Closed Bug 1357758 Opened 3 years ago Closed 3 years ago
[mac] remove the blacklisting from the content sandbox policy and use whitelisting exclusively
Bug 1357758 - Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths;
Right now we have a teeny tiny bit of blacklisting in our content sandbox policy:
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#289-297

We should move away from "blacklist the home directory" to whitelisting whatever is needed. This reduces the possibility for regressions, and makes it easier to audit what we allow and prune the list.

This will require figuring out what reads are implicitly allowed by the blacklist that we use and adding those to the whitelist.
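The audit step the description calls for, as an added example that is not part of the bug or of the Firefox policy: given a log of file reads, list the ones a "deny the home directory" rule permits implicitly but a candidate allow-list would block. All paths, both lists and the read log are constructed assumptions.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed sample values; none of these paths come from the Firefox policy.
HOME = "/Users/alice"
DENYLIST = [HOME]                            # "blacklist the home directory"
ALLOWLIST = ["/usr/lib", "/System/Library"]  # candidate whitelist


def norm(path):
    """Collapse '.' and '..' lexically (a real sandbox also resolves symlinks)."""
    return PurePosixPath(posixpath.normpath(path))


def is_under(path, root):
    """Component-wise containment, so /usr/libexec is not 'under' /usr/lib."""
    p, r = norm(path), norm(root)
    return p == r or r in p.parents


def denylist_allows(path):
    """Deny-list model: everything is readable except the listed subtrees."""
    return not any(is_under(path, d) for d in DENYLIST)


def allowlist_allows(path):
    """Allow-list model: nothing is readable except the listed subtrees."""
    return any(is_under(path, a) for a in ALLOWLIST)


def migration_gaps(observed_reads):
    """Reads the deny-list permits implicitly but the allow-list would block."""
    return sorted({str(norm(p)) for p in observed_reads
                   if denylist_allows(p) and not allowlist_allows(p)})


# Constructed read log standing in for what a test run would record.
OBSERVED = [
    "/usr/lib/libSystem.B.dylib",                # allowed by both models
    "/usr/libexec/example-helper",               # prefix look-alike of /usr/lib
    "/private/etc/hosts",                        # implicit under the deny-list
    "/Library/Fonts/Example.ttf",                # implicit under the deny-list
    "/Users/alice/Documents/notes.txt",          # denied by both models
    "/usr/lib/../../Users/alice/.bash_history",  # traversal back into HOME
]

if __name__ == "__main__":
    for path in migration_gaps(OBSERVED):
        print("needs a rule or a code change:", path)
```

Each reported path is a decision point: either it gets an explicit allow rule, or the code that reads it changes.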
Not worth reviewing yet, as there are still some breakages to work through, but figured I'd attach the patch for visibility.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=9b63488894624e29aabc051de3615f9291e316f0&group_state=expanded example try run from a few days ago
Comment on attachment 8860502 [details]
Bug 1357758 - Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths;
https://reviewboard.mozilla.org/r/132506/#review159136

Just plain awesome! Please manually test printing and print-to-file with level 3 set.
Attachment #8860502 - Flags: review?(haftandilian) → review+
Printing looks good! (+/- all the unrelated bugs I hit while testing it :-/)
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/59555f5a60be Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; r=haik