Bug 1393805 - Part 2 - Add Mac whitelisted directory for system extensions development. r=Alex_Gaynor
authorHaik Aftandilian <haftandilian@mozilla.com>
Thu, 05 Oct 2017 16:06:36 -0700
changeset 427484 4d06927fff29302f36d83ffd7c0f60a5a5f80973
parent 427483 2f59f47baabcb2457499dfb810145a0da575994d
child 427485 9fa8e68af08827a4b597f6ed851b581f4a97efd7
push id97
push userfmarier@mozilla.com
push dateSat, 14 Oct 2017 01:12:59 +0000
reviewersAlex_Gaynor
bugs1393805
milestone58.0a1
Bug 1393805 - Part 2 - Add Mac whitelisted directory for system extensions development. r=Alex_Gaynor MozReview-Commit-ID: ADkcqFAsKaY
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -260,16 +260,20 @@ static const char contentSandboxRules[] 
 ; is brokered through the content process
   (allow device-microphone)
 
 ; Per-user and system-wide Extensions dir
   (allow file-read*
       (home-regex "/Library/Application Support/[^/]+/Extensions/")
       (regex "^/Library/Application Support/[^/]+/Extensions/"))
 
+; bug 1393805
+  (allow file-read*
+      (home-subpath "/Library/Application Support/Mozilla/SystemExtensionsDev"))
+
 ; The following rules impose file access restrictions which get
 ; more restrictive in higher levels. When file-origin-specific
 ; content processes are used for file:// origin browsing, the
 ; global file-read* permission should be removed from each level.
 
 ; level 1: global read access permitted, no global write access
   (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
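Review bot: The new `(allow file-read* (home-subpath "/Library/Application Support/Mozilla/SystemExtensionsDev"))` rule is unconditional, so every content process gets read access to this development-only directory at every sandbox level and, as far as this hunk shows, in release builds as well. Because the path is under the user's home, anything running as that user can write to it, so it is worth confirming that the directory is only consulted in developer builds, or wrapping the rule in a policy-parameter check the way the level rules below test `sandbox-level-1`. The comment `; bug 1393805` gives no reason for the exception; something like `; Read-only access to the system extensions development dir (bug 1393805)` would let a later audit of the policy see why it exists. The rule sits inside the `contentSandboxRules` string, which begins and ends outside the hunk.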