Bug 1458553 - Return of Google Maps all black map with updated Nvidia web driver on Mac. r=Alex_Gaynor, a=jcristau
author: Haik Aftandilian <haftandilian@mozilla.com>
date: Wed, 02 May 2018 09:26:55 -0700
changeset: 795879 b20c5c5180a7886d25c138d5577b68f1b112a911
parent: 795878 1496652b66f905579d9967f437bf3123deebea98
child: 795880 275875c44e45866d23c7a00675847932f6d91321
push id: 110108
push user: bmo:tom@mozilla.com
push date: Wed, 16 May 2018 18:43:56 +0000
reviewers: Alex_Gaynor, jcristau
bugs: 1458553
milestone: 60.0.1
Bug 1458553 - Return of Google Maps all black map with updated Nvidia web driver on Mac. r=Alex_Gaynor, a=jcristau

Update Mac sandbox rules to allow executable mappings from /Library/GPUBundles which is used by the Nvidia downloadable "Web" driver.

MozReview-Commit-ID: L2nTP4YWdJJ
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -75,28 +75,29 @@ static const char contentSandboxRules[] 
     (deny iokit-get-properties))
   (if (defined? 'file-map-executable)
     (deny file-map-executable))
 
   (if (defined? 'file-map-executable)
     (allow file-map-executable file-read*
       (subpath "/System")
       (subpath "/usr/lib")
+      (subpath "/Library/GPUBundles")
       (subpath appdir-path))
     (allow file-read*
         (subpath "/System")
         (subpath "/usr/lib")
+        (subpath "/Library/GPUBundles")
         (subpath appdir-path)))
 
   ; Allow read access to standard system paths.
   (allow file-read*
     (require-all (file-mode #o0004)
       (require-any
         (subpath "/Library/Filesystems/NetFSPlugins")
-        (subpath "/Library/GPUBundles")
         (subpath "/usr/share"))))
 
   ; Top-level directory metadata access (bug 1404298)
   (allow file-read-metadata (regex #"^/[^/]+$"))
 
   (allow file-read-metadata
     (literal "/private/etc/localtime")
     (regex #"^/private/tmp/KSInstallAction\."))
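Review bot: the two added (subpath "/Library/GPUBundles") lines, one in the (allow file-map-executable file-read* ...) list and one in the fallback (allow file-read* ...) list, have no comment explaining why a path other than /System, /usr/lib and appdir-path may be mapped executable in the content process. A one-line comment naming the Nvidia "Web" driver and bug 1458553, in the style of the "(bug 1404298)" comment a few lines below, would document the exception. Removing the path from the (require-all (file-mode #o0004) ...) rule also means reads under /Library/GPUBundles are no longer limited to world-readable files; if that widening is not needed, keep the file-mode condition on the read rule and grant only file-map-executable for this subpath.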