Set com.apple.security.cs.disable-library-validation=false in Hardened Runtime entitlement files
Categories: Core :: Security: Process Sandboxing, defect, P1
Tracking: firefox70 wontfix
People: Reporter: haik, Assigned: haik
Attachments: 1 file, 1 obsolete file
Now that the definition of the com.apple.security.cs.disable-library-validation entitlement has changed (see attachment) to mean allow unsigned libraries when set to true, and require signed when false, we should change com.apple.security.cs.disable-library-validation to false in our Hardened Runtime entitlement lists.
Comment 1•6 years ago
I didn't mean to file this as a security bug. It's unlikely this could be used in an attack right now. It is security related.
Comment 2•6 years ago

Comment 3•6 years ago
The posted patch sets com.apple.security.cs.disable-library-validation=false in developer and production Hardened Runtime entitlements and (unrelated) updates comments for com.apple.security.cs.allow-dyld-environment-variables because @executable_path was not the type of dyld variable affected.
I'll wait for bug 1570451 to be addressed in the Catalina Beta so we can test this on the latest macOS version.
Comment 5•6 years ago
Some additional context:
Our macOS builds enable Hardened Runtime and Notarization. With Hardened Runtime, the application is configured with a set of entitlements that control security settings. The entitlement com.apple.security.cs.disable-library-validation recently changed to mean that when set to true, the application is permitted to load unsigned shared libraries. When set to false, shared libraries must be signed.
All our shared libraries shipped with Firefox are signed and system shared libraries are signed. Firefox processes have to load third party libraries for Flash and Widevine playback. Flash is signed. The Mac Widevine CDM is signed starting with version 4.10.1440.19 which is rolling out via bug 1566127 which is a dependency.
Comment 7•6 years ago
bugherder
Comment 8•6 years ago
Backed out for breaking Netflix and Flash on Mac Nightly (as per request)
backout: https://hg.mozilla.org/mozilla-central/rev/aab73dbec4586b814066c09f96538f9e7ad235d0
Comment 9•6 years ago
I requested this be backed out for causing bug 1574213.
I was wrong and we can't set com.apple.security.cs.disable-library-validation=false because that would require all loaded libraries to be codesigned with the same Apple developer team ID. I misread the updated docs and didn't realize that was the case. Flash and Widevine libs are not signed by Mozilla (they're signed by Adobe and Google respectively) and therefore can't be loaded with com.apple.security.cs.disable-library-validation=false. I'll close this bug as invalid.
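The following is an added example, not Mozilla's code and not an attachment on this bug. It turns the rule stated in comment 9 into a check a practitioner can run before flipping the entitlement: with com.apple.security.cs.disable-library-validation false (or absent, which Hardened Runtime treats the same way), every library the process loads must be an Apple system library or carry the same Team ID as the main executable. The Team IDs AAAAAAAAAA and BBBBBBBBBB, the entitlements plist and the `codesign -dvv` transcripts are constructed samples; `check_bundle` runs the real `codesign` tool and therefore only works on macOS, and it assumes the bundle's Info.plist names the main executable via CFBundleExecutable.

```python
"""Library-validation check for a Hardened Runtime bundle (added example).

Models the rule from comment 9: when the disable-library-validation
entitlement is false or absent, a Hardened Runtime process may only load
libraries signed by Apple or by the same Team ID as the main executable.
All Team IDs, paths and codesign transcripts below are constructed samples.
"""
import plistlib
import re
import subprocess
import sys
from pathlib import Path

ENTITLEMENT = "com.apple.security.cs.disable-library-validation"

# Constructed entitlements plist; library validation left enforced (false).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <false/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
</dict>
</plist>
"""

# Constructed `codesign -dvv` transcripts. AAAAAAAAAA is the placeholder
# Team ID of the app vendor, BBBBBBBBBB that of a third-party CDM vendor.
SAMPLE_CODESIGN = {
    "firefox": "Identifier=org.mozilla.firefox\nTeamIdentifier=AAAAAAAAAA\n",
    "libnss3.dylib": "Identifier=libnss3\nTeamIdentifier=AAAAAAAAAA\n",
    "libwidevinecdm.dylib": "Identifier=libwidevinecdm\nTeamIdentifier=BBBBBBBBBB\n",
    "libSystem.B.dylib": ("Identifier=com.apple.libSystem.B\n"
                          "Authority=Software Signing\nTeamIdentifier=not set\n"),
    "unsigned.dylib": "unsigned.dylib: code object is not signed at all\n",
}


def library_validation_enforced(entitlements: bytes) -> bool:
    """True when the plist leaves library validation on (key false or absent)."""
    return not bool(plistlib.loads(entitlements).get(ENTITLEMENT, False))


def parse_team_identifier(codesign_output: str):
    """TeamIdentifier from `codesign -dvv` text; None if unsigned or 'not set'."""
    match = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.MULTILINE)
    if match is None or match.group(1).strip() == "not set":
        return None
    return match.group(1).strip()


def is_apple_platform_binary(codesign_output: str) -> bool:
    """Apple system libraries are signed by the 'Software Signing' authority
    and are accepted by library validation regardless of Team ID."""
    return "Authority=Software Signing" in codesign_output


def blocked_libraries(enforced: bool, app_output: str, lib_outputs: dict):
    """[(library, reason)] for libraries that library validation would refuse
    to load into the app; empty when validation is disabled."""
    if not enforced:
        return []
    app_team = parse_team_identifier(app_output)
    blocked = []
    for name, output in lib_outputs.items():
        if is_apple_platform_binary(output):
            continue
        lib_team = parse_team_identifier(output)
        if lib_team is None:
            blocked.append((name, "not signed with a Team ID"))
        elif lib_team != app_team:
            blocked.append((name, f"Team ID {lib_team} != app Team ID {app_team}"))
    return blocked


def codesign_info(path: Path) -> str:
    """Run the real `codesign -dvv` (macOS only); it reports on stderr."""
    proc = subprocess.run(["codesign", "-dvv", str(path)], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_bundle(bundle: Path, extra_libs=()):
    """Inspect a real .app: main executable vs every .dylib in the bundle plus
    any extra library paths (e.g. a separately downloaded CDM)."""
    info = plistlib.loads((bundle / "Contents" / "Info.plist").read_bytes())
    app_exe = bundle / "Contents" / "MacOS" / info["CFBundleExecutable"]
    ent = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(app_exe)],
                         capture_output=True).stdout
    enforced = library_validation_enforced(ent) if ent.strip() else True
    libs = list(bundle.rglob("*.dylib")) + [Path(p) for p in extra_libs]
    return blocked_libraries(enforced, codesign_info(app_exe),
                             {str(p): codesign_info(p) for p in libs})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_bundle(Path(sys.argv[1]), sys.argv[2:])
    else:  # offline demo on the constructed samples
        libs = {k: v for k, v in SAMPLE_CODESIGN.items() if k != "firefox"}
        result = blocked_libraries(library_validation_enforced(SAMPLE_ENTITLEMENTS),
                                   SAMPLE_CODESIGN["firefox"], libs)
    for name, reason in result:
        print(f"BLOCKED {name}: {reason}")
```

Run without arguments it reports the two constructed libraries that would fail (the third-party CDM with a different Team ID and the unsigned one); run as `python3 check.py /Applications/Firefox.app /path/to/libwidevinecdm.dylib` on macOS it performs the same comparison against real `codesign` output, which is exactly the situation that caused the backout in comment 8.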