Bug 1363179 - do not allow content processes to read from /Volumes on macOS r=haik
author Alex Gaynor <agaynor@mozilla.com>
Fri, 12 May 2017 16:18:57 -0400
changeset 358176 02f1025c91f8
parent 358175 c9732a51552b
child 358177 41d11d56768c
push id 42623
push user ryanvm@gmail.com
push date Sat, 13 May 2017 17:05:43 +0000
reviewers haik
bugs 1363179
milestone 55.0a1
Bug 1363179 - do not allow content processes to read from /Volumes on macOS r=haik MozReview-Commit-ID: 8osJVQD3myh
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,37 +271,40 @@ static const char contentSandboxRules[] 
                   (profile-subpath "/extensions")
                   (profile-subpath "/chrome")))
             ; we don't have a profile dir
             (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
   ;          no read access to /private/var (but read-metadata allowed above),
+  ;          no read access to /Volumes
   ;          read access permitted to $PROFILE/{extensions,chrome}
     (if (string=? sandbox-level-3 "TRUE")
       (if (string=? hasFilePrivileges "TRUE")
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
                 (require-not (subpath home-path))
                 (require-not (subpath profileDir))
+                (require-not (subpath "/Volumes"))
                 (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
           (begin
             (allow file-read* (require-all
               (require-not (subpath home-path))
+              (require-not (subpath "/Volumes"))
               (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))))))
 
   ; accelerated graphics
     (allow-shared-preferences-read "com.apple.opengl")
     (allow-shared-preferences-read "com.nvidia.OpenGL")
     (allow mach-lookup
         (global-name "com.apple.cvmsServ"))
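Review bot: The commit title says content processes may not read /Volumes, but the new `(require-not (subpath "/Volumes"))` rules land only in the two level-3 branches; the level-2 tail visible at the top of the hunk still grants `(allow file-read* (require-not (home-subpath "/Library")))` in the no-profile case, so /Volumes stays readable there, and the `hasFilePrivileges` branch at `(allow file-read*)` is, presumably by design, unaffected. If that scoping is intended, the level-3 comment block should say so, e.g. `;          no read access to /Volumes (not restricted at lower levels)`. The neighbouring comment notes that read-metadata on /private/var is still allowed above; whether a metadata allow elsewhere in the profile also exposes the list of mounted volumes under /Volumes is not visible in this hunk and is worth confirming. The two `require-all` lists in the profile and no-profile branches are now identical apart from `profileDir`, so the shared exclusions could be hoisted into a helper `(define ...)` the way `home-subpath` and `profile-subpath` already are, so the next excluded path cannot be added to only one branch. The `contentSandboxRules` string continues outside the hunk.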