Bug 1428055 - Further lockdown the macOS content sandbox policy by restricting some allowed-by-default privileges; r?haik
MozReview-Commit-ID: DbJv5VIoKVV
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -61,25 +61,43 @@ static const char contentSandboxRules[]
(define testingReadPath2 (param "TESTING_READ_PATH2"))
(define testingReadPath3 (param "TESTING_READ_PATH3"))
(define testingReadPath4 (param "TESTING_READ_PATH4"))
(if (string=? should-log "TRUE")
(deny default)
(deny default (with no-log)))
(debug deny)
+ ; These are not included in (deny default)
+ (deny process-info*)
+ ; This isn't available in some older macOS releases.
+ (if (defined? 'nvram*)
+ (deny nvram*))
+ ; The next two properties both require macOS 10.10+
+ (if (defined? 'iokit-get-properties)
+ (deny iokit-get-properties))
+ (if (defined? 'file-map-executable)
+ (deny file-map-executable))
+
+ (if (defined? 'file-map-executable)
+ (allow file-map-executable file-read*
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath appdir-path))
+ (allow file-read*
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath appdir-path)))
; Allow read access to standard system paths.
(allow file-read*
(require-all (file-mode #o0004)
(require-any
(subpath "/Library/Filesystems/NetFSPlugins")
(subpath "/Library/GPUBundles")
- (subpath "/System")
- (subpath "/usr/lib")
(subpath "/usr/share"))))
; Top-level directory metadata access (bug 1404298)
(allow file-read-metadata (regex #"^/[^/]+$"))
(allow file-read-metadata
(literal "/private/etc/localtime")
(regex #"^/private/tmp/KSInstallAction\."))
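Review bot: The new `(allow file-map-executable file-read* (subpath "/System") (subpath "/usr/lib") ...)` rule, and its fallback branch for older releases, drop the `(file-mode #o0004)` guard that the removed `/System` and `/usr/lib` entries were under, so the content process can now read non-world-readable files under those trees that the previous policy refused; the same widening applies to the `file-read*` fallback. Since reads under those paths worked with the mode check before this patch, the check can be kept while only the executable-mapping grant is added, which also removes the duplicated `file-read*` list across the two `defined?` branches. I have not verified whether `file-mode` composes with `file-map-executable`, so the sketch below leaves the mapping rule unfiltered and relies on the read rule gating the underlying open — worth confirming on 10.10+ with the seatbelt log. `appdir-path` was already readable without a mode check on the old side, so it is left as is.
```scheme
  ; Keep system library/framework reads limited to world-readable files,
  ; as before; only the executable-mapping grant is new here.
  (allow file-read*
      (require-all (file-mode #o0004)
                   (require-any (subpath "/System")
                                (subpath "/usr/lib"))))
  (allow file-read* (subpath appdir-path))
  (if (defined? 'file-map-executable)
      (allow file-map-executable
          (subpath "/System")
          (subpath "/usr/lib")
          (subpath appdir-path)))
  ; … unchanged: /Library/Filesystems, /Library/GPUBundles, /usr/share read rule …
```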
@@ -95,16 +113,19 @@ static const char contentSandboxRules[]
(literal "/dev/null")
(literal "/dev/zero"))
(allow file-read*
file-write-data
file-ioctl
(literal "/dev/dtracehelper"))
+ ; Needed for things like getpriority()/setpriority()
+ (allow process-info-pidinfo process-info-setcontrol (target self))
+
; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
; we need to allow all sysctl-reads there.
(if (= macosMinorVersion 9)
(allow sysctl-read)
(allow sysctl-read
(sysctl-name-regex #"^sysctl\.")
(sysctl-name "kern.ostype")
(sysctl-name "kern.osversion")
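Review bot: The comment on the new `(allow process-info-pidinfo process-info-setcontrol (target self))` rule, "Needed for things like getpriority()/setpriority()", is too vague for a deny-by-default policy that this patch has just tightened with `(deny process-info*)`: it does not say which of the two operations each call actually requires, so nobody can later drop one of them safely. Suggest recording what was observed when this was tested, e.g. `; getpriority()/setpriority() on our own pid need process-info-pidinfo/-setcontrol; (target self) keeps other processes' info denied (bug 1428055)`, replacing "things like" with the exact list once confirmed. Whether `setcontrol` is needed by anything other than priority changes is not visible from the hunk, so that should be verified rather than assumed.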
@@ -182,16 +203,30 @@ static const char contentSandboxRules[]
; bug 1312273
(if (= macosMinorVersion 9)
(allow mach-lookup (global-name "com.apple.xpcd")))
(allow iokit-open
(iokit-user-client-class "IOHIDParamUserClient")
(iokit-user-client-class "IOAudioEngineUserClient"))
+ ; Only supported on macOS 10.10+
+ (if (defined? 'iokit-get-properties)
+ (allow iokit-get-properties
+ (iokit-property "board-id")
+ (iokit-property "IODVDBundleName")
+ (iokit-property "IOGLBundleName")
+ (iokit-property "IOGVACodec")
+ (iokit-property "IOGVAHEVCDecode")
+ (iokit-property "IOGVAHEVCEncode")
+ (iokit-property "IOPCITunnelled")
+ (iokit-property "IOVARendererID")
+ (iokit-property "MetalPluginName")
+ (iokit-property "MetalPluginClassName")))
+
; depending on systems, the 1st, 2nd or both rules are necessary
(allow user-preference-read (preference-domain "com.apple.HIToolbox"))
(allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
(allow user-preference-read (preference-domain "com.apple.ATS"))
(allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
(allow file-read*
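Review bot: The new `iokit-get-properties` allowlist matches on property name alone, so each name is readable from any IORegistry entry that exposes it, and `board-id` in particular is a hardware-model identifier that a compromised content process could use for fingerprinting; the list carries no explanation of which consumer needs which property. Suggest a comment above the rule such as `; Matched by property name regardless of which registry entry exposes it; keep this list minimal (board-id identifies the hardware model; the rest presumably drive GPU/Metal/VA codec plugin selection — confirm against the callers).`, and, if the sandbox on 10.10+ lets `iokit-property` be combined with a registry-entry-class filter via `require-all`, tying `board-id` to the one entry that needs it would narrow the exposure. I have not confirmed that such a filter is available on the oldest supported release, so the hedge is deliberate.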
@@ -208,29 +243,38 @@ static const char contentSandboxRules[]
(home-subpath "/Library/Fonts")
(home-subpath "/Library/FontCollections")
(home-subpath "/Library/Keyboard Layouts")
(home-subpath "/Library/Input Methods")
(home-subpath "/Library/Spelling")
(home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
(home-subpath "/Library/Application Support/FontAgent")
- (subpath appdir-path)
-
(literal appPath)
(literal appBinaryPath))
- (when testingReadPath1
- (allow file-read* (subpath testingReadPath1)))
- (when testingReadPath2
- (allow file-read* (subpath testingReadPath2)))
- (when testingReadPath3
- (allow file-read* (subpath testingReadPath3)))
- (when testingReadPath4
- (allow file-read* (subpath testingReadPath4)))
+ (if (defined? 'file-map-executable)
+ (begin
+ (when testingReadPath1
+ (allow file-read* file-map-executable (subpath testingReadPath1)))
+ (when testingReadPath2
+ (allow file-read* file-map-executable (subpath testingReadPath2)))
+ (when testingReadPath3
+ (allow file-read* file-map-executable (subpath testingReadPath3)))
+ (when testingReadPath4
+ (allow file-read* file-map-executable (subpath testingReadPath4))))
+ (begin
+ (when testingReadPath1
+ (allow file-read* (subpath testingReadPath1)))
+ (when testingReadPath2
+ (allow file-read* (subpath testingReadPath2)))
+ (when testingReadPath3
+ (allow file-read* (subpath testingReadPath3)))
+ (when testingReadPath4
+ (allow file-read* (subpath testingReadPath4)))))
(allow file-read-metadata (home-subpath "/Library"))
(allow file-read-metadata
(literal "/private/var")
(subpath "/private/var/folders"))
; bug 1303987