Closed Bug 1570840 Opened 4 years ago Closed 4 years ago

Set in Hardened Runtime entitlement files


(Core :: Security: Process Sandboxing, defect, P1)

70 Branch



Tracking Status
firefox70 --- wontfix


(Reporter: haik, Assigned: haik)




(1 file, 1 obsolete file)

Now that the definition of the entitlement has changed (see attachment) to mean allow unsigned libraries when set to true, and require signed when false, we should change to false in our Hardened Runtime entitlement lists.

Assignee: nobody → haftandilian
Depends on: 1566127
Priority: -- → P1

I didn't mean to file this as a security bug. It's unlikely this could be used in an attack right now. It is security related.

The posted patch sets in developer and production Hardened Runtime entitlements and (unrelated) updates comments for because @executable_path was not the type of dlyld variable affected.

I'll wait for bug 1570451 to be addressed in the Catalina Beta so we can test this on the latest macOS version.

Unhiding per comment 1.

Group: core-security

Some additional context:

Our macOS builds enable Hardened Runtime and Notarization. With Hardened Runtime, the application is configured with a set of entitlements that control security settings. The entitlement recently changed to mean that when set to true, the application is permitted to load unsigned shared libraries. When set to false, shared libraries must be signed.

All our shared libraries shipped with Firefox are signed and system shared libraries are signed. Firefox processes have to load third party libraries for Flash and Widevine playback. Flash is signed. The Mac Widevine CDM is signed starting with version 4.10.1440.19 which is rolling out via bug 1566127 which is a dependency.

Pushed by
Set in Hardened Runtime entitlement files r=handyman
See Also: → 1562756
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Backed out for breaking Netflix and Flash on Mac Nightly (as per request)

Resolution: FIXED → ---
Target Milestone: mozilla70 → ---

I requested this be backed out for causing bug 1574213.

I was wrong and we can't set because that would require all loaded libraries to be codesigned with the same Apple developer team ID. I misread the updated docs and didn't realize that was the case. Flash and Widevine libs are not signed by Mozilla (they're signed by Adobe and Google respectively) and therefore can't be loaded with I'll close this bug as invalid.

Closed: 4 years ago4 years ago
Resolution: --- → INVALID
Regressions: 1574213
Attachment #9082794 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.