Closed Bug 1388580 Opened 7 years ago Closed 7 years ago

[Mac] Remove miscellaneous iokit open permissions

Categories

(Core :: Security: Process Sandboxing, defect, P1)

Product:
Core
Component:
Security: Process Sandboxing
Version:
56 Branch
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox57 --- fixed

People

(Reporter: haik, Assigned: haik)

References

Details

(Whiteboard: sb+)

Attachments

(1 file)

Bug 1388580 - [Mac] Remove miscellaneous iokit open permissions
59 bytes, text/x-review-board-request
Alex_Gaynor
: review+
Details
In local tests with the following iokit-open rules removed (keeping IOAudioEngineUserClient), local browsing, streaming video, sound, and webgl sites seemed to work fine. Testing done on a Mid 2015 Retina MacBook Pro running 10.12. - (allow iokit-open - (iokit-user-client-class "IOHIDParamUserClient") - (iokit-user-client-class "IOAudioEngineUserClient") - (iokit-user-client-class "IGAccelDevice") - (iokit-user-client-class "nvDevice") - (iokit-user-client-class "nvSharedUserClient") - (iokit-user-client-class "nvFermiGLContext") - (iokit-user-client-class "IGAccelGLContext") - (iokit-user-client-class "IGAccelSharedUserClient") - (iokit-user-client-class "IGAccelVideoContextMain") - (iokit-user-client-class "IGAccelVideoContextMedia") - (iokit-user-client-class "IGAccelVideoContextVEBox")) + (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient")) It could be that some of these drivers are needed only on certain Apple hardware. Of these, on 10.12, nvDevice, nvSharedUserClient, nvFermiGLContext, IGAccelGLContext, aren't used in any of the files in /System/Libary/Sandbox/Profiles/*. On 10.11, only IOHIDParamUserClient is used in /System/Libary/Sandbox/Profiles/*. Regarding nvFermiGLContext, Nvidia Fermi-based cards were available as a Mac Pro (desktop) upgrade. More investigation needed. https://treeherder.mozilla.org/#/jobs?repo=try&revision=3cd6a7dd3c71eb193739cf0eebf289e08ac67092
Assignee: nobody → haftandilian
Blocks: 1386300
Priority: -- → P1
Whiteboard: sb+
Target Milestone: --- → mozilla57
Did you look at the console and see if they were being blocked? My concern is that stuff might work without them, but not be accelerated.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #2) > Did you look at the console and see if they were being blocked? My concern > is that stuff might work without them, but not be accelerated. I've been running with violation logging turned on and haven't seen any violations related to them, but that's the main concern I have too. I'm going to try to test on different Mac models and understand these better.
On 10.11.6, MacBook Air (11-inch, Early 2015), Intel HD Graphics 6000, I'm seeing a violation for IOHIDParamUserClient in the Console app, but don't see a stack. HID is not graphics-specific: https://developer.apple.com/library/content/documentation/DeviceDrivers/Conceptual/HID/intro/intro.html
I was also unable to produce any SandboxViolation warnings with this patch.
And on an older MacBook with an Nvidia GeForce 9400M 256MB running 10.11.6, I didn't see any SandboxViolation warnings with webgl demos, streaming video, and web-RTC.
I'm going to move forward with this fix. We've manually tested on a small number of machines. I would like to have been able to verify this on more Apple models, but time is probably better spent getting this on Nightly earlier.
Attachment #8896432 - Flags: review?(agaynor)
The permissions being removed appear to be related to Intel and Nvidia drivers. We've tested on machines that use Intel and Nvidia graphics and haven't see Sandbox violations related to the removed permissions which tells us they are not needed on those machines.
Comment on attachment 8896432 [details] Bug 1388580 - [Mac] Remove miscellaneous iokit open permissions https://reviewboard.mozilla.org/r/167672/#review174882
Attachment #8896432 - Flags: review?(agaynor) → review+
Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3be9ce238520 [Mac] Remove miscellaneous iokit open permissions r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/3be9ce238520
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: