security/sandbox/mac/SandboxPolicies.h

   1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #ifndef mozilla_SandboxPolicies_h
   7 #define mozilla_SandboxPolicies_h
   8
   9 namespace mozilla {
  10
  11 static const char pluginSandboxRules[] = R"(
  12   (version 1)
  13
  14   (define should-log (param "SHOULD_LOG"))
  15   (define plugin-binary-path (param "PLUGIN_BINARY_PATH"))
  16   (define app-path (param "APP_PATH"))
  17   (define app-binary-path (param "APP_BINARY_PATH"))
  18
  19   (if (string=? should-log "TRUE")
  20       (deny default)
  21       (deny default (with no-log)))
  22
  23   (allow signal (target self))
  24   (allow sysctl-read)
  25   (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
  26   (allow file-read*
  27       (literal "/etc")
  28       (literal "/dev/random")
  29       (literal "/dev/urandom")
  30       (literal "/usr/share/icu/icudt51l.dat")
  31       (subpath "/System/Library/Displays/Overrides")
  32       (subpath "/System/Library/CoreServices/CoreTypes.bundle")
  33       (subpath "/System/Library/PrivateFrameworks")
  34       (regex #"^/usr/lib/libstdc\+\+\.[^/]*dylib$")
  35       (literal plugin-binary-path)
  36       (literal app-path)
  37       (literal app-binary-path))
  38 )";
  39
  40 static const char widevinePluginSandboxRulesAddend[] = R"(
  41   (allow mach-lookup (global-name "com.apple.windowserver.active"))
  42 )";
  43
  44 static const char contentSandboxRules[] = R"(
  45   (version 1)
  46
  47   (define should-log (param "SHOULD_LOG"))
  48   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
  49   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
  50   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
  51   (define macosMinorVersion (string->number (param "MAC_OS_MINOR")))
  52   (define appPath (param "APP_PATH"))
  53   (define appBinaryPath (param "APP_BINARY_PATH"))
  54   (define appdir-path (param "APP_DIR"))
  55   (define appTempDir (param "APP_TEMP_DIR"))
  56   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
  57   (define profileDir (param "PROFILE_DIR"))
  58   (define home-path (param "HOME_PATH"))
  59   (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
  60   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
  61   (define testingReadPath1 (param "TESTING_READ_PATH1"))
  62   (define testingReadPath2 (param "TESTING_READ_PATH2"))
  63   (define testingReadPath3 (param "TESTING_READ_PATH3"))
  64   (define testingReadPath4 (param "TESTING_READ_PATH4"))
  65
  66   (if (string=? should-log "TRUE")
  67     (deny default)
  68     (deny default (with no-log)))
  69   (debug deny)
  70
  71   ; Allow read access to standard system paths.
  72   (allow file-read*
  73     (require-all (file-mode #o0004)
  74       (require-any (subpath "/Library/Filesystems/NetFSPlugins")
  75         (subpath "/System")
  76         (subpath "/usr/lib")
  77         (subpath "/usr/share"))))
  78
  79   (allow file-read-metadata
  80     (literal "/etc")
  81     (literal "/tmp")
  82     (literal "/var")
  83     (literal "/private/etc/localtime")
  84     (literal "/home")
  85     (literal "/net")
  86     (regex "^/private/tmp/KSInstallAction\."))
  87
  88   ; Allow read access to standard special files.
  89   (allow file-read*
  90     (literal "/dev/autofs_nowait")
  91     (literal "/dev/random")
  92     (literal "/dev/urandom"))
  93
  94   (allow file-read*
  95     file-write-data
  96     (literal "/dev/null")
  97     (literal "/dev/zero"))
  98
  99   (allow file-read*
 100     file-write-data
 101     file-ioctl
 102     (literal "/dev/dtracehelper"))
 103
 104   ; macOS 10.9 does not support the |sysctl-name| predicate, so unfortunately
 105   ; we need to allow all sysctl-reads there.
 106   (if (= macosMinorVersion 9)
 107     (allow sysctl-read)
 108     (allow sysctl-read
 109       (sysctl-name-regex #"^sysctl\.")
 110       (sysctl-name "kern.ostype")
 111       (sysctl-name "kern.osversion")
 112       (sysctl-name "kern.osrelease")
 113       (sysctl-name "kern.version")
 114       ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
 115       ; is arguably sensitive information, so we should see what can be done about
 116       ; removing it.
 117       (sysctl-name "kern.hostname")
 118       (sysctl-name "hw.machine")
 119       (sysctl-name "hw.model")
 120       (sysctl-name "hw.ncpu")
 121       (sysctl-name "hw.activecpu")
 122       (sysctl-name "hw.byteorder")
 123       (sysctl-name "hw.pagesize_compat")
 124       (sysctl-name "hw.logicalcpu_max")
 125       (sysctl-name "hw.physicalcpu_max")
 126       (sysctl-name "hw.busfrequency_compat")
 127       (sysctl-name "hw.busfrequency_max")
 128       (sysctl-name "hw.cpufrequency")
 129       (sysctl-name "hw.cpufrequency_compat")
 130       (sysctl-name "hw.cpufrequency_max")
 131       (sysctl-name "hw.l2cachesize")
 132       (sysctl-name "hw.l3cachesize")
 133       (sysctl-name "hw.cachelinesize_compat")
 134       (sysctl-name "hw.tbfrequency_compat")
 135       (sysctl-name "hw.vectorunit")
 136       (sysctl-name "hw.optional.sse2")
 137       (sysctl-name "hw.optional.sse3")
 138       (sysctl-name "hw.optional.sse4_1")
 139       (sysctl-name "hw.optional.sse4_2")
 140       (sysctl-name "hw.optional.avx1_0")
 141       (sysctl-name "hw.optional.avx2_0")
 142       (sysctl-name "machdep.cpu.vendor")
 143       (sysctl-name "machdep.cpu.family")
 144       (sysctl-name "machdep.cpu.model")
 145       (sysctl-name "machdep.cpu.stepping")
 146       (sysctl-name "debug.intel.gstLevelGST")
 147       (sysctl-name "debug.intel.gstLoaderControl")))
 148
 149   (define (home-regex home-relative-regex)
 150     (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
 151   (define (home-subpath home-relative-subpath)
 152     (subpath (string-append home-path home-relative-subpath)))
 153   (define (home-literal home-relative-literal)
 154     (literal (string-append home-path home-relative-literal)))
 155
 156   (define (profile-subpath profile-relative-subpath)
 157     (subpath (string-append profileDir profile-relative-subpath)))
 158
 159   (define (allow-shared-preferences-read domain)
 160         (begin
 161           (if (defined? `user-preference-read)
 162             (allow user-preference-read (preference-domain domain)))
 163           (allow file-read*
 164                  (home-literal (string-append "/Library/Preferences/" domain ".plist"))
 165                  (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$")))
 166           ))
 167
 168   (define (allow-shared-list domain)
 169     (allow file-read*
 170            (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
 171
 172   (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
 173     (ipc-posix-name-regex "^CFPBS:"))
 174   (allow ipc-posix-shm-read* ipc-posix-shm-write-data
 175     (ipc-posix-name-regex "^AudioIO"))
 176
 177   (allow signal (target self))
 178
 179   (allow mach-lookup
 180       (global-name "com.apple.audio.coreaudiod")
 181       (global-name "com.apple.audio.audiohald"))
 182
 183   (if (>= macosMinorVersion 13)
 184     (allow mach-lookup
 185       ; bug 1376163
 186       (global-name "com.apple.audio.AudioComponentRegistrar")
 187       ; bug 1392988
 188       (xpc-service-name "com.apple.coremedia.videodecoder")
 189       (xpc-service-name "com.apple.coremedia.videoencoder")))
 190
 191 ; bug 1312273
 192   (if (= macosMinorVersion 9)
 193      (allow mach-lookup (global-name "com.apple.xpcd")))
 194
 195   (allow iokit-open
 196      (iokit-user-client-class "IOHIDParamUserClient")
 197      (iokit-user-client-class "IOAudioEngineUserClient"))
 198
 199 ; depending on systems, the 1st, 2nd or both rules are necessary
 200   (allow-shared-preferences-read "com.apple.HIToolbox")
 201   (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
 202
 203   (allow-shared-preferences-read "com.apple.ATS")
 204   (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
 205
 206   (allow file-read*
 207       (subpath "/Library/Fonts")
 208       (subpath "/Library/Audio/Plug-Ins")
 209       (subpath "/Library/Spelling")
 210       (literal "/")
 211       (literal "/private/tmp")
 212       (literal "/private/var/tmp")
 213
 214       (home-literal "/.CFUserTextEncoding")
 215       (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
 216       (home-subpath "/Library/Colors")
 217       (home-subpath "/Library/Fonts")
 218       (home-subpath "/Library/FontCollections")
 219       (home-subpath "/Library/Keyboard Layouts")
 220       (home-subpath "/Library/Input Methods")
 221       (home-subpath "/Library/Spelling")
 222       (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
 223
 224       (subpath appdir-path)
 225
 226       (literal appPath)
 227       (literal appBinaryPath))
 228
 229   (when testingReadPath1
 230     (allow file-read* (subpath testingReadPath1)))
 231   (when testingReadPath2
 232     (allow file-read* (subpath testingReadPath2)))
 233   (when testingReadPath3
 234     (allow file-read* (subpath testingReadPath3)))
 235   (when testingReadPath4
 236     (allow file-read* (subpath testingReadPath4)))
 237
 238   (allow file-read-metadata (home-subpath "/Library"))
 239
 240   (allow file-read-metadata
 241     (literal "/private/var")
 242     (subpath "/private/var/folders"))
 243
 244   ; bug 1303987
 245   (if (string? debugWriteDir)
 246     (begin
 247       (allow file-write-data (subpath debugWriteDir))
 248       (allow file-write-create
 249         (require-all
 250           (subpath debugWriteDir)
 251           (vnode-type REGULAR-FILE)))))
 252
 253   ; bug 1324610
 254   (allow network-outbound file-read*
 255     (literal "/private/var/run/cupsd"))
 256
 257   (allow-shared-list "org.mozilla.plugincontainer")
 258
 259 ; the following rule should be removed when microphone access
 260 ; is brokered through the content process
 261   (allow device-microphone)
 262
 263 ; Per-user and system-wide Extensions dir
 264   (allow file-read*
 265       (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
 266       (regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
 267
 268 ; The following rules impose file access restrictions which get
 269 ; more restrictive in higher levels. When file-origin-specific
 270 ; content processes are used for file:// origin browsing, the
 271 ; global file-read* permission should be removed from each level.
 272
 273 ; level 1: global read access permitted, no global write access
 274   (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
 275
 276 ; level 2: global read access permitted, no global write access,
 277 ;          no read/write access to ~/Library,
 278 ;          no read/write access to $PROFILE,
 279 ;          read access permitted to $PROFILE/{extensions,chrome}
 280   (if (string=? sandbox-level-2 "TRUE")
 281     (if (string=? hasFilePrivileges "TRUE")
 282       ; This process has blanket file read privileges
 283       (allow file-read*)
 284       ; This process does not have blanket file read privileges
 285       (begin
 286         ; bug 1201935
 287         (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
 288         (if (string=? hasProfileDir "TRUE")
 289           ; we have a profile dir
 290           (begin
 291             (allow file-read* (require-all
 292                 (require-not (home-subpath "/Library"))
 293                 (require-not (subpath profileDir))))
 294             (allow file-read*
 295                 (profile-subpath "/extensions")
 296                 (profile-subpath "/chrome")))
 297           ; we don't have a profile dir
 298           (allow file-read* (require-not (home-subpath "/Library")))))))
 299
 300   ; level 3: no global read/write access,
 301   ;          read access permitted to $PROFILE/{extensions,chrome}
 302   (if (string=? sandbox-level-3 "TRUE")
 303     (if (string=? hasFilePrivileges "TRUE")
 304       ; This process has blanket file read privileges
 305       (allow file-read*)
 306       ; This process does not have blanket file read privileges
 307       (if (string=? hasProfileDir "TRUE")
 308         ; we have a profile dir
 309           (allow file-read*
 310             (profile-subpath "/extensions")
 311             (profile-subpath "/chrome")))))
 312
 313 ; accelerated graphics
 314   (allow-shared-preferences-read "com.apple.opengl")
 315   (allow-shared-preferences-read "com.nvidia.OpenGL")
 316   (allow mach-lookup
 317       (global-name "com.apple.cvmsServ"))
 318   (allow iokit-open
 319       (iokit-connection "IOAccelerator")
 320       (iokit-user-client-class "IOAccelerationUserClient")
 321       (iokit-user-client-class "IOSurfaceRootUserClient")
 322       (iokit-user-client-class "IOSurfaceSendRight")
 323       (iokit-user-client-class "IOFramebufferSharedUserClient")
 324       (iokit-user-client-class "AGPMClient")
 325       (iokit-user-client-class "AppleGraphicsControlClient")
 326       (iokit-user-client-class "AppleGraphicsPolicyClient"))
 327
 328 ; bug 1153809
 329   (allow iokit-open
 330       (iokit-user-client-class "NVDVDContextTesla")
 331       (iokit-user-client-class "Gen6DVDContext"))
 332
 333   ; bug 1237847
 334   (allow file-read* file-write-data
 335     (subpath appTempDir))
 336   (allow file-write-create
 337     (require-all
 338       (subpath appTempDir)
 339       (require-any
 340         (vnode-type REGULAR-FILE)
 341         (vnode-type DIRECTORY))))
 342
 343   ; bug 1382260
 344   ; We may need to load fonts from outside of the standard
 345   ; font directories whitelisted above. This is typically caused
 346   ; by a font manager. For now, whitelist any file with a
 347   ; font extension. Limit this to the common font types:
 348   ; files ending in .otf, .ttf, .ttc, .otc, and .dfont.
 349   (allow file-read*
 350     (regex #"\.[oO][tT][fF]$"           ; otf
 351            #"\.[tT][tT][fF]$"           ; ttf
 352            #"\.[tT][tT][cC]$"           ; ttc
 353            #"\.[oO][tT][cC]$"           ; otc
 354            #"\.[dD][fF][oO][nN][tT]$")) ; dfont
 355 )";
 356
 357 }
 358
 359 #endif // mozilla_SandboxPolicies_h