Closed
Bug 1307573
Opened 8 years ago
Closed 8 years ago
Remove unused system.sb mach-lookups from OS X content sandbox
Categories
(Core :: Security: Process Sandboxing, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox52 | --- | fixed |
People
(Reporter: haik, Assigned: haik)
References
Details
(Whiteboard: sbmc2)
Attachments
(1 file)
The following mach-lookup rules don't appear to be needed. These rules are part of /System/Library/Sandbox/Profiles/system.sb which used to be included in the content sandbox rules via an import. Bug 1272772 moved these rules inline.

A try run with the allow's removed from the content sandbox didn't turn up any issues.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=69fc687a610ed43a0361cd1cbfd1a61e3798573b

I'm also testing by browsing with the allow's removed and monitoring the system logs for sandbox rejections this might cause.

    (allow mach-lookup
        (global-name "com.apple.appsleep")
        (global-name "com.apple.bsd.dirhelper")
        (global-name "com.apple.cfprefsd.agent")
        (global-name "com.apple.cfprefsd.daemon")
        (global-name "com.apple.diagnosticd")
        (global-name "com.apple.espd")
        (global-name "com.apple.secinitd")
        (global-name "com.apple.system.DirectoryService.libinfo_v1")
        (global-name "com.apple.system.logger")
        (global-name "com.apple.system.notification_center")
        (global-name "com.apple.system.opendirectoryd.libinfo")
        (global-name "com.apple.system.opendirectoryd.membership")
        (global-name "com.apple.trustd")
        (global-name "com.apple.trustd.agent")
        (global-name "com.apple.xpc.activity.unmanaged")
        (global-name "com.apple.xpcd")
        (local-name "com.apple.cfprefsd.agent"))

com.apple.appsleep may be related to a power saving feature, but so far I'm yet to see the firefox or plugin-containers attempt to perform the mach-lookup.
Updated•8 years ago
Assignee: nobody → haftandilian
Whiteboard: sb? sbmc2
Updated•8 years ago
Whiteboard: sb? sbmc2 → sbmc2
Comment 1•8 years ago
With these removed, I've seen the following log entries show up in the OS X console app running El Capitan (10.11), but not on Sierra (10.12).

    plugin-container(68774) deny mach-lookup com.apple.system.opendirectoryd.membership
    plugin-container(68774) deny mach-lookup com.apple.bsd.dirhelper

I haven't seen new debug messages or errors on the command line.
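The log check described in the description and in comment 1 can be automated. The following is an added example, not code from the bug or from Firefox: it extracts the service names from the removed rule and reports which of them show up in sandbox denials. The log prefix and the non-matching sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rule text as quoted in the bug description.
REMOVED_RULE = """(allow mach-lookup
  (global-name "com.apple.appsleep")
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.cfprefsd.agent")
  (global-name "com.apple.cfprefsd.daemon")
  (global-name "com.apple.diagnosticd")
  (global-name "com.apple.espd")
  (global-name "com.apple.secinitd")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.system.opendirectoryd.libinfo")
  (global-name "com.apple.system.opendirectoryd.membership")
  (global-name "com.apple.trustd")
  (global-name "com.apple.trustd.agent")
  (global-name "com.apple.xpc.activity.unmanaged")
  (global-name "com.apple.xpcd")
  (local-name "com.apple.cfprefsd.agent"))"""

# Constructed sample log: lines 1-2 follow comment 1; the "Sandbox:" prefix
# and lines 3-4 are assumptions added to exercise the filter.
SAMPLE_LOG = """\
Sandbox: plugin-container(68774) deny mach-lookup com.apple.system.opendirectoryd.membership
Sandbox: plugin-container(68774) deny mach-lookup com.apple.bsd.dirhelper
Sandbox: plugin-container(68774) deny file-read-data /constructed/example/path
Sandbox: plugin-container(68774) deny mach-lookup com.example.not-in-removed-rule
"""

NAME_RE = re.compile(r'\((?:global|local)-name "([^"]+)"\)')
DENY_RE = re.compile(r'([\w.-]+)\(\d+\) deny mach-lookup (\S+)')

def removed_services(rule_text):
    """Service names the removed allow rule used to permit."""
    return set(NAME_RE.findall(rule_text))

def regressions(log_text, removed):
    """Map each removed service that was denied to the processes that asked."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group(2) in removed:
            hits[m.group(2)].add(m.group(1))
    return {svc: sorted(procs) for svc, procs in hits.items()}

if __name__ == "__main__":
    found = regressions(SAMPLE_LOG, removed_services(REMOVED_RULE))
    for svc, procs in sorted(found.items()):
        print(f"{svc}: denied for {', '.join(procs)}")
```

Denials for services outside the removed rule are ignored, so the output isolates lookups that the removal itself started blocking.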
Comment hidden (mozreview-request)
Comment 3•8 years ago
mozreview-review
Comment on attachment 8799054 [details] Bug 1307573 - Remove unused system.sb mach-lookups from OS X content sandbox; https://reviewboard.mozilla.org/r/84344/#review83194
Attachment #8799054 - Flags: review?(jmathies) → review+
Updated•8 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/f6b04b718e50 Remove unused system.sb mach-lookups from OS X content sandbox; r=jimm
Keywords: checkin-needed
Comment 5•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f6b04b718e50
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52