Closed Bug 1379803 Opened 7 years ago Closed 7 years ago

[Mac] Use vnode-type predicate in content sandbox to limit what type of files content can create

Categories

(Core :: Security: Process Sandboxing, enhancement)

Product:
Core
Component:
Security: Process Sandboxing
Version:
56 Branch
Platform:
Unspecified
macOS
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: haik, Assigned: Alex_Gaynor)

References

Details

Attachments

(1 file)

Bug 1379803 - on macOS, only allow the creation of regular files and directories in writable directories;
59 bytes, text/x-review-board-request
haik
: review+
Details 
Content processes have permission to write to a few directories. For example, for printing. On the Mac, we can use the vnode-type predicate with (allow file-write-create ...) rules to prevent content from creating symlinks, directories, and ttys which we don't expect content to need to do. There are instances of this in /System/Library/Sandbox/Profiles, but otherwise it's not documented.
Blocks: CVE-2018-5107
Assignee: nobody → agaynor
Comment on attachment 8885272 [details]
Bug 1379803 - on macOS, only allow the creation of regular files and directories in writable directories;

https://reviewboard.mozilla.org/r/156140/#review161258

r+

s/writably/writable in commit message.

::: security/sandbox/test/browser_content_sandbox_fs.js:224
(Diff revision 1)
>      // content process successfully created the file, now remove it
>      homeFile.remove(false);
>    }
>  }
>  
>  // Test if the content process can create a temp file, should pass

Update comment

::: security/sandbox/test/browser_content_sandbox_fs.js:235
(Diff revision 1)
>    // now delete the file
>    let fileDeleted = await ContentTask.spawn(browser, path, deleteFile);
>    if (isMac()) {
>      // On macOS we do not allow file deletion - it is not needed by the content
>      // process itself, and macOS uses a different permission to control access
>      // to revoking it is easy.

s/to/so
Attachment #8885272 - Flags: review?(haftandilian) → review+
dom/plugins/test/mochitest/test_pluginstream_asfile.html appear to be a legit failing test, looks like for plugins we lazilly create a plugin temp directory (dom/plugins/base/nsPluginHost.cpp line ~693). For now I think the easiest thing to do is allow directory creation -- unless there's an alternate suggestion.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #3)
> dom/plugins/test/mochitest/test_pluginstream_asfile.html appear to be a
> legit failing test, looks like for plugins we lazilly create a plugin temp
> directory (dom/plugins/base/nsPluginHost.cpp line ~693). For now I think the
> easiest thing to do is allow directory creation -- unless there's an
> alternate suggestion.

Allowing directory creation sounds fine for now, but I wonder if pluginstream is something we don't support anymore given our trajectory with plugins (yes, wishful thinking) similar to what happened with bug 1360223. :bsmedberg, is this something you're familiar with?
Flags: needinfo?(benjamin)
Yes, bug 1352567.
Flags: needinfo?(benjamin)
Thanks :bsmedberg. I've uploaded a patch which adds directories to the allowed vnode-types, after this is landed I'll file a bug to remove directories, blocked on that bug.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/566036f11442
on macOS, only allow the creation of regular files and directories in writable directories; r=haik
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/566036f11442
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: