Closed
Bug 1388580
Opened 7 years ago
Closed 7 years ago
[Mac] Remove miscellaneous iokit open permissions
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: haik, Assigned: haik)
References
Details
(Whiteboard: sb+)
Attachments
(1 file)
In local tests with the following iokit-open rules removed (keeping IOAudioEngineUserClient), local browsing, streaming video, sound, and webgl sites seemed to work fine. Testing done on a Mid 2015 Retina MacBook Pro running 10.12. - (allow iokit-open - (iokit-user-client-class "IOHIDParamUserClient") - (iokit-user-client-class "IOAudioEngineUserClient") - (iokit-user-client-class "IGAccelDevice") - (iokit-user-client-class "nvDevice") - (iokit-user-client-class "nvSharedUserClient") - (iokit-user-client-class "nvFermiGLContext") - (iokit-user-client-class "IGAccelGLContext") - (iokit-user-client-class "IGAccelSharedUserClient") - (iokit-user-client-class "IGAccelVideoContextMain") - (iokit-user-client-class "IGAccelVideoContextMedia") - (iokit-user-client-class "IGAccelVideoContextVEBox")) + (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient")) It could be that some of these drivers are needed only on certain Apple hardware. Of these, on 10.12, nvDevice, nvSharedUserClient, nvFermiGLContext, IGAccelGLContext, aren't used in any of the files in /System/Libary/Sandbox/Profiles/*. On 10.11, only IOHIDParamUserClient is used in /System/Libary/Sandbox/Profiles/*. Regarding nvFermiGLContext, Nvidia Fermi-based cards were available as a Mac Pro (desktop) upgrade. More investigation needed. https://treeherder.mozilla.org/#/jobs?repo=try&revision=3cd6a7dd3c71eb193739cf0eebf289e08ac67092
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → haftandilian
Blocks: 1386300
Priority: -- → P1
Whiteboard: sb+
Target Milestone: --- → mozilla57
|
|
Assignee | |
Comment 1•7 years ago
|
||
https://treeherder.mozilla.org/perf.html#/comparechooser?newProject=try&newRevision=923192ba394a05db79358347075a06cc62828b88
|
||
Comment 2•7 years ago
|
||
Did you look at the console and see if they were being blocked? My concern is that stuff might work without them, but not be accelerated.
|
|
Assignee | |
Comment 3•7 years ago
|
||
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #2) > Did you look at the console and see if they were being blocked? My concern > is that stuff might work without them, but not be accelerated. I've been running with violation logging turned on and haven't seen any violations related to them, but that's the main concern I have too. I'm going to try to test on different Mac models and understand these better.
|
|
Assignee | |
Comment 4•7 years ago
|
||
On 10.11.6, MacBook Air (11-inch, Early 2015), Intel HD Graphics 6000, I'm seeing a violation for IOHIDParamUserClient in the Console app, but don't see a stack. HID is not graphics-specific: https://developer.apple.com/library/content/documentation/DeviceDrivers/Conceptual/HID/intro/intro.html
| Comment hidden (mozreview-request) |
|
|
||
Comment 6•7 years ago
|
||
I was also unable to produce any SandboxViolation warnings with this patch.
|
|
Assignee | |
Comment 7•7 years ago
|
||
And on an older MacBook with an Nvidia GeForce 9400M 256MB running 10.11.6, I didn't see any SandboxViolation warnings with webgl demos, streaming video, and web-RTC.
|
|
Assignee | |
Comment 8•7 years ago
|
||
I'm going to move forward with this fix. We've manually tested on a small number of machines. I would like to have been able to verify this on more Apple models, but time is probably better spent getting this on Nightly earlier.
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8896432 -
Flags: review?(agaynor)
|
|
Assignee | |
Comment 9•7 years ago
|
||
The permissions being removed appear to be related to Intel and Nvidia drivers. We've tested on machines that use Intel and Nvidia graphics and haven't see Sandbox violations related to the removed permissions which tells us they are not needed on those machines.
|
|
||
Comment 10•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8896432 [details] Bug 1388580 - [Mac] Remove miscellaneous iokit open permissions https://reviewboard.mozilla.org/r/167672/#review174882
Attachment #8896432 -
Flags: review?(agaynor) → review+
|
||
Comment 11•7 years ago
|
||
Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3be9ce238520 [Mac] Remove miscellaneous iokit open permissions r=Alex_Gaynor
|
||
Comment 12•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/3be9ce238520
You need to log in
before you can comment on or make changes to this bug.
Description
•