Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor draft
authorHaik Aftandilian <haftandilian@mozilla.com>
Fri, 06 Jul 2018 15:06:21 -0700
changeset 818969 04885bb5d8b9995559462d373199078b109bfdc5
parent 818870 3aa7471f239bd64d9e153e2e7076e99006358f1f
push id116411
push userhaftandilian@mozilla.com
push dateMon, 16 Jul 2018 21:53:36 +0000
reviewersAlex_Gaynor
bugs1471977
milestone63.0a1
Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor Pass the user cache dir as a parameter to the Flash sandbox profile. Add services and paths to the Flash sandbox profile needed for TLS and encrypted video playback. MozReview-Commit-ID: 1szVXVVATFy
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -117,27 +117,41 @@ OSXVersion::GetVersionNumber()
   if (mOSXVersion == -1) {
     int32_t major, minor, bugfix;
     GetSystemVersion(major, minor, bugfix);
     mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
   }
   return mOSXVersion;
 }
 
+bool
+GetRealPath(std::string& aOutputPath, const char* aInputPath)
+{
+  char* resolvedPath = realpath(aInputPath, nullptr);
+  if (resolvedPath == nullptr) {
+    return false;
+  }
+
+  aOutputPath = resolvedPath;
+  free(resolvedPath);
+
+  return !aOutputPath.empty();
+}
+
 namespace mozilla {
 
 bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)
 {
   std::vector<const char *> params;
   std::string profile;
   std::string macOSMinor = std::to_string(OSXVersion::OSXVersionMinor());
 
   // Used for the Flash sandbox. Declared here so that they
   // stay in scope until sandbox_init_with_parameters is called.
-  std::string flashTempDir, flashPath;
+  std::string flashCacheDir, flashTempDir, flashPath;
 
   if (aInfo.type == MacSandboxType_Plugin &&
       aInfo.pluginInfo.type == MacSandboxPluginType_Flash) {
     profile = flashPluginSandboxRules;
 
     params.push_back("SHOULD_LOG");
     params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
 
@@ -148,30 +162,38 @@ bool StartMacSandbox(MacSandboxInfo cons
 
     params.push_back("MAC_OS_MINOR");
     params.push_back(macOSMinor.c_str());
 
     params.push_back("HOME_PATH");
     params.push_back(getenv("HOME"));
 
     params.push_back("PLUGIN_BINARY_PATH");
-    flashPath = realpath(aInfo.pluginInfo.pluginBinaryPath.c_str(), nullptr);
-    if (flashPath.empty()) {
+    if (!GetRealPath(flashPath, aInfo.pluginInfo.pluginBinaryPath.c_str())) {
       return false;
     }
     params.push_back(flashPath.c_str());
 
+    // User cache dir
+    params.push_back("DARWIN_USER_CACHE_DIR");
+    char confStrBuf[PATH_MAX];
+    if (!confstr(_CS_DARWIN_USER_CACHE_DIR, confStrBuf, sizeof(confStrBuf))) {
+      return false;
+    }
+    if (!GetRealPath(flashCacheDir, confStrBuf)) {
+      return false;
+    }
+    params.push_back(flashCacheDir.c_str());
+
     // User temp dir
     params.push_back("DARWIN_USER_TEMP_DIR");
-    char tempDir[PATH_MAX];
-    if (!confstr(_CS_DARWIN_USER_TEMP_DIR, tempDir, sizeof(tempDir))) {
+    if (!confstr(_CS_DARWIN_USER_TEMP_DIR, confStrBuf, sizeof(confStrBuf))) {
       return false;
     }
-    flashTempDir = realpath(tempDir, nullptr);
-    if (flashTempDir.empty()) {
+    if (!GetRealPath(flashTempDir, confStrBuf)) {
       return false;
     }
     params.push_back(flashTempDir.c_str());
   }
   else if (aInfo.type == MacSandboxType_Plugin) {
     profile = const_cast<char *>(pluginSandboxRules);
     params.push_back("SHOULD_LOG");
     params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
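Review bot: The two confstr() calls treat only a zero return as failure, but confstr returns the length the value needs, and a return larger than sizeof(confStrBuf) means the path in the buffer was truncated; the truncated string is then handed to GetRealPath and ends up in the sandbox profile as the cache or temp directory. Capture the length at both sites: `size_t len = confstr(_CS_DARWIN_USER_CACHE_DIR, confStrBuf, sizeof(confStrBuf));` followed by `if (len == 0 || len > sizeof(confStrBuf)) { return false; }`, and the same for _CS_DARWIN_USER_TEMP_DIR. Reusing one buffer for both lookups is fine since each value is copied into its own std::string before the next call. StartMacSandbox continues outside this hunk.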
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -412,16 +412,17 @@ static const char flashPluginSandboxRule
 
   ; Parameters
   (define shouldLog (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define homeDir (param "HOME_PATH"))
   (define tempDir (param "DARWIN_USER_TEMP_DIR"))
+  (define cacheDir (param "DARWIN_USER_CACHE_DIR"))
   (define pluginPath (param "PLUGIN_BINARY_PATH"))
 
   (if (string=? shouldLog "TRUE")
       (deny default)
       (deny default (with no-log)))
   (debug deny)
   (allow system-audit file-read-metadata)
   ; These are not included in (deny default)
@@ -566,16 +567,20 @@ static const char flashPluginSandboxRule
            home-library-preferences-relative-literal)
       (literal (string-append home-library-prefs-path
                 home-library-preferences-relative-literal)))
 
   ; Utility for allowing access to a temp dir subdirectory
   (define (tempDir-regex tempDir-relative-regex)
     (regex (string-append "^" (regex-quote tempDir)) tempDir-relative-regex))
 
+  ; Utility for allowing access to specific files within the cache dir
+  (define (cache-literal cache-relative-literal)
+    (literal (string-append cacheDir cache-relative-literal)))
+
   ; Read-only paths
   (allow file-read*
       (literal "/")
       (literal "/private/etc/services")
       (literal "/private/etc/resolv.conf")
       (literal "/private/var/run/resolv.conf")
       (subpath "/Library/Frameworks")
       (subpath "/Library/Managed Preferences")
@@ -638,17 +643,19 @@ static const char flashPluginSandboxRule
       (global-name "com.apple.axserver")
       (global-name "com.apple.pbs.fetch_services")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.tsm.uiserver")
       (global-name "com.apple.inputmethodkit.launchagent")
       (global-name "com.apple.inputmethodkit.launcher")
       (global-name "com.apple.inputmethodkit.getxpcendpoint")
       (global-name "com.apple.decalog4.incoming")
-      (global-name "com.apple.windowserver.active"))
+      (global-name "com.apple.windowserver.active")
+      (global-name "com.apple.trustd.agent")
+      (global-name "com.apple.ocspd"))
   ; bug 1475707
   (if (= macosMinorVersion 9)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
   ; Fonts
   (allow file-read*
     (subpath "/Library/Fonts")
     (subpath "/Library/Application Support/Apple/Fonts")
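Review bot: The two new mach-lookup entries carry no explanation, whereas the neighbouring xpcd exception is annotated with its bug number; a reader later auditing the Flash profile cannot tell from the profile why the trust daemon and OCSP daemon are reachable. Following the file's own convention, add above the entries: `; Certificate trust evaluation and OCSP, needed for TLS and encrypted video playback (bug 1471977)`, which is what the commit message states as the reason. The enclosing allow form begins before this hunk.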
@@ -761,16 +768,29 @@ static const char flashPluginSandboxRule
       (home-library-subpath "/Caches/Adobe/Flash Player")
       (home-library-subpath "/Preferences/Macromedia/Flash Player"))
 
   (allow file-read*
       (literal "/Library/PreferencePanes/Flash Player.prefPane")
       (home-library-literal "/PreferencePanes/Flash Player.prefPane")
       (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
 
+  (allow file-read*
+      (literal "/Library/Preferences/com.apple.security.plist")
+      (subpath "/private/var/db/mds"))
+  ; Tests revealed file-write-{data,create,flags} required for some encrypted
+  ; video playback. Allowing file-write* to match system profiles.
+  (allow file-read* file-write*
+      (cache-literal "/mds/mds.lock")
+      (cache-literal "/mds/mdsDirectory.db_")
+      (cache-literal "/mds/mdsDirectory.db_")
+      (cache-literal "/mds/mdsObject.db")
+      (cache-literal "/mds/mdsObject.db_")
+      (require-all (vnode-type REGULAR-FILE)))
+
   (allow network-bind (local ip))
 
   (deny file-write-create (vnode-type SYMLINK))
 )SANDBOX_LITERAL";
 
 }
 
 #endif // mozilla_SandboxPolicies_h
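Review bot: `(require-all (vnode-type REGULAR-FILE))` is listed as a sibling of the cache-literal filters, and sibling filters in an allow form are alternatives, as the list of global-name filters in the mach-lookup rule above shows; a require-all with a single child therefore reduces to "any regular file", and the rule grants file-read* and file-write* to every regular file rather than only to the five mds entries. The intent is presumably that the vnode-type filter applies in addition to the path match, which needs the literals grouped under require-any inside the require-all. Separately, `(cache-literal "/mds/mdsDirectory.db_")` appears twice; given the mdsObject.db / mdsObject.db_ pair, the second entry looks like it was meant to be `/mds/mdsDirectory.db`, which should be confirmed against what playback actually opens.
```scheme
  ; … unchanged: file-read* rule for com.apple.security.plist and /private/var/db/mds …
  ; Tests revealed file-write-{data,create,flags} required for some encrypted
  ; video playback. Allowing file-write* to match system profiles.
  (allow file-read* file-write*
      (require-all
        (vnode-type REGULAR-FILE)
        (require-any
          (cache-literal "/mds/mds.lock")
          (cache-literal "/mds/mdsDirectory.db")   ; TODO(review): confirm; was a duplicate of the next entry
          (cache-literal "/mds/mdsDirectory.db_")
          (cache-literal "/mds/mdsObject.db")
          (cache-literal "/mds/mdsObject.db_"))))
```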