Bug 1354678 - Switch our sandbox policies to use C++ raw strings and put them in a new header file
r=haik
MozReview-Commit-ID: Fr5liCjcJtg
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -3,16 +3,18 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef mozilla_Sandbox_h
#define mozilla_Sandbox_h
#include <string>
+#include "SandboxPolicies.h"
+
enum MacSandboxType {
MacSandboxType_Default = 0,
MacSandboxType_Plugin,
MacSandboxType_Content,
MacSandboxType_Invalid
};
enum MacSandboxPluginType {
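Review bot: Including SandboxPolicies.h from the public Sandbox.h (the added `#include "SandboxPolicies.h"`) pulls the three `static const char[]` policy arrays into every translation unit that includes Sandbox.h, and because `static` gives them internal linkage each such TU carries its own copy of the policy text. As far as this diff shows, only Sandbox.mm references `pluginSandboxRules`, `widevinePluginSandboxRulesAddend` and `contentSandboxRules`, so the include belongs in Sandbox.mm rather than in the header, and the moz.build hunk could then drop the `'SandboxPolicies.h'` entry from `EXPORTS.mozilla` unless another consumer is known to need it. If the include must stay here, a one-line comment such as `// SBPL policy text consumed by StartMacSandbox(); not part of the public sandbox API` would tell other includers not to depend on it. The `enum MacSandboxPluginType` that begins on the hunk's last line continues outside the hunk.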
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -119,341 +119,16 @@ OSXVersion::GetVersionNumber()
GetSystemVersion(major, minor, bugfix);
mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
}
return mOSXVersion;
}
namespace mozilla {
-static const char pluginSandboxRules[] =
- "(version 1)\n"
-
- "(define should-log (param \"SHOULD_LOG\"))\n"
- "(define plugin-binary-path (param \"PLUGIN_BINARY_PATH\"))\n"
- "(define app-path (param \"APP_PATH\"))\n"
- "(define app-binary-path (param \"APP_BINARY_PATH\"))\n"
-
- "(if (string=? should-log \"TRUE\")\n"
- " (deny default)\n"
- " (deny default (with no-log)))\n"
-
- "(allow signal (target self))\n"
- "(allow sysctl-read)\n"
- "(allow iokit-open (iokit-user-client-class \"IOHIDParamUserClient\"))\n"
- "(allow mach-lookup\n"
- " (global-name \"com.apple.cfprefsd.agent\")\n"
- " (global-name \"com.apple.cfprefsd.daemon\")\n"
- " (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
- " (global-name \"com.apple.system.logger\")\n"
- " (global-name \"com.apple.ls.boxd\"))\n"
- "(allow file-read*\n"
- " (regex #\"^/etc$\")\n"
- " (regex #\"^/dev/u?random$\")\n"
- " (literal \"/usr/share/icu/icudt51l.dat\")\n"
- " (regex #\"^/System/Library/Displays/Overrides/*\")\n"
- " (regex #\"^/System/Library/CoreServices/CoreTypes.bundle/*\")\n"
- " (regex #\"^/System/Library/PrivateFrameworks/*\")\n"
- " (regex #\"^/usr/lib/libstdc\\+\\+\\..*dylib$\")\n"
- " (literal plugin-binary-path)\n"
- " (literal app-path)\n"
- " (literal app-binary-path))\n";
-
-static const char widevinePluginSandboxRulesAddend[] =
- "(allow mach-lookup (global-name \"com.apple.windowserver.active\"))\n";
-
-static const char contentSandboxRules[] =
- "(version 1)\n"
- "\n"
- "(define should-log (param \"SHOULD_LOG\"))\n"
- "(define sandbox-level-1 (param \"SANDBOX_LEVEL_1\"))\n"
- "(define sandbox-level-2 (param \"SANDBOX_LEVEL_2\"))\n"
- "(define sandbox-level-3 (param \"SANDBOX_LEVEL_3\"))\n"
- "(define macosMinorVersion-9 (param \"MAC_OS_MINOR_9\"))\n"
- "(define appPath (param \"APP_PATH\"))\n"
- "(define appBinaryPath (param \"APP_BINARY_PATH\"))\n"
- "(define appDir (param \"APP_DIR\"))\n"
- "(define appTempDir (param \"APP_TEMP_DIR\"))\n"
- "(define hasProfileDir (param \"HAS_SANDBOXED_PROFILE\"))\n"
- "(define profileDir (param \"PROFILE_DIR\"))\n"
- "(define home-path (param \"HOME_PATH\"))\n"
- "(define hasFilePrivileges (param \"HAS_FILE_PRIVILEGES\"))\n"
- "(define isDebugBuild (param \"DEBUG_BUILD\"))\n"
- "\n"
- "; Allow read access to standard system paths.\n"
- "(allow file-read*\n"
- " (require-all (file-mode #o0004)\n"
- " (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
- " (subpath \"/System\")\n"
- " (subpath \"/private/var/db/dyld\")\n"
- " (subpath \"/usr/lib\")\n"
- " (subpath \"/usr/share\"))))\n"
- "\n"
- "(allow file-read-metadata\n"
- " (literal \"/etc\")\n"
- " (literal \"/tmp\")\n"
- " (literal \"/var\")\n"
- " (literal \"/private/etc/localtime\"))\n"
- "\n"
- "; Allow read access to standard special files.\n"
- "(allow file-read*\n"
- " (literal \"/dev/autofs_nowait\")\n"
- " (literal \"/dev/random\")\n"
- " (literal \"/dev/urandom\"))\n"
- "\n"
- "(allow file-read*\n"
- " file-write-data\n"
- " (literal \"/dev/null\")\n"
- " (literal \"/dev/zero\"))\n"
- "\n"
- "(allow file-read*\n"
- " file-write-data\n"
- " file-ioctl\n"
- " (literal \"/dev/dtracehelper\"))\n"
- "\n"
- "; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"
- "(allow sysctl-read)\n"
- "\n"
- "(begin\n"
- " (if (string=? should-log \"TRUE\")\n"
- " (deny default)\n"
- " (deny default (with no-log)))\n"
- " (debug deny)\n"
- "\n"
- " (define resolving-literal literal)\n"
- " (define resolving-subpath subpath)\n"
- " (define resolving-regex regex)\n"
- "\n"
- " (define container-path appPath)\n"
- " (define appdir-path appDir)\n"
- " (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
- " (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
- "\n"
- " (define (home-regex home-relative-regex)\n"
- " (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
- " (define (home-subpath home-relative-subpath)\n"
- " (resolving-subpath (string-append home-path home-relative-subpath)))\n"
- " (define (home-literal home-relative-literal)\n"
- " (resolving-literal (string-append home-path home-relative-literal)))\n"
- "\n"
- " (define (profile-subpath profile-relative-subpath)\n"
- " (resolving-subpath (string-append profileDir profile-relative-subpath)))\n"
- "\n"
- " (define (var-folders-regex var-folders-relative-regex)\n"
- " (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
- " (define (var-folders2-regex var-folders2-relative-regex)\n"
- " (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
- "\n"
- " (define (allow-shared-preferences-read domain)\n"
- " (begin\n"
- " (if (defined? `user-preference-read)\n"
- " (allow user-preference-read (preference-domain domain)))\n"
- " (allow file-read*\n"
- " (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
- " (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n"
- " ))\n"
- "\n"
- " (define (allow-shared-list domain)\n"
- " (allow file-read*\n"
- " (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
- "\n"
- " (allow ipc-posix-shm\n"
- " (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
- " (ipc-posix-name-regex \"^CFPBS:\")\n"
- " (ipc-posix-name-regex \"^AudioIO\"))\n"
- "\n"
- " (allow file-read-metadata\n"
- " (literal \"/home\")\n"
- " (literal \"/net\")\n"
- " (regex \"^/private/tmp/KSInstallAction\\.\")\n"
- " (var-folders-regex \"/\")\n"
- " (home-subpath \"/Library\"))\n"
- "\n"
- " (allow signal (target self))\n"
- " (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
- " (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
- "\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.coreservices.launchservicesd\")\n"
- " (global-name \"com.apple.coreservices.appleevents\")\n"
- " (global-name \"com.apple.pasteboard.1\")\n"
- " (global-name \"com.apple.window_proxies\")\n"
- " (global-name \"com.apple.windowserver.active\")\n"
- " (global-name \"com.apple.audio.coreaudiod\")\n"
- " (global-name \"com.apple.audio.audiohald\")\n"
- " (global-name \"com.apple.PowerManagement.control\")\n"
- " (global-name \"com.apple.cmio.VDCAssistant\")\n"
- " (global-name \"com.apple.SystemConfiguration.configd\")\n"
- " (global-name \"com.apple.iconservices\")\n"
- " (global-name \"com.apple.cookied\")\n"
- " (global-name \"com.apple.cache_delete\")\n"
- " (global-name \"com.apple.pluginkit.pkd\")\n"
- " (global-name \"com.apple.bird\")\n"
- " (global-name \"com.apple.ocspd\")\n"
- " (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
- " (global-name \"com.apple.DesktopServicesHelper\"))\n"
- "\n"
- "; bug 1312273\n"
- " (if (string=? macosMinorVersion-9 \"TRUE\")\n"
- " (allow mach-lookup (global-name \"com.apple.xpcd\")))\n"
- "\n"
- " (allow iokit-open\n"
- " (iokit-user-client-class \"IOHIDParamUserClient\")\n"
- " (iokit-user-client-class \"IOAudioControlUserClient\")\n"
- " (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
- " (iokit-user-client-class \"IGAccelDevice\")\n"
- " (iokit-user-client-class \"nvDevice\")\n"
- " (iokit-user-client-class \"nvSharedUserClient\")\n"
- " (iokit-user-client-class \"nvFermiGLContext\")\n"
- " (iokit-user-client-class \"IGAccelGLContext\")\n"
- " (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
- " (iokit-user-client-class \"RootDomainUserClient\")\n"
- " (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
- " (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
- "\n"
- "; depending on systems, the 1st, 2nd or both rules are necessary\n"
- " (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
- " (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
- "\n"
- " (allow-shared-preferences-read \"com.apple.ATS\")\n"
- " (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
- "\n"
- " (allow file-read*\n"
- " (subpath \"/Library/Fonts\")\n"
- " (subpath \"/Library/Audio/Plug-Ins\")\n"
- " (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
- " (subpath \"/Library/Spelling\")\n"
- " (literal \"/\")\n"
- " (literal \"/private/tmp\")\n"
- " (literal \"/private/var/tmp\")\n"
- "\n"
- " (home-literal \"/.CFUserTextEncoding\")\n"
- " (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
- " (home-subpath \"/Library/Colors\")\n"
- " (home-subpath \"/Library/Fonts\")\n"
- " (home-subpath \"/Library/FontCollections\")\n"
- " (home-subpath \"/Library/Keyboard Layouts\")\n"
- " (home-subpath \"/Library/Input Methods\")\n"
- " (home-subpath \"/Library/Spelling\")\n"
- " (home-subpath \"/Library/Application Support/Adobe/CoreSync/plugins/livetype\")\n"
- "\n"
- " (subpath appdir-path)\n"
- "\n"
- " (literal appPath)\n"
- " (literal appBinaryPath))\n"
- "\n"
- " (allow-shared-list \"org.mozilla.plugincontainer\")\n"
- "\n"
- "; the following rule should be removed when microphone access\n"
- "; is brokered through the content process\n"
- " (allow device-microphone)\n"
- "\n"
- " (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
- " (allow file-read*\n"
- " (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
- " (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
- "\n"
- " (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
- "\n"
- "; Per-user and system-wide Extensions dir\n"
- " (allow file-read*\n"
- " (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
- " (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
- "\n"
- "; The following rules impose file access restrictions which get\n"
- "; more restrictive in higher levels. When file-origin-specific\n"
- "; content processes are used for file:// origin browsing, the\n"
- "; global file-read* permission should be removed from each level.\n"
- "\n"
- "; level 1: global read access permitted, no global write access\n"
- " (if (string=? sandbox-level-1 \"TRUE\") (allow file-read*))\n"
- "\n"
- "; level 2: global read access permitted, no global write access,\n"
- "; no read/write access to ~/Library,\n"
- "; no read/write access to $PROFILE,\n"
- "; read access permitted to $PROFILE/{extensions,chrome}\n"
- " (if (string=? sandbox-level-2 \"TRUE\")\n"
- " (if (string=? hasFilePrivileges \"TRUE\")\n"
- " ; This process has blanket file read privileges\n"
- " (allow file-read*)\n"
- " ; This process does not have blanket file read privileges\n"
- " (if (string=? hasProfileDir \"TRUE\")\n"
- " ; we have a profile dir\n"
- " (begin\n"
- " (allow file-read* (require-all\n"
- " (require-not (home-subpath \"/Library\"))\n"
- " (require-not (subpath profileDir))))\n"
- " (allow file-read*\n"
- " (profile-subpath \"/extensions\")\n"
- " (profile-subpath \"/chrome\")))\n"
- " ; we don't have a profile dir\n"
- " (allow file-read* (require-not (home-subpath \"/Library\"))))))\n"
- "\n"
- "; level 3: global read access permitted, no global write access,\n"
- "; no read access to the home directory,\n"
- "; read access permitted to $PROFILE/{extensions,chrome}\n"
- " (if (string=? sandbox-level-3 \"TRUE\")\n"
- " (if (string=? hasFilePrivileges \"TRUE\")\n"
- " ; This process has blanket file read privileges\n"
- " (allow file-read*)\n"
- " ; This process does not have blanket file read privileges\n"
- " (if (string=? hasProfileDir \"TRUE\")\n"
- " ; we have a profile dir\n"
- " (begin\n"
- " (allow file-read* (require-all\n"
- " (require-not (subpath home-path))\n"
- " (require-not (subpath profileDir))))\n"
- " (allow file-read*\n"
- " (profile-subpath \"/extensions\")\n"
- " (profile-subpath \"/chrome\")))\n"
- " ; we don't have a profile dir\n"
- " (allow file-read* (require-not (subpath home-path))))))\n"
- "\n"
- "; accelerated graphics\n"
- " (allow-shared-preferences-read \"com.apple.opengl\")\n"
- " (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.cvmsServ\"))\n"
- " (allow iokit-open\n"
- " (iokit-connection \"IOAccelerator\")\n"
- " (iokit-user-client-class \"IOAccelerationUserClient\")\n"
- " (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
- " (iokit-user-client-class \"IOSurfaceSendRight\")\n"
- " (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
- " (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
- " (iokit-user-client-class \"AGPMClient\")\n"
- " (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
- " (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
- "\n"
- "; bug 1153809\n"
- " (allow iokit-open\n"
- " (iokit-user-client-class \"NVDVDContextTesla\")\n"
- " (iokit-user-client-class \"Gen6DVDContext\"))\n"
- "\n"
- "; bug 1201935\n"
- " (allow file-read*\n"
- " (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
- "\n"
- "; bug 1237847\n"
- " (allow file-read*\n"
- " (subpath appTempDir))\n"
- " (allow file-write*\n"
- " (subpath appTempDir))\n"
- "\n"
- "; bug 1324610\n"
- " (allow network-outbound (literal \"/private/var/run/cupsd\"))\n"
- "\n"
- "; bug 1303987\n"
- " (if (string=? isDebugBuild \"TRUE\")\n"
- " (allow file-write* (var-folders-regex \"/\")))\n"
- ")\n";
-
bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
{
std::vector<const char *> params;
char *profile = NULL;
bool profile_needs_free = false;
if (aInfo.type == MacSandboxType_Plugin) {
profile = const_cast<char *>(pluginSandboxRules);
params.push_back("SHOULD_LOG");
new file mode 100644
--- /dev/null
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -0,0 +1,341 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SandboxPolicies_h
+#define mozilla_SandboxPolicies_h
+
+namespace mozilla {
+
+static const char pluginSandboxRules[] = R"(
+ (version 1)
+
+ (define should-log (param "SHOULD_LOG"))
+ (define plugin-binary-path (param "PLUGIN_BINARY_PATH"))
+ (define app-path (param "APP_PATH"))
+ (define app-binary-path (param "APP_BINARY_PATH"))
+
+ (if (string=? should-log "TRUE")
+ (deny default)
+ (deny default (with no-log)))
+
+ (allow signal (target self))
+ (allow sysctl-read)
+ (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
+ (allow mach-lookup
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.system.opendirectoryd.libinfo")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.ls.boxd"))
+ (allow file-read*
+ (regex #"^/etc$")
+ (regex #"^/dev/u?random$")
+ (literal "/usr/share/icu/icudt51l.dat")
+ (regex #"^/System/Library/Displays/Overrides/*")
+ (regex #"^/System/Library/CoreServices/CoreTypes.bundle/*")
+ (regex #"^/System/Library/PrivateFrameworks/*")
+ (regex #"^/usr/lib/libstdc\+\+\..*dylib$")
+ (literal plugin-binary-path)
+ (literal app-path)
+ (literal app-binary-path))
+)";
+
+static const char widevinePluginSandboxRulesAddend[] = R"(
+ (allow mach-lookup (global-name "com.apple.windowserver.active"))
+)";
+
+static const char contentSandboxRules[] = R"(
+ (version 1)
+
+ (define should-log (param "SHOULD_LOG"))
+ (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
+ (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
+ (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
+ (define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
+ (define appPath (param "APP_PATH"))
+ (define appBinaryPath (param "APP_BINARY_PATH"))
+ (define appDir (param "APP_DIR"))
+ (define appTempDir (param "APP_TEMP_DIR"))
+ (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
+ (define profileDir (param "PROFILE_DIR"))
+ (define home-path (param "HOME_PATH"))
+ (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
+ (define isDebugBuild (param "DEBUG_BUILD"))
+
+ ; Allow read access to standard system paths.
+ (allow file-read*
+ (require-all (file-mode #o0004)
+ (require-any (subpath "/Library/Filesystems/NetFSPlugins")
+ (subpath "/System")
+ (subpath "/private/var/db/dyld")
+ (subpath "/usr/lib")
+ (subpath "/usr/share"))))
+
+ (allow file-read-metadata
+ (literal "/etc")
+ (literal "/tmp")
+ (literal "/var")
+ (literal "/private/etc/localtime"))
+
+ ; Allow read access to standard special files.
+ (allow file-read*
+ (literal "/dev/autofs_nowait")
+ (literal "/dev/random")
+ (literal "/dev/urandom"))
+
+ (allow file-read*
+ file-write-data
+ (literal "/dev/null")
+ (literal "/dev/zero"))
+
+ (allow file-read*
+ file-write-data
+ file-ioctl
+ (literal "/dev/dtracehelper"))
+
+ ; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
+ (allow sysctl-read)
+
+ (begin
+ (if (string=? should-log "TRUE")
+ (deny default)
+ (deny default (with no-log)))
+ (debug deny)
+
+ (define resolving-literal literal)
+ (define resolving-subpath subpath)
+ (define resolving-regex regex)
+
+ (define container-path appPath)
+ (define appdir-path appDir)
+ (define var-folders-re "^/private/var/folders/[^/][^/]")
+ (define var-folders2-re (string-append var-folders-re "/[^/]+/[^/]"))
+
+ (define (home-regex home-relative-regex)
+ (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex)))
+ (define (home-subpath home-relative-subpath)
+ (resolving-subpath (string-append home-path home-relative-subpath)))
+ (define (home-literal home-relative-literal)
+ (resolving-literal (string-append home-path home-relative-literal)))
+
+ (define (profile-subpath profile-relative-subpath)
+ (resolving-subpath (string-append profileDir profile-relative-subpath)))
+
+ (define (var-folders-regex var-folders-relative-regex)
+ (resolving-regex (string-append var-folders-re var-folders-relative-regex)))
+ (define (var-folders2-regex var-folders2-relative-regex)
+ (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))
+
+ (define (allow-shared-preferences-read domain)
+ (begin
+ (if (defined? `user-preference-read)
+ (allow user-preference-read (preference-domain domain)))
+ (allow file-read*
+ (home-literal (string-append "/Library/Preferences/" domain ".plist"))
+ (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$")))
+ ))
+
+ (define (allow-shared-list domain)
+ (allow file-read*
+ (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
+
+ (allow ipc-posix-shm
+ (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
+ (ipc-posix-name-regex "^CFPBS:")
+ (ipc-posix-name-regex "^AudioIO"))
+
+ (allow file-read-metadata
+ (literal "/home")
+ (literal "/net")
+ (regex "^/private/tmp/KSInstallAction\.")
+ (var-folders-regex "/")
+ (home-subpath "/Library"))
+
+ (allow signal (target self))
+ (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL"))
+ (allow iokit-set-properties (iokit-property "IOAudioControlValue"))
+
+ (allow mach-lookup
+ (global-name "com.apple.coreservices.launchservicesd")
+ (global-name "com.apple.coreservices.appleevents")
+ (global-name "com.apple.pasteboard.1")
+ (global-name "com.apple.window_proxies")
+ (global-name "com.apple.windowserver.active")
+ (global-name "com.apple.audio.coreaudiod")
+ (global-name "com.apple.audio.audiohald")
+ (global-name "com.apple.PowerManagement.control")
+ (global-name "com.apple.cmio.VDCAssistant")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.iconservices")
+ (global-name "com.apple.cookied")
+ (global-name "com.apple.cache_delete")
+ (global-name "com.apple.pluginkit.pkd")
+ (global-name "com.apple.bird")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.cmio.AppleCameraAssistant")
+ (global-name "com.apple.DesktopServicesHelper"))
+
+ ; bug 1312273
+ (if (string=? macosMinorVersion-9 "TRUE")
+ (allow mach-lookup (global-name "com.apple.xpcd")))
+
+ (allow iokit-open
+ (iokit-user-client-class "IOHIDParamUserClient")
+ (iokit-user-client-class "IOAudioControlUserClient")
+ (iokit-user-client-class "IOAudioEngineUserClient")
+ (iokit-user-client-class "IGAccelDevice")
+ (iokit-user-client-class "nvDevice")
+ (iokit-user-client-class "nvSharedUserClient")
+ (iokit-user-client-class "nvFermiGLContext")
+ (iokit-user-client-class "IGAccelGLContext")
+ (iokit-user-client-class "IGAccelSharedUserClient")
+ (iokit-user-client-class "IGAccelVideoContextMain")
+ (iokit-user-client-class "IGAccelVideoContextMedia")
+ (iokit-user-client-class "IGAccelVideoContextVEBox")
+ (iokit-user-client-class "RootDomainUserClient")
+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
+ (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
+
+ ; depending on systems, the 1st, 2nd or both rules are necessary
+ (allow-shared-preferences-read "com.apple.HIToolbox")
+ (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
+
+ (allow-shared-preferences-read "com.apple.ATS")
+ (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+ (allow file-read*
+ (subpath "/Library/Fonts")
+ (subpath "/Library/Audio/Plug-Ins")
+ (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
+ (subpath "/Library/Spelling")
+ (literal "/")
+ (literal "/private/tmp")
+ (literal "/private/var/tmp")
+
+ (home-literal "/.CFUserTextEncoding")
+ (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
+ (home-subpath "/Library/Colors")
+ (home-subpath "/Library/Fonts")
+ (home-subpath "/Library/FontCollections")
+ (home-subpath "/Library/Keyboard Layouts")
+ (home-subpath "/Library/Input Methods")
+ (home-subpath "/Library/Spelling")
+ (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+
+ (subpath appdir-path)
+
+ (literal appPath)
+ (literal appBinaryPath))
+
+ (allow-shared-list "org.mozilla.plugincontainer")
+
+ ; the following rule should be removed when microphone access
+ ; is brokered through the content process
+ (allow device-microphone)
+
+ (allow file* (var-folders2-regex "/com\.apple\.IntlDataCache\.le$"))
+ (allow file-read*
+ (var-folders2-regex "/com\.apple\.IconServices/")
+ (var-folders2-regex "/[^/]+\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\.j(s|ar)$"))
+
+ (allow file-write* (var-folders2-regex "/org\.chromium\.[a-zA-Z0-9]*$"))
+
+ ; Per-user and system-wide Extensions dir
+ (allow file-read*
+ (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
+ (resolving-regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
+
+ ; The following rules impose file access restrictions which get
+ ; more restrictive in higher levels. When file-origin-specific
+ ; content processes are used for file:// origin browsing, the
+ ; global file-read* permission should be removed from each level.
+
+ ; level 1: global read access permitted, no global write access
+ (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
+
+ ; level 2: global read access permitted, no global write access,
+ ; no read/write access to ~/Library,
+ ; no read/write access to $PROFILE,
+ ; read access permitted to $PROFILE/{extensions,chrome}
+ (if (string=? sandbox-level-2 "TRUE")
+ (if (string=? hasFilePrivileges "TRUE")
+ ; This process has blanket file read privileges
+ (allow file-read*)
+ ; This process does not have blanket file read privileges
+ (if (string=? hasProfileDir "TRUE")
+ ; we have a profile dir
+ (begin
+ (allow file-read* (require-all
+ (require-not (home-subpath "/Library"))
+ (require-not (subpath profileDir))))
+ (allow file-read*
+ (profile-subpath "/extensions")
+ (profile-subpath "/chrome")))
+ ; we don't have a profile dir
+ (allow file-read* (require-not (home-subpath "/Library"))))))
+
+ ; level 3: global read access permitted, no global write access,
+ ; no read access to the home directory,
+ ; read access permitted to $PROFILE/{extensions,chrome}
+ (if (string=? sandbox-level-3 "TRUE")
+ (if (string=? hasFilePrivileges "TRUE")
+ ; This process has blanket file read privileges
+ (allow file-read*)
+ ; This process does not have blanket file read privileges
+ (if (string=? hasProfileDir "TRUE")
+ ; we have a profile dir
+ (begin
+ (allow file-read* (require-all
+ (require-not (subpath home-path))
+ (require-not (subpath profileDir))))
+ (allow file-read*
+ (profile-subpath "/extensions")
+ (profile-subpath "/chrome")))
+ ; we don't have a profile dir
+ (allow file-read* (require-not (subpath home-path))))))
+
+ ; accelerated graphics
+ (allow-shared-preferences-read "com.apple.opengl")
+ (allow-shared-preferences-read "com.nvidia.OpenGL")
+ (allow mach-lookup
+ (global-name "com.apple.cvmsServ"))
+ (allow iokit-open
+ (iokit-connection "IOAccelerator")
+ (iokit-user-client-class "IOAccelerationUserClient")
+ (iokit-user-client-class "IOSurfaceRootUserClient")
+ (iokit-user-client-class "IOSurfaceSendRight")
+ (iokit-user-client-class "IOFramebufferSharedUserClient")
+ (iokit-user-client-class "AppleSNBFBUserClient")
+ (iokit-user-client-class "AGPMClient")
+ (iokit-user-client-class "AppleGraphicsControlClient")
+ (iokit-user-client-class "AppleGraphicsPolicyClient"))
+
+ ; bug 1153809
+ (allow iokit-open
+ (iokit-user-client-class "NVDVDContextTesla")
+ (iokit-user-client-class "Gen6DVDContext"))
+
+ ; bug 1201935
+ (allow file-read*
+ (home-subpath "/Library/Caches/TemporaryItems"))
+
+ ; bug 1237847
+ (allow file-read*
+ (subpath appTempDir))
+ (allow file-write*
+ (subpath appTempDir))
+
+ ; bug 1324610
+ (allow network-outbound (literal "/private/var/run/cupsd"))
+
+ ; bug 1303987
+ (if (string=? isDebugBuild "TRUE")
+ (allow file-write* (var-folders-regex "/")))
+ )
+)";
+
+}
+
+#endif // mozilla_SandboxPolicies_h
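Review bot: The three literals use the bare `R"(`…`)"` delimiter, so the policy text is only safe as long as it never contains the two-character sequence `)"`; the current text does not, but a future rule that places a closing paren directly before a quoted string (e.g. a `regex-quote` call followed without a space by a string) would terminate the literal and turn the rest of the policy into C++ tokens. A named delimiter removes that hazard at no cost: `static const char contentSandboxRules[] = R"SBPL(` … `)SBPL";`, and likewise for `pluginSandboxRules` and `widevinePluginSandboxRulesAddend`. The header also has no comment saying what these arrays are; a short one above `pluginSandboxRules` along the lines of "SBPL sandbox profiles for the plugin and content processes; the `(param "...")` names are bound by StartMacSandbox(), which supplies SHOULD_LOG, APP_PATH and the other values when the sandbox is initialised" would orient a reader who reaches this file through the `mozilla/` export. Each literal now also begins with a newline plus indentation (the text starts right after `R"(`), which the Scheme-style SBPL reader should ignore but which is new relative to the removed strings — worth confirming for `widevinePluginSandboxRulesAddend` in particular, since this diff does not show how that addend is concatenated onto the plugin profile. Escapes such as `\+` and `\.` come through exactly as the removed `\\+`/`\\.` did, so the rule semantics are otherwise unchanged.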
--- a/security/sandbox/mac/moz.build
+++ b/security/sandbox/mac/moz.build
@@ -1,15 +1,16 @@
# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
EXPORTS.mozilla += [
'Sandbox.h',
+ 'SandboxPolicies.h'
]
SOURCES += [
'Sandbox.mm',
]
Library('mozsandbox');