Bug 1458553 - Return of Google Maps all black map with updated Nvidia web driver on Mac. r=Alex_Gaynor, a=jcristau
author: Haik Aftandilian <haftandilian@mozilla.com>
date: Wed, 02 May 2018 09:26:55 -0700
changeset: 463620 75bb42aac094
parent: 463619 3bfc82b371ec
child: 463621 7be74890bf90
push id: 1713
push user: ryanvm@gmail.com
push date: 2018-05-14 12:29 +0000
treeherder: mozilla-release@540ffec9584e
reviewers: Alex_Gaynor, jcristau
bugs: 1458553
milestone: 60.0.1

Update Mac sandbox rules to allow executable mappings from /Library/GPUBundles, which is used by the Nvidia downloadable "Web" driver.

MozReview-Commit-ID: L2nTP4YWdJJ

security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -75,28 +75,29 @@ static const char contentSandboxRules[] 
     (deny iokit-get-properties))
   (if (defined? 'file-map-executable)
     (deny file-map-executable))
 
   (if (defined? 'file-map-executable)
     (allow file-map-executable file-read*
       (subpath "/System")
       (subpath "/usr/lib")
+      (subpath "/Library/GPUBundles")
       (subpath appdir-path))
     (allow file-read*
         (subpath "/System")
         (subpath "/usr/lib")
+        (subpath "/Library/GPUBundles")
         (subpath appdir-path)))
 
   ; Allow read access to standard system paths.
   (allow file-read*
     (require-all (file-mode #o0004)
       (require-any
         (subpath "/Library/Filesystems/NetFSPlugins")
-        (subpath "/Library/GPUBundles")
         (subpath "/usr/share"))))
 
   ; Top-level directory metadata access (bug 1404298)
   (allow file-read-metadata (regex #"^/[^/]+$"))
 
   (allow file-read-metadata
     (literal "/private/etc/localtime")
     (regex #"^/private/tmp/KSInstallAction\."))
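
Review bot: The two added (subpath "/Library/GPUBundles") entries sit in rules that carry no (file-mode #o0004) filter, whereas the entry removed from the "standard system paths" rule was wrapped in (require-all (file-mode #o0004) ...). Besides gaining file-map-executable, the path's read access therefore widens from world-readable files only to file-read* on everything under it, and that holds in both branches of the (if (defined? 'file-map-executable) ...) form. Please confirm the wider read grant is intended; if the driver's bundles are all world-readable, the new entries could be wrapped in the same file-mode requirement. The block also has no comment explaining why a /Library path is listed beside "/System" and "/usr/lib"; a one-line comment in the style of "; Top-level directory metadata access (bug 1404298)", citing bug 1458553 and the Nvidia "Web" driver, would keep the reason next to the rule.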