Bug 1370438 - The MOZ_DISABLE_CONTENT_SANDBOX environment variable now works on macOS and is used in the xpcshell tests; r?haik
This environment variable works on both Windows and Linux for force-disabling
the content sandbox, and now does so on macOS as well.
The xpcshell tests force disable the sandbox because they do things like bind()
sockets, which is not compatible with the content sandbox. This is needed now
because
bug 1358223 was force upgrading the sandbox from level 0 (disabled) to
level 1 on beta channel, which caused breakage.
MozReview-Commit-ID: 5DGxtoDLp0C
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2367,25 +2367,25 @@ ContentParent::InitInternal(ProcessPrior
SerializeURI(sheet->GetSheetURI(), uri);
Unused << SendLoadAndRegisterSheet(uri, nsIStyleSheetService::AUTHOR_SHEET);
}
}
#ifdef MOZ_CONTENT_SANDBOX
bool shouldSandbox = true;
MaybeFileDesc brokerFd = void_t();
-#ifdef XP_LINUX
// XXX: Checking the pref here makes it possible to enable/disable sandboxing
// during an active session. Currently the pref is only used for testing
// purpose. If the decision is made to permanently rely on the pref, this
// should be changed so that it is required to restart firefox for the change
// of value to take effect.
shouldSandbox = (GetEffectiveContentSandboxLevel() > 0) &&
!PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
+#ifdef XP_LINUX
if (shouldSandbox) {
MOZ_ASSERT(!mSandboxBroker);
UniquePtr<SandboxBroker::Policy> policy =
sSandboxBrokerPolicyFactory->GetContentPolicy(Pid());
if (policy) {
brokerFd = FileDescriptor();
mSandboxBroker = SandboxBroker::Create(Move(policy), Pid(), brokerFd);
if (!mSandboxBroker) {
--- a/testing/xpcshell/runxpcshelltests.py
+++ b/testing/xpcshell/runxpcshelltests.py
@@ -919,16 +919,21 @@ class XPCShellTests(object):
# Don't permit remote connections by default.
# MOZ_DISABLE_NONLOCAL_CONNECTIONS can be set to "0" to temporarily
# enable non-local connections for the purposes of local testing.
# Don't override the user's choice here. See bug 1049688.
self.env.setdefault('MOZ_DISABLE_NONLOCAL_CONNECTIONS', '1')
if self.mozInfo.get("topsrcdir") is not None:
self.env["MOZ_DEVELOPER_REPO_DIR"] = self.mozInfo["topsrcdir"].encode()
+ # Disable the content process sandbox for the xpcshell tests. They
+ # currently attempt to do things like bind() sockets, which is not
+ # compatible with the sandbox.
+ self.env["MOZ_DISABLE_CONTENT_SANDBOX"] = "1"
+
def buildEnvironment(self):
"""
Create and returns a dictionary of self.env to include all the appropriate env variables and values.
On a remote system, we overload this to set different values and are missing things like os.environ and PATH.
"""
self.env = dict(os.environ)
self.buildCoreEnvironment()
if sys.platform == 'win32':