Bug 1306508 - Whitelist /private/var/folders/ in DEBUG and reduce content process write access further; r=gcp

Removes global write access from the content process (instead of just blocking write access to $HOME) for level 1 and 2 Mac content sandboxes. Allows writes to /private/var/folders/[0-9][0-9]/ in DEBUG mode so that leaktest can continue to work. MozReview-Commit-ID: 635o7Nj9oW1 --HG-- extra : rebase_source : 7e23612f56a31de83307057c1e6d0eaadb937614
2024-10-09 03:15:11 +00:00 · 2016-10-12 11:53:38 -07:00 · 2016-10-12 11:53:38 -07:00 · 0ebb0c2d3e
commit 0ebb0c2d3e
parent 4bec362935
1 changed files with 9 additions and 14 deletions
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@ -343,13 +343,10 @@ static const char contentSandboxRules[] =
  "; content processes are used for file:// origin browsing, the\n"
  "; global file-read* permission should be removed from each level.\n"
  "\n"
-  "; level 1: global read access permitted, no home write access\n"
-  "  (if (= sandbox-level 1)\n"
-  "    (begin\n"
-  "      (allow file-read*)\n"
-  "      (allow file-write* (require-not (subpath home-path)))))\n"
+  "; level 1: global read access permitted, no global write access\n"
+  "  (if (= sandbox-level 1) (allow file-read*))\n"
  "\n"
-  "; level 2: global read access permitted, no home write access,\n"
+  "; level 2: global read access permitted, no global write access,\n"
  ";          no read/write access to ~/Library,\n"
  ";          no read/write access to $PROFILE,\n"
  ";          read access permitted to $PROFILE/{extensions,weave}\n"
@ -360,18 +357,11 @@ static const char contentSandboxRules[] =
  "        (allow file-read* (require-all\n"
  "              (require-not (home-subpath \"/Library\"))\n"
  "              (require-not (subpath profileDir))))\n"
-  "        (allow file-write* (require-all\n"
-  "              (require-not (subpath home-path))\n"
-  "              (require-not (subpath profileDir))))\n"
  "        (allow file-read*\n"
  "              (profile-subpath \"/extensions\")\n"
  "              (profile-subpath \"/weave\")))\n"
  "      ; we don't have a profile dir\n"
-  "      (begin\n"
-  "        (allow file-read*\n"
-  "              (require-not (home-subpath \"/Library\")))\n"
-  "        (allow file-write* (require-all\n"
-  "              (require-not (subpath home-path)))))))\n"
+  "      (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
  "\n"
  "; accelerated graphics\n"
  "  (allow-shared-preferences-read \"com.apple.opengl\")\n"
@ -403,6 +393,11 @@ static const char contentSandboxRules[] =
  "      (subpath appTempDir))\n"
  "  (allow file-write*\n"
  "      (subpath appTempDir))\n"
+#ifdef DEBUG
+  "\n"
+  "; bug 1303987\n"
+  "  (allow file-write* (var-folders-regex \"/\"))\n"
+#endif
  ")\n";

 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)