Bug 1370540 - Extend the level 3 content sandbox filesystem read blacklist to include /Network and /Users; r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Tue, 06 Jun 2017 10:48:06 -0400
changeset 362635 c6ab7e1a315b
parent 362634 85b383c5a7a8
child 362636 5718965e62eb
push id44213
push userryanvm@gmail.com
push dateWed, 07 Jun 2017 00:52:28 +0000
reviewershaik
bugs1370540
milestone55.0a1
Bug 1370540 - Extend the level 3 content sandbox filesystem read blacklist to include /Network and /Users; r=haik MozReview-Commit-ID: 6RfS5aYRghK
security/sandbox/mac/SandboxPolicies.h
security/sandbox/test/browser_content_sandbox_fs.js
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,40 +271,44 @@ static const char contentSandboxRules[] 
                   (profile-subpath "/extensions")
                   (profile-subpath "/chrome")))
             ; we don't have a profile dir
             (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
   ;          no read access to /private/var (but read-metadata allowed above),
-  ;          no read access to /Volumes
+  ;          no read access to /{Volumes,Network,Users}
   ;          read access permitted to $PROFILE/{extensions,chrome}
     (if (string=? sandbox-level-3 "TRUE")
       (if (string=? hasFilePrivileges "TRUE")
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
                 (require-not (subpath home-path))
                 (require-not (subpath profileDir))
                 (require-not (subpath "/Volumes"))
+                (require-not (subpath "/Network"))
+                (require-not (subpath "/Users"))
                 (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
           (begin
             (allow file-read* (require-all
               (require-not (subpath home-path))
               (require-not (subpath "/Volumes"))
+              (require-not (subpath "/Network"))
+              (require-not (subpath "/Users"))
               (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))))))
 
   ; accelerated graphics
     (allow-shared-preferences-read "com.apple.opengl")
     (allow-shared-preferences-read "com.nvidia.OpenGL")
     (allow mach-lookup
         (global-name "com.apple.cvmsServ"))
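Review bot: The level-3 read-denial list is now maintained by hand in two places, the with-profile branch and the no-profile branch, and this commit itself had to add `/Network` and `/Users` to both; a future addition that lands in only one branch would silently leave that configuration more permissive. SBPL is TinyScheme-based and the profile already relies on helpers such as `home-subpath` and `profile-subpath`, so the list can be defined once and referenced from both `require-all` blocks (confirm against the existing definitions higher in the file, which are outside this hunk). The `(require-not (subpath home-path))` entry should stay even though `/Users` normally contains the home directory, since home directories are not guaranteed to live under `/Users`; a one-line comment saying so, e.g. `; keep home-path: $HOME is not always under /Users`, would prevent someone from "simplifying" it away. The `contentSandboxRules` string literal begins before this hunk.
```c
  ; top-level directories denied for file-read* at level 3, defined once so the
  ; with-profile and no-profile branches below cannot drift apart
  (define (level3-denied-subpath)
    (require-any
      (subpath "/Volumes")
      (subpath "/Network")
      (subpath "/Users")
      (subpath "/private/var")))
  ; … unchanged: sandbox-level-3 / hasFilePrivileges / hasProfileDir checks …
            (allow file-read* (require-all
                (require-not (subpath home-path))
                (require-not (subpath profileDir))
                (require-not (level3-denied-subpath))))
  ; … unchanged: cupsd and profile-subpath allows; no-profile branch uses the same helper …
```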
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@@ -381,16 +381,34 @@ function* testFileAccess() {
     let volumes = GetDir("/Volumes");
     tests.push({
       desc:     "/Volumes",
       ok:       false,
       browser:  webBrowser,
       file:     volumes,
       minLevel: minHomeReadSandboxLevel(),
     });
+    // Test that we cannot read from /Network at level 3
+    let network = GetDir("/Network");
+    tests.push({
+      desc:     "/Network",
+      ok:       false,
+      browser:  webBrowser,
+      file:     network,
+      minLevel: minHomeReadSandboxLevel(),
+    });
+    // Test that we cannot read from /Users at level 3
+    let users = GetDir("/Users");
+    tests.push({
+      desc:     "/Users",
+      ok:       false,
+      browser:  webBrowser,
+      file:     users,
+      minLevel: minHomeReadSandboxLevel(),
+    });
   }
 
   let extensionsDir = GetProfileEntry("extensions");
   if (extensionsDir.exists() && extensionsDir.isDirectory()) {
     tests.push({
       desc:     "extensions dir",
       ok:       true,
       browser:  webBrowser,
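Review bot: The `/Network` and `/Users` cases are copy-pasted from the `/Volumes` case with only the path and description differing, so the three blocks are likely to drift (for example, one getting a different `minLevel` or `ok` value when the policy changes); a loop over the denied top-level directories keeps the expectation in one place and makes adding the next directory a one-token change. The `let network`/`let users` bindings are never reassigned and can be dropped entirely with this shape. The enclosing `testFileAccess` generator and the `if` block these pushes live in both start before this hunk.
```javascript
    // Level 3 denies read access to these top-level directories outright.
    for (const dir of ["/Volumes", "/Network", "/Users"]) {
      tests.push({
        desc:     dir,
        ok:       false,
        browser:  webBrowser,
        file:     GetDir(dir),
        minLevel: minHomeReadSandboxLevel(),
      });
    }
```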