Bug 1363179 - do not allow content processes to read from /Volumes on macOS r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Fri, 12 May 2017 16:18:57 -0400
changeset 577088 02c23f12fb17
parent 576982 1e2fe13035e1
child 628417 adc8a340f6d9
push id58599
push userbmo:agaynor@mozilla.com
push dateFri, 12 May 2017 20:24:06 +0000
reviewershaik
bugs1363179
milestone55.0a1
Bug 1363179 - do not allow content processes to read from /Volumes on macOS r?haik MozReview-Commit-ID: 8osJVQD3myh
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,37 +271,40 @@ static const char contentSandboxRules[] 
                   (profile-subpath "/extensions")
                   (profile-subpath "/chrome")))
             ; we don't have a profile dir
             (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
   ;          no read access to /private/var (but read-metadata allowed above),
+  ;          no read access to /Volumes
   ;          read access permitted to $PROFILE/{extensions,chrome}
     (if (string=? sandbox-level-3 "TRUE")
       (if (string=? hasFilePrivileges "TRUE")
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
                 (require-not (subpath home-path))
                 (require-not (subpath profileDir))
+                (require-not (subpath "/Volumes"))
                 (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
           (begin
             (allow file-read* (require-all
               (require-not (subpath home-path))
+              (require-not (subpath "/Volumes"))
               (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))))))
 
   ; accelerated graphics
     (allow-shared-preferences-read "com.apple.opengl")
     (allow-shared-preferences-read "com.nvidia.OpenGL")
     (allow mach-lookup
         (global-name "com.apple.cvmsServ"))
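Review bot: The two added `(require-not (subpath "/Volumes"))` filters, in the profile-dir and no-profile-dir branches of level 3, are not explained anywhere; the new comment line only restates the rule, so a later auditor of this policy cannot tell what the exclusion is meant to protect against. Suggest extending that comment line to record the motivation, e.g. `;          no read access to /Volumes (other mounted volumes, e.g. external or network media)`, adjusting it to the actual rationale from bug 1363179 since I am inferring it from the path name. Note that `subpath` is a prefix match on whatever path the sandbox evaluates, so if the same filesystem is also reachable under another mount point or through a symlink outside /Volumes, this rule would not cover it; that is worth confirming against the macOS sandbox path-resolution behaviour rather than assuming. The level-2 branch whose tail is visible at the top of the hunk is unchanged, and whether it should carry the same exclusion is outside what this hunk shows.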