Bug 1284588 - OS X: Disable content process write access to user files in the home directory; r=gcp

Changes the semantics of the security.sandbox.content.level pref on OS X with
respect to file access to the user's home directory. With the fix, Nightly
defaults to 2 while other releases will default to 1. The level values now
have the following meaning.

*) security.sandbox.content.level=0 disables content process sandboxing.
No change here.

*) security.sandbox.content.level=1 blocks write access to the majority of the
home directory.

*) security.sandbox.content.level=2 includes the write access blocking in
level 1, but also blocks both read and write access to ~/Library and $PROFILE
excluding the extensions and weave subdirectories.

Prior to this fix, Nightly defaulted to a value of 1 while all other releases
used 0. The value of 1 meant that read/write access to ~/Library and the
$PROFILE dir (excluding $PROFILE/{extensions,weave}) was prevented.

The strength of a level=1 sandbox is reduced by this with fix,
but level=1 becomes the first ride-the-trains content sandbox candidate,
Nightly changes to level=2, and higher levels still indicate a more
restrictive sandbox.

MozReview-Commit-ID: 7NJAe24T4pU

--HG--
extra : rebase_source : 8cb5ea82004ad631fe688bafffa9dc9979568679

browser/app/profile/firefox.js

@@ -972,16 +972,24 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
 #endif
 
 #if defined(XP_MACOSX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
-// This pref is discussed in bug 1083344, the naming is inspired from its Windows
-// counterpart, but on Mac it's an integer which means:
+// This pref is discussed in bug 1083344, the naming is inspired from its
+// Windows counterpart, but on Mac it's an integer which means:
 // 0 -> "no sandbox"
-// 1 -> "an imperfect sandbox designed to allow firefox to run reasonably well"
-// 2 -> "an ideal sandbox which may break many things"
+// 1 -> "preliminary content sandboxing enabled: write access to
+//       home directory is prevented"
+// 2 -> "preliminary content sandboxing enabled with profile protection:
+//       write access to home directory is prevented, read and write access
+//       to ~/Library and profile directories are prevented (excluding
+//       $PROFILE/{extensions,weave})"
 // This setting is read when the content process is started. On Mac the content
 // process is killed when all windows are closed, so a change will take effect
 // when the 1st window is opened.
+#if defined(NIGHTLY_BUILD)
+pref("security.sandbox.content.level", 2);
+#else
 pref("security.sandbox.content.level", 1);
 #endif
+#endif
 
 #if defined(XP_LINUX) && defined(MOZ_SANDBOX) && defined(MOZ_CONTENT_SANDBOX)
 // This pref is introduced as part of bug 742434, the naming is inspired from

security/sandbox/mac/Sandbox.mm

@@ -373,26 +373,40 @@ static const char contentSandboxRules[] =
   "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
   "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
   "\n"
-  "; Profile subdirectories\n"
-  "  (if (not (zero? hasProfileDir)) (allow file-read*\n"
-  "      (profile-subpath \"/extensions\")\n"
-  "      (profile-subpath \"/weave\")))\n"
+  "; The following rules impose file access restrictions which get\n"
+  "; more restrictive in higher levels. When file-origin-specific\n"
+  "; content processes are used for file:// origin browsing, the\n"
+  "; global file-read* permission should be removed from each level.\n"
   "\n"
-  "; the following rules should be removed when printing and\n"
-  "; opening a file from disk are brokered through the main process\n"
-  "  (if (< sandbox-level 2)\n"
+  "; level 1: global read access permitted, no home write access\n"
+  "  (if (= sandbox-level 1)\n"
+  "    (begin\n"
+  "      (allow file-read*)\n"
+  "      (allow file-write* (require-not (subpath home-path)))))\n"
+  "\n"
+  "; level 2: global read access permitted, no home write access,\n"
+  ";          no read/write access to ~/Library,\n"
+  ";          no read/write access to $PROFILE,\n"
+  ";          read access permitted to $PROFILE/{extensions,weave}\n"
+  "  (if (= sandbox-level 2)\n"
   "    (if (not (zero? hasProfileDir))\n"
-  "      (allow file*\n"
-  "          (require-all\n"
+  "      ; we have a profile dir\n"
+  "      (begin\n"
+  "        (allow file-read* (require-all\n"
   "              (require-not (home-subpath \"/Library\"))\n"
   "              (require-not (subpath profileDir))))\n"
-  "      (allow file*\n"
-  "          (require-not (home-subpath \"/Library\"))))\n"
-  "    (allow file*\n"
-  "        (require-all\n"
-  "            (subpath home-path)\n"
-  "            (require-not\n"
-  "                (home-subpath \"/Library\")))))\n"
+  "        (allow file-write* (require-all\n"
+  "              (require-not (subpath home-path))\n"
+  "              (require-not (subpath profileDir))))\n"
+  "        (allow file-read*\n"
+  "              (profile-subpath \"/extensions\")\n"
+  "              (profile-subpath \"/weave\")))\n"
+  "      ; we don't have a profile dir\n"
+  "      (begin\n"
+  "        (allow file-read*\n"
+  "              (require-not (home-subpath \"/Library\")))\n"
+  "        (allow file-write* (require-all\n"
+  "              (require-not (subpath home-path)))))))\n"
   "\n"
   "; accelerated graphics\n"
   "  (allow-shared-preferences-read \"com.apple.opengl\")\n"