Bug 1506495 - Whitelist /Library and ~/Library ColorSync Profile directories r=Alex_Gaynor a=lizzard
authorHaik Aftandilian <haftandilian@mozilla.com>
Fri, 01 Feb 2019 22:09:24 +0000
changeset 515723 63b220f22addd222434d43e0ba0d46e263b58916
parent 515722 764910a1fa7e4f4d334734397035770b192b0aff
child 515724 864ba4d0315680df488437a8c31a9c3de8040164
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
reviewersAlex_Gaynor, lizzard
bugs1506495
milestone66.0
Bug 1506495 - Whitelist /Library and ~/Library ColorSync Profile directories r=Alex_Gaynor a=lizzard Whitelist the /Library and ~/Library ColorSync profile directories allowing gfx.color_management.display_profile to be used to load color profiles from those locations. Differential Revision: https://phabricator.services.mozilla.com/D18390
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -246,23 +246,25 @@ static const char contentSandboxRules[] 
 ; depending on systems, the 1st, 2nd or both rules are necessary
   (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
 
   (allow user-preference-read (preference-domain "com.apple.ATS"))
   (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
 
   (allow file-read*
+      (subpath "/Library/ColorSync/Profiles")
       (subpath "/Library/Spelling")
       (literal "/")
       (literal "/private/tmp")
       (literal "/private/var/tmp")
       (home-literal "/.CFUserTextEncoding")
       (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
       (home-subpath "/Library/Colors")
+      (home-subpath "/Library/ColorSync/Profiles")
       (home-subpath "/Library/Keyboard Layouts")
       (home-subpath "/Library/Input Methods")
       (home-subpath "/Library/Spelling"))
 
   (if (defined? 'file-map-executable)
     (begin
       (when testingReadPath1
         (allow file-read* file-map-executable (subpath testingReadPath1)))
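Review bot: The two added entries, `(subpath "/Library/ColorSync/Profiles")` and `(home-subpath "/Library/ColorSync/Profiles")`, widen the content-process `file-read*` allowlist without any comment in the policy saying why, so a later audit of this list cannot tell what depends on them. A policy comment next to each entry would record the reason, for example `; ColorSync profiles: read when gfx.color_management.display_profile names a file here (bug 1506495)`. The per-user directory is writable by any process running as that user, so it is worth confirming that the code which loads the profile treats the file contents as untrusted input; that code is not visible in this hunk. The hunk sits inside the `contentSandboxRules[]` string, which starts and ends outside it.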