Opened 9 months ago

Closed 9 months ago

Last modified 2 months ago

#32505 closed defect (fixed)

Tighten our rules in our entitlements file for macOS

Reported by: gk
Owned by: gk
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security, tbb-sign, GeorgKoppen201911, TorBrowserTeam201911R
Cc: tbb-team
Actual Points: 0.1
Parent ID: #32504
Points:
Reviewer:
Sponsor:

Description

comment:40:ticket:30126 mentions two possible rules we could tighten in our entitlements file:

com.apple.security.cs.disable-library-validation=false
com.apple.security.automation.apple-events=false

The former seems indeed to be a clear winner but I am not sure about the latter as we usually don't want to break the expected behavior for users installing WebExtensions (even if we don't recommend it).

We could think about more rules to be tightened while we are at it.
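
The first rule from the description, written as a check a build pipeline could run before signing. This is an added example, not part of the ticket or of tor-browser-build. It parses an entitlements plist, fails when library validation is not kept on, and only reports the apple-events entitlement that the description is unsure about. The sample plist is constructed, and the names `audit_entitlements`, `MUST_BE_OFF` and `REPORT_ONLY` are assumptions.

```python
import plistlib

# Assumed policy, taken from the two keys named in the ticket: the first must
# be false or absent; the second is only reported so a human can decide.
MUST_BE_OFF = {"com.apple.security.cs.disable-library-validation"}
REPORT_ONLY = {"com.apple.security.automation.apple-events"}

# Constructed sample entitlements file (not the real Tor Browser one).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Return (violations, notes) for the given entitlements plist bytes."""
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    violations, notes = [], []
    for key, value in sorted(entitlements.items()):
        # Anything other than an explicit false counts as a violation, so a
        # string such as "false" does not slip through as an accepted value.
        if key in MUST_BE_OFF and value is not False:
            violations.append(f"{key} is {value!r}, expected false or absent")
        elif key in REPORT_ONLY and value is True:
            notes.append(f"{key} is granted; confirm this is intended")
    return violations, notes


if __name__ == "__main__":
    bad, info = audit_entitlements(SAMPLE)
    for line in bad:
        print("FAIL", line)
    for line in info:
        print("NOTE", line)
    raise SystemExit(1 if bad else 0)
```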

Change History (9)

comment:1 Changed 9 months ago by gk

Keywords: GeorgKoppen201911R added; GeorgKoppen201911 removed
Status: new → needs_review

bug_32505 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_32505&id=8e0320bd568f1c5697418498aa1e18b7e34a9207) has a proposed fix for the alpha entitlements file.

I think we should keep the apple-events entitlement as Mozilla ships it for now.

comment:2 Changed 9 months ago by gk

Actual Points: 0.1

comment:3 Changed 9 months ago by gk

Keywords: GeorgKoppen201911 TorBrowserTeam201911R added; GeorgKoppen201911R removed

Writing the patch and reviewing it is not smart.

comment:4 Changed 9 months ago by gk

Cc: tbb-team added
Owner: changed from tbb-team to gk
Status: needs_review → assigned

comment:5 Changed 9 months ago by mcs

r=mcs
This looks good to me (I assume you did not intend to change the ticket status away from needs_review and that was just Trac "being helpful")

comment:6 Changed 9 months ago by mcs

Summary: Tighten our rules in our entitelements file for macOS → Tighten our rules in our entitlements file for macOS

comment:7 in reply to:  5 Changed 9 months ago by gk

Resolution: fixed
Status: assigned → closed

Replying to mcs:

> r=mcs
> This looks good to me (I assume you did not intend to change the ticket status away from needs_review and that was just Trac "being helpful")

Yeah, Trac cheated on me. Thanks for the review. This is applied to master (commit e01d78d95fa019b9418e17ac03b3b26e655d6cd9) now and will be used for notarizing 9.5a3.

comment:8 Changed 9 months ago by gk

Keywords: tbb-backport added

Oh, and this is a candidate for backporting.

comment:9 Changed 2 months ago by gk

Keywords: tbb-backport removed

No backport for those tickets/fixes. They will emerge with 9.5.
