Closed Bug 1379182 Opened 4 years ago Closed 4 years ago

restrict file-write* sandbox rules to more specific permissions

Categories

(Core :: Security: Process Sandboxing, enhancement)

Unspecified
macOS
enhancement
Not set
normal

Tracking

RESOLVED FIXED
mozilla56
Tracking Status
firefox56 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)

Details

Attachments

(1 file)

We currently use |file-write*| rules in two places in our sandbox policies. |file-write*| encompasses more permissions than we really need. Specifically, based on |strings /usr/lib/libsandbox.dylib | grep file-write| it appears to contain the following:

file-write-acl
file-write-create
file-write-data
file-write-flags
file-write-mode
file-write-owner
file-write-setugid
file-write-times
file-write-unlink
file-write-xattr
(define file-unlink file-write-unlink)
(define file-write-mount file-mount)
(define file-write-unmount file-unmount)
(define file-write-umount file-unmount)

I'm pretty sure that for both of these call sites we only actually need |file-write-create| and |file-write-data|. I don't think there's any particular security concern with these extra rules (and indeed some of these are probably useless without root), so the narrower rule is primarily about reducing the kernel surface exposed.
Assignee: nobody → agaynor
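The following is an added illustration of the change described in comment 0, not Firefox's actual content-process policy and not code from this bug's patch. It is a minimal Seatbelt (SBPL) profile that places the broad |file-write*| rule next to the narrowed |file-write-create file-write-data| rule, using the operation names listed in the |strings| output above. The directory /private/tmp/sbpl-demo and the handful of allow rules needed to get a shell running are assumptions for the demo (Seatbelt matches on the resolved path, so /private/tmp is used rather than the /tmp symlink; a real shell may need a few more read rules than shown).

```scheme
;; Added example (not Firefox's actual content-process policy): a minimal
;; Seatbelt profile showing the broad file-write* rule beside the narrowed
;; rule proposed in comment 0. Paths and the allow boilerplate are assumptions.
(version 1)
(deny default)

;; Assumed minimum so that /bin/sh can start under sandbox-exec; kept
;; deliberately simple because the point of the demo is the write rules.
(allow process-exec process-fork)
(allow file-read*)
(allow sysctl-read)

;; BEFORE: file-write* expands to every file-write-* operation, so within
;; the subpath the sandboxed process may also chmod (file-write-mode),
;; chown (file-write-owner), chflags (file-write-flags), utimes
;; (file-write-times), unlink (file-write-unlink), setxattr
;; (file-write-xattr), edit ACLs (file-write-acl) and set setuid/setgid
;; bits (file-write-setugid). Left commented out; enable instead of the
;; rule below to compare behaviour.
;;
;; (allow file-write* (subpath "/private/tmp/sbpl-demo"))

;; AFTER: only creating new files and writing file contents is permitted.
;; Several operations may be listed in one allow form; every other
;; file-write-* operation falls through to (deny default) above.
(allow file-write-create file-write-data
       (subpath "/private/tmp/sbpl-demo"))
```

To compare the two on a Mac, save the profile as sbpl-demo.sb, create /private/tmp/sbpl-demo, and run something like |sandbox-exec -f sbpl-demo.sb /bin/sh -c 'echo hi > /private/tmp/sbpl-demo/x; chmod 600 /private/tmp/sbpl-demo/x; rm /private/tmp/sbpl-demo/x'|. Under the narrowed rule the redirect (create + data) succeeds while chmod (file-write-mode) and rm (file-write-unlink) are denied; under the commented-out |file-write*| rule all three succeed. Denials are reported by the kernel sandbox in the system log. Note that sandbox-exec is deprecated in current macOS releases, though it is still shipped, and that the exact set of read rules needed for the shell to start may vary by macOS version.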
Comment on attachment 8884829
Bug 1379182 - Remove some unnecessary file-write permissions types from the content process on macOS;

https://reviewboard.mozilla.org/r/155720/#review160782

Looks good. Please sanity check printing and print-to-file for this one too.
Attachment #8884829 - Flags: review?(haftandilian) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/1ba3f4c9ef45
Remove some unnecessary file-write permissions types from the content process on macOS; r=haik
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/1ba3f4c9ef45
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56