Open Bug 1333260 Opened 3 years ago Updated 2 years ago

[Mac] Investigate using nsSandboxViolationSink.mm for in-browser sandbox violation reporting

Categories

(Core :: Security: Process Sandboxing, defect)

53 Branch
defect
Not set

People

(Reporter: haik, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

I stumbled onto the code in nsSandboxViolationSink.{mm,h} for logging sandbox violations from Firefox itself. The code there is intended to pick up sandbox violation notifications from a system message log, but I couldn't get it to work on 10.12. (Have not tested older OS X versions.) It requires setting security.sandbox.mac.track.violations=true and non-debug Nightly or Aurora:

  from nsAppShell.mm:
  #if !defined(RELEASE_OR_BETA) || defined(DEBUG)
    if (Preferences::GetBool("security.sandbox.mac.track.violations", false)) {
      nsSandboxViolationSink::Start();
    }
  #endif

It could be that the queue name "com.apple.sandbox.violation.*" doesn't work with current OS X versions. More debugging needed.

This might allow us to log our own sandbox violations when the logging flag is turned on in a more visible way compared to the OS X console app.

If it doesn't work anymore, we should remove the code.
See Also: → 1306239
Correction: it requires setting security.sandbox.mac.track.violations=true and a debug build or Nightly or Aurora.
Whiteboard: sb+
Blocks: sb-log