Bug 1284588 - OS X: Disable content process write access to user files in the home directory draft
authorHaik Aftandilian <haftandilian@mozilla.com>
Wed, 03 Aug 2016 13:17:56 -0700
changeset 396456 46daf7032cb332c05f5c5d6fc1754a46e09e2b04
parent 392445 251fccc1f62bf0eac569ef4f6717fea61ebadb27
child 396457 4154d6890899270c47439e2ed33d0f147037fdcd
push id25004
push userhaftandilian@mozilla.com
push dateWed, 03 Aug 2016 21:06:51 +0000
bugs1284588
milestone50.0a1
Bug 1284588 - OS X: Disable content process write access to user files in the home directory MozReview-Commit-ID: K0i4DT6vFMi
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -370,17 +370,17 @@ static const char contentSandboxRules[] 
   "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
   "      (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n"
   "      (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n"
   "\n"
   "; the following rules should be removed when printing and \n"
   "; opening a file from disk are brokered through the main process\n"
   "  (if\n"
   "    (< sandbox-level 2)\n"
-  "    (allow file*\n"
+  "    (allow file-read*\n"
   "        (require-not\n"
   "            (home-subpath \"/Library\")))\n"
   "    (allow file*\n"
   "        (require-all\n"
   "            (subpath home-path)\n"
   "            (require-not\n"
   "                (home-subpath \"/Library\")))))\n"
   "\n"
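Review bot: The else branch of this `(if (< sandbox-level 2) ...)` form still grants `(allow file* ...)` on everything under home-path outside ~/Library, so at sandbox-level 2 and above the content process keeps write access to user files in the home directory, which is what the commit title says it disables. As written, only the lower level is narrowed to `file-read*`, which leaves the presumably stricter level more permissive for writes than the weaker one. If the intent is to remove home-directory writes at level 2, the second rule should become `"    (allow file-read*\n"` too, or instead of the first. The comment above the `if` could also state which level is meant to be read-only and why. contentSandboxRules begins and ends outside this hunk, so rules not visible here may grant or restrict further access.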