Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox. r=Alex_Gaynor, a=jcristau
authorHaik Aftandilian <haftandilian@mozilla.com>
Mon, 24 Sep 2018 17:22:49 +0000
changeset 481193 dc99e844c2af
parent 481192 dc688e0c9702
child 481194 5f9fa0298fc3
push id1804
push userjcristau@mozilla.com
push dateMon, 01 Oct 2018 10:38:02 +0000
reviewersAlex_Gaynor, jcristau
bugs1491940
milestone62.0.3
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox. r=Alex_Gaynor, a=jcristau Add a whitelisted write-access path regex to the Flash plugin sandbox. Differential Revision: https://phabricator.services.mozilla.com/D6679
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -787,27 +787,32 @@ static const char flashPluginSandboxRule
   (allow file-read*
       (literal "/Library/PreferencePanes/Flash Player.prefPane")
       (home-library-literal "/PreferencePanes/Flash Player.prefPane")
       (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
 
   (allow file-read*
       (literal "/Library/Preferences/com.apple.security.plist")
       (subpath "/private/var/db/mds"))
-  ; Tests revealed file-write-{data,create,flags} required for some encrypted
-  ; video playback. Allowing file-write* to match system profiles.
+
+  ; Additional read/write paths needed for encrypted video playback.
+  ; Tests revealed file-write-{data,create,flags} are required for the
+  ; accesses to the mds files. file-write-{data,create,mode,unlink}
+  ; required for CertStore.dat access. Allow file-write* to match system
+  ; profiles and for better compatibilty.
   (allow file-read* file-write*
       (require-all
           (vnode-type REGULAR-FILE)
           (require-any
               (cache-literal "/mds/mds.lock")
               (cache-literal "/mds/mdsDirectory.db")
               (cache-literal "/mds/mdsDirectory.db_")
               (cache-literal "/mds/mdsObject.db")
-              (cache-literal "/mds/mdsObject.db_"))))
+              (cache-literal "/mds/mdsObject.db_")
+              (tempDir-regex "/TemporaryItems/[^/]+/CertStore.dat"))))
 
   (allow network-bind (local ip))
 
   (deny file-write-create (vnode-type SYMLINK))
 )SANDBOX_LITERAL";
 
 }
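Review bot: The new `tempDir-regex` entry for `CertStore.dat` is looser than the comment above it describes: the pattern has no trailing `$` and leaves the `.` unescaped, so under `file-write*` it also matches any regular file whose path merely begins with `/TemporaryItems/<dir>/CertStore.dat`, or has another character where the dot is. The `home-library-regex` rule earlier in this hunk escapes its dot and anchors with `$`; doing the same here, `(tempDir-regex "/TemporaryItems/[^/]+/CertStore\.dat$")`, would keep the write grant to the one file the DRM path needs. This assumes `tempDir-regex` anchors the pattern at the temp-directory prefix; its definition and the start of the enclosing sandbox profile string are outside the hunk, so that should be confirmed there. The added comment also misspells "compatibility" as `compatibilty`.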