Bug 1562756 - Code Injection in Firefox macOS desktop r=spohl

Drop the com.apple.security.cs.allow-dyld-environment-variables entitlement to disallow use of dyld environment variables in signed production builds. Leave the entitlement in for signed developer builds. Firefox gtests depend on the use of DYLD_LIBRARY_PATH. However, testing infrastructure does not run gtests on signed builds and therefore gtests are not impacted by this change. gtests could be run on signed developer builds in the future which will still allow dyld environment variables after this change. browser.production.entitlements.xml and plugin-container.production.entitlements.xml are not used, but being kept up to date. Differential Revision: https://phabricator.services.mozilla.com/D148324
Brli · Jun 6, 2022 · 899c334 · 899c334
1 parent 65252ed
commit 899c334
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 25 deletions.
diff --git a/ipc/glue/GeckoChildProcessHost.cpp b/ipc/glue/GeckoChildProcessHost.cpp
@@ -1128,6 +1128,10 @@ bool PosixProcessLauncher::DoSetup() {
     mLaunchOptions->env_map["LD_LIBRARY_PATH"] = new_ld_lib_path.get();
 
 #  elif OS_MACOSX  // defined(OS_LINUX) || defined(OS_BSD)
+    // With signed production Mac builds, the dynamic linker (dyld) will
+    // ignore dyld environment variables preventing the use of variables
+    // such as DYLD_LIBRARY_PATH and DYLD_INSERT_LIBRARIES.
+
     // If we're running with gtests, add the gtest XUL ahead of normal XUL on
     // the DYLD_LIBRARY_PATH so that plugin-container.app loads it instead.
     nsCString new_dyld_lib_path(path.get());

diff --git a/security/mac/hardenedruntime/browser.production.entitlements.xml b/security/mac/hardenedruntime/browser.production.entitlements.xml
@@ -18,9 +18,8 @@
     <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
     <key>com.apple.security.cs.disable-library-validation</key><true/>
 
-    <!-- Allow dyld environment variables. Needed because Firefox uses
-         dyld variables to load libaries from within the .app bundle. -->
-    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+    <!-- Don't allow dyld environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
 
     <!-- Don't allow debugging of the executable. Debuggers will be prevented
          from attaching to running executables. Notarization does not permit

diff --git a/security/mac/hardenedruntime/developer.entitlements.xml b/security/mac/hardenedruntime/developer.entitlements.xml
@@ -1,14 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <!--
-     Entitlements to apply to the .app bundle and all executable files
-     contained within it during codesigning of developer builds. These
-     entitlements configure hardened runtime and allow debugging of the
-     application. The com.apple.security.get-task-allow entitlement must be
-     set to true to allow debuggers to attach to application processes but
-     this prohibits notarization with the notary service. Aside from allowing
-     debugging, these entitlements enable hardened runtime protections to the
-     extent possible for Firefox.
+     Entitlements to apply during codesigning of developer builds. These
+     differ from the production entitlements in that they allow debugging of
+     executables and allow dyld environment variables to be used. This set of
+     entitlements is intended to be used for signing of builds used in
+     automated testing or local developer builds where debugging of a signed
+     build might be necessary. The com.apple.security.get-task-allow
+     entitlement must be set to true to allow debuggers to attach to
+     application processes but prohibits notarization with the notary service.
+     dyld environment variables are used for some tests and may be useful for
+     developers.
 -->
 <plist version="1.0">
   <dict>
@@ -24,8 +26,7 @@
     <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
     <key>com.apple.security.cs.disable-library-validation</key><true/>
 
-    <!-- Allow dyld environment variables. Needed because Firefox uses
-         dyld variables to load libaries from within the .app bundle. -->
+    <!-- Allow dyld environment variables for gtests and debugging -->
     <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
 
     <!-- Allow debuggers to attach to running executables -->
@@ -39,7 +40,7 @@
 
     <!-- Firefox needs to access the location on sites the user allows -->
     <key>com.apple.security.personal-information.location</key><true/>
-    
+
     <!-- For SmartCardServices(7) -->
     <key>com.apple.security.smartcard</key><true/>
   </dict>

diff --git a/security/mac/hardenedruntime/plugin-container.production.entitlements.xml b/security/mac/hardenedruntime/plugin-container.production.entitlements.xml
@@ -18,9 +18,8 @@
     <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
     <key>com.apple.security.cs.disable-library-validation</key><true/>
 
-    <!-- Allow dyld environment variables. Needed because Firefox uses
-         dyld variables to load libaries from within the .app bundle. -->
-    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+    <!-- Don't allow dyld environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
 
     <!-- Don't allow debugging of the executable. Debuggers will be prevented
          from attaching to running executables. Notarization does not permit

diff --git a/security/mac/hardenedruntime/production.entitlements.xml b/security/mac/hardenedruntime/production.entitlements.xml
@@ -1,10 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <!--
-     Entitlements to apply to the .app bundle and all executable files
-     contained within it during codesigning of production channel builds that
-     will be notarized. These entitlements enable hardened runtime protections
-     to the extent possible for Firefox.
+     Entitlements to apply during codesigning of production builds.
 -->
 <plist version="1.0">
   <dict>
@@ -20,9 +17,8 @@
     <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
     <key>com.apple.security.cs.disable-library-validation</key><true/>
 
-    <!-- Allow dyld environment variables. Needed because Firefox uses
-         dyld variables to load libaries from within the .app bundle. -->
-    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+    <!-- Don't allow dyld environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
 
     <!-- Don't allow debugging of the executable. Debuggers will be prevented
          from attaching to running executables. Notarization does not permit
@@ -38,7 +34,7 @@
 
     <!-- Firefox needs to access the location on sites the user allows -->
     <key>com.apple.security.personal-information.location</key><true/>
-    
+
     <!-- For SmartCardServices(7) -->
     <key>com.apple.security.smartcard</key><true/>
   </dict>