Bug 1299329 - Remove printing-related privileges from content process sandbox; r?gcp
MozReview-Commit-ID: 9fnfkKvjpGx
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -295,25 +295,22 @@ static const char contentSandboxRules[]
" (global-name \"com.apple.windowserver.active\")\n"
" (global-name \"com.apple.audio.coreaudiod\")\n"
" (global-name \"com.apple.audio.audiohald\")\n"
" (global-name \"com.apple.PowerManagement.control\")\n"
" (global-name \"com.apple.cmio.VDCAssistant\")\n"
" (global-name \"com.apple.SystemConfiguration.configd\")\n"
" (global-name \"com.apple.iconservices\")\n"
" (global-name \"com.apple.cookied\")\n"
- " (global-name \"com.apple.printuitool.agent\")\n"
- " (global-name \"com.apple.printtool.agent\")\n"
" (global-name \"com.apple.cache_delete\")\n"
" (global-name \"com.apple.pluginkit.pkd\")\n"
" (global-name \"com.apple.bird\")\n"
" (global-name \"com.apple.ocspd\")\n"
" (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
- " (global-name \"com.apple.DesktopServicesHelper\")\n"
- " (global-name \"com.apple.printtool.daemon\"))\n"
+ " (global-name \"com.apple.DesktopServicesHelper\"))\n"
"\n"
" (allow iokit-open\n"
" (iokit-user-client-class \"IOHIDParamUserClient\")\n"
" (iokit-user-client-class \"IOAudioControlUserClient\")\n"
" (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
" (iokit-user-client-class \"IGAccelDevice\")\n"
" (iokit-user-client-class \"nvDevice\")\n"
" (iokit-user-client-class \"nvSharedUserClient\")\n"
@@ -334,30 +331,27 @@ static const char contentSandboxRules[]
" (allow-shared-preferences-read \"com.apple.ATS\")\n"
" (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
"\n"
" (allow file-read*\n"
" (subpath \"/Library/Fonts\")\n"
" (subpath \"/Library/Audio/Plug-Ins\")\n"
" (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
" (subpath \"/Library/Spelling\")\n"
- " (subpath \"/private/etc/cups/ppd\")\n"
- " (subpath \"/private/var/run/cupsd\")\n"
" (literal \"/\")\n"
" (literal \"/private/tmp\")\n"
" (literal \"/private/var/tmp\")\n"
"\n"
" (home-literal \"/.CFUserTextEncoding\")\n"
" (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
" (home-subpath \"/Library/Colors\")\n"
" (home-subpath \"/Library/Fonts\")\n"
" (home-subpath \"/Library/FontCollections\")\n"
" (home-subpath \"/Library/Keyboard Layouts\")\n"
" (home-subpath \"/Library/Input Methods\")\n"
- " (home-subpath \"/Library/PDF Services\")\n"
" (home-subpath \"/Library/Spelling\")\n"
"\n"
" (subpath appdir-path)\n"
"\n"
" (literal appPath)\n"
" (literal appBinaryPath))\n"
"\n"
" (allow-shared-list \"org.mozilla.plugincontainer\")\n"
@@ -395,67 +389,16 @@ static const char contentSandboxRules[]
" (allow file*\n"
" (require-not (home-subpath \"/Library\"))))\n"
" (allow file*\n"
" (require-all\n"
" (subpath home-path)\n"
" (require-not\n"
" (home-subpath \"/Library\")))))\n"
"\n"
- "; printing\n"
- " (allow authorization-right-obtain\n"
- " (right-name \"system.print.operator\")\n"
- " (right-name \"system.printingmanager\"))\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.printuitool.agent\")\n"
- " (global-name \"com.apple.printtool.agent\")\n"
- " (global-name \"com.apple.printtool.daemon\")\n"
- " (global-name \"com.apple.sharingd\")\n"
- " (global-name \"com.apple.metadata.mds\")\n"
- " (global-name \"com.apple.mtmd.xpc\")\n"
- " (global-name \"com.apple.FSEvents\")\n"
- " (global-name \"com.apple.locum\")\n"
- " (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n"
- " (allow file-read*\n"
- " (home-literal \"/.cups/lpoptions\")\n"
- " (home-literal \"/.cups/client.conf\")\n"
- " (literal \"/private/etc/cups/lpoptions\")\n"
- " (literal \"/private/etc/cups/client.conf\")\n"
- " (subpath \"/private/etc/cups/ppd\")\n"
- " (literal \"/private/var/run/cupsd\"))\n"
- " (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n"
- " (allow-shared-preferences-read \"com.apple.finder\")\n"
- " (allow-shared-preferences-read \"com.apple.LaunchServices\")\n"
- " (allow-shared-preferences-read \".GlobalPreferences\")\n"
- " (allow network-outbound\n"
- " (literal \"/private/var/run/cupsd\")\n"
- " (literal \"/private/var/run/mDNSResponder\"))\n"
- "\n"
- "; print preview\n"
- " (if (> macosMinorVersion 9)\n"
- " (allow lsopen))\n"
- " (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n"
- " (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n"
- " (allow mach-task-name)\n"
- " (allow mach-register)\n"
- " (allow file-read-data\n"
- " (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n"
- " (subpath \"/Library/PDF Services\")\n"
- " (subpath \"/Applications/Preview.app\")\n"
- " (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.pbs.fetch_services\")\n"
- " (global-name \"com.apple.tsm.uiserver\")\n"
- " (global-name \"com.apple.ls.boxd\")\n"
- " (global-name \"com.apple.coreservices.quarantine-resolver\")\n"
- " (global-name-regex \"_OpenStep$\"))\n"
- " (allow appleevent-send\n"
- " (appleevent-destination \"com.apple.preview\")\n"
- " (appleevent-destination \"com.apple.imagecaptureextension2\"))\n"
- "\n"
"; accelerated graphics\n"
" (allow-shared-preferences-read \"com.apple.opengl\")\n"
" (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
" (allow mach-lookup\n"
" (global-name \"com.apple.cvmsServ\"))\n"
" (allow iokit-open\n"
" (iokit-connection \"IOAccelerator\")\n"
" (iokit-user-client-class \"IOAccelerationUserClient\")\n"
