Remove content process sandbox code.

4 years ago · 369378d566
41 changed files with 1 additions and 1823 deletions
--- a/accessible/ipc/DocAccessibleParent.cpp
+++ b/accessible/ipc/DocAccessibleParent.cpp
@ -492,32 +492,7 @@ bool
 DocAccessibleParent::RecvGetWindowedPluginIAccessible(
      const WindowsHandle& aHwnd, IAccessibleHolder* aPluginCOMProxy)
 {
-#if defined(MOZ_CONTENT_SANDBOX)
-  // We don't actually want the accessible object for aHwnd, but rather the
-  // one that belongs to its child (see HTMLWin32ObjectAccessible).
-  HWND childWnd = ::GetWindow(reinterpret_cast<HWND>(aHwnd), GW_CHILD);
-  if (!childWnd) {
-    // We're seeing this in the wild - the plugin is windowed but we no longer
-    // have a window.
-    return true;
-  }
-
-  IAccessible* rawAccPlugin = nullptr;
-  HRESULT hr = ::AccessibleObjectFromWindow(childWnd, OBJID_WINDOW,
-                                            IID_IAccessible,
-                                            (void**)&rawAccPlugin);
-  if (FAILED(hr)) {
-    // This might happen if the plugin doesn't handle WM_GETOBJECT properly.
-    // We should not consider that a failure.
-    return true;
-  }
-
-  aPluginCOMProxy->Set(IAccessibleHolder::COMPtrType(rawAccPlugin));
-
-  return true;
-#else
  return false;
-#endif
 }

 #endif // defined(XP_WIN)
--- a/accessible/windows/msaa/HTMLWin32ObjectAccessible.cpp
+++ b/accessible/windows/msaa/HTMLWin32ObjectAccessible.cpp
@ -62,25 +62,6 @@ HTMLWin32ObjectAccessible::HTMLWin32ObjectAccessible(void* aHwnd,
 {
  mHwnd = aHwnd;
  if (mHwnd) {
-#if defined(MOZ_CONTENT_SANDBOX)
-    if (XRE_IsContentProcess()) {
-      DocAccessibleChild* ipcDoc = aDoc->IPCDoc();
-      MOZ_ASSERT(ipcDoc);
-      if (!ipcDoc) {
-        return;
-      }
-
-      IAccessibleHolder proxyHolder;
-      if (!ipcDoc->SendGetWindowedPluginIAccessible(
-              reinterpret_cast<uintptr_t>(mHwnd), &proxyHolder)) {
-        return;
-      }
-
-      mCOMProxy.reset(proxyHolder.Release());
-      return;
-    }
-#endif
-
    // The plugin is not windowless. In this situation we use 
    // use its inner child owned by the plugin so that we don't get
    // in an infinite loop, where the WM_GETOBJECT's get forwarded
@ -92,14 +73,6 @@ HTMLWin32ObjectAccessible::HTMLWin32ObjectAccessible(void* aHwnd,
 void
 HTMLWin32ObjectAccessible::GetNativeInterface(void** aNativeAccessible)
 {
-#if defined(MOZ_CONTENT_SANDBOX)
-  if (XRE_IsContentProcess()) {
-    RefPtr<IAccessible> addRefed = mCOMProxy.get();
-    addRefed.forget(aNativeAccessible);
-    return;
-  }
-#endif
-
  if (mHwnd) {
    ::AccessibleObjectFromWindow(static_cast<HWND>(mHwnd),
                                 OBJID_WINDOW, IID_IAccessible,
--- a/accessible/windows/msaa/HTMLWin32ObjectAccessible.h
+++ b/accessible/windows/msaa/HTMLWin32ObjectAccessible.h
@ -8,10 +8,6 @@

 #include "BaseAccessibles.h"

-#if defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/mscom/Ptr.h"
-#endif
-
 struct IAccessible;

 namespace mozilla {
@ -59,9 +55,6 @@ public:

 protected:
  void* mHwnd;
-#if defined(MOZ_CONTENT_SANDBOX)
-  mscom::ProxyUniquePtr<IAccessible> mCOMProxy;
-#endif
 };

 } // namespace a11y
--- a/application/palemoon/app/nsBrowserApp.cpp
+++ b/application/palemoon/app/nsBrowserApp.cpp
@ -265,12 +265,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  sandbox::BrokerServices* brokerServices =
    sandboxing::GetInitializedBrokerServices();
-#if defined(MOZ_CONTENT_SANDBOX)
-  if (!brokerServices) {
-    Output("Couldn't initialize the broker services.\n");
-    return 255;
-  }
-#endif
  appData.sandboxBrokerServices = brokerServices;
 #endif

--- a/browser/app/nsBrowserApp.cpp
+++ b/browser/app/nsBrowserApp.cpp
@ -265,12 +265,6 @@ static int do_main(int argc, char* argv[], char* envp[], nsIFile *xreDirectory)
 #if defined(XP_WIN) && defined(MOZ_SANDBOX)
  sandbox::BrokerServices* brokerServices =
    sandboxing::GetInitializedBrokerServices();
-#if defined(MOZ_CONTENT_SANDBOX)
-  if (!brokerServices) {
-    Output("Couldn't initialize the broker services.\n");
-    return 255;
-  }
-#endif
  appData.sandboxBrokerServices = brokerServices;
 #endif

--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@ -945,74 +945,6 @@ pref("dom.ipc.plugins.sandbox-level.flash", 2);
 #else
 pref("dom.ipc.plugins.sandbox-level.flash", 0);
 #endif
-
-#if defined(MOZ_CONTENT_SANDBOX)
-// This controls the strength of the Windows content process sandbox for testing
-// purposes. This will require a restart.
-// On windows these levels are:
-// See - security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
-// SetSecurityLevelForContentProcess() for what the different settings mean.
-#if defined(NIGHTLY_BUILD)
-pref("security.sandbox.content.level", 2);
-#else
-pref("security.sandbox.content.level", 1);
-#endif
-
-// This controls the depth of stack trace that is logged when Windows sandbox
-// logging is turned on.  This is only currently available for the content
-// process because the only other sandbox (for GMP) has too strict a policy to
-// allow stack tracing.  This does not require a restart to take effect.
-pref("security.sandbox.windows.log.stackTraceDepth", 0);
-#endif
-#endif
-
-#if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is discussed in bug 1083344, the naming is inspired from its
-// Windows counterpart, but on Mac it's an integer which means:
-// 0 -> "no sandbox"
-// 1 -> "preliminary content sandboxing enabled: write access to
-//       home directory is prevented"
-// 2 -> "preliminary content sandboxing enabled with profile protection:
-//       write access to home directory is prevented, read and write access
-//       to ~/Library and profile directories are prevented (excluding
-//       $PROFILE/{extensions,weave})"
-// This setting is read when the content process is started. On Mac the content
-// process is killed when all windows are closed, so a change will take effect
-// when the 1st window is opened.
-#if defined(NIGHTLY_BUILD)
-pref("security.sandbox.content.level", 2);
-#else
-pref("security.sandbox.content.level", 1);
-#endif
-#endif
-
-#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is introduced as part of bug 742434, the naming is inspired from
-// its Windows/Mac counterpart, but on Linux it's an integer which means:
-// 0 -> "no sandbox"
-// 1 -> "content sandbox using seccomp-bpf when available"
-// 2 -> "seccomp-bpf + file broker"
-// Content sandboxing on Linux is currently in the stage of
-// 'just getting it enabled', which includes a very permissive whitelist. We
-// enable seccomp-bpf on nightly to see if everything is running, or if we need
-// to whitelist more system calls.
-//
-// So the purpose of this setting is to allow nightly users to disable the
-// sandbox while we fix their problems. This way, they won't have to wait for
-// another nightly release which disables seccomp-bpf again.
-//
-// This setting may not be required anymore once we decide to permanently
-// enable the content sandbox.
-pref("security.sandbox.content.level", 2);
-#endif
-
-#if defined(XP_MACOSX) || defined(XP_WIN)
-#if defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// ID (a UUID when set by gecko) that is used to form the name of a
-// sandbox-writable temporary directory to be used by content processes
-// when a temporary writable file is required in a level 1 sandbox.
-pref("security.sandbox.content.tempDirSuffix", "");
-#endif
 #endif

 // This pref governs whether we attempt to work around problems caused by
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@ -65,21 +65,6 @@
 #include "imgLoader.h"
 #include "GMPServiceChild.h"

-#if defined(MOZ_CONTENT_SANDBOX)
-#if defined(XP_WIN)
-#define TARGET_SANDBOX_EXPORTS
-#include "mozilla/sandboxTarget.h"
-#elif defined(XP_LINUX)
-#include "mozilla/Sandbox.h"
-#include "mozilla/SandboxInfo.h"
-
-// Remove this include with Bug 1104619
-#include "CubebUtils.h"
-#elif defined(XP_MACOSX)
-#include "mozilla/Sandbox.h"
-#endif
-#endif
-
 #include "mozilla/Unused.h"

 #include "mozInlineSpellChecker.h"
@ -1250,192 +1235,11 @@ ContentChild::AllocPProcessHangMonitorChild(Transport* aTransport,
  return CreateHangMonitorChild(aTransport, aOtherProcess);
 }

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-
-#include <stdlib.h>
-
-static bool
-GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath, nsCString &aAppDir)
-{
-  nsAutoCString appPath;
-  nsAutoCString appBinaryPath(
-    (CommandLine::ForCurrentProcess()->argv()[0]).c_str());
-
-  nsAutoCString::const_iterator start, end;
-  appBinaryPath.BeginReading(start);
-  appBinaryPath.EndReading(end);
-  if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) {
-    end = start;
-    ++end; ++end; ++end; ++end;
-    appBinaryPath.BeginReading(start);
-    appPath.Assign(Substring(start, end));
-  } else {
-    return false;
-  }
-
-  nsCOMPtr<nsIFile> app, appBinary;
-  nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath),
-                                true, getter_AddRefs(app));
-  if (NS_FAILED(rv)) {
-    return false;
-  }
-  rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath),
-                       true, getter_AddRefs(appBinary));
-  if (NS_FAILED(rv)) {
-    return false;
-  }
-
-  nsCOMPtr<nsIFile> appDir;
-  nsCOMPtr<nsIProperties> dirSvc =
-    do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID);
-  if (!dirSvc) {
-    return false;
-  }
-  rv = dirSvc->Get(NS_XPCOM_CURRENT_PROCESS_DIR,
-                   NS_GET_IID(nsIFile), getter_AddRefs(appDir));
-  if (NS_FAILED(rv)) {
-    return false;
-  }
-  bool exists;
-  rv = appDir->Exists(&exists);
-  if (NS_FAILED(rv) || !exists) {
-    return false;
-  }
-
-  bool isLink;
-  app->IsSymlink(&isLink);
-  if (isLink) {
-    app->GetNativeTarget(aAppPath);
-  } else {
-    app->GetNativePath(aAppPath);
-  }
-  appBinary->IsSymlink(&isLink);
-  if (isLink) {
-    appBinary->GetNativeTarget(aAppBinaryPath);
-  } else {
-    appBinary->GetNativePath(aAppBinaryPath);
-  }
-  appDir->IsSymlink(&isLink);
-  if (isLink) {
-    appDir->GetNativeTarget(aAppDir);
-  } else {
-    appDir->GetNativePath(aAppDir);
-  }
-
-  return true;
-}
-
-static bool
-StartMacOSContentSandbox()
-{
-  int sandboxLevel = Preferences::GetInt("security.sandbox.content.level");
-  if (sandboxLevel < 1) {
-    return false;
-  }
-
-  nsAutoCString appPath, appBinaryPath, appDir;
-  if (!GetAppPaths(appPath, appBinaryPath, appDir)) {
-    MOZ_CRASH("Error resolving child process path");
-  }
-
-  // During sandboxed content process startup, before reaching
-  // this point, NS_OS_TEMP_DIR is modified to refer to a sandbox-
-  // writable temporary directory
-  nsCOMPtr<nsIFile> tempDir;
-  nsresult rv = nsDirectoryService::gService->Get(NS_OS_TEMP_DIR,
-      NS_GET_IID(nsIFile), getter_AddRefs(tempDir));
-  if (NS_FAILED(rv)) {
-    MOZ_CRASH("Failed to get NS_OS_TEMP_DIR");
-  }
-
-  nsAutoCString tempDirPath;
-  tempDir->Normalize();
-  rv = tempDir->GetNativePath(tempDirPath);
-  if (NS_FAILED(rv)) {
-    MOZ_CRASH("Failed to get NS_OS_TEMP_DIR path");
-  }
-
-  nsCOMPtr<nsIFile> profileDir;
-  ContentChild::GetSingleton()->GetProfileDir(getter_AddRefs(profileDir));
-  nsCString profileDirPath;
-  if (profileDir) {
-    rv = profileDir->GetNativePath(profileDirPath);
-    if (NS_FAILED(rv) || profileDirPath.IsEmpty()) {
-      MOZ_CRASH("Failed to get profile path");
-    }
-  }
-
-  MacSandboxInfo info;
-  info.type = MacSandboxType_Content;
-  info.level = info.level = sandboxLevel;
-  info.appPath.assign(appPath.get());
-  info.appBinaryPath.assign(appBinaryPath.get());
-  info.appDir.assign(appDir.get());
-  info.appTempDir.assign(tempDirPath.get());
-
-  if (profileDir) {
-    info.hasSandboxedProfile = true;
-    info.profileDir.assign(profileDirPath.get());
-  } else {
-    info.hasSandboxedProfile = false;
-  }
-
-  std::string err;
-  if (!mozilla::StartMacSandbox(info, err)) {
-    NS_WARNING(err.c_str());
-    MOZ_CRASH("sandbox_init() failed");
-  }
-
-  return true;
-}
-#endif
-
 bool
 ContentChild::RecvSetProcessSandbox(const MaybeFileDesc& aBroker)
 {
  // We may want to move the sandbox initialization somewhere else
  // at some point; see bug 880808.
-#if defined(MOZ_CONTENT_SANDBOX)
-  bool sandboxEnabled = true;
-#if defined(XP_LINUX)
-#if defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19
-  // For B2G >= KitKat, sandboxing is mandatory; this has already
-  // been enforced by ContentParent::StartUp().
-  MOZ_ASSERT(SandboxInfo::Get().CanSandboxContent());
-#else
-  // Otherwise, sandboxing is best-effort.
-  if (!SandboxInfo::Get().CanSandboxContent()) {
-       sandboxEnabled = false;
-   } else {
-       // This triggers the initialization of cubeb, which needs to happen
-       // before seccomp is enabled (Bug 1259508). It also increases the startup
-       // time of the content process, because cubeb is usually initialized
-       // when it is actually needed. This call here is no longer required
-       // once Bug 1104619 (remoting audio) is resolved.
-       Unused << CubebUtils::GetCubebContext();
-  }
-
-#endif /* MOZ_WIDGET_GONK && ANDROID_VERSION >= 19 */
-  if (sandboxEnabled) {
-    int brokerFd = -1;
-    if (aBroker.type() == MaybeFileDesc::TFileDescriptor) {
-      auto fd = aBroker.get_FileDescriptor().ClonePlatformHandle();
-      brokerFd = fd.release();
-      // brokerFd < 0 means to allow direct filesystem access, so
-      // make absolutely sure that doesn't happen if the parent
-      // didn't intend it.
-      MOZ_RELEASE_ASSERT(brokerFd >= 0);
-    }
-    sandboxEnabled = SetContentProcessSandbox(brokerFd);
-  }
-#elif defined(XP_WIN)
-  mozilla::SandboxTarget::Instance()->StartSandbox();
-#elif defined(XP_MACOSX)
-  sandboxEnabled = StartMacOSContentSandbox();
-#endif
-
-#endif /* MOZ_CONTENT_SANDBOX */
-
  return true;
 }

--- a/dom/ipc/ContentChild.h
+++ b/dom/ipc/ContentChild.h
@ -21,10 +21,6 @@
 #include "nsWeakPtr.h"
 #include "nsIWindowProvider.h"

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-#include "nsIFile.h"
-#endif
-
 struct ChromePackage;
 class nsIObserver;
 struct SubstitutionMapping;
@ -118,19 +114,6 @@ public:

  void GetProcessName(nsACString& aName) const;

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-  void GetProfileDir(nsIFile** aProfileDir) const
-  {
-    *aProfileDir = mProfileDir;
-    NS_IF_ADDREF(*aProfileDir);
-  }
-
-  void SetProfileDir(nsIFile* aProfileDir)
-  {
-    mProfileDir = aProfileDir;
-  }
-#endif
-
  bool IsAlive() const;

  bool IsShuttingDown() const;
@ -679,10 +662,6 @@ private:
  nsCOMPtr<nsIDomainPolicy> mPolicy;
  nsCOMPtr<nsITimer> mForceKillTimer;

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-  nsCOMPtr<nsIFile> mProfileDir;
-#endif
-
  // Hashtable to keep track of the pending GetFilesHelper objects.
  // This GetFilesHelperChild objects are removed when RecvGetFilesResponse is
  // received.
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@ -230,12 +230,6 @@ using namespace mozilla::system;
 #include "mozilla/dom/SpeechSynthesisParent.h"
 #endif

-#if defined(MOZ_CONTENT_SANDBOX) && defined(XP_LINUX)
-#include "mozilla/SandboxInfo.h"
-#include "mozilla/SandboxBroker.h"
-#include "mozilla/SandboxBrokerPolicyFactory.h"
-#endif
-
 #ifdef MOZ_TOOLKIT_SEARCH
 #include "nsIBrowserSearchService.h"
 #endif
@ -503,9 +497,6 @@ nsTArray<ContentParent*>* ContentParent::sNonAppContentParents;
 nsTArray<ContentParent*>* ContentParent::sLargeAllocationContentParents;
 nsTArray<ContentParent*>* ContentParent::sPrivateContent;
 StaticAutoPtr<LinkedList<ContentParent> > ContentParent::sContentParents;
-#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
-UniquePtr<SandboxBrokerPolicyFactory> ContentParent::sSandboxBrokerPolicyFactory;
-#endif

 // This is true when subprocess launching is enabled.  This is the
 // case between StartUp() and ShutDown() or JoinAllSubprocesses().
@ -637,18 +628,6 @@ ContentParent::StartUp()
    return;
  }

-#if defined(MOZ_CONTENT_SANDBOX) && defined(MOZ_WIDGET_GONK) && ANDROID_VERSION >= 19
-  // Require sandboxing on B2G >= KitKat.  This condition must stay
-  // in sync with ContentChild::RecvSetProcessSandbox.
-  if (!SandboxInfo::Get().CanSandboxContent()) {
-    // MOZ_CRASH strings are only for debug builds; make sure the
-    // message is clear on non-debug builds as well:
-    printf_stderr("Sandboxing support is required on this platform.  "
-                  "Recompile kernel with CONFIG_SECCOMP_FILTER=y\n");
-    MOZ_CRASH("Sandboxing support is required on this platform.");
-  }
-#endif
-
  // Note: This reporter measures all ContentParents.
  RegisterStrongMemoryReporter(new ContentParentsMemoryReporter());

@ -662,10 +641,6 @@ ContentParent::StartUp()
  PreallocatedProcessManager::AllocateAfterDelay();

  sDisableUnsafeCPOWWarnings = PR_GetEnv("DISABLE_UNSAFE_CPOW_WARNINGS");
-
-#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
-  sSandboxBrokerPolicyFactory = MakeUnique<SandboxBrokerPolicyFactory>();
-#endif
 }

 /*static*/ void
@ -674,10 +649,6 @@ ContentParent::ShutDown()
  // No-op for now.  We rely on normal process shutdown and
  // ClearOnShutdown() to clean up our state.
  sCanLaunchSubprocesses = false;
-
-#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
-  sSandboxBrokerPolicyFactory = nullptr;
-#endif
 }

 /*static*/ void
@ -2244,37 +2215,6 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
    }
  }

-#ifdef MOZ_CONTENT_SANDBOX
-  bool shouldSandbox = true;
-  MaybeFileDesc brokerFd = void_t();
-#ifdef XP_LINUX
-  // XXX: Checking the pref here makes it possible to enable/disable sandboxing
-  // during an active session. Currently the pref is only used for testing
-  // purpose. If the decision is made to permanently rely on the pref, this
-  // should be changed so that it is required to restart firefox for the change
-  // of value to take effect.
-  shouldSandbox = (Preferences::GetInt("security.sandbox.content.level") > 0) &&
-    !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX");
-
-  if (shouldSandbox) {
-    MOZ_ASSERT(!mSandboxBroker);
-    UniquePtr<SandboxBroker::Policy> policy =
-      sSandboxBrokerPolicyFactory->GetContentPolicy(Pid());
-    if (policy) {
-      brokerFd = FileDescriptor();
-      mSandboxBroker = SandboxBroker::Create(Move(policy), Pid(), brokerFd);
-      if (!mSandboxBroker) {
-        KillHard("SandboxBroker::Create failed");
-        return;
-      }
-      MOZ_ASSERT(static_cast<const FileDescriptor&>(brokerFd).IsValid());
-    }
-  }
-#endif
-  if (shouldSandbox && !SendSetProcessSandbox(brokerFd)) {
-    KillHard("SandboxInitFailed");
-  }
-#endif
 #if defined(XP_WIN)
  // Send the info needed to join the browser process's audio session.
  nsID id;
--- a/dom/ipc/ContentParent.h
+++ b/dom/ipc/ContentParent.h
@ -46,11 +46,6 @@ class PRemoteSpellcheckEngineParent;
 class ProfileGatherer;
 #endif

-#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
-class SandboxBroker;
-class SandboxBrokerPolicyFactory;
-#endif
-
 namespace embedding {
 class PrintingParent;
 }
@ -1152,12 +1147,6 @@ private:

  UniquePtr<gfx::DriverCrashGuard> mDriverCrashGuard;

-#if defined(XP_LINUX) && defined(MOZ_CONTENT_SANDBOX)
-  mozilla::UniquePtr<SandboxBroker> mSandboxBroker;
-  static mozilla::UniquePtr<SandboxBrokerPolicyFactory>
-      sSandboxBrokerPolicyFactory;
-#endif
-
 #ifdef NS_PRINTING
  RefPtr<embedding::PrintingParent> mPrintingParent;
 #endif
--- a/dom/ipc/ContentProcess.cpp
+++ b/dom/ipc/ContentProcess.cpp
@ -8,127 +8,17 @@

 #include "ContentProcess.h"

-#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/WindowsVersion.h"
-#endif
-
-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-#include <stdlib.h>
-#endif
-
-#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
-#include "mozilla/Preferences.h"
-#include "nsAppDirectoryServiceDefs.h"
-#include "nsDirectoryService.h"
-#include "nsDirectoryServiceDefs.h"
-#endif
-
 using mozilla::ipc::IOThreadChild;

 namespace mozilla {
 namespace dom {

-#if defined(XP_WIN) && defined(MOZ_CONTENT_SANDBOX)
-static bool
-IsSandboxTempDirRequired()
-{
-  // On Windows, a sandbox-writable temp directory is only used
-  // for Vista or later with sandbox pref level >= 1.
-  return (IsVistaOrLater() &&
-    (Preferences::GetInt("security.sandbox.content.level") >= 1));
-}
-
-static void
-SetTmpEnvironmentVariable(nsIFile* aValue)
-{
-  // Save the TMP environment variable so that is is picked up by GetTempPath().
-  // Note that we specifically write to the TMP variable, as that is the first
-  // variable that is checked by GetTempPath() to determine its output.
-  nsAutoString fullTmpPath;
-  nsresult rv = aValue->GetPath(fullTmpPath);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-  Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TMP", fullTmpPath.get()));
-  // We also set TEMP in case there is naughty third-party code that is
-  // referencing the environment variable directly.
-  Unused << NS_WARN_IF(!SetEnvironmentVariableW(L"TEMP", fullTmpPath.get()));
-}
-#endif
-
-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-static bool
-IsSandboxTempDirRequired()
-{
-  // On OSX, use the sandbox-writable temp when the pref level >= 1.
-  return (Preferences::GetInt("security.sandbox.content.level") >= 1);
-}
-
-static void
-SetTmpEnvironmentVariable(nsIFile* aValue)
-{
-  nsAutoCString fullTmpPath;
-  nsresult rv = aValue->GetNativePath(fullTmpPath);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-  Unused << NS_WARN_IF(setenv("TMPDIR", fullTmpPath.get(), 1) != 0);
-}
-#endif
-
-#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
-static void
-SetUpSandboxEnvironment()
-{
-  MOZ_ASSERT(nsDirectoryService::gService,
-    "SetUpSandboxEnvironment relies on nsDirectoryService being initialized");
-
-  if (!IsSandboxTempDirRequired()) {
-    return;
-  }
-
-  nsCOMPtr<nsIFile> sandboxedContentTemp;
-  nsresult rv =
-    nsDirectoryService::gService->Get(NS_APP_CONTENT_PROCESS_TEMP_DIR,
-                                      NS_GET_IID(nsIFile),
-                                      getter_AddRefs(sandboxedContentTemp));
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-
-  // Change the gecko defined temp directory to our sandbox-writable one.
-  // Undefine returns a failure if the property is not already set.
-  Unused << nsDirectoryService::gService->Undefine(NS_OS_TEMP_DIR);
-  rv = nsDirectoryService::gService->Set(NS_OS_TEMP_DIR, sandboxedContentTemp);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return;
-  }
-
-  SetTmpEnvironmentVariable(sandboxedContentTemp);
-}
-#endif
-
 void
 ContentProcess::SetAppDir(const nsACString& aPath)
 {
  mXREEmbed.SetAppDir(aPath);
 }

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-void
-ContentProcess::SetProfile(const nsACString& aProfile)
-{
-  bool flag;
-  nsresult rv =
-    XRE_GetFileFromPath(aProfile.BeginReading(), getter_AddRefs(mProfileDir));
-  if (NS_FAILED(rv) ||
-      NS_FAILED(mProfileDir->Exists(&flag)) || !flag) {
-    NS_WARNING("Invalid profile directory passed to content process.");
-    mProfileDir = nullptr;
-  }
-}
-#endif
-
 bool
 ContentProcess::Init()
 {
@ -139,14 +29,6 @@ ContentProcess::Init()
    mContent.InitXPCOM();
    mContent.InitGraphicsDeviceData();

-#if (defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
-    mContent.SetProfileDir(mProfileDir);
-#endif
-
-#if (defined(XP_WIN) || defined(XP_MACOSX)) && defined(MOZ_CONTENT_SANDBOX)
-    SetUpSandboxEnvironment();
-#endif
-
    return true;
 }

--- a/dom/ipc/ContentProcess.h
+++ b/dom/ipc/ContentProcess.h
@ -39,18 +39,10 @@ public:

  void SetAppDir(const nsACString& aPath);

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-  void SetProfile(const nsACString& aProfile);
-#endif
-
 private:
  ContentChild mContent;
  mozilla::ipc::ScopedXREEmbed mXREEmbed;

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-  nsCOMPtr<nsIFile> mProfileDir;
-#endif
-
 #if defined(XP_WIN)
  // This object initializes and configures COM.
  mozilla::mscom::MainThreadRuntime mCOMRuntime;
--- a/dom/ipc/moz.build
+++ b/dom/ipc/moz.build
@ -112,11 +112,6 @@ if CONFIG['MOZ_SANDBOX'] and CONFIG['OS_TARGET'] == 'Darwin':
        'mozsandbox',
    ]

-if CONFIG['MOZ_CONTENT_SANDBOX'] and CONFIG['OS_ARCH'] == 'Linux':
-    USE_LIBS += [
-        'mozsandbox',
-    ]
-
 LOCAL_INCLUDES += [
    '/caps',
    '/chrome',
--- a/ipc/contentproc/plugin-container.cpp
+++ b/ipc/contentproc/plugin-container.cpp
@ -49,10 +49,6 @@
       "Gecko:MozillaRntimeMain", __VA_ARGS__)) \
     : (void)0 )

-# ifdef MOZ_CONTENT_SANDBOX
-# include "mozilla/Sandbox.h"
-# endif
-
 #endif // MOZ_WIDGET_GONK

 #ifdef MOZ_WIDGET_GONK
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -23,10 +23,6 @@
 #include "prenv.h"
 #include "nsXPCOMPrivate.h"

-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-#include "nsAppDirectoryServiceDefs.h"
-#endif
-
 #include "nsExceptionHandler.h"

 #include "nsDirectoryServiceDefs.h"
@ -312,15 +308,6 @@ GeckoChildProcessHost::PrepareLaunch()
    InitWindowsGroupID();
  }

-#if defined(MOZ_CONTENT_SANDBOX)
-  // We need to get the pref here as the process is launched off main thread.
-  if (mProcessType == GeckoProcessType_Content) {
-    mSandboxLevel = Preferences::GetInt("security.sandbox.content.level");
-    mEnableSandboxLogging =
-      Preferences::GetBool("security.sandbox.windows.log");
-  }
-#endif
-
 #if defined(MOZ_SANDBOX)
  // For other process types we can't rely on them being launched on main
  // thread and they may not have access to prefs in the child process, so allow
@ -608,20 +595,6 @@ AddAppDirToCommandLine(std::vector<std::string>& aCmdLine)
        aCmdLine.push_back(path.get());
 #endif
      }
-
-#if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
-      // Full path to the profile dir
-      nsCOMPtr<nsIFile> profileDir;
-      rv = directoryService->Get(NS_APP_USER_PROFILE_50_DIR,
-                                 NS_GET_IID(nsIFile),
-                                 getter_AddRefs(profileDir));
-      if (NS_SUCCEEDED(rv)) {
-        nsAutoCString path;
-        MOZ_ALWAYS_SUCCEEDS(profileDir->GetNativePath(path));
-        aCmdLine.push_back("-profile");
-        aCmdLine.push_back(path.get());
-      }
-#endif
    }
  }
 }
@ -1029,17 +1002,6 @@ GeckoChildProcessHost::PerformAsyncLaunchInternal(std::vector<std::string>& aExt
  // of reorganizing so I don't think this patch is the right time.
  switch (mProcessType) {
    case GeckoProcessType_Content:
-#if defined(MOZ_CONTENT_SANDBOX)
-      if (mSandboxLevel > 0 &&
-          !PR_GetEnv("MOZ_DISABLE_CONTENT_SANDBOX")) {
-        // For now we treat every failure as fatal in SetSecurityLevelForContentProcess
-        // and just crash there right away. Should this change in the future then we
-        // should also handle the error here.
-        mSandboxBroker.SetSecurityLevelForContentProcess(mSandboxLevel);
-        shouldSandboxCurrentProcess = true;
-        AddContentSandboxAllowedFiles(mSandboxLevel, mAllowedFilesRead);
-      }
-#endif // MOZ_CONTENT_SANDBOX
      break;
    case GeckoProcessType_Plugin:
      if (mSandboxLevel > 0 &&
--- a/ipc/mscom/InterceptorLog.cpp
+++ b/ipc/mscom/InterceptorLog.cpp
@ -98,13 +98,8 @@ Logger::Logger(const nsACString& aLeafBaseName)
    rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR, getter_AddRefs(logFileName));
  } else if (procType == GeckoProcessType_Content) {
    leafName.AppendLiteral("-Content-");
-#if defined(MOZ_CONTENT_SANDBOX)
-    rv = NS_GetSpecialDirectory(NS_APP_CONTENT_PROCESS_TEMP_DIR,
-                                getter_AddRefs(logFileName));
-#else
    rv = NS_GetSpecialDirectory(NS_OS_TEMP_DIR,
                                getter_AddRefs(logFileName));
-#endif // defined(MOZ_CONTENT_SANDBOX)
  } else {
    return;
  }
--- a/old-configure.in
+++ b/old-configure.in
@ -2311,7 +2311,6 @@ MOZ_INSTALL_TRACKING=
 ACCESSIBILITY=1
 MOZ_TIME_MANAGER=
 MOZ_AUDIO_CHANNEL_MANAGER=
-MOZ_CONTENT_SANDBOX=
 MOZ_GMP_SANDBOX=
 MOZ_SANDBOX=
 MOZ_BINARY_EXTENSIONS=
@ -3943,45 +3942,6 @@ if test -n "$MOZ_TSAN" -o -n "$MOZ_ASAN"; then
    esac
 fi

-dnl ========================================================
-dnl = Content process sandboxing
-dnl ========================================================
-if test -n "$gonkdir"; then
-    MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
-fi
-
-case "$OS_TARGET:$NIGHTLY_BUILD" in
-WINNT:*)
-    MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
-    ;;
-Darwin:*)
-    MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
-    ;;
-Linux:1)
-    case $CPU_ARCH in
-        x86_64|x86)
-            MOZ_CONTENT_SANDBOX=$MOZ_SANDBOX
-        ;;
-    esac
-    ;;
-esac
-
-MOZ_ARG_ENABLE_BOOL(content-sandbox,
-[  --enable-content-sandbox Enable sandboxing support for content-processes
-  --disable-content-sandbox Disable sandboxing support for content-processes],
-    MOZ_CONTENT_SANDBOX=1,
-    MOZ_CONTENT_SANDBOX=)
-
-if test -n "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_SANDBOX"; then
-    AC_MSG_ERROR([--enable-content-sandbox and --disable-sandbox are conflicting options])
-fi
-
-if test -n "$MOZ_CONTENT_SANDBOX"; then
-    AC_DEFINE(MOZ_CONTENT_SANDBOX)
-fi
-
-AC_SUBST(MOZ_CONTENT_SANDBOX)
-
 dnl ========================================================
 dnl = Gecko Media Plugin sandboxing
 dnl ========================================================
@ -4007,7 +3967,7 @@ fi

 AC_SUBST(MOZ_GMP_SANDBOX)

-if test -z "$MOZ_CONTENT_SANDBOX" -a -z "$MOZ_GMP_SANDBOX"; then
+if test -z "$MOZ_GMP_SANDBOX"; then
    MOZ_SANDBOX=
 fi

--- a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
+++ b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
@ -89,15 +89,6 @@ InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb)
  if (Preferences::GetBool("security.sandbox.windows.log") ||
      PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
    aProvideLogFunctionCb(Log);
-
-#if defined(MOZ_CONTENT_SANDBOX)
-    // We can only log the stack trace on process types where we know that the
-    // sandbox won't prevent it.
-    if (XRE_IsContentProcess()) {
-      Preferences::AddUintVarCache(&sStackTraceDepth,
-        "security.sandbox.windows.log.stackTraceDepth");
-    }
-#endif
  }
 }

--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@ -626,34 +626,6 @@ SandboxEarlyInit(GeckoProcessType aType)
  }
 }

-#ifdef MOZ_CONTENT_SANDBOX
-/**
- * Starts the seccomp sandbox for a content process.  Should be called
- * only once, and before any potentially harmful content is loaded.
- *
- * Will normally make the process exit on failure.
-*/
-bool
-SetContentProcessSandbox(int aBrokerFd)
-{
-  if (!SandboxInfo::Get().Test(SandboxInfo::kEnabledForContent)) {
-    if (aBrokerFd >= 0) {
-      close(aBrokerFd);
-    }
-    return false;
-  }
-
-  // This needs to live until the process exits.
-  static Maybe<SandboxBrokerClient> sBroker;
-  if (aBrokerFd >= 0) {
-    sBroker.emplace(aBrokerFd);
-  }
-
-  SetCurrentProcessSandbox(GetContentSandboxPolicy(sBroker.ptrOr(nullptr)));
-  return true;
-}
-#endif // MOZ_CONTENT_SANDBOX
-
 #ifdef MOZ_GMP_SANDBOX
 /**
 * Starts the seccomp sandbox for a media plugin process.  Should be
--- a/security/sandbox/linux/Sandbox.h
+++ b/security/sandbox/linux/Sandbox.h
@ -19,14 +19,6 @@ namespace mozilla {
 // This must be called early, while the process is still single-threaded.
 MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);

-#ifdef MOZ_CONTENT_SANDBOX
-// Call only if SandboxInfo::CanSandboxContent() returns true.
-// (No-op if MOZ_DISABLE_CONTENT_SANDBOX is set.)
-// aBrokerFd is the filesystem broker client file descriptor,
-// or -1 to allow direct filesystem access.
-MOZ_EXPORT bool SetContentProcessSandbox(int aBrokerFd);
-#endif
-
 #ifdef MOZ_GMP_SANDBOX
 // Call only if SandboxInfo::CanSandboxMedia() returns true.
 // (No-op if MOZ_DISABLE_GMP_SANDBOX is set.)
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ b/security/sandbox/linux/SandboxFilter.cpp
@ -340,495 +340,6 @@ public:

 // The process-type-specific syscall rules start here:

-#ifdef MOZ_CONTENT_SANDBOX
-// The seccomp-bpf filter for content processes is not a true sandbox
-// on its own; its purpose is attack surface reduction and syscall
-// interception in support of a semantic sandboxing layer.  On B2G
-// this is the Android process permission model; on desktop,
-// namespaces and chroot() will be used.
-class ContentSandboxPolicy : public SandboxPolicyCommon {
-  SandboxBrokerClient* mBroker;
-
-  // Trap handlers for filesystem brokering.
-  // (The amount of code duplication here could be improved....)
-#ifdef __NR_open
-  static intptr_t OpenTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto flags = static_cast<int>(aArgs.args[1]);
-    return broker->Open(path, flags);
-  }
-#endif
-
-  static intptr_t OpenAtTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto fd = static_cast<int>(aArgs.args[0]);
-    auto path = reinterpret_cast<const char*>(aArgs.args[1]);
-    auto flags = static_cast<int>(aArgs.args[2]);
-    if (fd != AT_FDCWD && path[0] != '/') {
-      SANDBOX_LOG_ERROR("unsupported fd-relative openat(%d, \"%s\", 0%o)",
-                        fd, path, flags);
-      return BlockedSyscallTrap(aArgs, nullptr);
-    }
-    return broker->Open(path, flags);
-  }
-
-#ifdef __NR_access
-  static intptr_t AccessTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto mode = static_cast<int>(aArgs.args[1]);
-    return broker->Access(path, mode);
-  }
-#endif
-
-  static intptr_t AccessAtTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto fd = static_cast<int>(aArgs.args[0]);
-    auto path = reinterpret_cast<const char*>(aArgs.args[1]);
-    auto mode = static_cast<int>(aArgs.args[2]);
-    // Linux's faccessat syscall has no "flags" argument.  Attempting
-    // to handle the flags != 0 case is left to userspace; this is
-    // impossible to do correctly in all cases, but that's not our
-    // problem.
-    if (fd != AT_FDCWD && path[0] != '/') {
-      SANDBOX_LOG_ERROR("unsupported fd-relative faccessat(%d, \"%s\", %d)",
-                        fd, path, mode);
-      return BlockedSyscallTrap(aArgs, nullptr);
-    }
-    return broker->Access(path, mode);
-  }
-
-  static intptr_t StatTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
-    return broker->Stat(path, buf);
-  }
-
-  static intptr_t LStatTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto buf = reinterpret_cast<statstruct*>(aArgs.args[1]);
-    return broker->LStat(path, buf);
-  }
-
-  static intptr_t StatAtTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto fd = static_cast<int>(aArgs.args[0]);
-    auto path = reinterpret_cast<const char*>(aArgs.args[1]);
-    auto buf = reinterpret_cast<statstruct*>(aArgs.args[2]);
-    auto flags = static_cast<int>(aArgs.args[3]);
-    if (fd != AT_FDCWD && path[0] != '/') {
-      SANDBOX_LOG_ERROR("unsupported fd-relative fstatat(%d, \"%s\", %p, %d)",
-                        fd, path, buf, flags);
-      return BlockedSyscallTrap(aArgs, nullptr);
-    }
-    if ((flags & ~AT_SYMLINK_NOFOLLOW) != 0) {
-      SANDBOX_LOG_ERROR("unsupported flags %d in fstatat(%d, \"%s\", %p, %d)",
-                        (flags & ~AT_SYMLINK_NOFOLLOW), fd, path, buf, flags);
-      return BlockedSyscallTrap(aArgs, nullptr);
-    }
-    return (flags & AT_SYMLINK_NOFOLLOW) == 0
-      ? broker->Stat(path, buf)
-      : broker->LStat(path, buf);
-  }
-
-  static intptr_t ChmodTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto mode = static_cast<mode_t>(aArgs.args[1]);
-    return broker->Chmod(path, mode);
-  }
-
-  static intptr_t LinkTrap(ArgsRef aArgs, void *aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
-    return broker->Link(path, path2);
-  }
-
-  static intptr_t SymlinkTrap(ArgsRef aArgs, void *aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
-    return broker->Symlink(path, path2);
-  }
-
-  static intptr_t RenameTrap(ArgsRef aArgs, void *aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto path2 = reinterpret_cast<const char*>(aArgs.args[1]);
-    return broker->Rename(path, path2);
-  }
-
-  static intptr_t MkdirTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto mode = static_cast<mode_t>(aArgs.args[1]);
-    return broker->Mkdir(path, mode);
-  }
-
-  static intptr_t RmdirTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    return broker->Rmdir(path);
-  }
-
-  static intptr_t UnlinkTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    return broker->Unlink(path);
-  }
-
-  static intptr_t ReadlinkTrap(ArgsRef aArgs, void* aux) {
-    auto broker = static_cast<SandboxBrokerClient*>(aux);
-    auto path = reinterpret_cast<const char*>(aArgs.args[0]);
-    auto buf = reinterpret_cast<char*>(aArgs.args[1]);
-    auto size = static_cast<size_t>(aArgs.args[2]);
-    return broker->Readlink(path, buf, size);
-  }
-
-  static intptr_t GetPPidTrap(ArgsRef aArgs, void* aux) {
-    // In a pid namespace, getppid() will return 0. We will return 0 instead
-    // of the real parent pid to see what breaks when we introduce the
-    // pid namespace (Bug 1151624).
-    return 0;
-  }
-
-public:
-  explicit ContentSandboxPolicy(SandboxBrokerClient* aBroker):mBroker(aBroker) { }
-  virtual ~ContentSandboxPolicy() { }
-  virtual ResultExpr PrctlPolicy() const override {
-    // Ideally this should be restricted to a whitelist, but content
-    // uses enough things that it's not trivial to determine it.
-    return Allow();
-  }
-  virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
-    switch(aCall) {
-    case SYS_RECVFROM:
-    case SYS_SENDTO:
-      return Some(Allow());
-
-    case SYS_SOCKETPAIR: {
-      // See bug 1066750.
-      if (!kSocketCallHasArgs) {
-        // We can't filter the args if the platform passes them by pointer.
-        return Some(Allow());
-      }
-      Arg<int> domain(0), type(1);
-      return Some(If(AllOf(domain == AF_UNIX,
-                           AnyOf(type == SOCK_STREAM, type == SOCK_SEQPACKET)),
-                     Allow())
-                  .Else(InvalidSyscall()));
-    }
-
-#ifdef ANDROID
-    case SYS_SOCKET:
-      return Some(Error(EACCES));
-#else // #ifdef DESKTOP
-    case SYS_RECV:
-    case SYS_SEND:
-    case SYS_SOCKET: // DANGEROUS
-    case SYS_CONNECT: // DANGEROUS
-    case SYS_ACCEPT:
-    case SYS_ACCEPT4:
-    case SYS_BIND:
-    case SYS_LISTEN:
-    case SYS_GETSOCKOPT:
-    case SYS_SETSOCKOPT:
-    case SYS_GETSOCKNAME:
-    case SYS_GETPEERNAME:
-    case SYS_SHUTDOWN:
-      return Some(Allow());
-#endif
-    default:
-      return SandboxPolicyCommon::EvaluateSocketCall(aCall);
-    }
-  }
-
-#ifdef DESKTOP
-  virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const override {
-    switch(aCall) {
-      // These are a problem: SysV shared memory follows the Unix
-      // "same uid policy" and can't be restricted/brokered like file
-      // access.  But the graphics layer might not be using them
-      // anymore; this needs to be studied.
-    case SHMGET:
-    case SHMCTL:
-    case SHMAT:
-    case SHMDT:
-    case SEMGET:
-    case SEMCTL:
-    case SEMOP:
-    case MSGGET:
-      return Some(Allow());
-    default:
-      return SandboxPolicyCommon::EvaluateIpcCall(aCall);
-    }
-  }
-#endif
-
-  virtual ResultExpr EvaluateSyscall(int sysno) const override {
-    if (mBroker) {
-      // Have broker; route the appropriate syscalls to it.
-      switch (sysno) {
-      case __NR_open:
-        return Trap(OpenTrap, mBroker);
-      case __NR_openat:
-        return Trap(OpenAtTrap, mBroker);
-      case __NR_access:
-        return Trap(AccessTrap, mBroker);
-      case __NR_faccessat:
-        return Trap(AccessAtTrap, mBroker);
-      CASES_FOR_stat:
-        return Trap(StatTrap, mBroker);
-      CASES_FOR_lstat:
-        return Trap(LStatTrap, mBroker);
-      CASES_FOR_fstatat:
-        return Trap(StatAtTrap, mBroker);
-      case __NR_chmod:
-        return Trap(ChmodTrap, mBroker);
-      case __NR_link:
-        return Trap(LinkTrap, mBroker);
-      case __NR_mkdir:
-        return Trap(MkdirTrap, mBroker);
-      case __NR_symlink:
-        return Trap(SymlinkTrap, mBroker);
-      case __NR_rename:
-        return Trap(RenameTrap, mBroker);
-      case __NR_rmdir:
-        return Trap(RmdirTrap, mBroker);
-      case __NR_unlink:
-        return Trap(UnlinkTrap, mBroker);
-      case __NR_readlink:
-        return Trap(ReadlinkTrap, mBroker);
-      }
-    } else {
-      // No broker; allow the syscalls directly.  )-:
-      switch(sysno) {
-      case __NR_open:
-      case __NR_openat:
-      case __NR_access:
-      case __NR_faccessat:
-      CASES_FOR_stat:
-      CASES_FOR_lstat:
-      CASES_FOR_fstatat:
-      case __NR_chmod:
-      case __NR_link:
-      case __NR_mkdir:
-      case __NR_symlink:
-      case __NR_rename:
-      case __NR_rmdir:
-      case __NR_unlink:
-      case __NR_readlink:
-        return Allow();
-      }
-    }
-
-    switch (sysno) {
-#ifdef DESKTOP
-    case __NR_getppid:
-      return Trap(GetPPidTrap, nullptr);
-
-      // Filesystem syscalls that need more work to determine who's