Bug 1460917 - Fonts not displaying with FontExplorer X fonts in Firefox 60 r=handyman
authorHaik Aftandilian <haftandilian@mozilla.com>
Mon, 14 May 2018 16:04:55 -0700
changeset 418417 373ddd2470ec
parent 418416 21ab7bb3b993
child 418418 e4bbc6fc7355
push id34000
push userebalazs@mozilla.com
push dateWed, 16 May 2018 09:59:58 +0000
treeherdermozilla-central@dedd25bfd279 [default view] [failures only]
reviewershandyman
bugs1460917, 1393259
milestone62.0a1
Bug 1460917 - Fonts not displaying with FontExplorer X fonts in Firefox 60 r=handyman Add back font whitelist rules removed by the fix for bug 1393259 to work around font sandbox extensions not being issued automatically on OS X 10.11 and earlier. MozReview-Commit-ID: 2hT0BzN3Ggq
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -339,16 +339,32 @@ static const char contentSandboxRules[] 
     (subpath "/Library/Application Support/Apple/Fonts")
     (home-subpath "/Library/Fonts")
     ; Allow read access to paths allowed via sandbox extensions.
     ; This is needed for fonts in non-standard locations normally
     ; due to third party font managers. The extensions are
     ; automatically issued by the font server in response to font
     ; API calls.
     (extension "com.apple.app-sandbox.read"))
+
+  ; Fonts
+  ; Workaround for sandbox extensions not being automatically
+  ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+  (if (<= macosMinorVersion 11)
+    (allow file-read*
+      (regex #"\.[oO][tT][fF]$"          ; otf
+             #"\.[tT][tT][fF]$"          ; ttf
+             #"\.[tT][tT][cC]$"          ; ttc
+             #"\.[oO][tT][cC]$"          ; otc
+             #"\.[dD][fF][oO][nN][tT]$") ; dfont
+      (home-subpath "/Library/FontCollections")
+      (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+      (home-subpath "/Library/Application Support/FontAgent")
+      (regex #"\.fontvault/")
+      (home-subpath "/FontExplorer X/Font Library")))
 )SANDBOX_LITERAL";
 
 // These are additional rules that are added to the content process rules for
 // file content processes.
 static const char fileContentProcessAddend[] = R"SANDBOX_LITERAL(
   ; This process has blanket file read privileges
   (allow file-read*)
 
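Review bot: The five suffix patterns in the added `(allow file-read* (regex ...))` are anchored only at the end of the path, so on 10.11 and earlier the content process may read any file on disk whose name ends in .otf, .ttf, .ttc, .otc or .dfont. `(regex #"\.fontvault/")` likewise matches a directory of that name at any depth. This is much wider than the directory-scoped rules just above it, and the decision rests on the file name rather than on the file being a font. As this is a deliberate compatibility workaround, the comment should at least record the breadth, e.g. `; NOTE: suffix regexes match by name anywhere on disk, not only in font directories.` The identical block added to flashPluginSandboxRules in the hunk at -625 has the same scope.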
@@ -512,16 +528,19 @@ static const char flashPluginSandboxRule
           "kern.safeboot"
           "kern.version"
           "vm.footprint_suspend")))
 
   ; Utilities for allowing access to home subdirectories
   (define home-library-path
     (string-append homeDir "/Library"))
 
+  (define (home-subpath home-relative-subpath)
+    (subpath (string-append homeDir home-relative-subpath)))
+
   (define home-library-prefs-path
     (string-append homeDir "/Library" "/Preferences"))
 
   (define (home-literal home-relative-literal)
     (literal (string-append homeDir home-relative-literal)))
 
   (define (home-library-regex home-library-relative-regex)
     (regex (string-append "^" (regex-quote home-library-path))
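Review bot: The new `home-subpath` helper has no comment, and it builds the path by plain concatenation, so it depends on every caller passing an argument that starts with "/". Because `subpath` matches everything below the resulting directory, a one-line comment is worth adding above the definition, e.g. `; Matches the whole tree under homeDir + arg; arg must begin with "/".` homeDir is defined outside this hunk, so whether it can carry a trailing slash cannot be checked from here.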
@@ -625,16 +644,32 @@ static const char flashPluginSandboxRule
     (home-library-subpath "/Fonts")
     ; Allow read access to paths allowed via sandbox extensions.
     ; This is needed for fonts in non-standard locations normally
     ; due to third party font managers. The extensions are
     ; automatically issued by the font server in response to font
     ; API calls.
     (extension "com.apple.app-sandbox.read"))
 
+  ; Fonts
+  ; Workaround for sandbox extensions not being automatically
+  ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+  (if (<= macosMinorVersion 11)
+    (allow file-read*
+      (regex #"\.[oO][tT][fF]$"          ; otf
+             #"\.[tT][tT][fF]$"          ; ttf
+             #"\.[tT][tT][cC]$"          ; ttc
+             #"\.[oO][tT][cC]$"          ; otc
+             #"\.[dD][fF][oO][nN][tT]$") ; dfont
+      (home-subpath "/Library/FontCollections")
+      (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+      (home-subpath "/Library/Application Support/FontAgent")
+      (regex #"\.fontvault/")
+      (home-subpath "/FontExplorer X/Font Library")))
+
   (if (string=? sandbox-level-1 "TRUE") (begin
     ; Open file dialogs
     (allow mach-lookup
 	; needed for the dialog sidebar
 	(global-name "com.apple.coreservices.sharedfilelistd.xpc")
 	; bird(8) -- "Documents in the Cloud"
 	; needed to avoid iCloud error dialogs and to display iCloud files
 	(global-name "com.apple.bird")
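Review bot: The gate `(if (<= macosMinorVersion 11)` compares the minor version alone, so it identifies "10.11 and earlier" only while the major version is 10. macosMinorVersion is defined outside this hunk; assuming it holds just the second version component, an OS release with a new major number and a low minor number would satisfy the test and silently re-enable these broad read rules in the plugin sandbox. A comment such as `; assumes major version 10; revisit if the major number changes`, or an additional major-version test, would make the intent explicit. The same condition guards the copy added to contentSandboxRules in the first hunk.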