Bug 1284588 - OS X: Disable content process write access to user files in the home directory; r?gcp
Changes the semantics of the security.sandbox.content.level pref on OS X with
respect to file access to the user's home directory. With the fix, Nightly
defaults to 2 while other releases will default to 1. The level values now
have the following meaning.
*) security.sandbox.content.level=0 disables content process sandboxing.
No change here.
*) security.sandbox.content.level=1 blocks write access to the majority of the
home directory.
*) security.sandbox.content.level=2 includes the write access blocking in
level 1, but also blocks both read and write access to ~/Library and $PROFILE
excluding the extensions and weave subdirectories.
Prior to this fix, Nightly defaulted to a value of 1 while all other releases
used 0. The value of 1 meant that read/write access to ~/Library and the
$PROFILE dir (excluding $PROFILE/{extensions,weave}) was prevented.
The strength of a level=1 sandbox is reduced by this fix,
but level=1 becomes the first ride-the-trains content sandbox candidate,
Nightly changes to level=2, and higher levels still indicate a more
restrictive sandbox.
MozReview-Commit-ID: 7NJAe24T4pU
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -967,26 +967,34 @@ pref("security.sandbox.content.level", 1
// process because the only other sandbox (for GMP) has too strict a policy to
// allow stack tracing. This does not require a restart to take effect.
pref("security.sandbox.windows.log.stackTraceDepth", 0);
#endif
#endif
#endif
#if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is discussed in bug 1083344, the naming is inspired from its Windows
-// counterpart, but on Mac it's an integer which means:
+// This pref is discussed in bug 1083344, the naming is inspired from its
+// Windows counterpart, but on Mac it's an integer which means:
// 0 -> "no sandbox"
-// 1 -> "an imperfect sandbox designed to allow firefox to run reasonably well"
-// 2 -> "an ideal sandbox which may break many things"
+// 1 -> "preliminary content sandboxing enabled: write access to
+// home directory is prevented"
+// 2 -> "preliminary content sandboxing enabled with profile protection:
+// write access to home directory is prevented, read and write access
+// to ~/Library and profile directories are prevented (excluding
+// $PROFILE/{extensions,weave})"
// This setting is read when the content process is started. On Mac the content
// process is killed when all windows are closed, so a change will take effect
// when the 1st window is opened.
+#if defined(NIGHTLY_BUILD)
+pref("security.sandbox.content.level", 2);
+#else
pref("security.sandbox.content.level", 1);
#endif
+#endif
#if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
// This pref is introduced as part of bug 742434, the naming is inspired from
// its Windows/Mac counterpart, but on Linux it's an integer which means:
// 0 -> "no sandbox"
// 1 -> "content sandbox using seccomp-bpf when available"
// 2 -> "seccomp-bpf + file broker"
// Content sandboxing on Linux is currently in the stage of
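Review bot: The new `1 ->` comment says only that write access to the home directory is prevented, while the companion Sandbox.mm rule for level 1 also grants unrestricted `file-read*`, so the pref documentation overstates the protection a reader would infer. Suggest `// 1 -> "preliminary content sandboxing enabled: write access to` followed by `// home directory is prevented (global read access is still allowed)"`. The `2 ->` text could likewise note that read access outside ~/Library and the profile directory stays global. The nested `#if defined(NIGHTLY_BUILD)` block correctly adds its own `#endif` before the existing one, so the XP_MACOSX block still closes.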
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -368,36 +368,50 @@ static const char contentSandboxRules[]
"\n"
" (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
"\n"
"; Per-user and system-wide Extensions dir\n"
" (allow file-read*\n"
" (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
" (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
"\n"
- "; Profile subdirectories\n"
- " (if (not (zero? hasProfileDir)) (allow file-read*\n"
- " (profile-subpath \"/extensions\")\n"
- " (profile-subpath \"/weave\")))\n"
+ "; The following rules impose file access restrictions which get\n"
+ "; more restrictive in higher levels. When file-origin-specific\n"
+ "; content processes are used for file:// origin browsing, the\n"
+ "; global file-read* permission should be removed from each level.\n"
"\n"
- "; the following rules should be removed when printing and\n"
- "; opening a file from disk are brokered through the main process\n"
- " (if (< sandbox-level 2)\n"
+ "; level 1: global read access permitted, no home write access\n"
+ " (if (= sandbox-level 1)\n"
+ " (begin\n"
+ " (allow file-read*)\n"
+ " (allow file-write* (require-not (subpath home-path)))))\n"
+ "\n"
+ "; level 2: global read access permitted, no home write access,\n"
+ "; no read/write access to ~/Library,\n"
+ "; no read/write access to $PROFILE,\n"
+ "; read access permitted to $PROFILE/{extensions,weave}\n"
+ " (if (= sandbox-level 2)\n"
" (if (not (zero? hasProfileDir))\n"
- " (allow file*\n"
- " (require-all\n"
+ " ; we have a profile dir\n"
+ " (begin\n"
+ " (allow file-read* (require-all\n"
" (require-not (home-subpath \"/Library\"))\n"
" (require-not (subpath profileDir))))\n"
- " (allow file*\n"
- " (require-not (home-subpath \"/Library\"))))\n"
- " (allow file*\n"
- " (require-all\n"
- " (subpath home-path)\n"
- " (require-not\n"
- " (home-subpath \"/Library\")))))\n"
+ " (allow file-write* (require-all\n"
+ " (require-not (subpath home-path))\n"
+ " (require-not (subpath profileDir))))\n"
+ " (allow file-read*\n"
+ " (profile-subpath \"/extensions\")\n"
+ " (profile-subpath \"/weave\")))\n"
+ " ; we don't have a profile dir\n"
+ " (begin\n"
+ " (allow file-read*\n"
+ " (require-not (home-subpath \"/Library\")))\n"
+ " (allow file-write* (require-all\n"
+ " (require-not (subpath home-path)))))))\n"
"\n"
"; accelerated graphics\n"
" (allow-shared-preferences-read \"com.apple.opengl\")\n"
" (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
" (allow mach-lookup\n"
" (global-name \"com.apple.cvmsServ\"))\n"
" (allow iokit-open\n"
" (iokit-connection \"IOAccelerator\")\n"
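Review bot: Both new branches test the level with `=`, so a `security.sandbox.content.level` of 3 or higher receives neither the `file-read*` nor the `file-write*` grants from this block; that matches the fall-through of the old `(< sandbox-level 2)` guard, but the commit message now promises that higher levels are "more restrictive", and nothing in the hunk states that this is the intended mechanism. A comment before the level 1 rule, such as `"; levels above 2 get no file-read*/file-write* grants from this block\n"`, would make it explicit; whether a content process can start at all without a global read grant is not shown here. The level 2 write rule for the no-profile-dir case wraps a single `(require-not (subpath home-path))` in `require-all`; dropping the wrapper, `" (allow file-write* (require-not (subpath home-path))))))\n"`, makes it read like the level 1 form. The `contentSandboxRules` string literal begins before this hunk.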