Bug 1360356 - [Mac] Remove "/Library/Caches/TemporaryItems" rule from…

… level 3 Content Sandbox; r=Alex_Gaynor. a=merge

Remove reading of "~/Library/Caches/TemporaryItems" from level 3 and update
sandboxing filesystem test to check ~/Library/Caches/TemporaryItems readability.

MozReview-Commit-ID: 6EMzH7brSnp

--HG--
extra : rebase_source : f97b5625da2abda73decc969fc581c2bf858183f
extra : amend_source : ab31c96ca883314dcf2f3ff0293a8fd6ac4748dc

security/sandbox/mac/SandboxPolicies.h

@@ -264,17 +264,20 @@ static const char contentSandboxRules[] = R"(
         ; This process has blanket file read privileges
         (allow file-read*)
         ; This process does not have blanket file read privileges
-        (if (string=? hasProfileDir "TRUE")
-          ; we have a profile dir
-          (begin
-            (allow file-read* (require-all
-                (require-not (home-subpath "/Library"))
-                (require-not (subpath profileDir))))
-            (allow file-read*
-                (profile-subpath "/extensions")
-                (profile-subpath "/chrome")))
-          ; we don't have a profile dir
-          (allow file-read* (require-not (home-subpath "/Library"))))))
+        (begin
+          ; bug 1201935
+          (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
+          (if (string=? hasProfileDir "TRUE")
+            ; we have a profile dir
+            (begin
+              (allow file-read* (require-all
+                  (require-not (home-subpath "/Library"))
+                  (require-not (subpath profileDir))))
+              (allow file-read*
+                  (profile-subpath "/extensions")
+                  (profile-subpath "/chrome")))
+            ; we don't have a profile dir
+            (allow file-read* (require-not (home-subpath "/Library")))))))
 
   ; level 3: global read access permitted, no global write access,
   ;          no read access to the home directory,
@@ -317,10 +320,6 @@ static const char contentSandboxRules[] = R"(
         (iokit-user-client-class "NVDVDContextTesla")
         (iokit-user-client-class "Gen6DVDContext"))
 
-  ; bug 1201935
-    (allow file-read*
-        (home-subpath "/Library/Caches/TemporaryItems"))
-
   ; bug 1237847
     (allow file-read*
         (subpath appTempDir))

security/sandbox/test/browser_content_sandbox_fs.js

@@ -248,6 +248,9 @@ function* testFileAccess() {
     fileBrowser = gBrowser.getBrowserForTab(gBrowser.selectedTab);
   }
 
+  // Current level
+  let level = prefs.getIntPref("security.sandbox.content.level");
+
   // Directories/files to test accessing from content processes.
   // For directories, we test whether a directory listing is allowed
   // or blocked. For files, we test if we can read from the file.
@@ -291,6 +294,30 @@ function* testFileAccess() {
     });
   }
 
+  if (isMac()) {
+    // If ~/Library/Caches/TemporaryItems exists, when level <= 2 we
+    // make sure it's readable. For level 3, we make sure it isn't.
+    let homeTempDir = GetHomeDir();
+    homeTempDir.appendRelativePath('Library/Caches/TemporaryItems');
+    if (homeTempDir.exists()) {
+      let shouldBeReadable, minLevel;
+      if (level >= minHomeReadSandboxLevel()) {
+        shouldBeReadable = false;
+        minLevel = minHomeReadSandboxLevel();
+      } else {
+        shouldBeReadable = true;
+        minLevel = 0;
+      }
+      tests.push({
+        desc:     "home library cache temp dir",
+        ok:       shouldBeReadable,
+        browser:  webBrowser,
+        file:     homeTempDir,
+        minLevel: minLevel,
+      });
+    }
+  }
+
   let extensionsDir = GetProfileEntry("extensions");
   if (extensionsDir.exists() && extensionsDir.isDirectory()) {
     tests.push({
@@ -331,7 +358,6 @@ function* testFileAccess() {
   }
 
   // remove tests not enabled by the current sandbox level
-  let level = prefs.getIntPref("security.sandbox.content.level");
   tests = tests.filter((test) => { return (test.minLevel <= level); });
 
   for (let test of tests) {