Bug 1431441 - Part 5 - Parameterize access to the windowserver in the Mac content sandbox policy r=Alex_Gaynor

Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.

Depends on D6721

Differential Revision: https://phabricator.services.mozilla.com/D7357

--HG--
extra : moz-landing-system : lando

dom/ipc/ContentChild.cpp

@@ -1584,6 +1584,8 @@ StartMacOSContentSandbox()
                    PR_GetEnv("MOZ_SANDBOX_LOGGING");
   info.appPath.assign(appPath.get());
   info.hasAudio = !Preferences::GetBool("media.cubeb.sandbox");
+  info.hasWindowServer = !Preferences::GetBool(
+      "security.sandbox.content.mac.disconnect-windowserver");
 
   // These paths are used to whitelist certain directories used by the testing
   // system. They should not be considered a public API, and are only intended

dom/ipc/ContentParent.cpp

@@ -2178,6 +2178,11 @@ ContentParent::AppendSandboxParams(std::vector<std::string> &aArgs)
     aArgs.push_back("-sbAllowAudio");
   }
 
+  // Windowserver access
+  if (!Preferences::GetBool("security.sandbox.content.mac.disconnect-windowserver")) {
+    aArgs.push_back("-sbAllowWindowServer");
+  }
+
   // .app path (normalized)
   nsAutoCString appPath;
   if (!nsMacUtilsImpl::GetAppPath(appPath)) {

security/sandbox/mac/Sandbox.h

@@ -45,6 +45,7 @@ typedef struct _MacSandboxInfo {
     , hasFilePrivileges(false)
     , hasSandboxedProfile(false)
     , hasAudio(false)
+    , hasWindowServer(false)
     , shouldLog(true)
   {
   }
@@ -55,6 +56,7 @@ typedef struct _MacSandboxInfo {
   bool hasFilePrivileges;
   bool hasSandboxedProfile;
   bool hasAudio;
+  bool hasWindowServer;
   MacSandboxPluginInfo pluginInfo;
   std::string appPath;
   std::string appBinaryPath;

security/sandbox/mac/Sandbox.mm

@@ -232,6 +232,8 @@ bool StartMacSandbox(MacSandboxInfo const &aInfo, std::string &aErrorMessage)
       params.push_back(getenv("HOME"));
       params.push_back("HAS_SANDBOXED_PROFILE");
       params.push_back(aInfo.hasSandboxedProfile ? "TRUE" : "FALSE");
+      params.push_back("HAS_WINDOW_SERVER");
+      params.push_back(aInfo.hasWindowServer ? "TRUE" : "FALSE");
       if (!aInfo.parentPort.empty()) {
         params.push_back("PARENT_PORT");
         params.push_back(aInfo.parentPort.c_str());
@@ -379,6 +381,11 @@ GetContentSandboxParamsFromArgs(int aArgc, char** aArgv, MacSandboxInfo& aInfo)
       continue;
     }
 
+    if (strcmp(aArgv[i], "-sbAllowWindowServer") == 0) {
+      aInfo.hasWindowServer = true;
+      continue;
+    }
+
     if ((strcmp(aArgv[i], "-sbAppPath") == 0) && (i + 1 < aArgc)) {
       foundAppPath = true;
       aInfo.appPath.assign(aArgv[i+1]);

security/sandbox/mac/SandboxPolicies.h

@@ -54,6 +54,7 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
   (define appPath (param "APP_PATH"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
+  (define hasWindowServer (param "HAS_WINDOW_SERVER"))
   (define home-path (param "HOME_PATH"))
   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
   (define testingReadPath1 (param "TESTING_READ_PATH1"))
@@ -191,8 +192,9 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
     (allow mach-lookup (global-name parentPort)))
   (if (string? crashPort)
     (allow mach-lookup (global-name crashPort)))
+  (if (string=? hasWindowServer "TRUE")
+    (allow mach-lookup (global-name "com.apple.windowserver.active")))
   (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
-  (allow mach-lookup (global-name "com.apple.windowserver.active"))
   (allow mach-lookup (global-name "com.apple.lsd.mapdb"))
 
   (if (>= macosMinorVersion 13)