зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1387233 - restrict access to ipc-posix-shm APIs in the content process; r=haik
This removes /tmp/com.apple.csseed access entirely, ipc-posix-shm-read-metadata from CFPBS:, and ipc-posix-shm-write-{create,unlink} from AudioIO and CFPBS:. MozReview-Commit-ID: Eahx6guqGos --HG-- extra : rebase_source : 621e81eb00411ae39882504db7d10a50eef30b27
This commit is contained in:
Родитель
97335e3052
Коммит
90d2a77496
|
@ -175,10 +175,10 @@ static const char contentSandboxRules[] = R"(
|
|||
(allow file-read*
|
||||
(home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
|
||||
|
||||
(allow ipc-posix-shm
|
||||
(ipc-posix-name-regex "^/tmp/com.apple.csseed:")
|
||||
(ipc-posix-name-regex "^CFPBS:")
|
||||
(ipc-posix-name-regex "^AudioIO"))
|
||||
(allow ipc-posix-shm-read-data ipc-posix-shm-write-data
|
||||
(ipc-posix-name-regex "^CFPBS:"))
|
||||
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
|
||||
(ipc-posix-name-regex "^AudioIO"))
|
||||
|
||||
(allow signal (target self))
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче