security/sandbox/mac/SandboxPolicyContent.h

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #ifndef mozilla_SandboxPolicyContent_h
   7 #define mozilla_SandboxPolicyContent_h
   8
   9 #define MAX_TESTING_READ_PATHS 4
  10
  11 namespace mozilla {
  12
  13 static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
  14   (version 1)
  15
  16   (define should-log (param "SHOULD_LOG"))
  17   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
  18   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
  19   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
  20   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
  21   (define appPath (param "APP_PATH"))
  22   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
  23   (define profileDir (param "PROFILE_DIR"))
  24   (define hasWindowServer (param "HAS_WINDOW_SERVER"))
  25   (define home-path (param "HOME_PATH"))
  26   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
  27   (define testingReadPath1 (param "TESTING_READ_PATH1"))
  28   (define testingReadPath2 (param "TESTING_READ_PATH2"))
  29   (define testingReadPath3 (param "TESTING_READ_PATH3"))
  30   (define testingReadPath4 (param "TESTING_READ_PATH4"))
  31   (define crashPort (param "CRASH_PORT"))
  32
  33   (define (moz-deny feature)
  34     (if (string=? should-log "TRUE")
  35       (deny feature)
  36       (deny feature (with no-log))))
  37
  38   (moz-deny default)
  39   ; These are not included in (deny default)
  40   (moz-deny process-info*)
  41   ; This isn't available in some older macOS releases.
  42   (if (defined? 'nvram*)
  43     (moz-deny nvram*))
  44   ; The next two properties both require macOS 10.10+
  45   (if (defined? 'iokit-get-properties)
  46     (moz-deny iokit-get-properties))
  47   (if (defined? 'file-map-executable)
  48     (moz-deny file-map-executable))
  49
  50   (if (string=? should-log "TRUE")
  51     (debug deny))
  52
  53   (if (defined? 'file-map-executable)
  54     (allow file-map-executable file-read*
  55       (subpath "/System")
  56       (subpath "/usr/lib")
  57       (subpath "/Library/GPUBundles")
  58       (subpath appPath))
  59     (allow file-read*
  60         (subpath "/System")
  61         (subpath "/usr/lib")
  62         (subpath "/Library/GPUBundles")
  63         (subpath appPath)))
  64
  65   ; Allow read access to standard system paths.
  66   (allow file-read*
  67     (require-all (file-mode #o0004)
  68       (require-any
  69         (subpath "/Library/Filesystems/NetFSPlugins")
  70         (subpath "/usr/share"))))
  71
  72   ; Top-level directory metadata access (bug 1404298)
  73   (allow file-read-metadata (regex #"^/[^/]+$"))
  74
  75   (allow file-read-metadata
  76     (literal "/private/etc/localtime")
  77     (regex #"^/private/tmp/KSInstallAction\."))
  78
  79   ; Allow read access to standard special files.
  80   (allow file-read*
  81     (literal "/dev/autofs_nowait")
  82     (literal "/dev/random")
  83     (literal "/dev/urandom"))
  84
  85   (allow file-read*
  86     file-write-data
  87     (literal "/dev/null")
  88     (literal "/dev/zero"))
  89
  90   (allow file-read*
  91     file-write-data
  92     file-ioctl
  93     (literal "/dev/dtracehelper"))
  94
  95   ; Needed for things like getpriority()/setpriority()
  96   (allow process-info-pidinfo process-info-setcontrol (target self))
  97
  98   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
  99   ; we need to allow all sysctl-reads there.
 100   (if (= macosMinorVersion 9)
 101     (allow sysctl-read)
 102     (allow sysctl-read
 103       (sysctl-name-regex #"^sysctl\.")
 104       (sysctl-name "kern.ostype")
 105       (sysctl-name "kern.osversion")
 106       (sysctl-name "kern.osrelease")
 107       (sysctl-name "kern.version")
 108       ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
 109       ; is arguably sensitive information, so we should see what can be done about
 110       ; removing it.
 111       (sysctl-name "kern.hostname")
 112       (sysctl-name "hw.machine")
 113       (sysctl-name "hw.model")
 114       (sysctl-name "hw.ncpu")
 115       (sysctl-name "hw.activecpu")
 116       (sysctl-name "hw.byteorder")
 117       (sysctl-name "hw.pagesize_compat")
 118       (sysctl-name "hw.logicalcpu_max")
 119       (sysctl-name "hw.physicalcpu_max")
 120       (sysctl-name "hw.busfrequency_compat")
 121       (sysctl-name "hw.busfrequency_max")
 122       (sysctl-name "hw.cpufrequency")
 123       (sysctl-name "hw.cpufrequency_compat")
 124       (sysctl-name "hw.cpufrequency_max")
 125       (sysctl-name "hw.l2cachesize")
 126       (sysctl-name "hw.l3cachesize")
 127       (sysctl-name "hw.cachelinesize")
 128       (sysctl-name "hw.cachelinesize_compat")
 129       (sysctl-name "hw.tbfrequency_compat")
 130       (sysctl-name "hw.vectorunit")
 131       (sysctl-name "hw.optional.sse2")
 132       (sysctl-name "hw.optional.sse3")
 133       (sysctl-name "hw.optional.sse4_1")
 134       (sysctl-name "hw.optional.sse4_2")
 135       (sysctl-name "hw.optional.avx1_0")
 136       (sysctl-name "hw.optional.avx2_0")
 137       (sysctl-name "machdep.cpu.vendor")
 138       (sysctl-name "machdep.cpu.family")
 139       (sysctl-name "machdep.cpu.model")
 140       (sysctl-name "machdep.cpu.stepping")
 141       (sysctl-name "debug.intel.gstLevelGST")
 142       (sysctl-name "debug.intel.gstLoaderControl")))
 143
 144   (define (home-regex home-relative-regex)
 145     (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
 146   (define (home-subpath home-relative-subpath)
 147     (subpath (string-append home-path home-relative-subpath)))
 148   (define (home-literal home-relative-literal)
 149     (literal (string-append home-path home-relative-literal)))
 150
 151   (define (profile-subpath profile-relative-subpath)
 152     (subpath (string-append profileDir profile-relative-subpath)))
 153
 154   (define (allow-shared-list domain)
 155     (allow file-read*
 156            (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
 157
 158   (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
 159     (ipc-posix-name-regex #"^CFPBS:"))
 160
 161   (allow signal (target self))
 162   (if (string? crashPort)
 163     (allow mach-lookup (global-name crashPort)))
 164   (if (string=? hasWindowServer "TRUE")
 165     (allow mach-lookup (global-name "com.apple.windowserver.active")))
 166   (allow mach-lookup
 167     (global-name "com.apple.CoreServices.coreservicesd")
 168     (global-name "com.apple.coreservices.launchservicesd")
 169     (global-name "com.apple.lsd.mapdb"))
 170
 171   (if (>= macosMinorVersion 13)
 172     (allow mach-lookup
 173       ; bug 1392988
 174       (xpc-service-name "com.apple.coremedia.videodecoder")
 175       (xpc-service-name "com.apple.coremedia.videoencoder")))
 176
 177 ; bug 1312273
 178   (if (= macosMinorVersion 9)
 179      (allow mach-lookup (global-name "com.apple.xpcd")))
 180
 181   (allow iokit-open
 182      (iokit-user-client-class "IOHIDParamUserClient"))
 183
 184   ; Only supported on macOS 10.10+
 185   (if (defined? 'iokit-get-properties)
 186     (allow iokit-get-properties
 187       (iokit-property "board-id")
 188       (iokit-property "vendor-id")
 189       (iokit-property "device-id")
 190       (iokit-property "IODVDBundleName")
 191       (iokit-property "IOGLBundleName")
 192       (iokit-property "IOGVACodec")
 193       (iokit-property "IOGVAHEVCDecode")
 194       (iokit-property "IOGVAHEVCEncode")
 195       (iokit-property "IOPCITunnelled")
 196       (iokit-property "IOVARendererID")
 197       (iokit-property "MetalPluginName")
 198       (iokit-property "MetalPluginClassName")))
 199
 200 ; depending on systems, the 1st, 2nd or both rules are necessary
 201   (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
 202   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
 203
 204   (allow user-preference-read (preference-domain "com.apple.ATS"))
 205   (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
 206
 207   (allow file-read*
 208       (subpath "/Library/ColorSync/Profiles")
 209       (subpath "/Library/Spelling")
 210       (literal "/")
 211       (literal "/private/tmp")
 212       (literal "/private/var/tmp")
 213       (home-literal "/.CFUserTextEncoding")
 214       (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
 215       (home-subpath "/Library/Colors")
 216       (home-subpath "/Library/ColorSync/Profiles")
 217       (home-subpath "/Library/Keyboard Layouts")
 218       (home-subpath "/Library/Input Methods")
 219       (home-subpath "/Library/Spelling"))
 220
 221   (if (defined? 'file-map-executable)
 222     (begin
 223       (when testingReadPath1
 224         (allow file-read* file-map-executable (subpath testingReadPath1)))
 225       (when testingReadPath2
 226         (allow file-read* file-map-executable (subpath testingReadPath2)))
 227       (when testingReadPath3
 228         (allow file-read* file-map-executable (subpath testingReadPath3)))
 229       (when testingReadPath4
 230         (allow file-read* file-map-executable (subpath testingReadPath4))))
 231     (begin
 232       (when testingReadPath1
 233         (allow file-read* (subpath testingReadPath1)))
 234       (when testingReadPath2
 235         (allow file-read* (subpath testingReadPath2)))
 236       (when testingReadPath3
 237         (allow file-read* (subpath testingReadPath3)))
 238       (when testingReadPath4
 239         (allow file-read* (subpath testingReadPath4)))))
 240
 241   (allow file-read-metadata (home-subpath "/Library"))
 242
 243   (allow file-read-metadata (subpath "/private/var"))
 244
 245   ; bug 1303987
 246   (if (string? debugWriteDir)
 247     (begin
 248       (allow file-write-data (subpath debugWriteDir))
 249       (allow file-write-create
 250         (require-all
 251           (subpath debugWriteDir)
 252           (vnode-type REGULAR-FILE)))))
 253
 254   (allow-shared-list "org.mozilla.plugincontainer")
 255
 256 ; Per-user and system-wide Extensions dir
 257   (allow file-read*
 258       (home-regex "/Library/Application Support/[^/]+/Extensions/")
 259       (regex "^/Library/Application Support/[^/]+/Extensions/"))
 260
 261 ; bug 1393805
 262   (allow file-read*
 263       (home-subpath "/Library/Application Support/Mozilla/SystemExtensionsDev"))
 264
 265 ; The following rules impose file access restrictions which get
 266 ; more restrictive in higher levels. When file-origin-specific
 267 ; content processes are used for file:// origin browsing, the
 268 ; global file-read* permission should be removed from each level.
 269
 270 ; level 1: global read access permitted, no global write access
 271   (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
 272
 273 ; level 2: global read access permitted, no global write access,
 274 ;          no read/write access to ~/Library,
 275 ;          no read/write access to $PROFILE,
 276 ;          read access permitted to $PROFILE/{extensions,chrome}
 277   (if (string=? sandbox-level-2 "TRUE")
 278     (begin
 279       ; bug 1201935
 280       (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
 281       (if (string=? hasProfileDir "TRUE")
 282         ; we have a profile dir
 283         (allow file-read* (require-all
 284           (require-not (home-subpath "/Library"))
 285           (require-not (subpath profileDir))))
 286         ; we don't have a profile dir
 287         (allow file-read* (require-not (home-subpath "/Library"))))))
 288
 289   ; level 3: Does not have any of it's own rules. The global rules provide:
 290   ;          no global read/write access,
 291   ;          read access permitted to $PROFILE/{extensions,chrome}
 292
 293   (if (string=? hasProfileDir "TRUE")
 294     ; we have a profile dir
 295     (allow file-read*
 296       (profile-subpath "/extensions")
 297       (profile-subpath "/chrome")))
 298
 299 ; accelerated graphics
 300   (allow user-preference-read (preference-domain "com.apple.opengl"))
 301   (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
 302   (allow mach-lookup
 303       (global-name "com.apple.cvmsServ"))
 304   (if (>= macosMinorVersion 14)
 305     (allow mach-lookup
 306       (global-name "com.apple.MTLCompilerService")))
 307   (allow iokit-open
 308       (iokit-connection "IOAccelerator")
 309       (iokit-user-client-class "IOAccelerationUserClient")
 310       (iokit-user-client-class "IOSurfaceRootUserClient")
 311       (iokit-user-client-class "IOSurfaceSendRight")
 312       (iokit-user-client-class "IOFramebufferSharedUserClient")
 313       (iokit-user-client-class "AGPMClient")
 314       (iokit-user-client-class "AppleGraphicsControlClient"))
 315
 316 ; bug 1153809
 317   (allow iokit-open
 318       (iokit-user-client-class "NVDVDContextTesla")
 319       (iokit-user-client-class "Gen6DVDContext"))
 320
 321   ; Fonts
 322   (allow file-read*
 323     (subpath "/Library/Fonts")
 324     (subpath "/Library/Application Support/Apple/Fonts")
 325     (home-subpath "/Library/Fonts")
 326     ; Allow read access to paths allowed via sandbox extensions.
 327     ; This is needed for fonts in non-standard locations normally
 328     ; due to third party font managers. The extensions are
 329     ; automatically issued by the font server in response to font
 330     ; API calls.
 331     (extension "com.apple.app-sandbox.read"))
 332   ; Fonts may continue to work without explicitly allowing these
 333   ; services because, at present, connections are made to the services
 334   ; before the sandbox is enabled as a side-effect of some API calls.
 335   (allow mach-lookup
 336     (global-name "com.apple.fonts")
 337     (global-name "com.apple.FontObjectsServer"))
 338   (if (<= macosMinorVersion 11)
 339     (allow mach-lookup (global-name "com.apple.FontServer")))
 340
 341   ; Fonts
 342   ; Workaround for sandbox extensions not being automatically
 343   ; issued for fonts on 10.11 and earlier versions (bug 1460917).
 344   (if (<= macosMinorVersion 11)
 345     (allow file-read*
 346       (regex #"\.[oO][tT][fF]$"          ; otf
 347              #"\.[tT][tT][fF]$"          ; ttf
 348              #"\.[tT][tT][cC]$"          ; ttc
 349              #"\.[oO][tT][cC]$"          ; otc
 350              #"\.[dD][fF][oO][nN][tT]$") ; dfont
 351       (home-subpath "/Library/FontCollections")
 352       (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
 353       (home-subpath "/Library/Application Support/FontAgent")
 354       (home-subpath "/Library/Extensis/UTC") ; bug 1469657
 355       (subpath "/Library/Extensis/UTC")      ; bug 1469657
 356       (regex #"\.fontvault/")
 357       (home-subpath "/FontExplorer X/Font Library")))
 358 )SANDBOX_LITERAL";
 359
 360 // These are additional rules that are added to the content process rules for
 361 // file content processes.
 362 static const char SandboxPolicyContentFileAddend[] = R"SANDBOX_LITERAL(
 363   ; This process has blanket file read privileges
 364   (allow file-read*)
 365
 366   ; File content processes need access to iconservices to draw file icons in
 367   ; directory listings
 368   (allow mach-lookup (global-name "com.apple.iconservices"))
 369 )SANDBOX_LITERAL";
 370
 371 // These are additional rules that are added to the content process rules when
 372 // audio remoting is not enabled. (Once audio remoting is always used these
 373 // will be deleted.)
 374 static const char SandboxPolicyContentAudioAddend[] = R"SANDBOX_LITERAL(
 375   (allow ipc-posix-shm-read* ipc-posix-shm-write-data
 376     (ipc-posix-name-regex #"^AudioIO"))
 377
 378   (allow mach-lookup
 379     (global-name "com.apple.audio.coreaudiod")
 380     (global-name "com.apple.audio.audiohald"))
 381
 382   (if (>= macosMinorVersion 13)
 383     (allow mach-lookup
 384     ; bug 1376163
 385     (global-name "com.apple.audio.AudioComponentRegistrar")))
 386
 387   (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
 388
 389   (allow file-read* (subpath "/Library/Audio/Plug-Ins"))
 390
 391   (allow device-microphone)
 392 )SANDBOX_LITERAL";
 393
 394 }  // namespace mozilla
 395
 396 #endif  // mozilla_SandboxPolicyContent_h