Closed
Bug 1386161
Opened 7 years ago
Closed 7 years ago
[Mac] Remove IOAudioControl Rules
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
()
RESOLVED
FIXED
mozilla57
| | Tracking | Status |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: haik, Assigned: haik)
References
Details
(Whiteboard: sb+)
Attachments
(2 files)
With some minimal testing, sound playing and WebRTC continue to work with these rules removed. These seem to be for interacting directly with audio drivers and may not be needed.
(allow iokit-set-properties (iokit-property "IOAudioControlValue"))
(allow iokit-open (iokit-user-client-class "IOAudioControlUserClient"))
Comment 1•7 years ago (Assignee)
Updated•7 years ago (Assignee)
Whiteboard: sbmc3
Updated•7 years ago (Assignee)
Assignee: nobody → haftandilian
Priority: -- → P1
Updated•7 years ago (Assignee)
Version: 56 Branch → 57 Branch
Comment 2•7 years ago (Assignee)
My local testing and try testing haven't turned up any issues with these changes, so I'm going to move forward with the changes. These lines were introduced in bug 1083344 when Steven first landed most of the rules.
Comment hidden (mozreview-request)
Comment 4•7 years ago
mozreview-review
Comment on attachment 8893589 [details]
Bug 1386161 - [Mac] Remove IOAudioControl Rules.
https://reviewboard.mozilla.org/r/164664/#review170286
Attachment #8893589 - Flags: review?(agaynor) → review+
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/989cea1f3820
[Mac] Remove IOAudioControl Rules. r=Alex_Gaynor
Updated•7 years ago
Whiteboard: sbmc3 → sb+
Comment 6•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 7•7 years ago (Assignee)
With the fix for this, when sandbox logging is enabled[1], we log a sandbox violation: "plugin-container(1666) deny iokit-open IOAudioControlUserClient" when watching a video on YouTube (and probably in other cases too). Attachment is the Console report collected on 10.11 and the stack shows cubeb_init() is triggering it. See attachment for the full stack.
1. security.sandbox.logging.enabled=true or env var MOZ_SANDBOX_LOGGING is set
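One way to triage the violations described in comment 7, as an added example that is not part of the original bug or of Firefox's code: it parses the two removed rules from the description and separates deny lines they would have covered from any other denial. It assumes log lines of the shape quoted in comment 7; the function names, the sample log and the tolerated `deny(N)` variant are assumptions.

```python
import re
from collections import Counter

# The two rules removed in this bug, copied from the description above.
REMOVED_RULES = '''
(allow iokit-set-properties (iokit-property "IOAudioControlValue"))
(allow iokit-open (iokit-user-client-class "IOAudioControlUserClient"))
'''
RULE_RE = re.compile(r'\(allow\s+([\w-]+)\s+\([\w-]+\s+"([^"]+)"\)\)')
# Shape quoted in comment 7: "<process>(<pid>) deny <operation> <target>".
# The optional "(N)" after "deny" is an assumption to tolerate other log variants.
DENY_RE = re.compile(r'([\w.-]+)\((\d+)\)\s+deny(?:\(\d+\))?\s+([\w*-]+)\s+(\S.*?)\s*$')

def removed_pairs(sbpl=REMOVED_RULES):
    """Return {(operation, target)} for each simple allow rule in the SBPL text."""
    return set(RULE_RE.findall(sbpl))

def parse_denials(lines):
    """Yield (process, pid, operation, target) for every sandbox deny line."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)

def triage(lines, sbpl=REMOVED_RULES):
    """Split denials into those explained by the removed rules and all others."""
    known = removed_pairs(sbpl)
    expected, other = Counter(), Counter()
    for proc, _pid, op, target in parse_denials(lines):
        bucket = expected if (op, target) in known else other
        bucket[(proc, op, target)] += 1
    return expected, other

# Constructed sample log: only the first line is the message quoted in comment 7;
# the other PIDs, the file-read-data path and the last line are made up.
SAMPLE_LOG = [
    "plugin-container(1666) deny iokit-open IOAudioControlUserClient",
    "plugin-container(1702) deny iokit-open IOAudioControlUserClient",
    "plugin-container(1702) deny file-read-data /private/var/example",
    "plugin-container(1702) some unrelated message",
]

if __name__ == "__main__":
    expected, other = triage(SAMPLE_LOG)
    print("explained by removed rules:", dict(expected))
    print("needs a closer look:", dict(other))
```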
Comment 8•7 years ago (Assignee)
(In reply to Haik Aftandilian [:haik] from comment #7)
> ...
> Attachment is the Console report collected on 10.11 and the stack shows
> cubeb_init() is triggering it. See attachment for the full stack.
> ...
We have bug 1362220 to move audio out of the content process.
See Also: → 1362220