Closed Bug 1322370 Opened 5 years ago Closed 5 years ago

Disable camera access in the Mac content sandbox

Categories

(Core :: Security: Process Sandboxing, defect)

53 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: haik, Assigned: haik)

Details

(Whiteboard: sbmc2)

Attachments

(1 file)

With the fix for bug 1104616 the content process should not need web camera access. This fix is to remove the camera allowance in the Mac sandbox rules. With the "(allow device-camera)" rule removed, try unit tests passed and talky.io appeared to work as before. I'm working on a method to validate that this change does indeed prevent content from accessing the camera.
Assignee: nobody → haftandilian
Whiteboard: sbmc2
For validation, I added a test to the work I'm doing (not integrated yet) on bug 1309394 that loads a Mac .dylib file and executes an exported function that returns the number of available cameras. (See the AVFoundation Programming Guide on https://developer.apple.com.)

    #import <AVFoundation/AVFoundation.h>

    // Exported from the test dylib: count the capture devices that offer video.
    int GetNumberOfCameras(void) {
        int numCameras = 0;

        NSArray *devices = [AVCaptureDevice devices];
        for (AVCaptureDevice *device in devices) {
            if ([device hasMediaType:AVMediaTypeVideo]) {
                numCameras++;
            }
        }

        return numCameras;
    }

Without the change to the sandbox policy, the function returns 1 on my MacBook equipped with a front facing camera. With the change to remove camera permission from the sandbox, the function returns 0--no cameras found.

I haven't done the plumbing yet to build the dylib for the test execution, but I'm planning to move forward with this fix first.
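An added stand-alone harness (not the attachment on this bug or code from the Firefox tree) that reproduces the check from comment 2 without a dylib: it applies a constructed Seatbelt profile string to itself with sandbox_init() and then counts video capture devices. Firefox's content profile is deny-by-default with explicit allowances, so removing "(allow device-camera)" there has the same effect as the explicit "(deny device-camera)" used here to isolate that one operation; the profiles, the `allow|deny` argument and the assumption that the OS still accepts sandbox_init() profile strings are all mine.

```objective-c
// Build: clang -framework Foundation -framework AVFoundation -o camcheck camcheck.m
// Run:   ./camcheck allow    (camera operation permitted)
//        ./camcheck deny     (camera operation denied, as after this bug's change)
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
#include <sandbox.h>   // sandbox_init() is deprecated but still available on macOS
#include <stdio.h>
#include <string.h>

// Constructed minimal profiles (not Firefox's ruleset): everything allowed,
// with or without the single camera operation denied.
static const char *kProfileAllow = "(version 1)\n(allow default)\n";
static const char *kProfileDeny  = "(version 1)\n(allow default)\n(deny device-camera)\n";

// Same check as comment 2: count capture devices that offer video.
static int GetNumberOfCameras(void) {
    int numCameras = 0;
    NSArray *devices = [AVCaptureDevice devices];
    for (AVCaptureDevice *device in devices) {
        if ([device hasMediaType:AVMediaTypeVideo]) {
            numCameras++;
        }
    }
    return numCameras;
}

// Apply a Seatbelt profile string to the current process; returns 0 on success.
static int ApplyProfile(const char *profile) {
    char *errorbuf = NULL;
    int rv = sandbox_init(profile, 0, &errorbuf);
    if (rv != 0) {
        fprintf(stderr, "sandbox_init failed: %s\n", errorbuf ? errorbuf : "unknown error");
        if (errorbuf) {
            sandbox_free_error(errorbuf);
        }
    }
    return rv;
}

int main(int argc, char **argv) {
    if (argc != 2 || (strcmp(argv[1], "allow") != 0 && strcmp(argv[1], "deny") != 0)) {
        fprintf(stderr, "usage: %s allow|deny\n", argv[0]);
        return 2;
    }
    const char *profile = strcmp(argv[1], "deny") == 0 ? kProfileDeny : kProfileAllow;
    @autoreleasepool {
        if (ApplyProfile(profile) != 0) {
            return 1;
        }
        // The count is taken only after the profile is in force.
        printf("profile=%s cameras=%d\n", argv[1], GetNumberOfCameras());
    }
    return 0;
}
```

Running both variants on a machine with a built-in camera is the equivalent of the before/after comparison in comment 2; a count that does not drop under the deny profile means the operation is reached through a path the rule does not cover.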
Comment on attachment 8820892 [details]
Bug 1322370 - Disable camera access in the Mac content sandbox;

https://reviewboard.mozilla.org/r/100278/#review101106
Attachment #8820892 - Flags: review+
Keywords: checkin-needed
Pushed by ihsiao@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/159eb0f5dcae
Disable camera access in the Mac content sandbox; r=jimm
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/159eb0f5dcae
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8820892 [details]
Bug 1322370 - Disable camera access in the Mac content sandbox;

Approval Request Comment
[Feature/Bug causing the regression]:
None

[User impact if declined]:
A compromised content process can access 

[Is this code covered by automated tests?]:
No, but that is being worked on.

[Has the fix been verified in Nightly?]:
Yes. 

[Needs manual test from QE? If yes, steps to reproduce]: 
No

[List of other uplifts needed for the feature/fix]:
None

[Is the change risky?]:
Low risk.

[Why is the change risky/not risky?]:
There are no changes to executable code, just the Mac content sandbox ruleset to remove access to the camera. This leverages work already done to proxy camera access through the parent process.

[String changes made/needed]:
None
Attachment #8820892 - Flags: approval-mozilla-aurora?
For testing on Aurora 52, I used the same approach described in comment 2.

Try results for Aurora 52:

  https://treeherder.mozilla.org/#/jobs?repo=try&revision=85f1bede4d2d98e5bf0ac22b601a0d62763d6783
Comment on attachment 8820892 [details]
Bug 1322370 - Disable camera access in the Mac content sandbox;

tighten mac content sandbox, aurora52+
Attachment #8820892 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+