From 567f1c90d070f128031bf0f94a5a092eca8ea7d5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 25 Jul 2017 11:51:03 -0400 Subject: [PATCH] Bug 1384941 - removed access to mach services which are used for cameras in the content process; r=haik MozReview-Commit-ID: Ir6KgLM34bu --HG-- extra : rebase_source : badd0b62f20b870f7da82fcbefb09f7545e02801 --- security/sandbox/mac/SandboxPolicies.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/security/sandbox/mac/SandboxPolicies.h b/security/sandbox/mac/SandboxPolicies.h index b9eba53b16f7..38ed1955c6e5 100644 --- a/security/sandbox/mac/SandboxPolicies.h +++ b/security/sandbox/mac/SandboxPolicies.h @@ -181,7 +181,6 @@ static const char contentSandboxRules[] = R"( (ipc-posix-name-regex "^AudioIO")) (allow signal (target self)) - (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL")) (allow iokit-set-properties (iokit-property "IOAudioControlValue")) (allow mach-lookup @@ -192,13 +191,11 @@ static const char contentSandboxRules[] = R"( (global-name "com.apple.audio.coreaudiod") (global-name "com.apple.audio.audiohald") (global-name "com.apple.PowerManagement.control") - (global-name "com.apple.cmio.VDCAssistant") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.iconservices") (global-name "com.apple.cache_delete") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.bird") - (global-name "com.apple.cmio.AppleCameraAssistant") (global-name "com.apple.DesktopServicesHelper")) ; bug 1376163 @@ -222,9 +219,7 @@ static const char contentSandboxRules[] = R"( (iokit-user-client-class "IGAccelVideoContextMain") (iokit-user-client-class "IGAccelVideoContextMedia") (iokit-user-client-class "IGAccelVideoContextVEBox") - (iokit-user-client-class "RootDomainUserClient") - (iokit-user-client-class "IOUSBDeviceUserClientV2") - (iokit-user-client-class "IOUSBInterfaceUserClientV2")) + (iokit-user-client-class "RootDomainUserClient")) ; depending on systems, the 1st, 2nd or both rules are necessary (allow-shared-preferences-read "com.apple.HIToolbox") @@ -236,7 +231,6 @@ static const char contentSandboxRules[] = R"( (allow file-read* (subpath "/Library/Fonts") (subpath "/Library/Audio/Plug-Ins") - (subpath "/Library/CoreMediaIO/Plug-Ins/DAL") (subpath "/Library/Spelling") (literal "/") (literal "/private/tmp")