Closed
Bug 1357758
Opened 7 years ago
Closed 7 years ago
[mac] remove the blacklisting from the content sandbox policy and use whitelisting exclusively
Categories
(Core :: Security: Process Sandboxing, enhancement)
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)
References
(Blocks 1 open bug)
Details
(Whiteboard: sbmc3)
Attachments
(1 file)
Right now we have a teeny tiny bit of blacklisting in our content sandbox policy: https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#289-297 We should move away from "blacklist the home directory" to whitelisting whatever is needed. This reduces the possibility for regressions, and makes it easier to audit what we allow and prune the list. This will require figuring out what reads are implicitly allowed by the blacklist that we use and adding those to the whitelist.
|
||
Updated•7 years ago
|
Whiteboard: sbmc3
| Comment hidden (mozreview-request) |
|
Assignee | |
Comment 2•7 years ago
|
||
Not worth reviewing yet, as there's still some breakages to work through, but figured I'd attach the patch for visibility.
|
|
Assignee | |
Comment 3•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=9b63488894624e29aabc051de3615f9291e316f0&group_state=expanded example try run from a few days ago
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → agaynor
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 5•7 years ago
|
||
All green! https://treeherder.mozilla.org/#/jobs?repo=try&revision=ed0a090e297125887c8bbe7cbdcc9657a3f955ed&group_state=expanded
|
|
Assignee | |
Updated•7 years ago
|
|
||
Comment 6•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8860502 [details] Bug 1357758 - Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; https://reviewboard.mozilla.org/r/132506/#review159136 Just plain awesome! Please manually test printing and print-to-file with level 3 set.
Attachment #8860502 -
Flags: review?(haftandilian) → review+
|
|
Assignee | |
Comment 7•7 years ago
|
||
Printing looks good! (+/- all the unrelated bugs I hit while testing it :-/)
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/59555f5a60be Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; r=haik
Keywords: checkin-needed
|
||
Comment 9•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/59555f5a60be
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
|
||
Updated•7 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•