I have just landed a patch which changes the "level 1" Windows content process 
sandbox policy to one which runs the process at a low integrity level from the 
start. This will hopefully make it into tomorrow's Nightly.
(pref: security.sandbox.content.level=1)

Running at low integrity for the whole lifetime of the process wasn't possible 
before a recent bug fix.
It turned out that doing this (instead of dropping to low integrity later in 
the process) seemed to fix the major blocker to using low integrity.

Low is the same integrity level at which Internet Explorer's Protected Mode 
sandbox runs.

I would be grateful if anyone testing e10s on Windows would also take some 
time to test with this stronger sandbox policy.
Just set the above pref and then restart Firefox, so that the new policy is 
applied to the content process.

If you find any issues caused by this, please file them to block bug 1151767.

You can turn on limited sandbox logging to the browser console with the pref:
security.sandbox.windows.log

This doesn't log all the things that the sandbox might block, but it should log 
things that we might be able to fix by adding new policy rules.
You can filter the output with "Process Sandbox".
Please copy (or attach) anything that looks like it might be relevant into the 
bug.

You can also get a stack trace in the log entry with:
security.sandbox.windows.log.stackTraceDepth

The logging requires a restart, but changing the stack trace depth should not.

I hope to change this policy to the default one later this month.

Thanks,
Bob
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
