Closed Bug 1570840 Opened 2 months ago Closed Last month

Set com.apple.security.cs.disable-library-validation=false in Hardened Runtime entitlement files

Categories: Core :: Security: Process Sandboxing (defect, P1)
Version: 70 Branch
Platform: Unspecified
OS: macOS
Type: defect

Tracking

Status: RESOLVED INVALID
Tracking Status: firefox70 --- affected

People

(Reporter: haik, Assigned: haik)

References

Details

Attachments

(1 file, 1 obsolete file)

Now that the definition of the com.apple.security.cs.disable-library-validation entitlement has changed (see attachment) to mean allow unsigned libraries when set to true, and require signed when false, we should change com.apple.security.cs.disable-library-validation to false in our Hardened Runtime entitlement lists.

Assignee: nobody → haftandilian
Depends on: 1566127
Priority: -- → P1

I didn't mean to file this as a security bug. It's unlikely this could be used in an attack right now. It is security related.

The posted patch sets com.apple.security.cs.disable-library-validation=false in developer and production Hardened Runtime entitlements and (unrelated) updates comments for com.apple.security.cs.allow-dyld-environment-variables because @executable_path was not the type of dyld variable affected.

I'll wait for bug 1570451 to be addressed in the Catalina Beta so we can test this on the latest macOS version.

Unhiding per comment 1.

Group: core-security

Some additional context:

Our macOS builds enable Hardened Runtime and Notarization. With Hardened Runtime, the application is configured with a set of entitlements that control security settings. The entitlement com.apple.security.cs.disable-library-validation recently changed to mean that when set to true, the application is permitted to load unsigned shared libraries. When set to false, shared libraries must be signed.

All our shared libraries shipped with Firefox are signed and system shared libraries are signed. Firefox processes have to load third party libraries for Flash and Widevine playback. Flash is signed. The Mac Widevine CDM is signed starting with version 4.10.1440.19 which is rolling out via bug 1566127 which is a dependency.

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ee3e55708782
Set com.apple.security.cs.disable-library-validation=false in Hardened Runtime entitlement files r=handyman
See Also: → 1562756
Status: NEW → RESOLVED
Closed: Last month
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Backed out for breaking Netflix and Flash on Mac Nightly (as per request)
backout: https://hg.mozilla.org/mozilla-central/rev/aab73dbec4586b814066c09f96538f9e7ad235d0

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla70 → ---

I requested this be backed out for causing bug 1574213.

I was wrong and we can't set com.apple.security.cs.disable-library-validation=false because that would require all loaded libraries to be codesigned with the same Apple developer team ID. I misread the updated docs and didn't realize that was the case. Flash and Widevine libs are not signed by Mozilla (they're signed by Adobe and Google respectively) and therefore can't be loaded with com.apple.security.cs.disable-library-validation=false. I'll close this bug as invalid.

Status: REOPENED → RESOLVED
Closed: Last month
Resolution: --- → INVALID
Regressions: 1574213
Attachment #9082794 - Attachment is obsolete: true
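The comments above ("Some additional context" and the closing comment) describe the rule that sank the patch: with library validation left on (the entitlement absent or false) a Hardened Runtime process may load only libraries signed by Apple or by the same Team ID as the host app, whereas setting the entitlement to true lets it load any library, signed or not. The script below models that rule so the outcome can be checked before shipping an entitlements change. It is an added example, not Mozilla's build tooling and not the patch attached to this bug. The two entitlements plists, the Team IDs, the library names and the codesign output are all constructed; the way Apple platform binaries are recognised in codesign output (an `Authority=Software Signing` line and `TeamIdentifier=not set`) is an assumption of the example.

```python
"""
Model of macOS Hardened Runtime library validation.

Added example for bug 1570840; not Mozilla's code.  Team IDs, library
names, codesign output and entitlements below are constructed.
Rule modelled: with com.apple.security.cs.disable-library-validation
absent or false, only libraries signed by Apple or by the host app's own
Team ID may be loaded; with it true, any library may be loaded.
"""
import plistlib
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTITLEMENT = "com.apple.security.cs.disable-library-validation"

# Constructed entitlements: the value the backed-out patch set (false) and
# the value the bug ended up keeping (true).
ENTITLEMENTS_STRICT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>"""

ENTITLEMENTS_RELAXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""


def library_validation_enabled(entitlements_plist: bytes) -> bool:
    """Library validation stays on unless the entitlement is explicitly true."""
    ents = plistlib.loads(entitlements_plist)
    return not bool(ents.get(ENTITLEMENT, False))


@dataclass
class SignedLibrary:
    name: str
    team_id: Optional[str]   # None when unsigned or when codesign says "not set"
    apple_platform: bool     # signed by Apple's own platform signing chain


def parse_codesign_output(name: str, text: str) -> SignedLibrary:
    """Parse the key=value lines printed by `codesign -dv --verbose=4 <lib>`.

    Assumption (example's own): an Apple platform binary shows
    'Authority=Software Signing' and 'TeamIdentifier=not set'; an unsigned
    file makes codesign print 'code object is not signed at all' instead.
    """
    if "not signed at all" in text:
        return SignedLibrary(name, None, False)
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields.setdefault(key.strip(), []).append(value.strip())
    team = fields.get("TeamIdentifier", ["not set"])[0]
    apple = "Software Signing" in fields.get("Authority", [])
    return SignedLibrary(name, None if team == "not set" else team, apple)


def can_load(app_team_id: str, lib: SignedLibrary, validation_on: bool) -> bool:
    """Apply the library validation rule for one library."""
    if not validation_on:
        return True                      # entitlement true: anything loads
    if lib.apple_platform:
        return True                      # Apple-signed system library
    return lib.team_id is not None and lib.team_id == app_team_id


def evaluate(entitlements_plist: bytes, app_team_id: str,
             libs: List[SignedLibrary]) -> Dict[str, bool]:
    """Map each library name to whether the app could load it."""
    on = library_validation_enabled(entitlements_plist)
    return {lib.name: can_load(app_team_id, lib, on) for lib in libs}


# Constructed Team IDs and codesign output for the kinds of libraries the
# bug discusses: Mozilla-signed, Apple-signed, Adobe-signed, Google-signed
# and an unsigned plugin.
APP_TEAM = "MOZTEAM001"
SAMPLE_LIBS = [
    parse_codesign_output("libxul.dylib",
        "TeamIdentifier=MOZTEAM001\n"
        "Authority=Developer ID Application: Example Browser (MOZTEAM001)\n"),
    parse_codesign_output("libSystem.B.dylib",
        "TeamIdentifier=not set\nAuthority=Software Signing\n"
        "Authority=Apple Code Signing Certification Authority\n"),
    parse_codesign_output("Flash Player.plugin",
        "TeamIdentifier=ADOBETEAM1\n"
        "Authority=Developer ID Application: Example Plugin Vendor (ADOBETEAM1)\n"),
    parse_codesign_output("libwidevinecdm.dylib",
        "TeamIdentifier=GOOGTEAM01\n"
        "Authority=Developer ID Application: Example CDM Vendor (GOOGTEAM01)\n"),
    parse_codesign_output("unsigned.plugin",
        "unsigned.plugin: code object is not signed at all\n"),
]

if __name__ == "__main__":
    for label, ents in (("strict", ENTITLEMENTS_STRICT),
                        ("relaxed", ENTITLEMENTS_RELAXED)):
        print(label, evaluate(ents, APP_TEAM, SAMPLE_LIBS))
```

With the strict plist the model reports that libxul and the Apple system library load while the Flash, Widevine and unsigned entries do not, which is the breakage reported in bug 1574213; with the relaxed plist everything loads. On a real machine the per-library input would come from `codesign -dv --verbose=4 <path>` run against each bundled library rather than the constructed strings above.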