On 05/09/2017 11:02 AM, Alex Gaynor wrote:
Hi Ehsan,
If we want to dig deeper, let's fork off another thread, but it sounds
like there's two action items here:
1) Fix https://bugzilla.mozilla.org/show_bug.cgi?id=1345046
2) Better document how to disable the sandbox for debugging -- where
would you expect to find docs on this,
https://wiki.mozilla.org/Security/Sandbox, somewhere else?
I really think we should do #1 if at all possible. If that's not an
option, I think we should print out something helpful to stderr when we
see the logging environment variables pointing to a file name in a
sandboxed content process, the problem with picking a wiki page like
above is that most people won't immediately realize that it's sandboxing
that makes the log files not get generated and start wasting time
debugging things until they get to that conclusion and it is only then
when they start to search for relevant documentation in a place related
to sandboxing.
Now let's go back to discussing the actual topic of the thread. Thanks
for indulging the momentary digression from the topic at hand. :-)
Cheers,
Ehsan
Cheers,
Alex
On Tue, May 9, 2017 at 10:49 AM, Ehsan Akhgari
<ehsan.akhg...@gmail.com <mailto:ehsan.akhg...@gmail.com>> wrote:
Hi Alex,
Apologies for hijacking the thread, but since you asked, right now
debugging mochitest that you want to get some logging out of with
a sandboxed content process is super painful. I last hit it when
I was debugging a memory leak which typically requires getting
refcount leak logs and it took me quite a while to find the wiki
page that describes the pref that I needed to set in order to turn
off the sandbox so that any logging in the content process would
be able to write to a log file (and I couldn't even find it again
to include a link to the wiki page here once again!).
I thought I'd mention it since you were asking about stuff that
can be painful when debugging test failures with sandboxed content
processes. :-)
Thanks,
Ehsan
On 05/08/2017 01:26 PM, Alex Gaynor wrote:
Hi dev-platform,
Top-line question: Do you rely on being able to run mochitests
from a
packaged build (`--appname`)?
Context:
The sandboxing team has been hard at work making the content
process
sandbox as restrictive as possible. Our latest focus is
removing file read
permissions from content processes -- the sandbox's value is
pretty limited
if a compromised content process can ship all your files off
by itself!
One of the things we've discovered in the process of
developing these
patches is that they break running mochitest on packaged
firefox builds
(this is the `--appname` flag to mochitest)! `try` doesn't
appear to use
this, and none of us use it in our development workflows, but
we wanted to
check in with dev-platform and see if we were going to be
breaking people's
development flows! While these restrictions are not on by
default yet, once
they are you'd only be able to run tests on packaged builds by
disabling
the sandbox. If this is a fundamental part of lots of folks'
workflows
we'll dig into whether there's a way to keep this working.
Happy Monday!
Alex
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
<mailto:dev-platform@lists.mozilla.org>
https://lists.mozilla.org/listinfo/dev-platform
<https://lists.mozilla.org/listinfo/dev-platform>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org <mailto:dev-platform@lists.mozilla.org>
https://lists.mozilla.org/listinfo/dev-platform
<https://lists.mozilla.org/listinfo/dev-platform>
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
