Bug 1363179 - do not allow content processes to read from /Volumes on macOS r=haik

MozReview-Commit-ID: 8osJVQD3myh

--HG--
extra : rebase_source : 8cda32ca1bca80b796458d36099244a45af2f185
This commit is contained in:
Alex Gaynor 2017-05-12 16:18:57 -04:00
Родитель e5c00fdd77
Коммит 33b7e1fa87
1 изменённых файлов: 3 добавлений и 0 удалений


@ -276,6 +276,7 @@ static const char contentSandboxRules[] = R"(
; level 3: global read access permitted, no global write access,
; no read access to the home directory,
; no read access to /private/var (but read-metadata allowed above),
; no read access to /Volumes
; read access permitted to $PROFILE/{extensions,chrome}
(if (string=? sandbox-level-3 "TRUE")
(if (string=? hasFilePrivileges "TRUE")
@ -288,6 +289,7 @@ static const char contentSandboxRules[] = R"(
(allow file-read* (require-all
(require-not (subpath home-path))
(require-not (subpath profileDir))
(require-not (subpath "/Volumes"))
(require-not (subpath "/private/var"))))
(allow file-read* (literal "/private/var/run/cupsd"))
(allow file-read*
@ -297,6 +299,7 @@ static const char contentSandboxRules[] = R"(
(begin
(allow file-read* (require-all
(require-not (subpath home-path))
(require-not (subpath "/Volumes"))
(require-not (subpath "/private/var"))))
(allow file-read* (literal "/private/var/run/cupsd"))))))
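Review bot: The two new `(require-not (subpath "/Volumes"))` clauses only narrow the `file-read*` allow forms; they do not by themselves restrict `file-read-metadata`, so whether a content process can still enumerate mount points under /Volumes depends on the rules above line 276, which are not in the hunk. The comment added at the top of the level-3 block should say which it is, as the neighbouring /private/var line already does, e.g. `; no read access to /Volumes (read-metadata: see the global rules above)` with the parenthetical filled in once confirmed. Both allow forms that were edited sit inside `(if (string=? sandbox-level-3 "TRUE")` / `(if (string=? hasFilePrivileges "TRUE")`, whose opening and closing parens lie outside the hunks, as does the `R"(` raw-string literal that holds the whole policy.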