Sandbox/OS X Rule Set: Difference between revisions

Removing content no longer useful
(explain level 99)
(Removing content no longer useful)
 
Line 9: Line 9:
Apple's Sandbox Guide v1.0 13-09-2011 <br>
Apple's Sandbox Guide v1.0 13-09-2011 <br>
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
|-
| 2
||
Sandbox setup in the source: see usage of the variable 'contentSandboxRules' and the call to StartMacSandbox() in Sandbox.mm:<br>
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/Sandbox.mm#148
|}
|}
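Review bot: the added row links Sandbox.mm through a fixed line anchor (`#148` on a `mozilla-central` tip URL), which stops pointing at the `StartMacSandbox()` call as soon as the file is edited above that line; either pin the link to a specific revision or drop the anchor and let the `contentSandboxRules` and `StartMacSandbox()` names the row already gives serve as the search key.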


Line 33: Line 28:
= Notes =  
= Notes =  


# One of the confusing things about the Mac file-system related rules is the redundancy.<br>The rules use the "(default deny)" directive which means that unless an access is explicitly allowed, it should be denied. Then, interspersed throughout the ruleset we have several filesystem rules to allow read access to specific locations on the system. Later we have a general rule that allows access to '''anything on the system that is not in ~/Library''' (i.e., access to ~/Library is blocked with some exceptions) making many of the specific rules redundant. Read/write access to ~ is needed for now (see [[Deny Filesystem Access]] for an explanation). Once we can remove read/write access to ~ from the rules, we'll eliminate the redundancy. Lastly we have rules allowing access to specific directories in ~/Library. Bug 1083344 "Tighten rules for Mac OS content process sandbox on 10.9 and 10.10" documents how this came to be -- not allowing access to ~ broke too many things.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# Because of the redundancy, we could remove most filesystem rules and replace them with rules that equate to (allow everything, but don't allow ~/Library except for a few subdirectories in ~/Library).
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.


= Annotated Rules =
= Annotated Rules (WARNING: Outdated) =
 
# The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in [https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h SandboxPolicies.h].


{| class="wikitable"
{| class="wikitable"
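Review bot: the new warning placed under `= Annotated Rules (WARNING: Outdated) =` is written as a `#` list item, so it renders as a one-entry numbered list ("1. The table below is not kept up-to-date...") rather than as a note; a plain paragraph reads better, and the heading itself need not carry the WARNING once the paragraph states it. Note 1 is kept but still says "Once we can remove read/write access to ~ from the rules, we'll eliminate the redundancy" while the note proposing the replacement rules (allow everything except ~/Library) is deleted; if the plan is no longer current, Note 1 should say so too. The `hg.mozilla.org/.../file/tip/...SandboxPolicies.h` link is the right kind of pointer here, since it tracks the current file.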
Line 594: Line 589:
||
||
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
|}
= How security.sandbox.content.level Affects File Access =
{| class="wikitable"
|-
! Release !! Content Sandbox Level
|-
| Nightly(52) || 2
|-
| Aurora || 1
|-
| Beta || Sandbox disabled
|-
| Release || Sandbox disabled
|}
{| class="wikitable"
|-
! Access Type !! Meaning
|-
| R || Reading access to the file at this path or the directory and possibly all subpaths and directories
|-
| W || Write access to the file at this path or the directory and possibly all subpaths and directories
|-
| read metadata || Reading access to the file metadata only. Applies to this path or directory and possibly all subpaths and
|}
{| class="wikitable sortable"
|-
! Blocked at Sandbox Level (level 99 for things we haven't determined a level for yet) !! Access Type !! Are Subpaths Included? !! Path
|-
| 1 || W || yes || <HOME DIR>
|-
| 1 || W || yes || <PROFILE DIR>
|-
| 2 || R || yes || <HOME DIR>/Library
|-
| 2 || R || yes || <PROFILE DIR>
|-
| 3 || R || yes || <PROFILE DIR>/extensions
|-
| 3 || R || yes || <PROFILE DIR>/weave
|-
| 3 || R || yes || <HOME DIR> and anywhere accessible by user by default
|-
| 99 || W || no || /dev/null
|-
| 99 || R || no || /dev/null
|-
| 99 || W || no || /dev/zero
|-
| 99 || R || no || /dev/zero
|-
| 99 || W || no || /dev/dtracehelper
|-
| 99 || R || no || /dev/dtracehelper
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le</nowiki>
|-
| 99 || W || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices</nowiki>
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le</nowiki>
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]/[^/]+.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\</nowiki>
|-
| 99 || W || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*</nowiki>
|-
| 99 || W || no || ~/Library/Caches/TemporaryItems/Temp-{UUID} (Content Temp Dir)
|-
| 99 || R || no || ~/Library/Caches/TemporaryItems/Temp-{UUID} (Content Temp Dir)
|-
| 99 || R || no || /dev/autofs_nowait
|-
| 99 || R || no || /dev/random
|-
| 99 || R || no || /dev/urandom
|-
| 99 || R || no || /
|-
| 99 || R || no || /private/tmp
|-
| 99 || R || no || /private/var/tmp
|-
| 99 || R || no || <HOME DIR>/.CFUserTextEncoding
|-
| 99 || R || no || <HOME DIR>/Library/Preferences/com.apple.DownloadAssessment.plist
|-
| 99 || R || no || <HOME DIR>/Library/Preferences/.../...plist
|-
| 99 || R || yes || <HOME DIR>/Library/Colors
|-
| 99 || R || yes || <HOME DIR>/Library/Fonts
|-
| 99 || R || yes || <HOME DIR>/Library/FontCollections
|-
| 99 || R || yes || <HOME DIR>/Library/Keyboard Layouts
|-
| 99 || R || yes || <HOME DIR>/Library/Input Methods
|-
| 99 || R || yes || <HOME DIR>/Library/Spelling
|-
| 99 || R || yes || /Library/Filesystems/NetFSPlugins
|-
| 99 || R || yes || /System
|-
| 99 || R || yes || /private/var/db/dyld
|-
| 99 || R || yes || /usr/lib
|-
| 99 || R || yes || /usr/share
|-
| 99 || R || no || /Library/Preferences/com.apple.HIToolbox.plist
|-
| 99 || R || no || /Library/Preferences/.GlobalPreferences.plist
|-
| 99 || R || yes || /Library/Fonts
|-
| 99 || R || yes || /Library/Audio/Plug-Ins
|-
| 99 || R || yes || /Library/CoreMediaIO/Plug-Ins/DAL
|-
| 99 || R || yes || /Library/Spelling
|-
| 99 || R || yes || <INSTALL DIR>/Firefox.app/Contents/Resources/browser
|-
| 99 || R || no  || <INSTALL DIR>/Firefox.app/Contents/MacOS/plugin-container.app
|-
| 99 || R || no  || <INSTALL DIR>/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
|-
| 99 || R || yes || <HOME DIR>/Library/Application Support/[^/]+/Extensions/[^/]/
|-
| 99 || R || yes || /Library/Application Support/[^/]+/Extensions/[^/]/
|-
| 99 || R || yes || <HOME DIR>/Library/Caches/TemporaryItems
|-
| 99 || read metadata || no || /etc
|-
| 99  || read metadata || no || /tmp
|-
| 99  || read metadata || no || /var
|-
| 99  || read metadata || no || /private/etc/localtime
|-
| 99  || read metadata || no || *
|-
| 99  || read metadata || no || /home
|-
| 99  || read metadata || no || /net
|-
| 99  || read metadata || no || /private/tmp/KSInstallAction.*
|-
| 99 || read metadata || no || /private/var/folders/[^/][^/].*
|-
| 99 || read metadata || no || <HOME DIR>/Library
|-
|}
|}
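Review bot: deleting the whole `= How security.sandbox.content.level Affects File Access =` section also deletes the release-to-level mapping (Nightly(52) = 2, Aurora = 1, Beta and Release sandbox disabled) and the legend for the `Blocked at Sandbox Level` column, which were the only explanation on the page of what the levels mean; the surviving Notes and the new pointer to SandboxPolicies.h describe rules, not levels, so leave a one-line pointer to wherever the levels are now documented. Dropping the rest of the table is reasonable, as several entries were already broken: the `read metadata` row of the access-type legend ends mid-sentence at "and possibly all subpaths and", and the `.mozrunner` regex ends with a stray trailing backslash after `$`.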