Closed
Bug 1387233
Opened 7 years ago
Closed 7 years ago
[mac] restrict ipc-posix-shm permissions in content
Categories
(Core :: Security: Process Sandboxing, enhancement)
Tracking
RESOLVED
FIXED
mozilla57
Tracking | Status | |
---|---|---|
firefox57 | --- | fixed |
People
(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
We currently allow ipc-posix-shm* on
(ipc-posix-name-regex "^/tmp/com.apple.csseed:")
(ipc-posix-name-regex "^CFPBS:"))
(ipc-posix-name-regex "^AudioIO")
ipc-posix-shm* is made up of:
ipc-posix-shm-read-data
ipc-posix-shm-read-metadata
ipc-posix-shm-write-create
ipc-posix-shm-write-data
ipc-posix-shm-write-unlink
I suspect at a minimum we can remove create and unlink. Some of these might also be either read-only or write-only.
Requires research and investigation. (Also I have no idea what CFPBS or csseed are).
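An added audit helper (not part of this bug or of Firefox's own code) that parses (allow ...) rules from a sandbox profile fragment, expands ipc-posix-shm* into the five operations listed above, and flags rules that still grant write-create or write-unlink. The profile text is constructed for the example; its second rule shows a narrowed form of the kind proposed here, and treating create/unlink as the operations to drop follows the reporter's suggestion, which remains an assumption to verify per name prefix.

```python
import re

# The five operations that the wildcard ipc-posix-shm* expands to (from the bug description).
SHM_OPERATIONS = (
    "ipc-posix-shm-read-data",
    "ipc-posix-shm-read-metadata",
    "ipc-posix-shm-write-create",
    "ipc-posix-shm-write-data",
    "ipc-posix-shm-write-unlink",
)
# Assumption (per the reporter's suggestion): content should not need to create or unlink segments.
RISKY_OPERATIONS = {"ipc-posix-shm-write-create", "ipc-posix-shm-write-unlink"}

# Constructed sample fragment modelled on the rules quoted in the bug; the second rule is a
# hypothetical narrowed replacement, not the profile Firefox actually shipped.
SAMPLE_PROFILE = """
(allow ipc-posix-shm*
  (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
  (ipc-posix-name-regex "^CFPBS:")
  (ipc-posix-name-regex "^AudioIO"))
(allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  (ipc-posix-name-regex "^AudioIO"))
"""

def expand_operations(ops):
    """Expand a trailing-* wildcard such as ipc-posix-shm* into the concrete operations it grants."""
    granted = set()
    for op in ops:
        if op.endswith("*"):
            granted.update(o for o in SHM_OPERATIONS if o.startswith(op[:-1]))
        else:
            granted.add(op)
    return granted

def audit_shm_rules(profile):
    """Return one finding per (allow ...) rule naming ipc-posix-shm operations.

    Each finding lists the expanded operations, the name regexes the rule is scoped to,
    and the subset of operations considered risky.  Only flat rules are handled: the
    filter clauses may not themselves contain parentheses."""
    findings = []
    for m in re.finditer(r"\(allow\s+([^\n(]+)((?:\s*\([^)]*\))*)\s*\)", profile):
        ops = m.group(1).split()
        if not any(o.startswith("ipc-posix-shm") for o in ops):
            continue
        names = re.findall(r'\(ipc-posix-name-regex\s+#?"([^"]*)"\)', m.group(2))
        granted = expand_operations(ops)
        findings.append({
            "wildcard": any(o.endswith("*") for o in ops),
            "granted": sorted(granted),
            "names": names,
            "risky": sorted(granted & RISKY_OPERATIONS),
        })
    return findings
```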
Comment 1•7 years ago
Try run for a basic simplification looks ok: https://treeherder.mozilla.org/#/jobs?repo=try&revision=7e55a189c05ee416264c6ebe9bc4330fac40d940
Updated•7 years ago
Assignee: nobody → agaynor
Comment 3•7 years ago
mozreview-review
Comment on attachment 8894509 [details]
Bug 1387233 - restrict access to ipc-posix-shm APIs in the content process;
https://reviewboard.mozilla.org/r/165684/#review170774
Attachment #8894509 -
Flags: review?(haftandilian) → review+
Updated•7 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/cb06d162a3d0
restrict access to ipc-posix-shm APIs in the content process; r=haik
Keywords: checkin-needed
Comment 5•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57