security/sandbox/mac/SandboxPolicies.h

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #ifndef mozilla_SandboxPolicies_h
   7 #define mozilla_SandboxPolicies_h
   8
   9 namespace mozilla {
  10
  11 static const char pluginSandboxRules[] = R"SANDBOX_LITERAL(
  12   (version 1)
  13
  14   (define should-log (param "SHOULD_LOG"))
  15   (define plugin-binary-path (param "PLUGIN_BINARY_PATH"))
  16   (define app-path (param "APP_PATH"))
  17   (define app-binary-path (param "APP_BINARY_PATH"))
  18
  19   (if (string=? should-log "TRUE")
  20       (deny default)
  21       (deny default (with no-log)))
  22
  23   (allow signal (target self))
  24   (allow sysctl-read)
  25   (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
  26   (allow file-read*
  27       (literal "/etc")
  28       (literal "/dev/random")
  29       (literal "/dev/urandom")
  30       (literal "/usr/share/icu/icudt51l.dat")
  31       (subpath "/System/Library/Displays/Overrides")
  32       (subpath "/System/Library/CoreServices/CoreTypes.bundle")
  33       (subpath "/System/Library/PrivateFrameworks")
  34       (regex #"^/usr/lib/libstdc\+\+\.[^/]*dylib$")
  35       (literal plugin-binary-path)
  36       (literal app-path)
  37       (literal app-binary-path))
  38 )SANDBOX_LITERAL";
  39
  40 static const char widevinePluginSandboxRulesAddend[] = R"SANDBOX_LITERAL(
  41   (allow mach-lookup (global-name "com.apple.windowserver.active"))
  42 )SANDBOX_LITERAL";
  43
  44 static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
  45   (version 1)
  46
  47   (define should-log (param "SHOULD_LOG"))
  48   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
  49   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
  50   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
  51   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
  52   (define appPath (param "APP_PATH"))
  53   (define appBinaryPath (param "APP_BINARY_PATH"))
  54   (define appdir-path (param "APP_DIR"))
  55   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
  56   (define profileDir (param "PROFILE_DIR"))
  57   (define home-path (param "HOME_PATH"))
  58   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
  59   (define testingReadPath1 (param "TESTING_READ_PATH1"))
  60   (define testingReadPath2 (param "TESTING_READ_PATH2"))
  61   (define testingReadPath3 (param "TESTING_READ_PATH3"))
  62   (define testingReadPath4 (param "TESTING_READ_PATH4"))
  63
  64   (if (string=? should-log "TRUE")
  65     (deny default)
  66     (deny default (with no-log)))
  67   (debug deny)
  68   ; These are not included in (deny default)
  69   (deny process-info*)
  70   ; This isn't available in some older macOS releases.
  71   (if (defined? 'nvram*)
  72     (deny nvram*))
  73   ; The next two properties both require macOS 10.10+
  74   (if (defined? 'iokit-get-properties)
  75     (deny iokit-get-properties))
  76   (if (defined? 'file-map-executable)
  77     (deny file-map-executable))
  78
  79   (if (defined? 'file-map-executable)
  80     (allow file-map-executable file-read*
  81       (subpath "/System")
  82       (subpath "/usr/lib")
  83       (subpath "/Library/GPUBundles")
  84       (subpath appdir-path))
  85     (allow file-read*
  86         (subpath "/System")
  87         (subpath "/usr/lib")
  88         (subpath "/Library/GPUBundles")
  89         (subpath appdir-path)))
  90
  91   ; Allow read access to standard system paths.
  92   (allow file-read*
  93     (require-all (file-mode #o0004)
  94       (require-any
  95         (subpath "/Library/Filesystems/NetFSPlugins")
  96         (subpath "/usr/share"))))
  97
  98   ; Top-level directory metadata access (bug 1404298)
  99   (allow file-read-metadata (regex #"^/[^/]+$"))
 100
 101   (allow file-read-metadata
 102     (literal "/private/etc/localtime")
 103     (regex #"^/private/tmp/KSInstallAction\."))
 104
 105   ; Allow read access to standard special files.
 106   (allow file-read*
 107     (literal "/dev/autofs_nowait")
 108     (literal "/dev/random")
 109     (literal "/dev/urandom"))
 110
 111   (allow file-read*
 112     file-write-data
 113     (literal "/dev/null")
 114     (literal "/dev/zero"))
 115
 116   (allow file-read*
 117     file-write-data
 118     file-ioctl
 119     (literal "/dev/dtracehelper"))
 120
 121   ; Needed for things like getpriority()/setpriority()
 122   (allow process-info-pidinfo process-info-setcontrol (target self))
 123
 124   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
 125   ; we need to allow all sysctl-reads there.
 126   (if (= macosMinorVersion 9)
 127     (allow sysctl-read)
 128     (allow sysctl-read
 129       (sysctl-name-regex #"^sysctl\.")
 130       (sysctl-name "kern.ostype")
 131       (sysctl-name "kern.osversion")
 132       (sysctl-name "kern.osrelease")
 133       (sysctl-name "kern.version")
 134       ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
 135       ; is arguably sensitive information, so we should see what can be done about
 136       ; removing it.
 137       (sysctl-name "kern.hostname")
 138       (sysctl-name "hw.machine")
 139       (sysctl-name "hw.model")
 140       (sysctl-name "hw.ncpu")
 141       (sysctl-name "hw.activecpu")
 142       (sysctl-name "hw.byteorder")
 143       (sysctl-name "hw.pagesize_compat")
 144       (sysctl-name "hw.logicalcpu_max")
 145       (sysctl-name "hw.physicalcpu_max")
 146       (sysctl-name "hw.busfrequency_compat")
 147       (sysctl-name "hw.busfrequency_max")
 148       (sysctl-name "hw.cpufrequency")
 149       (sysctl-name "hw.cpufrequency_compat")
 150       (sysctl-name "hw.cpufrequency_max")
 151       (sysctl-name "hw.l2cachesize")
 152       (sysctl-name "hw.l3cachesize")
 153       (sysctl-name "hw.cachelinesize")
 154       (sysctl-name "hw.cachelinesize_compat")
 155       (sysctl-name "hw.tbfrequency_compat")
 156       (sysctl-name "hw.vectorunit")
 157       (sysctl-name "hw.optional.sse2")
 158       (sysctl-name "hw.optional.sse3")
 159       (sysctl-name "hw.optional.sse4_1")
 160       (sysctl-name "hw.optional.sse4_2")
 161       (sysctl-name "hw.optional.avx1_0")
 162       (sysctl-name "hw.optional.avx2_0")
 163       (sysctl-name "machdep.cpu.vendor")
 164       (sysctl-name "machdep.cpu.family")
 165       (sysctl-name "machdep.cpu.model")
 166       (sysctl-name "machdep.cpu.stepping")
 167       (sysctl-name "debug.intel.gstLevelGST")
 168       (sysctl-name "debug.intel.gstLoaderControl")))
 169
 170   (define (home-regex home-relative-regex)
 171     (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
 172   (define (home-subpath home-relative-subpath)
 173     (subpath (string-append home-path home-relative-subpath)))
 174   (define (home-literal home-relative-literal)
 175     (literal (string-append home-path home-relative-literal)))
 176
 177   (define (profile-subpath profile-relative-subpath)
 178     (subpath (string-append profileDir profile-relative-subpath)))
 179
 180   (define (allow-shared-list domain)
 181     (allow file-read*
 182            (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
 183
 184   (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
 185     (ipc-posix-name-regex #"^CFPBS:"))
 186
 187   (allow signal (target self))
 188
 189   (if (>= macosMinorVersion 13)
 190     (allow mach-lookup
 191       ; bug 1392988
 192       (xpc-service-name "com.apple.coremedia.videodecoder")
 193       (xpc-service-name "com.apple.coremedia.videoencoder")))
 194
 195 ; bug 1312273
 196   (if (= macosMinorVersion 9)
 197      (allow mach-lookup (global-name "com.apple.xpcd")))
 198
 199   (allow iokit-open
 200      (iokit-user-client-class "IOHIDParamUserClient"))
 201
 202   ; Only supported on macOS 10.10+
 203   (if (defined? 'iokit-get-properties)
 204     (allow iokit-get-properties
 205       (iokit-property "board-id")
 206       (iokit-property "IODVDBundleName")
 207       (iokit-property "IOGLBundleName")
 208       (iokit-property "IOGVACodec")
 209       (iokit-property "IOGVAHEVCDecode")
 210       (iokit-property "IOGVAHEVCEncode")
 211       (iokit-property "IOPCITunnelled")
 212       (iokit-property "IOVARendererID")
 213       (iokit-property "MetalPluginName")
 214       (iokit-property "MetalPluginClassName")))
 215
 216 ; depending on systems, the 1st, 2nd or both rules are necessary
 217   (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
 218   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
 219
 220   (allow user-preference-read (preference-domain "com.apple.ATS"))
 221   (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
 222
 223   (allow file-read*
 224       (subpath "/Library/Spelling")
 225       (literal "/")
 226       (literal "/private/tmp")
 227       (literal "/private/var/tmp")
 228       (home-literal "/.CFUserTextEncoding")
 229       (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
 230       (home-subpath "/Library/Colors")
 231       (home-subpath "/Library/Keyboard Layouts")
 232       (home-subpath "/Library/Input Methods")
 233       (home-subpath "/Library/Spelling")
 234       (literal appPath)
 235       (literal appBinaryPath))
 236
 237   (if (defined? 'file-map-executable)
 238     (begin
 239       (when testingReadPath1
 240         (allow file-read* file-map-executable (subpath testingReadPath1)))
 241       (when testingReadPath2
 242         (allow file-read* file-map-executable (subpath testingReadPath2)))
 243       (when testingReadPath3
 244         (allow file-read* file-map-executable (subpath testingReadPath3)))
 245       (when testingReadPath4
 246         (allow file-read* file-map-executable (subpath testingReadPath4))))
 247     (begin
 248       (when testingReadPath1
 249         (allow file-read* (subpath testingReadPath1)))
 250       (when testingReadPath2
 251         (allow file-read* (subpath testingReadPath2)))
 252       (when testingReadPath3
 253         (allow file-read* (subpath testingReadPath3)))
 254       (when testingReadPath4
 255         (allow file-read* (subpath testingReadPath4)))))
 256
 257   (allow file-read-metadata (home-subpath "/Library"))
 258
 259   (allow file-read-metadata
 260     (literal "/private/var")
 261     (subpath "/private/var/folders"))
 262
 263   ; bug 1303987
 264   (if (string? debugWriteDir)
 265     (begin
 266       (allow file-write-data (subpath debugWriteDir))
 267       (allow file-write-create
 268         (require-all
 269           (subpath debugWriteDir)
 270           (vnode-type REGULAR-FILE)))))
 271
 272   (allow-shared-list "org.mozilla.plugincontainer")
 273
 274 ; Per-user and system-wide Extensions dir
 275   (allow file-read*
 276       (home-regex "/Library/Application Support/[^/]+/Extensions/")
 277       (regex "^/Library/Application Support/[^/]+/Extensions/"))
 278
 279 ; bug 1393805
 280   (allow file-read*
 281       (home-subpath "/Library/Application Support/Mozilla/SystemExtensionsDev"))
 282
 283 ; The following rules impose file access restrictions which get
 284 ; more restrictive in higher levels. When file-origin-specific
 285 ; content processes are used for file:// origin browsing, the
 286 ; global file-read* permission should be removed from each level.
 287
 288 ; level 1: global read access permitted, no global write access
 289   (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
 290
 291 ; level 2: global read access permitted, no global write access,
 292 ;          no read/write access to ~/Library,
 293 ;          no read/write access to $PROFILE,
 294 ;          read access permitted to $PROFILE/{extensions,chrome}
 295   (if (string=? sandbox-level-2 "TRUE")
 296     (begin
 297       ; bug 1201935
 298       (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
 299       (if (string=? hasProfileDir "TRUE")
 300         ; we have a profile dir
 301         (allow file-read* (require-all
 302           (require-not (home-subpath "/Library"))
 303           (require-not (subpath profileDir))))
 304         ; we don't have a profile dir
 305         (allow file-read* (require-not (home-subpath "/Library"))))))
 306
 307   ; level 3: Does not have any of it's own rules. The global rules provide:
 308   ;          no global read/write access,
 309   ;          read access permitted to $PROFILE/{extensions,chrome}
 310
 311   (if (string=? hasProfileDir "TRUE")
 312     ; we have a profile dir
 313     (allow file-read*
 314       (profile-subpath "/extensions")
 315       (profile-subpath "/chrome")))
 316
 317 ; accelerated graphics
 318   (allow user-preference-read (preference-domain "com.apple.opengl"))
 319   (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
 320   (allow mach-lookup
 321       (global-name "com.apple.cvmsServ"))
 322   (allow iokit-open
 323       (iokit-connection "IOAccelerator")
 324       (iokit-user-client-class "IOAccelerationUserClient")
 325       (iokit-user-client-class "IOSurfaceRootUserClient")
 326       (iokit-user-client-class "IOSurfaceSendRight")
 327       (iokit-user-client-class "IOFramebufferSharedUserClient")
 328       (iokit-user-client-class "AGPMClient")
 329       (iokit-user-client-class "AppleGraphicsControlClient"))
 330
 331 ; bug 1153809
 332   (allow iokit-open
 333       (iokit-user-client-class "NVDVDContextTesla")
 334       (iokit-user-client-class "Gen6DVDContext"))
 335
 336   ; Fonts
 337   (allow file-read*
 338     (subpath "/Library/Fonts")
 339     (subpath "/Library/Application Support/Apple/Fonts")
 340     (home-subpath "/Library/Fonts")
 341     ; Allow read access to paths allowed via sandbox extensions.
 342     ; This is needed for fonts in non-standard locations normally
 343     ; due to third party font managers. The extensions are
 344     ; automatically issued by the font server in response to font
 345     ; API calls.
 346     (extension "com.apple.app-sandbox.read"))
 347   ; Fonts may continue to work without explicitly allowing these
 348   ; services because, at present, connections are made to the services
 349   ; before the sandbox is enabled as a side-effect of some API calls.
 350   (allow mach-lookup
 351     (global-name "com.apple.fonts")
 352     (global-name "com.apple.FontObjectsServer"))
 353   (if (<= macosMinorVersion 11)
 354     (allow mach-lookup (global-name "com.apple.FontServer")))
 355
 356   ; Fonts
 357   ; Workaround for sandbox extensions not being automatically
 358   ; issued for fonts on 10.11 and earlier versions (bug 1460917).
 359   (if (<= macosMinorVersion 11)
 360     (allow file-read*
 361       (regex #"\.[oO][tT][fF]$"          ; otf
 362              #"\.[tT][tT][fF]$"          ; ttf
 363              #"\.[tT][tT][cC]$"          ; ttc
 364              #"\.[oO][tT][cC]$"          ; otc
 365              #"\.[dD][fF][oO][nN][tT]$") ; dfont
 366       (home-subpath "/Library/FontCollections")
 367       (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
 368       (home-subpath "/Library/Application Support/FontAgent")
 369       (home-subpath "/Library/Extensis/UTC") ; bug 1469657
 370       (subpath "/Library/Extensis/UTC")      ; bug 1469657
 371       (regex #"\.fontvault/")
 372       (home-subpath "/FontExplorer X/Font Library")))
 373 )SANDBOX_LITERAL";
 374
 375 // These are additional rules that are added to the content process rules for
 376 // file content processes.
 377 static const char fileContentProcessAddend[] = R"SANDBOX_LITERAL(
 378   ; This process has blanket file read privileges
 379   (allow file-read*)
 380
 381   ; File content processes need access to iconservices to draw file icons in
 382   ; directory listings
 383   (allow mach-lookup (global-name "com.apple.iconservices"))
 384 )SANDBOX_LITERAL";
 385
 386 // These are additional rules that are added to the content process rules when
 387 // audio remoting is not enabled. (Once audio remoting is always used these
 388 // will be deleted.)
 389 static const char contentProcessAudioAddend[] = R"SANDBOX_LITERAL(
 390   (allow ipc-posix-shm-read* ipc-posix-shm-write-data
 391     (ipc-posix-name-regex #"^AudioIO"))
 392
 393   (allow mach-lookup
 394     (global-name "com.apple.audio.coreaudiod")
 395     (global-name "com.apple.audio.audiohald"))
 396
 397   (if (>= macosMinorVersion 13)
 398     (allow mach-lookup
 399     ; bug 1376163
 400     (global-name "com.apple.audio.AudioComponentRegistrar")))
 401
 402   (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))
 403
 404   (allow file-read* (subpath "/Library/Audio/Plug-Ins"))
 405
 406   (allow device-microphone)
 407 )SANDBOX_LITERAL";
 408
 409 // The "Safe Mode" Flash NPAPI plugin process profile
 410 static const char flashPluginSandboxRules[] = R"SANDBOX_LITERAL(
 411   (version 1)
 412
 413   ; Parameters
 414   (define shouldLog (param "SHOULD_LOG"))
 415   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
 416   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
 417   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
 418   (define homeDir (param "HOME_PATH"))
 419   (define tempDir (param "DARWIN_USER_TEMP_DIR"))
 420   (define cacheDir (param "DARWIN_USER_CACHE_DIR"))
 421   (define pluginPath (param "PLUGIN_BINARY_PATH"))
 422
 423   (if (string=? shouldLog "TRUE")
 424       (deny default)
 425       (deny default (with no-log)))
 426   (debug deny)
 427   (allow system-audit file-read-metadata)
 428   ; These are not included in (deny default)
 429   (deny process-info*)
 430   ; This isn't available in some older macOS releases.
 431   (if (defined? 'nvram*)
 432     (deny nvram*))
 433
 434   ; Allow read access to standard system paths.
 435   (allow file-read*
 436     (require-all (file-mode #o0004)
 437       (require-any
 438         (subpath "/System")
 439         (subpath "/usr/lib")
 440         (subpath "/Library/Filesystems/NetFSPlugins")
 441         (subpath "/Library/GPUBundles")
 442         (subpath "/usr/share"))))
 443   (allow file-read-metadata
 444          (literal "/etc")
 445          (literal "/tmp")
 446          (literal "/var")
 447          (literal "/private/etc/localtime"))
 448   (allow file-read*
 449          (literal "/dev/autofs_nowait")
 450          (literal "/dev/random")
 451          (literal "/dev/urandom"))
 452   (allow file-read*
 453          file-write-data
 454          (literal "/dev/null")
 455          (literal "/dev/zero"))
 456   (allow file-read*
 457          file-write-data
 458          file-ioctl
 459          (literal "/dev/dtracehelper"))
 460
 461   ; Graphics
 462   (allow user-preference-read
 463          (preference-domain "com.apple.opengl")
 464          (preference-domain "com.nvidia.OpenGL"))
 465   (allow mach-lookup
 466          (global-name "com.apple.cvmsServ"))
 467   (allow iokit-open
 468          (iokit-connection "IOAccelerator")
 469          (iokit-user-client-class "IOAccelerationUserClient")
 470          (iokit-user-client-class "IOSurfaceRootUserClient")
 471          (iokit-user-client-class "IOSurfaceSendRight"))
 472   (allow iokit-open
 473          (iokit-user-client-class "AppleIntelMEUserClient")
 474          (iokit-user-client-class "AppleSNBFBUserClient"))
 475   (allow iokit-open
 476          (iokit-user-client-class "AGPMClient")
 477          (iokit-user-client-class "AppleGraphicsControlClient")
 478          (iokit-user-client-class "AppleGraphicsPolicyClient"))
 479   ; Camera access
 480   (allow iokit-open
 481          (iokit-user-client-class "IOUSBDeviceUserClientV2")
 482          (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
 483
 484   ; Network
 485   (allow file-read*
 486          (literal "/Library/Preferences/com.apple.networkd.plist"))
 487   (allow mach-lookup
 488          (global-name "com.apple.SystemConfiguration.PPPController")
 489          (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
 490          (global-name "com.apple.nehelper")
 491          (global-name "com.apple.networkd")
 492          (global-name "com.apple.nsurlstorage-cache")
 493          (global-name "com.apple.symptomsd")
 494          (global-name "com.apple.usymptomsd"))
 495   (allow network-outbound
 496          (control-name "com.apple.netsrc")
 497          (control-name "com.apple.network.statistics"))
 498   (allow system-socket
 499          (require-all (socket-domain AF_SYSTEM)
 500                       (socket-protocol 2)) ; SYSPROTO_CONTROL
 501          (socket-domain AF_ROUTE))
 502   (allow network-outbound
 503       (literal "/private/var/run/mDNSResponder")
 504       (literal "/private/var/run/asl_input")
 505       (literal "/private/var/run/syslog")
 506       (remote tcp)
 507       (remote udp))
 508   (allow network-inbound
 509       (local udp))
 510
 511   (allow process-info-pidinfo)
 512   (allow process-info-setcontrol (target self))
 513
 514   ; macOS 10.9 does not support the |sysctl-name| predicate
 515   (if (= macosMinorVersion 9)
 516       (allow sysctl-read)
 517       (allow sysctl-read
 518         (sysctl-name
 519           "hw.activecpu"
 520           "hw.availcpu"
 521           "hw.busfrequency_max"
 522           "hw.cpu64bit_capable"
 523           "hw.cputype"
 524           "hw.physicalcpu_max"
 525           "hw.logicalcpu_max"
 526           "hw.machine"
 527           "hw.model"
 528           "hw.ncpu"
 529           "hw.optional.avx1_0"
 530           "hw.optional.avx2_0"
 531           "hw.optional.sse2"
 532           "hw.optional.sse3"
 533           "hw.optional.sse4_1"
 534           "hw.optional.sse4_2"
 535           "hw.optional.x86_64"
 536           "kern.hostname"
 537           "kern.maxfilesperproc"
 538           "kern.memorystatus_level"
 539           "kern.osrelease"
 540           "kern.ostype"
 541           "kern.osvariant_status"
 542           "kern.osversion"
 543           "kern.safeboot"
 544           "kern.version"
 545           "vm.footprint_suspend")))
 546
 547   ; Utilities for allowing access to home subdirectories
 548   (define home-library-path
 549     (string-append homeDir "/Library"))
 550
 551   (define (home-subpath home-relative-subpath)
 552     (subpath (string-append homeDir home-relative-subpath)))
 553
 554   (define home-library-prefs-path
 555     (string-append homeDir "/Library" "/Preferences"))
 556
 557   (define (home-literal home-relative-literal)
 558     (literal (string-append homeDir home-relative-literal)))
 559
 560   (define (home-library-regex home-library-relative-regex)
 561     (regex (string-append "^" (regex-quote home-library-path))
 562            home-library-relative-regex))
 563
 564   (define (home-library-subpath home-library-relative-subpath)
 565       (subpath (string-append home-library-path home-library-relative-subpath)))
 566
 567   (define (home-library-literal home-library-relative-literal)
 568       (literal (string-append home-library-path home-library-relative-literal)))
 569
 570   (define (home-library-preferences-literal
 571            home-library-preferences-relative-literal)
 572       (literal (string-append home-library-prefs-path
 573                 home-library-preferences-relative-literal)))
 574
 575   ; Utility for allowing access to a temp dir subdirectory
 576   (define (tempDir-regex tempDir-relative-regex)
 577     (regex (string-append "^" (regex-quote tempDir)) tempDir-relative-regex))
 578
 579   ; Utility for allowing access to specific files within the cache dir
 580   (define (cache-literal cache-relative-literal)
 581     (literal (string-append cacheDir cache-relative-literal)))
 582
 583   ; Read-only paths
 584   (allow file-read*
 585       (literal "/")
 586       (literal "/private/etc/services")
 587       (literal "/private/etc/resolv.conf")
 588       (literal "/private/var/run/resolv.conf")
 589       (subpath "/Library/Frameworks")
 590       (subpath "/Library/Managed Preferences")
 591       (home-literal "/.CFUserTextEncoding")
 592       (home-library-subpath "/Audio")
 593       (home-library-subpath "/ColorPickers")
 594       (home-library-subpath "/ColorSync")
 595       (subpath "/Library/Components")
 596       (home-library-subpath "/Components")
 597       (subpath "/Library/Contextual Menu Items")
 598       (subpath "/Library/Input Methods")
 599       (home-library-subpath "/Input Methods")
 600       (subpath "/Library/InputManagers")
 601       (home-library-subpath "/InputManagers")
 602       (home-library-subpath "/KeyBindings")
 603       (subpath "/Library/Keyboard Layouts")
 604       (home-library-subpath "/Keyboard Layouts")
 605       (subpath "/Library/Spelling")
 606       (home-library-subpath "/Spelling")
 607       (home-library-literal "/Caches/com.apple.coreaudio.components.plist")
 608       (subpath "/Library/Audio/Sounds")
 609       (subpath "/Library/Audio/Plug-Ins/Components")
 610       (home-library-subpath "/Audio/Plug-Ins/Components")
 611       (subpath "/Library/Audio/Plug-Ins/HAL")
 612       (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
 613       (subpath "/Library/QuickTime")
 614       (home-library-subpath "/QuickTime")
 615       (subpath "/Library/Video/Plug-Ins")
 616       (home-library-subpath "/Caches/QuickTime")
 617       (subpath "/Library/ColorSync")
 618       (home-literal "/Library/Preferences/com.apple.lookup.shared.plist"))
 619
 620   (allow iokit-open
 621       (iokit-user-client-class "IOAudioControlUserClient")
 622       (iokit-user-client-class "IOAudioEngineUserClient")
 623       (iokit-user-client-class "IOHIDParamUserClient")
 624       (iokit-user-client-class "RootDomainUserClient"))
 625
 626   ; Services
 627   (allow mach-lookup
 628       (global-name "com.apple.audio.AudioComponentRegistrar")
 629       (global-name "com.apple.DiskArbitration.diskarbitrationd")
 630       (global-name "com.apple.ImageCaptureExtension2.presence")
 631       (global-name "com.apple.PowerManagement.control")
 632       (global-name "com.apple.SecurityServer")
 633       (global-name "com.apple.SystemConfiguration.PPPController")
 634       (global-name "com.apple.SystemConfiguration.configd")
 635       (global-name "com.apple.UNCUserNotification")
 636       (global-name "com.apple.audio.audiohald")
 637       (global-name "com.apple.audio.coreaudiod")
 638       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
 639       (global-name "com.apple.lsd.mapdb")
 640       (global-name "com.apple.pasteboard.1") ; Allows paste into input field
 641       (global-name "com.apple.dock.server")
 642       (global-name "com.apple.dock.fullscreen")
 643       (global-name "com.apple.coreservices.appleevents")
 644       (global-name "com.apple.coreservices.launchservicesd")
 645       (global-name "com.apple.window_proxies")
 646       (local-name "com.apple.tsm.portname")
 647       (global-name "com.apple.axserver")
 648       (global-name "com.apple.pbs.fetch_services")
 649       (global-name "com.apple.tsm.uiserver")
 650       (global-name "com.apple.inputmethodkit.launchagent")
 651       (global-name "com.apple.inputmethodkit.launcher")
 652       (global-name "com.apple.inputmethodkit.getxpcendpoint")
 653       (global-name "com.apple.decalog4.incoming")
 654       (global-name "com.apple.windowserver.active")
 655       (global-name "com.apple.trustd.agent")
 656       (global-name "com.apple.ocspd"))
 657   ; Required for camera access
 658   (allow mach-lookup
 659       (global-name "com.apple.tccd")
 660       (global-name "com.apple.tccd.system")
 661       (global-name "com.apple.cmio.AppleCameraAssistant")
 662       (global-name "com.apple.cmio.IIDCVideoAssistant")
 663       (global-name "com.apple.cmio.AVCAssistant")
 664       (global-name "com.apple.cmio.VDCAssistant"))
 665   ; bug 1475707
 666   (if (= macosMinorVersion 9)
 667      (allow mach-lookup (global-name "com.apple.xpcd")))
 668
 669   ; Fonts
 670   (allow file-read*
 671     (subpath "/Library/Fonts")
 672     (subpath "/Library/Application Support/Apple/Fonts")
 673     (home-library-subpath "/Fonts")
 674     ; Allow read access to paths allowed via sandbox extensions.
 675     ; This is needed for fonts in non-standard locations normally
 676     ; due to third party font managers. The extensions are
 677     ; automatically issued by the font server in response to font
 678     ; API calls.
 679     (extension "com.apple.app-sandbox.read"))
 680   ; Fonts may continue to work without explicitly allowing these
 681   ; services because, at present, connections are made to the services
 682   ; before the sandbox is enabled as a side-effect of some API calls.
 683   (allow mach-lookup
 684     (global-name "com.apple.fonts")
 685     (global-name "com.apple.FontObjectsServer"))
 686   (if (<= macosMinorVersion 11)
 687     (allow mach-lookup (global-name "com.apple.FontServer")))
 688
 689   ; Fonts
 690   ; Workaround for sandbox extensions not being automatically
 691   ; issued for fonts on 10.11 and earlier versions (bug 1460917).
 692   (if (<= macosMinorVersion 11)
 693     (allow file-read*
 694       (regex #"\.[oO][tT][fF]$"          ; otf
 695              #"\.[tT][tT][fF]$"          ; ttf
 696              #"\.[tT][tT][cC]$"          ; ttc
 697              #"\.[oO][tT][cC]$"          ; otc
 698              #"\.[dD][fF][oO][nN][tT]$") ; dfont
 699       (home-subpath "/Library/FontCollections")
 700       (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
 701       (home-subpath "/Library/Application Support/FontAgent")
 702       (home-subpath "/Library/Extensis/UTC") ; bug 1469657
 703       (subpath "/Library/Extensis/UTC")      ; bug 1469657
 704       (regex #"\.fontvault/")
 705       (home-subpath "/FontExplorer X/Font Library")))
 706
 707   ; level 1: global read access permitted, no global write access
 708   (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
 709
 710   ; level 2: read access via file dialog exceptions, no global write access
 711   (if (or (string=? sandbox-level-2 "TRUE")
 712           (string=? sandbox-level-1 "TRUE")) (begin
 713     ; Open file dialogs
 714     (allow mach-lookup
 715         ; needed for the dialog sidebar
 716         (global-name "com.apple.coreservices.sharedfilelistd.xpc")
 717         ; bird(8) -- "Documents in the Cloud"
 718         ; needed to avoid iCloud error dialogs and to display iCloud files
 719         (global-name "com.apple.bird")
 720         (global-name "com.apple.bird.token")
 721         ; needed for icons in the file dialog
 722         (global-name "com.apple.iconservices"))
 723     ; Needed for read access to files selected by the user with the
 724     ; file dialog. The extensions are granted when the dialog is
 725     ; displayed. Unfortunately (testing revealed) that displaying
 726     ; the file dialog grants access to all files within the directory
 727     ; displayed by the file dialog--a small improvement compared
 728     ; to global read access.
 729     (allow file-read*
 730         (extension "com.apple.app-sandbox.read-write"))))
 731
 732   (allow ipc-posix-shm*
 733       (ipc-posix-name-regex #"^AudioIO")
 734       (ipc-posix-name-regex #"^CFPBS:"))
 735
 736   (allow ipc-posix-shm-read*
 737       (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
 738       (ipc-posix-name "FNetwork.defaultStorageSession")
 739       (ipc-posix-name "apple.shm.notification_center"))
 740
 741   ; Printing
 742   (allow network-outbound (literal "/private/var/run/cupsd"))
 743   (allow mach-lookup
 744       (global-name "com.apple.printuitool.agent")
 745       (global-name "com.apple.printtool.agent")
 746       (global-name "com.apple.printtool.daemon"))
 747   (allow file-read*
 748       (subpath "/Library/Printers")
 749       (home-literal "/.cups/lpoptions")
 750       (home-literal "/.cups/client.conf")
 751       (literal "/private/etc/cups/client.conf")
 752       (literal "/private/etc/cups/lpoptions")
 753       (subpath "/private/etc/cups/ppd")
 754       (literal "/private/var/run/cupsd"))
 755   (allow user-preference-read
 756       (preference-domain "org.cups.PrintingPrefs"))
 757   ; Temporary files read/written here during printing
 758   (allow file-read* file-write-create file-write-data
 759       (tempDir-regex "/FlashTmp"))
 760
 761   ; Camera/Mic
 762   (allow device-camera)
 763   (allow device-microphone)
 764
 765   ; Path to the plugin binary, user cache dir, and user temp dir
 766   (allow file-read* (subpath pluginPath))
 767
 768   ; Per Adobe, needed for Flash LocalConnection functionality
 769   (allow ipc-posix-sem
 770       (ipc-posix-name "MacromediaSemaphoreDig"))
 771
 772   ; Flash debugger and enterprise deployment config files
 773   (allow file-read*
 774       (home-literal "/mm.cfg")
 775       (home-literal "/mms.cfg"))
 776
 777   (allow file-read* file-write-create file-write-mode file-write-owner
 778       (home-library-literal "/Caches/Adobe")
 779       (home-library-preferences-literal "/Macromedia"))
 780
 781   (allow file-read* file-write-create file-write-data
 782       (literal "/Library/Application Support/Macromedia/mms.cfg")
 783       (home-library-literal "/Application Support/Macromedia/mms.cfg")
 784       (home-library-subpath "/Caches/Adobe/Flash Player")
 785       (home-library-subpath "/Preferences/Macromedia/Flash Player"))
 786
 787   (allow file-read*
 788       (literal "/Library/PreferencePanes/Flash Player.prefPane")
 789       (home-library-literal "/PreferencePanes/Flash Player.prefPane")
 790       (home-library-regex "/Application Support/Macromedia/ss\.(cfg|cfn|sgn)$"))
 791
 792   (allow file-read*
 793       (literal "/Library/Preferences/com.apple.security.plist")
 794       (subpath "/private/var/db/mds"))
 795   ; Tests revealed file-write-{data,create,flags} required for some encrypted
 796   ; video playback. Allowing file-write* to match system profiles.
 797   (allow file-read* file-write*
 798       (require-all
 799           (vnode-type REGULAR-FILE)
 800           (require-any
 801               (cache-literal "/mds/mds.lock")
 802               (cache-literal "/mds/mdsDirectory.db")
 803               (cache-literal "/mds/mdsDirectory.db_")
 804               (cache-literal "/mds/mdsObject.db")
 805               (cache-literal "/mds/mdsObject.db_"))))
 806
 807   (allow network-bind (local ip))
 808
 809   (deny file-write-create (vnode-type SYMLINK))
 810 )SANDBOX_LITERAL";
 811
 812 }
 813
 814 #endif // mozilla_SandboxPolicies_h