Closed Bug 1359573 Opened 8 years ago Closed 7 years ago

[meta] [mac] review mach-lookup permissions for what can be removed

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Platform:
Unspecified
macOS
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox55 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: sb+)

https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#160-178 We currently allow many mach-lookups, which were mostly inherited from |/System/Library/Sandbox/Profiles/system.sb|. We should review this and figure out what can be removed, and what the blockers for removing other items are.
Whiteboard: sbmc3
Depends on: 1383818
Depends on: 1384677
Keywords: meta
Summary: [mac] review mach-lookup permissions for what can be removed → [meta] [mac] review mach-lookup permissions for what can be removed
Depends on: 1384941
Depends on: 1385096
Depends on: 1385332
Depends on: 1386291
See Also: → 1386300
Depends on: 1386308
Depends on: 1386363
Depends on: 1384209
Depends on: 1387570
Depends on: 1322024
Priority: -- → P1
Whiteboard: sbmc3 → sb+
Depends on: 1388172
Depends on: 1388360
Depends on: 1388454
Depends on: 1389494
Depends on: 1389535
No longer depends on: 1389494
Declaring this to be resolved. At this point we have investigated all of the mach-lookup permissions allowed in the content sandbox, removed the ones which we could, and know what the blockers are for the others!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.