Bug 1379803 - on macOS, only allow the creation of regular files and directories in writable directories; r=haik

This specifically disallows the creation of ttys and symlinks. Writable directories are needed for plugins, which lazily create the plugintmp directory. If/when the plugin API surface is reduced we can restrict down to just regular files. MozReview-Commit-ID: Ec6qeaiHSsB --HG-- extra : rebase_source : 252a3cbf7954b9c09092b896ef8af45310438a86
2017-07-11 09:51:04 -04:00 · 2017-07-11 09:51:04 -04:00 · f76801e348
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@ -273,9 +273,14 @@ static const char contentSandboxRules[] = R"(
    (literal "/private/var")
    (subpath "/private/var/folders"))

-; bug 1303987
+  ; bug 1303987
  (if (string? debugWriteDir)
-    (allow file-write-create file-write-data (subpath debugWriteDir)))
+    (begin
+      (allow file-write-data (subpath debugWriteDir))
+      (allow file-write-create
+        (require-all
+          (subpath debugWriteDir)
+          (vnode-type REGULAR-FILE)))))

  ; bug 1324610
  (allow network-outbound file-read*
@ -359,8 +364,14 @@ static const char contentSandboxRules[] = R"(
      (iokit-user-client-class "Gen6DVDContext"))

  ; bug 1237847
-  (allow file-read* file-write-create file-write-data
-      (subpath appTempDir))
+  (allow file-read* file-write-data
+    (subpath appTempDir))
+  (allow file-write-create
+    (require-all
+      (subpath appTempDir)
+      (require-any
+        (vnode-type REGULAR-FILE)
+        (vnode-type DIRECTORY))))
 )";

 }
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ b/security/sandbox/test/browser_content_sandbox_fs.js
@ -29,6 +29,20 @@ function createFile(path) {
  });
 }

+
+// Creates a symlink at |path| and returns a promise that resolves with true
+// if the symlink was successfully created, otherwise false. Include imports
+// so this can be safely serialized and run remotely by ContentTask.spawn.
+function createSymlink(path) {
+  Components.utils.import("resource://gre/modules/osfile.jsm");
+  // source location for the symlink can be anything
+  return OS.File.unixSymLink("/Users", path).then(function(value) {
+    return true;
+  }, function(reason) {
+    return false;
+  });
+}
+
 // Deletes file at |path| and returns a promise that resolves with true
 // if the file was successfully deleted, otherwise false. Include imports
 // so this can be safely serialized and run remotely by ContentTask.spawn.
@ -207,7 +221,8 @@ async function createFileInHome() {
  }
 }

-// Test if the content process can create a temp file, should pass
+// Test if the content process can create a temp file, should pass. Also test
+// that the content process cannot create symlinks or delete files.
 async function createTempFile() {
  let browser = gBrowser.selectedBrowser;
  let path = fileInTempDir().path;
@ -218,9 +233,14 @@ async function createTempFile() {
  if (isMac()) {
    // On macOS we do not allow file deletion - it is not needed by the content
    // process itself, and macOS uses a different permission to control access
-    // to revoking it is easy.
+    // so revoking it is easy.
    ok(fileDeleted == false,
-       "deleting a file in the content temp is not permitted");
+       "deleting a file in content temp is not permitted");
+
+    let path = fileInTempDir().path;
+    let symlinkCreated = await ContentTask.spawn(browser, path, createSymlink);
+    ok(symlinkCreated == false,
+       "created a symlink in content temp is not permitted");
  } else {
    ok(fileDeleted == true, "deleting a file in content temp is permitted");
  }