Bug 1460917 - Fonts not displaying with FontExplorer X fonts in Firefox 60. r=handyman, a=jcristau
authorHaik Aftandilian <haftandilian@mozilla.com>
Mon, 14 May 2018 16:04:55 -0700
changeset 463640 760e1b2d9adc
parent 463639 b5ad20486d35
child 463641 a0b222c551f5
push id1724
push userjcristau@mozilla.com
push dateTue, 05 Jun 2018 17:15:42 +0000
treeherdermozilla-release@a0b222c551f5 [default view] [failures only]
reviewershandyman, jcristau
bugs1460917, 1393259
milestone60.0.2
Bug 1460917 - Fonts not displaying with FontExplorer X fonts in Firefox 60. r=handyman, a=jcristau Add back font whitelist rules removed by the fix for bug 1393259 to work around font sandbox extensions not being issued automatically on OS X 10.11 and earlier. MozReview-Commit-ID: 2hT0BzN3Ggq
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -339,16 +339,32 @@ static const char contentSandboxRules[] 
     (subpath "/Library/Application Support/Apple/Fonts")
     (home-subpath "/Library/Fonts")
     ; Allow read access to paths allowed via sandbox extensions.
     ; This is needed for fonts in non-standard locations normally
     ; due to third party font managers. The extensions are
     ; automatically issued by the font server in response to font
     ; API calls.
     (extension "com.apple.app-sandbox.read"))
+
+  ; Fonts
+  ; Workaround for sandbox extensions not being automatically
+  ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+  (if (<= macosMinorVersion 11)
+    (allow file-read*
+      (regex #"\.[oO][tT][fF]$"          ; otf
+             #"\.[tT][tT][fF]$"          ; ttf
+             #"\.[tT][tT][cC]$"          ; ttc
+             #"\.[oO][tT][cC]$"          ; otc
+             #"\.[dD][fF][oO][nN][tT]$") ; dfont
+      (home-subpath "/Library/FontCollections")
+      (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+      (home-subpath "/Library/Application Support/FontAgent")
+      (regex #"\.fontvault/")
+      (home-subpath "/FontExplorer X/Font Library")))
 )SANDBOX_LITERAL";
 
 // These are additional rules that are added to the content process rules for
 // file content processes.
 static const char fileContentProcessAddend[] = R"SANDBOX_LITERAL(
   ; This process has blanket file read privileges
   (allow file-read*)
 
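Review bot: The `(regex #"\.fontvault/")` filter added here is unanchored, so it matches any path containing a `.fontvault/` component anywhere on disk and grants the content process read access to everything below it, not only font files. The five extension regexes likewise match on suffix alone, in any directory. If that breadth is intended for the 10.11 workaround, the block comment should say so, e.g. `; NOTE: these filters match by name only, anywhere on disk; remove when 10.11 support is dropped.` Otherwise the vault rule could be narrowed, assuming the font managers' on-disk layout allows it. The same block is added to flashPluginSandboxRules in the third hunk, and the contentSandboxRules literal starts outside this hunk.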
@@ -496,16 +512,19 @@ static const char flashPluginSandboxRule
           "kern.hostname"
           "kern.maxfilesperproc"
           "vm.footprint_suspend")))
 
   ; Utilities for allowing access to home subdirectories
   (define home-library-path
     (string-append homeDir "/Library"))
 
+  (define (home-subpath home-relative-subpath)
+    (subpath (string-append homeDir home-relative-subpath)))
+
   (define home-library-prefs-path
     (string-append homeDir "/Library" "/Preferences"))
 
   (define (home-literal home-relative-literal)
     (literal (string-append homeDir home-relative-literal)))
 
   (define (home-library-regex home-library-relative-regex)
     (regex (string-append "^" (regex-quote home-library-path))
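Review bot: The new `home-subpath` helper appends its argument to homeDir verbatim, so a call that omits the leading slash would yield a subpath filter rooted at a sibling of the home directory rather than inside it. All callers visible in this patch pass a leading "/", but the contract is implicit. I would add a comment above the definition: `; home-relative-subpath must begin with "/"; it is appended to homeDir as-is.` It would also read more naturally next to `home-literal` than between the two path-string defines. The `home-library-regex` definition at the end of the hunk continues outside it.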
@@ -605,16 +624,32 @@ static const char flashPluginSandboxRule
     (home-library-subpath "/Fonts")
     ; Allow read access to paths allowed via sandbox extensions.
     ; This is needed for fonts in non-standard locations normally
     ; due to third party font managers. The extensions are
     ; automatically issued by the font server in response to font
     ; API calls.
     (extension "com.apple.app-sandbox.read"))
 
+  ; Fonts
+  ; Workaround for sandbox extensions not being automatically
+  ; issued for fonts on 10.11 and earlier versions (bug 1460917).
+  (if (<= macosMinorVersion 11)
+    (allow file-read*
+      (regex #"\.[oO][tT][fF]$"          ; otf
+             #"\.[tT][tT][fF]$"          ; ttf
+             #"\.[tT][tT][cC]$"          ; ttc
+             #"\.[oO][tT][cC]$"          ; otc
+             #"\.[dD][fF][oO][nN][tT]$") ; dfont
+      (home-subpath "/Library/FontCollections")
+      (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+      (home-subpath "/Library/Application Support/FontAgent")
+      (regex #"\.fontvault/")
+      (home-subpath "/FontExplorer X/Font Library")))
+
   (allow ipc-posix-shm*
       (ipc-posix-name-regex #"^AudioIO")
       (ipc-posix-name-regex #"^CFPBS:"))
 
   (allow ipc-posix-shm-read*
       (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
       (ipc-posix-name "FNetwork.defaultStorageSession")
       (ipc-posix-name "apple.shm.notification_center"))
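Review bot: The gate `(if (<= macosMinorVersion 11)` tests only the minor version, so the widened read rules would also apply on any release whose minor number is 11 or lower under a different major version. Presumably macosMinorVersion is the Y of 10.Y; it is supplied outside this hunk, so this should be confirmed. I would record the assumption next to the test, e.g. `; assumes major version 10; revisit if the major version changes`, or add a major-version test if the policy has such a parameter. The same gate appears in the contentSandboxRules hunk, and flashPluginSandboxRules starts and ends outside this hunk.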