Bug 1385028 - simplify handling of macOS minor version in the sandbox policy; r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Thu, 27 Jul 2017 13:58:28 -0400
changeset 617056 0e3e41b9479cc089002f5ef7859f915f5d46f961
parent 616915 36f95aeb4c77f7cf3b3366583008cd6e4b6b1dba
child 639682 5fc9847432d39233dae9390caf3c5e4c2f2ec4db
push id70907
push userbmo:agaynor@mozilla.com
push dateThu, 27 Jul 2017 20:35:19 +0000
reviewershaik
bugs1385028
milestone56.0a1
Bug 1385028 - simplify handling of macOS minor version in the sandbox policy; r?haik MozReview-Commit-ID: BDD7WzTqHC6
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -124,16 +124,25 @@ OSXVersion::GetVersionNumber()
 
 namespace mozilla {
 
 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
 {
   std::vector<const char *> params;
   char *profile = NULL;
   bool profile_needs_free = false;
+
+// 12 bytes is enough to store any int32_t, plus one for the NUL byte. In
+// practice of course, it's unlikely we'll see a macOS minor version greater
+// than 2 digits in the lifetime of this code. Better safe than sorry though!
+#define MAX_MACOS_MINOR_VERSION_LENGTH 13
+  char macOSMinor[MAX_MACOS_MINOR_VERSION_LENGTH];
+  snprintf(macOSMinor, sizeof(macOSMinor), "%d", OSXVersion::OSXVersionMinor());
+#undef MAX_MACOS_MINOR_VERSION_LENGTH
+
   if (aInfo.type == MacSandboxType_Plugin) {
     profile = const_cast<char *>(pluginSandboxRules);
     params.push_back("SHOULD_LOG");
     params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
     params.push_back("PLUGIN_BINARY_PATH");
     params.push_back(aInfo.pluginInfo.pluginBinaryPath.c_str());
     params.push_back("APP_PATH");
     params.push_back(aInfo.appPath.c_str());
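Review bot: The `#define`/`#undef` pair used to size the 13-byte `macOSMinor` stack buffer (new lines after `profile_needs_free`) is an unusual construction in a file that already works with `std::string`; `const std::string macOSMinor = std::to_string(OSXVersion::OSXVersionMinor());` with `params.push_back(macOSMinor.c_str())` in the content branch yields the same decimal text with no magic size and no snprintf. The value is also formatted unconditionally although only the content-sandbox branch appears to consume it, which is harmless but worth a comment such as `// Passed to the content policy as MAC_OS_MINOR; the profile parses it with string->number, so it must stay a plain decimal integer.` StartMacSandbox continues past this hunk, so the eventual consumer of `params` is not visible here.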
@@ -155,20 +164,18 @@ bool StartMacSandbox(MacSandboxInfo aInf
       params.push_back("SHOULD_LOG");
       params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_1");
       params.push_back(aInfo.level == 1 ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_2");
       params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_3");
       params.push_back(aInfo.level == 3 ? "TRUE" : "FALSE");
-      params.push_back("MAC_OS_MINOR_9");
-      params.push_back(OSXVersion::OSXVersionMinor() == 9 ? "TRUE" : "FALSE");
-      params.push_back("MAC_OS_MINOR_MIN_13");
-      params.push_back(OSXVersion::OSXVersionMinor() >= 13 ? "TRUE" : "FALSE");
+      params.push_back("MAC_OS_MINOR");
+      params.push_back(macOSMinor);
       params.push_back("APP_PATH");
       params.push_back(aInfo.appPath.c_str());
       params.push_back("APP_BINARY_PATH");
       params.push_back(aInfo.appBinaryPath.c_str());
       params.push_back("APP_DIR");
       params.push_back(aInfo.appDir.c_str());
       params.push_back("APP_TEMP_DIR");
       params.push_back(aInfo.appTempDir.c_str());
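Review bot: `params.push_back(macOSMinor)` stores a pointer into a stack array declared earlier in StartMacSandbox, so the entry is only valid while the function is still running; that is fine provided the vector is handed to the sandbox initializer before the function returns, which cannot be confirmed from this hunk. A one-line comment at the push would make the lifetime assumption explicit, e.g. `// macOSMinor is a local buffer; params must be consumed before StartMacSandbox returns.` The three `SANDBOX_LEVEL_n` booleans just above could be collapsed the same way into one numeric `SANDBOX_LEVEL` parsed with `string->number`, a natural follow-up to this simplification. The enclosing function starts and ends outside this hunk.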
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -49,18 +49,17 @@ static const char widevinePluginSandboxR
 
 static const char contentSandboxRules[] = R"(
   (version 1)
 
   (define should-log (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
-  (define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
-  (define macosMinorVersion-min13 (param "MAC_OS_MINOR_MIN_13"))
+  (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define appPath (param "APP_PATH"))
   (define appBinaryPath (param "APP_BINARY_PATH"))
   (define appdir-path (param "APP_DIR"))
   (define appTempDir (param "APP_TEMP_DIR"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
   (define home-path (param "HOME_PATH"))
   (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
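Review bot: `(define macosMinorVersion (string->number (param "MAC_OS_MINOR")))` makes the policy depend on the parameter being a decimal integer; if it were missing or non-numeric, `string->number` would presumably yield `#f` and the later `=`/`>=` comparisons would make the profile fail to compile rather than fall back to the restrictive branches, which is acceptable only if a failed sandbox start aborts the process. Suggest recording the contract above the define: `; MAC_OS_MINOR is the macOS 10.x minor version as a decimal string (formatted with "%d" in StartMacSandbox); anything else fails profile compilation.` Whether OSXVersionMinor() can report 0 or a negative value when version detection fails is not visible here and is worth confirming, though such a value would only select the more restrictive branches.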
@@ -105,17 +104,17 @@ static const char contentSandboxRules[] 
 
   (allow file-read*
     file-write-data
     file-ioctl
     (literal "/dev/dtracehelper"))
 
   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
   ; we need to allow all sysctl-reads there.
-  (if (string=? macosMinorVersion-9 "TRUE")
+  (if (= macosMinorVersion 9)
     (allow sysctl-read)
     (allow sysctl-read
       (sysctl-name-regex #"^sysctl\.")
       (sysctl-name "kern.ostype")
       (sysctl-name "kern.osversion")
       (sysctl-name "kern.osrelease")
       (sysctl-name "kern.version")
       ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
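Review bot: `(if (= macosMinorVersion 9)` selects the blanket `(allow sysctl-read)` purely on the minor number, so the check only means "10.9" as long as the major version is 10; should OSXVersionMinor() ever report the minor of a later major release, a minor of 9 would re-enable unrestricted sysctl reads, which is the permissive direction. The old `MAC_OS_MINOR_9` boolean carried the same implicit assumption, but now that the policy does the arithmetic itself it should be written down: `; macosMinorVersion is the x in macOS 10.x; every comparison on it assumes the major version is 10.` The restrictive `(allow sysctl-read (sysctl-name ...))` else-branch continues past this hunk.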
@@ -199,21 +198,21 @@ static const char contentSandboxRules[] 
       (global-name "com.apple.iconservices")
       (global-name "com.apple.cache_delete")
       (global-name "com.apple.pluginkit.pkd")
       (global-name "com.apple.bird")
       (global-name "com.apple.cmio.AppleCameraAssistant")
       (global-name "com.apple.DesktopServicesHelper"))
 
 ; bug 1376163
-  (if (string=? macosMinorVersion-min13 "TRUE")
+  (if (>= macosMinorVersion 13)
     (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar")))
 
 ; bug 1312273
-  (if (string=? macosMinorVersion-9 "TRUE")
+  (if (= macosMinorVersion 9)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
   (allow iokit-open
       (iokit-user-client-class "IOHIDParamUserClient")
       (iokit-user-client-class "IOAudioControlUserClient")
       (iokit-user-client-class "IOAudioEngineUserClient")
       (iokit-user-client-class "IGAccelDevice")
       (iokit-user-client-class "nvDevice")
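Review bot: The same `(= macosMinorVersion 9)` test now appears twice in the profile (here for `com.apple.xpcd` and earlier for `sysctl-read`), where the previous version had a single named boolean; binding it once, `(define macos-10-9? (= macosMinorVersion 9))` next to the other defines, would keep one place to update and restore the self-documenting name. Likewise `(>= macosMinorVersion 13)` has no upper bound, so on a release where the minor resets this allow silently disappears — fail-closed, but worth a short comment stating that the check is meant to cover 10.13 and later.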