Bug 1431441 - Part 5 - Parameterize access to the windowserver in the Mac content sandbox policy r=Alex_Gaynor
authorHaik Aftandilian <haftandilian@mozilla.com>
Thu, 18 Oct 2018 20:49:51 +0000
changeset 490778 cd9c1a610dd7edf256945bccea8671cb2bd18f70
parent 490777 abbae9f258346c8964babc3ee9e1ec061b749af1
child 490779 c70d57adec824c605e77196e651191c784c84bc3
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewersAlex_Gaynor
bugs1431441
milestone64.0a1
Bug 1431441 - Part 5 - Parameterize access to the windowserver in the Mac content sandbox policy r=Alex_Gaynor Only allow access to "com.apple.windowserver.active" when the pref "security.sandbox.content.mac.disconnect-windowserver" is set to true. Depends on D6721 Differential Revision: https://phabricator.services.mozilla.com/D7357
dom/ipc/ContentChild.cpp
dom/ipc/ContentParent.cpp
security/sandbox/mac/Sandbox.h
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -1579,16 +1579,18 @@ StartMacOSContentSandbox()
   MacSandboxInfo info;
   info.type = MacSandboxType_Content;
   info.level = sandboxLevel;
   info.hasFilePrivileges = isFileProcess;
   info.shouldLog = Preferences::GetBool("security.sandbox.logging.enabled") ||
                    PR_GetEnv("MOZ_SANDBOX_LOGGING");
   info.appPath.assign(appPath.get());
   info.hasAudio = !Preferences::GetBool("media.cubeb.sandbox");
+  info.hasWindowServer = !Preferences::GetBool(
+      "security.sandbox.content.mac.disconnect-windowserver");
 
   // These paths are used to whitelist certain directories used by the testing
   // system. They should not be considered a public API, and are only intended
   // for use in automation.
   nsAutoCString testingReadPath1;
   Preferences::GetCString("security.sandbox.content.mac.testing_read_path1",
                           testingReadPath1);
   if (!testingReadPath1.IsEmpty()) {
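Review bot: The commit message says access to "com.apple.windowserver.active" is allowed only when security.sandbox.content.mac.disconnect-windowserver is true, but the assignment at the top of this hunk negates the pref, so access is allowed when the pref is false or unset; the parent-side check in ContentParent::AppendSandboxParams negates it the same way, so the code is internally consistent and the message is what is inverted. The code is the natural reading of the pref name ("disconnect" true means the lookup is denied), so the description should be corrected rather than the code. A one-line comment above the assignment would spare the next reader from re-deriving the polarity: `// Disconnecting from the windowserver is opt-in; the policy keeps the mach-lookup unless the pref is set.` StartMacOSContentSandbox starts and ends outside this hunk.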
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2160,16 +2160,21 @@ ContentParent::AppendSandboxParams(std::
     aArgs.push_back("-sbAllowFileAccess");
   }
 
   // Audio access
   if (!Preferences::GetBool("media.cubeb.sandbox")) {
     aArgs.push_back("-sbAllowAudio");
   }
 
+  // Windowserver access
+  if (!Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver")) {
+    aArgs.push_back("-sbAllowWindowServer");
+  }
+
   // .app path (normalized)
   nsAutoCString appPath;
   if (!nsMacUtilsImpl::GetAppPath(appPath)) {
     MOZ_CRASH("Failed to get app dir paths");
   }
   aArgs.push_back("-sbAppPath");
   aArgs.push_back(appPath.get());
 
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -40,26 +40,28 @@ typedef struct _MacSandboxPluginInfo {
 
 typedef struct _MacSandboxInfo {
   _MacSandboxInfo()
     : type(MacSandboxType_Default)
     , level(0)
     , hasFilePrivileges(false)
     , hasSandboxedProfile(false)
     , hasAudio(false)
+    , hasWindowServer(false)
     , shouldLog(true)
   {
   }
   _MacSandboxInfo(const struct _MacSandboxInfo& other) = default;
 
   MacSandboxType type;
   int32_t level;
   bool hasFilePrivileges;
   bool hasSandboxedProfile;
   bool hasAudio;
+  bool hasWindowServer;
   MacSandboxPluginInfo pluginInfo;
   std::string appPath;
   std::string appBinaryPath;
   std::string appDir;
   std::string profileDir;
   std::string debugWriteDir;
 
   std::string testingReadPath1;
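Review bot: The new hasWindowServer member carries no comment, and its meaning is not obvious from the name alone because the matching pref is phrased as "disconnect" and the matching command-line flag as "allow". The false initializer in the constructor is the restrictive value, so a MacSandboxInfo that is never told otherwise ends up with the windowserver lookup denied, which is the right fail-closed default and worth stating on the field: `bool hasWindowServer;  // Allow mach-lookup of com.apple.windowserver.active; false denies it`. The struct definition continues past the end of this hunk.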
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -227,16 +227,18 @@ bool StartMacSandbox(MacSandboxInfo cons
       params.push_back("APP_PATH");
       params.push_back(aInfo.appPath.c_str());
       params.push_back("PROFILE_DIR");
       params.push_back(aInfo.profileDir.c_str());
       params.push_back("HOME_PATH");
       params.push_back(getenv("HOME"));
       params.push_back("HAS_SANDBOXED_PROFILE");
       params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
+      params.push_back("HAS_WINDOW_SERVER");
+      params.push_back(aInfo.hasWindowServer ? "TRUE" : "FALSE");
       if (!aInfo.parentPort.empty()) {
         params.push_back("PARENT_PORT");
         params.push_back(aInfo.parentPort.c_str());
       }
       if (!aInfo.crashServerPort.empty()) {
         params.push_back("CRASH_PORT");
         params.push_back(aInfo.crashServerPort.c_str());
       }
@@ -374,16 +376,21 @@ GetContentSandboxParamsFromArgs(int aArg
       continue;
     }
 
     if (strcmp(aArgv[i], "-sbAllowAudio") == 0) {
       aInfo.hasAudio = true;
       continue;
     }
 
+    if (strcmp(aArgv[i], "-sbAllowWindowServer") == 0) {
+      aInfo.hasWindowServer = true;
+      continue;
+    }
+
     if ((strcmp(aArgv[i], "-sbAppPath") == 0) && (i + 1 < aArgc)) {
       foundAppPath = true;
       aInfo.appPath.assign(aArgv[i+1]);
       i++;
       continue;
     }
 
     if ((strcmp(aArgv[i], "-sbTestingReadPath") == 0) && (i + 1 < aArgc)) {
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -49,16 +49,17 @@ static const char contentSandboxRules[] 
   (define should-log (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
   (define appPath (param "APP_PATH"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
+  (define hasWindowServer (param "HAS_WINDOW_SERVER"))
   (define home-path (param "HOME_PATH"))
   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
   (define testingReadPath1 (param "TESTING_READ_PATH1"))
   (define testingReadPath2 (param "TESTING_READ_PATH2"))
   (define testingReadPath3 (param "TESTING_READ_PATH3"))
   (define testingReadPath4 (param "TESTING_READ_PATH4"))
   (define parentPort (param "PARENT_PORT"))
   (define crashPort (param "CRASH_PORT"))
@@ -186,18 +187,19 @@ static const char contentSandboxRules[] 
   (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
     (ipc-posix-name-regex #"^CFPBS:"))
 
   (allow signal (target self))
   (if (string? parentPort)
     (allow mach-lookup (global-name parentPort)))
   (if (string? crashPort)
     (allow mach-lookup (global-name crashPort)))
+  (if (string=? hasWindowServer "TRUE")
+    (allow mach-lookup (global-name "com.apple.windowserver.active")))
   (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
-  (allow mach-lookup (global-name "com.apple.windowserver.active"))
   (allow mach-lookup (global-name "com.apple.lsd.mapdb"))
 
   (if (>= macosMinorVersion 13)
     (allow mach-lookup
       ; bug 1392988
       (xpc-service-name "com.apple.coremedia.videodecoder")
       (xpc-service-name "com.apple.coremedia.videoencoder")))
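Review bot: The new guard `(if (string=? hasWindowServer "TRUE") …)` assumes the HAS_WINDOW_SERVER parameter is always supplied, whereas the parentPort and crashPort rules just above it first test `(string? …)` because an unset param is not a string. StartMacSandbox now pushes HAS_WINDOW_SERVER unconditionally in the Sandbox.mm hunk, so today the comparison always sees a string, but if a future caller of contentSandboxRules omits the param the comparison would presumably be an evaluation error rather than a deny. Mirroring the existing pattern keeps the rule self-contained and fail-closed: `(if (and (string? hasWindowServer) (string=? hasWindowServer "TRUE"))`. That also matches the false initializer given to hasWindowServer in MacSandboxInfo, so an absent or unset value and a "FALSE" value behave the same way.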