Right now we have a teeny tiny bit of blacklisting in our content sandbox policy: https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/SandboxPolicies.h#289-297 We should move away from "blacklist the home directory" to whitelisting whatever is needed. This reduces the possibility for regressions, and makes it easier to audit what we allow and prune the list. This will require figuring out what reads are implicitly allowed by the blacklist that we use and adding those to the whitelist.

Not worth reviewing yet, as there's still some breakages to work through, but figured I'd attach the patch for visibility.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=9b63488894624e29aabc051de3615f9291e316f0&group_state=expanded example try run from a few days ago

All green! https://treeherder.mozilla.org/#/jobs?repo=try&revision=ed0a090e297125887c8bbe7cbdcc9657a3f955ed&group_state=expanded

Comment on attachment 8860502 [details] Bug 1357758 - Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; https://reviewboard.mozilla.org/r/132506/#review159136 Just plain awesome! Please manually test printing and print-to-file with level 3 set.

Printing looks good! (+/- all the unrelated bugs I hit while testing it :-/)

Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/59555f5a60be Replace the file-read blacklist in the macOS sandbox policy with a whitelist of the allowed paths; r=haik