Bug 1329638 - do not allow content processes to read from /Volumes on macOS r?haik draft
authorAlex Gaynor <agaynor@mozilla.com>
Fri, 12 May 2017 16:18:57 -0400
changeset 577087 7c46f073b2cf9f5581a0d39b3f0bd9071ed0824a
parent 576982 1e2fe13035e13b7b4001ade3b48f226957cef5fc
child 628416 3df9bb7b015dcd43b3c53bcc901251c05cdf9f3a
push id58598
push userbmo:agaynor@mozilla.com
push dateFri, 12 May 2017 20:19:57 +0000
reviewershaik
bugs1329638
milestone55.0a1
Bug 1329638 - do not allow content processes to read from /Volumes on macOS r?haik MozReview-Commit-ID: 4CDQtCWwW9H
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -271,37 +271,40 @@ static const char contentSandboxRules[] 
                   (profile-subpath "/extensions")
                   (profile-subpath "/chrome")))
             ; we don't have a profile dir
             (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
   ;          no read access to /private/var (but read-metadata allowed above),
+  ;          no read access to /Volumes
   ;          read access permitted to $PROFILE/{extensions,chrome}
     (if (string=? sandbox-level-3 "TRUE")
       (if (string=? hasFilePrivileges "TRUE")
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
                 (require-not (subpath home-path))
                 (require-not (subpath profileDir))
+                (require-not (subpath "/Volumes"))
                 (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
           (begin
             (allow file-read* (require-all
               (require-not (subpath home-path))
+              (require-not (subpath "/Volumes"))
               (require-not (subpath "/private/var"))))
             (allow file-read* (literal "/private/var/run/cupsd"))))))
 
   ; accelerated graphics
     (allow-shared-preferences-read "com.apple.opengl")
     (allow-shared-preferences-read "com.nvidia.OpenGL")
     (allow mach-lookup
         (global-name "com.apple.cvmsServ"))
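Review bot: The `(require-not (subpath "/Volumes"))` exclusion is added only to the two level-3 branches at L39 and L49, while the tail of the preceding level's rules at the top of the hunk (`(allow file-read* (require-not (home-subpath "/Library")))`) still grants reads with no /Volumes exclusion; if that lower level also permits global reads, the same gap exists there, and if not, a one-line comment saying so would stop the next reader from asking. Because `require-not` only narrows this one `allow file-read*` form, any other `allow file-read*` or `file-read-metadata` rule in the profile whose filter matches under /Volumes still grants access, so the invariant is worth stating above the `require-all`, e.g. `; /Volumes is excluded from this allow only; no other file-read rule may re-grant it`. The `hasFilePrivileges` branch at L31 keeps blanket `(allow file-read*)`, which presumably is intended to cover external volumes for file:// loads — confirm and note it in the level-3 comment block. A sandbox test that asserts a read under /Volumes fails at level 3 without file privileges would pin this behaviour. contentSandboxRules begins and ends outside the hunk.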