Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS; r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Fri, 07 Jul 2017 11:05:01 -0400
changeset 606152 57786796d1df35f6ef0182578f949902989e54aa
parent 606124 91c943f7373722ad4e122d98a2ddd6c79708b732
child 636690 120c51436664c7c148cef6992437555ee0cf4d5d
push id67620
push userbmo:agaynor@mozilla.com
push dateMon, 10 Jul 2017 13:55:55 +0000
reviewershaik
bugs1379182
milestone56.0a1
Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS; r?haik On macOS, the file-write* permission type contains numerous sub-permissions (see bug for full listing). Restrict the ones we allow to only the two we need: file-write-create and file-write-data. This primarily reduces kernel attack surface; I'm not aware of any bad things that could be done directly with the removed permissions. MozReview-Commit-ID: 3VvjFesy2qx
security/sandbox/mac/SandboxPolicies.h
security/sandbox/test/browser_content_sandbox_fs.js
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -270,17 +270,17 @@ static const char contentSandboxRules[] 
   (allow file-read-metadata (home-subpath "/Library"))
 
   (allow file-read-metadata
     (literal "/private/var")
     (subpath "/private/var/folders"))
 
 ; bug 1303987
   (if (string? debugWriteDir)
-    (allow file-write* (subpath debugWriteDir)))
+    (allow file-write-create file-write-data (subpath debugWriteDir)))
 
   ; bug 1324610
   (allow network-outbound file-read*
     (literal "/private/var/run/cupsd"))
 
   (allow-shared-list "org.mozilla.plugincontainer")
 
 ; the following rule should be removed when microphone access
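Review bot: The narrowed rule on the `+` line leaves no way to rename or remove anything under debugWriteDir, because as far as I know Seatbelt checks rename(2) against file-write-unlink on the source path (and file-write-create on the destination), so any write-to-temp-then-rename pattern used for debug output would now fail inside the sandbox. That may be acceptable for a debug-only directory, but the rule carries no comment saying the sub-permissions were dropped on purpose, so the next person to hit a write failure here is likely to re-widen it to file-write* by reflex. I'd add `; deliberately not file-write*: only create+data are granted (no unlink/rename, mode, xattr, ...) to reduce kernel attack surface (bug 1379182)` above the `(if (string? debugWriteDir) ...)` form, matching the bug-reference comment style already used in this profile. The guard itself is unchanged, and the enclosing contentSandboxRules string starts and ends outside this hunk.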
@@ -354,15 +354,15 @@ static const char contentSandboxRules[] 
       (iokit-user-client-class "AppleGraphicsPolicyClient"))
 
 ; bug 1153809
   (allow iokit-open
       (iokit-user-client-class "NVDVDContextTesla")
       (iokit-user-client-class "Gen6DVDContext"))
 
   ; bug 1237847
-  (allow file-read* file-write*
+  (allow file-read* file-write-create file-write-data
       (subpath appTempDir))
 )";
 
 }
 
 #endif // mozilla_SandboxPolicies_h
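Review bot: With file-write-unlink gone from the appTempDir rule on the `+` line, the content process can create temp files but can never remove them, so cleanup of whatever it writes there now has to happen in the parent; the test change in this same commit shows deletion is expected to fail on macOS. It is worth confirming that the parent already clears appTempDir (or that files written there are short-lived enough not to matter), otherwise this trades kernel attack surface for an unbounded temp directory. I'd also document the choice in place, e.g. `; create+data only: unlink/rename/chmod etc. intentionally denied (bug 1379182)`, so the `file-read*` / `file-write-create` / `file-write-data` trio is not mistaken for an oversight. The contentSandboxRules string this rule lives in begins outside the hunk.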
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@@ -210,17 +210,25 @@ async function createFileInHome() {
 // Test if the content process can create a temp file, should pass
 async function createTempFile() {
   let browser = gBrowser.selectedBrowser;
   let path = fileInTempDir().path;
   let fileCreated = await ContentTask.spawn(browser, path, createFile);
   ok(fileCreated == true, "creating a file in content temp is permitted");
   // now delete the file
   let fileDeleted = await ContentTask.spawn(browser, path, deleteFile);
-  ok(fileDeleted == true, "deleting a file in content temp is permitted");
+  if (isMac()) {
+    // On macOS we do not allow file deletion - it is not needed by the content
+    // process itself, and macOS uses a different permission to control access
+    // to revoking it is easy.
+    ok(fileDeleted == false,
+       "deleting a file in the content temp is not permitted");
+  } else {
+    ok(fileDeleted == true, "deleting a file in content temp is permitted");
+  }
 }
 
 // Test reading files and dirs from web and file content processes.
 async function testFileAccess() {
   // for tests that run in a web content process
   let webBrowser = gBrowser.selectedBrowser;
 
   // Ensure that the file content process is enabled.
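Review bot: The new `isMac()` branch asserts that the delete fails but then leaves the file created by the preceding `createFile` call sitting in the content temp dir, so every run on macOS accumulates a stale file; the test should remove it from the parent side (which is not subject to the content sandbox) after the assertion, presumably via the nsIFile that `fileInTempDir()` wraps, though that helper is outside the hunk. The comment on the `+` lines is also garbled ("uses a different permission to control access to revoking it is easy"); I'd rewrite it as `// On macOS the content process is not granted file-write-unlink: it does not need to delete files itself, and because deletion is a separate sandbox permission it is cheap to revoke.` `isMac()` is used here but defined elsewhere in the file, so I cannot confirm it matches the platform the sandbox rules target.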