Closed Bug 1359573 Opened 3 years ago Closed 3 years ago

[meta] [mac] review mach-lookup permissions for what can be removed

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
macOS
enhancement

Tracking

()

RESOLVED FIXED
Tracking Status
firefox55 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: sb+)

https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#160-178

We currently allow many mach-lookups, which were mostly inherited from |/System/Library/Sandbox/Profiles/system.sb|. We should review this and figure out what can be removed, and what the blockers for removing other items are.
Whiteboard: sbmc3
Depends on: 1383818
Depends on: 1384677
Keywords: meta
Summary: [mac] review mach-lookup permissions for what can be removed → [meta] [mac] review mach-lookup permissions for what can be removed
Depends on: 1384941
Depends on: 1385096
Depends on: 1385332
Depends on: 1386291
See Also: → 1386300
Depends on: 1386308
Depends on: 1386363
Depends on: 1384209
Depends on: 1387570
Depends on: 1322024
Priority: -- → P1
Whiteboard: sbmc3 → sb+
Depends on: 1388172
Depends on: 1388360
Depends on: 1388454
Depends on: 1389494
Depends on: 1389535
No longer depends on: 1389494
Declaring this to be resolved. At this point we have investigated all of the mach-lookup permissions allowed in the content sandbox, removed the ones which we could, and know what the blockers are for the others!
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.