Bug 1046166 - Add sandbox white list for userContent.css on MacOSX. r=haik,pbro
authorWei-Cheng Pan <wpan@mozilla.com>
Thu, 17 Nov 2016 11:56:10 +0800
changeset 323393 783d76ec78f08e815b9d8dd44f4a55a573ec4d92
parent 323392 73ed02918ff7faf9f00ecaf514029010441bacc7
child 323394 a2ca13b26bbac87df79c6555351c6f454ab3888b
push id30977
push usercbook@mozilla.com
push dateMon, 21 Nov 2016 14:43:25 +0000
treeherdermozilla-central@46e4cd888213 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewershaik, pbro
bugs1046166
milestone53.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1046166 - Add sandbox white list for userContent.css on MacOSX. r=haik,pbro MozReview-Commit-ID: BVnGjaSSkEh
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -348,27 +348,28 @@ static const char contentSandboxRules[] 
   "; global file-read* permission should be removed from each level.\n"
   "\n"
   "; level 1: global read access permitted, no global write access\n"
   "  (if (= sandbox-level 1) (allow file-read*))\n"
   "\n"
   "; level 2: global read access permitted, no global write access,\n"
   ";          no read/write access to ~/Library,\n"
   ";          no read/write access to $PROFILE,\n"
-  ";          read access permitted to $PROFILE/{extensions,weave}\n"
+  ";          read access permitted to $PROFILE/{extensions,weave,chrome}\n"
   "  (if (= sandbox-level 2)\n"
   "    (if (not (zero? hasProfileDir))\n"
   "      ; we have a profile dir\n"
   "      (begin\n"
   "        (allow file-read* (require-all\n"
   "              (require-not (home-subpath \"/Library\"))\n"
   "              (require-not (subpath profileDir))))\n"
   "        (allow file-read*\n"
   "              (profile-subpath \"/extensions\")\n"
-  "              (profile-subpath \"/weave\")))\n"
+  "              (profile-subpath \"/weave\")\n"
+  "              (profile-subpath \"/chrome\")))\n"
   "      ; we don't have a profile dir\n"
   "      (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
   "\n"
   "; accelerated graphics\n"
   "  (allow-shared-preferences-read \"com.apple.opengl\")\n"
   "  (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
   "  (allow mach-lookup\n"
   "      (global-name \"com.apple.cvmsServ\"))\n"