Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS; r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Fri, 07 Jul 2017 11:05:01 -0400
changeset 368132 1ba3f4c9ef45239055839d6cf1c49687a66f4860
parent 368066 d034fc43e7f64736dc5f9371fb4b7b1848d9058a
child 368133 5b7ea1de6ba0250875ab1245c6027d219af2a82b
push id32158
push usercbook@mozilla.com
push dateTue, 11 Jul 2017 10:48:59 +0000
reviewershaik
bugs1379182
milestone56.0a1
Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS; r=haik On macOS, the file-write* permission type contains numerous sub-permissions (see bug for full listing). Restrict the ones we allow to only the two we need: file-write-create and file-write-data. This primarily reduces kernel attack surface; I'm not aware of any bad things that could be done directly with the removed permissions. MozReview-Commit-ID: 3VvjFesy2qx
security/sandbox/mac/SandboxPolicies.h
security/sandbox/test/browser_content_sandbox_fs.js
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -270,17 +270,17 @@ static const char contentSandboxRules[] 
   (allow file-read-metadata (home-subpath "/Library"))
 
   (allow file-read-metadata
     (literal "/private/var")
     (subpath "/private/var/folders"))
 
 ; bug 1303987
   (if (string? debugWriteDir)
-    (allow file-write* (subpath debugWriteDir)))
+    (allow file-write-create file-write-data (subpath debugWriteDir)))
 
   ; bug 1324610
   (allow network-outbound file-read*
     (literal "/private/var/run/cupsd"))
 
   (allow-shared-list "org.mozilla.plugincontainer")
 
 ; the following rule should be removed when microphone access
@@ -354,15 +354,15 @@ static const char contentSandboxRules[] 
       (iokit-user-client-class "AppleGraphicsPolicyClient"))
 
 ; bug 1153809
   (allow iokit-open
       (iokit-user-client-class "NVDVDContextTesla")
       (iokit-user-client-class "Gen6DVDContext"))
 
   ; bug 1237847
-  (allow file-read* file-write*
+  (allow file-read* file-write-create file-write-data
       (subpath appTempDir))
 )";
 
 }
 
 #endif // mozilla_SandboxPolicies_h
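Review bot: The narrowed rule under `; bug 1237847` (and the matching `debugWriteDir` rule in the earlier hunk) carries no comment saying which file-write* sub-permissions are now deliberately withheld, so a later reader chasing a sandbox denial may simply restore `file-write*`. Suggest adding above it `; bug 1379182: only file-write-create and file-write-data are granted here; the remaining file-write* sub-permissions (deletion among them) are intentionally denied`. If any content-process code writes into appTempDir with a temp-name-then-rename pattern, that path may now be denied under this profile; worth confirming against a sandbox-violation log before relying on the narrower set. The enclosing `contentSandboxRules` string literal begins before this hunk.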
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@@ -210,17 +210,25 @@ async function createFileInHome() {
 // Test if the content process can create a temp file, should pass
 async function createTempFile() {
   let browser = gBrowser.selectedBrowser;
   let path = fileInTempDir().path;
   let fileCreated = await ContentTask.spawn(browser, path, createFile);
   ok(fileCreated == true, "creating a file in content temp is permitted");
   // now delete the file
   let fileDeleted = await ContentTask.spawn(browser, path, deleteFile);
-  ok(fileDeleted == true, "deleting a file in content temp is permitted");
+  if (isMac()) {
+    // On macOS we do not allow file deletion - it is not needed by the content
+    // process itself, and macOS uses a different permission to control access
+    // to revoking it is easy.
+    ok(fileDeleted == false,
+       "deleting a file in the content temp is not permitted");
+  } else {
+    ok(fileDeleted == true, "deleting a file in content temp is permitted");
+  }
 }
 
 // Test reading files and dirs from web and file content processes.
 async function testFileAccess() {
   // for tests that run in a web content process
   let webBrowser = gBrowser.selectedBrowser;
 
   // Ensure that the file content process is enabled.
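Review bot: The comment added in the macOS branch of createTempFile is garbled — "macOS uses a different permission to control access to revoking it is easy" does not parse, so the reason the assertion is inverted is lost; replace it with `// On macOS the sandbox grants only file-write-create and file-write-data in the content temp dir, so deletion is expected to be denied; the content process does not need to delete files there.` Because deletion now fails on macOS, the file created via `createFile` is left behind after the test; consider removing it from the parent process after the assertion, using whichever file API this test file already imports (not visible in the hunk). The new assertion also uses loose equality; prefer `ok(fileDeleted === false, "deleting a file in the content temp is not permitted");`. testFileAccess, which begins at the end of this hunk, continues outside it.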