Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-11-27 23:02:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Backed out changeset 4d7f80401751 (bug 1385028) for bustage.

Browse Source 
--HG--
extra : rebase_source : 74b74e1a87c5e524f15eb04917d5b2205f3f87f3
This commit is contained in:
Ryan VanderMeulen 2017-07-27 20:10:23 -04:00
parent 4864560cd0
commit 4237da641e
2 changed files with 9 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
security/sandbox/mac/Sandbox.mm
View File

@ -129,15 +129,6 @@ bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
std::vector<const char *> params;
char *profile = NULL;
bool profile_needs_free = false;
// 11 bytes is enough to store any int32_t, plus one for the NUL byte. In
// practice of course, it's unlikely we'll see a macOS minor version greater
// than 2 digits in the lifetime of this code. Better safe than sorry though!
#define MAX_MACOS_MINOR_VERSION_LENGTH 12
char macOSMinor[MAX_MACOS_MINOR_VERSION_LENGTH];
snprintf(macOSMinor, sizeof(macOSMinor), "%d", OSXVersion::OSXVersionMinor());
#undef MAX_MACOS_MINOR_VERSION_LENGTH
if (aInfo.type == MacSandboxType_Plugin) {
profile = const_cast<char *>(pluginSandboxRules);
params.push_back("SHOULD_LOG");
@ -169,8 +160,10 @@ bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE");
params.push_back("SANDBOX_LEVEL_3");
params.push_back(aInfo.level == 3 ? "TRUE" : "FALSE");
params.push_back("MAC_OS_MINOR");
params.push_back(macOSMinor);
params.push_back("MAC_OS_MINOR_9");
params.push_back(OSXVersion::OSXVersionMinor() == 9 ? "TRUE" : "FALSE");
params.push_back("MAC_OS_MINOR_MIN_13");
params.push_back(OSXVersion::OSXVersionMinor() >= 13 ? "TRUE" : "FALSE");
params.push_back("APP_PATH");
params.push_back(aInfo.appPath.c_str());
params.push_back("APP_BINARY_PATH");

9
security/sandbox/mac/SandboxPolicies.h
View File

@ -54,7 +54,8 @@ static const char contentSandboxRules[] = R"(
(define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
(define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
(define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
(define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
(define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
(define macosMinorVersion-min13 (param "MAC_OS_MINOR_MIN_13"))
(define appPath (param "APP_PATH"))
(define appBinaryPath (param "APP_BINARY_PATH"))
(define appdir-path (param "APP_DIR"))
@ -109,7 +110,7 @@ static const char contentSandboxRules[] = R"(
; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
; we need to allow all sysctl-reads there.
(if (= macosMinorVersion 9)
(if (string=? macosMinorVersion-9 "TRUE")
(allow sysctl-read)
(allow sysctl-read
(sysctl-name-regex #"^sysctl\.")
@ -203,11 +204,11 @@ static const char contentSandboxRules[] = R"(
(global-name "com.apple.DesktopServicesHelper"))
; bug 1376163
(if (>= macosMinorVersion 13)
(if (string=? macosMinorVersion-min13 "TRUE")
(allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar")))
; bug 1312273
(if (= macosMinorVersion 9)
(if (string=? macosMinorVersion-9 "TRUE")
(allow mach-lookup (global-name "com.apple.xpcd")))
(allow iokit-open