Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor
Pass the user cache dir as a parameter to the Flash sandbox profile.
Add services and paths to the Flash sandbox profile needed for TLS
and encrypted video playback.
MozReview-Commit-ID: 1szVXVVATFy
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -117,27 +117,41 @@ OSXVersion::GetVersionNumber()
if (mOSXVersion == -1) {
int32_t major, minor, bugfix;
GetSystemVersion(major, minor, bugfix);
mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
}
return mOSXVersion;
}
+bool
+GetRealPath(std::string& aOutputPath, const char* aInputPath)
+{
+ char* resolvedPath = realpath(aInputPath, nullptr);
+ if (resolvedPath == nullptr) {
+ return false;
+ }
+
+ aOutputPath = resolvedPath;
+ free(resolvedPath);
+
+ return !aOutputPath.empty();
+}
+
namespace mozilla {
bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)
{
std::vector<const char *> params;
std::string profile;
std::string macOSMinor = std::to_string(OSXVersion::OSXVersionMinor());
// Used for the Flash sandbox. Declared here so that they
// stay in scope until sandbox_init_with_parameters is called.
- std::string flashTempDir, flashPath;
+ std::string flashCacheDir, flashTempDir, flashPath;
if (aInfo.type == MacSandboxType_Plugin &&
aInfo.pluginInfo.type == MacSandboxPluginType_Flash) {
profile = flashPluginSandboxRules;
params.push_back("SHOULD_LOG");
params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
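Review bot: `GetRealPath` is a new file-scope helper with external linkage and no doc comment; in a .mm translation unit that can collide with any other `GetRealPath` symbol at link time, and nothing tells a reader that the output is only meaningful on a `true` return. Making it `static bool GetRealPath(std::string& aOutputPath, const char* aInputPath)` and adding `// Resolves aInputPath with realpath(3) into aOutputPath (frees the malloc'd result); returns false if resolution fails or yields an empty path.` covers both. The `std::string flashCacheDir, flashTempDir, flashPath;` declaration is inside `StartMacSandbox`, whose body continues past the end of this hunk.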
@@ -148,30 +162,38 @@ bool StartMacSandbox(MacSandboxInfo cons
params.push_back("MAC_OS_MINOR");
params.push_back(macOSMinor.c_str());
params.push_back("HOME_PATH");
params.push_back(getenv("HOME"));
params.push_back("PLUGIN_BINARY_PATH");
- flashPath = realpath(aInfo.pluginInfo.pluginBinaryPath.c_str(), nullptr);
- if (flashPath.empty()) {
+ if (!GetRealPath(flashPath, aInfo.pluginInfo.pluginBinaryPath.c_str())) {
return false;
}
params.push_back(flashPath.c_str());
+ // User cache dir
+ params.push_back("DARWIN_USER_CACHE_DIR");
+ char confStrBuf[PATH_MAX];
+ if (!confstr(_CS_DARWIN_USER_CACHE_DIR, confStrBuf, sizeof(confStrBuf))) {
+ return false;
+ }
+ if (!GetRealPath(flashCacheDir, confStrBuf)) {
+ return false;
+ }
+ params.push_back(flashCacheDir.c_str());
+
// User temp dir
params.push_back("DARWIN_USER_TEMP_DIR");
- char tempDir[PATH_MAX];
- if (!confstr(_CS_DARWIN_USER_TEMP_DIR, tempDir, sizeof(tempDir))) {
+ if (!confstr(_CS_DARWIN_USER_TEMP_DIR, confStrBuf, sizeof(confStrBuf))) {
return false;
}
- flashTempDir = realpath(tempDir, nullptr);
- if (flashTempDir.empty()) {
+ if (!GetRealPath(flashTempDir, confStrBuf)) {
return false;
}
params.push_back(flashTempDir.c_str());
}
else if (aInfo.type == MacSandboxType_Plugin) {
profile = const_cast<char *>(pluginSandboxRules);
params.push_back("SHOULD_LOG");
params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
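Review bot: The `if (!confstr(...))` checks on the cache-dir and temp-dir lookups only catch a zero return, but confstr(3) returns the length the value needs, so a result larger than `sizeof(confStrBuf)` means the path was silently truncated and the truncated string is then passed to `GetRealPath` and into the sandbox profile as `DARWIN_USER_CACHE_DIR`. A truncated prefix may still resolve (to an ancestor directory), so the profile would be built against a path the plugin never uses and the failure would surface only as a sandbox denial at playback time. Checking the length instead, `size_t len = confstr(_CS_DARWIN_USER_CACHE_DIR, confStrBuf, sizeof(confStrBuf)); if (len == 0 || len > sizeof(confStrBuf)) { return false; }`, and the same for the `_CS_DARWIN_USER_TEMP_DIR` call, makes the error explicit. The unchanged context above also pushes `getenv("HOME")` unchecked, which is out of scope for this commit but worth a follow-up since a null there is a null param. `StartMacSandbox` starts before and ends after this hunk.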
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -412,16 +412,17 @@ static const char flashPluginSandboxRule
; Parameters
(define shouldLog (param "SHOULD_LOG"))
(define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
(define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
(define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
(define homeDir (param "HOME_PATH"))
(define tempDir (param "DARWIN_USER_TEMP_DIR"))
+ (define cacheDir (param "DARWIN_USER_CACHE_DIR"))
(define pluginPath (param "PLUGIN_BINARY_PATH"))
(if (string=? shouldLog "TRUE")
(deny default)
(deny default (with no-log)))
(debug deny)
(allow system-audit file-read-metadata)
; These are not included in (deny default)
@@ -566,16 +567,20 @@ static const char flashPluginSandboxRule
home-library-preferences-relative-literal)
(literal (string-append home-library-prefs-path
home-library-preferences-relative-literal)))
; Utility for allowing access to a temp dir subdirectory
(define (tempDir-regex tempDir-relative-regex)
(regex (string-append "^" (regex-quote tempDir)) tempDir-relative-regex))
+ ; Utility for allowing access to specific files within the cache dir
+ (define (cache-literal cache-relative-literal)
+ (literal (string-append cacheDir cache-relative-literal)))
+
; Read-only paths
(allow file-read*
(literal "/")
(literal "/private/etc/services")
(literal "/private/etc/resolv.conf")
(literal "/private/var/run/resolv.conf")
(subpath "/Library/Frameworks")
(subpath "/Library/Managed Preferences")
@@ -638,17 +643,19 @@ static const char flashPluginSandboxRule
(global-name "com.apple.axserver")
(global-name "com.apple.pbs.fetch_services")
(global-name "com.apple.tccd.system")
(global-name "com.apple.tsm.uiserver")
(global-name "com.apple.inputmethodkit.launchagent")
(global-name "com.apple.inputmethodkit.launcher")
(global-name "com.apple.inputmethodkit.getxpcendpoint")
(global-name "com.apple.decalog4.incoming")
- (global-name "com.apple.windowserver.active"))
+ (global-name "com.apple.windowserver.active")
+ (global-name "com.apple.trustd.agent")
+ (global-name "com.apple.ocspd"))
; bug 1475707
(if (= macosMinorVersion 9)
(allow mach-lookup (global-name "com.apple.xpcd")))
; Fonts
(allow file-read*
(subpath "/Library/Fonts")
(subpath "/Library/Application Support/Apple/Fonts")
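Review bot: The two new mach-lookup names `com.apple.trustd.agent` and `com.apple.ocspd` are added to the allow list without the reason or bug reference that the neighbouring `; bug 1475707` rule carries, so a later reader cannot tell which playback feature depends on them or whether either can be dropped when the minimum macOS version moves. Each service a sandboxed plugin may reach is additional attack surface (trust evaluation and, presumably, revocation fetches performed by a system daemon on the plugin's behalf), so the widening deserves a one-line justification in the profile itself. Proposed comment above the two lines: `; bug 1471977 - trustd/ocspd are needed for TLS certificate trust evaluation and revocation checks during encrypted video playback`.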
@@ -761,16 +768,29 @@ static const char flashPluginSandboxRule
(home-library-subpath "/Caches/Adobe/Flash Player")
(home-library-subpath "/Preferences/Macromedia/Flash Player"))
(allow file-read*
(literal "/Library/PreferencePanes/Flash Player.prefPane")
(home-library-literal "/PreferencePanes/Flash Player.prefPane")
(home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
+ (allow file-read*
+ (literal "/Library/Preferences/com.apple.security.plist")
+ (subpath "/private/var/db/mds"))
+ ; Tests revealed file-write-{data,create,flags} required for some encrypted
+ ; video playback. Allowing file-write* to match system profiles.
+ (allow file-read* file-write*
+ (cache-literal "/mds/mds.lock")
+ (cache-literal "/mds/mdsDirectory.db_")
+ (cache-literal "/mds/mdsDirectory.db_")
+ (cache-literal "/mds/mdsObject.db")
+ (cache-literal "/mds/mdsObject.db_")
+ (require-all (vnode-type REGULAR-FILE)))
+
(allow network-bind (local ip))
(deny file-write-create (vnode-type SYMLINK))
)SANDBOX_LITERAL";
}
#endif // mozilla_SandboxPolicies_h
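Review bot: As rendered, `(require-all (vnode-type REGULAR-FILE))` on the last line of the new allow rule is a sibling of the five `cache-literal` filters rather than a wrapper around them; SBPL combines sibling filters in one rule with require-any semantics, so a standalone `(vnode-type REGULAR-FILE)` filter would grant `file-read* file-write*` on every regular file and effectively void the `(deny default)` for the Flash process. If the landed text actually nests the literals under `require-all`/`require-any` this is a rendering artefact, but the rule should be written so the intent is unambiguous and the vnode-type constraint provably applies to the literals only. Separately, the list names `/mds/mdsDirectory.db_` twice and `mdsDirectory.db` never, which looks like a copy-paste slip given the `mdsObject.db`/`mdsObject.db_` pair below it; confirm against the files mds actually creates before changing it. Proposed form:

```cpp
  ; Tests revealed file-write-{data,create,flags} required for some encrypted
  ; video playback. Allowing file-write* to match system profiles.
  (allow file-read* file-write*
    (require-all
      (vnode-type REGULAR-FILE)
      (require-any
        (cache-literal "/mds/mds.lock")
        (cache-literal "/mds/mdsDirectory.db")   ; presumed intent of the duplicated .db_ entry - verify
        (cache-literal "/mds/mdsDirectory.db_")
        (cache-literal "/mds/mdsObject.db")
        (cache-literal "/mds/mdsObject.db_"))))
  ; … unchanged: network-bind and SYMLINK create deny …
```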