Closed
Bug 1201935
Opened 9 years ago
Closed 9 years ago
MacOS sandbox breaks WebExtension tests
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: billm, Assigned: jld)
Details
Attachments
(1 file, 2 obsolete files)
2.18 KB,
patch
|
jld
:
review+
|
Details | Diff | Splinter Review |
Until we remote resource, chrome, and moz-extension URIs, it is not acceptable to prevent read access of files in the content process. It is not uncommon for add-on developers to locate their add-ons in places that are not part of the profile. The current sandbox breaks this. Right now this is breaking WebExtension tests. I'm going to have to disable them on MacOS. However, we should fix the sandbox rules.
https://hg.mozilla.org/mozilla-central/rev/3be72de9ac6a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Reporter | ||
Updated•9 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 3•9 years ago
|
||
I'll probably regret taking this bug, but it looks like a simple patch, and we could use a little more “bus factor” for Mac sandboxing.
Assignee: nobody → jld
Assignee | ||
Comment 4•9 years ago
|
||
I can't reproduce this locally (10.10.5), so I'll have to test with Try pushes. For reference, the current default setting of the Mac sandbox prevents access to files in ~/Library (with a few exceptions, like the browser profile) and otherwise allows full read/write.
OS: Unspecified → Mac OS X
Reporter | ||
Comment 5•9 years ago
|
||
Thanks Jed. Here's a sample failure: https://treeherder.mozilla.org/logviewer.html#?job_id=13682808&repo=mozilla-inbound The test creates a zip file in TmpD and then tries to access it in the content process via a moz-extension: URI (which is similar to resource:). Maybe TmpD is returning something in ~/Library?
Assignee | ||
Comment 6•9 years ago
|
||
(In reply to Jed Davis [:jld] {UTC-7} from comment #4) > I can't reproduce this locally (10.10.5) …because I forgot to test with --e10s. (It's the default for running the browser now, but not the default for testing. Oops.) Anyway, TmpD is ~/Library/Caches/TemporaryItems (it's obtained via an OS API, but that's what it is empirically), which isn't whitelisted; bug 1190032 added one particular subdirectory, and this is not it. So, for this bug it should suffice to allow reading from TmpD.
Assignee | ||
Comment 7•9 years ago
|
||
This patch also backs out the earlier patch to the test config. It's worth mentioning that opening files from TemporaryItems is broken without this patch, and that might be something users would actually do — and adjusting SubstitutingProtocolHandler won't fix that.
Attachment #8658865 -
Flags: review?(smichaud)
Attachment #8658865 -
Flags: feedback?(wmccloskey)
Comment 8•9 years ago
|
||
Comment on attachment 8658865 [details] [diff] [review] Patch: whitelist reading from TemporaryItems I can't comment on backing out the previous patch. But the change to security/sandbox/mac/Sandbox.mm looks fine to me. In principal one might worry about our code being able to change temporary directories and files created by other apps ... but lets save that for later.
Attachment #8658865 -
Flags: review?(smichaud) → review+
Comment 9•9 years ago
|
||
Comment on attachment 8658865 [details] [diff] [review] Patch: whitelist reading from TemporaryItems > whitelist reading from TemporaryItems Note that this patch allows both reading and writing to TemporaryItems, to any of its subdirectories, and to any of the items in it.
Comment 10•9 years ago
|
||
> and to any of the items in it
and to any of the items in them
Reporter | ||
Comment 11•9 years ago
|
||
Comment on attachment 8658865 [details] [diff] [review] Patch: whitelist reading from TemporaryItems Review of attachment 8658865 [details] [diff] [review]: ----------------------------------------------------------------- I still think we should just allow read access to the entire file system. But this fixes the immediate problem.
Attachment #8658865 -
Flags: feedback?(wmccloskey) → feedback+
Assignee | ||
Comment 12•9 years ago
|
||
(In reply to Steven Michaud [:smichaud] from comment #9) > Note that this patch allows both reading and writing to TemporaryItems, to > any of its subdirectories, and to any of the items in it. Indeed it does, and that's not quite what I meant. I'll update the patch. (In reply to Bill McCloskey (:billm) from comment #11) > I still think we should just allow read access to the entire file system. I'd tend to agree, but at the same time this isn't my normal area so I'm trying to tread lightly.
Assignee | ||
Comment 13•9 years ago
|
||
Attachment #8658865 -
Attachment is obsolete: true
Attachment #8658929 -
Flags: review?(smichaud)
Comment 14•9 years ago
|
||
Comment on attachment 8658929 [details] [diff] [review] Patch: whitelist reading (and only reading) from TemporaryItems Looks fine to me. And yes, this one only allows reading.
Attachment #8658929 -
Flags: review?(smichaud) → review+
Assignee | ||
Comment 15•9 years ago
|
||
Sorry about losing track of this bug. The patch needed some rebasing, but nothing major, so I'm carrying over r+ (but re-running Try).
Attachment #8658929 -
Attachment is obsolete: true
Attachment #8671010 -
Flags: review+
Assignee | ||
Comment 16•9 years ago
|
||
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f3c3a1b26874 (failures are empty test runs from |mach try|); also did https://treeherder.mozilla.org/#/jobs?repo=try&revision=2e079417e80f because of some confusion over what does/doesn't get run for Mac e10s.
Keywords: checkin-needed
Comment 17•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ca9e63379f6a
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/ca9e63379f6a
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: mozilla43 → mozilla44
You need to log in
before you can comment on or make changes to this bug.
Description
•