Bug 1306508 - Whitelist /private/var/folders/ in DEBUG and reduce content process write access further; r=gcp
Removes global write access from the content process (instead of just blocking write access to $HOME) for level 1 and 2 Mac content sandboxes. Allows writes to /private/var/folders/[0-9][0-9]/ in DEBUG mode so that leaktest can continue to work. MozReview-Commit-ID: 635o7Nj9oW1 --HG-- extra : rebase_source : 7e23612f56a31de83307057c1e6d0eaadb937614
parent
4bec362935
commit
0ebb0c2d3e
@ -343,13 +343,10 @@ static const char contentSandboxRules[] =
|
||||
"; content processes are used for file:// origin browsing, the\n"
|
||||
"; global file-read* permission should be removed from each level.\n"
|
||||
"\n"
|
||||
"; level 1: global read access permitted, no home write access\n"
|
||||
" (if (= sandbox-level 1)\n"
|
||||
" (begin\n"
|
||||
" (allow file-read*)\n"
|
||||
" (allow file-write* (require-not (subpath home-path)))))\n"
|
||||
"; level 1: global read access permitted, no global write access\n"
|
||||
" (if (= sandbox-level 1) (allow file-read*))\n"
|
||||
"\n"
|
||||
"; level 2: global read access permitted, no home write access,\n"
|
||||
"; level 2: global read access permitted, no global write access,\n"
|
||||
"; no read/write access to ~/Library,\n"
|
||||
"; no read/write access to $PROFILE,\n"
|
||||
"; read access permitted to $PROFILE/{extensions,weave}\n"
|
||||
@ -360,18 +357,11 @@ static const char contentSandboxRules[] =
|
||||
" (allow file-read* (require-all\n"
|
||||
" (require-not (home-subpath \"/Library\"))\n"
|
||||
" (require-not (subpath profileDir))))\n"
|
||||
" (allow file-write* (require-all\n"
|
||||
" (require-not (subpath home-path))\n"
|
||||
" (require-not (subpath profileDir))))\n"
|
||||
" (allow file-read*\n"
|
||||
" (profile-subpath \"/extensions\")\n"
|
||||
" (profile-subpath \"/weave\")))\n"
|
||||
" ; we don't have a profile dir\n"
|
||||
" (begin\n"
|
||||
" (allow file-read*\n"
|
||||
" (require-not (home-subpath \"/Library\")))\n"
|
||||
" (allow file-write* (require-all\n"
|
||||
" (require-not (subpath home-path)))))))\n"
|
||||
" (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
|
||||
"\n"
|
||||
"; accelerated graphics\n"
|
||||
" (allow-shared-preferences-read \"com.apple.opengl\")\n"
|
||||
@ -403,6 +393,11 @@ static const char contentSandboxRules[] =
|
||||
" (subpath appTempDir))\n"
|
||||
" (allow file-write*\n"
|
||||
" (subpath appTempDir))\n"
|
||||
#ifdef DEBUG
|
||||
"\n"
|
||||
"; bug 1303987\n"
|
||||
" (allow file-write* (var-folders-regex \"/\"))\n"
|
||||
#endif
|
||||
")\n";
|
||||
|
||||
bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
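Review bot: The DEBUG-only rule added in the last hunk, `(allow file-write* (var-folders-regex "/"))`, gives debug content processes write access to a much wider tree than the `appTempDir` rule just above it, and its only explanation is `; bug 1303987`. Going by the commit message it covers everything under /private/var/folders/[0-9][0-9]/ so that leaktest keeps working; the `var-folders-regex` definition is outside this hunk, so the exact match is not visible here. I would state that in the profile, e.g. `"; DEBUG only: leaktest writes under /private/var/folders (see bug 1303987)\n"`, and narrow the pattern to the directory leaktest actually uses if that is known. Because the rule sits under `#ifdef DEBUG`, debug test runs no longer exercise the write policy that release builds ship, so breakage caused by the removed global write access at levels 1 and 2 may only surface in non-debug builds. `contentSandboxRules` begins before the first hunk.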
|
||||
|