Opened 4 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#32505 closed defect (fixed)

Tighten our rules in our entitlements file for macOS

Reported by: gk Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security, tbb-sign, GeorgKoppen201911, TorBrowserTeam201911R, tbb-backport
Cc: tbb-team Actual Points: 0.1
Parent ID: #32504 Points:
Reviewer: Sponsor:

Description

comment:40:ticket:30126 mentions two possible rules we could tighten in our entitlements file:

com.apple.security.cs.disable-library-validation=false
com.apple.security.automation.apple-events=false

The former seems indeed to be a clear winner but I am not sure about the latter as we usually don't want to break the expected behavior for users installing WebExtensions (even if we don't recommend it).

We could think about more rules to be tightened while we are at it.
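
An added example, not part of the ticket or of the tor-browser-build scripts: a Python check that reads an entitlements plist and reports which hardened-runtime relaxations are still set to true. The two sample plists are constructed for illustration, the function names are hypothetical, and accepting the apple-events key is an assumption about how that entitlement is shipped.

```python
import plistlib

# Entitlements that relax the macOS hardened runtime when set to true.
# The first and last are the two keys named in this ticket; the others are
# further Apple-documented exceptions worth reviewing in the same pass.
RELAXING = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.automation.apple-events",
)

def relaxed(plist_bytes):
    """Return the relaxing entitlements that are explicitly true.

    A key that is absent or false leaves the protection in place.
    """
    entitlements = plistlib.loads(plist_bytes)  # XML or binary plist
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    return [key for key in RELAXING if entitlements.get(key) is True]

def violations(plist_bytes, accepted=()):
    """Return relaxations that are enabled but not explicitly accepted."""
    return [key for key in relaxed(plist_bytes) if key not in accepted]

# Constructed samples (not the real Tor Browser entitlements files).
BEFORE = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.automation.apple-events": True,
})
AFTER = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": False,
    "com.apple.security.automation.apple-events": True,
})

# Assumption: apple-events stays enabled and is accepted on purpose.
ACCEPTED = ("com.apple.security.automation.apple-events",)

if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        print(name, violations(blob, ACCEPTED) or "ok")
```

Run against the entitlements file in a build or CI step, a non-empty result from `violations` flags a relaxation that was re-enabled without being added to the accepted list.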

Child Tickets

Change History (8)

comment:1 Changed 3 weeks ago by gk

Keywords: GeorgKoppen201911R added; GeorgKoppen201911 removed
Status: new → needs_review

bug_32505 (https://gitweb.torproject.org/user/gk/tor-browser-build.git/commit/?h=bug_32505&id=8e0320bd568f1c5697418498aa1e18b7e34a9207) has a proposed fix for the alpha entitlements file.

I think we should keep the apple-events entitlement as Mozilla ships it for now.

comment:2 Changed 3 weeks ago by gk

Actual Points: 0.1

comment:3 Changed 3 weeks ago by gk

Keywords: GeorgKoppen201911 TorBrowserTeam201911R added; GeorgKoppen201911R removed

Writing the patch and reviewing it is not smart.

comment:4 Changed 3 weeks ago by gk

Cc: tbb-team added
Owner: changed from tbb-team to gk
Status: needs_review → assigned

comment:5 Changed 3 weeks ago by mcs

r=mcs
This looks good to me (I assume you did not intend to change the ticket status away from needs_review and that was just Trac "being helpful")

comment:6 Changed 3 weeks ago by mcs

Summary: Tighten our rules in our entitelements file for macOS → Tighten our rules in our entitlements file for macOS

comment:7 in reply to:  5 Changed 3 weeks ago by gk

Resolution: fixed
Status: assigned → closed

Replying to mcs:

r=mcs
This looks good to me (I assume you did not intend to change the ticket status away from needs_review and that was just Trac "being helpful")

Yeah, Trac cheated on me. Thanks for the review. This is applied to master (commit e01d78d95fa019b9418e17ac03b3b26e655d6cd9) now and will be used for notarizing 9.5a3.

comment:8 Changed 3 weeks ago by gk

Keywords: tbb-backport added

Oh, and this is a candidate for backporting.
