Closed Bug 1401756 Opened 2 years ago Closed 2 years ago

[Mac] Remove unneeded mach-lookups from plugin sandbox rules

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

57 Branch

RESOLVED FIXED
mozilla58
Tracking Status
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: haik, Assigned: haik)

Details

(Whiteboard: sb+)

Attachments

(1 file)

The Mac plugin sandbox allows access to some services that are probably no longer needed given that content processes work without them.

  (allow mach-lookup
      (global-name "com.apple.cfprefsd.agent")
      (global-name "com.apple.cfprefsd.daemon")
      (global-name "com.apple.system.opendirectoryd.libinfo")
      (global-name "com.apple.system.logger")
      (global-name "com.apple.ls.boxd"))

Local browsing tests on macOS 10.12 without these allowances, testing Netflix, YouTube, Amazon, and other streaming video sites, appeared to work as normal.
On 10.12, I haven't found any references to opendirectoryd.libinfo, ls.boxd, or the cfprefsd.{agent,daemon}. com.apple.system.logger appears to be a mach interface to syslogd:

  $ plutil -p /System/Library/LaunchDaemons/com.apple.syslogd.plist
  {
  ...
    "MachServices" => {
      "com.apple.system.logger" => {
        "ResetAtClose" => 1
      }
    }
  ...
  }

Needs testing on earlier OS X versions.
Whiteboard: sb+
Priority: -- → P1
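
Added example (not part of the bug report or of the Firefox source): one way to repeat the plutil check above for every name in a profile, by matching each allowed global-name against the MachServices keys of launchd plists. The inputs are constructed, and the function names and the Label value are assumptions.

```python
import plistlib
import re

# Constructed input: the mach-lookup rule quoted in the bug description.
PROFILE = """(allow mach-lookup
    (global-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.cfprefsd.daemon")
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.ls.boxd"))"""

# Constructed input: a launchd plist reduced to the keys in the plutil
# output quoted in the bug; the Label value is an assumption.
SYSLOGD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.syslogd</string>
  <key>MachServices</key><dict>
    <key>com.apple.system.logger</key>
    <dict><key>ResetAtClose</key><integer>1</integer></dict>
  </dict>
</dict></plist>"""


def mach_lookup_names(profile):
    """Return every global-name inside an (allow mach-lookup ...) form."""
    names = []
    for m in re.finditer(r"\(allow\s+mach-lookup(?=[\s()])", profile):
        depth, in_string, end = 0, False, m.start()
        for end in range(m.start(), len(profile)):
            ch = profile[end]
            if ch == '"':
                in_string = not in_string
            elif not in_string and ch in "()":
                depth += 1 if ch == "(" else -1
                if depth == 0:
                    break  # matching close paren of the allow form
        names += re.findall(r'\(global-name\s+"([^"]+)"\)', profile[m.start():end + 1])
    return names


def audit(profile, plists):
    """Map each allowed name to the launchd job labels that register it."""
    providers = {}
    for raw in plists:
        job = plistlib.loads(raw)  # accepts XML and binary plists
        for service in job.get("MachServices", {}):
            providers.setdefault(service, []).append(job.get("Label", "?"))
    return {name: providers.get(name, []) for name in mach_lookup_names(profile)}
```

On a Mac, pass the bytes of each plist under /System/Library/LaunchDaemons and /System/Library/LaunchAgents. A name with no provider is only a candidate for removal and still needs the kind of browsing tests described in this bug.
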
Comment on attachment 8912335 [details]
Bug 1401756 - [Mac] Remove unneeded mach-lookups from plugin sandbox rules.

https://reviewboard.mozilla.org/r/183662/#review188892
Attachment #8912335 - Flags: review?(agaynor) → review+
I did some manual tests on 10.9 and didn't encounter any problems.
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a327ade4032c
[Mac] Remove unneeded mach-lookups from plugin sandbox rules. r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/a327ade4032c
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58