Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS; r?haik
On macOS, the file-write* permission type contains numerous sub-permissions (see
bug for full listing). Restrict the ones we allow to only the two we need:
file-write-create and file-write-data. This primarily reduces kernel attack
surface; I'm not aware of any bad things that could be done directly with the
removed permissions.
MozReview-Commit-ID: 3VvjFesy2qx
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -270,17 +270,17 @@ static const char contentSandboxRules[]
(allow file-read-metadata (home-subpath "/Library"))
(allow file-read-metadata
(literal "/private/var")
(subpath "/private/var/folders"))
; bug 1303987
(if (string? debugWriteDir)
- (allow file-write* (subpath debugWriteDir)))
+ (allow file-write-create file-write-data (subpath debugWriteDir)))
; bug 1324610
(allow network-outbound file-read*
(literal "/private/var/run/cupsd"))
(allow-shared-list "org.mozilla.plugincontainer")
; the following rule should be removed when microphone access
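Review bot: The narrowed rule `+ (allow file-write-create file-write-data (subpath debugWriteDir)))` silently drops every other file-write* sub-permission (deletion/unlink among them) with no comment recording that the omission is deliberate, so a later reader chasing a write failure may simply widen it back to `file-write*`. The same applies to the appTempDir rule in the second hunk of this file. A policy comment next to each rule, in the file's existing `; bug NNN` style, e.g. `; bug 1379182: grant only the file-write sub-permissions the content process needs; deletion is intentionally not allowed`, would keep the intent next to the rule. The enclosing contentSandboxRules string starts outside the hunk.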
@@ -354,15 +354,15 @@ static const char contentSandboxRules[]
(iokit-user-client-class "AppleGraphicsPolicyClient"))
; bug 1153809
(allow iokit-open
(iokit-user-client-class "NVDVDContextTesla")
(iokit-user-client-class "Gen6DVDContext"))
; bug 1237847
- (allow file-read* file-write*
+ (allow file-read* file-write-create file-write-data
(subpath appTempDir))
)";
}
#endif // mozilla_SandboxPolicies_h
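Review bot: With the appTempDir rule reduced to `file-write-create file-write-data`, the content process can no longer remove files it creates under appTempDir — the test change to browser_content_sandbox_fs.js in this commit asserts exactly that. If any content-side code previously cleaned up its own temp files, those files now persist until something outside the content sandbox (the parent process or OS temp cleanup) removes them, which is worth confirming rather than assuming. A comment on the rule such as `; bug 1237847 / bug 1379182: create/data only - content must not rely on deleting its own temp files` would make that ownership explicit for the next maintainer. The enclosing contentSandboxRules string starts outside the hunk.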
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@@ -210,17 +210,25 @@ async function createFileInHome() {
// Test if the content process can create a temp file, should pass
async function createTempFile() {
let browser = gBrowser.selectedBrowser;
let path = fileInTempDir().path;
let fileCreated = await ContentTask.spawn(browser, path, createFile);
ok(fileCreated == true, "creating a file in content temp is permitted");
// now delete the file
let fileDeleted = await ContentTask.spawn(browser, path, deleteFile);
- ok(fileDeleted == true, "deleting a file in content temp is permitted");
+ if (isMac()) {
+ // On macOS we do not allow file deletion - it is not needed by the content
+ // process itself, and macOS uses a different permission to control access
+ // to revoking it is easy.
+ ok(fileDeleted == false,
+ "deleting a file in the content temp is not permitted");
+ } else {
+ ok(fileDeleted == true, "deleting a file in content temp is permitted");
+ }
}
// Test reading files and dirs from web and file content processes.
async function testFileAccess() {
// for tests that run in a web content process
let webBrowser = gBrowser.selectedBrowser;
// Ensure that the file content process is enabled.
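Review bot: The new comment spanning `// process itself, and macOS uses a different permission to control access` and `// to revoking it is easy.` is garbled — the second sentence does not parse, so the reason the test now expects deletion to fail is lost. Suggested replacement for the three comment lines: `// On macOS, deleting a file is a separate file-write sub-permission that the content sandbox policy deliberately no longer grants (bug 1379182); the content process does not need it.` Because this assertion now encodes policy (a denied delete is the expected outcome), naming the bug lets the test and SandboxPolicies.h be kept in sync when the policy changes again. As a minor style point the new check could read `ok(!fileDeleted, ...)`, though `== false` is consistent with the `== true` checks already in this file. createTempFile lies entirely within the hunk.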