commit a9b9132117bd5ea14901812c8faa195201e0e1a8
parent 2485ac302318c676883060feb0dc099a8a73191b
Author: Yannis Juglaret <yjuglaret@mozilla.com>
Date: Wed, 17 Dec 2025 15:21:20 +0000
Bug 1957156 - Let the PKCS#11 process run a dedicated executable on macOS in Nightly. r=haik,nika
Running PKCS#11 modules requires specific entitlements on macOS. Now
that we have a dedicated process for running these modules, we can make
this process run a different executable that has these specific
entitlements. Ultimately, this will allow us to remove these
entitlements from the firefox binary so that we obtain a more
fine-grained privilege separation.
For now we only use and make available the new executable in Nightly
builds, and we continue to use the firefox executable in other builds.
This is because we will only be running the new process in Nightly
builds behind a pref for the moment, and we do not want to impact
people's application directories and the size of our installers by
adding a new executable before this executable is actually required.
Based on prior work by Haik Aftandilian and Alexandre Lissy
(D243560, D243561).
Differential Revision: https://phabricator.services.mozilla.com/D270691
Diffstat:
16 files changed, 188 insertions(+), 41 deletions(-)
diff --git a/browser/installer/Makefile.in b/browser/installer/Makefile.in
@@ -63,6 +63,12 @@ DEFINES += -DMOZ_CHILD_PROCESS_NAME=$(MOZ_CHILD_PROCESS_NAME)
DEFINES += -DMOZ_EME_PROCESS_NAME="$(MOZ_EME_PROCESS_NAME)"
DEFINES += -DMOZ_GPU_PROCESS_NAME="$(MOZ_GPU_PROCESS_NAME)"
+ifdef NIGHTLY_BUILD
+ifndef MOZ_NO_SMART_CARDS
+DEFINES += -DMOZ_PKCS11_PROCESS_NAME="$(MOZ_PKCS11_PROCESS_NAME)"
+endif
+endif
+
# Set MSVC dlls version to package, if any.
ifdef MOZ_NO_DEBUG_RTL
ifdef WIN32_REDIST_DIR
diff --git a/browser/installer/allowed-dupes.mn b/browser/installer/allowed-dupes.mn
@@ -13,10 +13,15 @@ plugin-container.app/Contents/PkgInfo
updater.app/Contents/PkgInfo
media-plugin-helper.app/Contents/PkgInfo
gpu-helper.app/Contents/PkgInfo
+security-module-helper.app/Contents/PkgInfo
media-plugin-helper.app/Contents/MacOS/@MOZ_APP_DISPLAYNAME@ Media Plugin Helper
gpu-helper.app/Contents/MacOS/@MOZ_APP_DISPLAYNAME@ GPU Helper
plugin-container.app/Contents/MacOS/plugin-container
+security-module-helper.app/Contents/MacOS/@MOZ_APP_DISPLAYNAME@ Security Module Helper
+
+media-plugin-helper.app/Contents/Resources/English.lproj/InfoPlist.strings
+security-module-helper.app/Contents/Resources/English.lproj/InfoPlist.strings
# Duplicated on Linux by browser/branding/branding-common.mozbuild
#ifdef XP_LINUX
diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in
@@ -87,6 +87,11 @@
@BINPATH@/@MOZ_CHILD_PROCESS_NAME@.app/
@BINPATH@/@MOZ_EME_PROCESS_NAME@.app/
@BINPATH@/@MOZ_GPU_PROCESS_NAME@.app/
+#ifdef NIGHTLY_BUILD
+#ifndef MOZ_NO_SMART_CARDS
+@BINPATH@/@MOZ_PKCS11_PROCESS_NAME@.app/
+#endif
+#endif
#endif
#ifdef XP_WIN
@BINPATH@/@MOZ_CHILD_PROCESS_NAME@
diff --git a/ipc/app/Makefile.in b/ipc/app/Makefile.in
@@ -34,4 +34,15 @@ libs::
$(call py_action,preprocessor $(MOZ_GPU_PROCESS_NAME).app/Contents/Resources/English.lproj/InfoPlist.strings,-Fsubstitution --output-encoding utf-16 -DAPP_NAME='$(MOZ_GPU_PROCESS_NAME_BRANDED)' $(srcdir)/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in -o $(DIST)/bin/$(MOZ_GPU_PROCESS_NAME).app/Contents/Resources/English.lproj/InfoPlist.strings)
$(NSINSTALL) -D $(DIST)/bin/$(MOZ_GPU_PROCESS_NAME).app/Contents/MacOS
cp $(DIST)/bin/$(MOZ_CHILD_PROCESS_NAME) "$(DIST)/bin/$(MOZ_GPU_PROCESS_NAME).app/Contents/MacOS/$(MOZ_GPU_PROCESS_NAME_BRANDED)"
+ifdef NIGHTLY_BUILD
+ifndef MOZ_NO_SMART_CARDS
+ # security-module-helper
+ $(NSINSTALL) -D $(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app
+ rsync -a -C --exclude '*.in' $(srcdir)/macbuild/Contents $(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app
+ $(call py_action,preprocessor $(MOZ_PKCS11_PROCESS_NAME).app/Contents/Info.plist,-Fsubstitution -DEXECUTABLE='$(MOZ_PKCS11_PROCESS_NAME_BRANDED)' -DBUNDLEID='$(MOZ_PKCS11_PROCESS_BUNDLEID)' -DMOZ_PKCS11_PROCESS_NAME_BRANDED='$(MOZ_PKCS11_PROCESS_NAME_BRANDED)' -DMOZ_DEVELOPER_REPO_PATH='$(topsrcdir)' -DMOZ_DEVELOPER_OBJ_PATH='$(topobjdir)' $(srcdir)/macbuild/Contents/Info.plist.in -o $(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app/Contents/Info.plist)
+ $(call py_action,preprocessor $(MOZ_PKCS11_PROCESS_NAME).app/Contents/Resources/English.lproj/InfoPlist.strings,-Fsubstitution --output-encoding utf-16 -DAPP_NAME='$(MOZ_PKCS11_PROCESS_BUNDLENAME)' $(srcdir)/macbuild/Contents/Resources/English.lproj/InfoPlist.strings.in -o $(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app/Contents/Resources/English.lproj/InfoPlist.strings)
+ $(NSINSTALL) -D $(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app/Contents/MacOS
+ cp $(DIST)/bin/$(MOZ_CHILD_PROCESS_NAME) "$(DIST)/bin/$(MOZ_PKCS11_PROCESS_NAME).app/Contents/MacOS/$(MOZ_PKCS11_PROCESS_NAME_BRANDED)"
+endif
+endif
endif #}
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
@@ -157,16 +157,15 @@ class BaseProcessLauncher {
geckoargs::ChildProcessArgs&& aExtraOpts)
: mProcessType(aHost->mProcessType),
mLaunchOptions(std::move(aHost->mLaunchOptions)),
- mChildArgs(std::move(aExtraOpts))
+ mChildArgs(std::move(aExtraOpts)),
#ifdef XP_WIN
- ,
- mGroupId(aHost->mGroupId)
+ mGroupId(aHost->mGroupId),
#endif
+ mUtilitySandbox(aHost->mUtilitySandbox)
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
,
mAllowedFilesRead(aHost->mAllowedFilesRead),
mSandboxLevel(aHost->mSandboxLevel),
- mSandbox(aHost->mSandbox),
mIsFileContent(aHost->mIsFileContent),
mEnableSandboxLogging(aHost->mEnableSandboxLogging)
#endif
@@ -213,7 +212,8 @@ class BaseProcessLauncher {
void MapChildLogging();
- static BinPathType GetPathToBinary(FilePath&, GeckoProcessType);
+ static BinPathType GetPathToBinary(FilePath&, GeckoProcessType,
+ SandboxingKind sandboxKind);
void GetChildLogName(const char* origLogName, nsACString& buffer);
@@ -231,10 +231,10 @@ class BaseProcessLauncher {
#ifdef XP_WIN
nsString mGroupId;
#endif
+ SandboxingKind mUtilitySandbox;
#if defined(XP_WIN) && defined(MOZ_SANDBOX)
std::vector<std::wstring> mAllowedFilesRead;
int32_t mSandboxLevel;
- SandboxingKind mSandbox;
bool mIsFileContent;
bool mEnableSandboxLogging;
#endif
@@ -511,7 +511,8 @@ void GeckoChildProcessHost::Destroy() {
// static
mozilla::BinPathType BaseProcessLauncher::GetPathToBinary(
- FilePath& exePath, GeckoProcessType processType) {
+ FilePath& exePath, GeckoProcessType processType,
+ SandboxingKind utilitySandbox) {
exePath = {};
BinPathType pathType = XRE_GetChildProcBinPathType(processType);
@@ -544,6 +545,12 @@ mozilla::BinPathType BaseProcessLauncher::GetPathToBinary(
// Use the GPU helper executable
bundleName = MOZ_GPU_PROCESS_BUNDLENAME;
executableLeafName = MOZ_GPU_PROCESS_NAME_BRANDED;
+# if defined(NIGHTLY_BUILD) && !defined(MOZ_NO_SMART_CARDS)
+ } else if (processType == GeckoProcessType_Utility &&
+ utilitySandbox == PKCS11_MODULE) {
+ bundleName = MOZ_PKCS11_PROCESS_BUNDLENAME;
+ executableLeafName = MOZ_PKCS11_PROCESS_NAME_BRANDED;
+# endif // NIGHTLY_BUILD && !MOZ_NO_SMART_CARDS
} else {
// the default child process executable
bundleName = MOZ_CHILD_PROCESS_BUNDLENAME;
@@ -626,7 +633,7 @@ void GeckoChildProcessHost::SetEnv(const char* aKey, const char* aValue) {
bool GeckoChildProcessHost::PrepareLaunch(
geckoargs::ChildProcessArgs& aExtraOpts) {
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
- if (!SandboxLaunch::Configure(mProcessType, mSandbox, aExtraOpts,
+ if (!SandboxLaunch::Configure(mProcessType, mUtilitySandbox, aExtraOpts,
mLaunchOptions.get())) {
return false;
}
@@ -1246,7 +1253,8 @@ Result<Ok, LaunchError> PosixProcessLauncher::DoSetup() {
}
FilePath exePath;
- BinPathType pathType = GetPathToBinary(exePath, mProcessType);
+ BinPathType pathType =
+ GetPathToBinary(exePath, mProcessType, mUtilitySandbox);
// Make sure the executable path is present at the start of our argument list.
// If we're using BinPathType::Self, also add the `-contentproc` argument.
@@ -1570,7 +1578,8 @@ Result<Ok, LaunchError> WindowsProcessLauncher::DoSetup() {
}
FilePath exePath;
- BinPathType pathType = GetPathToBinary(exePath, mProcessType);
+ BinPathType pathType =
+ GetPathToBinary(exePath, mProcessType, mUtilitySandbox);
mCmdLine.emplace(exePath.ToWStringHack());
@@ -1664,9 +1673,9 @@ Result<Ok, LaunchError> WindowsProcessLauncher::DoSetup() {
}
break;
case GeckoProcessType_Utility:
- if (IsUtilitySandboxEnabled(mSandbox)) {
+ if (IsUtilitySandboxEnabled(mUtilitySandbox)) {
if (!mResults.mSandboxBroker->SetSecurityLevelForUtilityProcess(
- mSandbox)) {
+ mUtilitySandbox)) {
return Err(LaunchError("SetSecurityLevelForUtilityProcess"));
}
mUseSandbox = true;
diff --git a/ipc/glue/GeckoChildProcessHost.h b/ipc/glue/GeckoChildProcessHost.h
@@ -19,6 +19,7 @@
#include "mozilla/ipc/NodeChannel.h"
#include "mozilla/ipc/LaunchError.h"
#include "mozilla/ipc/ScopedPort.h"
+#include "mozilla/ipc/UtilityProcessSandboxing.h"
#include "mozilla/Atomics.h"
#include "mozilla/LinkedList.h"
#include "mozilla/Monitor.h"
@@ -45,10 +46,6 @@
# include "mozilla/Sandbox.h"
#endif
-#if defined(MOZ_SANDBOX)
-# include "mozilla/ipc/UtilityProcessSandboxing.h"
-#endif
-
#if (defined(XP_WIN) && defined(_ARM64_)) || \
(defined(XP_MACOSX) && defined(__aarch64__))
# define ALLOW_GECKO_CHILD_PROCESS_ARCH
@@ -260,9 +257,12 @@ class GeckoChildProcessHost : public SupportsWeakPtr,
# endif
#endif // XP_WIN
-#if defined(MOZ_SANDBOX)
- SandboxingKind mSandbox;
-#endif
+ // Only set by UtilityProcessHost. The sandbox policy associated with
+ // mUtilitySandbox will only be honored under MOZ_SANDBOX. However, on macOS,
+ // we will choose the proper firefox binary to run independently of
+ // MOZ_SANDBOX. This ensures that the utility process always runs with the
+ // expected set of entitlements.
+ SandboxingKind mUtilitySandbox;
mozilla::RWLock mHandleLock;
ProcessHandle mChildProcessHandle MOZ_GUARDED_BY(mHandleLock);
diff --git a/ipc/glue/UtilityProcessHost.cpp b/ipc/glue/UtilityProcessHost.cpp
@@ -69,19 +69,13 @@ UtilityProcessHost::UtilityProcessHost(SandboxingKind aSandbox,
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
mDisableOSActivityMode = IsUtilitySandboxEnabled(aSandbox);
#endif
-#if defined(MOZ_SANDBOX)
- mSandbox = aSandbox;
-#endif
+ mUtilitySandbox = aSandbox;
}
UtilityProcessHost::~UtilityProcessHost() {
MOZ_COUNT_DTOR(UtilityProcessHost);
-#if defined(MOZ_SANDBOX)
LOGD("[%p] UtilityProcessHost::~UtilityProcessHost sandboxingKind=%" PRIu64,
- this, mSandbox);
-#else
- LOGD("[%p] UtilityProcessHost::~UtilityProcessHost", this);
-#endif
+ this, mUtilitySandbox);
}
bool UtilityProcessHost::Launch(geckoargs::ChildProcessArgs aExtraOpts) {
@@ -189,8 +183,8 @@ void UtilityProcessHost::InitAfterConnect(bool aSucceeded) {
#if defined(XP_LINUX) && defined(MOZ_SANDBOX)
UniquePtr<SandboxBroker::Policy> policy;
- if (IsUtilitySandboxEnabled(mSandbox)) {
- switch (mSandbox) {
+ if (IsUtilitySandboxEnabled(mUtilitySandbox)) {
+ switch (mUtilitySandbox) {
case SandboxingKind::GENERIC_UTILITY:
policy = SandboxBrokerPolicyFactory::GetUtilityProcessPolicy(
GetActor()->OtherPid());
@@ -357,7 +351,7 @@ MacSandboxType UtilityProcessHost::GetMacSandboxType() {
#ifdef MOZ_WMF_CDM_LPAC_SANDBOX
void UtilityProcessHost::EnsureWidevineL1PathForSandbox(
geckoargs::ChildProcessArgs& aExtraOpts) {
- if (mSandbox != SandboxingKind::MF_MEDIA_ENGINE_CDM) {
+ if (mUtilitySandbox != SandboxingKind::MF_MEDIA_ENGINE_CDM) {
return;
}
diff --git a/ipc/glue/moz.build b/ipc/glue/moz.build
@@ -294,6 +294,13 @@ elif CONFIG["TARGET_OS"] == "iOS":
elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "android":
OS_LIBS += ["android"]
+extra_vars = ()
+if CONFIG["NIGHTLY_BUILD"] and not CONFIG["MOZ_NO_SMART_CARDS"]:
+ extra_vars = (
+ "MOZ_PKCS11_PROCESS_NAME_BRANDED",
+ "MOZ_PKCS11_PROCESS_BUNDLENAME",
+ )
+
for var in (
"MOZ_CHILD_PROCESS_NAME",
"MOZ_CHILD_PROCESS_BUNDLENAME",
@@ -301,7 +308,7 @@ for var in (
"MOZ_EME_PROCESS_BUNDLENAME",
"MOZ_GPU_PROCESS_NAME_BRANDED",
"MOZ_GPU_PROCESS_BUNDLENAME",
-):
+) + extra_vars:
DEFINES[var] = '"%s"' % CONFIG[var]
if CONFIG["MOZ_SANDBOX"] and CONFIG["OS_ARCH"] == "WINNT":
diff --git a/security/mac/hardenedruntime/developer/security-module-helper.xml b/security/mac/hardenedruntime/developer/security-module-helper.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the security-module-helper.app bundle during
+ codesigning of developer builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Allow loading third party pkcs11 libraries -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+
+ <!-- Allow dyld environment variables for debugging -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Allow debuggers to attach to running executables -->
+ <key>com.apple.security.get-task-allow</key><true/>
+ </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/production/security-module-helper.xml b/security/mac/hardenedruntime/production/security-module-helper.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the security-module-helper.app bundle during
+ codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Allow loading third party pkcs11 libraries -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+ </dict>
+</plist>
diff --git a/taskcluster/config.yml b/taskcluster/config.yml
@@ -875,6 +875,15 @@ mac-signing:
globs:
- "/Contents/MacOS/media-plugin-helper.app"
+ # Only built in Nightly builds for now. For other builds, the
+ # globs will match nothing, and so nothing will happen.
+ - deep: false
+ runtime: true
+ force: true
+ entitlements: public/build/security/security-module-helper.xml
+ globs:
+ - "/Contents/MacOS/security-module-helper.app"
+
- deep: false
runtime: true
force: true
@@ -924,6 +933,15 @@ mac-signing:
globs:
- "/Contents/MacOS/media-plugin-helper.app"
+ # Only built in Nightly builds for now. For other builds, the
+ # globs will match nothing, and so nothing will happen.
+ - deep: false
+ runtime: true
+ force: true
+ entitlements: public/build/security/security-module-helper.xml
+ globs:
+ - "/Contents/MacOS/security-module-helper.app"
+
- deep: false
runtime: true
force: true
diff --git a/taskcluster/kinds/build/macosx-native.yml b/taskcluster/kinds/build/macosx-native.yml
@@ -18,6 +18,9 @@ task-defaults:
- name: public/build/security/plugin-container.xml
path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/plugin-container.xml
type: file
+ - name: public/build/security/security-module-helper.xml
+ path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/security-module-helper.xml
+ type: file
run:
using: mozharness
script: "mozharness/scripts/fx_desktop_build.py"
diff --git a/taskcluster/kinds/build/macosx.yml b/taskcluster/kinds/build/macosx.yml
@@ -17,6 +17,9 @@ task-defaults:
- name: public/build/security/plugin-container.xml
path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/plugin-container.xml
type: file
+ - name: public/build/security/security-module-helper.xml
+ path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/security-module-helper.xml
+ type: file
run:
using: mozharness
actions: [get-secrets, build]
diff --git a/taskcluster/kinds/instrumented-build/kind.yml b/taskcluster/kinds/instrumented-build/kind.yml
@@ -128,6 +128,9 @@ tasks:
- name: public/build/security/plugin-container.xml
path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/plugin-container.xml
type: file
+ - name: public/build/security/security-module-helper.xml
+ path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/security-module-helper.xml
+ type: file
run:
using: mozharness
actions: [get-secrets, build]
@@ -174,6 +177,9 @@ tasks:
- name: public/build/security/plugin-container.xml
path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/plugin-container.xml
type: file
+ - name: public/build/security/security-module-helper.xml
+ path: checkouts/gecko/security/mac/hardenedruntime/{entitlement_directory}/security-module-helper.xml
+ type: file
run:
using: mozharness
actions: [get-secrets, build]
diff --git a/toolkit/moz.configure b/toolkit/moz.configure
@@ -3719,6 +3719,17 @@ option(env="MOZ_PKG_SPECIAL", nargs=1, help="Name of special moz flavor")
set_config("MOZ_PKG_SPECIAL", depends_if("MOZ_PKG_SPECIAL")(lambda x: x[0]))
+# Smart card support
+# ==============================================================
+@depends(target)
+def disable_smart_cards(target):
+ return target.os == "Android"
+
+
+set_config("MOZ_NO_SMART_CARDS", True, when=disable_smart_cards)
+set_define("MOZ_NO_SMART_CARDS", True, when=disable_smart_cards)
+
+
# OSX Packaging
# ==============================================================
@@ -3818,6 +3829,47 @@ with only_when(target_is_osx):
set_config("MOZ_GPU_PROCESS_BUNDLEID", moz_gpu_process_bundle_id)
+ with only_when(milestone.is_nightly & ~disable_smart_cards):
+ # Security Module Helper
+ #
+ # Set up configuration strings for building and referencing the PKCS#11
+ # utility process executable. For a local developer build where the
+ # display name is "Nightly", the strings will be as follows.
+ #
+ # MOZ_PKCS11_PROCESS_NAME = security-module-helper
+ # MOZ_PKCS11_PROCESS_NAME_BRANDED = Nightly Security Module Helper
+ # MOZ_PKCS11_PROCESS_NAME_BUNDLENAME = security-module-helper.app
+ # MOZ_PKCS11_PROCESS_BUNDLEID = org.mozilla.nightly-security-module-helper
+ moz_pkcs11_process_name = dependable("security-module-helper")
+
+ set_config("MOZ_PKCS11_PROCESS_NAME", moz_pkcs11_process_name)
+ set_config(
+ "MOZ_PKCS11_PROCESS_NAME_BRANDED",
+ depends_if(moz_app_displayname)(
+ lambda name: f"{name} Security Module Helper"
+ ),
+ )
+ set_config(
+ "MOZ_PKCS11_PROCESS_BUNDLENAME",
+ depends(moz_pkcs11_process_name)(lambda name: f"{name}.app"),
+ )
+
+ # Generate a lower case string with no spaces to be used as the bundle ID
+ # for the PKCS11 helper .app of the form org.mozilla.<executable-name>.
+ @depends(moz_app_displayname, moz_pkcs11_process_name, "--with-distribution-id")
+ def moz_pkcs11_process_bundle_id(
+ app_displayname, pkcs11_process_name, distribution_id
+ ):
+ if not app_displayname:
+ return
+
+ pkcs11_process_bundle_id = app_displayname.replace(" ", "-").lower()
+ return (
+ f"{distribution_id[0]}.{pkcs11_process_bundle_id}-{pkcs11_process_name}"
+ )
+
+ set_config("MOZ_PKCS11_PROCESS_BUNDLEID", moz_pkcs11_process_bundle_id)
+
# JS Packaging
# ==============================================================
@@ -4020,16 +4072,6 @@ with only_when(target_has_linux_kernel & compile_environment):
)
-# Smart card support
-# ==============================================================
-@depends(build_project)
-def disable_smart_cards(build_project):
- return build_project == "mobile/android"
-
-
-set_config("MOZ_NO_SMART_CARDS", True, when=disable_smart_cards)
-set_define("MOZ_NO_SMART_CARDS", True, when=disable_smart_cards)
-
# Enable UniFFI fixtures
# ==============================================================
# These are used to test the uniffi-bindgen-gecko-js code generation. They
diff --git a/tools/lint/license.yml b/tools/lint/license.yml
@@ -48,11 +48,13 @@ license:
- security/mac/hardenedruntime/developer/media-plugin-helper.xml
- security/mac/hardenedruntime/developer/plugin-container.xml
- security/mac/hardenedruntime/developer/utility.xml
+ - security/mac/hardenedruntime/developer/security-module-helper.xml
- security/mac/hardenedruntime/production/nightly.browser.xml
- security/mac/hardenedruntime/production/firefox.browser.xml
- security/mac/hardenedruntime/production/firefoxdeveloperedition.browser.xml
- security/mac/hardenedruntime/production/media-plugin-helper.xml
- security/mac/hardenedruntime/production/plugin-container.xml
+ - security/mac/hardenedruntime/production/security-module-helper.xml
- testing/marionette/harness/marionette_harness/www/
# Browsertime can't handle this script when there's a comment at the top
- testing/raptor/browsertime/browsertime_benchmark.js
