In order to enable a security hardening feature that prevents injection of libraries using dyld environment variables such as DYLD_INSERT_LIBRARIES, we need to change how Mac child processes (which use the plugin-container executable) load libraries. Today, we launch child processes with DYLD_LIBRARY_PATH set to the directory containing the firefox executable. Without DYLD_LIBRARY_PATH, plugin-container can't load XUL, libnss3.dylib, or other dylibs in the main bundle directory because plugin-container's load paths use @executable_path/<dylib> when then need to use @executable_path/../../../<dylib>. And the dylibs themselves that have dependent dylibs also use @executable_path. This needs to be changed to use @loader_path. Directory structure: ``` $ find Firefox.app -type f |grep -E '(dylib$|XUL$|firefox$|plugin-container$)' Firefox.app/Contents/MacOS/firefox Firefox.app/Contents/MacOS/libfreebl3.dylib Firefox.app/Contents/MacOS/liblgpllibs.dylib Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container Firefox.app/Contents/MacOS/libsoftokn3.dylib Firefox.app/Contents/MacOS/XUL Firefox.app/Contents/MacOS/libosclientcerts.dylib Firefox.app/Contents/MacOS/libmozavutil.dylib Firefox.app/Contents/MacOS/libmozglue.dylib Firefox.app/Contents/MacOS/libipcclientcerts.dylib Firefox.app/Contents/MacOS/libmozavcodec.dylib Firefox.app/Contents/MacOS/libnssckbi.dylib Firefox.app/Contents/MacOS/libnss3.dylib Firefox.app/Contents/Resources/gmp-clearkey/0.1/libclearkey.dylib ``` plugin-container loader paths: (needs changes to use @executable_path/../../../<dylib>) ``` $ otool -arch arm64 -L Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container: @executable_path/libnss3.dylib (compatibility version 1.0.0, current version 1.0.0) @executable_path/XUL (compatibility version 1.0.0, current version 1.0.0) @executable_path/libmozglue.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 904.4.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0) ``` libnss3.dylib loader paths: (needs changes to use @loader_path/<dylib>) ``` $ otool -arch arm64 -L Firefox.app/Contents/MacOS/libnss3.dylib Firefox.app/Contents/MacOS/libnss3.dylib: @executable_path/libnss3.dylib (compatibility version 1.0.0, current version 1.0.0) @executable_path/libmozglue.dylib (compatibility version 1.0.0, current version 1.0.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 1122.4.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0) ```
Bug 1770484 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
In order to enable a security hardening feature (bug 1562756) that prevents injection of libraries using dyld environment variables such as DYLD_INSERT_LIBRARIES, we need to change how Mac child processes (which use the plugin-container executable) load libraries. Today, we launch child processes with DYLD_LIBRARY_PATH set to the directory containing the firefox executable. Without DYLD_LIBRARY_PATH, plugin-container can't load XUL, libnss3.dylib, or other dylibs in the main bundle directory because plugin-container's load paths use @executable_path/<dylib> when then need to use @executable_path/../../../<dylib>. And the dylibs themselves that have dependent dylibs also use @executable_path. This needs to be changed to use @loader_path. Directory structure: ``` $ find Firefox.app -type f |grep -E '(dylib$|XUL$|firefox$|plugin-container$)' Firefox.app/Contents/MacOS/firefox Firefox.app/Contents/MacOS/libfreebl3.dylib Firefox.app/Contents/MacOS/liblgpllibs.dylib Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container Firefox.app/Contents/MacOS/libsoftokn3.dylib Firefox.app/Contents/MacOS/XUL Firefox.app/Contents/MacOS/libosclientcerts.dylib Firefox.app/Contents/MacOS/libmozavutil.dylib Firefox.app/Contents/MacOS/libmozglue.dylib Firefox.app/Contents/MacOS/libipcclientcerts.dylib Firefox.app/Contents/MacOS/libmozavcodec.dylib Firefox.app/Contents/MacOS/libnssckbi.dylib Firefox.app/Contents/MacOS/libnss3.dylib Firefox.app/Contents/Resources/gmp-clearkey/0.1/libclearkey.dylib ``` plugin-container loader paths: (needs changes to use @executable_path/../../../<dylib>) ``` $ otool -arch arm64 -L Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container: @executable_path/libnss3.dylib (compatibility version 1.0.0, current version 1.0.0) @executable_path/XUL (compatibility version 1.0.0, current version 1.0.0) @executable_path/libmozglue.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 904.4.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0) ``` libnss3.dylib loader paths: (needs changes to use @loader_path/<dylib>) ``` $ otool -arch arm64 -L Firefox.app/Contents/MacOS/libnss3.dylib Firefox.app/Contents/MacOS/libnss3.dylib: @executable_path/libnss3.dylib (compatibility version 1.0.0, current version 1.0.0) @executable_path/libmozglue.dylib (compatibility version 1.0.0, current version 1.0.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 1122.4.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1292.0.0) ```