Bug 1647816 - Make sandboxing OS version checks aware of major version r=spohl

Fix the content and Flash sandbox policies to use the major and minor number for OS version checks allowing video playback to work properly on macOS 11 Big Sur.

Pass the macOS major and minor version to sandbox policies as a combined string.

Remove unused OSXVersion methods and members and more minor cleanup in Sandbox.mm.

Leave in the checks for unsupported versions (macOS 10.9 - 10.11) for now in case this fix needs to be uplifted.

Differential Revision: https://phabricator.services.mozilla.com/D81385

security/sandbox/mac/Sandbox.mm

@@ -25,24 +25,12 @@
 #include "SandboxPolicyUtility.h"
 #include "SandboxPolicySocket.h"
 
-// XXX There are currently problems with the /usr/include/sandbox.h file on
-// some/all of the Macs in Mozilla's build system. Further,
-// sandbox_init_with_parameters is not included in the header.  For the time
-// being (until this problem is resolved), we refer directly to what we need
-// from it, rather than including it here.
-extern "C" int sandbox_init(const char* profile, uint64_t flags, char** errorbuf);
+// Undocumented sandbox setup routines.
 extern "C" int sandbox_init_with_parameters(const char* profile, uint64_t flags,
                                             const char* const parameters[], char** errorbuf);
 extern "C" void sandbox_free_error(char* errorbuf);
 extern "C" int sandbox_check(pid_t pid, const char* operation, int type, ...);
 
-#define MAC_OS_X_VERSION_10_0_HEX 0x00001000
-#define MAC_OS_X_VERSION_10_6_HEX 0x00001060
-#define MAC_OS_X_VERSION_10_7_HEX 0x00001070
-#define MAC_OS_X_VERSION_10_8_HEX 0x00001080
-#define MAC_OS_X_VERSION_10_9_HEX 0x00001090
-#define MAC_OS_X_VERSION_10_10_HEX 0x000010A0
-
 // Note about "major", "minor" and "bugfix" in the following code:
 //
 // The code decomposes an OS X version number into these components, and in
@@ -51,20 +39,32 @@ extern "C" int sandbox_check(pid_t pid, const char* operation, int type, ...);
 // an OS X version number to indicate a "major" release (for example the "9"
 // in OS X 10.9.5), and the "bugfix" component to indicate a "minor" release
 // (for example the "5" in OS X 10.9.5).
-
 class OSXVersion {
  public:
-  static int32_t OSXVersionMinor();
+  static void Get(int32_t& aMajor, int32_t& aMinor);
 
  private:
   static void GetSystemVersion(int32_t& aMajor, int32_t& aMinor, int32_t& aBugFix);
-  static int32_t GetVersionNumber();
-  static int32_t mOSXVersion;
+  static bool mCached;
+  static int32_t mOSXVersionMajor;
+  static int32_t mOSXVersionMinor;
 };
 
-int32_t OSXVersion::mOSXVersion = -1;
+bool OSXVersion::mCached = false;
+int32_t OSXVersion::mOSXVersionMajor;
+int32_t OSXVersion::mOSXVersionMinor;
 
-int32_t OSXVersion::OSXVersionMinor() { return (GetVersionNumber() & 0xF0) >> 4; }
+void OSXVersion::Get(int32_t& aMajor, int32_t& aMinor) {
+  if (!mCached) {
+    int32_t major, minor, bugfix;
+    GetSystemVersion(major, minor, bugfix);
+    mOSXVersionMajor = major;
+    mOSXVersionMinor = minor;
+    mCached = true;
+  }
+  aMajor = mOSXVersionMajor;
+  aMinor = mOSXVersionMinor;
+}
 
 void OSXVersion::GetSystemVersion(int32_t& aMajor, int32_t& aMinor, int32_t& aBugFix) {
   SInt32 major = 0, minor = 0, bugfix = 0;
@@ -112,15 +112,6 @@ void OSXVersion::GetSystemVersion(int32_t& aMajor, int32_t& aMinor, int32_t& aBu
   }
 }
 
-int32_t OSXVersion::GetVersionNumber() {
-  if (mOSXVersion == -1) {
-    int32_t major, minor, bugfix;
-    GetSystemVersion(major, minor, bugfix);
-    mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
-  }
-  return mOSXVersion;
-}
-
 bool GetRealPath(std::string& aOutputPath, const char* aInputPath) {
   char* resolvedPath = realpath(aInputPath, nullptr);
   if (resolvedPath == nullptr) {
@@ -245,7 +236,13 @@ namespace mozilla {
 bool StartMacSandbox(MacSandboxInfo const& aInfo, std::string& aErrorMessage) {
   std::vector<const char*> params;
   std::string profile;
-  std::string macOSMinor = std::to_string(OSXVersion::OSXVersionMinor());
+
+  // Use a combined version number to simplify version check logic
+  // in sandbox policies. For example, 10.14 becomes "1014".
+  int32_t major = 0, minor = 0;
+  OSXVersion::Get(major, minor);
+  MOZ_ASSERT(minor >= 0 && minor < 100);
+  std::string combinedVersion = std::to_string((major * 100) + minor);
 
   // Used for the Flash sandbox. Declared here so that they
   // stay in scope until sandbox_init_with_parameters is called.
@@ -262,8 +259,8 @@ bool StartMacSandbox(MacSandboxInfo const& aInfo, std::string& aErrorMessage) {
     params.push_back("SANDBOX_LEVEL_2");
     params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE");
 
-    params.push_back("MAC_OS_MINOR");
-    params.push_back(macOSMinor.c_str());
+    params.push_back("MAC_OS_VERSION");
+    params.push_back(combinedVersion.c_str());
 
     params.push_back("HOME_PATH");
     params.push_back(getenv("HOME"));
@@ -354,8 +351,8 @@ bool StartMacSandbox(MacSandboxInfo const& aInfo, std::string& aErrorMessage) {
       params.push_back(aInfo.level == 2 ? "TRUE" : "FALSE");
       params.push_back("SANDBOX_LEVEL_3");
       params.push_back(aInfo.level == 3 ? "TRUE" : "FALSE");
-      params.push_back("MAC_OS_MINOR");
-      params.push_back(macOSMinor.c_str());
+      params.push_back("MAC_OS_VERSION");
+      params.push_back(combinedVersion.c_str());
       params.push_back("APP_PATH");
       params.push_back(aInfo.appPath.c_str());
       params.push_back("PROFILE_DIR");

security/sandbox/mac/SandboxPolicyContent.h

@@ -17,7 +17,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
-  (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
+  (define macosVersion (string->number (param "MAC_OS_VERSION")))
   (define appPath (param "APP_PATH"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
@@ -100,7 +100,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
 
   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
   ; we need to allow all sysctl-reads there.
-  (if (= macosMinorVersion 9)
+  (if (= macosVersion 1009)
     (allow sysctl-read)
     (allow sysctl-read
       (sysctl-name-regex #"^sysctl\.")
@@ -145,7 +145,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
       (sysctl-name "machdep.cpu.stepping")
       (sysctl-name "debug.intel.gstLevelGST")
       (sysctl-name "debug.intel.gstLoaderControl")))
-  (if (> macosMinorVersion 9)
+  (if (> macosVersion 1009)
     (allow sysctl-write
       (sysctl-name "kern.tcsm_enable")))
 
@@ -177,14 +177,14 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
     (global-name "com.apple.coreservices.launchservicesd")
     (global-name "com.apple.lsd.mapdb"))
 
-  (if (>= macosMinorVersion 13)
+  (if (>= macosVersion 1013)
     (allow mach-lookup
       ; bug 1392988
       (xpc-service-name "com.apple.coremedia.videodecoder")
       (xpc-service-name "com.apple.coremedia.videoencoder")))
 
 ; bug 1312273
-  (if (= macosMinorVersion 9)
+  (if (= macosVersion 1009)
      (allow mach-lookup (global-name "com.apple.xpcd")))
 
   (allow iokit-open
@@ -317,7 +317,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
   (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
   (allow mach-lookup
       (global-name "com.apple.cvmsServ"))
-  (if (>= macosMinorVersion 14)
+  (if (>= macosVersion 1014)
     (allow mach-lookup
       (global-name "com.apple.MTLCompilerService")))
   (allow iokit-open
@@ -351,13 +351,13 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
   (allow mach-lookup
     (global-name "com.apple.fonts")
     (global-name "com.apple.FontObjectsServer"))
-  (if (<= macosMinorVersion 11)
+  (if (<= macosVersion 1011)
     (allow mach-lookup (global-name "com.apple.FontServer")))
 
   ; Fonts
   ; Workaround for sandbox extensions not being automatically
   ; issued for fonts on 10.11 and earlier versions (bug 1460917).
-  (if (<= macosMinorVersion 11)
+  (if (<= macosVersion 1011)
     (allow file-read*
       (regex #"\.[oO][tT][fF]$"          ; otf
              #"\.[tT][tT][fF]$"          ; ttf
@@ -372,7 +372,7 @@ static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
       (regex #"\.fontvault/")
       (home-subpath "/FontExplorer X/Font Library")))
 
-  (if (>= macosMinorVersion 13)
+  (if (>= macosVersion 1013)
    (allow mach-lookup
     ; bug 1565575
     (global-name "com.apple.audio.AudioComponentRegistrar")))

security/sandbox/mac/SandboxPolicyFlash.h

@@ -16,7 +16,7 @@ static const char SandboxPolicyFlash[] = R"SANDBOX_LITERAL(
   (define shouldLog (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
-  (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
+  (define macosVersion (string->number (param "MAC_OS_VERSION")))
   (define homeDir (param "HOME_PATH"))
   (define tempDir (param "DARWIN_USER_TEMP_DIR"))
   (define cacheDir (param "DARWIN_USER_CACHE_DIR"))
@@ -120,7 +120,7 @@ static const char SandboxPolicyFlash[] = R"SANDBOX_LITERAL(
   (allow process-info-setcontrol (target self))
 
   ; macOS 10.9 does not support the |sysctl-name| predicate
-  (if (= macosMinorVersion 9)
+  (if (= macosVersion 1009)
       (allow sysctl-read)
       (allow sysctl-read
         (sysctl-name
@@ -271,9 +271,9 @@ static const char SandboxPolicyFlash[] = R"SANDBOX_LITERAL(
       (global-name "com.apple.cmio.AVCAssistant")
       (global-name "com.apple.cmio.VDCAssistant"))
   ; bug 1475707
-  (if (= macosMinorVersion 9)
+  (if (= macosVersion 1009)
      (allow mach-lookup (global-name "com.apple.xpcd")))
-  (if (>= macosMinorVersion 15)
+  (if (>= macosVersion 1015)
      (allow mach-lookup
       (global-name "com.apple.ViewBridgeAuxiliary")
       (global-name "com.apple.appkit.xpc.openAndSavePanelService")
@@ -296,13 +296,13 @@ static const char SandboxPolicyFlash[] = R"SANDBOX_LITERAL(
   (allow mach-lookup
     (global-name "com.apple.fonts")
     (global-name "com.apple.FontObjectsServer"))
-  (if (<= macosMinorVersion 11)
+  (if (<= macosVersion 1011)
     (allow mach-lookup (global-name "com.apple.FontServer")))
 
   ; Fonts
   ; Workaround for sandbox extensions not being automatically
   ; issued for fonts on 10.11 and earlier versions (bug 1460917).
-  (if (<= macosMinorVersion 11)
+  (if (<= macosVersion 1011)
     (allow file-read*
       (regex #"\.[oO][tT][fF]$"          ; otf
              #"\.[tT][tT][fF]$"          ; ttf