Bug 1355083 - Switch from using a #define to alter a sandbox policy to a normal param r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Mon, 10 Apr 2017 09:53:47 -0400
changeset 560255 5b7e7bd0878992ca8f178f1bfd9f66f473fe8c21
parent 560254 23546115feb2e2e997da17aa1f78cacc5b93c6f0
child 560256 649da44e21340ad03bfef7095a0dcbc50836d617
push id53365
push userjichen@mozilla.com
push dateTue, 11 Apr 2017 08:35:12 +0000
reviewershaik
bugs1355083
milestone55.0a1
Bug 1355083 - Switch from using a #define to alter a sandbox policy to a normal param r=haik r=haik MozReview-Commit-ID: KqmRra6NqPa
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -171,16 +171,17 @@ static const char contentSandboxRules[] 
   "(define appPath (param \"APP_PATH\"))\n"
   "(define appBinaryPath (param \"APP_BINARY_PATH\"))\n"
   "(define appDir (param \"APP_DIR\"))\n"
   "(define appTempDir (param \"APP_TEMP_DIR\"))\n"
   "(define hasProfileDir (param \"HAS_SANDBOXED_PROFILE\"))\n"
   "(define profileDir (param \"PROFILE_DIR\"))\n"
   "(define home-path (param \"HOME_PATH\"))\n"
   "(define hasFilePrivileges (param \"HAS_FILE_PRIVILEGES\"))\n"
+  "(define isDebugBuild (param \"DEBUG_BUILD\"))\n"
   "\n"
   "; Allow read access to standard system paths.\n"
   "(allow file-read*\n"
   "  (require-all (file-mode #o0004)\n"
   "    (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
   "      (subpath \"/System\")\n"
   "      (subpath \"/private/var/db/dyld\")\n"
   "      (subpath \"/usr/lib\")\n"
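Review bot: The new `isDebugBuild` define on the `DEBUG_BUILD` line carries no hint that it is a "TRUE"/"FALSE" string derived from the host binary's compile-time DEBUG flag, unlike the other params whose names say what they hold. A one-line profile comment would make the contract visible where the policy is read: `"; DEBUG_BUILD is \"TRUE\" only when the embedding binary was compiled with DEBUG; it gates debug-only relaxations further down\n"`. If the content profile were ever started without this parameter, `(param \"DEBUG_BUILD\")` would presumably yield no string and the later `string=?` comparison would fail at profile load — worth stating in the comment so the param is not dropped by a future cleanup.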
@@ -437,21 +438,20 @@ static const char contentSandboxRules[] 
   "; bug 1237847\n"
   "  (allow file-read*\n"
   "      (subpath appTempDir))\n"
   "  (allow file-write*\n"
   "      (subpath appTempDir))\n"
   "\n"
   "; bug 1324610\n"
   "  (allow network-outbound (literal \"/private/var/run/cupsd\"))\n"
-#ifdef DEBUG
   "\n"
   "; bug 1303987\n"
-  "  (allow file-write* (var-folders-regex \"/\"))\n"
-#endif
+  "  (if (string=? isDebugBuild \"TRUE\")\n"
+  "      (allow file-write* (var-folders-regex \"/\")))\n"
   ")\n";
 
 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
 {
   std::vector<const char *> params;
   char *profile = NULL;
   bool profile_needs_free = false;
   if (aInfo.type == MacSandboxType_Plugin) {
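Review bot: The `bug 1303987` write rule on the `var-folders-regex` line is now present in the release profile text and is only held back by a runtime string compare, whereas the old `#ifdef DEBUG` guaranteed the `(allow file-write* ...)` clause did not exist in release binaries at all. That is equivalent in effect only as long as `DEBUG_BUILD` is computed from the build flag and never from a pref, environment variable or anything a content process can influence; the hunk does not document that invariant, so please extend the comment to `"; bug 1303987 - debug builds only (DEBUG_BUILD param); grants broad write access under /var/folders and must never be enabled in release\n"`. It is also worth noting that `var-folders-regex` is defined outside this hunk, so the exact path set the `"/"` argument expands to cannot be confirmed here. `StartMacSandbox` begins on the last context lines of this hunk and continues past it.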
@@ -498,16 +498,22 @@ bool StartMacSandbox(MacSandboxInfo aInf
       params.push_back("PROFILE_DIR");
       params.push_back(aInfo.profileDir.c_str());
       params.push_back("HOME_PATH");
       params.push_back(getenv("HOME"));
       params.push_back("HAS_SANDBOXED_PROFILE");
       params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
       params.push_back("HAS_FILE_PRIVILEGES");
       params.push_back(aInfo.hasFilePrivileges ? "TRUE" : "FALSE");
+      params.push_back("DEBUG_BUILD");
+#ifdef DEBUG
+      params.push_back("TRUE");
+#else
+      params.push_back("FALSE");
+#endif
     } else {
       fprintf(stderr,
         "Content sandbox disabled due to sandbox level setting\n");
       return false;
     }
   }
   else {
     char *msg = NULL;
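Review bot: The `#ifdef DEBUG`/`#else`/`#endif` around the two `params.push_back` calls for `DEBUG_BUILD` breaks the key/value pairing that every neighbouring param uses (`aInfo.x ? "TRUE" : "FALSE"` directly after its key), so a reader has to reassemble the pair across preprocessor branches. Computing the flag once as a `const bool` and pushing it with the same ternary shape keeps the parameter list uniform and keeps the preprocessor out of the table. As an aside on the adjacent context line, `params.push_back(getenv("HOME"))` can insert a null pointer when HOME is unset, which the sandbox parameter array presumably cannot tolerate; that predates this change but sits in the same list. `StartMacSandbox` starts before this hunk and its body continues past it.
```cpp
#ifdef DEBUG
      const bool isDebugBuild = true;
#else
      const bool isDebugBuild = false;
#endif
      params.push_back("DEBUG_BUILD");
      params.push_back(isDebugBuild ? "TRUE" : "FALSE");
```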