Bug 1056936 - Specify full path to plugin-container in sandbox rules. r=rjesup a=sledru
authorSteven Michaud <smichaud@pobox.com>
Fri, 29 Aug 2014 14:31:50 -0500
changeset 217721 2e1e87f99cdeaf0b1455cc852a6a5a25efa44499
parent 217720 9e9d7d4091e1e6c6e30d984732fd597ee1371d5b
child 217722 419f744ba5c9077de79dfe416246926db8d4a540
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
reviewersrjesup, sledru
bugs1056936
milestone33.0a2
Bug 1056936 - Specify full path to plugin-container in sandbox rules. r=rjesup a=sledru
content/media/gmp/GMPChild.cpp
security/sandbox/mac/Sandbox.h
security/sandbox/mac/Sandbox.mm
--- a/content/media/gmp/GMPChild.cpp
+++ b/content/media/gmp/GMPChild.cpp
@@ -110,30 +110,84 @@ GetPluginPaths(const std::string& aPlugi
     libFile->GetNativeTarget(aPluginFilePath);
   } else {
     libFile->GetNativePath(aPluginFilePath);
   }
 
   return true;
 }
 
+static bool
+GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
+{
+  nsAutoCString appPath;
+  nsAutoCString appBinaryPath(
+    (CommandLine::ForCurrentProcess()->argv()[0]).c_str());
+
+  nsAutoCString::const_iterator start, end;
+  appBinaryPath.BeginReading(start);
+  appBinaryPath.EndReading(end);
+  if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) {
+    end = start;
+    ++end; ++end; ++end; ++end;
+    appBinaryPath.BeginReading(start);
+    appPath.Assign(Substring(start, end));
+  } else {
+    return false;
+  }
+
+  nsCOMPtr<nsIFile> app, appBinary;
+  nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath),
+                                true, getter_AddRefs(app));
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+  rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath),
+                       true, getter_AddRefs(appBinary));
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  bool isLink;
+  app->IsSymlink(&isLink);
+  if (isLink) {
+    app->GetNativeTarget(aAppPath);
+  } else {
+    app->GetNativePath(aAppPath);
+  }
+  appBinary->IsSymlink(&isLink);
+  if (isLink) {
+    appBinary->GetNativeTarget(aAppBinaryPath);
+  } else {
+    appBinary->GetNativePath(aAppBinaryPath);
+  }
+
+  return true;
+}
+
 void
 GMPChild::OnChannelConnected(int32_t aPid)
 {
   nsAutoCString pluginDirectoryPath, pluginFilePath;
   if (!GetPluginPaths(mPluginPath, pluginDirectoryPath, pluginFilePath)) {
     MOZ_CRASH("Error scanning plugin path");
   }
+  nsAutoCString appPath, appBinaryPath;
+  if (!GetAppPaths(appPath, appBinaryPath)) {
+    MOZ_CRASH("Error resolving child process path");
+  }
 
   MacSandboxInfo info;
   info.type = MacSandboxType_Plugin;
   info.pluginInfo.type = MacSandboxPluginType_GMPlugin_Default;
   info.pluginInfo.pluginPath.Assign(pluginDirectoryPath);
   mPluginBinaryPath.Assign(pluginFilePath);
   info.pluginInfo.pluginBinaryPath.Assign(pluginFilePath);
+  info.appPath.Assign(appPath);
+  info.appBinaryPath.Assign(appBinaryPath);
 
   nsAutoCString err;
   if (!mozilla::StartMacSandbox(info, err)) {
     NS_WARNING(err.get());
     MOZ_CRASH("sandbox_init() failed");
   }
 
   if (!LoadPluginLibrary(mPluginPath)) {
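Review bot: In GetAppPaths, `bool isLink;` is declared uninitialized and then branched on after `app->IsSymlink(&isLink)` and `appBinary->IsSymlink(&isLink)` with neither nsresult checked, so if either call fails without writing the out-parameter the choice between GetNativeTarget and GetNativePath is made on an indeterminate value. The results of GetNativeTarget/GetNativePath are discarded as well, so the function can return true with an empty aAppPath or aAppBinaryPath, which the caller then hands to StartMacSandbox as a sandbox rule. I would write `bool isLink = false;` and fail closed, e.g. `if (NS_FAILED(app->IsSymlink(&isLink))) { return false; }`, with the same check on the path getters. As a smaller style point, the four `++end;` steps that extend the range over ".app" would be clearer as a single advance by a named length. GMPChild::OnChannelConnected continues past the end of this hunk.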
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -30,16 +30,18 @@ typedef struct _MacSandboxPluginInfo {
   nsCString pluginBinaryPath;
 } MacSandboxPluginInfo;
 
 typedef struct _MacSandboxInfo {
   _MacSandboxInfo()
     : type(MacSandboxType_Default) {}
   MacSandboxType type;
   MacSandboxPluginInfo pluginInfo;
+  nsCString appPath;
+  nsCString appBinaryPath;
 } MacSandboxInfo;
 
 namespace mozilla {
 
 bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage);
 
 } // namespace mozilla
 
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -28,36 +28,41 @@ static const char rules[] =
   "    (global-name \"com.apple.cfprefsd.daemon\")\n"
   "    (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
   "    (global-name \"com.apple.system.logger\")\n"
   "    (global-name \"com.apple.ls.boxd\"))\n"
   "(allow file-read*\n"
   "    (regex #\"^/etc$\")\n"
   "    (regex #\"^/dev/u?random$\")\n"
   "    (regex #\"^/(private/)?var($|/)\")\n"
-  "    (regex #\"\\.app/Contents/MacOS/plugin-container\\.app/Contents/\")\n"
   "    (literal \"/usr/share/icu/icudt51l.dat\")\n"
+  "    (literal \"%s\")\n"
+  "    (literal \"%s\")\n"
   "    (literal \"%s\"))\n";
 
 bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
 {
   if (aInfo.type != MacSandboxType_Plugin) {
     aErrorMessage.AppendPrintf("Unexpected sandbox type %u", aInfo.type);
     return false;
   }
 
   nsAutoCString profile;
   if (nsCocoaFeatures::OnLionOrLater()) {
     profile.AppendPrintf(rules, ";",
                          aInfo.pluginInfo.pluginPath.get(),
-                         aInfo.pluginInfo.pluginBinaryPath.get());
+                         aInfo.pluginInfo.pluginBinaryPath.get(),
+                         aInfo.appPath.get(),
+                         aInfo.appBinaryPath.get());
   } else {
     profile.AppendPrintf(rules, "",
                          aInfo.pluginInfo.pluginPath.get(),
-                         aInfo.pluginInfo.pluginBinaryPath.get());
+                         aInfo.pluginInfo.pluginBinaryPath.get(),
+                         aInfo.appPath.get(),
+                         aInfo.appBinaryPath.get());
   }
 
   char *errorbuf = NULL;
   if (sandbox_init(profile.get(), 0, &errorbuf)) {
     if (errorbuf) {
       aErrorMessage.AppendPrintf("sandbox_init() failed with error \"%s\"",
                                  errorbuf);
       printf("profile: %s\n", profile.get());
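Review bot: The two added `(literal \"%s\")` rules are filled from aInfo.appPath and aInfo.appBinaryPath through AppendPrintf with no escaping, so a path containing `"` or `\` yields a profile string that either fails in sandbox_init() or parses as something other than the intended literal rules. Those values come from argv[0] in the caller, so they depend on where the application bundle is installed and launched from. StartMacSandbox could reject such input before formatting, for example `if (aInfo.appPath.FindCharInSet("\"\\") != kNotFound) { return false; }` with an error message set, and likewise for appBinaryPath; the plugin paths that were already interpolated have the same exposure. Separately, the two AppendPrintf calls now differ only in their first argument and could be folded into one call taking `OnLionOrLater() ? ";" : ""`. The body of StartMacSandbox continues past the end of this hunk.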