Bug 1385028 - simplify handling of macOS minor version in the sandbox policy; r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Thu, 27 Jul 2017 13:58:28 -0400
changeset 420378 53132a945541ae4359b913afd7b1c9dd0abcfedb
parent 420377 ceb431d84aabd7f011fbdd9f95feff1772b6aba4
child 420379 9368bd8045136706950cde7cf718fda5492499e8
push id7566
push usermtabara@mozilla.com
push dateWed, 02 Aug 2017 08:25:16 +0000
reviewershaik
bugs1385028
milestone56.0a1
Bug 1385028 - simplify handling of macOS minor version in the sandbox policy; r=haik MozReview-Commit-ID: BDD7WzTqHC6
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -124,16 +124,19 @@ OSXVersion::GetVersionNumber()
 
 namespace mozilla {
 
 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
 {
   std::vector<const char *> params;
   char *profile = NULL;
   bool profile_needs_free = false;
+
+  std::string macOSMinor = std::to_string(OSXVersion::OSXVersionMinor());
+
   if (aInfo.type == MacSandboxType_Plugin) {
     profile = const_cast<char *>(pluginSandboxRules);
     params.push_back("SHOULD_LOG");
     params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
     params.push_back("PLUGIN_BINARY_PATH");
     params.push_back(aInfo.pluginInfo.pluginBinaryPath.c_str());
     params.push_back("APP_PATH");
     params.push_back(aInfo.appPath.c_str());
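Review bot: `macOSMinor` at the top of StartMacSandbox has to stay alive for as long as `params` is read, because the next hunk stores `macOSMinor.c_str()` in that vector rather than a copy, and nothing on the declaration says so. A comment such as `// Owns the MAC_OS_MINOR value; params only keeps its c_str(), so this must outlive params.` would stop a later refactor from moving the string into the content-process branch or reassigning it. The string could also be declared `const`, since the visible lines never modify it. The code that consumes `params` is outside this hunk, so the point where the pointers are last read should be confirmed there.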
@@ -155,20 +158,18 @@ bool StartMacSandbox(MacSandboxInfo aInf
       params.push_back("SHOULD_LOG");
       params.push_back(aInfo.shouldLog ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_1");
       params.push_back(aInfo.level == 1 ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_2");
       params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_3");
       params.push_back(aInfo.level == 3 ? "TRUE" : "FALSE");
-      params.push_back("MAC_OS_MINOR_9");
-      params.push_back(OSXVersion::OSXVersionMinor() == 9 ? "TRUE" : "FALSE");
-      params.push_back("MAC_OS_MINOR_MIN_13");
-      params.push_back(OSXVersion::OSXVersionMinor() >= 13 ? "TRUE" : "FALSE");
+      params.push_back("MAC_OS_MINOR");
+      params.push_back(macOSMinor.c_str());
       params.push_back("APP_PATH");
       params.push_back(aInfo.appPath.c_str());
       params.push_back("APP_BINARY_PATH");
       params.push_back(aInfo.appBinaryPath.c_str());
       params.push_back("APP_DIR");
       params.push_back(aInfo.appDir.c_str());
       params.push_back("APP_TEMP_DIR");
       params.push_back(aInfo.appTempDir.c_str());
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -49,18 +49,17 @@ static const char widevinePluginSandboxR
 
 static const char contentSandboxRules[] = R"(
   (version 1)
 
   (define should-log (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
-  (define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
-  (define macosMinorVersion-min13 (param "MAC_OS_MINOR_MIN_13"))
+  (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define appPath (param "APP_PATH"))
   (define appBinaryPath (param "APP_BINARY_PATH"))
   (define appdir-path (param "APP_DIR"))
   (define appTempDir (param "APP_TEMP_DIR"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
   (define home-path (param "HOME_PATH"))
   (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
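Review bot: The `string->number` call on the `macosMinorVersion` define has no check on its result, and in standard Scheme it returns `#f` for a string that is not a number, which the later `(= macosMinorVersion 9)` and `(>= macosMinorVersion 13)` tests are not written to handle. With the visible caller the value comes from `std::to_string`, so it should always parse, but the contract between Sandbox.mm and this policy is now implicit. I would add a comment above the define, for example `; MAC_OS_MINOR must be a decimal integer string (set in StartMacSandbox); string->number yields #f otherwise.` How the profile compiler reacts to a non-numeric operand is not visible here and should be confirmed to fail closed; contentSandboxRules continues outside this hunk.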
@@ -105,17 +104,17 @@ static const char contentSandboxRules[] 
 
   (allow file-read*
     file-write-data
     file-ioctl
     (literal "/dev/dtracehelper"))
 
   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
   ; we need to allow all sysctl-reads there.
-  (if (string=? macosMinorVersion-9 "TRUE")
+  (if (= macosMinorVersion 9)
     (allow sysctl-read)
     (allow sysctl-read
       (sysctl-name-regex #"^sysctl\.")
       (sysctl-name "kern.ostype")
       (sysctl-name "kern.osversion")
       (sysctl-name "kern.osrelease")
       (sysctl-name "kern.version")
       ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
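Review bot: The `(if (= macosMinorVersion 9) (allow sysctl-read) ...)` test picks the unrestricted sysctl-read rule from the minor version alone, so it silently assumes the major version is 10; the same assumption sits behind `(>= macosMinorVersion 13)` and the second `(= macosMinorVersion 9)` in the mach-lookup hunk below. If a release ever reports a different major version, a minor of 9 would widen the sandbox and a minor below 13 would drop the AudioComponentRegistrar lookup. This predates the commit, but now that the raw number reaches the policy it is worth recording next to the define, e.g. `; NOTE: minor version only; every comparison below assumes macOS 10.x.`, or passing the major version as a second parameter. The allow form continues past the end of this hunk.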
@@ -199,21 +198,21 @@ static const char contentSandboxRules[] 
       (global-name "com.apple.iconservices")
       (global-name "com.apple.cache_delete")
       (global-name "com.apple.pluginkit.pkd")
       (global-name "com.apple.bird")
       (global-name "com.apple.cmio.AppleCameraAssistant")
       (global-name "com.apple.DesktopServicesHelper"))
 
 ; bug 1376163
-  (if (string=? macosMinorVersion-min13 "TRUE")
+  (if (>= macosMinorVersion 13)
     (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar")))
 
 ; bug 1312273
-  (if (string=? macosMinorVersion-9 "TRUE")
+  (if (= macosMinorVersion 9)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
   (allow iokit-open
       (iokit-user-client-class "IOHIDParamUserClient")
       (iokit-user-client-class "IOAudioControlUserClient")
       (iokit-user-client-class "IOAudioEngineUserClient")
       (iokit-user-client-class "IGAccelDevice")
       (iokit-user-client-class "nvDevice")