Closed Bug 1565575 Opened 6 years ago Closed 6 years ago

Sandboxing on OSX blocks lots of media decoding calls

Categories

(Core :: Security: Process Sandboxing, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: padenot, Assigned: padenot)

References

Details

Attachments

(1 file)

When cubeb sandboxing is enabled, quite a few functions that are being used for decoding are blocked and error out, resulting in lots of failed tests.

This happens here: https://searchfox.org/mozilla-central/source/dom/ipc/ContentParent.cpp#1950 and here https://searchfox.org/mozilla-central/source/dom/ipc/ContentChild.cpp#1648.

For example, https://searchfox.org/mozilla-central/source/dom/media/platforms/apple/AppleATDecoder.cpp#545 or https://searchfox.org/mozilla-central/source/dom/media/platforms/apple/AppleATDecoder.cpp#336 fail.

I don't know much about OSX sandboxing, but I'll try to let those functions pass through.

Flags: needinfo?(kinetik)
Flags: needinfo?(jyavenard)
Flags: needinfo?(haftandilian)
Flags: needinfo?(alex.gaynor)
Priority: -- → P2
Assignee: nobody → padenot

I can help with this. When we set media.cubeb.sandbox=true, we remove the rules in SandboxPolicyContentAudioAddend from the content process sandbox policy, making it more restrictive. We haven't thoroughly tested this (certainly not recently) and there's a good chance we will have to adjust the rules that Cubeb remoting allows us to remove. One of the main security wins will be to allow removal of (allow device-microphone), which grants access to the microphone.

To experiment with this, we can start by moving these entries into the main content process policy string SandboxPolicyContent and add them back to SandboxPolicyContentAudioAddend one at a time to find a combination that works. Then investigate each item we need to keep in more detail.

Note: some of the rules are conditional on the OS version and will act differently on try vs newer OS versions.

static const char SandboxPolicyContentAudioAddend[] = R"SANDBOX_LITERAL(
  (allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))
  (allow mach-lookup
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.audio.audiohald"))
  (if (>= macosMinorVersion 13)
    (allow mach-lookup
    ; bug 1376163
    (global-name "com.apple.audio.AudioComponentRegistrar")))
  (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
  (allow file-read* (subpath "/Library/Audio/Plug-Ins"))
  (allow device-microphone)
)SANDBOX_LITERAL";
Flags: needinfo?(kinetik)
Flags: needinfo?(jyavenard)
Flags: needinfo?(haftandilian)
Flags: needinfo?(alex.gaynor)
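The comment above describes dropping SandboxPolicyContentAudioAddend from the content policy when media.cubeb.sandbox=true and then adding rules back one at a time, and the fix that landed keeps the AudioComponentRegistrar mach-lookup so the system decoders still work. As an added example (not Firefox's SandboxPolicies code), here is a small Python audit script that splits SBPL fragments into top-level rules, evaluates the macosMinorVersion conditional the addend uses, and reports which capabilities each policy variant grants. AUDIO_ADDEND is the addend quoted above; BASE_POLICY, DECODER_ADDEND and the composition in content_policy are assumptions about the shape of the base policy and of the fix, not copies of them.

```python
"""Audit the capabilities a content-process sandbox policy grants with cubeb
audio remoting off, on, and on-with-the-fix. Added example, not Firefox code:
BASE_POLICY stands in for SandboxPolicyContent, AUDIO_ADDEND is the addend
quoted in the bug, and DECODER_ADDEND is an assumed shape for the fix."""
import re

BASE_POLICY = r'''
  (version 1)
  (deny default)
'''
# SandboxPolicyContentAudioAddend as quoted in the bug.
AUDIO_ADDEND = r'''
  (allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))
  (allow mach-lookup
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.audio.audiohald"))
  (if (>= macosMinorVersion 13)
    (allow mach-lookup
    ; bug 1376163
    (global-name "com.apple.audio.AudioComponentRegistrar")))
  (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
  (allow file-read* (subpath "/Library/Audio/Plug-Ins"))
  (allow device-microphone)
'''
# Assumed shape of the fix: system decoders need the component registrar even
# when audio I/O is remoted, so only this rule survives when the addend goes.
DECODER_ADDEND = r'''
  (if (>= macosMinorVersion 13)
    (allow mach-lookup
      (global-name "com.apple.audio.AudioComponentRegistrar")))
'''


def top_level_forms(text):
    """Split SBPL into balanced top-level forms. ; comments are dropped and
    parentheses inside "strings" are not counted (escapes not handled)."""
    forms, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if not in_str and c == ";":          # comment runs to end of line
            i = text.find("\n", i)
            if i < 0:
                break
            continue                         # the newline itself is kept
        if c == "(" and not in_str:
            depth += 1
        if depth:
            buf.append(c)
        if c == '"':
            in_str = not in_str
        elif c == ")" and not in_str:
            depth -= 1
            if depth == 0:
                forms.append("".join(buf))
                buf = []
        i += 1
    if depth or in_str:
        raise ValueError("unterminated form or string in policy")
    return forms


def resolve_if(form, macos_minor):
    """Evaluate the one conditional shape the addend uses:
    (if (>= macosMinorVersion N) <form>) -> <form>, or None if it is off."""
    m = re.match(r"\(if\s+\(>=\s+macosMinorVersion\s+(\d+)\)\s*(.*)\)\s*$",
                 form, re.DOTALL)
    if not m:
        return form
    return m.group(2).strip() if macos_minor >= int(m.group(1)) else None


def granted(policy_text, macos_minor):
    """Set of 'operation:target' capabilities the policy allows, e.g.
    'mach-lookup:com.apple.audio.coreaudiod' or a bare 'device-microphone'."""
    caps = set()
    for form in top_level_forms(policy_text):
        form = resolve_if(form, macos_minor)
        m = re.match(r"\(allow\s+([^()]*)", form) if form else None
        if not m:
            continue                         # version-gated off, or not an allow
        targets = re.findall(r'"([^"]*)"', form)
        for op in m.group(1).split():
            if targets:
                caps.update(f"{op}:{t}" for t in targets)
            else:
                caps.add(op)
    return caps


def content_policy(remoting_enabled, fixed=True):
    """media.cubeb.sandbox=false: append the whole addend. =true: drop it and,
    once the fix is in, keep only the decoder rule (assumed composition)."""
    if not remoting_enabled:
        return BASE_POLICY + AUDIO_ADDEND
    return BASE_POLICY + (DECODER_ADDEND if fixed else "")


def audit(macos_minor):
    """What remoting removes, what the fix restores, and whether the mic is gone."""
    legacy = granted(content_policy(False), macos_minor)
    broken = granted(content_policy(True, fixed=False), macos_minor)
    fixed = granted(content_policy(True), macos_minor)
    return {"removed_by_remoting": sorted(legacy - fixed),
            "restored_by_fix": sorted(fixed - broken),
            "microphone_after_fix": "device-microphone" in fixed}
```

Calling audit(14) shows seven capabilities (including device-microphone, coreaudiod and audiohald) gone with remoting and only the AudioComponentRegistrar lookup restored by the fix; audit(12) shows nothing restored, which is the point of the note about rules that are conditional on the OS version behaving differently on older try machines.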
Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e67f139cf831 Allow access to AudioComponentRegistrar when doing audio remoting on OSX to be able to use system decoders. r=haik
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
