Bug 1475722 - Mac Flash sandbox causes empty file upload dialogs on OS X 10.9, 10.10 r?Alex_Gaynor
On 10.9 and 10.10, grant global read access to the Flash sandbox.
Change Flash sandbox levels by adding a new level 1 that includes
global read access which will be the default on 10.9/10.10.
Level 2 is the new default for 10.11 and above with file read
access enabled by file dialog activity.
MozReview-Commit-ID: LvXhd6Vf7mo
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -1061,28 +1061,33 @@ pref("security.sandbox.gmp.win32k-disabl
// This setting is read when the content process is started. On Mac the content
// process is killed when all windows are closed, so a change will take effect
// when the 1st window is opened.
pref("security.sandbox.content.level", 3);
#endif
// Enable the Mac Flash sandbox on Nightly and Beta, not Release
#if defined(EARLY_BETA_OR_EARLIER) && defined(XP_MACOSX) && defined(MOZ_SANDBOX)
-// Controls whether and how the Mac NPAPI Flash plugin process is sandboxed.
-// On Mac these levels are:
+// Prefs for controlling whether and how the Mac NPAPI Flash plugin process is
+// sandboxed. On Mac these levels are:
// 0 - "no sandbox"
-// 1 - "write access to some Flash-specific directories and global
-// read access triggered by file dialog activity"
-// 2 - "no global read access, read and write access to some
-// Flash-specific directories"
-pref("dom.ipc.plugins.sandbox-level.flash", 1);
+// 1 - "global read access, limited write access for Flash functionality"
+// 2 - "read access triggered by file dialog activity, limited read/write"
+// "access for Flash functionality"
+// 3 - "limited read/write access for Flash functionality"
+pref("dom.ipc.plugins.sandbox-level.flash", 2);
+// Controls the level used on older OS X versions. Is overriden when the
+// "dom.ipc.plugins.sandbox-level.flash" is set to 0.
+pref("dom.ipc.plugins.sandbox-level.flash.legacy", 1);
+// The max OS minor version where we use the above legacy sandbox level.
+pref("dom.ipc.plugins.sandbox-level.flash.max-legacy-os-minor", 10);
// Controls the sandbox level used by plugins other than Flash. On Mac,
// no other plugins are supported and this pref is only used for test
// plugins used in automated tests.
-pref("dom.ipc.plugins.sandbox-level.default", 1);
+pref("dom.ipc.plugins.sandbox-level.default", 2);
#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// This pref is introduced as part of bug 742434, the naming is inspired from
// its Windows/Mac counterpart, but on Linux it's an integer which means:
// 0 -> "no sandbox"
// 1 -> "content sandbox using seccomp-bpf when available" + ipc restrictions
// 2 -> "seccomp-bpf + write file broker"
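Review bot: The comment on the new `dom.ipc.plugins.sandbox-level.flash.legacy` pref ("Is overriden when ... is set to 0") understates what the matching nsPluginTags.cpp change does: the effective level on a legacy OS is the minimum of this pref and `dom.ipc.plugins.sandbox-level.flash`, so any lower value of the standard pref lowers the legacy level, not only 0 (and "overriden" is misspelled). Suggested wording: `// Controls the level used on older OS X versions (10.x up to the minor version in the pref below). The effective level is the minimum of this pref and "dom.ipc.plugins.sandbox-level.flash", so lowering the standard pref also lowers this one.` The `max-legacy-os-minor` comment could likewise say that the check only applies to major version 10, which is what the C++ side compares against.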
--- a/dom/plugins/base/nsPluginTags.cpp
+++ b/dom/plugins/base/nsPluginTags.cpp
@@ -19,16 +19,17 @@
#include "nsNetUtil.h"
#include <cctype>
#include "mozilla/Encoding.h"
#include "mozilla/dom/ContentChild.h"
#include "mozilla/dom/FakePluginTagInitBinding.h"
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX)
#include "mozilla/SandboxSettings.h"
+#include "nsCocoaFeatures.h"
#endif
using mozilla::dom::FakePluginTagInit;
using namespace mozilla;
// These legacy flags are used in the plugin registry. The states are now
// stored in prefs, but we still need to be able to import them.
#define NS_PLUGIN_FLAG_ENABLED 0x0001 // is this plugin enabled?
@@ -430,24 +431,42 @@ nsPluginTag::InitSandboxLevel()
// be kept up to date with the default value in the firefox.js pref file.
if (mIsFlashPlugin && mSandboxLevel < 2) {
mSandboxLevel = 2;
}
#endif /* defined(_AMD64_) */
#elif defined(XP_MACOSX) && defined(MOZ_SANDBOX)
if (mIsFlashPlugin) {
- if (PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX") ||
- NS_FAILED(Preferences::GetInt("dom.ipc.plugins.sandbox-level.flash",
- &mSandboxLevel))) {
+ // For older OS versions, use a different Flash sandbox level.
+ // The following pref indicates which OS versions this applies to.
+ int legacyOSMinorMax = Preferences::GetInt(
+ "dom.ipc.plugins.sandbox-level.flash.max-legacy-os-minor", 10);
+
+ const char* levelPref = "dom.ipc.plugins.sandbox-level.flash";
+
+ if (PR_GetEnv("MOZ_DISABLE_NPAPI_SANDBOX")) {
+ // Flash sandbox disabled
mSandboxLevel = 0;
+ } else if (nsCocoaFeatures::OSXVersionMajor() == 10 &&
+ nsCocoaFeatures::OSXVersionMinor() <= legacyOSMinorMax) {
+ // We're on an older OS version. Use the minimum of both
+ // prefs so that setting the standard level pref to 0 is sufficient
+ // to disable the sandbox regardless of OS version.
+ const char* legacyLevelPref =
+ "dom.ipc.plugins.sandbox-level.flash.legacy";
+ int32_t compatLevel = Preferences::GetInt(legacyLevelPref, 0);
+ int32_t level = Preferences::GetInt(levelPref, 0);
+ mSandboxLevel = std::min(compatLevel, level);
} else {
- mSandboxLevel = ClampFlashSandboxLevel(mSandboxLevel);
+ // Use standard level
+ mSandboxLevel = Preferences::GetInt(levelPref, 0);
}
+ mSandboxLevel = ClampFlashSandboxLevel(mSandboxLevel);
if (mSandboxLevel > 0) {
// Enable sandbox logging in the plugin process if it has
// been turned on via prefs or environment variables.
if (Preferences::GetBool("security.sandbox.logging.enabled") ||
PR_GetEnv("MOZ_SANDBOX_LOGGING") ||
PR_GetEnv("MOZ_SANDBOX_MAC_FLASH_LOGGING")) {
mIsSandboxLoggingEnabled = true;
}
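Review bot: The `0` fallback passed to every `Preferences::GetInt` call in the new code (`compatLevel`, `level`, and the else branch) is what leaves the Flash process unsandboxed when the prefs are absent; as the firefox.js hunk shows, those prefs are only defined under `EARLY_BETA_OR_EARLIER`, so that fallback is load-bearing for Release builds and is worth a comment such as `// Default to 0 (no sandbox): the level prefs are only defined on early-beta builds, see firefox.js`. Separately, `legacyOSMinorMax` is declared as `int` while the two levels it sits next to are `int32_t`; using `int32_t` for all three, and reading `levelPref` once before the `if` chain instead of in two branches, would keep the types and the lookups consistent. Note that InitSandboxLevel begins before this hunk and continues after it.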
--- a/security/sandbox/common/SandboxSettings.cpp
+++ b/security/sandbox/common/SandboxSettings.cpp
@@ -37,17 +37,17 @@ int GetEffectiveContentSandboxLevel() {
bool IsContentSandboxEnabled() {
return GetEffectiveContentSandboxLevel() > 0;
}
#if defined(XP_MACOSX)
int ClampFlashSandboxLevel(const int aLevel) {
const int minLevel = 0;
- const int maxLevel = 2;
+ const int maxLevel = 3;
if (aLevel < minLevel) {
return minLevel;
}
if (aLevel > maxLevel) {
return maxLevel;
}
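Review bot: `maxLevel` is now a bare constant that must track two other places — the level list in browser/app/profile/firefox.js and the `sandbox-level-N` rules in SandboxPolicies.h — but nothing at the declaration says so; a comment such as `// Highest defined Flash sandbox level; keep in sync with the level list in firefox.js and the sandbox-level-N rules in SandboxPolicies.h` would make the coupling visible to the next person adding a level. ClampFlashSandboxLevel continues past the end of this hunk.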
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -688,17 +688,22 @@ static const char flashPluginSandboxRule
(home-subpath "/Library/FontCollections")
(home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
(home-subpath "/Library/Application Support/FontAgent")
(home-subpath "/Library/Extensis/UTC") ; bug 1469657
(subpath "/Library/Extensis/UTC") ; bug 1469657
(regex #"\.fontvault/")
(home-subpath "/FontExplorer X/Font Library")))
- (if (string=? sandbox-level-1 "TRUE") (begin
+ ; level 1: global read access permitted, no global write access
+ (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
+
+ ; level 2: read access via file dialog exceptions, no global write access
+ (if (or (string=? sandbox-level-2 "TRUE")
+ (string=? sandbox-level-1 "TRUE")) (begin
; Open file dialogs
(allow mach-lookup
; needed for the dialog sidebar
(global-name "com.apple.coreservices.sharedfilelistd.xpc")
; bird(8) -- "Documents in the Cloud"
; needed to avoid iCloud error dialogs and to display iCloud files
(global-name "com.apple.bird")
(global-name "com.apple.bird.token")
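Review bot: The new level-1 comment says only "global read access permitted" and does not record why the rule set grants filesystem-wide `file-read*`, whereas the neighbouring font rules cite their bug; since this level exists for the empty file-dialog problem on 10.9/10.10, the comment should carry that context, e.g. `; level 1 (10.9/10.10 only, bug 1475722): global read access permitted, no global write access`. It may also be worth stating in the level-2 comment that level 1 deliberately inherits the dialog exceptions below via the `or`, so that a reader does not take the file-read rules in that block as the only read access level 1 has.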