[macOS] Land different entitlement files for parent and child processes
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking

| Branch | Tracking | Status |
|---|---|---|
| firefox72 | --- | fixed |
People
(Reporter: haik, Assigned: haik)
Attachments
(1 file)
We can get some hardening benefits by using different entitlements for different processes. For example, only child processes need to support DYLD variables (for loading our plugin_child_interpose dylib) so we should be able to set com.apple.security.cs.allow-dyld-environment-variables=false in the parent process. This bug is filed to add the new process-specific entitlement files to the tree. I'll link up a bug for the CI work needed to pull in the new entitlement files and support different entitlement files during codesigning.

Additionally, if we used distinct executables for different child process types, that would allow for more fine-grained entitlement usage. For now, we use the plugin-container (with different sandbox rulesets) for all child process types (webcontent, Widevine, Flash, etc.). That's out of scope for this fix.
Comment 1•6 years ago
With this fix, I plan to land separate entitlement files for the browser (aka parent) process and plugin-container child processes. That will be one file for the browser process and one file for plugin-container processes. We use plugin-container for web content, file web content, GMP processes (Widevine), RDD processes, OpenH264 processes, and Flash.
Bug 1593389 is filed to cover using different executable names for the different plugin-container types.
The changes will not take effect until bug 1593072 is fixed. We will continue to use the old entitlement files until that time.
Comment 2•6 years ago
Add separate entitlement files for the browser (aka parent process) and plugin-container processes. Leave the old production and developer entitlement files in place.
Once automation has been updated to use the new process-specific entitlement files (bug 1593072), the older entitlement files can be removed.
Future work will change the process-specific entitlements to be minimized for each process type.
Update codesign.bash to
- use the separate browser and plugin-container entitlement files
- only sign executables with entitlements, not sign unnecessary files
- output to a .dmg instead of a .zip file.
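As an added illustration of the two points above (the parent process dropping com.apple.security.cs.allow-dyld-environment-variables, and codesign.bash signing each executable with its own entitlement file), here is a small script that is not Firefox's codesign.bash. It generates one constructed entitlement plist per process type, checks before signing that only the plugin-container file opts into DYLD environment variables, and signs with the hardened runtime; the app path, executable locations and signing identity are assumptions.

```shell
#!/bin/sh
# Added example, not Firefox's codesign.bash: one entitlement plist for the
# parent (browser) process and one for plugin-container, plus a pre-sign check
# that only the child file opts into DYLD environment variables. Paths, the
# identity and the plist contents are assumptions/constructed samples.
set -e
ENT_DIR=${ENT_DIR:-$(mktemp -d)}   # scratch dir for the generated plists
DYLD_KEY=com.apple.security.cs.allow-dyld-environment-variables

# Write a minimal entitlement plist to $1; $2 is "true" or "false" for $DYLD_KEY.
write_entitlements() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>$DYLD_KEY</key>
    <$2/>
</dict>
</plist>
EOF
}

# Print the boolean stored under entitlement key $2 in plist $1: true, false or absent.
entitlement_value() {
  awk -v k="$2" '
    index($0, "<key>" k "</key>") { want = 1; next }
    want && /<true\/>/  { print "true";  found = 1; exit }
    want && /<false\/>/ { print "false"; found = 1; exit }
    END { if (!found) print "absent" }
  ' "$1"
}

# The parent must not allow DYLD variables: only "false" or an absent key passes.
parent_denies_dyld_env() {
  [ "$(entitlement_value "$1" "$DYLD_KEY")" != "true" ]
}

# Sign one executable with one entitlement file under the hardened runtime.
sign_with_entitlements() {   # $1 identity, $2 entitlements plist, $3 executable
  codesign --force --options runtime --entitlements "$2" --sign "$1" "$3"
}
write_entitlements "$ENT_DIR/browser.xml" false            # parent: no DYLD vars
write_entitlements "$ENT_DIR/plugin-container.xml" true    # child: needs them for the interposer
parent_denies_dyld_env "$ENT_DIR/browser.xml" || { echo "parent entitlements allow DYLD env vars" >&2; exit 1; }

# Signing runs only on macOS with FIREFOX_APP and SIGN_IDENTITY set (assumed names/paths).
if [ -n "${FIREFOX_APP:-}" ] && command -v codesign >/dev/null 2>&1; then
  sign_with_entitlements "$SIGN_IDENTITY" "$ENT_DIR/plugin-container.xml" \
    "$FIREFOX_APP/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container"
  sign_with_entitlements "$SIGN_IDENTITY" "$ENT_DIR/browser.xml" "$FIREFOX_APP/Contents/MacOS/firefox"
fi
```

After signing on macOS, `codesign -d --entitlements :- <executable>` prints the embedded entitlements so the same check can be repeated against the signed binary.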
Comment 5•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/497690887467
https://hg.mozilla.org/mozilla-central/rev/fe7a4ae3b384