Bug 1471977 - Mac Flash sandbox causing World Cup playback issues on foxsports.com r=Alex_Gaynor

Pass the user cache dir as a parameter to the Flash sandbox profile. Add services and paths to the Flash sandbox profile needed for TLS and encrypted video playback. MozReview-Commit-ID: 1szVXVVATFy --HG-- extra : rebase_source : 04885bb5d8b9995559462d373199078b109bfdc5
2024-12-03 10:33:33 +00:00 · 2018-07-06 15:06:21 -07:00 · 2018-07-06 15:06:21 -07:00 · b670f9fea5
commit b670f9fea5
parent 1a6ffb9e1e
2 changed files with 52 additions and 10 deletions
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@ -122,6 +122,20 @@ OSXVersion::GetVersionNumber()
  return mOSXVersion;
 }

+bool
+GetRealPath(std::string& aOutputPath, const char* aInputPath)
+{
+  char* resolvedPath = realpath(aInputPath, nullptr);
+  if (resolvedPath == nullptr) {
+    return false;
+  }
+
+  aOutputPath = resolvedPath;
+  free(resolvedPath);
+
+  return !aOutputPath.empty();
+}
+
 namespace mozilla {

 bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)
@ -132,7 +146,7 @@ bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)

  // Used for the Flash sandbox. Declared here so that they
  // stay in scope until sandbox_init_with_parameters is called.
-  std::string flashTempDir, flashPath;
+  std::string flashCacheDir, flashTempDir, flashPath;

  if (aInfo.type == MacSandboxType_Plugin &&
      aInfo.pluginInfo.type == MacSandboxPluginType_Flash) {
@ -153,20 +167,28 @@ bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)
    params.push_back(getenv("HOME"));

    params.push_back("PLUGIN_BINARY_PATH");
-    flashPath = realpath(aInfo.pluginInfo.pluginBinaryPath.c_str(), nullptr);
-    if (flashPath.empty()) {
+    if (!GetRealPath(flashPath, aInfo.pluginInfo.pluginBinaryPath.c_str())) {
      return false;
    }
    params.push_back(flashPath.c_str());

-    // User temp dir
-    params.push_back("DARWIN_USER_TEMP_DIR");
-    char tempDir[PATH_MAX];
-    if (!confstr(_CS_DARWIN_USER_TEMP_DIR, tempDir, sizeof(tempDir))) {
+    // User cache dir
+    params.push_back("DARWIN_USER_CACHE_DIR");
+    char confStrBuf[PATH_MAX];
+    if (!confstr(_CS_DARWIN_USER_CACHE_DIR, confStrBuf, sizeof(confStrBuf))) {
      return false;
    }
-    flashTempDir = realpath(tempDir, nullptr);
-    if (flashTempDir.empty()) {
+    if (!GetRealPath(flashCacheDir, confStrBuf)) {
+      return false;
+    }
+    params.push_back(flashCacheDir.c_str());
+
+    // User temp dir
+    params.push_back("DARWIN_USER_TEMP_DIR");
+    if (!confstr(_CS_DARWIN_USER_TEMP_DIR, confStrBuf, sizeof(confStrBuf))) {
+      return false;
+    }
+    if (!GetRealPath(flashTempDir, confStrBuf)) {
      return false;
    }
    params.push_back(flashTempDir.c_str());
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@ -417,6 +417,7 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
  (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
  (define homeDir (param "HOME_PATH"))
  (define tempDir (param "DARWIN_USER_TEMP_DIR"))
+  (define cacheDir (param "DARWIN_USER_CACHE_DIR"))
  (define pluginPath (param "PLUGIN_BINARY_PATH"))

  (if (string=? shouldLog "TRUE")
@ -571,6 +572,10 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
  (define (tempDir-regex tempDir-relative-regex)
    (regex (string-append "^" (regex-quote tempDir)) tempDir-relative-regex))

+  ; Utility for allowing access to specific files within the cache dir
+  (define (cache-literal cache-relative-literal)
+    (literal (string-append cacheDir cache-relative-literal)))
+
  ; Read-only paths
  (allow file-read*
      (literal "/")
@ -643,7 +648,9 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
      (global-name "com.apple.inputmethodkit.launcher")
      (global-name "com.apple.inputmethodkit.getxpcendpoint")
      (global-name "com.apple.decalog4.incoming")
-      (global-name "com.apple.windowserver.active"))
+      (global-name "com.apple.windowserver.active")
+      (global-name "com.apple.trustd.agent")
+      (global-name "com.apple.ocspd"))
  ; bug 1475707
  (if (= macosMinorVersion 9)
     (allow mach-lookup (global-name "com.apple.xpcd")))
@ -766,6 +773,19 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
      (home-library-literal "/PreferencePanes/Flash Player.prefPane")
      (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))

+  (allow file-read*
+      (literal "/Library/Preferences/com.apple.security.plist")
+      (subpath "/private/var/db/mds"))
+  ; Tests revealed file-write-{data,create,flags} required for some encrypted
+  ; video playback. Allowing file-write* to match system profiles.
+  (allow file-read* file-write*
+      (cache-literal "/mds/mds.lock")
+      (cache-literal "/mds/mdsDirectory.db_")
+      (cache-literal "/mds/mdsDirectory.db_")
+      (cache-literal "/mds/mdsObject.db")
+      (cache-literal "/mds/mdsObject.db_")
+      (require-all (vnode-type REGULAR-FILE)))
+
  (allow network-bind (local ip))

  (deny file-write-create (vnode-type SYMLINK))