Bug 1419811 - allow file content processes to access the com.apple.iconservices service; r=Gijs,haik a=gchang on a CLOSED TREE
author Alex Gaynor <agaynor@mozilla.com>
Wed, 22 Nov 2017 11:51:32 -0600
changeset 445019 40a6d6c3807248bae0430bc57444a9aeaf0bbad3
parent 445018 b4a737a2a3d7f56cace147a0fbaaf558b11a8f60
child 445020 a52371d2dadcdca0a7298054e06c6c0a7f7e4877
push id 1618
push user Callek@gmail.com
push date Thu, 11 Jan 2018 17:45:48 +0000
treeherder mozilla-release@882ca853e05a
reviewers Gijs, haik, gchang
bugs 1419811
milestone 58.0
Bug 1419811 - allow file content processes to access the com.apple.iconservices service; r=Gijs,haik a=gchang on a CLOSED TREE

Directory listing for file URLs needs access to draw icons for files.

MozReview-Commit-ID: KIEx00gB5ia
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -187,16 +187,22 @@ static const char contentSandboxRules[] 
       ; bug 1392988
       (xpc-service-name "com.apple.coremedia.videodecoder")
       (xpc-service-name "com.apple.coremedia.videoencoder")))
 
 ; bug 1312273
   (if (= macosMinorVersion 9)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
+  ; File content processes need access to iconservices to draw file icons in
+  ; directory listings
+  (if (string=? hasFilePrivileges "TRUE")
+    (allow mach-lookup
+      (global-name "com.apple.iconservices")))
+
   (allow iokit-open
      (iokit-user-client-class "IOHIDParamUserClient")
      (iokit-user-client-class "IOAudioEngineUserClient"))
 
 ; depending on systems, the 1st, 2nd or both rules are necessary
   (allow-shared-preferences-read "com.apple.HIToolbox")
   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
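
Review bot: The comment above the new `(if (string=? hasFilePrivileges "TRUE")` rule does not cite a bug number, while the neighbouring exceptions do (`; bug 1392988`, `; bug 1312273`). Please add `; bug 1419811` to it so that anyone auditing the policy can trace why `com.apple.iconservices` is reachable from a sandboxed process. Gating the `mach-lookup` allowance on `hasFilePrivileges` keeps the extra service out of ordinary content processes, which is the right scope; it would also help to say in the comment that this is deliberate, so a later cleanup does not hoist the rule out of the conditional.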