[Mac] Enable level 3 Mac content sandbox, removing filesystem read access

RESOLVED FIXED in Firefox 56

Status

defect
RESOLVED FIXED
2 years ago
2 months ago

People

(Reporter: haik, Assigned: haik)

Tracking

(Depends on 1 bug, Blocks 1 bug)

Version: 53 Branch
Target Milestone: mozilla56
Platform: Unspecified
OS: macOS
Points: ---

Firefox Tracking Flags

(firefox53 affected, firefox56 fixed)

Details

(Whiteboard: sbmc2)

Attachments

(1 attachment)

Description

2 years ago
This bug covers the changes to remove file system read access from web content processes on Mac. With bug 1147911 fixed in Nightly, file:// URIs are handled by a separate process and the content process shouldn't need read access to the home directory. This work should be limited to Nightly for now and be easily reverted with prefs.
Updated

2 years ago
Assignee: nobody → haftandilian
Depends on: 1147911
Whiteboard: sbmc2

Comment 1

Just to clarify, this means disallowing an open(), correct?  If we already have a fd it will still be readable, right?
Comment 2

2 years ago
(In reply to Ben Kelly [:bkelly] from comment #1)
> Just to clarify, this means disallowing an open() correct?

It means disallowing an open() call depending on the path. The open() syscall won't be blocked completely. We'll still need to allow open() for reading in some directories like $PROFILE/extensions for now. The main benefit will be blocking open(READ) calls for files in the home directory including sensitive parts of the profile. With 52+, we're already blocking open(WRITE) calls for most of the home directory.

> If we already have a fd it will still be readable, right?

Yes, that should continue to work, but if you have a test case, let me know.

Comment 3

(In reply to Haik Aftandilian [:haik] from comment #2)
> > If we already have a fd it will still be readable, right?
> 
> Yes, that should continue to work, but if you have a test case, let me know.

IndexedDB and Cache API do this extensively.  You can run mochitests in dom/cache.
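As an added illustration (not Firefox's own sandbox profile), the path-dependent open() policy described in comment 2 could be expressed in macOS SBPL like this; the HOME_PATH and PROFILE_DIR parameter names and the "storage" subdirectory are assumptions.

```scheme
;; Illustrative macOS Seatbelt profile (added example, not Firefox's actual policy).
;; Parameters are supplied by the launching process, for instance:
;;   sandbox-exec -D HOME_PATH="$HOME" -D PROFILE_DIR=<profile> -f content.sb <cmd>
;; HOME_PATH and PROFILE_DIR are assumed parameter names.
(version 1)

;; Deny everything not explicitly allowed. With no read rule for home-path,
;; this is what removes read access to /Users, /Volumes and the rest of the
;; filesystem; it is enforced when open() is called, not on descriptors the
;; process already holds or receives over IPC (see comment 2).
(deny default)

(define home-path (param "HOME_PATH"))
(define profile-dir (param "PROFILE_DIR"))

;; The content process still has to load system libraries and frameworks.
;; Non-file operations it also needs (mach-lookup, sysctl-read, ipc) are
;; omitted here to keep the example focused on file access.
(allow file-read*
  (subpath "/usr/lib")
  (subpath "/System/Library"))

;; The one read exception kept at level 3: the profile's extensions
;; directory. Nothing else under home-path is readable, so the sensitive
;; parts of the profile (cookies, logins, history) stay out of reach.
(allow file-read*
  (subpath (string-append profile-dir "/extensions")))

;; Writes were already confined to a few directories before level 3; keep
;; them limited to the profile's storage area (assumed subdirectory name).
(allow file-write*
  (subpath (string-append profile-dir "/storage")))
```

Ordering matters when a profile mixes broad and narrow rules: in SBPL the last matching rule wins, so a narrow allow placed after a broad deny for the same operation takes effect, while the reverse order silently reopens the path.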
Updated

2 years ago
Depends on: 1334550
Updated

2 years ago
Depends on: 1340351
Updated

2 years ago
Depends on: 1294641
Updated

2 years ago
Depends on: 1356324
Updated

2 years ago
Depends on: 1357846
Updated

2 years ago
Depends on: 1360223
Depends on: 1363179
Updated

2 years ago
Depends on: 1374557
Updated

2 years ago
Summary: [Mac] Remove file system read access from content sandbox when separate file process in use → [Mac] Enable level 3 Mac content sandbox, removing read access to /Users, /Volumes, and more

Comment 4

:haik, FYI I think as a result of needing to really fix mochitests, we'll be able to switch to whitelisting entirely. I'll keep that as a separate review though!
Comment 5

2 years ago
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #4)
> :haik, FYI I think as a result of needing to really fix mochitests, we'll be
> able to switch to whitelisting entirely. I'll keep that as a separate review
> though!

That's great. I don't know what the patches look like, but I'm expecting it will require significant refactoring of the policies so I'd like to land level 3 and then move to the whitelist. Maybe it would make sense to do it in level 4.
Updated

2 years ago
Depends on: 1377355
Updated

2 years ago
Depends on: 1377128
Updated

2 years ago
No longer depends on: 1377128

Comment 7

2 years ago
mozreview-review
Comment on attachment 8882699 [details]
Bug 1332190 - [Mac] Enable level 3 Mac content sandbox, removing filesystem read access.

https://reviewboard.mozilla.org/r/153780/#review158964

LGTM! Good to land once the blockers are landed!
Attachment #8882699 - Flags: review?(agaynor) → review+
Updated

2 years ago
Summary: [Mac] Enable level 3 Mac content sandbox, removing read access to /Users, /Volumes, and more → [Mac] Enable level 3 Mac content sandbox, removing filesystem read access
Comment hidden (mozreview-request)

Comment 9

2 years ago
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6b101438c684
[Mac] Enable level 3 Mac content sandbox, removing filesystem read access. r=Alex_Gaynor

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6b101438c684
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
See Also: → 1380402
No longer depends on: 1380148

Updated

2 years ago
See Also: → 1383915
Depends on: 1382260

Updated

2 years ago
Depends on: 1391186
Depends on: 1393805

Updated

2 years ago
Depends on: 1421262
Depends on: 1404298
Depends on: 1437281
Depends on: 1448374
Depends on: 1452278
Depends on: 1446549
Updated

Last year
Depends on: 1469657
Updated

2 months ago
Depends on: 1542385
Updated

2 months ago
No longer depends on: 1542385