Add macOS sandboxing to socket process
Categories
(Core :: Networking, enhancement, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox76 | --- | fixed |
People
(Reporter: mjf, Assigned: mjf)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
The socket process needs macOS sandboxing.
Comment 4 • 6 years ago (Assignee)
Haik, the macOS sandbox for the socket process is causing calls to PR_Bind to fail here[1]. Do you know what I should change to allow that call or will this require a different sandbox than MacSandboxType_Utility?
[1] https://searchfox.org/mozilla-central/source/media/mtransport/nr_socket_prsock.cpp#679
Comment 5 • 6 years ago (Assignee)
An example test that fails:
./mach mochitest --keep-open=false dom/media/tests/mochitest/identity/test_peerConnection_asymmetricIsolation.html
It passes with:
MOZ_DISABLE_SOCKET_PROCESS_SANDBOX=1 ./mach mochitest --keep-open=false dom/media/tests/mochitest/identity/test_peerConnection_asymmetricIsolation.html
Comment 6 • 6 years ago
(In reply to Michael Froman [:mjf] from comment #4)
> Haik, the macOS sandbox for the socket process is causing calls to PR_Bind to fail here[1]. Do you know what I should change to allow that call or will this require a different sandbox than MacSandboxType_Utility?
> [1] https://searchfox.org/mozilla-central/source/media/mtransport/nr_socket_prsock.cpp#679
We don't want to add any networking allowances to the utility sandbox, so I suspect we would want to create a new sandbox type. We need to learn more about the requirements for the socket process first. Either way, I can help with that. I'll start looking into the requirements.
Comment 7 • 6 years ago
To clarify the status of this bug: since the initial r+ code review, it was determined that we need a new sandbox profile that allows networking access as well as additional file system access for any files needed for DNS resolution and certificates. I'll be working on a new Mac sandbox profile for the socket process and then :mjf's changes should only need small changes to use the new networking sandbox profile.
Comment 8 • 6 years ago (Assignee)
Haik, do you have a bug number for the new profile work?
Comment 9 • 6 years ago
(In reply to Michael Froman [:mjf] from comment #8)
> Haik, do you have a bug number for the new profile work?
Bug 1614983. I should have something to test with by next week.
Comment 10 • 6 years ago (Assignee)
(In reply to Haik Aftandilian [:haik] from comment #9)
> (In reply to Michael Froman [:mjf] from comment #8)
> > Haik, do you have a bug number for the new profile work?
> Bug 1614983. I should have something to test with by next week.
Thank you!
Comment 11 • 5 years ago (Assignee)
Here is my final try run that looks good:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=503fa4cb3597267017a1f1191e2d96507f0d67b4&selectedJob=292966460
The sy-d test is failing on the parent push:
https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&revision=ffd615bf92ddb28a01b881d14126fc139ebf7880&selectedJob=293051883