Closed Bug 1314056 Opened 4 years ago Closed 3 years ago

Enable Mac content sandbox level 1 in 52

Categories

(Core :: Security: Process Sandboxing, defect)

52 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla53
Tracking Status
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: haik, Assigned: haik)

Details

(Whiteboard: sbmc1)

Attachments

(1 file)

This bug covers enabling the Mac content sandbox with level 1 (security.sandbox.content.level=1) in 52. Level 1 removes filesystem write access permission to the majority of the filesystem including the user's home directory. At present, Nightly uses the Mac level 2 sandbox which includes these write access limits.
Depends on: 1310165
Whiteboard: sbmc1
Assignee: nobody → haftandilian
Depends on: 1315121
Depends on: 1317801
Comment on attachment 8811532 [details]
Bug 1314056 - Enable Mac content sandbox level 1 in 52;

https://reviewboard.mozilla.org/r/93610/#review93876
Attachment #8811532 - Flags: review?(gpascutto) → review+
Adding needinfo? to glandium for the old-configure.in change.
Flags: needinfo?(mh+mozilla)
Comment on attachment 8811532 [details]
Bug 1314056 - Enable Mac content sandbox level 1 in 52;

https://reviewboard.mozilla.org/r/93610/#review94144
Attachment #8811532 - Flags: review+
Flags: needinfo?(mh+mozilla)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/bce473db20d7
Enable Mac content sandbox level 1 in 52; r=gcp,glandium
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/bce473db20d7
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8811532 [details]
Bug 1314056 - Enable Mac content sandbox level 1 in 52;

Approval Request Comment
[Feature/regressing bug #]: Mac content sandbox level 1 (improved security)

[User impact if declined]: Users won't have a content sandbox on Mac in build 52. This first iteration of the Mac sandbox blocks web content processes from writing to most filesystem locations.

[Describe test coverage new/current, TreeHerder]: Enabled on central since early October via bug 1306508.

[Risks and why]: Regresses printing, or for some unforeseen reason the content process is dependent on writing to filesystem locations that are blocked.

[String/UUID change made/needed]: None
Attachment #8811532 - Flags: approval-mozilla-aurora?
Comment on attachment 8811532 [details]
Bug 1314056 - Enable Mac content sandbox level 1 in 52;

mac content sandbox, take in aurora52 (together with bug 1317801)
Attachment #8811532 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+