Bug 1295700 - Don't allow content processes to access the weave director on macOS r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Thu, 06 Apr 2017 15:20:23 -0400
changeset 558280 afccb72dba235d506af7b989cdc3c8d6aa4d6bb1
parent 558279 05a48259d0732cd1880c6cb82452b740135a6688
child 558281 bd875ac1b42050e52e857e1c46be1a106f470c3f
push id52860
push userbmo:walkingice0204@gmail.com
push dateFri, 07 Apr 2017 13:29:26 +0000
reviewershaik
bugs1295700
milestone55.0a1
Bug 1295700 - Don't allow content processes to access the weave director on macOS r=haik These directories contain sensitive content, and access is not necessary now that we have file content processes. r=haik MozReview-Commit-ID: FiRJkMnlYUx
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -365,31 +365,30 @@ static const char contentSandboxRules[] 
   "; global file-read* permission should be removed from each level.\n"
   "\n"
   "; level 1: global read access permitted, no global write access\n"
   "  (if (string=? sandbox-level-1 \"TRUE\") (allow file-read*))\n"
   "\n"
   "; level 2: global read access permitted, no global write access,\n"
   ";          no read/write access to ~/Library,\n"
   ";          no read/write access to $PROFILE,\n"
-  ";          read access permitted to $PROFILE/{extensions,weave,chrome}\n"
+  ";          read access permitted to $PROFILE/{extensions,chrome}\n"
   "  (if (string=? sandbox-level-2 \"TRUE\")\n"
   "    (if (string=? hasFilePrivileges \"TRUE\")\n"
   "      ; This process has blanket file read privileges\n"
   "      (allow file-read*)\n"
   "      ; This process does not have blanket file read privileges\n"
   "      (if (string=? hasProfileDir \"TRUE\")\n"
   "        ; we have a profile dir\n"
   "        (begin\n"
   "          (allow file-read* (require-all\n"
   "              (require-not (home-subpath \"/Library\"))\n"
   "              (require-not (subpath profileDir))))\n"
   "          (allow file-read*\n"
   "              (profile-subpath \"/extensions\")\n"
-  "              (profile-subpath \"/weave\")\n"
   "              (profile-subpath \"/chrome\")))\n"
   "        ; we don't have a profile dir\n"
   "        (allow file-read* (require-not (home-subpath \"/Library\"))))))\n"
   "\n"
   "; accelerated graphics\n"
   "  (allow-shared-preferences-read \"com.apple.opengl\")\n"
   "  (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
   "  (allow mach-lookup\n"
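Review bot: Nothing in the level 2 policy text records that `$PROFILE/weave` is now withheld on purpose. The header comment only lists `{extensions,chrome}`, so a later edit could re-add the subpath without seeing why it was dropped. I would add a line to that comment block, for example `";          no read access to $PROFILE/weave (sensitive content, bug 1295700)\n"`. The exclusion also holds only in the `hasProfileDir` branch of level 2: level 1 and the `hasFilePrivileges` branch grant blanket `file-read*`, and the no-profile-dir fallback excludes only `~/Library`, so weave data in a profile stored outside `~/Library` would presumably remain readable on those paths. A sandbox test asserting that a level 2 content process cannot open a file under `$PROFILE/weave` would pin this down; note that `contentSandboxRules` begins and ends outside this hunk, so other rules in the string are not visible here.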