Closed Bug 1491940 Opened 6 years ago Closed 6 years ago

[Mac] Allow Adobe DRM content to play with the Mac Flash sandbox

Categories

(Core :: Security: Process Sandboxing, defect, P1)

63 Branch
Unspecified
macOS
defect

Tracking


VERIFIED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- verified
firefox63 --- verified
firefox64 --- verified

People

(Reporter: haik, Assigned: haik)

Details

(Keywords: regression)

Attachments

(1 file)

Adobe reported that playback of some DRM streams using their Flash TVSDK is now failing with the Mac Flash sandbox shipped in 62 and enabled by default.

Steps to reproduce (provided by Adobe):

  1. Delete all contents from the directory:
     ~/Library/Caches/Adobe/Flash Player/APSPrivateData2/<some number>/drm-plug-mac-x64/

  2. Visit our test DRM video player:
     https://drmtest2.adobe.com/AccessPlayer/player.html 

It'll have a video stream URL prefilled (http://drmtest2.adobe.com/Content/FAXS4/Anonymous_LOCAL/sample.mp4.m3u8). Try to play the stream using the play button (leftmost on the bottom toolbar). If the whitelisting works, a video of a train will start playing. The column on the right shows the logs. If the playback fails because of the lack of file write access, the logs will stop with an error code (3374 or 3313).
Assignee: nobody → haftandilian
Priority: -- → P1
Summary: [Mac] Allow Adobe Primetime DRM content to play with the Mac Flash sandbox → [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox
Debugging revealed that the Flash process needs write access to paths like the following.

  /private/var/folders/63/ajdfjlakdjflakjsdflkajfdl/T/TemporaryItems/(A Document Being Saved By NightlyCP 3)/CertStore.dat

After adding a regex allowing file-read* and file-write* to paths like this, the video streams worked as expected.

Without any of file-write-data, file-write-create, file-write-mode, and file-write-unlink, the streaming didn't work, so I'm choosing to allow file-write*, aiming to make the rules less brittle to minor changes in the future that get made to Flash or OS libraries.

Tested on 10.9, 10.10, and 10.13 so far.
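
An added example, not part of the bug or the landed patch: an offline scope check for a path-regex allow rule like the one described above, comparing an anchored pattern with a loose one over constructed paths. `TIGHT_RULE`, `LOOSE_RULE`, `covered` and `audit` are hypothetical names, the patterns are modelled only on the path quoted in this bug, and evaluating them with Python's `re` after `normpath` is an assumption about how the rule should behave, not a model of the macOS sandbox matcher.

```python
import posixpath
import re

# Hypothetical allow-rule pattern modelled on the path quoted in the bug.
# It is NOT the regex from the landed patch.
TIGHT_RULE = re.compile(
    r"^/private/var/folders/[^/]+/[^/]+/T/TemporaryItems/"
    r"\(A Document Being Saved By [^/]+\)/CertStore\.dat$"
)
# Deliberately loose variant, for comparison only.
LOOSE_RULE = re.compile(r"/TemporaryItems/.*CertStore\.dat")

BASE = ("/private/var/folders/63/ajdfjlakdjflakjsdflkajfdl/T/TemporaryItems/"
        "(A Document Being Saved By NightlyCP 3)")

# Constructed sample paths: (path, should the rule cover it?)
CASES = [
    (BASE + "/CertStore.dat", True),             # path from the bug
    (BASE + "/CertStore.dat.bak", False),        # trailing suffix
    (BASE + "/sub/CertStore.dat", False),        # extra directory level
    (BASE + "/../../../CertStore.dat", False),   # ".." climbs out of the dir
    ("/Users/test/TemporaryItems/notCertStore.dat", False),  # outside var/folders
]


def covered(rule, path):
    """True if rule matches the path after "." and ".." are collapsed."""
    return rule.search(posixpath.normpath(path)) is not None


def audit(rule, cases=CASES):
    """Return the paths where the rule's decision differs from the intent."""
    return [p for p, want in cases if covered(rule, p) != want]


if __name__ == "__main__":
    for name, rule in (("tight", TIGHT_RULE), ("loose", LOOSE_RULE)):
        print(name, "unexpected decisions:", audit(rule))
```
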
Add a whitelisted write-access path regex to the Flash plugin sandbox.
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Alex Gaynor [:Alex_Gaynor] has approved the revision.
Attachment #9011516 - Flags: review+
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5945bfd7277
[Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/b5945bfd7277
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Approval Request Comment

[Feature/Bug causing the regression]:
Mac Flash process sandbox. Bug 1474375.

[User impact if declined]:
As reported by Adobe, some Adobe Flash DRM encrypted video streams fail to play in Firefox starting in build 62.

[Is this code covered by automated tests?]:
No

[Has the fix been verified in Nightly?]:
A build of Nightly with the fix was sent to Adobe and verified.

[Needs manual test from QE? If yes, steps to reproduce]: 
Verify the video at the provided URL plays after deleting cached data as described in the bug description.

[List of other uplifts needed for the feature/fix]:
None

[Is the change risky?]:
No

[Why is the change risky/not risky?]:
The change adds a write-access whitelist rule to the Flash process sandbox on Mac, making the sandbox slightly more permissive, and is unlikely to cause regressions.

[String changes made/needed]:
None
Attachment #9011516 - Flags: approval-mozilla-release?
Attachment #9011516 - Flags: approval-mozilla-beta?
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

Low-risk patch for a P1 regression, uplift approved for 63 beta 10, thanks.
Attachment #9011516 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
I managed to reproduce the issue using an older version of Nightly (2018-09-17) on macOS 10.13.
I retested everything on latest Nightly 64.0a1 on the same platform and the bug is not reproducing anymore. The video starts playing without any errors. 
I can still reproduce on beta 63.0b9. I think I have to wait until beta 63.0b10 is up to verify the fix.
I verified the fix on beta 63.0b10 using macOS 10.13. The bug is not reproducing anymore.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Comment on attachment 9011516 [details]
Bug 1491940 - [Mac] Allow Adobe DRM content to play with the Mac Flash sandbox r?Alex_Gaynor

macOS sandbox change, approved for 62.0.3
Attachment #9011516 - Flags: approval-mozilla-release? → approval-mozilla-release+
Flags: qe-verify+
I verified the fix using Firefox 62.0.3 on macOS 10.13. The bug is not reproducing anymore.
Flags: qe-verify+