Closed
Bug 1379803
Opened 7 years ago
Closed 7 years ago
[Mac] Use vnode-type predicate in content sandbox to limit what type of files content can create
Categories
(Core :: Security: Process Sandboxing, enhancement)
Tracking
RESOLVED
FIXED
mozilla56
Tracking | Status
---|---
firefox56 | --- | fixed
People
(Reporter: haik, Assigned: Alex_Gaynor)
References
Details
Attachments
(1 file)
Content processes have permission to write to a few directories. For example, for printing. On the Mac, we can use the vnode-type predicate with (allow file-write-create ...) rules to prevent content from creating symlinks, directories, and ttys which we don't expect content to need to do. There are instances of this in /System/Library/Sandbox/Profiles, but otherwise it's not documented.
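As an added illustration (not taken from the bug or from the Firefox tree), the kind of rule change the description proposes, written in Apple's Scheme-like sandbox profile language. The directory name is a placeholder, and the way `require-all`/`require-any` compose with `vnode-type` is assumed to follow the usage in Apple's own profiles under /System/Library/Sandbox/Profiles:

```scheme
(version 1)
;; Default-deny policy: anything not explicitly allowed below is refused.
(deny default)

;; Placeholder for a directory the content process legitimately writes to
;; (for example the temp directory used for printing); not a real Firefox path.
(define writable-dir "/placeholder/content-writable")

;; Before: the create rule is keyed on the path only, so a compromised content
;; process could also create symlinks, directories, FIFOs or ttys there.
;; (allow file-write-create (subpath writable-dir))

;; After: the vnode-type predicate narrows which node types may be created.
;; Every condition inside require-all must hold for the rule to match, so a
;; symlink or tty under writable-dir does not match and falls through to
;; (deny default). The bug settled on regular files plus directories because
;; plugin code lazily creates its temp directory; directories are meant to be
;; dropped again once that is no longer needed.
(allow file-write-create
  (require-all
    (require-any
      (vnode-type REGULAR-FILE)
      (vnode-type DIRECTORY))
    (subpath writable-dir)))
```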
Updated 7 years ago (Assignee)
Blocks: CVE-2018-5107
Updated 7 years ago (Assignee)
Assignee: nobody → agaynor
Comment hidden (mozreview-request)
Comment 2 • 7 years ago (Reporter)
mozreview-review

Comment on attachment 8885272 [details]
Bug 1379803 - on macOS, only allow the creation of regular files and directories in writable directories;

https://reviewboard.mozilla.org/r/156140/#review161258

r+

s/writably/writable in commit message.

::: security/sandbox/test/browser_content_sandbox_fs.js:224
(Diff revision 1)
> // content process successfully created the file, now remove it
> homeFile.remove(false);
> }
> }
>
> // Test if the content process can create a temp file, should pass

Update comment

::: security/sandbox/test/browser_content_sandbox_fs.js:235
(Diff revision 1)
> // now delete the file
> let fileDeleted = await ContentTask.spawn(browser, path, deleteFile);
> if (isMac()) {
> // On macOS we do not allow file deletion - it is not needed by the content
> // process itself, and macOS uses a different permission to control access
> // to revoking it is easy.

s/to/so
Attachment #8885272 - Flags: review?(haftandilian) → review+
Comment 3 • 7 years ago (Assignee)

dom/plugins/test/mochitest/test_pluginstream_asfile.html appears to be a legit failing test; looks like for plugins we lazily create a plugin temp directory (dom/plugins/base/nsPluginHost.cpp line ~693). For now I think the easiest thing to do is allow directory creation -- unless there's an alternate suggestion.
Comment 4 • 7 years ago (Reporter)

(In reply to Alex Gaynor [:Alex_Gaynor] from comment #3)
> dom/plugins/test/mochitest/test_pluginstream_asfile.html appears to be a
> legit failing test; looks like for plugins we lazily create a plugin temp
> directory (dom/plugins/base/nsPluginHost.cpp line ~693). For now I think the
> easiest thing to do is allow directory creation -- unless there's an
> alternate suggestion.

Allowing directory creation sounds fine for now, but I wonder if pluginstream is something we don't support anymore given our trajectory with plugins (yes, wishful thinking), similar to what happened with bug 1360223. :bsmedberg, is this something you're familiar with?
Flags: needinfo?(benjamin)
Comment hidden (mozreview-request)
Comment 7 • 7 years ago (Assignee)

Thanks :bsmedberg. I've uploaded a patch which adds directories to the allowed vnode-types; after this is landed I'll file a bug to remove directories, blocked on that bug.
Comment 8 • 7 years ago (Assignee)

https://treeherder.mozilla.org/#/jobs?repo=try&revision=24fd6a724e445e6c7a023515d4c236c1b0c7e96b

Looks good!
Updated 7 years ago (Assignee)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/566036f11442 on macOS, only allow the creation of regular files and directories in writable directories; r=haik
Keywords: checkin-needed
Comment 10 • 7 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/566036f11442
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56