00
Nathan Froyd
8ddefeed54
Bug 1142503 - don't use QueryInterface when the compiler can do the cast for us; r=ehsan
...
Calling QueryInterface with a statically known IID should typically not
be necessary. In those cases where it's not, the compiler can do the
cast for us, though we have to supply the reference-counting that
QueryInterface would do.
In passing, several redundant null-checks for the result of |new T| have
been deleted.
2015-03-12 09:43:50 -04:00
Jed Davis
da39e0a7e8
Bug 1142263 - Specify all syscall parameters when doing CLONE_NEWUSER detection; f=bwc r=kang
2015-03-13 13:01:28 +01:00
Jed Davis
64382897a9
Bug 906996 - Remove unlink from B2G content process syscall whitelist. r=kang
2015-03-11 12:39:00 +01:00
David Keeler
793bd87d86
bug 1102443 - fix leak in key pinning logging by removing an unnecessary function call r=cykesiopka
...
Also took the opportunity to fix the logging message, since it didn't accurately
describe the information that was being printed.
2015-03-12 14:31:26 -07:00
Jonathan Griffin
84011a87cc
Bug 1116187 - Disable failing mochitest-chrome tests for B2G, r=gbrown
2015-02-06 16:30:37 -08:00
David Keeler
f4d016a5d3
bug 1138332 - re-allow overrides for certificates signed by non-CA certificates r=mmc
2015-03-11 11:11:22 -07:00
Cykesiopka
ee6ade0540
Bug 1141815 - Remove nsIDOMCryptoDialogs interface and associated implementation; r=keeler
2015-03-12 10:24:05 +01:00
David Keeler
9019ce9211
bug 1138716 - update PSM data structures that depend on root CA changes r=mmc
2015-03-23 10:36:55 -07:00
Kai Engert
6c2147ca71
Bug 1137470, remove the documentation patch file, because it's no longer reverted locally, DONTBUILD
2015-03-20 13:38:13 +01:00
Kai Engert
0430fa01a9
Bug 1137470, Upgrade Firefox 38 to use NSS 3.18, land NSS_3_18_RTM, r=nss-confcall
2015-03-20 13:32:58 +01:00
Cykesiopka
dc77495477
Bug 1121117 - Add fuzz time to workaround non-monotonicity of Date(). r=keeler
2015-03-19 19:57:00 +01:00
Bob Owen
9438a86ad1
Bug 1145432: Add the policy for the client side of the crash server pipe to the GMP Windows sandbox. r=aklotz
2015-03-20 07:53:37 +00:00
Ehsan Akhgari
c27574a87c
Bug 1140767 - Build more files in security/manager in unified mode; r=dkeeler
2015-03-10 22:52:22 -04:00
Bob Owen
4b39d1da28
Bug 1141169: Add moz.build BUG_COMPONENT metadata for security/sandbox/ r=jld
2015-03-10 08:03:12 +00:00
Bob Owen
9a4eb936ac
Bug 1137166: Change the Content moreStrict sandbox pref to an integer to indicate the level of sandboxing. r=tabraldes
2015-03-10 08:03:12 +00:00
Mike Hommey
e4b247f703
Bug 868814 - Fold mozalloc library into mozglue. r=njn
2015-03-10 10:01:52 +09:00
Masatoshi Kimura
40a54ff159
Bug 1106470 - Drop SSLv3 support entirely from PSM. r=keeler
2015-03-10 01:22:59 +09:00
Jed Davis
9e0d0967f3
Bug 1137007 - Detect namespace and SECCOMP_FILTER_FLAG_TSYNC support in SandboxInfo. r=kang, r=Unfocused
...
Currently, only user namespace support is detected. This is targeted at
desktop, where (1) user namespace creation is effectively a prerequisite
for unsharing any other namespace, and (2) any kernel with user
namespace support almost certainly has all the others.
Bonus fix: remove extra copy of sandbox flag key names in about:support;
if JS property iteration order ever ceases to follow creation order, the
table rows could be permuted, but this doesn't really matter.
2015-03-06 13:59:00 -05:00
David Keeler
f9447481df
Bug 1136616 - Allow underscores in reference DNS-IDs in mozilla::pkix name matching. r=briansmith
2015-03-03 13:34:45 -08:00
Phil Ringnalda
aafe5c8706
Merge m-c to m-i
2015-03-07 19:39:49 -08:00
Phil Ringnalda
0218d6bb94
Merge m-i to m-c, a=merge
2015-03-07 19:11:54 -08:00
ffxbld
9d36331df9
No bug, Automated HPKP preload list update from host bld-linux64-spot-157 - a=hpkp-update
2015-03-07 03:27:15 -08:00
ffxbld
efe016bbfd
No bug, Automated HSTS preload list update from host bld-linux64-spot-157 - a=hsts-update
2015-03-07 03:27:13 -08:00
David Keeler
9d2c240868
bug 1129771 - disable IPv6 in PSM xpcshell TLS connection tests due to failures on OS X 10.10 r=cykesiopka a=ryanvm on a CLOSED TREE
...
In the process of investigating the intermittent failures listed in
bug 1129771, I discovered that the code would frequently get stuck connecting
to [::1] (where no server was listening) and wouldn't fall back to trying
127.0.0.1 (where the test server was listening). This change prevents the code
attempting to connect to [::1]. There probably is an underlying bug here, but
it appears to be in OS X itself and I have neither the time nor expertise to
investigate further.
2015-03-04 13:41:11 -08:00
Cykesiopka
a89929ad29
Bug 1139177 - RSA public key size checking cleanups. r=keeler
2015-03-05 16:41:00 +01:00
Jed Davis
c8b3a23fcc
Bug 1140111 - Whitelist readlinkat along with readlink. r=kang
2015-03-07 10:44:23 -05:00
Kai Engert
3d42ff284d
Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall
2015-03-07 14:49:00 +01:00
David Keeler
2a097b53b6
bug 1137538 - remove nsIIdentityInfo and nsNSSSocketInfo::GetPreviousCert r=mayhemer
2015-02-27 11:33:36 -08:00
Masatoshi Kimura
926928febc
Bug 1138882 - Add a pref to enable unrestricted RC4 fallback. r=keeler
2015-03-05 22:51:31 +09:00
Cykesiopka
73a56cbbda
Bug 1121117 - Add some logging to test_ocsp_timeout.js to ease debugging. r=dkeeler
2015-03-03 14:25:00 +01:00