Closed
Bug 1379182
Opened 7 years ago
Closed 7 years ago
restrict file-write* sandbox rules to more specific permissions
Categories
(Core :: Security: Process Sandboxing, enhancement)
RESOLVED
FIXED
mozilla56
Tracking | Status | |
---|---|---|
firefox56 | --- | fixed |
People
(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)
Details
Attachments
(1 file)
We currently use |file-write*| rules in two places in our sandbox policies. |file-write*| encompasses more permissions than we really need. Specifically, based on |strings /usr/lib/libsandbox.dylib | grep file-write| it appears to contain the following:

file-write-acl
file-write-create
file-write-data
file-write-flags
file-write-mode
file-write-owner
file-write-setugid
file-write-times
file-write-unlink
file-write-xattr
(define file-unlink file-write-unlink)
(define file-write-mount file-mount)
(define file-write-unmount file-unmount)
(define file-write-umount file-unmount)

I'm pretty sure that for both of these callsites we only actually need |file-write-create| and |file-write-data|. I don't think there's any particular security concern with these extra rules (and indeed some of these are probably useless without root), so the narrower rule is primarily about reducing the kernel surface exposed.
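The narrowing described in the report can be checked mechanically. The following audit script is an added example, not part of the original bug report or of Firefox's code: it flags `allow` rules in a sandbox profile that grant file-write operations beyond the two the report expects to need. The sample profile, its paths, and the function names are constructed for illustration.

```python
import re

# Sub-operations the report lists under file-write*.
FILE_WRITE_OPS = [
    "file-write-acl", "file-write-create", "file-write-data",
    "file-write-flags", "file-write-mode", "file-write-owner",
    "file-write-setugid", "file-write-times", "file-write-unlink",
    "file-write-xattr",
]
# Operations the report expects the two call sites to need.
NEEDED = {"file-write-create", "file-write-data"}

# Head of a rule: "(allow op1 op2 ..." up to the first filter or closing paren.
RULE_HEAD = re.compile(r"\(\s*allow\s+([^()]+?)\s*(?=[()])")

def strip_comments(profile):
    """Blank out ';' comments while keeping line numbers stable.
    Assumption: no ';' appears inside a quoted path string."""
    return "\n".join(line.split(";", 1)[0] for line in profile.splitlines())

def audit(profile, needed=NEEDED):
    """Return (line_no, operations, excess) for every allow rule that
    grants file-write operations outside `needed`."""
    text = strip_comments(profile)
    findings = []
    for m in RULE_HEAD.finditer(text):
        ops = m.group(1).split()
        granted = set()
        for op in ops:
            if op == "file-write*":        # wildcard expands to every sub-operation
                granted.update(FILE_WRITE_OPS)
            elif op in FILE_WRITE_OPS:
                granted.add(op)
        excess = sorted(granted - needed)
        if excess:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, ops, excess))
    return findings

# Constructed sample profile; the paths are placeholders, not Firefox's policy.
SAMPLE = """(version 1)
(deny default)
; (allow file-write* (subpath "/old"))
(allow file-write* (subpath "/example/tmp"))
(allow file-write-create file-write-data
    (subpath "/example/cache"))
(allow file-read* file-write-unlink (literal "/example/lock"))
"""

if __name__ == "__main__":
    for line_no, ops, excess in audit(SAMPLE):
        print(f"line {line_no}: allow {' '.join(ops)} -> excess: {', '.join(excess)}")
```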
Updated•7 years ago
Assignee: nobody → agaynor
Comment 1•7 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=bb68a37950baa5cf250fddf2c82cd27ebd46f375&selectedJob=112577127
Comment hidden (mozreview-request)
Comment 3•7 years ago
mozreview-review
Comment on attachment 8884829 [details] Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS;
https://reviewboard.mozilla.org/r/155720/#review160782
Looks good. Please sanity check printing and print-to-file for this one too.
Attachment #8884829 -
Flags: review?(haftandilian) → review+
Updated•7 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/1ba3f4c9ef45
Remove some unnecessary file-write permissions types from the content process on macOS; r=haik
Keywords: checkin-needed
Comment 5•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1ba3f4c9ef45
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56