Closed Bug 1307573 Opened 8 years ago Closed 8 years ago

Remove unused system.sb mach-lookups from OS X content sandbox

Categories

(Core :: Security: Process Sandboxing, defect)

Product:
Core
Component:
Security: Process Sandboxing
Version:
51 Branch
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- fixed

People

(Reporter: haik, Assigned: haik)

References

Details

(Whiteboard: sbmc2)

Attachments

(1 file)

Bug 1307573 - Remove unused system.sb mach-lookups from OS X content sandbox;
58 bytes, text/x-review-board-request
jimm
: review+
Details 
The following rules mach-lookup rules don't appear to be needed. These rules are part of /System/Library/Sandbox/Profiles/system.sb which used to be included in the content sandbox rules via an import. Bug 1272772 moved these rules inline. A try run with the allow's removed from the content sandbox didn't turn up any issues.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=69fc687a610ed43a0361cd1cbfd1a61e3798573b

I'm also testing by browsing with the allow's removed and monitoring the system logs for sandbox rejections this might cause.

  (allow mach-lookup
       (global-name "com.apple.appsleep")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.cfprefsd.agent")
       (global-name "com.apple.cfprefsd.daemon")
       (global-name "com.apple.diagnosticd")
       (global-name "com.apple.espd")
       (global-name "com.apple.secinitd")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center")
       (global-name "com.apple.system.opendirectoryd.libinfo")
       (global-name "com.apple.system.opendirectoryd.membership")
       (global-name "com.apple.trustd")
       (global-name "com.apple.trustd.agent")
       (global-name "com.apple.xpc.activity.unmanaged")
       (global-name "com.apple.xpcd")
       (local-name "com.apple.cfprefsd.agent"))

com.apple.appsleep may be related to a power saving feature, but so far I'm yet to see the firefox or plugin-containers attempt to perform the mach-lookup.
Assignee: nobody → haftandilian
Whiteboard: sb? sbmc2
Whiteboard: sb? sbmc2 → sbmc2
With these removed, I've seen the following log entries show up in the OS X console app running El Capitan (10.11), but not on Sierra (10.12).

  plugin-container(68774) deny mach-lookup com.apple.system.opendirectoryd.membership
  plugin-container(68774) deny mach-lookup com.apple.bsd.dirhelper

I haven't seen new debug messages or errors on the command line.
Comment on attachment 8799054 [details]
Bug 1307573 - Remove unused system.sb mach-lookups from OS X content sandbox;

https://reviewboard.mozilla.org/r/84344/#review83194
Attachment #8799054 - Flags: review?(jmathies) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/f6b04b718e50
Remove unused system.sb mach-lookups from OS X content sandbox; r=jimm
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/f6b04b718e50
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Depends on: 1312273
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: