Bug 1370540 - Extend the level 3 content sandbox filesystem read blacklist to include /Network and /Users; r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Tue, 06 Jun 2017 10:48:06 -0400
changeset 589768 607eafa25013
parent 589544 4dd1d17ba226
child 632002 088c0e8bb07d
push id62502
push userbmo:agaynor@mozilla.com
push dateTue, 06 Jun 2017 19:40:27 +0000
reviewershaik
bugs1370540
milestone55.0a1
Bug 1370540 - Extend the level 3 content sandbox filesystem read blacklist to include /Network and /Users; r?haik MozReview-Commit-ID: 6RfS5aYRghK
security/sandbox/mac/SandboxPolicies.h
security/sandbox/test/browser_content_sandbox_fs.js
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,40 +271,44 @@ static const char contentSandboxRules[] 
                   (profile-subpath "/extensions")
                   (profile-subpath "/chrome")))
             ; we don't have a profile dir
             (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
   ;          no read access to /private/var (but read-metadata allowed above),
-  ;          no read access to /Volumes
+  ;          no read access to /{Volumes,Network,Users}
   ;          read access permitted to $PROFILE/{extensions,chrome}
     (if (string=? sandbox-level-3 "TRUE")
       (if (string=? hasFilePrivileges "TRUE")
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
                 (require-not (subpath home-path))
                 (require-not (subpath profileDir))
                 (require-not (subpath "/Volumes"))
+                (require-not (subpath "/Network"))
+                (require-not (subpath "/Users"))
                 (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
           (begin
             (allow file-read* (require-all
               (require-not (subpath home-path))
               (require-not (subpath "/Volumes"))
+              (require-not (subpath "/Network"))
+              (require-not (subpath "/Users"))
               (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))))))
 
   ; accelerated graphics
     (allow-shared-preferences-read "com.apple.opengl")
     (allow-shared-preferences-read "com.nvidia.OpenGL")
     (allow mach-lookup
         (global-name "com.apple.cvmsServ"))
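Review bot: The level 3 deny list is now maintained in two places — under the first `require-all` in the profile-dir branch and again under the `require-all` in the no-profile branch — and this commit had to patch both, so the next root added can easily land in only one of them. If the profile language accepts a defined filter here (`home-path` is already referenced as a bound name in the same expressions), a single `(define level3-denied-subpaths (require-all (require-not (subpath "/Volumes")) (require-not (subpath "/Network")) (require-not (subpath "/Users")) (require-not (subpath "/private/var"))))` referenced from both `require-all` forms would keep the two branches in lockstep. Adding `/Users` does not make `(require-not (subpath home-path))` redundant, since the home directory need not live under `/Users`, so keeping both is right. The `contentSandboxRules` string this hunk edits begins before the hunk.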
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@@ -381,16 +381,34 @@ function* testFileAccess() {
     let volumes = GetDir("/Volumes");
     tests.push({
       desc:     "/Volumes",
       ok:       false,
       browser:  webBrowser,
       file:     volumes,
       minLevel: minHomeReadSandboxLevel(),
     });
+    // Test that we cannot read from /Network at level 3
+    let network = GetDir("/Network");
+    tests.push({
+      desc:     "/Network",
+      ok:       false,
+      browser:  webBrowser,
+      file:     network,
+      minLevel: minHomeReadSandboxLevel(),
+    });
+    // Test that we cannot read from /Users at level 3
+    let users = GetDir("/Users");
+    tests.push({
+      desc:     "/Users",
+      ok:       false,
+      browser:  webBrowser,
+      file:     users,
+      minLevel: minHomeReadSandboxLevel(),
+    });
   }
 
   let extensionsDir = GetProfileEntry("extensions");
   if (extensionsDir.exists() && extensionsDir.isDirectory()) {
     tests.push({
       desc:     "extensions dir",
       ok:       true,
       browser:  webBrowser,
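Review bot: The two new negative tests (`/Network` and `/Users`, like the existing `/Volumes` case above them) pass vacuously if the directory is absent on the test machine, because a read of a nonexistent path fails whether or not the sandbox denied it; the positive `extensions dir` case below guards with `exists() && isDirectory()`, and the deny cases need the same guard so that an `ok: false` outcome actually demonstrates a sandbox denial. The three blocks are also copy-pasted; a loop over the denied roots keeps the expectation in one place. This assumes `GetDir` returns the same file object shape as `GetProfileEntry` (it is used interchangeably in the `file:` field), which I could not confirm from the hunk. `testFileAccess` begins before this hunk.

```javascript
    // Test that we cannot read from these roots at level 3. A root that is
    // absent on this machine is skipped: a failed read would prove nothing.
    for (let root of ["/Volumes", "/Network", "/Users"]) {
      let dir = GetDir(root);
      if (!dir.exists() || !dir.isDirectory()) {
        continue;
      }
      tests.push({
        desc:     root,
        ok:       false,
        browser:  webBrowser,
        file:     dir,
        minLevel: minHomeReadSandboxLevel(),
      });
    }
    // … unchanged: closing brace of the enclosing block and the extensions dir test …
```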