Sandbox/OS X Rule Set: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(More description of variables passed to ruleset)
(Removing content no longer useful)
 
(92 intermediate revisions by the same user not shown)
Line 11: Line 11:
|}
|}


= Annotated Rules =
= Glossary =


{| class="wikitable"
{| class="wikitable"
|-
|-
! Rule !! Description
! colspan="2" | References
|-
|-
| colspan="2" |<pre style="border:none;">static const char contentSandboxRules[] =</pre>
| ~
||
Refers to the full path to the home directory of the user. On OS X this is /Users/<username>.
|-
|-
|<pre style="border:none;">
| [^/]+
||
This is used in some of the regular expressions. [^/] matches a single character that is not a '/'. [^/]+ Matches 1 or more non-slash characters.
|}
 
= Notes =
 
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
 
= Annotated Rules (WARNING: Outdated) =
 
# The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in [https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h SandboxPolicies.h].
 
{| class="wikitable"
|-
! Rule !! Description
|- id=aar_def
| colspan="2" |
[[#aar_def|link]]
<pre style="border:none;">static const char contentSandboxRules[] =</pre>
|- id=aar_version
| [[#aar_version|link]]
<pre style="border:none;">
(version 1)</pre>
(version 1)</pre>
|| References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".
|| References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".
|-
|- id=aar_macros
|<pre style="border:none;">
|
[[#aar_macros|link]]
<pre style="border:none;">
(define sandbox-level %d)
(define sandbox-level %d)
(define macosMinorVersion %d)
(define macosMinorVersion %d)
Line 32: Line 59:
(define home-path \"%s\")</pre>
(define home-path \"%s\")</pre>


* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used. The level value is only used in once in the rules:
* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
 
  (if (< sandbox-level 2)
    (allow file* (require-not (home-subpath \"/Library\")))
  ;else
    (allow file* (require-all (subpath home-path) (require-not (home-subpath \"/Library\")))))
 
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
Line 45: Line 66:
||
||
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
|-
|- id=aar_example
| colspan="2" |
| colspan="2" |
Full paths abbreviated.
[[#aar_example|link]]
<p>Example output of the above macros after running a Nightly build. Paths abbreviated with "...".
 
<pre  style="border:none;">
<pre  style="border:none;">
(define sandbox-level 1)
(define sandbox-level 1)
Line 57: Line 80:
(define home-path "/Users/<USERNAME>")
(define home-path "/Users/<USERNAME>")
</pre>
</pre>
|-
|- id=aar_syspaths1
|
|  
<pre style="border:none;">(import \"/System/Library/Sandbox/Profiles/system.sb\")</pre>
[[#aar_syspaths1|link]]<br>
This excerpt it what is enabled for us. The file also defines some macros, but they're not used in the file or by our rules. Namely "(define (system-network) ...)" and "(define (system-graphics) ...)".
 
<pre style="border:none;">
<pre style="border:none;">
...
; Allow read access to standard system paths.
;;; Allow registration of per-pid services.
(allow mach-register
      (local-name-regex #""))
 
;;; Allow read access to standard system paths.
(allow file-read*
(allow file-read*
       (require-all (file-mode #o0004)
       (require-all (file-mode #o0004)
Line 76: Line 92:
                                 (subpath "/usr/lib")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/share"))))
                                 (subpath "/usr/share"))))
 
</pre>
||
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.
|- id=aar_syspaths2
|
[[#aar_syspaths2|link]]
<pre  style="border:none;">
(allow file-read-metadata
(allow file-read-metadata
       (literal "/etc")
       (literal "/etc")
Line 82: Line 104:
       (literal "/var")
       (literal "/var")
       (literal "/private/etc/localtime"))
       (literal "/private/etc/localtime"))
 
</pre>
;;; Allow access to standard special files.
||
Allow reading of metadata of these directories.
|- id=aar_syspaths3
|
[[#aar_syspaths3|link]]
<pre  style="border:none;">
; Allow access to standard special files.
(allow file-read*
(allow file-read*
       (literal "/dev/autofs_nowait")
       (literal "/dev/autofs_nowait")
       (literal "/dev/random")
       (literal "/dev/random")
       (literal "/dev/urandom")
       (literal "/dev/urandom")
      (literal "/private/etc/master.passwd")
</pre>
      (literal "/private/etc/passwd"))
||
 
/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)
|- id=aar_syspaths4
|
[[#aar_syspaths4|link]]
<pre  style="border:none;">
(allow file-read*
(allow file-read*
       file-write-data
       file-write-data
       (literal "/dev/null")
       (literal "/dev/null")
       (literal "/dev/zero"))
       (literal "/dev/zero"))
 
</pre>
||
Wondering if we need write access to these.
|- id=aar_dtrace
|
[[#aar_dtrace|link]]
<pre  style="border:none;">
(allow file-read*
(allow file-read*
       file-write-data
       file-write-data
       file-ioctl
       file-ioctl
       (literal "/dev/dtracehelper"))
       (literal "/dev/dtracehelper"))
 
</pre>
(allow network-outbound
||
      (literal "/private/var/run/asl_input")
Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.
      (literal "/private/var/run/syslog"))
|- id=aar_apple1
 
|
;;; Allow creation of core dumps.
[[#aar_apple1|link]]
(allow file-write-create
<pre  style="border:none;">
      (require-all (regex #"^/cores/")
                    (vnode-type REGULAR-FILE)))
 
;;; Allow IPC to standard system agents.
(allow ipc-posix-shm-read*
      (ipc-posix-name #"apple.shm.notification_center")
      (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
 
(allow mach-lookup
(allow mach-lookup
       (global-name "com.apple.appsleep")
       (global-name "com.apple.appsleep")
Line 133: Line 163:
       (global-name "com.apple.xpcd")
       (global-name "com.apple.xpcd")
       (local-name "com.apple.cfprefsd.agent"))
       (local-name "com.apple.cfprefsd.agent"))
 
</pre>
;;; Allow mostly harmless operations.
||
Miscellaneous undocumented services.
|- id=aar_sysctl1
|
[[#aar_sysctl1|link]]
<pre  style="border:none;">
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
(allow sysctl-read)
(allow sysctl-read)
</pre>
</pre>
||
||
This imports all the sandbox policy directives in the file /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
|-
|- id=aar_defaultdeny
|
|
<pre style="border:none;">
[[#aar_defaultdeny|link]]
  "\n"
<pre  style="border:none;">
  "(if \n"
  "  (or\n"
  "    (< macosMinorVersion 9)\n"
  "    (< sandbox-level 1))\n"
  "  (allow default)\n"</pre>
||
Don't enable any sandbox for Mac OS X 10.8 and earlier OR if the sandbox-level is less than 1. The rest of the policy only applies for 10.9 later when sandbox-level >= 1.
|-
|<pre  style="border:none;">
   "  (begin\n"
   "  (begin\n"
   "    (deny default)\n"
   "    (deny default)\n"
Line 157: Line 184:
||
||
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.
|-
|- id=aar_debugdeny
|
|
[[#aar_debugdeny|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (debug deny)\n"
   "    (debug deny)\n"
Line 165: Line 193:
||
||
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".
|-
|- id=aar_literal
|<pre  style="border:none;">
|
[[#aar_literal|link]]
<pre  style="border:none;">
   "    (define resolving-literal literal)\n"
   "    (define resolving-literal literal)\n"
   "    (define resolving-subpath subpath)\n"
   "    (define resolving-subpath subpath)\n"
Line 173: Line 203:
||
||
Shortcut macros.
Shortcut macros.
|-
|- id=aar_textmacros
|
|
[[#aar_textmacros|link]]
<pre  style="border:none;">
<pre  style="border:none;">
   "    (define container-path appPath)\n"
   "    (define container-path appPath)\n"
Line 187: Line 218:
   "    (define (home-literal home-relative-literal)\n"
   "    (define (home-literal home-relative-literal)\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (container-regex container-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
  "    (define (container-subpath container-relative-subpath)\n"
  "      (resolving-subpath (string-append container-path container-relative-subpath)))\n"
  "    (define (container-literal container-relative-literal)\n"
  "      (resolving-literal (string-append container-path container-relative-literal)))\n"
   "\n"
   "\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
Line 200: Line 224:
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
   "\n"
   "\n"
  "    (define (appdir-regex appdir-relative-regex)\n"
</pre>
  "      (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
|| Text substitution macros for dealing with paths.
  "    (define (appdir-subpath appdir-relative-subpath)\n"
|- id=aar_sharedprefs
  "      (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
|
  "    (define (appdir-literal appdir-relative-literal)\n"
[[#aar_sharedprefs|link]]
  "      (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
<pre  style="border:none;">
  "\n"
   "    (define (allow-shared-preferences-read domain)\n"
   "    (define (allow-shared-preferences-read domain)\n"
   "          (begin\n"
   "          (begin\n"
Line 222: Line 245:
   "\n"
   "\n"
</pre>
</pre>
|| Macros (needs more explanation)
|| Macros for dealing with some form of OS X preferences. TBD.
|-
|- id=aar_posixshm
|
<pre  style="border:none;">
 
  "    (allow file-read-metadata)\n"
</pre>
|| Does this allow file-read-metadata for all files?
|-
|
|
[[#aar_posixshm|link]]
<pre  style="border:none;">
<pre  style="border:none;">
   "\n"
   "\n"
Line 239: Line 256:
   "        (ipc-posix-name-regex \"^AudioIO\"))\n"
   "        (ipc-posix-name-regex \"^AudioIO\"))\n"
</pre>
</pre>
|| IPC shared memory?
|| Access via IPC shared memory to services with names matching these regexes? TBD
|-
|- id=aar_paths4
|
|
[[#aar_paths4|link]]
<pre style="border:none;">
<pre style="border:none;">
   "\n"
   "\n"
Line 251: Line 269:
   "        (home-subpath \"/Library\"))\n"
   "        (home-subpath \"/Library\"))\n"
</pre>
</pre>
|| Allow reading of file metadata for this directories and files. Is this redundant give the above "(allow file-read-metadata)" rule.
|| Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?
|-
|- id=aar_signalself
|<pre style="border:none;">
|
  "\n"
[[#aar_signalself|link]]
<pre style="border:none;">
   "    (allow signal (target self))\n"
   "    (allow signal (target self))\n"
</pre>
||
Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.
|- id=aar_jobcreationdal
|
[[#aar_jobcreationdal|link]]
<pre style="border:none;">
   "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
   "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
</pre>
||
This might be related to using the camera.
|- id=aar_audioctrl
|
[[#aar_audioctrl|link]]
<pre style="border:none;">
   "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
   "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
  "\n"
</pre>
||
Setting sound volume?
|- id=aar_appleglobalcom2
|
[[#aar_appleglobalcom2|link]]
<pre style="border:none;">
   "    (allow mach-lookup\n"
   "    (allow mach-lookup\n"
   "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
   "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
Line 279: Line 318:
   "        (global-name \"com.apple.ocspd\")\n"
   "        (global-name \"com.apple.ocspd\")\n"
   "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
   "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
   "        (global-name \"com.apple.DesktopServicesHelper\")\n"
   "        (global-name \"com.apple.DesktopServicesHelper\"))\n"
  "        (global-name \"com.apple.printtool.daemon\"))\n"
</pre>
  "\n"
||
Access to more undocumented OS X facilities.
|- id=aar_iokituserclient
|
[[#aar_iokituserclient|link]]
<pre style="border:none;">
   "    (allow iokit-open\n"
   "    (allow iokit-open\n"
   "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
   "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
Line 298: Line 342:
   "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
   "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
   "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
   "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
  "\n"
</pre>
||
Sound like this is for accessing various kernel driver provided functionality.
|- id=aar_hitoolbox
|
[[#aar_hitoolbox|link]]
<pre style="border:none;">
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
   "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
   "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
   "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
   "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
  "\n"
</pre>
||
HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.<br>Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.
|- id=aar_comappleats
|
[[#aar_comappleats|link]]
<pre style="border:none;">
   "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
   "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
</pre>
||
Possibly font-related.
|- id=aar_globalprefs
|
[[#aar_globalprefs|link]]
<pre style="border:none;">
   "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
   "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
  "\n"
</pre>
||
Contains some details about time zone, city, language, display devices.
|- id=aar_syspaths5
|
[[#aar_syspaths5|link]]
<pre style="border:none;">
   "    (allow file-read*\n"
   "    (allow file-read*\n"
   "        (subpath \"/Library/Fonts\")\n"
   "        (subpath \"/Library/Fonts\")\n"
Line 311: Line 380:
   "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
   "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
   "        (subpath \"/Library/Spelling\")\n"
   "        (subpath \"/Library/Spelling\")\n"
  "        (subpath \"/private/etc/cups/ppd\")\n"
  "        (subpath \"/private/var/run/cupsd\")\n"
   "        (literal \"/\")\n"
   "        (literal \"/\")\n"
   "        (literal \"/private/tmp\")\n"
   "        (literal \"/private/tmp\")\n"
   "        (literal \"/private/var/tmp\")\n"
   "        (literal \"/private/var/tmp\")\n"
  "\n"
</pre>
||
Filesystem read access to some system directories.
|- id=aar_cfuser
|
[[#aar_cfuser|link]]
<pre style="border:none;">
   "        (home-literal \"/.CFUserTextEncoding\")\n"
   "        (home-literal \"/.CFUserTextEncoding\")\n"
</pre>
||
Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)
|- id=aar_homepaths1
|
[[#aar_homepaths1|link]]
<pre style="border:none;">
   "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
   "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
   "        (home-subpath \"/Library/Colors\")\n"
   "        (home-subpath \"/Library/Colors\")\n"
Line 324: Line 404:
   "        (home-subpath \"/Library/Keyboard Layouts\")\n"
   "        (home-subpath \"/Library/Keyboard Layouts\")\n"
   "        (home-subpath \"/Library/Input Methods\")\n"
   "        (home-subpath \"/Library/Input Methods\")\n"
  "        (home-subpath \"/Library/PDF Services\")\n"
   "        (home-subpath \"/Library/Spelling\")\n"
   "        (home-subpath \"/Library/Spelling\")\n"
  "\n"
</pre>
|| Filesystem read access to these ~/Library subdirectories.
|- id=aar_appdir
|
[[#aar_appdir|link]]
<pre style="border:none;">
   "        (subpath appdir-path)\n"
   "        (subpath appdir-path)\n"
  "\n"
</pre>
||
Read access to part of the application bundle:<br>
/.../NightlyDebug.app/Contents/Resources/browser
|- id=aar_apppath
|
[[#aar_apppath|link]]
<pre style="border:none;">
   "        (literal appPath)\n"
   "        (literal appPath)\n"
   "        (literal appBinaryPath))\n"
   "        (literal appBinaryPath))\n"
  "\n"
</pre>
||
Read access to plugin-container .app:<br>
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app<br>
and the executable contained in it<br>
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
|- id=aar_plugincontainer_pref
|
[[#aar_plugincontainer_pref|link]]
<pre style="border:none;">
   "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
   "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
  "\n"
</pre>
|| Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.
|- id=aar_miccam
|
[[#aar_miccam|link]]
<pre style="border:none;">
   "; the following 2 rules should be removed when microphone and camera access\n"
   "; the following 2 rules should be removed when microphone and camera access\n"
   "; are brokered through the content process\n"
   "; are brokered through the content process\n"
   "    (allow device-microphone)\n"
   "    (allow device-microphone)\n"
   "    (allow device-camera)\n"
   "    (allow device-camera)\n"
</pre>
|| Camera and mic access.
|- id=aar_intldata
|
[[#aar_intldata|link]]
<pre style="border:none;">
   "\n"
   "\n"
   "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
   "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
</pre>
|| Read and write access to<br>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le<br>This file not prevent on my 10.11 system.
|- id=aar_icon
|
[[#aar_icon|link]]
<pre style="border:none;">
   "    (allow file-read*\n"
   "    (allow file-read*\n"
   "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
   "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
   "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
   "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
  "\n"
 
</pre>
||
Read access to<br>
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices<br>and<br>
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)<br>
Not found on my 10.11 system.
|- id=aar_chromregex
|
[[#aar_chromregex|link]]
<pre style="border:none;">
   "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
   "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
  "    (allow file-read*\n"
  "        (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "        (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n"
  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n"
  "\n"
  "; the following rules should be removed when printing and \n"
  "; opening a file from disk are brokered through the main process\n"
  "    (if\n"
  "      (< sandbox-level 2)\n"
  "      (allow file*\n"
  "          (require-not\n"
  "              (home-subpath \"/Library\")))\n"
  "      (allow file*\n"
  "          (require-all\n"
  "              (subpath home-path)\n"
  "              (require-not\n"
  "                  (home-subpath \"/Library\")))))\n"
  "\n"
</pre>
</pre>
|| TODO
||
|-
Write access to<br>
| <pre style="border:none;">
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
  "; printing\n"
Not found on my 10.11 system.
  "    (allow authorization-right-obtain\n"
 
  "          (right-name \"system.print.operator\")\n"
 
  "          (right-name \"system.printingmanager\"))\n"
|- id=aar_lib_ext
  "    (allow mach-lookup\n"
|
  "          (global-name \"com.apple.printuitool.agent\")\n"
[[#aar_lib_ext|link]]
  "          (global-name \"com.apple.printtool.agent\")\n"
<pre style="border:none;">
  "          (global-name \"com.apple.printtool.daemon\")\n"
   "; Per-user and system-wide Extensions dir\n"
  "          (global-name \"com.apple.sharingd\")\n"
   " (allow file-read*\n"
  "          (global-name \"com.apple.metadata.mds\")\n"
   "     (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "          (global-name \"com.apple.mtmd.xpc\")\n"
   "     (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
  "           (global-name \"com.apple.FSEvents\")\n"
</pre>
   "           (global-name \"com.apple.locum\")\n"
||
  "          (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n"
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
   "   (allow file-read*\n"
 
   "           (home-literal \"/.cups/lpoptions\")\n"
 
  "          (home-literal \"/.cups/client.conf\")\n"
|- id=level1_fs_rules
  "          (literal \"/private/etc/cups/lpoptions\")\n"
|
   "           (literal \"/private/etc/cups/client.conf\")\n"
[[#level1_fs_rules|link]]
  "          (subpath \"/private/etc/cups/ppd\")\n"
<pre style="border:none;">
  "          (literal \"/private/var/run/cupsd\"))\n"
   "; The following rules impose file access restrictions which get\n"
  "    (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n"
   "; more restrictive in higher levels. When file-origin-specific\n"
  "    (allow-shared-preferences-read \"com.apple.finder\")\n"
   "; content processes are used for file:// origin browsing, the\n"
  "    (allow-shared-preferences-read \"com.apple.LaunchServices\")\n"
   "; global file-read* permission should be removed from each level.\n"
   "   (allow-shared-preferences-read \".GlobalPreferences\")\n"
   "   (allow network-outbound\n"
   "       (literal \"/private/var/run/cupsd\")\n"
   "       (literal \"/private/var/run/mDNSResponder\"))\n"
   "\n"
   "\n"
 
  "; level 1: global read access permitted, no home write access\n"
  "  (if (= sandbox-level 1)\n"
  "    (begin\n"
  "      (allow file-read*)\n"
  "      (allow file-write* (require-not (subpath home-path)))))\n"
</pre>
</pre>
|| Printing
|| Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.
|-
|- id=level2_fs_rules
| <pre style="border:none;">
|
   "; print preview\n"
[[#level2_fs_rules|link]]
   "   (if (> macosMinorVersion 9)\n"
<pre style="border:none;">
   "       (allow lsopen))\n"
   "; level 2: global read access permitted, no home write access,\n"
   "   (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n"
  ";          no read/write access to ~/Library,\n"
   "    (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n"
   ";          no read/write access to $PROFILE,\n"
   "   (allow mach-task-name)\n"
   ";          read access permitted to $PROFILE/{extensions,weave}\n"
   "   (allow mach-register)\n"
   " (if (= sandbox-level 2)\n"
   "   (allow file-read-data\n"
   "    (if (not (zero? hasProfileDir))\n"
   "       (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n"
   "     ; we have a profile dir\n"
   "       (subpath \"/Library/PDF Services\")\n"
   "     (begin\n"
   "        (subpath \"/Applications/Preview.app\")\n"
   "       (allow file-read* (require-all\n"
   "       (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n"
   "             (require-not (home-subpath \"/Library\"))\n"
   "   (allow mach-lookup\n"
   "             (require-not (subpath profileDir))))\n"
   "       (global-name \"com.apple.pbs.fetch_services\")\n"
   "        (allow file-write* (require-all\n"
   "       (global-name \"com.apple.tsm.uiserver\")\n"
  "             (require-not (subpath home-path))\n"
   "       (global-name \"com.apple.ls.boxd\")\n"
   "             (require-not (subpath profileDir))))\n"
   "        (global-name \"com.apple.coreservices.quarantine-resolver\")\n"
   "       (allow file-read*\n"
   "       (global-name-regex \"_OpenStep$\"))\n"
   "             (profile-subpath \"/extensions\")\n"
   "   (allow appleevent-send\n"
   "             (profile-subpath \"/weave\")))\n"
   "       (appleevent-destination \"com.apple.preview\")\n"
   "     ; we don't have a profile dir\n"
  "        (appleevent-destination \"com.apple.imagecaptureextension2\"))\n"
  "     (begin\n"
   "        (allow file-read*\n"
   "             (require-not (home-subpath \"/Library\")))\n"
   "       (allow file-write* (require-all\n"
   "             (require-not (subpath home-path)))))))\n"
</pre>
</pre>
|| Print preview
|| Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.
|-
|- id=aar_printpreview
| <pre style="border:none;">
|
[[#aar_printpreview|link]]
<pre style="border:none;">
   "\n"
   "\n"
   "; accelerated graphics\n"
   "; accelerated graphics\n"
Line 450: Line 564:
</pre>
</pre>
|| Graphics
|| Graphics
|-
|- id=aar_tempitems
| <pre style="border:none;">
|
  "\n"
[[#aar_tempitems|link]]
  "; bug 1190032\n"
<pre style="border:none;">
  "    (allow file*\n"
  "        (home-regex \"/Library/Caches/TemporaryItems/plugtmp.*\"))\n"
</pre>
|| Read and write access to anything matching ~/Library/Caches/TemporaryItems/plugtmp.*
|-
| <pre style="border:none;">
   "\n"
   "\n"
   "; bug 1201935\n"
   "; bug 1201935\n"
Line 467: Line 575:
</pre>
</pre>
|| Read-only access to anything in ~/Library/Caches/TemporaryItems
|| Read-only access to anything in ~/Library/Caches/TemporaryItems
|-
|- id=aar_apptempdir
| <pre style="border:none;">
|
[[#aar_apptempdir|link]]
<pre style="border:none;">
   "; bug 1237847\n"
   "; bug 1237847\n"
   "    (allow file-read*\n"
   "    (allow file-read*\n"

Latest revision as of 17:47, 16 November 2017

References

References
1

Apple's Sandbox Guide v1.0 13-09-2011
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf

Glossary

References
~

Refers to the full path to the home directory of the user. On OS X this is /Users/<username>.

[^/]+

This is used in some of the regular expressions. [^/] matches a single character that is not a '/'. [^/]+ Matches 1 or more non-slash characters.

Notes

  1. An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
  2. Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.

Annotated Rules (WARNING: Outdated)

  1. The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in SandboxPolicies.h.
Rule Description

link 

static const char contentSandboxRules[] =
link 
(version 1)
 References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".

link 

(define sandbox-level %d)
(define macosMinorVersion %d)
(define appPath \"%s\")
(define appBinaryPath \"%s\")
(define appDir \"%s\")
(define appTempDir \"%s\")
(define home-path \"%s\")
  • sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
  • macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
  • appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
  • home-path: this is used so the ruleset can generate home-relative rules for ~/Library, ~/.cups (printing) and ~/.CFUserTextEncoding (stores the default text encoding and preferred language for the user.)

These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.

link

Example output of the above macros after running a Nightly build. Paths abbreviated with "...". 

(define sandbox-level 1)
(define macosMinorVersion 11)
(define appPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app")
(define appBinaryPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
(define appDir "/.../NightlyDebug.app/Contents/Resources/browser")
(define appTempDir "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}")
(define home-path "/Users/<USERNAME>")

link

; Allow read access to standard system paths.
(allow file-read*
       (require-all (file-mode #o0004)
                    (require-any (subpath "/Library/Filesystems/NetFSPlugins")
                                 (subpath "/System")
                                 (subpath "/private/var/db/dyld")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/share"))))

Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.

link 

(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var")
       (literal "/private/etc/localtime"))

Allow reading of metadata of these directories.

link 

; Allow access to standard special files.
(allow file-read*
       (literal "/dev/autofs_nowait")
       (literal "/dev/random")
       (literal "/dev/urandom")

/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)

link 

(allow file-read*
       file-write-data
       (literal "/dev/null")
       (literal "/dev/zero"))

Wondering if we need write access to these.

link 

(allow file-read*
       file-write-data
       file-ioctl
       (literal "/dev/dtracehelper"))

Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.

link 

(allow mach-lookup
       (global-name "com.apple.appsleep")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.cfprefsd.agent")
       (global-name "com.apple.cfprefsd.daemon")
       (global-name "com.apple.diagnosticd")
       (global-name "com.apple.espd")
       (global-name "com.apple.secinitd")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center")
       (global-name "com.apple.system.opendirectoryd.libinfo")
       (global-name "com.apple.system.opendirectoryd.membership")
       (global-name "com.apple.trustd")
       (global-name "com.apple.trustd.agent")
       (global-name "com.apple.xpc.activity.unmanaged")
       (global-name "com.apple.xpcd")
       (local-name "com.apple.cfprefsd.agent"))

Miscellaneous undocumented services.

link 

; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
(allow sysctl-read)

A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.

link 

  "  (begin\n"
  "    (deny default)\n"

By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.

link 

  "    (debug deny)\n"
  "\n"

For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".

link 

  "    (define resolving-literal literal)\n"
  "    (define resolving-subpath subpath)\n"
  "    (define resolving-regex regex)\n"

Shortcut macros.

link 

  "    (define container-path appPath)\n"
  "    (define appdir-path appDir)\n"
  "    (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
  "    (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
  "\n"
  "    (define (home-regex home-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
  "    (define (home-subpath home-relative-subpath)\n"
  "      (resolving-subpath (string-append home-path home-relative-subpath)))\n"
  "    (define (home-literal home-relative-literal)\n"
  "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (var-folders-regex var-folders-relative-regex)\n"
  "      (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
  "    (define (var-folders2-regex var-folders2-relative-regex)\n"
  "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
  "\n"
Text substitution macros for dealing with paths.

link 

  "    (define (allow-shared-preferences-read domain)\n"
  "          (begin\n"
  "            (if (defined? `user-preference-read)\n"
  "              (allow user-preference-read (preference-domain domain)))\n"
  "            (allow file-read*\n"
  "                   (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
  "                   (home-regex (string-append \"/Library/Preferences/ByHost/\"
                              (regex-quote domain) \"\\..*\\.plist$\")))\n"
  "            ))\n"
  "\n"
  "    (define (allow-shared-list domain)\n"
  "      (allow file-read*\n"
  "             (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
  "\n"
Macros for dealing with some form of OS X preferences. TBD.

link 

  "\n"
  "    (allow ipc-posix-shm\n"
  "        (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
  "        (ipc-posix-name-regex \"^CFPBS:\")\n"
  "        (ipc-posix-name-regex \"^AudioIO\"))\n"
Access via IPC shared memory to services with names matching these regexes? TBD

link 

  "\n"
  "    (allow file-read-metadata\n"
  "        (literal \"/home\")\n"
  "        (literal \"/net\")\n"
  "        (regex \"^/private/tmp/KSInstallAction\\.\")\n"
  "        (var-folders-regex \"/\")\n"
  "        (home-subpath \"/Library\"))\n"
Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?

link 

  "    (allow signal (target self))\n"

Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.

link 

  "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"

This might be related to using the camera.

link 

  "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"

Setting sound volume?

link 

  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
  "        (global-name \"com.apple.coreservices.appleevents\")\n"
  "        (global-name \"com.apple.pasteboard.1\")\n"
  "        (global-name \"com.apple.window_proxies\")\n"
  "        (global-name \"com.apple.windowserver.active\")\n"
  "        (global-name \"com.apple.audio.coreaudiod\")\n"
  "        (global-name \"com.apple.audio.audiohald\")\n"
  "        (global-name \"com.apple.PowerManagement.control\")\n"
  "        (global-name \"com.apple.cmio.VDCAssistant\")\n"
  "        (global-name \"com.apple.SystemConfiguration.configd\")\n"
  "        (global-name \"com.apple.iconservices\")\n"
  "        (global-name \"com.apple.cookied\")\n"
  "        (global-name \"com.apple.printuitool.agent\")\n"
  "        (global-name \"com.apple.printtool.agent\")\n"
  "        (global-name \"com.apple.cache_delete\")\n"
  "        (global-name \"com.apple.pluginkit.pkd\")\n"
  "        (global-name \"com.apple.bird\")\n"
  "        (global-name \"com.apple.ocspd\")\n"
  "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
  "        (global-name \"com.apple.DesktopServicesHelper\"))\n"

Access to more undocumented OS X facilities.

link 

  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioControlUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelDevice\")\n"
  "        (iokit-user-client-class \"nvDevice\")\n"
  "        (iokit-user-client-class \"nvSharedUserClient\")\n"
  "        (iokit-user-client-class \"nvFermiGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
  "        (iokit-user-client-class \"RootDomainUserClient\")\n"
  "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
  "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"

Sound like this is for accessing various kernel driver provided functionality.

link 

  "; depending on systems, the 1st, 2nd or both rules are necessary\n"
  "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
  "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"

HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.
Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.

link 

  "    (allow-shared-preferences-read \"com.apple.ATS\")\n"

Possibly font-related.

link 

  "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"

Contains some details about time zone, city, language, display devices.

link 

  "    (allow file-read*\n"
  "        (subpath \"/Library/Fonts\")\n"
  "        (subpath \"/Library/Audio/Plug-Ins\")\n"
  "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
  "        (subpath \"/Library/Spelling\")\n"
  "        (literal \"/\")\n"
  "        (literal \"/private/tmp\")\n"
  "        (literal \"/private/var/tmp\")\n"

Filesystem read access to some system directories.

link 

  "        (home-literal \"/.CFUserTextEncoding\")\n"

Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)

link 

  "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
  "        (home-subpath \"/Library/Colors\")\n"
  "        (home-subpath \"/Library/Fonts\")\n"
  "        (home-subpath \"/Library/FontCollections\")\n"
  "        (home-subpath \"/Library/Keyboard Layouts\")\n"
  "        (home-subpath \"/Library/Input Methods\")\n"
  "        (home-subpath \"/Library/Spelling\")\n"
Filesystem read access to these ~/Library subdirectories.

link 

  "        (subpath appdir-path)\n"

Read access to part of the application bundle:
/.../NightlyDebug.app/Contents/Resources/browser

link 

  "        (literal appPath)\n"
  "        (literal appBinaryPath))\n"

Read access to plugin-container .app:
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app
and the executable contained in it
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container

link 

  "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.

link 

  "; the following 2 rules should be removed when microphone and camera access\n"
  "; are brokered through the content process\n"
  "    (allow device-microphone)\n"
  "    (allow device-camera)\n"
Camera and mic access.

link 

  "\n"
  "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
Read and write access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le
This file not prevent on my 10.11 system.

link 

  "    (allow file-read*\n"
  "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
  "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"

Read access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices
and
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)
Not found on my 10.11 system.

link 

  "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"

Write access to
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*
Not found on my 10.11 system.


link 

  "; Per-user and system-wide Extensions dir\n"
  "  (allow file-read*\n"
  "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"

See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.


link 

  "; The following rules impose file access restrictions which get\n"
  "; more restrictive in higher levels. When file-origin-specific\n"
  "; content processes are used for file:// origin browsing, the\n"
  "; global file-read* permission should be removed from each level.\n"
  "\n"
  "; level 1: global read access permitted, no home write access\n"
  "  (if (= sandbox-level 1)\n"
  "    (begin\n"
  "      (allow file-read*)\n"
  "      (allow file-write* (require-not (subpath home-path)))))\n"
Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.

link 

  "; level 2: global read access permitted, no home write access,\n"
  ";          no read/write access to ~/Library,\n"
  ";          no read/write access to $PROFILE,\n"
  ";          read access permitted to $PROFILE/{extensions,weave}\n"
  "  (if (= sandbox-level 2)\n"
  "    (if (not (zero? hasProfileDir))\n"
  "      ; we have a profile dir\n"
  "      (begin\n"
  "        (allow file-read* (require-all\n"
  "              (require-not (home-subpath \"/Library\"))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-read*\n"
  "              (profile-subpath \"/extensions\")\n"
  "              (profile-subpath \"/weave\")))\n"
  "      ; we don't have a profile dir\n"
  "      (begin\n"
  "        (allow file-read*\n"
  "              (require-not (home-subpath \"/Library\")))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path)))))))\n"
Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.

link 

  "\n"
  "; accelerated graphics\n"
  "    (allow-shared-preferences-read \"com.apple.opengl\")\n"
  "    (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.cvmsServ\"))\n"
  "    (allow iokit-open\n"
  "        (iokit-connection \"IOAccelerator\")\n"
  "        (iokit-user-client-class \"IOAccelerationUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceSendRight\")\n"
  "        (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
  "        (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
  "        (iokit-user-client-class \"AGPMClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
  "\n"
  "; bug 1153809\n"
  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"NVDVDContextTesla\")\n"
  "        (iokit-user-client-class \"Gen6DVDContext\"))\n"
Graphics

link 

  "\n"
  "; bug 1201935\n"
  "    (allow file-read*\n"
  "        (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
  "\n"
Read-only access to anything in ~/Library/Caches/TemporaryItems

link 

  "; bug 1237847\n"
  "    (allow file-read*\n"
  "        (home-subpath appTempDir))\n"
  "    (allow file-write*\n"
  "        (home-subpath appTempDir))\n"
  "  )\n"
  ")\n";

Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.

Retrieved from "https://wiki.mozilla.org/index.php?title=Sandbox/OS_X_Rule_Set&oldid=1184313"