Bug 1431441 - Part 5 - Parameterize access to the windowserver in the Mac content sandbox policy r=Alex_Gaynor
authorHaik Aftandilian <haftandilian@mozilla.com>
Thu, 11 Oct 2018 22:49:44 +0000
changeset 499338 b59b1651fc15347afd509a9b927d435a26ff871c
parent 499337 1e2bb579b824e1aa683318e13d1f9464679d4360
child 499339 fb1a4ddbf9bf2054fae411bea2e83a048bdaa0fe
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
reviewersAlex_Gaynor
bugs1431441
milestone64.0a1
Bug 1431441 - Part 5 - Parameterize access to the windowserver in the Mac content sandbox policy r=Alex_Gaynor Only allow access to "com.apple.windowserver.active" when the pref "security.sandbox.content.mac.disconnect-windowserver" is set to true. Depends on D6721 Differential Revision: https://phabricator.services.mozilla.com/D7357
dom/ipc/ContentChild.cpp
dom/ipc/ContentParent.cpp
security/sandbox/mac/Sandbox.h
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -1579,16 +1579,18 @@ StartMacOSContentSandbox()
   MacSandboxInfo info;
   info.type = MacSandboxType_Content;
   info.level = sandboxLevel;
   info.hasFilePrivileges = isFileProcess;
   info.shouldLog = Preferences::GetBool("security.sandbox.logging.enabled") ||
                    PR_GetEnv("MOZ_SANDBOX_LOGGING");
   info.appPath.assign(appPath.get());
   info.hasAudio = !Preferences::GetBool("media.cubeb.sandbox");
+  info.hasWindowServer = !Preferences::GetBool(
+      "security.sandbox.content.mac.disconnect-windowserver");
 
   // These paths are used to whitelist certain directories used by the testing
   // system. They should not be considered a public API, and are only intended
   // for use in automation.
   nsAutoCString testingReadPath1;
   Preferences::GetCString("security.sandbox.content.mac.testing_read_path1",
                           testingReadPath1);
   if (!testingReadPath1.IsEmpty()) {
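Review bot: The new assignment at `info.hasWindowServer = !Preferences::GetBool(...)` grants windowserver access whenever the pref is false or absent, which is the opposite of what the commit description says ("only allow access ... when the pref ... is set to true"); either the description or the polarity should be corrected before landing. Because `Preferences::GetBool` falls back to false for an unregistered pref, the effective default is fail-open (lookup allowed), and a comment should state that this is deliberate, e.g. `// Windowserver access stays allowed unless the pref is explicitly true; the policy denies the mach-lookup only when hasWindowServer is false.` The same negated-pref pattern appears in the ContentParent::AppendSandboxParams hunk and deserves the same comment there. StartMacOSContentSandbox starts and ends outside this hunk.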
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2173,16 +2173,21 @@ ContentParent::AppendSandboxParams(std::
     aArgs.push_back("-sbAllowFileAccess");
   }
 
   // Audio access
   if (!Preferences::GetBool("media.cubeb.sandbox")) {
     aArgs.push_back("-sbAllowAudio");
   }
 
+  // Windowserver access
+  if (!Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver")) {
+    aArgs.push_back("-sbAllowWindowServer");
+  }
+
   // .app path (normalized)
   nsAutoCString appPath;
   if (!nsMacUtilsImpl::GetAppPath(appPath)) {
     MOZ_CRASH("Failed to get app dir paths");
   }
   aArgs.push_back("-sbAppPath");
   aArgs.push_back(appPath.get());
 
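Review bot: The added `if (!Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver")) {` line exceeds the 80-column limit the surrounding code keeps to (compare the wrapped call in the ContentChild hunk); wrap the argument onto its own line: `if (!Preferences::GetBool(` / `        "security.sandbox.content.mac.disconnect-windowserver")) {`. The comment `// Windowserver access` could also say which direction the pref works, since the flag name `-sbAllowWindowServer` and the pref name `disconnect-windowserver` have opposite polarity. AppendSandboxParams continues outside the hunk.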
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -40,26 +40,28 @@ typedef struct _MacSandboxPluginInfo {
 
 typedef struct _MacSandboxInfo {
   _MacSandboxInfo()
     : type(MacSandboxType_Default)
     , level(0)
     , hasFilePrivileges(false)
     , hasSandboxedProfile(false)
     , hasAudio(false)
+    , hasWindowServer(false)
     , shouldLog(true)
   {
   }
   _MacSandboxInfo(const struct _MacSandboxInfo& other) = default;
 
   MacSandboxType type;
   int32_t level;
   bool hasFilePrivileges;
   bool hasSandboxedProfile;
   bool hasAudio;
+  bool hasWindowServer;
   MacSandboxPluginInfo pluginInfo;
   std::string appPath;
   std::string appBinaryPath;
   std::string appDir;
   std::string profileDir;
   std::string debugWriteDir;
 
   std::string testingReadPath1;
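Review bot: The new `hasWindowServer` member is undocumented, and its in-struct default (`false`, deny) differs from the effective default the parent and child compute from the pref (allow when the pref is unset), so a reader of this header alone will guess wrong. A one-line comment next to the field would settle it: `bool hasWindowServer; // content process may mach-lookup the windowserver; set from the disconnect-windowserver pref, deny by default here`. The `_MacSandboxInfo` struct continues past the end of this hunk.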
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -227,16 +227,18 @@ bool StartMacSandbox(MacSandboxInfo cons
       params.push_back("APP_PATH");
       params.push_back(aInfo.appPath.c_str());
       params.push_back("PROFILE_DIR");
       params.push_back(aInfo.profileDir.c_str());
       params.push_back("HOME_PATH");
       params.push_back(getenv("HOME"));
       params.push_back("HAS_SANDBOXED_PROFILE");
       params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
+      params.push_back("HAS_WINDOW_SERVER");
+      params.push_back(aInfo.hasWindowServer ? "TRUE" : "FALSE");
       if (!aInfo.parentPort.empty()) {
         params.push_back("PARENT_PORT");
         params.push_back(aInfo.parentPort.c_str());
       }
       if (!aInfo.crashServerPort.empty()) {
         params.push_back("CRASH_PORT");
         params.push_back(aInfo.crashServerPort.c_str());
       }
@@ -374,16 +376,21 @@ GetContentSandboxParamsFromArgs(int aArg
       continue;
     }
 
     if (strcmp(aArgv[i], "-sbAllowAudio") == 0) {
       aInfo.hasAudio = true;
       continue;
     }
 
+    if (strcmp(aArgv[i], "-sbAllowWindowServer") == 0) {
+      aInfo.hasWindowServer = true;
+      continue;
+    }
+
     if ((strcmp(aArgv[i], "-sbAppPath") == 0) && (i + 1 < aArgc)) {
       foundAppPath = true;
       aInfo.appPath.assign(aArgv[i+1]);
       i++;
       continue;
     }
 
     if ((strcmp(aArgv[i], "-sbTestingReadPath") == 0) && (i + 1 < aArgc)) {
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -49,16 +49,17 @@ static const char contentSandboxRules[] 
   (define should-log (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define appPath (param "APP_PATH"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
+  (define hasWindowServer (param "HAS_WINDOW_SERVER"))
   (define home-path (param "HOME_PATH"))
   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
   (define testingReadPath1 (param "TESTING_READ_PATH1"))
   (define testingReadPath2 (param "TESTING_READ_PATH2"))
   (define testingReadPath3 (param "TESTING_READ_PATH3"))
   (define testingReadPath4 (param "TESTING_READ_PATH4"))
   (define parentPort (param "PARENT_PORT"))
   (define crashPort (param "CRASH_PORT"))
@@ -186,18 +187,19 @@ static const char contentSandboxRules[] 
   (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
     (ipc-posix-name-regex #"^CFPBS:"))
 
   (allow signal (target self))
   (if (string? parentPort)
     (allow mach-lookup (global-name parentPort)))
   (if (string? crashPort)
     (allow mach-lookup (global-name crashPort)))
+  (if (string=? hasWindowServer "TRUE")
+    (allow mach-lookup (global-name "com.apple.windowserver.active")))
   (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
-  (allow mach-lookup (global-name "com.apple.windowserver.active"))
   (allow mach-lookup (global-name "com.apple.lsd.mapdb"))
 
   (if (>= macosMinorVersion 13)
     (allow mach-lookup
       ; bug 1392988
       (xpc-service-name "com.apple.coremedia.videodecoder")
       (xpc-service-name "com.apple.coremedia.videoencoder")))
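Review bot: The new `(if (string=? hasWindowServer "TRUE") ...)` rule has no comment explaining why the windowserver lookup moved from unconditional to gated, unlike the `; bug 1392988` annotation a few lines below; add `; bug 1431441 - gated by security.sandbox.content.mac.disconnect-windowserver` above it so the policy is readable without the commit log. Unlike `parentPort` and `crashPort`, which are guarded with `(string? ...)`, this rule compares the param directly, so if any caller ever builds the policy without pushing `HAS_WINDOW_SERVER` the comparison runs on a non-string; that appears safe given the unconditional push in the Sandbox.mm hunk, but a `(string? hasWindowServer)` guard would make the deny-by-default explicit rather than incidental.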