Open Bug 1386762 Opened 7 years ago Updated 2 years ago

[Mac] Need tests that validate removal of services from sandbox rules

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

56 Branch
enhancement


People

(Reporter: haik, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

When we remove rules from the Mac content sandbox, we can't be sure that content processes can't access those services, because IPC ports that are opened before the sandbox is initialized remain usable after the sandbox rules are applied, even if the rules don't allow access to that service.

If the removal generates sandbox violation warnings, then that's an indication that 1) content really can't access the service directly and 2) something in plugin-container is still triggering an open of a port to that service.
See Also: → 1330785
Summarizing notes from IRC so I don't forget them:

- we can use bootstrap_look_up to verify that it's no longer possible to open a mach port to a service with the sandbox profile
- bootstrap_look_up does reuse mach ports if you've already got an open one
- the reuse in bootstrap_look_up happens _after_ the permissions check, so |bootstrap_look_up("service")| errors out, regardless of whether or not there's an existing port it could reuse. Therefore we can't use this to test.

I don't know if there's some other API we can use to check if there's an already-open mach port.
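A minimal probe of the kind the first bullet describes, added here as an example and not code from this bug or from Firefox: run inside the process whose profile is under test (after sandbox init), it performs a fresh bootstrap_look_up for each service named on the command line and counts the ones that are still reachable, so a non-zero exit means a rule removal did not take effect. The service names, the `--dry-run` flag and the fake outcome table are constructed for illustration; the non-Apple fallback exists only so the verdict logic compiles on hosts without Mach. As the last bullet notes, a denial here only shows that a new lookup is refused; it says nothing about a port that was obtained before the sandbox was initialized.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

#ifdef __APPLE__
#include <mach/mach.h>
#include <servers/bootstrap.h>
#else
/* bootstrap.h return codes, reproduced so the verdict logic compiles on
 * non-Mach hosts (assumption: values as in macOS <servers/bootstrap.h>).
 * The real lookup is only possible on macOS. */
#define KERN_SUCCESS 0
#define BOOTSTRAP_NOT_PRIVILEGED 1100
#define BOOTSTRAP_UNKNOWN_SERVICE 1102
#endif

typedef int (*lookup_fn)(const char *service);

/* Map a bootstrap_look_up() return code to a test verdict. */
const char *verdict_for(int kr) {
  switch (kr) {
    case KERN_SUCCESS:              return "REACHABLE"; /* profile still allows it */
    case BOOTSTRAP_NOT_PRIVILEGED:  return "DENIED";    /* sandbox refused the lookup */
    case BOOTSTRAP_UNKNOWN_SERVICE: return "UNKNOWN";   /* no such service registered */
    default:                        return "ERROR";
  }
}

/* Fresh bootstrap_look_up() of `service` through the task's bootstrap port.
 * Returns the raw kern_return_t, or -1 on hosts without Mach. Any port we
 * receive is released at once: this probe only asks "is a new lookup
 * permitted?" and cannot see ports acquired before sandbox init. */
int lookup_service(const char *service) {
#ifdef __APPLE__
  mach_port_t port = MACH_PORT_NULL;
  kern_return_t kr = bootstrap_look_up(bootstrap_port, service, &port);
  if (kr == KERN_SUCCESS) {
    mach_port_deallocate(mach_task_self(), port);
  }
  return (int)kr;
#else
  (void)service;
  return -1;
#endif
}

/* Constructed outcomes for a dry run of the checker; the names are
 * placeholders, not real Mach services. */
int fake_lookup(const char *service) {
  if (strcmp(service, "com.example.still-allowed") == 0) return KERN_SUCCESS;
  if (strcmp(service, "com.example.now-denied") == 0) return BOOTSTRAP_NOT_PRIVILEGED;
  return BOOTSTRAP_UNKNOWN_SERVICE;
}

/* Probe every service the profile under test is expected to deny and return
 * how many are still reachable. `lookup` is injectable so the logic can be
 * exercised with fake_lookup where Mach is unavailable. */
int count_still_reachable(const char *const *services, size_t n, lookup_fn lookup) {
  int reachable = 0;
  for (size_t i = 0; i < n; i++) {
    int kr = lookup(services[i]);
    printf("%-45s %6d  %s\n", services[i], kr, verdict_for(kr));
    if (kr == KERN_SUCCESS) {
      reachable++;
    }
  }
  return reachable;
}

int main(int argc, char **argv) {
  lookup_fn lookup = lookup_service;
  int first = 1;
  if (argc > 1 && strcmp(argv[1], "--dry-run") == 0) {
    lookup = fake_lookup;  /* hypothetical flag: exercise the checker offline */
    first = 2;
  }
  if (argc <= first) {
    fprintf(stderr, "usage: %s [--dry-run] <mach service name>...\n", argv[0]);
    return 2;
  }
  /* Remaining arguments are the services whose rules were removed. */
  int bad = count_still_reachable((const char *const *)(argv + first),
                                  (size_t)(argc - first), lookup);
  printf("%d service(s) unexpectedly reachable\n", bad);
  return bad == 0 ? 0 : 1;
}
```

Run it from a content process after the sandbox has been applied and pass the names of the services whose rules were removed; any "REACHABLE" line is a rule that did not take effect, while "DENIED" lines pair naturally with the sandbox violation warnings mentioned above if something in plugin-container still tries to open that port.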
Whiteboard: sb+
Priority: -- → P3
Blocks: sb-test
Severity: normal → S3