Closed Bug 1611288 Opened 1 year ago Closed 1 year ago

Add macOS sandboxing to socket process

Categories

(Core :: Networking, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla76
Tracking Status
firefox76 --- fixed

People

(Reporter: mjf, Assigned: mjf)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

The socket process needs macOS sandboxing.

Assignee: nobody → mfroman
Priority: -- → P2
Whiteboard: [necko-triaged]
Blocks: 1611527

Haik, the macOS sandbox for the socket process is causing calls to PR_Bind to fail here[1]. Do you know what I should change to allow that call or will this require a different sandbox than MacSandboxType_Utility?

[1] https://searchfox.org/mozilla-central/source/media/mtransport/nr_socket_prsock.cpp#679

Flags: needinfo?(haftandilian)

An example test that fails:
./mach mochitest --keep-open=false dom/media/tests/mochitest/identity/test_peerConnection_asymmetricIsolation.html

It passes with:
MOZ_DISABLE_SOCKET_PROCESS_SANDBOX=1 ./mach mochitest --keep-open=false dom/media/tests/mochitest/identity/test_peerConnection_asymmetricIsolation.html

(In reply to Michael Froman [:mjf] from comment #4)
> Haik, the macOS sandbox for the socket process is causing calls to PR_Bind to fail here[1]. Do you know what I should change to allow that call or will this require a different sandbox than MacSandboxType_Utility?
>
> [1] https://searchfox.org/mozilla-central/source/media/mtransport/nr_socket_prsock.cpp#679

We don't want to add any networking allowances to the utility sandbox, so I suspect we would want to create a new sandbox type. We need to learn more about the requirements for the socket process first. Either way, I can help with that. I'll start looking into the requirements.

Flags: needinfo?(haftandilian)

To clarify the status of this bug: since the initial r+ code review, it was determined that we need a new sandbox profile that allows networking access as well as additional file system access for any files needed for DNS resolution and certificates. I'll be working on a new Mac sandbox profile for the socket process and then :mjf's changes should only need small changes to use the new networking sandbox profile.

Haik, do you have a bug number for the new profile work?

Flags: needinfo?(haftandilian)

(In reply to Michael Froman [:mjf] from comment #8)
> Haik, do you have a bug number for the new profile work?

Bug 1614983. I should have something to test with by next week.

Depends on: 1614983
Flags: needinfo?(haftandilian)

(In reply to Haik Aftandilian [:haik] from comment #9)
> (In reply to Michael Froman [:mjf] from comment #8)
> > Haik, do you have a bug number for the new profile work?
>
> Bug 1614983. I should have something to test with by next week.

Thank you!

See Also: → 1620716
Pushed by mfroman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c1ca51edaa44
add macOS sandboxing to socket process. r=haik
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Regressions: 1622855