mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1463353 - contentSandboxRules does not explcitly list 'com.apple.fonts' mach service. r=Alex_Gaynor 

Add font servers to sandbox policies instead of relying
on them to be registered before the sandbox is enabled.

MozReview-Commit-ID: IoVJhAqoEEW

--HG--
extra : rebase_source : 448cc9e556056c44cf76f79c126fbfe56e948e1e
This commit is contained in:
Haik Aftandilian 2018-05-29 14:55:12 -07:00
Родитель 3fe5b24454
Коммит 0dfa17d31a
1 изменённых файлов: 16 добавлений и 2 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

18
security/sandbox/mac/SandboxPolicies.h
Просмотреть файл

@ -344,6 +344,14 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
; automatically issued by the font server in response to font
; API calls.
(extension "com.apple.app-sandbox.read"))
; Fonts may continue to work without explicitly allowing these
; services because, at present, connections are made to the services
; before the sandbox is enabled as a side-effect of some API calls.
(allow mach-lookup
(global-name "com.apple.fonts")
(global-name "com.apple.FontObjectsServer"))
(if (<= macosMinorVersion 11)
(allow mach-lookup (global-name "com.apple.FontServer")))
; Fonts
; Workaround for sandbox extensions not being automatically
@ -617,8 +625,6 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
(global-name "com.apple.audio.audiohald")
(global-name "com.apple.audio.coreaudiod")
(global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.FontObjectsServer")
(global-name "com.apple.fonts")
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.pasteboard.1") ; Allows paste into input field
(global-name "com.apple.dock.server")
@ -648,6 +654,14 @@ static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
; automatically issued by the font server in response to font
; API calls.
(extension "com.apple.app-sandbox.read"))
; Fonts may continue to work without explicitly allowing these
; services because, at present, connections are made to the services
; before the sandbox is enabled as a side-effect of some API calls.
(allow mach-lookup
(global-name "com.apple.fonts")
(global-name "com.apple.FontObjectsServer"))
(if (<= macosMinorVersion 11)
(allow mach-lookup (global-name "com.apple.FontServer")))
; Fonts
; Workaround for sandbox extensions not being automatically