Closed Bug 1299329 Opened 3 years ago Closed 3 years ago
Remove printing-related privileges from content process sandbox
58 bytes, text/x-review-board-request
Once bug 1090454 is fixed, we can remove the printing-related privileges from the content process sandbox, reducing the content process attack surface.
Assignee: nobody → haftandilian
Depends on: 1090454
See reviewboard for the patch.

The removal of (allow mach-register) triggers some console sandbox messages on OS X 10.11 (El Capitan) which I don't think are a concern. So far I've tested on 10.12 (Sierra) and 10.11 and got some coverage on 10.10 (Yosemite) via try.

Examples of the sandbox console messages:

9/21/16 9:05:17.815 AM plugin-container: void __CFPasteboardSetup() : Failed to allocate communication port for com.apple.CFPasteboardClient; this is likely due to sandbox restrictions
9/21/16 9:05:44.660 AM sandboxd: () plugin-container(28788) deny mach-register com.apple.axserver (per-pid)
9/21/16 9:05:44.688 AM sandboxd: () plugin-container(28788) deny mach-register com.apple.tsm.portname (per-pid)

The mach-register capability appears to be required for a process (aka mach task) to create a port that is accessible by other tasks. The CFPasteBoardSetup is part of the OS X PasteBoard. I've done manual copy-paste tests of text and some images, and drag-n-drop, and haven't noticed any problems.

I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps will not have the mach-register permission hence it makes sense that OS X libraries would be reworked in Sierra to not trigger these sandbox violations.

On 10.11, the CFPasteBoard warnings are triggered by the following stack from the NSApplication event loop.

Thread 0:
0  libsystem_kernel.dylib  0x00007fff90dfdf72 mach_msg_trap + 10
1  libxpc.dylib            0x00007fff8e1f3b43 xpc_pipe_routine + 249
2  libxpc.dylib            0x00007fff8e1f39de _xpc_interface_routine + 163
3  libxpc.dylib            0x00007fff8e1fa453 bootstrap_register2 + 184
4  CoreFoundation          0x00007fff8ec5d1ea __CFMessagePortCreateLocal + 746
5  CoreFoundation          0x00007fff8ec5ceeb CFMessagePortCreatePerProcessLocal + 27
6  CoreFoundation          0x00007fff8ec5c4c6 CFPasteboardCreate + 1094
7  HIToolbox               0x00007fff98afb5d3 isPrefsGetDefaultAsciiKeyboardLayout + 61
8  HIToolbox               0x00007fff98afb0c9 isPrefsCreateCacheFromEnabledAndDefaultInputSources + 25
9  HIToolbox               0x00007fff98afaa88 islGetInputSourceListWithAdditions + 146
10 HIToolbox               0x00007fff98afa9d5 TSMGetInputSourceCountWithFilteredAdditions + 39
11 HIToolbox               0x00007fff98af9eba TISCreateInputSourceList + 89
12 HIToolbox               0x00007fff98af9b30 SyncHandwritingHotKey + 128
13 HIToolbox               0x00007fff98af8dc9 _FirstEventTime + 1056
14 HIToolbox               0x00007fff98af887b RunCurrentEventLoopInMode + 49
15 HIToolbox               0x00007fff98af8677 ReceiveNextEventCommon + 184
16 HIToolbox               0x00007fff98af85af _BlockUntilNextEventMatchingListInModeWithFilter + 71
17 AppKit                  0x00007fff94e46df6 _DPSNextEvent + 1067
18 AppKit                  0x00007fff94e46226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
19 XUL                     0x00000001120d56b2 -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 82 (nsAppShell.mm:121)

1. https://treeherder.mozilla.org/#/jobs?repo=try&revision=df8e88d8ae3f6fd4b0193b038b149e5e138ebf6c&selectedJob=27747050
2. https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/PasteboardGuide106/Articles/pbGettingStarted.html#//apple_ref/doc/uid/TP40008150-SW1
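When a privilege such as mach-register is dropped from a sandbox profile, the useful follow-up is to triage the resulting sandboxd denials: which process, which operation, and which mach service was refused. The script below is an added example (not part of the bug or the Firefox tree) that parses Console lines in the OS X 10.11 format quoted in the comment above and groups the denied targets per process and operation; the regex assumes the "(per-pid)" qualifier is optional and that the process name contains only word characters, dots and dashes.

```python
import re
from collections import defaultdict

# Matches sandboxd "deny" lines in the OS X 10.11 Console format quoted in the
# bug, e.g.:
#   9/21/16 9:05:44.660 AM sandboxd: () plugin-container(28788) deny mach-register com.apple.axserver (per-pid)
# The trailing parenthesised qualifier is optional (assumption).
DENY_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+\.\d+ [AP]M) sandboxd: \(\) "
    r"(?P<proc>[\w.-]+)\((?P<pid>\d+)\) deny (?P<op>[\w-]+) (?P<target>\S+)"
    r"(?: \((?P<qual>[^)]*)\))?\s*$"
)


def parse_deny(line):
    """Return a dict for a sandboxd deny line, or None for any other line
    (e.g. the __CFPasteboardSetup warning emitted by plugin-container itself)."""
    m = DENY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(lines):
    """Group denials by (process, operation) -> sorted list of denied targets,
    so a reviewer can see at a glance which services a profile change cut off."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            groups[(rec["proc"], rec["op"])].add(rec["target"])
    return {key: sorted(targets) for key, targets in groups.items()}


# Sample input: the three Console lines quoted in comment 2 of the bug.
SAMPLE = [
    "9/21/16 9:05:17.815 AM plugin-container: void __CFPasteboardSetup() : "
    "Failed to allocate communication port for com.apple.CFPasteboardClient; "
    "this is likely due to sandbox restrictions",
    "9/21/16 9:05:44.660 AM sandboxd: () plugin-container(28788) deny mach-register com.apple.axserver (per-pid)",
    "9/21/16 9:05:44.688 AM sandboxd: () plugin-container(28788) deny mach-register com.apple.tsm.portname (per-pid)",
]

if __name__ == "__main__":
    for (proc, op), targets in summarize(SAMPLE).items():
        print(f"{proc} {op}: {', '.join(targets)}")
```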
Comment on attachment 8793399 [details] Bug 1299329 - Remove printing-related privileges from content process sandbox; https://reviewboard.mozilla.org/r/80138/#review79118
Attachment #8793399 - Flags: review?(gpascutto) → review+
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/autoland/rev/f06bf582785b Remove printing-related privileges from content process sandbox; r=gcp
(In reply to Haik Aftandilian [:haik] from comment #2)
> I don't see these messages on Sierra. Apparently macOS Sierra sandboxed apps
> will not have the mach-register permission hence it makes sense that OS X
> libraries would be reworked in Sierra to not trigger these sandbox
> violations.

Tests I ran today on Sierra 10.12 (first official release) are now showing the tsm.portname sandbox violation in the Console so I'll look into ways we might prevent these messages in the console. I don't know why I didn't see them before. It could be that the behavior of the Console.app changed (it has changed significantly in Sierra), the OS changed, or I just didn't notice them.
Mark 51 as fix-optional. If it's worth uplifting to 51, feel free to nominate it.
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
[Tracking Requested - why for this release]: Remote printing on Mac is already enabled in 51 (due to 1228022 being fixed in 51) and so the privileges being removed here are not needed in 51. This is part of the work required for our level=1 Mac content sandbox and is worth uplifting to get us closer to release given it is relatively low risk. This fix does trigger some warnings in the terminal when Firefox is run from the command line (bug 1306663).
Due to bug 1310165 emerging, I'd like to cancel the uplift request for build 51. Gerry, could you minus this for build 51?