Bug 1083344 - Tighten rules for Mac OS content process sandbox - "core part". r=smichaud

--HG--
extra : histedit_source : 3c904474c57dbf086365cc6b26a55c34b2b449ae

browser/app/profile/firefox.js

@@ -1214,6 +1214,18 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
 #endif
 #endif
 
+#if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
+// This pref is discussed in bug 1083344, the naming is inspired from its Windows
+// counterpart, but on Mac it's an integer which means:
+// 0 -> "no sandbox"
+// 1 -> "an imperfect sandbox designed to allow firefox to run reasonably well"
+// 2 -> "an ideal sandbox which may break many things"
+// This setting is read when the content process is started. On Mac the content
+// process is killed when all windows are closed, so a change will take effect
+// when the 1st window is opened. It was decided to default this setting to 1.
+pref("security.sandbox.macos.content.moreStrict", 1);
+#endif
+
 // This pref governs whether we attempt to work around problems caused by
 // plugins using OS calls to manipulate the cursor while running out-of-
 // process.  These workarounds all involve intercepting (hooking) certain

dom/ipc/ContentChild.cpp

@@ -93,6 +93,8 @@
 #include "nsISpellChecker.h"
 #include "nsClipboardProxy.h"
 #include "nsISystemMessageCache.h"
+#include "nsDirectoryServiceUtils.h"
+#include "nsDirectoryServiceDefs.h"
 
 #include "IHistory.h"
 #include "nsNetUtil.h"
@@ -1081,8 +1083,11 @@ ContentChild::CleanUpSandboxEnvironment()
 #endif
 
 #if defined(XP_MACOSX) && defined(MOZ_CONTENT_SANDBOX)
+
+#include <stdlib.h>
+
 static bool
-GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
+GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath, nsCString &aAppDir)
 {
   nsAutoCString appPath;
   nsAutoCString appBinaryPath(
@@ -1112,6 +1117,23 @@ GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
     return false;
   }
 
+  nsCOMPtr<nsIFile> appDir;
+  nsCOMPtr<nsIProperties> dirSvc =
+    do_GetService(NS_DIRECTORY_SERVICE_CONTRACTID);
+  if (!dirSvc) {
+    return false;
+  }
+  rv = dirSvc->Get(NS_XPCOM_CURRENT_PROCESS_DIR,
+                   NS_GET_IID(nsIFile), getter_AddRefs(appDir));
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+  bool exists;
+  rv = appDir->Exists(&exists);
+  if (NS_FAILED(rv) || !exists) {
+    return false;
+  }
+
   bool isLink;
   app->IsSymlink(&isLink);
   if (isLink) {
@@ -1125,6 +1147,12 @@ GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
   } else {
     appBinary->GetNativePath(aAppBinaryPath);
   }
+  appDir->IsSymlink(&isLink);
+  if (isLink) {
+    appDir->GetNativeTarget(aAppDir);
+  } else {
+    appDir->GetNativePath(aAppDir);
+  }
 
   return true;
 }
@@ -1132,8 +1160,8 @@ GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
 static void
 StartMacOSContentSandbox()
 {
-  nsAutoCString appPath, appBinaryPath;
-  if (!GetAppPaths(appPath, appBinaryPath)) {
+  nsAutoCString appPath, appBinaryPath, appDir;
+  if (!GetAppPaths(appPath, appBinaryPath, appDir)) {
     MOZ_CRASH("Error resolving child process path");
   }
 
@@ -1141,6 +1169,7 @@ StartMacOSContentSandbox()
   info.type = MacSandboxType_Content;
   info.appPath.Assign(appPath);
   info.appBinaryPath.Assign(appBinaryPath);
+  info.appDir.Assign(appDir);
 
   nsAutoCString err;
   if (!mozilla::StartMacSandbox(info, err)) {

security/sandbox/mac/Sandbox.h

@@ -38,6 +38,7 @@ typedef struct _MacSandboxInfo {
   MacSandboxPluginInfo pluginInfo;
   nsCString appPath;
   nsCString appBinaryPath;
+  nsCString appDir;
 } MacSandboxInfo;
 
 namespace mozilla {