Bug 1541230 - Part 2 - Add /System/Library read access to the utility sandbox r=Alex_Gaynor
authorHaik Aftandilian <haftandilian@mozilla.com>
Tue, 09 Apr 2019 12:51:18 +0000
changeset 468590 f558bd686d04a94c66f74593abed7d0eeaa2b8c1
parent 468589 247f24a6210293589d56c1420b84a8a1f8f627c4
child 468591 20c3796517dababd5f650efcfeaaa361f1474b95
push id35843
push usernbeleuzu@mozilla.com
push dateTue, 09 Apr 2019 22:08:13 +0000
reviewersAlex_Gaynor
bugs1541230
milestone68.0a1
Bug 1541230 - Part 2 - Add /System/Library read access to the utility sandbox r=Alex_Gaynor Allow read access to /System/Library for accessing system libraries. Depends on D26397 Differential Revision: https://phabricator.services.mozilla.com/D26626
security/sandbox/mac/SandboxPolicyUtility.h
--- a/security/sandbox/mac/SandboxPolicyUtility.h
+++ b/security/sandbox/mac/SandboxPolicyUtility.h
@@ -27,35 +27,32 @@ static const char SandboxPolicyUtility[]
   (if (defined? 'nvram*)
     (moz-deny nvram*))
   ; This property requires macOS 10.10+
   (if (defined? 'file-map-executable)
     (moz-deny file-map-executable))
 
   (if (defined? 'file-map-executable)
     (allow file-map-executable file-read*
-      (subpath "/System/Library/PrivateFrameworks")
-      (subpath "/System/Library/Frameworks")
+      (subpath "/System/Library")
       (subpath "/usr/lib")
       (subpath app-path))
     (allow file-read*
-      (subpath "/System/Library/PrivateFrameworks")
-      (subpath "/System/Library/Frameworks")
+      (subpath "/System/Library")
       (subpath "/usr/lib")
       (subpath app-path)))
 
   (if (string? crashPort)
     (allow mach-lookup (global-name crashPort)))
 
   (allow signal (target self))
   (allow sysctl-read)
   (allow file-read*
     (literal "/dev/random")
     (literal "/dev/urandom")
-    (literal "/System/Library/CoreServices/SystemVersion.plist")
     (subpath "/usr/share/icu"))
 
   (allow mach-lookup
     (global-name "com.apple.coreservices.launchservicesd"))
 )SANDBOX_LITERAL";
 
 }  // namespace mozilla
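Review bot: The then-branch of `(if (defined? 'file-map-executable) ...)` now grants `file-map-executable` together with `file-read*` on `(subpath "/System/Library")`, so executable mapping is widened to the whole tree, while the commit description speaks only of read access. If mapping is needed only from the two framework directories listed before, the broad subpath could be confined to the `file-read*` rule; if the utility process does map libraries from elsewhere under /System/Library, a policy comment should record that, for example `; Read and map access to all of /System/Library is needed to load system libraries (bug 1541230)`. Removing the `SystemVersion.plist` literal looks safe, because both branches of the `if` allow `file-read*` on the new subpath. The `SandboxPolicyUtility[]` string literal begins before this hunk, so the rules above it were not reviewed.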