Bug 1428361 - remove some 'on by default' permissions from the macOS plugin sandbox; r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Wed, 14 Nov 2018 16:46:05 +0000
changeset 446446 aeea4bb2f0f7b78efadec21a2c916d8e54b844e4
parent 446445 9728b79f2ff41f879452ab78e565896f3de431b8
child 446447 daffe63f1a1f313446c7f4c29e24de04f4ed1062
push id72999
push userrvandermeulen@mozilla.com
push dateWed, 14 Nov 2018 22:47:32 +0000
reviewershaik
bugs1428361
milestone65.0a1
Bug 1428361 - remove some 'on by default' permissions from the macOS plugin sandbox; r=haik Differential Revision: https://phabricator.services.mozilla.com/D11892
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -17,31 +17,49 @@ static const char pluginSandboxRules[] =
   (define plugin-binary-path (param "PLUGIN_BINARY_PATH"))
   (define app-path (param "APP_PATH"))
   (define app-binary-path (param "APP_BINARY_PATH"))
 
   (if (string=? should-log "TRUE")
       (deny default)
       (deny default (with no-log)))
 
+  ; These are not included in (deny default)
+  (deny process-info*)
+  ; This isn't available in some older macOS releases.
+  (if (defined? 'nvram*)
+    (deny nvram*))
+  ; This property require macOS 10.10+
+  (if (defined? 'file-map-executable)
+    (deny file-map-executable))
+
+  (if (defined? 'file-map-executable)
+    (allow file-map-executable file-read*
+      (subpath "/System/Library/PrivateFrameworks")
+      (regex #"^/usr/lib/libstdc\+\+\.[^/]*dylib$")
+      (literal plugin-binary-path)
+      (literal app-binary-path)
+      (subpath app-path))
+    (allow file-read*
+      (subpath "/System/Library/PrivateFrameworks")
+      (regex #"^/usr/lib/libstdc\+\+\.[^/]*dylib$")
+      (literal plugin-binary-path)
+      (literal app-binary-path)
+      (subpath app-path)))
+
   (allow signal (target self))
   (allow sysctl-read)
   (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
   (allow file-read*
       (literal "/etc")
       (literal "/dev/random")
       (literal "/dev/urandom")
       (literal "/usr/share/icu/icudt51l.dat")
       (subpath "/System/Library/Displays/Overrides")
-      (subpath "/System/Library/CoreServices/CoreTypes.bundle")
-      (subpath "/System/Library/PrivateFrameworks")
-      (regex #"^/usr/lib/libstdc\+\+\.[^/]*dylib$")
-      (literal plugin-binary-path)
-      (literal app-path)
-      (literal app-binary-path))
+      (subpath "/System/Library/CoreServices/CoreTypes.bundle"))
 )SANDBOX_LITERAL";
 
 static const char widevinePluginSandboxRulesAddend[] = R"SANDBOX_LITERAL(
   (allow mach-lookup (global-name "com.apple.windowserver.active"))
 )SANDBOX_LITERAL";
 
 static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
   (version 1)
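Review bot: The old file-read* list granted `(literal app-path)` (the single directory entry), but both new allow branches grant `(subpath app-path)`, which widens read access — and, where `file-map-executable` is defined, executable-mapping — to the entire app bundle, a broadening the commit message ("remove some permissions") does not mention. If the broadening is intentional, a one-line comment above the allow rule should say so, e.g. `; The whole app bundle (APP_PATH) is readable and mappable, not just its top-level entry`; otherwise the old `(literal app-path)` should be restored. With the subpath form, `(literal app-binary-path)` becomes redundant if APP_BINARY_PATH sits under APP_PATH, which this hunk does not show. The five filters are duplicated verbatim in the two branches of the `(if (defined? 'file-map-executable) ...)`; if the profile's `define` accepts a filter value here, binding them once would keep the branches from drifting apart, and the comment `; This property require macOS 10.10+` should read `requires`.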