Bug 1306508 - Whitelist /private/var/folders/ in DEBUG and reduce content process write access further; r?gcp
Removes global write access from the content process (instead of
just blocking write access to $HOME) for level 1 and 2 Mac content
sandboxes. Allows writes to /private/var/folders/[0-9][0-9]/ in
DEBUG mode so that leaktest can continue to work.
MozReview-Commit-ID: 635o7Nj9oW1
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -338,45 +338,35 @@ static const char contentSandboxRules[]
" (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
" (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
"\n"
"; The following rules impose file access restrictions which get\n"
"; more restrictive in higher levels. When file-origin-specific\n"
"; content processes are used for file:// origin browsing, the\n"
"; global file-read* permission should be removed from each level.\n"
"\n"
- "; level 1: global read access permitted, no home write access\n"
- " (if (= sandbox-level 1)\n"
- " (begin\n"
- " (allow file-read*)\n"
- " (allow file-write* (require-not (subpath home-path)))))\n"
+ "; level 1: global read access permitted, no global write access\n"
+ " (if (= sandbox-level 1) (allow file-read*))\n"
"\n"
- "; level 2: global read access permitted, no home write access,\n"
+ "; level 2: global read access permitted, no global write access,\n"
"; no read/write access to ~/Library,\n"
"; no read/write access to $PROFILE,\n"
"; read access permitted to $PROFILE/{extensions,weave}\n"
" (if (= sandbox-level 2)\n"
" (if (not (zero? hasProfileDir))\n"
" ; we have a profile dir\n"
" (begin\n"
" (allow file-read* (require-all\n"
" (require-not (home-subpath \"/Library\"))\n"
" (require-not (subpath profileDir))))\n"
- " (allow file-write* (require-all\n"
- " (require-not (subpath home-path))\n"
- " (require-not (subpath profileDir))))\n"
" (allow file-read*\n"
" (profile-subpath \"/extensions\")\n"
" (profile-subpath \"/weave\")))\n"
" ; we don't have a profile dir\n"
- " (begin\n"
- " (allow file-read*\n"
- " (require-not (home-subpath \"/Library\")))\n"
- " (allow file-write* (require-all\n"
- " (require-not (subpath home-path)))))))\n"
+ " (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
"\n"
"; accelerated graphics\n"
" (allow-shared-preferences-read \"com.apple.opengl\")\n"
" (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
" (allow mach-lookup\n"
" (global-name \"com.apple.cvmsServ\"))\n"
" (allow iokit-open\n"
" (iokit-connection \"IOAccelerator\")\n"
@@ -398,16 +388,21 @@ static const char contentSandboxRules[]
" (allow file-read*\n"
" (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
"\n"
"; bug 1237847\n"
" (allow file-read*\n"
" (subpath appTempDir))\n"
" (allow file-write*\n"
" (subpath appTempDir))\n"
+#ifdef DEBUG
+ "\n"
+ "; bug 1303987\n"
+ " (allow file-write* (var-folders-regex \"/\"))\n"
+#endif
")\n";
bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
{
char *profile = NULL;
if (aInfo.type == MacSandboxType_Plugin) {
asprintf(&profile, pluginSandboxRules,
aInfo.pluginInfo.pluginBinaryPath.c_str(),