Printing to a file is broken with Linux content sandboxing enabled

While investigating #23016 (moved) it turned out that the newly enabled content sandboxing prevents from printing to a file not only on particular Linux setups but outright denies it.

The reason for that is https://bugzilla.mozilla.org/show_bug.cgi?id=1309205. We need to backport

https://hg.mozilla.org/mozilla-central/rev/5c25a123203a https://hg.mozilla.org/mozilla-central/rev/2797f193a147 https://hg.mozilla.org/mozilla-central/rev/5b9702d8fe4e

and

https://hg.mozilla.org/mozilla-central/rev/5e7872cb3b5c

to fix that. As a workaround one can set security.sandbox.content.level to 1.

added AffectsTails TorBrowserTeam201712R component::applications/tor browser ff60-esr-will-have owner::pospeselr priority::medium resolution::fixed severity::normal status::closed tbb-regression type::defect labels

Trac:
Keywords: N/A deleted, GeorgKoppen201710, TorBrowserTeam201710 added

Trac:
Username: tokotoko
Cc: intrigeri, pospeselr to intrigeri, pospeselr, fdsfgs@krutt.org

Moving my tickets to November.

Trac:
Keywords: GeorgKoppen201710 deleted, GeorgKoppen201711 added

Moving tickets over to November.

Trac:
Keywords: TorBrowserTeam201710 deleted, TorBrowserTeam201711 added

See #24177 (moved), too.

http://www.morbo.org/2017/11/linux-sandboxing-improvements-in.html

Trac:
Status: new to assigned
Owner: tbb-team to pospeselr

Trac:
Keywords: GeorgKoppen201711 deleted, N/A added

Trac:
0001-Issue-23970-Printing-to-a-file-is-broken-with-Linux-.patch

Verifying patch builds on Windows and OSX, but this should be a Linux-only change.

Trac:
Status: assigned to needs_review
Keywords: TorBrowserTeam201711 deleted, GeorgKoppen201711, TorBrowserTeam201711R added

I have not looked closer at the backport but here are some things we should fix:

1. Looking at the dependencies for bug 1309205 it seems to me we need to backport https://hg.mozilla.org/mozilla-central/rev/997c6b961cd0.

2. We should have one commit per Mozilla commit. This makes it easier to review the backport at least. It might even make it easier to narrow problems down during bisecting if we don't have just a big patch comprising all the changesets.

3. "Issue 23970" -> "Bug 23970"

Trac:
Keywords: GeorgKoppen201711, TorBrowserTeam201711R deleted, TorBrowserTeam201711 added
Status: needs_review to needs_revision

Split up the original patch into it's component firefox patches, and also added change 997c6b961cd0.

Trac:
Status: needs_revision to needs_review
Keywords: TorBrowserTeam201711 deleted, TorBrowserTeam201711R added

Moving review tickets over to December

Trac:
Keywords: TorBrowserTeam201711R deleted, TorBrowserTeam201712R added

The backport looks good. I think we should somehow keep the original Mozilla bug number at least (maybe even the patch author information) as this helps us finding patches in our tree. Especially in the case where you are referencing the mercurial patch while we are working with git. There are probably more folks who have mozilla-central as a git remote then an additional mercurial checkout of that branch. See comment:10:ticket:22084 for a workflow that works for me at least (not a thing you must or should follow, just something that makes it easy to deal with tor-browser and Mozilla's code in a git repository).

I know you are at the All Hands meeting. If you could find time to add at least the Mozilla bug number until Monday, great. Otherwise I'd take the patches as-is as I want to have that in the next alpha.

Oh, and just for posterity: part of the proposed backport (of 2797f193a147) already landed in ESR 52 previously, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1343813 and https://hg.mozilla.org/releases/mozilla-esr52/rev/90f870bbec29).

Trac:
0001-Bug-23970-Printing-to-a-file-is-broken-with-Linux-co.patch

Trac:
0002-Bug-23970-Printing-to-a-file-is-broken-with-Linux-co.patch

Trac:
0003-Bug-23970-Printing-to-a-file-is-broken-with-Linux-co.patch

Trac:
0004-Bug-23970-Printing-to-a-file-is-broken-with-Linux-co.patch