Closed Bug 1401756 Opened 7 years ago Closed 7 years ago

[Mac] Remove unneeded mach-lookups from plugin sandbox rules

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla58

Tracking Flags:

Tracking

Status

firefox57

---

wontfix

firefox58

---

fixed

People

(Reporter: haik, Assigned: haik)

Details

(Whiteboard: sb+)

Attachments

(1 file)

Bug 1401756 - [Mac] Remove unneeded mach-lookups from plugin sandbox rules. 7 years ago Haik Aftandilian [:haik] 59 bytes, text/x-review-board-request	Alex_Gaynor : review+	Details

Haik Aftandilian [:haik]

Assignee

Description

•

7 years ago

The Mac plugin sandbox allows access to some services that are probably no longer needed given that content processes work without them. (allow mach-lookup (global-name "com.apple.cfprefsd.agent") (global-name "com.apple.cfprefsd.daemon") (global-name "com.apple.system.opendirectoryd.libinfo") (global-name "com.apple.system.logger") (global-name "com.apple.ls.boxd")) Local browsing tests on macOS 10.12 without these allowances, testing Netflix, YouTube, Amazon, and other streaming video sites, appeared to work as normal.

Haik Aftandilian [:haik]

Assignee

Comment 1

•

7 years ago

https://treeherder.mozilla.org/#/jobs?repo=try&revision=ae6a8083d96da8bae157359f5101078f3072dc77

Assignee: nobody → haftandilian

Haik Aftandilian [:haik]

Assignee

Comment 2

•

7 years ago

On 10.12, I haven't found any references to opendirectoryd.libinfo, ls.boxd, or the cfprefsd.{agent,daemon}. com.apple.system.logger appears to be a mach interface to syslogd: $ plutil -p /System/Library/LaunchDaemons/com.apple.syslogd.plist { ... "MachServices" => { "com.apple.system.logger" => { "ResetAtClose" => 1 } } ... } Needs testing on earlier OS X versions.

Whiteboard: sb+

Comment hidden (mozreview-request)

Haik Aftandilian [:haik]

Assignee

Updated

•

7 years ago

Priority: -- → P1

Alex Gaynor [:Alex_Gaynor]

Comment 4

•

7 years ago

mozreview-review

Comment on attachment 8912335 [details] Bug 1401756 - [Mac] Remove unneeded mach-lookups from plugin sandbox rules. https://reviewboard.mozilla.org/r/183662/#review188892

Attachment #8912335 - Flags: review?(agaynor) → review+

Haik Aftandilian [:haik]

Assignee

Comment 5

•

7 years ago

I did some manual tests on 10.9 and didn't encounter any problems.

Pulsebot

Comment 6

•

7 years ago

Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a327ade4032c [Mac] Remove unneeded mach-lookups from plugin sandbox rules. r=Alex_Gaynor

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 7

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/a327ade4032c

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox58: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla58

Sylvestre Ledru [:Sylvestre]

Updated

•

7 years ago

status-firefox57: affected → wontfix

You need to log in before you can comment on or make changes to this bug.

Bugzilla

[Mac] Remove unneeded mach-lookups from plugin sandbox rules

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Tracking

()

People

(Reporter: haik, Assigned: haik)

References

Details

(Whiteboard: sb+)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Comment 7

Updated

Attachment

General

Description

File Name

Content Type