Closed Bug 1593071 Opened 3 months ago Closed 2 months ago

[macOS] Land different entitlement files for parent and child processes

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Unspecified
macOS
enhancement

Tracking

()

RESOLVED FIXED
mozilla72
Tracking Status
firefox72 --- fixed

People

(Reporter: haik, Assigned: haik)

References

(Depends on 1 open bug, Blocks 1 open bug)

Attachments

(1 file)

We can get some hardening benefits by using different entitlements for different processes. For example, only child processes need to support DYLD variables (for loading our plugin_child_interpose dylib) so we should be able to set com.apple.security.cs.allow-dyld-environment-variables=false in the parent process. This bug is filed to add the new process-specific entitlement files to the tree. I'll link up a bug for the CI work needed to pull in the new entitlement files and support different entitlement files during codesigning.

Additionally, if we used distinct executables for different child process types, that would allow for more fine-grained entitlement usage. For now, we use the plugin-container (with different sandbox rulesets) for all child process types (webcontent, Widevine, Flash, etc.). That's out of scope for this fix.
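The split described above can be checked mechanically. The following is an added example, not code from this bug or from the Firefox tree: it parses entitlement plists and flags entitlements granted to a role that should not hold them. The deny list, the helper names, and the sample plists (including the `allow-jit` entry) are assumptions constructed for illustration.

```python
import plistlib

DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

# Assumed per-role deny list. The only rule taken from the bug is that the
# parent (browser) process does not need DYLD environment variable support.
FORBIDDEN = {"browser": {DYLD_ENV}, "plugin-container": set()}

def _plist(entries):
    """Build a constructed XML entitlements file from {key: bool}."""
    body = "".join(
        f"<key>{k}</key><{'true' if v else 'false'}/>" for k, v in entries.items()
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<plist version="1.0"><dict>{body}</dict></plist>'
    ).encode()

# Constructed samples, not the entitlement files landed in the tree.
JIT = "com.apple.security.cs.allow-jit"
SHARED = _plist({DYLD_ENV: True, JIT: True})    # one file for every process
BROWSER = _plist({DYLD_ENV: False, JIT: True})  # parent: DYLD explicitly off
CHILD = _plist({DYLD_ENV: True, JIT: True})     # plugin-container keeps DYLD

def granted(plist_bytes):
    """Entitlement keys whose value is boolean true (false counts as absent)."""
    data = plistlib.loads(plist_bytes)
    return {k for k, v in data.items() if v is True}

def audit(role, plist_bytes):
    """Entitlements granted to `role` that its deny list forbids."""
    return sorted(granted(plist_bytes) & FORBIDDEN[role])

def child_only(browser_bytes, child_bytes):
    """Entitlements the child holds that the parent has dropped."""
    return sorted(granted(child_bytes) - granted(browser_bytes))

if __name__ == "__main__":
    print("shared file on browser:", audit("browser", SHARED))
    print("split file on browser: ", audit("browser", BROWSER))
    print("child-only entitlements:", child_only(BROWSER, CHILD))
```

On macOS, the same functions can be fed the entitlements embedded in a signed binary, for example the output of `codesign -d --entitlements :- <path>`.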

Blocks: 1593072
Assignee: nobody → haftandilian
Priority: -- → P1

With this fix, I plan to land separate entitlement files for the browser (aka parent) process and plugin-container child processes. That will be one file for the browser process and one file for plugin-container processes. We use plugin-container for web content, file web content, GMP processes (Widevine), RDD processes, OpenH264 processes, and Flash.

Bug 1593389 is filed to cover using different executable names for the different plugin-container types.

The changes will not take effect until bug 1593072 is fixed. We will continue to use the old entitlement files until that time.

Add separate entitlement files for the browser (aka parent process) and plugin-container processes. Leave the old production and developer entitlement files in place.

Once automation has been updated to use the new process-specific entitlement files (bug 1593072), the older entitlement files can be removed.

Future work will change the process-specific entitlements to be minimized for each process type.

Update codesign.bash to

  1. use the separate browser and plugin-container entitlement files
  2. only sign executables with entitlements, and not sign unnecessary files
  3. output to a .dmg instead of a .zip file.

Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/497690887467
[macOS] Land different entitlement files for parent and child processes r=spohl

Pushed by aiakab@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fe7a4ae3b384
Fix for the license lint failure. r=RyanVM

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Depends on: 1606778