1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 #ifndef mozilla_SandboxPolicyContent_h
7 #define mozilla_SandboxPolicyContent_h
// Number of TESTING_READ_PATHn parameters the content policy below consumes
// (testingReadPath1..testingReadPath4). Each path that is set is granted
// file-read* and, where the predicate exists, file-map-executable on that
// whole subpath, so every populated entry widens the sandbox; these are
// presumably only set by test harnesses — confirm at the call site that
// fills in the parameters.
9 #define MAX_TESTING_READ_PATHS 4
13 static const char SandboxPolicyContent
[] = R
"SANDBOX_LITERAL(
16 (define should-log (param "SHOULD_LOG
"))
17 (define sandbox-level-1 (param "SANDBOX_LEVEL_1
"))
18 (define sandbox-level-2 (param "SANDBOX_LEVEL_2
"))
19 (define sandbox-level-3 (param "SANDBOX_LEVEL_3
"))
20 (define macosMinorVersion (string->number (param "MAC_OS_MINOR
")))
21 (define appPath (param "APP_PATH
"))
22 (define hasProfileDir (param "HAS_SANDBOXED_PROFILE
"))
23 (define profileDir (param "PROFILE_DIR
"))
24 (define hasWindowServer (param "HAS_WINDOW_SERVER
"))
25 (define home-path (param "HOME_PATH
"))
26 (define debugWriteDir (param "DEBUG_WRITE_DIR
"))
27 (define testingReadPath1 (param "TESTING_READ_PATH1
"))
28 (define testingReadPath2 (param "TESTING_READ_PATH2
"))
29 (define testingReadPath3 (param "TESTING_READ_PATH3
"))
30 (define testingReadPath4 (param "TESTING_READ_PATH4
"))
31 (define crashPort (param "CRASH_PORT
"))
33 (define (moz-deny feature)
34 (if (string=? should-log "TRUE
")
36 (deny feature (with no-log))))
39 ; These are not included in (deny default)
40 (moz-deny process-info*)
41 ; This isn't available in some older macOS releases.
42 (if (defined? 'nvram*)
44 ; The next two properties both require macOS 10.10+
45 (if (defined? 'iokit-get-properties)
46 (moz-deny iokit-get-properties))
47 (if (defined? 'file-map-executable)
48 (moz-deny file-map-executable))
50 (if (string=? should-log "TRUE
")
53 (if (defined? 'file-map-executable)
54 (allow file-map-executable file-read*
57 (subpath "/Library
/GPUBundles
")
62 (subpath "/Library
/GPUBundles
")
65 ; Allow read access to standard system paths.
67 (require-all (file-mode #o0004)
69 (subpath "/Library
/Filesystems
/NetFSPlugins
")
70 (subpath "/usr
/share
"))))
72 ; Top-level directory metadata access (bug 1404298)
73 (allow file-read-metadata (regex #"^/[^/]+$
"))
75 (allow file-read-metadata
76 (literal "/private/etc
/localtime
")
77 (regex #"^/private/tmp
/KSInstallAction\
."))
79 ; Allow read access to standard special files.
81 (literal "/dev
/autofs_nowait
")
82 (literal "/dev
/random
")
83 (literal "/dev
/urandom
"))
88 (literal "/dev
/zero
"))
93 (literal "/dev
/dtracehelper
"))
95 ; Needed for things like getpriority()/setpriority()
96 (allow process-info-pidinfo process-info-setcontrol (target self))
98 ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
99 ; we need to allow all sysctl-reads there.
100 (if (= macosMinorVersion 9)
103 (sysctl-name-regex #"^sysctl\
.")
104 (sysctl-name "kern
.ostype
")
105 (sysctl-name "kern
.osversion
")
106 (sysctl-name "kern
.osrelease
")
107 (sysctl-name "kern
.version
")
108 ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
109 ; is arguably sensitive information (it identifies the machine), so we should see what can be done about removing it.
111 (sysctl-name "kern
.hostname
")
112 (sysctl-name "hw
.machine
")
113 (sysctl-name "hw
.model
")
114 (sysctl-name "hw
.ncpu
")
115 (sysctl-name "hw
.activecpu
")
116 (sysctl-name "hw
.byteorder
")
117 (sysctl-name "hw
.pagesize_compat
")
118 (sysctl-name "hw
.logicalcpu_max
")
119 (sysctl-name "hw
.physicalcpu_max
")
120 (sysctl-name "hw
.busfrequency_compat
")
121 (sysctl-name "hw
.busfrequency_max
")
122 (sysctl-name "hw
.cpufrequency
")
123 (sysctl-name "hw
.cpufrequency_compat
")
124 (sysctl-name "hw
.cpufrequency_max
")
125 (sysctl-name "hw
.l2cachesize
")
126 (sysctl-name "hw
.l3cachesize
")
127 (sysctl-name "hw
.cachelinesize
")
128 (sysctl-name "hw
.cachelinesize_compat
")
129 (sysctl-name "hw
.tbfrequency_compat
")
130 (sysctl-name "hw
.vectorunit
")
131 (sysctl-name "hw
.optional
.sse2
")
132 (sysctl-name "hw
.optional
.sse3
")
133 (sysctl-name "hw
.optional
.sse4_1
")
134 (sysctl-name "hw
.optional
.sse4_2
")
135 (sysctl-name "hw
.optional
.avx1_0
")
136 (sysctl-name "hw
.optional
.avx2_0
")
137 (sysctl-name "machdep
.cpu
.vendor
")
138 (sysctl-name "machdep
.cpu
.family
")
139 (sysctl-name "machdep
.cpu
.model
")
140 (sysctl-name "machdep
.cpu
.stepping
")
141 (sysctl-name "debug
.intel
.gstLevelGST
")
142 (sysctl-name "debug
.intel
.gstLoaderControl
")))
144 (define (home-regex home-relative-regex)
145 (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
146 (define (home-subpath home-relative-subpath)
147 (subpath (string-append home-path home-relative-subpath)))
148 (define (home-literal home-relative-literal)
149 (literal (string-append home-path home-relative-literal)))
151 (define (profile-subpath profile-relative-subpath)
152 (subpath (string-append profileDir profile-relative-subpath)))
154 (define (allow-shared-list domain)
156 (home-regex (string-append "/Library
/Preferences
/" (regex-quote domain)))))
158 (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
159 (ipc-posix-name-regex #"^CFPBS
:"))
161 (allow signal (target self))
162 (if (string? crashPort)
163 (allow mach-lookup (global-name crashPort)))
164 (if (string=? hasWindowServer "TRUE
")
165 (allow mach-lookup (global-name "com
.apple
.windowserver
.active
")))
167 (global-name "com
.apple
.CoreServices
.coreservicesd
")
168 (global-name "com
.apple
.coreservices
.launchservicesd
")
169 (global-name "com
.apple
.lsd
.mapdb
"))
171 (if (>= macosMinorVersion 13)
174 (xpc-service-name "com
.apple
.coremedia
.videodecoder
")
175 (xpc-service-name "com
.apple
.coremedia
.videoencoder
")))
178 (if (= macosMinorVersion 9)
179 (allow mach-lookup (global-name "com
.apple
.xpcd
")))
182 (iokit-user-client-class "IOHIDParamUserClient
"))
184 ; Only supported on macOS 10.10+
185 (if (defined? 'iokit-get-properties)
186 (allow iokit-get-properties
187 (iokit-property "board
-id
")
188 (iokit-property "vendor
-id
")
189 (iokit-property "device
-id
")
190 (iokit-property "IODVDBundleName
")
191 (iokit-property "IOGLBundleName
")
192 (iokit-property "IOGVACodec
")
193 (iokit-property "IOGVAHEVCDecode
")
194 (iokit-property "IOGVAHEVCEncode
")
195 (iokit-property "IOPCITunnelled
")
196 (iokit-property "IOVARendererID
")
197 (iokit-property "MetalPluginName
")
198 (iokit-property "MetalPluginClassName
")))
200 ; Depending on the system, the 1st rule, the 2nd rule, or both of the following rules are necessary.
201 (allow user-preference-read (preference-domain "com
.apple
.HIToolbox
"))
202 (allow file-read-data (literal "/Library
/Preferences
/com
.apple
.HIToolbox
.plist
"))
204 (allow user-preference-read (preference-domain "com
.apple
.ATS
"))
205 (allow file-read-data (literal "/Library
/Preferences
/.GlobalPreferences
.plist
"))
208 (subpath "/Library
/ColorSync
/Profiles
")
209 (subpath "/Library
/Spelling
")
211 (literal "/private/tmp
")
212 (literal "/private/var
/tmp
")
213 (home-literal "/.CFUserTextEncoding
")
214 (home-literal "/Library
/Preferences
/com
.apple
.DownloadAssessment
.plist
")
215 (home-subpath "/Library
/Colors
")
216 (home-subpath "/Library
/ColorSync
/Profiles
")
217 (home-subpath "/Library
/Keyboard Layouts
")
218 (home-subpath "/Library
/Input Methods
")
219 (home-subpath "/Library
/Spelling
"))
221 (if (defined? 'file-map-executable)
223 (when testingReadPath1
224 (allow file-read* file-map-executable (subpath testingReadPath1)))
225 (when testingReadPath2
226 (allow file-read* file-map-executable (subpath testingReadPath2)))
227 (when testingReadPath3
228 (allow file-read* file-map-executable (subpath testingReadPath3)))
229 (when testingReadPath4
230 (allow file-read* file-map-executable (subpath testingReadPath4))))
232 (when testingReadPath1
233 (allow file-read* (subpath testingReadPath1)))
234 (when testingReadPath2
235 (allow file-read* (subpath testingReadPath2)))
236 (when testingReadPath3
237 (allow file-read* (subpath testingReadPath3)))
238 (when testingReadPath4
239 (allow file-read* (subpath testingReadPath4)))))
241 (allow file-read-metadata (home-subpath "/Library
"))
243 (allow file-read-metadata (subpath "/private/var
"))
246 (if (string? debugWriteDir)
248 (allow file-write-data (subpath debugWriteDir))
249 (allow file-write-create
251 (subpath debugWriteDir)
252 (vnode-type REGULAR-FILE)))))
254 (allow-shared-list "org
.mozilla
.plugincontainer
")
256 ; Per-user and system-wide Extensions dir
258 (home-regex "/Library
/Application Support
/[^/]+/Extensions
/")
259 (regex "^/Library
/Application Support
/[^/]+/Extensions
/"))
263 (home-subpath "/Library
/Application Support
/Mozilla
/SystemExtensionsDev
"))
265 ; The following rules impose file access restrictions which get
266 ; more restrictive in higher levels. When file-origin-specific
267 ; content processes are used for file:// origin browsing, the
268 ; global file-read* permission should be removed from each level.
270 ; level 1: global read access permitted, no global write access
271 (if (string=? sandbox-level-1 "TRUE
") (allow file-read*))
273 ; level 2: global read access permitted, no global write access,
274 ; no read/write access to ~/Library,
275 ; no read/write access to $PROFILE,
276 ; read access permitted to $PROFILE/{extensions,chrome}
277 (if (string=? sandbox-level-2 "TRUE
")
280 (allow file-read* (home-subpath "/Library
/Caches
/TemporaryItems
"))
281 (if (string=? hasProfileDir "TRUE
")
282 ; we have a profile dir
283 (allow file-read* (require-all
284 (require-not (home-subpath "/Library
"))
285 (require-not (subpath profileDir))))
286 ; we don't have a profile dir
287 (allow file-read* (require-not (home-subpath "/Library
"))))))
289 ; level 3: Does not have any of its own rules. The global rules provide:
290 ; no global read/write access,
291 ; read access permitted to $PROFILE/{extensions,chrome}
293 (if (string=? hasProfileDir "TRUE
")
294 ; we have a profile dir
296 (profile-subpath "/extensions
")
297 (profile-subpath "/chrome
")))
299 ; accelerated graphics
300 (allow user-preference-read (preference-domain "com
.apple
.opengl
"))
301 (allow user-preference-read (preference-domain "com
.nvidia
.OpenGL
"))
303 (global-name "com
.apple
.cvmsServ
"))
304 (if (>= macosMinorVersion 14)
306 (global-name "com
.apple
.MTLCompilerService
")))
308 (iokit-connection "IOAccelerator
")
309 (iokit-user-client-class "IOAccelerationUserClient
")
310 (iokit-user-client-class "IOSurfaceRootUserClient
")
311 (iokit-user-client-class "IOSurfaceSendRight
")
312 (iokit-user-client-class "IOFramebufferSharedUserClient
")
313 (iokit-user-client-class "AGPMClient
")
314 (iokit-user-client-class "AppleGraphicsControlClient
"))
318 (iokit-user-client-class "NVDVDContextTesla
")
319 (iokit-user-client-class "Gen6DVDContext
"))
323 (subpath "/Library
/Fonts
")
324 (subpath "/Library
/Application Support
/Apple
/Fonts
")
325 (home-subpath "/Library
/Fonts
")
326 ; Allow read access to paths allowed via sandbox extensions.
327 ; This is needed for fonts in non-standard locations, normally
328 ; due to third-party font managers. The extensions are
329 ; automatically issued by the font server in response to font API calls.
331 (extension "com
.apple
.app
-sandbox
.read
"))
332 ; Fonts may continue to work without explicitly allowing these
333 ; services because, at present, connections are made to the services
334 ; before the sandbox is enabled as a side-effect of some API calls.
336 (global-name "com
.apple
.fonts
")
337 (global-name "com
.apple
.FontObjectsServer
"))
338 (if (<= macosMinorVersion 11)
339 (allow mach-lookup (global-name "com
.apple
.FontServer
")))
342 ; Workaround for sandbox extensions not being automatically
343 ; issued for fonts on 10.11 and earlier versions (bug 1460917).
344 (if (<= macosMinorVersion 11)
346 (regex #"\
.[oO
][tT
][fF
]$
" ; otf
347 #"\
.[tT
][tT
][fF
]$
" ; ttf
348 #"\
.[tT
][tT
][cC
]$
" ; ttc
349 #"\
.[oO
][tT
][cC
]$
" ; otc
350 #"\
.[dD
][fF
][oO
][nN
][tT
]$
") ; dfont
351 (home-subpath "/Library
/FontCollections
")
352 (home-subpath "/Library
/Application Support
/Adobe
/CoreSync
/plugins
/livetype
")
353 (home-subpath "/Library
/Application Support
/FontAgent
")
354 (home-subpath "/Library
/Extensis
/UTC
") ; bug 1469657
355 (subpath "/Library
/Extensis
/UTC
") ; bug 1469657
356 (regex #"\
.fontvault
/")
357 (home-subpath "/FontExplorer X
/Font Library
")))
360 // These are additional rules that are added to the content process rules for
361 // file content processes.
362 static const char SandboxPolicyContentFileAddend
[] = R
"SANDBOX_LITERAL(
363 ; This process has blanket file read privileges
366 ; File content processes need access to iconservices to draw file icons in directory listings.
368 (allow mach-lookup (global-name "com
.apple
.iconservices
"))
371 // These are additional rules that are added to the content process rules when
372 // audio remoting is not enabled. (Once audio remoting is always used, these rules can be removed.)
374 static const char SandboxPolicyContentAudioAddend
[] = R
"SANDBOX_LITERAL(
375 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
376 (ipc-posix-name-regex #"^AudioIO
"))
379 (global-name "com
.apple
.audio
.coreaudiod
")
380 (global-name "com
.apple
.audio
.audiohald
"))
382 (if (>= macosMinorVersion 13)
385 (global-name "com
.apple
.audio
.AudioComponentRegistrar
")))
387 (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient
"))
389 (allow file-read* (subpath "/Library
/Audio
/Plug
-Ins
"))
391 (allow device-microphone)
394 } // namespace mozilla
396 #endif // mozilla_SandboxPolicyContent_h