$HOME/.cache/fontconfig should be rdonly but is not added
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
People
(Reporter: gerard-majax, Assigned: gerard-majax)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
While working on bug 1718084, tracing calls to policy->AddDir() shows that while we should be authorizing access to $HOME/.cache/fontconfig as per https://searchfox.org/mozilla-central/rev/5b3444ad300e244b5af4214212e22bd9e4b7088a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#397 we actually dont:
0:03.70 GECKO(3645994) [Parent 3645994, Main Thread] WARNING: Trying to add extraConfDirsAllow: file /home/alexandre/Documents/codaz/Mozilla/MiscWork/mozilla-source/mozilla-unified/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:415
0:03.70 GECKO(3645994) policy->AddDir(rdonly, /home/alexandre/.config)
0:03.70 GECKO(3645994) [Parent 3645994, Main Thread] WARNING: Trying to add extraConfDirsAllow: file /home/alexandre/Documents/codaz/Mozilla/MiscWork/mozilla-source/mozilla-unified/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:415
0:03.70 GECKO(3645994) policy->AddDir(rdonly, /home/alexandre/.themes)
0:03.70 GECKO(3645994) [Parent 3645994, Main Thread] WARNING: Trying to add extraConfDirsAllow: file /home/alexandre/Documents/codaz/Mozilla/MiscWork/mozilla-source/mozilla-unified/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:415
0:03.70 GECKO(3645994) policy->AddDir(rdonly, /home/alexandre/.fonts)
0:03.70 GECKO(3645994) [Parent 3645994, Main Thread] WARNING: Trying to add extraConfDirsAllow: file /home/alexandre/Documents/codaz/Mozilla/MiscWork/mozilla-source/mozilla-unified/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:415
0:03.70 GECKO(3645994) [Parent 3645994, Main Thread] WARNING: Trying to add extraConfDirsBlock: file /home/alexandre/Documents/codaz/Mozilla/MiscWork/mozilla-source/mozilla-unified/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp:431
I guess https://searchfox.org/mozilla-central/rev/5b3444ad300e244b5af4214212e22bd9e4b7088a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp#409-410 does not like that we pass .cache/fontconfig as a path component
|
Assignee | |
Comment 1•4 years ago
|
||
|
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 4•3 years ago
|
||
| bugherder | ||
|
||
Comment 5•3 years ago
|
||
Please nominate this for ESR91 approval (it'll simplify the uplift of bug 1718084).
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9229865 [details]
Bug 1719279 - Properly add $HOME/.cache/fontconfig allowance r?gcp
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: easier to uplift bug 1732580
- User impact if declined: no webgl on snap package
- Fix Landed on Version: 92
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): tested, landed for three months, no known regression
- String or UUID changes made by this patch:
|
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9229865 [details]
Bug 1719279 - Properly add $HOME/.cache/fontconfig allowance r?gcp
Approved for 91.3esr, thanks.
|
|
||
Comment 8•3 years ago
|
||
| bugherder uplift | ||
Description
•