Closed Bug 1306508 Opened 8 years ago Closed 8 years ago

Whitelist the OS X $TMPDIR and reduce content process write access further

Categories: Core :: Security: Process Sandboxing (defect)
Version: 51 Branch
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Target Milestone: mozilla52
Tracking Status: firefox52 --- fixed

People: Reporter: haik, Assigned: haik

Whiteboard: sbmc2

Attachments: 1 file

As a follow-up to bug 1284588 where we added rules blocking the content sandbox from writing to the $HOME directory, we could extend this write blocking further by whitelisting the OS X $TMPDIR. We need $TMPDIR for now due to 1303987.

The sandbox rules added in 1284588 allow writes as long as they are not in the $HOME directory. Any other paths that the OS allows the user to write to are permitted (with a few exceptions).

Instead of this inverted "not" in the $HOME rule, we could allow writes to $TMPDIR. Other paths not explicitly blocked would then be allowed.

We could also move NS_APP_CONTENT_PROCESS_TEMP_DIR to a directory within $TMPDIR such as $TMPDIR/org.mozilla.firefox/Temp-{<UUID>} instead of ~/Library/Caches/TemporaryItems/Temp-{<UUID>}. The benefits would be 1) it removes the one writable directory in $HOME and 2) $TMPDIR is the more Mac-friendly place to store temporary files. $TMPDIR is the same as DARWIN_USER_TEMP_DIR documented in confstr(3):

Per CONFSTR(3),

     _CS_DARWIN_USER_TEMP_DIR
             Provides the path to a user's temporary items directory. The
             directory will be created if it does not already exist. This
             directory is created with access permissions of 0700 and
             restricted by the umask(2) of the calling process and is a good
             location for temporary files.

             By default, files in this location may be cleaned (removed) by
             the system if they are not accessed in 3 days.
Assignee: nobody → haftandilian
Whiteboard: sbmc2
See Also: → 1284588
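The following is an added model of the two rule shapes discussed above (it is not code from this bug or from Firefox's sandbox profile): the bug 1284588 rule that permits writes anywhere outside $HOME, and the proposed rule that permits writes only under $TMPDIR, with the DEBUG-only /private/var/folders/ regex from the review. The $HOME, $TMPDIR and sample paths are constructed; the model also shows why subpath matching must be component-wise and aware of the macOS /var -> /private/var symlink.

```python
import os.path
import re

# Constructed sample values for this model; real $HOME and $TMPDIR differ per user.
HOME = "/Users/haik"
TMPDIR = "/var/folders/x7/abc123xyz/T"   # the shape macOS gives $TMPDIR

# Regex from the DEBUG-only rule in the posted review.
DEBUG_FOLDERS_RE = re.compile(r"^/private/var/folders/[^/][^/]/")


def canonical(path):
    """Collapse '..' segments and resolve the /var -> /private/var symlink
    so a rule written against /private/var/... also covers $TMPDIR."""
    path = os.path.normpath(path)
    if path == "/var" or path.startswith("/var/"):
        path = "/private" + path
    return path


def is_subpath(path, root):
    """Component-wise containment: /Users/haik2 is not under /Users/haik,
    which a plain startswith() test would get wrong."""
    path, root = canonical(path), canonical(root)
    return path == root or path.startswith(root + "/")


def home_block_allows_write(path):
    """Rule shape from bug 1284588: writes allowed unless the path is in $HOME."""
    return not is_subpath(path, HOME)


def tmpdir_allow_allows_write(path, debug=False):
    """Rule shape proposed here: writes denied unless under $TMPDIR;
    DEBUG builds additionally allow the /private/var/folders/XX/ regex."""
    if is_subpath(path, TMPDIR):
        return True
    return debug and DEBUG_FOLDERS_RE.match(canonical(path)) is not None


def compare(paths):
    """Return {path: (home_block_result, tmpdir_allow_result)} to show
    where the two rule shapes differ for a set of write targets."""
    return {p: (home_block_allows_write(p), tmpdir_allow_allows_write(p))
            for p in paths}
```

Paths such as /Users/Shared or a sibling user's directory come out (True, False): writable under the $HOME block, denied under the $TMPDIR allow rule.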
The posted reviewboard adds a rule allowing write access to files under /private/var/folders/[^/][^/]/ to the content process in DEBUG mode only. This allows leaktest to work and lets us reduce the write access of the content process further as described in the description.
Comment on attachment 8800908 [details]
Bug 1306508 - Whitelist /private/var/folders/ in DEBUG and reduce content process write access further;

https://reviewboard.mozilla.org/r/85718/#review85156
Attachment #8800908 - Flags: review?(gpascutto) → review+
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a879c89b5446
Whitelist /private/var/folders/ in DEBUG and reduce content process write access further; r=gcp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/a879c89b5446
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52