Bug 1056936 - Specify full path to plugin-container in sandbox rules. r=rjesup

content/media/gmp/GMPChild.cpp

@@ -118,6 +118,54 @@ GetPluginPaths(const std::string& aPluginPath,
   return true;
 }
 
+static bool
+GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
+{
+  nsAutoCString appPath;
+  nsAutoCString appBinaryPath(
+    (CommandLine::ForCurrentProcess()->argv()[0]).c_str());
+
+  nsAutoCString::const_iterator start, end;
+  appBinaryPath.BeginReading(start);
+  appBinaryPath.EndReading(end);
+  if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) {
+    end = start;
+    ++end; ++end; ++end; ++end;
+    appBinaryPath.BeginReading(start);
+    appPath.Assign(Substring(start, end));
+  } else {
+    return false;
+  }
+
+  nsCOMPtr<nsIFile> app, appBinary;
+  nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath),
+                                true, getter_AddRefs(app));
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+  rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath),
+                       true, getter_AddRefs(appBinary));
+  if (NS_FAILED(rv)) {
+    return false;
+  }
+
+  bool isLink;
+  app->IsSymlink(&isLink);
+  if (isLink) {
+    app->GetNativeTarget(aAppPath);
+  } else {
+    app->GetNativePath(aAppPath);
+  }
+  appBinary->IsSymlink(&isLink);
+  if (isLink) {
+    appBinary->GetNativeTarget(aAppBinaryPath);
+  } else {
+    appBinary->GetNativePath(aAppBinaryPath);
+  }
+
+  return true;
+}
+
 void
 GMPChild::OnChannelConnected(int32_t aPid)
 {
@@ -125,6 +173,10 @@ GMPChild::OnChannelConnected(int32_t aPid)
   if (!GetPluginPaths(mPluginPath, pluginDirectoryPath, pluginFilePath)) {
     MOZ_CRASH("Error scanning plugin path");
   }
+  nsAutoCString appPath, appBinaryPath;
+  if (!GetAppPaths(appPath, appBinaryPath)) {
+    MOZ_CRASH("Error resolving child process path");
+  }
 
   MacSandboxInfo info;
   info.type = MacSandboxType_Plugin;
@@ -132,6 +184,8 @@ GMPChild::OnChannelConnected(int32_t aPid)
   info.pluginInfo.pluginPath.Assign(pluginDirectoryPath);
   mPluginBinaryPath.Assign(pluginFilePath);
   info.pluginInfo.pluginBinaryPath.Assign(pluginFilePath);
+  info.appPath.Assign(appPath);
+  info.appBinaryPath.Assign(appBinaryPath);
 
   nsAutoCString err;
   if (!mozilla::StartMacSandbox(info, err)) {

security/sandbox/mac/Sandbox.h

@@ -35,6 +35,8 @@ typedef struct _MacSandboxInfo {
     : type(MacSandboxType_Default) {}
   MacSandboxType type;
   MacSandboxPluginInfo pluginInfo;
+  nsCString appPath;
+  nsCString appBinaryPath;
 } MacSandboxInfo;
 
 namespace mozilla {

security/sandbox/mac/Sandbox.mm

@@ -33,8 +33,9 @@ static const char rules[] =
   "    (regex #\"^/etc$\")\n"
   "    (regex #\"^/dev/u?random$\")\n"
   "    (regex #\"^/(private/)?var($|/)\")\n"
-  "    (regex #\"\\.app/Contents/MacOS/plugin-container\\.app/Contents/\")\n"
   "    (literal \"/usr/share/icu/icudt51l.dat\")\n"
+  "    (literal \"%s\")\n"
+  "    (literal \"%s\")\n"
   "    (literal \"%s\"))\n";
 
 bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
@@ -48,11 +49,15 @@ bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
   if (nsCocoaFeatures::OnLionOrLater()) {
     profile.AppendPrintf(rules, ";",
                          aInfo.pluginInfo.pluginPath.get(),
-                         aInfo.pluginInfo.pluginBinaryPath.get());
+                         aInfo.pluginInfo.pluginBinaryPath.get(),
+                         aInfo.appPath.get(),
+                         aInfo.appBinaryPath.get());
   } else {
     profile.AppendPrintf(rules, "",
                          aInfo.pluginInfo.pluginPath.get(),
-                         aInfo.pluginInfo.pluginBinaryPath.get());
+                         aInfo.pluginInfo.pluginBinaryPath.get(),
+                         aInfo.appPath.get(),
+                         aInfo.appBinaryPath.get());
   }
 
   char *errorbuf = NULL;