Closed Bug 1357758 Opened 3 years ago Closed 3 years ago

[mac] remove the blacklisting from the content sandbox policy and use whitelisting exclusively

Categories

(Core :: Security: Process Sandboxing, enhancement)

All
macOS
enhancement
Not set

Tracking

()

RESOLVED FIXED
mozilla56
Tracking Status
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)

References

(Blocks 1 open bug)

Details

(Whiteboard: sbmc3)

Attachments

(1 file)

Right now we have a teeny tiny bit of blacklisting in our content sandbox policy: https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#289-297

We should move away from "blacklist the home directory" to whitelisting whatever is needed. This reduces the possibility for regressions, and makes it easier to audit what we allow and prune the list.

This will require figuring out what reads are implicitly allowed by the blacklist that we use and adding those to the whitelist.
Whiteboard: sbmc3
Not worth reviewing yet, as there's still some breakages to work through, but figured I'd attach the patch for visibility.
Depends on: 1363760
Depends on: 1369764
Depends on: 1370317
Assignee: nobody → agaynor
Blocks: 1359559
No longer depends on: 1370317
Comment on attachment 8860502 [details]
Bug 1357758 - Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths;

https://reviewboard.mozilla.org/r/132506/#review159136

Just plain awesome! Please manually test printing and print-to-file with level 3 set.
Attachment #8860502 - Flags: review?(haftandilian) → review+
Printing looks good! (+/- all the unrelated bugs I hit while testing it :-/)
Keywords: checkin-needed
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/59555f5a60be
Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; r=haik
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/59555f5a60be
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.