diff --git a/content/media/gmp/GMPChild.cpp b/content/media/gmp/GMPChild.cpp
index 1dde3ac7c8df..bcb0300e274a 100644
--- a/content/media/gmp/GMPChild.cpp
+++ b/content/media/gmp/GMPChild.cpp
@@ -118,6 +118,54 @@ GetPluginPaths(const std::string& aPluginPath,
 return true;
 }
 
+static bool
+GetAppPaths(nsCString &aAppPath, nsCString &aAppBinaryPath)
+{
+ nsAutoCString appPath;
+ nsAutoCString appBinaryPath(
+ (CommandLine::ForCurrentProcess()->argv()[0]).c_str());
+
+ nsAutoCString::const_iterator start, end;
+ appBinaryPath.BeginReading(start);
+ appBinaryPath.EndReading(end);
+ if (RFindInReadable(NS_LITERAL_CSTRING(".app/Contents/MacOS/"), start, end)) {
+ end = start;
+ ++end; ++end; ++end; ++end;
+ appBinaryPath.BeginReading(start);
+ appPath.Assign(Substring(start, end));
+ } else {
+ return false;
+ }
+
+ nsCOMPtr app, appBinary;
+ nsresult rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appPath),
+ true, getter_AddRefs(app));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+ rv = NS_NewLocalFile(NS_ConvertUTF8toUTF16(appBinaryPath),
+ true, getter_AddRefs(appBinary));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
+ bool isLink;
+ app->IsSymlink(&isLink);
+ if (isLink) {
+ app->GetNativeTarget(aAppPath);
+ } else {
+ app->GetNativePath(aAppPath);
+ }
+ appBinary->IsSymlink(&isLink);
+ if (isLink) {
+ appBinary->GetNativeTarget(aAppBinaryPath);
+ } else {
+ appBinary->GetNativePath(aAppBinaryPath);
+ }
+
+ return true;
+}
+
 void
 GMPChild::OnChannelConnected(int32_t aPid)
 {
@@ -125,6 +173,10 @@ GMPChild::OnChannelConnected(int32_t aPid)
 if (!GetPluginPaths(mPluginPath, pluginDirectoryPath, pluginFilePath)) {
 MOZ_CRASH("Error scanning plugin path");
 }
+ nsAutoCString appPath, appBinaryPath;
+ if (!GetAppPaths(appPath, appBinaryPath)) {
+ MOZ_CRASH("Error resolving child process path");
+ }
 
 MacSandboxInfo info;
 info.type = MacSandboxType_Plugin;
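Review bot: In the new GetAppPaths (first hunk) the results of `IsSymlink`, `GetNativeTarget` and `GetNativePath` are discarded and `isLink` is declared without an initial value, so a failed `IsSymlink` leaves the branch decided by an indeterminate bool, and a failed getter leaves the out-parameter empty while the function still returns true. Those strings go straight into `info.appPath` / `info.appBinaryPath` and on to `StartMacSandbox`, so a silent failure here would produce sandbox rules that do not name the real bundle instead of reaching the `MOZ_CRASH` in OnChannelConnected. I would initialise `isLink`, check every `nsresult`, and return false on failure or on an empty result, as sketched below. The four `++end` steps also deserve a one-line comment saying they advance past ".app". Whether `GetNativeTarget` resolves symlinks in intermediate path components is not visible here and is worth confirming, since the profile matches these paths literally.

```cpp
// … unchanged: locate ".app/Contents/MacOS/" and create app / appBinary …

  bool isLink = false;
  rv = app->IsSymlink(&isLink);
  if (NS_FAILED(rv)) {
    return false;
  }
  rv = isLink ? app->GetNativeTarget(aAppPath)
              : app->GetNativePath(aAppPath);
  if (NS_FAILED(rv) || aAppPath.IsEmpty()) {
    return false;
  }

  rv = appBinary->IsSymlink(&isLink);
  if (NS_FAILED(rv)) {
    return false;
  }
  rv = isLink ? appBinary->GetNativeTarget(aAppBinaryPath)
              : appBinary->GetNativePath(aAppBinaryPath);
  if (NS_FAILED(rv) || aAppBinaryPath.IsEmpty()) {
    return false;
  }

// … unchanged: return true …
```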
@@ -132,6 +184,8 @@ GMPChild::OnChannelConnected(int32_t aPid)
 info.pluginInfo.pluginPath.Assign(pluginDirectoryPath);
 mPluginBinaryPath.Assign(pluginFilePath);
 info.pluginInfo.pluginBinaryPath.Assign(pluginFilePath);
+ info.appPath.Assign(appPath);
+ info.appBinaryPath.Assign(appBinaryPath);
 
 nsAutoCString err;
 if (!mozilla::StartMacSandbox(info, err)) {
diff --git a/security/sandbox/mac/Sandbox.h b/security/sandbox/mac/Sandbox.h
index 023cb830c55d..3daf41f762e0 100644
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -35,6 +35,8 @@ typedef struct _MacSandboxInfo {
 : type(MacSandboxType_Default) {}
 MacSandboxType type;
 MacSandboxPluginInfo pluginInfo;
+ nsCString appPath;
+ nsCString appBinaryPath;
 } MacSandboxInfo;
 
 namespace mozilla {
diff --git a/security/sandbox/mac/Sandbox.mm b/security/sandbox/mac/Sandbox.mm
index 331cc118f0cd..4474deb665de 100644
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -33,8 +33,9 @@ static const char rules[] =
 " (regex #\"^/etc$\")\n"
 " (regex #\"^/dev/u?random$\")\n"
 " (regex #\"^/(private/)?var($|/)\")\n"
- " (regex #\"\\.app/Contents/MacOS/plugin-container\\.app/Contents/\")\n"
 " (literal \"/usr/share/icu/icudt51l.dat\")\n"
+ " (literal \"%s\")\n"
+ " (literal \"%s\")\n"
 " (literal \"%s\"))\n";
 
 bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
@@ -48,11 +49,15 @@ bool StartMacSandbox(MacSandboxInfo aInfo, nsCString &aErrorMessage)
 if (nsCocoaFeatures::OnLionOrLater()) {
 profile.AppendPrintf(rules, ";",
 aInfo.pluginInfo.pluginPath.get(),
- aInfo.pluginInfo.pluginBinaryPath.get());
+ aInfo.pluginInfo.pluginBinaryPath.get(),
+ aInfo.appPath.get(),
+ aInfo.appBinaryPath.get());
 } else {
 profile.AppendPrintf(rules, "",
 aInfo.pluginInfo.pluginPath.get(),
- aInfo.pluginInfo.pluginBinaryPath.get());
+ aInfo.pluginInfo.pluginBinaryPath.get(),
+ aInfo.appPath.get(),
+ aInfo.appBinaryPath.get());
 }
 
 char *errorbuf = NULL;
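Review bot: The new `(literal \"%s\")` entries in `rules` (Sandbox.mm, `@@ -33,8 +33,9 @@`) are filled by `AppendPrintf` with `aInfo.appPath` and `aInfo.appBinaryPath` unescaped, and those strings derive from the process's own launch path, so a `"` or `\` in the install location would end the quoted string early and change what the profile says. Each path should be escaped for the profile's string syntax or rejected before formatting, for example `if (aInfo.appPath.FindCharInSet("\"\\") != kNotFound) { aErrorMessage.AssignLiteral("unsafe character in sandbox path"); return false; }`, repeated for the other path arguments; the existing plugin path arguments have the same shape. In the `@@ -48,11 +49,15 @@` hunk both `AppendPrintf` calls now carry duplicated five-argument positional lists that must stay in step with the `%s` placeholders in `rules`, so selecting the `";"` / `""` prefix first and calling `AppendPrintf` once would remove that risk. StartMacSandbox's body continues outside the hunk.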