Bug 1421372 - simplify the macOS content sandbox rules by splitting the file process rules out; r?haik
MozReview-Commit-ID: GJukCOAyE10
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -174,18 +174,16 @@ bool StartMacSandbox(MacSandboxInfo cons
params.push_back("APP_TEMP_DIR");
params.push_back(aInfo.appTempDir.c_str());
params.push_back("PROFILE_DIR");
params.push_back(aInfo.profileDir.c_str());
params.push_back("HOME_PATH");
params.push_back(getenv("HOME"));
params.push_back("HAS_SANDBOXED_PROFILE");
params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
- params.push_back("HAS_FILE_PRIVILEGES");
- params.push_back(aInfo.hasFilePrivileges ? "TRUE" : "FALSE");
if (!aInfo.testingReadPath1.empty()) {
params.push_back("TESTING_READ_PATH1");
params.push_back(aInfo.testingReadPath1.c_str());
}
if (!aInfo.testingReadPath2.empty()) {
params.push_back("TESTING_READ_PATH2");
params.push_back(aInfo.testingReadPath2.c_str());
}
@@ -198,16 +196,24 @@ bool StartMacSandbox(MacSandboxInfo cons
params.push_back(aInfo.testingReadPath4.c_str());
}
#ifdef DEBUG
if (!aInfo.debugWriteDir.empty()) {
params.push_back("DEBUG_WRITE_DIR");
params.push_back(aInfo.debugWriteDir.c_str());
}
#endif // DEBUG
+
+ if (aInfo.hasFilePrivileges) {
+ char *fileContentProfile = NULL;
+ asprintf(&fileContentProfile, "%s%s", profile,
+ fileContentProcessAddend);
+ profile = fileContentProfile;
+ profile_needs_free = true;
+ }
} else {
fprintf(stderr,
"Content sandbox disabled due to sandbox level setting\n");
return false;
}
}
else {
char *msg = NULL;
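Review bot: The asprintf() that builds fileContentProfile never checks its return value, so on allocation failure `profile` is assigned a NULL (per the BSD man page, undefined) pointer and the sandbox start continues with it; a sandbox policy should fail closed here rather than fall through to whatever consumes `profile` below. Wrap the call as `if (asprintf(&fileContentProfile, "%s%s", profile, fileContentProcessAddend) < 0) {` / `fprintf(stderr, "Failed to build file content sandbox profile\n"); return false; }` and only then assign `profile` and set `profile_needs_free`, matching the existing fprintf/return-false style of the else branch. Whether `profile` can already point at heap memory at this point (and would leak on the reassignment) is not visible in the hunk; if it can, release it before the swap. StartMacSandbox begins and ends outside this hunk.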
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -51,17 +51,16 @@ static const char contentSandboxRules[]
(define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
(define appPath (param "APP_PATH"))
(define appBinaryPath (param "APP_BINARY_PATH"))
(define appdir-path (param "APP_DIR"))
(define appTempDir (param "APP_TEMP_DIR"))
(define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
(define profileDir (param "PROFILE_DIR"))
(define home-path (param "HOME_PATH"))
- (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
(define debugWriteDir (param "DEBUG_WRITE_DIR"))
(define testingReadPath1 (param "TESTING_READ_PATH1"))
(define testingReadPath2 (param "TESTING_READ_PATH2"))
(define testingReadPath3 (param "TESTING_READ_PATH3"))
(define testingReadPath4 (param "TESTING_READ_PATH4"))
(if (string=? should-log "TRUE")
(deny default)
@@ -187,22 +186,16 @@ static const char contentSandboxRules[]
; bug 1392988
(xpc-service-name "com.apple.coremedia.videodecoder")
(xpc-service-name "com.apple.coremedia.videoencoder")))
; bug 1312273
(if (= macosMinorVersion 9)
(allow mach-lookup (global-name "com.apple.xpcd")))
- ; File content processes need access to iconservices to draw file icons in
- ; directory listings
- (if (string=? hasFilePrivileges "TRUE")
- (allow mach-lookup
- (global-name "com.apple.iconservices")))
-
(allow iokit-open
(iokit-user-client-class "IOHIDParamUserClient")
(iokit-user-client-class "IOAudioEngineUserClient"))
; depending on systems, the 1st, 2nd or both rules are necessary
(allow-shared-preferences-read "com.apple.HIToolbox")
(allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
@@ -294,19 +287,16 @@ static const char contentSandboxRules[]
(require-not (home-subpath "/Library"))
(require-not (subpath profileDir))))
; we don't have a profile dir
(allow file-read* (require-not (home-subpath "/Library"))))))
; level 3: Does not have any of it's own rules. The global rules provide:
; no global read/write access,
; read access permitted to $PROFILE/{extensions,chrome}
- (if (string=? hasFilePrivileges "TRUE")
- ; This process has blanket file read privileges
- (allow file-read*))
(if (string=? hasProfileDir "TRUE")
; we have a profile dir
(allow file-read*
(profile-subpath "/extensions")
(profile-subpath "/chrome")))
; accelerated graphics
@@ -349,11 +339,21 @@ static const char contentSandboxRules[]
#"\.[oO][tT][cC]$" ; otc
#"\.[dD][fF][oO][nN][tT]$")) ; dfont
; bug 1404919
; Read access (recursively) within directories ending in .fontvault
(allow file-read* (regex #"\.fontvault/"))
)";
+static const char fileContentProcessAddend[] = R"(
+ ; This process has blanket file read privileges
+ (allow file-read*)
+
+ ; File content processes need access to iconservices to draw file icons in
+ ; directory listings
+ (allow mach-lookup (global-name "com.apple.iconservices"))
+)";
+
+
}
#endif // mozilla_SandboxPolicies_h
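Review bot: fileContentProcessAddend carries no comment stating that it is only meaningful when appended verbatim to the end of contentSandboxRules (which StartMacSandbox does via asprintf), and that this moves `(allow file-read*)` from its old place in the level-3 section to the very end of the profile. If the profile language resolves conflicting rules by the last matching rule — confirm against the SBPL semantics this code relies on — any file-read deny that previously followed the old in-line allow is now shadowed, so the effective grant may be broader than before and deserves a test that file content processes still cannot read paths level 3 otherwise denies. Suggest a header comment such as `// Rules appended to contentSandboxRules for file content processes; keep them at the end, since later SBPL rules take precedence over earlier ones.`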