Bug 1460917 - Fonts not displaying with FontExplorer X fonts in Firefox 60 r=handyman
Add back font whitelist rules removed by the fix for
bug 1393259
to work around font sandbox extensions not being issued automatically
on OS X 10.11 and earlier.
MozReview-Commit-ID: 2hT0BzN3Ggq
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -339,16 +339,32 @@ static const char contentSandboxRules[]
(subpath "/Library/Application Support/Apple/Fonts")
(home-subpath "/Library/Fonts")
; Allow read access to paths allowed via sandbox extensions.
; This is needed for fonts in non-standard locations normally
; due to third party font managers. The extensions are
; automatically issued by the font server in response to font
; API calls.
(extension "com.apple.app-sandbox.read"))
+
+ ; Fonts
+ ; Workaround for sandbox extensions not being automatically
+ ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+ (if (<= macosMinorVersion 11)
+ (allow file-read*
+ (regex #"\.[oO][tT][fF]$" ; otf
+ #"\.[tT][tT][fF]$" ; ttf
+ #"\.[tT][tT][cC]$" ; ttc
+ #"\.[oO][tT][cC]$" ; otc
+ #"\.[dD][fF][oO][nN][tT]$") ; dfont
+ (home-subpath "/Library/FontCollections")
+ (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+ (home-subpath "/Library/Application Support/FontAgent")
+ (regex #"\.fontvault/")
+ (home-subpath "/FontExplorer X/Font Library")))
)SANDBOX_LITERAL";
// These are additional rules that are added to the content process rules for
// file content processes.
static const char fileContentProcessAddend[] = R"SANDBOX_LITERAL(
; This process has blanket file read privileges
(allow file-read*)
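Review bot: The suffix regexes added under `(allow file-read*` are not tied to any directory, so on 10.11 and earlier the content process can read every path ending in `.otf`, `.ttf`, `.ttc`, `.otc` or `.dfont`. `(regex #"\.fontvault/")` is also unanchored and matches any path with a component ending in `.fontvault`, wherever it lives. Read access is therefore decided by file name alone in the process that handles web content, and the added comment mentions only the workaround, not that trade-off. I would record it next to the rules, e.g. `; NOTE: these regexes match by name anywhere on disk; keep this block restricted to OS versions that do not issue font extensions automatically.` The identical block added to the Flash plugin rules in the `@@ -625` hunk needs the same note.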
@@ -512,16 +528,19 @@ static const char flashPluginSandboxRule
"kern.safeboot"
"kern.version"
"vm.footprint_suspend")))
; Utilities for allowing access to home subdirectories
(define home-library-path
(string-append homeDir "/Library"))
+ (define (home-subpath home-relative-subpath)
+ (subpath (string-append homeDir home-relative-subpath)))
+
(define home-library-prefs-path
(string-append homeDir "/Library" "/Preferences"))
(define (home-literal home-relative-literal)
(literal (string-append homeDir home-relative-literal)))
(define (home-library-regex home-library-relative-regex)
(regex (string-append "^" (regex-quote home-library-path))
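Review bot: `home-subpath` is added without a comment and concatenates `homeDir` and its argument as-is, so an argument missing the leading `/` would produce a sibling of the home directory rather than a path inside it. The rule it expands to covers the whole subtree, which is worth stating where the helper is defined because the font rules later in this patch call it with several third-party directories. A one-line comment such as `; (home-subpath "/x") => (subpath "<homeDir>/x"); argument must start with "/" and grants everything beneath it` would make the contract explicit. Whether `homeDir` can carry a trailing slash is not visible here, and the definition of `home-library-regex` continues past the end of the hunk.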
@@ -625,16 +644,32 @@ static const char flashPluginSandboxRule
(home-library-subpath "/Fonts")
; Allow read access to paths allowed via sandbox extensions.
; This is needed for fonts in non-standard locations normally
; due to third party font managers. The extensions are
; automatically issued by the font server in response to font
; API calls.
(extension "com.apple.app-sandbox.read"))
+ ; Fonts
+ ; Workaround for sandbox extensions not being automatically
+ ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+ (if (<= macosMinorVersion 11)
+ (allow file-read*
+ (regex #"\.[oO][tT][fF]$" ; otf
+ #"\.[tT][tT][fF]$" ; ttf
+ #"\.[tT][tT][cC]$" ; ttc
+ #"\.[oO][tT][cC]$" ; otc
+ #"\.[dD][fF][oO][nN][tT]$") ; dfont
+ (home-subpath "/Library/FontCollections")
+ (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+ (home-subpath "/Library/Application Support/FontAgent")
+ (regex #"\.fontvault/")
+ (home-subpath "/FontExplorer X/Font Library")))
+
(if (string=? sandbox-level-1 "TRUE") (begin
; Open file dialogs
(allow mach-lookup
; needed for the dialog sidebar
(global-name "com.apple.coreservices.sharedfilelistd.xpc")
; bird(8) -- "Documents in the Cloud"
; needed to avoid iCloud error dialogs and to display iCloud files
(global-name "com.apple.bird")
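Review bot: The gate `(if (<= macosMinorVersion 11)` compares only the minor component, so it silently assumes the major version is 10. How `macosMinorVersion` is populated is outside this hunk, but if it is the bare minor number, a release numbered 11.0 or later would also satisfy the test and turn the broad font read rules back on. I would record the assumption beside the check, e.g. `; assumes OS major version 10; revisit if the major version changes`, or pass the full version into the profile and compare that. The same gate is added to the content process rules in the `@@ -339` hunk.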