Bug 1363179 - do not allow content processes to read from /Volumes on macOS r?haik
MozReview-Commit-ID: 8osJVQD3myh
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,37 +271,40 @@ static const char contentSandboxRules[]
(profile-subpath "/extensions")
(profile-subpath "/chrome")))
; we don't have a profile dir
(allow file-read* (require-not (home-subpath "/Library")))))))
; level 3: global read access permitted, no global write access,
; no read access to the home directory,
; no read access to /private/var (but read-metadata allowed above),
+ ; no read access to /Volumes
; read access permitted to $PROFILE/{extensions,chrome}
(if (string=? sandbox-level-3 "TRUE")
(if (string=? hasFilePrivileges "TRUE")
; This process has blanket file read privileges
(allow file-read*)
; This process does not have blanket file read privileges
(if (string=? hasProfileDir "TRUE")
; we have a profile dir
(begin
(allow file-read* (require-all
(require-not (subpath home-path))
(require-not (subpath profileDir))
+ (require-not (subpath "/Volumes"))
(require-not (subpath "/private/var"))))
(allow file-read* (literal "/private/var/run/cupsd"))
(allow file-read*
(profile-subpath "/extensions")
(profile-subpath "/chrome")))
; we don't have a profile dir
(begin
(allow file-read* (require-all
(require-not (subpath home-path))
+ (require-not (subpath "/Volumes"))
(require-not (subpath "/private/var"))))
(allow file-read* (literal "/private/var/run/cupsd"))))))
; accelerated graphics
(allow-shared-preferences-read "com.apple.opengl")
(allow-shared-preferences-read "com.nvidia.OpenGL")
(allow mach-lookup
(global-name "com.apple.cvmsServ"))