Bug 1421372 - simplify the macOS content sandbox rules by splitting the file process rules out; r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Tue, 28 Nov 2017 14:06:06 -0500
changeset 704667 b44218063ffdad3d55743a68b79eb8c170271ebc
parent 704194 5b33b070378ae0806bed0b5e5e34de429a29e7db
child 742112 da4d0060f2ac4d3a5d9c9ab9bbb389229131565d
push id91194
push userbmo:agaynor@mozilla.com
push dateTue, 28 Nov 2017 19:06:46 +0000
reviewershaik
bugs1421372
milestone59.0a1
Bug 1421372 - simplify the macOS content sandbox rules by splitting the file process rules out; r?haik MozReview-Commit-ID: GJukCOAyE10
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -174,18 +174,16 @@ bool StartMacSandbox(MacSandboxInfo cons
       params.push_back("APP_TEMP_DIR");
       params.push_back(aInfo.appTempDir.c_str());
       params.push_back("PROFILE_DIR");
       params.push_back(aInfo.profileDir.c_str());
       params.push_back("HOME_PATH");
       params.push_back(getenv("HOME"));
       params.push_back("HAS_SANDBOXED_PROFILE");
       params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
-      params.push_back("HAS_FILE_PRIVILEGES");
-      params.push_back(aInfo.hasFilePrivileges ? "TRUE" : "FALSE");
       if (!aInfo.testingReadPath1.empty()) {
         params.push_back("TESTING_READ_PATH1");
         params.push_back(aInfo.testingReadPath1.c_str());
       }
       if (!aInfo.testingReadPath2.empty()) {
         params.push_back("TESTING_READ_PATH2");
         params.push_back(aInfo.testingReadPath2.c_str());
       }
@@ -198,16 +196,24 @@ bool StartMacSandbox(MacSandboxInfo cons
         params.push_back(aInfo.testingReadPath4.c_str());
       }
 #ifdef DEBUG
       if (!aInfo.debugWriteDir.empty()) {
         params.push_back("DEBUG_WRITE_DIR");
         params.push_back(aInfo.debugWriteDir.c_str());
       }
 #endif // DEBUG
+
+      if (aInfo.hasFilePrivileges) {
+        char *fileContentProfile = NULL;
+        asprintf(&fileContentProfile, "%s%s", profile,
+          fileContentProcessAddend);
+        profile = fileContentProfile;
+        profile_needs_free = true;
+      }
     } else {
       fprintf(stderr,
         "Content sandbox disabled due to sandbox level setting\n");
       return false;
     }
   }
   else {
     char *msg = NULL;
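Review bot: The asprintf() call in the new `if (aInfo.hasFilePrivileges)` block is unchecked; on allocation failure it returns -1 and leaves `fileContentProfile` unspecified, after which `profile` is overwritten with that value and `profile_needs_free` is set, so the process would proceed to initialize the sandbox from a NULL or garbage profile string rather than fail closed. Checking the result before the assignment, `if (asprintf(&fileContentProfile, "%s%s", profile, fileContentProcessAddend) < 0) { fprintf(stderr, "Failed to build file content sandbox profile\n"); return false; }`, matches the existing early-return style used for the disabled-sandbox case below. If `profile_needs_free` can already be true when this block runs, the previous buffer is leaked by the reassignment as well; that depends on the part of StartMacSandbox above the hunk, which starts and ends outside it.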
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -51,17 +51,16 @@ static const char contentSandboxRules[] 
   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define appPath (param "APP_PATH"))
   (define appBinaryPath (param "APP_BINARY_PATH"))
   (define appdir-path (param "APP_DIR"))
   (define appTempDir (param "APP_TEMP_DIR"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
   (define home-path (param "HOME_PATH"))
-  (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
   (define testingReadPath1 (param "TESTING_READ_PATH1"))
   (define testingReadPath2 (param "TESTING_READ_PATH2"))
   (define testingReadPath3 (param "TESTING_READ_PATH3"))
   (define testingReadPath4 (param "TESTING_READ_PATH4"))
 
   (if (string=? should-log "TRUE")
     (deny default)
@@ -187,22 +186,16 @@ static const char contentSandboxRules[] 
       ; bug 1392988
       (xpc-service-name "com.apple.coremedia.videodecoder")
       (xpc-service-name "com.apple.coremedia.videoencoder")))
 
 ; bug 1312273
   (if (= macosMinorVersion 9)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
-  ; File content processes need access to iconservices to draw file icons in
-  ; directory listings
-  (if (string=? hasFilePrivileges "TRUE")
-    (allow mach-lookup
-      (global-name "com.apple.iconservices")))
-
   (allow iokit-open
      (iokit-user-client-class "IOHIDParamUserClient")
      (iokit-user-client-class "IOAudioEngineUserClient"))
 
 ; depending on systems, the 1st, 2nd or both rules are necessary
   (allow-shared-preferences-read "com.apple.HIToolbox")
   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
 
@@ -294,19 +287,16 @@ static const char contentSandboxRules[] 
           (require-not (home-subpath "/Library"))
           (require-not (subpath profileDir))))
         ; we don't have a profile dir
         (allow file-read* (require-not (home-subpath "/Library"))))))
 
   ; level 3: Does not have any of it's own rules. The global rules provide:
   ;          no global read/write access,
   ;          read access permitted to $PROFILE/{extensions,chrome}
-  (if (string=? hasFilePrivileges "TRUE")
-    ; This process has blanket file read privileges
-    (allow file-read*))
 
   (if (string=? hasProfileDir "TRUE")
     ; we have a profile dir
     (allow file-read*
       (profile-subpath "/extensions")
       (profile-subpath "/chrome")))
 
 ; accelerated graphics
@@ -349,11 +339,21 @@ static const char contentSandboxRules[] 
            #"\.[oO][tT][cC]$"           ; otc
            #"\.[dD][fF][oO][nN][tT]$")) ; dfont
 
   ; bug 1404919
   ; Read access (recursively) within directories ending in .fontvault
   (allow file-read* (regex #"\.fontvault/"))
 )";
 
+static const char fileContentProcessAddend[] = R"(
+  ; This process has blanket file read privileges
+  (allow file-read*)
+
+  ; File content processes need access to iconservices to draw file icons in
+  ; directory listings
+  (allow mach-lookup (global-name "com.apple.iconservices"))
+)";
+
+
 }
 
 #endif // mozilla_SandboxPolicies_h
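Review bot: `fileContentProcessAddend` has no comment explaining that it is not a standalone profile but is appended verbatim to `contentSandboxRules` by StartMacSandbox for file content processes, and that it must therefore stay a sequence of self-contained top-level forms. Since the sandbox profile language gives later rules precedence over earlier ones, moving `(allow file-read*)` from the middle of the profile (the removal in the `@@ -294,19 +287,16 @@` hunk) to the very end also means it now takes precedence over any `file-read*` deny rules earlier in `contentSandboxRules`, which is a broader grant than the old placement if such deny rules exist; worth stating explicitly so that is an intentional choice. A header comment along the lines of `// Appended to contentSandboxRules (after it) for file content processes; rules here override earlier matching rules, so keep this to the minimum grants those processes need.` would capture both points. The two trailing blank lines added before the closing `}` can be reduced to one.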