[Mac] Enable level 3 Mac content sandbox, removing filesystem read access

RESOLVED FIXED in Firefox 56

Status

Type: defect
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 16 days ago

People

(Reporter: haik, Assigned: haik)

Tracking

(Depends on 1 bug, Blocks 1 bug)

Version: 53 Branch
Target Milestone: mozilla56
Platform: Unspecified, macOS
Points:
---

Firefox Tracking Flags

(firefox53 affected, firefox56 fixed)

Details

(Whiteboard: sbmc2)

Attachments

(1 attachment)

(Assignee)

Description

2 years ago
This bug covers the changes to remove file system read access from web content processes on Mac. With bug 1147911 fixed in Nightly, file:// URIs are handled by a separate process and the content process shouldn't need read access to the home directory. This work should be limited to Nightly for now and be easily reverted with prefs.
(Assignee)

Updated

2 years ago
Assignee: nobody → haftandilian
Depends on: 1147911
Whiteboard: sbmc2

Comment 1

2 years ago
Just to clarify, this means disallowing an open(), correct?  If we already have an fd it will still be readable, right?
(Assignee)

Comment 2

2 years ago
(In reply to Ben Kelly [:bkelly] from comment #1)
> Just to clarify, this means disallowing an open() correct?

It means disallowing an open() call depending on the path. The open() syscall won't be blocked completely. We'll still need to allow open() for reading in some directories like $PROFILE/extensions for now. The main benefit will be blocking open(READ) calls for files in the home directory including sensitive parts of the profile. With 52+, we're already blocking open(WRITE) calls for most of the home directory.

> If we already have a fd it will still be readable, right?

Yes, that should continue to work, but if you have a test case, let me know.

Comment 3

2 years ago
(In reply to Haik Aftandilian [:haik] from comment #2)
> > If we already have a fd it will still be readable, right?
> 
> Yes, that should continue to work, but if you have a test case, let me know.

IndexedDB and Cache API do this extensively.  You can run mochitests in dom/cache.
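To make the policy in comments 2 and 3 concrete, here is an added example of a level-3-style rule set in Apple's sandbox profile language (SBPL). It is not Firefox's actual content sandbox profile and is not taken from this bug's patch; the parameter names HOME_PATH, PROFILE_DIR and TMP_DIR are assumptions that the launcher must supply (for instance via `sandbox-exec -D NAME=value`). It has the deny-list shape this bug lands (allow by default, then deny), which is the shape comment 5 says a later level would replace with a whitelist built on `(deny default)`.

```scheme
;; Added example, not Firefox's own profile. HOME_PATH, PROFILE_DIR and
;; TMP_DIR are assumed parameter names supplied by whoever applies the
;; profile (sandbox-exec -D, or the sandbox init API with parameters).
(version 1)

;; Deny-list shape: everything is permitted unless a later rule denies it.
;; In SBPL the last matching rule wins, which is what lets the narrower
;; (allow ...) rules further down punch holes in the broad denials.
(allow default)

;; The level-3 change: open() for reading is refused under the home
;; directory, /Users and /Volumes. That covers the sensitive parts of the
;; profile (cookies, logins, history) and anything on mounted volumes.
(deny file-read* (subpath (param "HOME_PATH")))
(deny file-read* (subpath "/Users"))
(deny file-read* (subpath "/Volumes"))

;; Re-allow the directories the content process still has to read for
;; now, e.g. $PROFILE/extensions as comment 2 describes.
(allow file-read*
  (subpath (string-append (param "PROFILE_DIR") "/extensions")))

;; Writes were already restricted at level 2: keep the home directory
;; unwritable and hand the process a scratch directory instead.
(deny file-write* (subpath (param "HOME_PATH")))
(allow file-write* (subpath (param "TMP_DIR")))

;; Log every denial to the system log so rule mistakes show up while testing.
(debug deny)
```

Save it as, say, `level3.sb` and test it from a shell with `sandbox-exec -D HOME_PATH="$HOME" -D PROFILE_DIR="$HOME/Library/Application Support/Firefox/Profiles/<profile>" -D TMP_DIR="$TMPDIR" -f level3.sb /bin/cat "$HOME/.bash_history"`; with the profile applied the `cat` should fail with "Operation not permitted", while the same command against a file under the extensions directory succeeds. Do run such a check rather than trusting a reading of the rules: precedence between overlapping `(deny ...)` and `(allow ...)` rules, and the difference between `subpath` and `literal`, are easy to get wrong. As comments 2 and 3 note, these rules are enforced when a file is opened; a descriptor that was already open before the profile was applied, or that was handed to the process over IPC, keeps working, which is what IndexedDB and the Cache API rely on.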
(Assignee)

Updated

2 years ago
Depends on: 1334550
(Assignee)

Updated

2 years ago
Depends on: 1340351
(Assignee)

Updated

2 years ago
Depends on: 1294641
(Assignee)

Updated

2 years ago
Depends on: 1356324
(Assignee)

Updated

2 years ago
Depends on: 1357846
(Assignee)

Updated

2 years ago
Depends on: 1360223
Depends on: 1363179
(Assignee)

Updated

2 years ago
Depends on: 1374557
(Assignee)

Updated

2 years ago
Summary: [Mac] Remove file system read access from content sandbox when separate file process in use → [Mac] Enable level 3 Mac content sandbox, removing read access to /Users, /Volumes, and more

Comment 4

2 years ago
:haik, FYI I think as a result of needing to really fix mochitests, we'll be able to switch to whitelisting entirely. I'll keep that as a separate review though!
(Assignee)

Comment 5

2 years ago
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #4)
> :haik, FYI I think as a result of needing to really fix mochitests, we'll be
> able to switch to whitelisting entirely. I'll keep that as a separate review
> though!

That's great. I don't know what the patches look like, but I'm expecting it will require significant refactoring of the policies so I'd like to land level 3 and then move to the whitelist. Maybe it would make sense to do it in level 4.
(Assignee)

Updated

2 years ago
Depends on: 1377355
(Assignee)

Updated

2 years ago
Depends on: 1377128
(Assignee)

Updated

2 years ago
No longer depends on: 1377128

Comment 7

2 years ago
mozreview-review
Comment on attachment 8882699 [details]
Bug 1332190 - [Mac] Enable level 3 Mac content sandbox, removing filesystem read access.

https://reviewboard.mozilla.org/r/153780/#review158964

LGTM! Good to land once the blockers are landed!
Attachment #8882699 - Flags: review?(agaynor) → review+
(Assignee)

Updated

2 years ago
Summary: [Mac] Enable level 3 Mac content sandbox, removing read access to /Users, /Volumes, and more → [Mac] Enable level 3 Mac content sandbox, removing filesystem read access

Comment 9

2 years ago
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6b101438c684
[Mac] Enable level 3 Mac content sandbox, removing filesystem read access. r=Alex_Gaynor

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6b101438c684
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
See Also: → 1380402
No longer depends on: 1380148

Updated

2 years ago
See Also: → 1383915
Depends on: 1382260

Updated

2 years ago
Depends on: 1391186
Depends on: 1393805
Depends on: 1421262
Depends on: 1404298
Depends on: 1437281
Depends on: 1448374
Depends on: 1452278
Depends on: 1446549
(Assignee)

Updated

10 months ago
Depends on: 1469657
(Assignee)

Updated

16 days ago
Depends on: 1542385
(Assignee)

Updated

16 days ago
No longer depends on: 1542385