Sandbox/OS X Rule Set: Difference between revisions
Revisions compared: Haftandilian (Glossary) and Haftandilian (Removing content no longer useful); 59 intermediate revisions by the same user not shown.
{| class="wikitable"
|-
! Rule !! Description
|- id=aar_homepaths1
|
[[#aar_homepaths1|link]]
<pre style="border:none;">
" (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
...
" (home-subpath \"/Library/Keyboard Layouts\")\n"
" (home-subpath \"/Library/Input Methods\")\n"
" (home-subpath \"/Library/Spelling\")\n"
</pre>
|| Filesystem read access to these ~/Library subdirectories.
|- id=aar_appdir
|
[[#aar_appdir|link]]
<pre style="border:none;">
" (subpath appdir-path)\n"
...
</pre>
||
Read access to part of the application bundle:<br>
/.../NightlyDebug.app/Contents/Resources/browser
|- id=aar_apppath
|
[[#aar_apppath|link]]
<pre style="border:none;">
" (literal appPath)\n"
...
</pre>
||
and the executable contained in it<br>
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
|- id=aar_plugincontainer_pref
|
[[#aar_plugincontainer_pref|link]]
<pre style="border:none;">
" (allow-shared-list \"org.mozilla.plugincontainer\")\n"
</pre>
|| Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.
|- id=aar_miccam
|
[[#aar_miccam|link]]
<pre style="border:none;">
"; the following 2 rules should be removed when microphone and camera access\n"
...
</pre>
|| Camera and mic access.
|- id=aar_intldata
|
[[#aar_intldata|link]]
<pre style="border:none;">
"\n"
...
</pre>
|| Read and write access to<br>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le<br>This file is not present on my 10.11 system.
|- id=aar_icon
|
[[#aar_icon|link]]
<pre style="border:none;">
" (allow file-read*\n"
...
</pre>
||
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)<br>
Not found on my 10.11 system.
|- id=aar_chromregex
|
[[#aar_chromregex|link]]
<pre style="border:none;">
" (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
...
</pre>
||
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
Not found on my 10.11 system.
|- id=aar_lib_ext
|
[[#aar_lib_ext|link]]
<pre style="border:none;">
"; Per-user and system-wide Extensions dir\n"
" (allow file-read*\n"
" (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
" (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
</pre>
||
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allows access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
|- id=level1_fs_rules
|
[[#level1_fs_rules|link]]
<pre style="border:none;">
"; The following rules impose file access restrictions which get\n"
"; more restrictive in higher levels. When file-origin-specific\n"
"; content processes are used for file:// origin browsing, the\n"
"; global file-read* permission should be removed from each level.\n"
"\n"
"; level 1: global read access permitted, no home write access\n"
" (if (= sandbox-level 1)\n"
" (begin\n"
" (allow file-read*)\n"
" (allow file-write* (require-not (subpath home-path)))))\n"
</pre>
|| Level 1-specific filesystem rules: allow reading anywhere the OS permits. Do not allow writing anywhere in the home directory.
|- id=level2_fs_rules
|
[[#level2_fs_rules|link]]
<pre style="border:none;">
"; level 2: global read access permitted, no home write access,\n"
"; no read/write access to ~/Library,\n"
"; no read/write access to $PROFILE,\n"
"; read access permitted to $PROFILE/{extensions,weave}\n"
" (if (= sandbox-level 2)\n"
" (if (not (zero? hasProfileDir))\n"
" ; we have a profile dir\n"
" (begin\n"
" (allow file-read* (require-all\n"
" (require-not (home-subpath \"/Library\"))\n"
" (require-not (subpath profileDir))))\n"
" (allow file-write* (require-all\n"
" (require-not (subpath home-path))\n"
" (require-not (subpath profileDir))))\n"
" (allow file-read*\n"
" (profile-subpath \"/extensions\")\n"
" (profile-subpath \"/weave\")))\n"
" ; we don't have a profile dir\n"
" (begin\n"
" (allow file-read*\n"
" (require-not (home-subpath \"/Library\")))\n"
" (allow file-write* (require-all\n"
" (require-not (subpath home-path)))))))\n"
</pre>
|| Level 2-specific filesystem rules: do not allow writing anywhere in the home directory. Allow reading anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.
|- id=aar_printpreview
|
[[#aar_printpreview|link]]
<pre style="border:none;">
"\n"
"; accelerated graphics\n"
...
</pre>
|| Graphics
|- id=aar_tempitems
|
[[#aar_tempitems|link]]
<pre style="border:none;">
"\n"
"; bug 1201935\n"
...
</pre>
|| Read-only access to anything in ~/Library/Caches/TemporaryItems
|- id=aar_apptempdir
|
[[#aar_apptempdir|link]]
<pre style="border:none;">
"; bug 1237847\n"
" (allow file-read*\n"
...
</pre>
|}
Latest revision as of 17:47, 16 November 2017
References
Ref | Source |
---|---|
1 | Apple's Sandbox Guide v1.0 13-09-2011, http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf |
Glossary
Term | Meaning |
---|---|
~ | Refers to the full path to the home directory of the user. On OS X this is /Users/<username>. |
[^/]+ | This is used in some of the regular expressions. [^/] matches a single character that is not a '/'; [^/]+ matches one or more non-slash characters. |
Notes
- An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
- Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
Annotated Rules (WARNING: Outdated)
- The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in SandboxPolicies.h (https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h).
Rule | Description |
---|---|
static const char contentSandboxRules[] = | |
(version 1) |
References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version". |
(define sandbox-level %d) (define macosMinorVersion %d) (define appPath \"%s\") (define appBinaryPath \"%s\") (define appDir \"%s\") (define appTempDir \"%s\") (define home-path \"%s\") |
These set up some macros to be used later in the policy. See the next row for examples of what they evaluate to on a Nightly build. sandbox-level is the value of security.sandbox.content.level when it is >=1; if the value is zero, the sandbox policy isn't used and content processes aren't sandboxed. macosMinorVersion is used to detect OS X 10.9, which rejects the "lsopen" rule. appTempDir is the temp directory for content processes that we create and clean up in the parent; see bug 1252207 and bug 1237847. |
Example output of the above macros after running a Nightly build. Paths abbreviated with "...". (define sandbox-level 1) (define macosMinorVersion 11) (define appPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app") (define appBinaryPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container") (define appDir "/.../NightlyDebug.app/Contents/Resources/browser") (define appTempDir "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}") (define home-path "/Users/<USERNAME>") | |
; Allow read access to standard system paths. (allow file-read* (require-all (file-mode #o0004) (require-any (subpath "/Library/Filesystems/NetFSPlugins") (subpath "/System") (subpath "/private/var/db/dyld") (subpath "/usr/lib") (subpath "/usr/share")))) |
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them (the file-mode #o0004 check, i.e. the world-readable bit is set). |
(allow file-read-metadata (literal "/etc") (literal "/tmp") (literal "/var") (literal "/private/etc/localtime")) |
Allow reading of metadata of these directories. |
; Allow access to standard special files. (allow file-read* (literal "/dev/autofs_nowait") (literal "/dev/random") (literal "/dev/urandom") |
/dev/random and /dev/urandom are used for randomization code. /dev/autofs_nowait: TBD; probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points). |
(allow file-read* file-write-data (literal "/dev/null") (literal "/dev/zero")) |
Wondering if we need write access to these. |
(allow file-read* file-write-data file-ioctl (literal "/dev/dtracehelper")) |
Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo. |
(allow mach-lookup (global-name "com.apple.appsleep") (global-name "com.apple.bsd.dirhelper") (global-name "com.apple.cfprefsd.agent") (global-name "com.apple.cfprefsd.daemon") (global-name "com.apple.diagnosticd") (global-name "com.apple.espd") (global-name "com.apple.secinitd") (global-name "com.apple.system.DirectoryService.libinfo_v1") (global-name "com.apple.system.logger") (global-name "com.apple.system.notification_center") (global-name "com.apple.system.opendirectoryd.libinfo") (global-name "com.apple.system.opendirectoryd.membership") (global-name "com.apple.trustd") (global-name "com.apple.trustd.agent") (global-name "com.apple.xpc.activity.unmanaged") (global-name "com.apple.xpcd") (local-name "com.apple.cfprefsd.agent")) |
Miscellaneous undocumented services. |
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others (allow sysctl-read) |
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X. |
" (begin\n" " (deny default)\n" |
By default, we deny: any capability not explicitly allowed here cannot be used. |
" (debug deny)\n" "\n" |
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox". |
" (define resolving-literal literal)\n" " (define resolving-subpath subpath)\n" " (define resolving-regex regex)\n" |
Shortcut macros. |
" (define container-path appPath)\n" " (define appdir-path appDir)\n" " (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n" " (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n" "\n" " (define (home-regex home-relative-regex)\n" " (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n" " (define (home-subpath home-relative-subpath)\n" " (resolving-subpath (string-append home-path home-relative-subpath)))\n" " (define (home-literal home-relative-literal)\n" " (resolving-literal (string-append home-path home-relative-literal)))\n" "\n" " (define (var-folders-regex var-folders-relative-regex)\n" " (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n" " (define (var-folders2-regex var-folders2-relative-regex)\n" " (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n" "\n" |
Text substitution macros for dealing with paths. |
" (define (allow-shared-preferences-read domain)\n" " (begin\n" " (if (defined? `user-preference-read)\n" " (allow user-preference-read (preference-domain domain)))\n" " (allow file-read*\n" " (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n" " (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n" " ))\n" "\n" " (define (allow-shared-list domain)\n" " (allow file-read*\n" " (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n" "\n" |
Macros for dealing with some form of OS X preferences. TBD. |
"\n" " (allow ipc-posix-shm\n" " (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n" " (ipc-posix-name-regex \"^CFPBS:\")\n" " (ipc-posix-name-regex \"^AudioIO\"))\n" |
Access via IPC shared memory to services with names matching these regexes? TBD |
"\n" " (allow file-read-metadata\n" " (literal \"/home\")\n" " (literal \"/net\")\n" " (regex \"^/private/tmp/KSInstallAction\\.\")\n" " (var-folders-regex \"/\")\n" " (home-subpath \"/Library\"))\n" |
Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule? |
" (allow signal (target self))\n" |
Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any. |
" (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n" |
This might be related to using the camera. |
" (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n" |
Setting sound volume? |
" (allow mach-lookup\n" " (global-name \"com.apple.coreservices.launchservicesd\")\n" " (global-name \"com.apple.coreservices.appleevents\")\n" " (global-name \"com.apple.pasteboard.1\")\n" " (global-name \"com.apple.window_proxies\")\n" " (global-name \"com.apple.windowserver.active\")\n" " (global-name \"com.apple.audio.coreaudiod\")\n" " (global-name \"com.apple.audio.audiohald\")\n" " (global-name \"com.apple.PowerManagement.control\")\n" " (global-name \"com.apple.cmio.VDCAssistant\")\n" " (global-name \"com.apple.SystemConfiguration.configd\")\n" " (global-name \"com.apple.iconservices\")\n" " (global-name \"com.apple.cookied\")\n" " (global-name \"com.apple.printuitool.agent\")\n" " (global-name \"com.apple.printtool.agent\")\n" " (global-name \"com.apple.cache_delete\")\n" " (global-name \"com.apple.pluginkit.pkd\")\n" " (global-name \"com.apple.bird\")\n" " (global-name \"com.apple.ocspd\")\n" " (global-name \"com.apple.cmio.AppleCameraAssistant\")\n" " (global-name \"com.apple.DesktopServicesHelper\"))\n" |
Access to more undocumented OS X facilities. |
" (allow iokit-open\n" " (iokit-user-client-class \"IOHIDParamUserClient\")\n" " (iokit-user-client-class \"IOAudioControlUserClient\")\n" " (iokit-user-client-class \"IOAudioEngineUserClient\")\n" " (iokit-user-client-class \"IGAccelDevice\")\n" " (iokit-user-client-class \"nvDevice\")\n" " (iokit-user-client-class \"nvSharedUserClient\")\n" " (iokit-user-client-class \"nvFermiGLContext\")\n" " (iokit-user-client-class \"IGAccelGLContext\")\n" " (iokit-user-client-class \"IGAccelSharedUserClient\")\n" " (iokit-user-client-class \"IGAccelVideoContextMain\")\n" " (iokit-user-client-class \"IGAccelVideoContextMedia\")\n" " (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n" " (iokit-user-client-class \"RootDomainUserClient\")\n" " (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n" " (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n" |
Sounds like this is for accessing various kernel driver provided functionality. |
"; depending on systems, the 1st, 2nd or both rules are necessary\n" " (allow-shared-preferences-read \"com.apple.HIToolbox\")\n" " (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n" |
HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls. |
" (allow-shared-preferences-read \"com.apple.ATS\")\n" |
Possibly font-related. |
" (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n" |
Contains some details about time zone, city, language, display devices. |
" (allow file-read*\n" " (subpath \"/Library/Fonts\")\n" " (subpath \"/Library/Audio/Plug-Ins\")\n" " (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n" " (subpath \"/Library/Spelling\")\n" " (literal \"/\")\n" " (literal \"/private/tmp\")\n" " (literal \"/private/var/tmp\")\n" |
Filesystem read access to some system directories. |
" (home-literal \"/.CFUserTextEncoding\")\n" |
Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.) |
" (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n" " (home-subpath \"/Library/Colors\")\n" " (home-subpath \"/Library/Fonts\")\n" " (home-subpath \"/Library/FontCollections\")\n" " (home-subpath \"/Library/Keyboard Layouts\")\n" " (home-subpath \"/Library/Input Methods\")\n" " (home-subpath \"/Library/Spelling\")\n" |
Filesystem read access to these ~/Library subdirectories. |
" (subpath appdir-path)\n" |
Read access to part of the application bundle: |
" (literal appPath)\n" " (literal appBinaryPath))\n" |
Read access to plugin-container .app: |
" (allow-shared-list \"org.mozilla.plugincontainer\")\n" |
Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though. |
"; the following 2 rules should be removed when microphone and camera access\n" "; are brokered through the content process\n" " (allow device-microphone)\n" " (allow device-camera)\n" |
Camera and mic access. |
"\n" " (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n" |
Read and write access to /private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le. This file was not present on my 10.11 system. |
" (allow file-read*\n" " (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n" " (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n" |
Read access to |
" (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n" |
Write access to
|
"; Per-user and system-wide Extensions dir\n" " (allow file-read*\n" " (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n" " (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n" |
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allows access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
|
"; The following rules impose file access restrictions which get\n" "; more restrictive in higher levels. When file-origin-specific\n" "; content processes are used for file:// origin browsing, the\n" "; global file-read* permission should be removed from each level.\n" "\n" "; level 1: global read access permitted, no home write access\n" " (if (= sandbox-level 1)\n" " (begin\n" " (allow file-read*)\n" " (allow file-write* (require-not (subpath home-path)))))\n" |
Level 1-specific filesystem rules: allow reading from anywhere the OS permits. Do not allow writing anywhere in the home directory. |
"; level 2: global read access permitted, no home write access,\n" "; no read/write access to ~/Library,\n" "; no read/write access to $PROFILE,\n" "; read access permitted to $PROFILE/{extensions,weave}\n" " (if (= sandbox-level 2)\n" " (if (not (zero? hasProfileDir))\n" " ; we have a profile dir\n" " (begin\n" " (allow file-read* (require-all\n" " (require-not (home-subpath \"/Library\"))\n" " (require-not (subpath profileDir))))\n" " (allow file-write* (require-all\n" " (require-not (subpath home-path))\n" " (require-not (subpath profileDir))))\n" " (allow file-read*\n" " (profile-subpath \"/extensions\")\n" " (profile-subpath \"/weave\")))\n" " ; we don't have a profile dir\n" " (begin\n" " (allow file-read*\n" " (require-not (home-subpath \"/Library\")))\n" " (allow file-write* (require-all\n" " (require-not (subpath home-path)))))))\n" |
Level 2-specific filesystem rules: do not allow writing anywhere in the home directory. Allow reading from anywhere the OS permits except ~/Library or the PROFILE dir, but allow reading from PROFILE/extensions and PROFILE/weave. When no profile dir is present, only ~/Library is excluded from reads. |
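The level 1 and level 2 blocks above can be read as a small decision procedure. As an added example (not Mozilla's code and not part of the original page), the Python model below evaluates just those level-specific file rules for a given operation and path; subpath, home-subpath and profile-subpath matching is approximated by normalized path-prefix checks, and the HOME and profile paths in the demo are constructed assumptions.

```python
import os
from typing import Optional


def _subpath(path: str, root: str) -> bool:
    """Approximates (subpath root): path equals root or lies beneath it."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def file_access_allowed(op: str, path: str, sandbox_level: int,
                        home_path: str, profile_dir: Optional[str]) -> bool:
    """Model of the level 1 / level 2 file-read* and file-write* rules.

    op is 'read' or 'write'. profile_dir=None models hasProfileDir == 0.
    Only the level-specific rules are modelled; the rest of the profile
    (and OS permissions, which an allow rule never bypasses) is ignored.
    """
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    in_home = _subpath(path, home_path)
    in_home_library = _subpath(path, os.path.join(home_path, "Library"))
    in_profile = profile_dir is not None and _subpath(path, profile_dir)

    if sandbox_level == 1:
        # (allow file-read*) and (allow file-write* (require-not (subpath home-path)))
        return True if op == "read" else not in_home
    if sandbox_level == 2:
        if op == "write":
            # require-all of (require-not home-path) and, with a profile, (require-not profileDir)
            return not in_home and not in_profile
        # reads: anything outside ~/Library and outside profileDir ...
        if not in_home_library and not in_profile:
            return True
        # ... plus $PROFILE/extensions and $PROFILE/weave when a profile dir exists
        if profile_dir is not None:
            return (_subpath(path, os.path.join(profile_dir, "extensions"))
                    or _subpath(path, os.path.join(profile_dir, "weave")))
        return False
    raise ValueError("only levels 1 and 2 are modelled here")


if __name__ == "__main__":
    # Constructed sample paths (hypothetical user and profile).
    home = "/Users/alice"
    profile = home + "/Library/Application Support/Firefox/Profiles/abc.default"
    for lvl in (1, 2):
        for op, p in (("read", home + "/Library/Keychains/login.keychain"),
                      ("read", profile + "/extensions/addon.xpi"),
                      ("write", home + "/Documents/out.txt"),
                      ("write", "/private/tmp/out.txt")):
            print(lvl, op, p, file_access_allowed(op, p, lvl, home, profile))
```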
"\n" "; accelerated graphics\n" " (allow-shared-preferences-read \"com.apple.opengl\")\n" " (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n" " (allow mach-lookup\n" " (global-name \"com.apple.cvmsServ\"))\n" " (allow iokit-open\n" " (iokit-connection \"IOAccelerator\")\n" " (iokit-user-client-class \"IOAccelerationUserClient\")\n" " (iokit-user-client-class \"IOSurfaceRootUserClient\")\n" " (iokit-user-client-class \"IOSurfaceSendRight\")\n" " (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n" " (iokit-user-client-class \"AppleSNBFBUserClient\")\n" " (iokit-user-client-class \"AGPMClient\")\n" " (iokit-user-client-class \"AppleGraphicsControlClient\")\n" " (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n" "\n" "; bug 1153809\n" " (allow iokit-open\n" " (iokit-user-client-class \"NVDVDContextTesla\")\n" " (iokit-user-client-class \"Gen6DVDContext\"))\n" |
Graphics |
"\n" "; bug 1201935\n" " (allow file-read*\n" " (home-subpath \"/Library/Caches/TemporaryItems\"))\n" "\n" |
Read-only access to anything in ~/Library/Caches/TemporaryItems |
"; bug 1237847\n" " (allow file-read*\n" " (home-subpath appTempDir))\n" " (allow file-write*\n" " (home-subpath appTempDir))\n" " )\n" ")\n"; |
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts. |