From 4237da641e77aea62de2df521e3c67d806a5f9fa Mon Sep 17 00:00:00 2001 From: Ryan VanderMeulen Date: Thu, 27 Jul 2017 20:10:23 -0400 Subject: [PATCH] Backed out changeset 4d7f80401751 (bug 1385028) for bustage. --HG-- extra : rebase_source : 74b74e1a87c5e524f15eb04917d5b2205f3f87f3 --- security/sandbox/mac/Sandbox.mm | 15 ++++----------- security/sandbox/mac/SandboxPolicies.h | 9 +++++---- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/security/sandbox/mac/Sandbox.mm b/security/sandbox/mac/Sandbox.mm index c1c3d99f9bc3..3cbf6e985a0f 100644 --- a/security/sandbox/mac/Sandbox.mm +++ b/security/sandbox/mac/Sandbox.mm @@ -129,15 +129,6 @@ bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage) std::vector params; char *profile = NULL; bool profile_needs_free = false; - -// 11 bytes is enough to store any int32_t, plus one for the NUL byte. In -// practice of course, it's unlikely we'll see a macOS minor version greater -// than 2 digits in the lifetime of this code. Better safe than sorry though! -#define MAX_MACOS_MINOR_VERSION_LENGTH 12 - char macOSMinor[MAX_MACOS_MINOR_VERSION_LENGTH]; - snprintf(macOSMinor, sizeof(macOSMinor), "%d", OSXVersion::OSXVersionMinor()); -#undef MAX_MACOS_MINOR_VERSION_LENGTH - if (aInfo.type == MacSandboxType_Plugin) { profile = const_cast(pluginSandboxRules); params.push_back("SHOULD_LOG"); 
@@ -169,8 +160,10 @@ bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage) params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE"); params.push_back("SANDBOX_LEVEL_3"); params.push_back(aInfo.level == 3 ? "TRUE" : "FALSE"); - params.push_back("MAC_OS_MINOR"); - params.push_back(macOSMinor); + params.push_back("MAC_OS_MINOR_9"); + params.push_back(OSXVersion::OSXVersionMinor() == 9 ? "TRUE" : "FALSE"); + params.push_back("MAC_OS_MINOR_MIN_13"); + params.push_back(OSXVersion::OSXVersionMinor() >= 13 ? "TRUE" : "FALSE"); params.push_back("APP_PATH"); params.push_back(aInfo.appPath.c_str()); params.push_back("APP_BINARY_PATH"); diff --git a/security/sandbox/mac/SandboxPolicies.h b/security/sandbox/mac/SandboxPolicies.h index bfd38d455310..41cfd73884db 100644 --- a/security/sandbox/mac/SandboxPolicies.h +++ b/security/sandbox/mac/SandboxPolicies.h @@ -54,7 +54,8 @@ static const char contentSandboxRules[] = R"( (define sandbox-level-1 (param "SANDBOX_LEVEL_1")) (define sandbox-level-2 (param "SANDBOX_LEVEL_2")) (define sandbox-level-3 (param "SANDBOX_LEVEL_3")) - (define macosMinorVersion (string->number (param "MAC_OS_MINOR"))) + (define macosMinorVersion-9 (param "MAC_OS_MINOR_9")) + (define macosMinorVersion-min13 (param "MAC_OS_MINOR_MIN_13")) (define appPath (param "APP_PATH")) (define appBinaryPath (param "APP_BINARY_PATH")) (define appdir-path (param "APP_DIR")) @@ -109,7 +110,7 @@ static const char contentSandboxRules[] = R"( ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately ; we need to allow all sysctl-reads there. - (if (= macosMinorVersion 9) + (if (string=? macosMinorVersion-9 "TRUE") (allow sysctl-read) (allow sysctl-read (sysctl-name-regex #"^sysctl\.") 
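Review bot: The two added flags in the @@ -169 hunk each call `OSXVersion::OSXVersionMinor()` separately, and nothing ties their names to the profile they steer. Both strings gate allowances in `contentSandboxRules`: unrestricted `sysctl-read` on 10.9 and an extra `mach-lookup` on 10.13 and later. Reading the version once, `const int32_t macOSMinor = OSXVersion::OSXVersionMinor();`, and testing `macOSMinor == 9` and `macOSMinor >= 13` guarantees both flags come from the same value. I would also add `// Keys must match the (param ...) defines in contentSandboxRules (SandboxPolicies.h).` above the first push, since the vector is a flat key/value list and a mismatch is not caught at compile time. StartMacSandbox begins and ends outside this hunk, so the placement of the local is for the author to choose.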
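Review bot: `macosMinorVersion-9` and `macosMinorVersion-min13` in the @@ -54 hunk are bound to the raw parameter strings, so every use has to repeat `(string=? ... "TRUE")`. That comparison appears three times in this patch: once in the @@ -109 hunk and twice in the @@ -203 hunk. Any value other than the exact string "TRUE" is treated as false without a diagnostic, so a case or spelling slip on the Sandbox.mm side would silently change which rules apply. Converting once at the definition, `(define macosMinorVersion-9 (string=? (param "MAC_OS_MINOR_9") "TRUE"))` and likewise for `macosMinorVersion-min13`, lets the call sites read `(if macosMinorVersion-9 ...)` and keeps the literal in one place. The backout message does not say what broke in the numeric form, so please confirm this on each supported macOS version.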
@@ -203,11 +204,11 @@ static const char contentSandboxRules[] = R"( (global-name "com.apple.DesktopServicesHelper")) ; bug 1376163 - (if (>= macosMinorVersion 13) + (if (string=? macosMinorVersion-min13 "TRUE") (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar"))) ; bug 1312273 - (if (= macosMinorVersion 9) + (if (string=? macosMinorVersion-9 "TRUE") (allow mach-lookup (global-name "com.apple.xpcd"))) (allow iokit-open