Bug 1403669 (Closed)
Opened 8 years ago; closed 8 years ago
[Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names
Categories: Core :: Security: Process Sandboxing, enhancement, P1
Status: RESOLVED FIXED, target milestone mozilla58
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | fixed |
People: Reporter: haik, Assigned: haik
Details: Whiteboard: sb+
Attachments: 1 file
We have regular expressions in the Mac policy to allow content to access legacy extensions from the per-user and per-system directories, but the regular expressions only match paths with 1-character subdirectories of the extensions dir. Here are the relevant regexes.

```scheme
; Per-user and system-wide Extensions dir
(allow file-read*
  (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
  (regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
```

This means the per-user and per-system extension dirs will not work properly on build 56+. Build 56 introduced stronger filesystem read access restrictions.
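As an added illustration (not code from the bug or from mozilla-central), the following Python models how the original rule, the unanchored patch revision reviewed later in this bug, and the final `^`-anchored rule decide sample paths. Python's `re.search` stands in for the sandbox regex engine (sandbox regexes are unanchored unless they start with `^`); the home directory and sample paths are constructed.

```python
import re

# Added example. Constructed home directory for modelling the home-regex form.
HOME = "/Users/alice"

# Original rule from the description: only 1-character subdirectories match.
RULE_ORIGINAL = r"/Library/Application Support/[^/]+/Extensions/[^/]/"
# Diff revision 1: subdirectory constraint dropped, but still unanchored.
RULE_PATCH_V1 = r"/Library/Application Support/[^/]+/Extensions/"
# After review: leading ^ anchors the match to the start of the path.
RULE_FINAL = r"^/Library/Application Support/[^/]+/Extensions/"


def allowed(path: str, rule: str) -> bool:
    """True if `path` would get file-read* from (regex rule) or (home-regex rule).

    (regex ...) is matched against the absolute path; (home-regex ...) is
    matched against the path with the home-directory prefix removed.
    """
    pattern = re.compile(rule)
    if pattern.search(path):                      # system-wide form
        return True
    if path.startswith(HOME + "/"):               # per-user form
        return bool(pattern.search(path[len(HOME):]))
    return False


# Constructed sample paths. The GUID-style directory name is a made-up
# stand-in for a legacy add-on install dir; it is far longer than one char.
GUID_DIR = "{12345678-abcd-4321-dcba-0123456789ab}"
SYSTEM_LEGACY = f"/Library/Application Support/Mozilla/Extensions/{GUID_DIR}/addon.xpi"
USER_LEGACY = f"{HOME}/Library/Application Support/Mozilla/Extensions/{GUID_DIR}/addon.xpi"
ONE_CHAR_DIR = "/Library/Application Support/Mozilla/Extensions/a/addon.xpi"
# A path that merely *contains* the extensions-dir substring below /private/tmp.
ELSEWHERE = "/private/tmp/Library/Application Support/Mozilla/Extensions/a/addon.xpi"


def decisions(path: str) -> dict:
    """Map rule name -> allow decision, so the three rule versions can be compared."""
    return {
        "original": allowed(path, RULE_ORIGINAL),
        "patch_v1": allowed(path, RULE_PATCH_V1),
        "final": allowed(path, RULE_FINAL),
    }


if __name__ == "__main__":
    for name, p in [("system legacy", SYSTEM_LEGACY), ("user legacy", USER_LEGACY),
                    ("1-char dir", ONE_CHAR_DIR), ("elsewhere", ELSEWHERE)]:
        print(f"{name:14} {decisions(p)}")
```

The original rule rejects both real legacy add-on paths, the unanchored revision accepts them but also the path under /private/tmp, and only the anchored rule accepts exactly the two intended directories.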
Comment 2 (Assignee) • 8 years ago
We should whitelist these directories in 56 because legacy addons installed system-wide or user-wide must still work in 56. We shouldn't need these directories whitelisted in 57 because legacy addons won't be supported and the whitelisting is not required for WebExtension sideloading, but we planned to wait until 58 to remove these rules. After this fix is uplifted to 57 and 56, bug 1356167 will remove the rules completely in 58.
Updated • 8 years ago
Assignee: nobody → haftandilian
Priority: -- → P1
Whiteboard: sb+
Comment 3 (mozreview-review) • 8 years ago
Comment on attachment 8913033 [details]
Bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names.
https://reviewboard.mozilla.org/r/184402/#review189772
::: security/sandbox/mac/SandboxPolicies.h:272
(Diff revision 1)
> (allow device-microphone)
>
> ; Per-user and system-wide Extensions dir
> (allow file-read*
> - (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
> - (regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
> + (home-regex "/Library/Application Support/[^/]+/Extensions/")
> + (regex "/Library/Application Support/[^/]+/Extensions/"))
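Review bot: both replacement patterns in this hunk are still unanchored, so `/Library/Application Support/[^/]+/Extensions/` matches that substring anywhere in a path rather than only directly under the root (for `regex`) or the home directory (for `home-regex`), and the rule grants file-read* more broadly than the per-user and system-wide extension dirs the comment above it describes; prefix each pattern with `^`, e.g. `(regex "^/Library/Application Support/[^/]+/Extensions/")`.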
Please add a leading `^` to this regex.
Comment 4 (Assignee, mozreview-review-reply) • 8 years ago
Comment on attachment 8913033 [details]
Bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names.
https://reviewboard.mozilla.org/r/184402/#review189772
> Please add a leading `^` to this regex.
Done. Good catch!
Comment 6 (mozreview-review) • 8 years ago
Comment on attachment 8913033 [details]
Bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names.
https://reviewboard.mozilla.org/r/184402/#review190212
Attachment #8913033 - Flags: review?(agaynor) → review+
Comment 7 • 8 years ago
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.
hg error in cmd: hg rebase -s 87775e2809d0 -d a9af2009e406: rebasing 423446:87775e2809d0 "Bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names. r=Alex_Gaynor" (tip)
merging security/sandbox/mac/SandboxPolicies.h
warning: conflicts while merging security/sandbox/mac/SandboxPolicies.h! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/febc67e303a2
[Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names. r=Alex_Gaynor
Comment 10 (bugherder) • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58