Sandbox/OS X Rule Set: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Glossary)
(Removing content no longer useful)
 
(59 intermediate revisions by the same user not shown)
Line 9: Line 9:
Apple's Sandbox Guide v1.0 13-09-2011 <br>
Apple's Sandbox Guide v1.0 13-09-2011 <br>
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
|-
| 2
||
Sandbox setup in the source: see usage of the variable 'contentSandboxRules' and the call to StartMacSandbox() in Sandbox.mm:<br>
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/Sandbox.mm#148
|}
|}


Line 33: Line 28:
= Notes =  
= Notes =  


# One of the confusing things about the Mac file-system related rules is the redundancy.<br>The rules use the "(default deny)" directive which means that unless an access is explicitly allowed, it should be denied. Then, interspersed throughout the ruleset we have several filesystem rules to allow read access to specific locations on the system. Later we have a general rule that allows access to '''anything on the system that is not in ~/Library''' (i.e., access to ~/Library is blocked with some exceptions) making many of the specific rules redundant. Read/write access to ~ is needed for now (see [[Deny Filesystem Access]] for an explanation). Once we can remove read/write access to ~ from the rules, we'll eliminate the redundancy. Lastly we have rules allowing access to specific directories in ~/Library. Bug 1083344 "Tighten rules for Mac OS content process sandbox on 10.9 and 10.10" documents how this came to be -- not allowing access to ~ broke too many things.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# Because of the redundancy, we could remove most filesystem rules and replace them with rules that equate to (allow everything, but don't allow ~/Library except for a few subdirectories in ~/Library).
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.


= Annotated Rules =
= Annotated Rules (WARNING: Outdated) =
 
# The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in [https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h SandboxPolicies.h].


{| class="wikitable"
{| class="wikitable"
|-
|-
! Rule !! Description
! Rule !! Description
|-
|- id=aar_def
| colspan="2" |<pre style="border:none;">static const char contentSandboxRules[] =</pre>
| colspan="2" |
|-
[[#aar_def|link]]
|<pre style="border:none;">
<pre style="border:none;">static const char contentSandboxRules[] =</pre>
|- id=aar_version
| [[#aar_version|link]]
<pre style="border:none;">
(version 1)</pre>
(version 1)</pre>
|| References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".
|| References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".
|-
|- id=aar_macros
|<pre style="border:none;">
|
[[#aar_macros|link]]
<pre style="border:none;">
(define sandbox-level %d)
(define sandbox-level %d)
(define macosMinorVersion %d)
(define macosMinorVersion %d)
Line 59: Line 59:
(define home-path \"%s\")</pre>
(define home-path \"%s\")</pre>


* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used. The level value is only used once in the rules:
* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
 
  (if (< sandbox-level 2)
    (allow file* (require-not (home-subpath \"/Library\")))
  ;else
    (allow file* (require-all (subpath home-path) (require-not (home-subpath \"/Library\")))))
 
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
Line 72: Line 66:
||
||
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
|-
|- id=aar_example
| colspan="2" |
| colspan="2" |
Example output of the above macros after running a Nightly build. Paths abbreviated with "...".
[[#aar_example|link]]
<p>Example output of the above macros after running a Nightly build. Paths abbreviated with "...".


<pre  style="border:none;">
<pre  style="border:none;">
Line 85: Line 80:
(define home-path "/Users/<USERNAME>")
(define home-path "/Users/<USERNAME>")
</pre>
</pre>
|-
|- id=aar_syspaths1
|
|  
[[#aar_syspaths1|link]]<br>
<pre style="border:none;">
<pre style="border:none;">
; Allow read access to standard system paths.
; Allow read access to standard system paths.
Line 99: Line 95:
||
||
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.
|-
|- id=aar_syspaths2
|
|
[[#aar_syspaths2|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read-metadata
(allow file-read-metadata
Line 110: Line 107:
||
||
Allow reading of metadata of these directories.
Allow reading of metadata of these directories.
|-
|- id=aar_syspaths3
|
|
[[#aar_syspaths3|link]]
<pre  style="border:none;">
<pre  style="border:none;">
; Allow access to standard special files.
; Allow access to standard special files.
Line 121: Line 119:
||
||
/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)
/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)
|-
|- id=aar_syspaths4
|
|
[[#aar_syspaths4|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read*
(allow file-read*
Line 131: Line 130:
||
||
Wondering if we need write access to these.
Wondering if we need write access to these.
|-
|- id=aar_dtrace
|
|
[[#aar_dtrace|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read*
(allow file-read*
Line 140: Line 140:
</pre>
</pre>
||
||
Can be removed. Relates to using dtrace (debugging tool).
Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.
|-
|- id=aar_apple1
|
|
[[#aar_apple1|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow mach-lookup
(allow mach-lookup
Line 165: Line 166:
||
||
Miscellaneous undocumented services.
Miscellaneous undocumented services.
|-
|- id=aar_sysctl1
|
|
[[#aar_sysctl1|link]]
<pre  style="border:none;">
<pre  style="border:none;">
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
Line 173: Line 175:
||
||
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
|-
|- id=aar_defaultdeny
|<pre  style="border:none;">
|
[[#aar_defaultdeny|link]]
<pre  style="border:none;">
   "  (begin\n"
   "  (begin\n"
   "    (deny default)\n"
   "    (deny default)\n"
Line 180: Line 184:
||
||
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.
|-
|- id=aar_debugdeny
|
|
[[#aar_debugdeny|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (debug deny)\n"
   "    (debug deny)\n"
Line 188: Line 193:
||
||
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".
|-
|- id=aar_literal
|<pre  style="border:none;">
|
[[#aar_literal|link]]
<pre  style="border:none;">
   "    (define resolving-literal literal)\n"
   "    (define resolving-literal literal)\n"
   "    (define resolving-subpath subpath)\n"
   "    (define resolving-subpath subpath)\n"
Line 196: Line 203:
||
||
Shortcut macros.
Shortcut macros.
|-
|- id=aar_textmacros
|
|
[[#aar_textmacros|link]]
<pre  style="border:none;">
<pre  style="border:none;">
   "    (define container-path appPath)\n"
   "    (define container-path appPath)\n"
Line 210: Line 218:
   "    (define (home-literal home-relative-literal)\n"
   "    (define (home-literal home-relative-literal)\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (container-regex container-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
  "    (define (container-subpath container-relative-subpath)\n"
  "      (resolving-subpath (string-append container-path container-relative-subpath)))\n"
  "    (define (container-literal container-relative-literal)\n"
  "      (resolving-literal (string-append container-path container-relative-literal)))\n"
   "\n"
   "\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
Line 222: Line 223:
   "    (define (var-folders2-regex var-folders2-relative-regex)\n"
   "    (define (var-folders2-regex var-folders2-relative-regex)\n"
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
  "\n"
  "    (define (appdir-regex appdir-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
  "    (define (appdir-subpath appdir-relative-subpath)\n"
  "      (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
  "    (define (appdir-literal appdir-relative-literal)\n"
  "      (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
   "\n"
   "\n"
</pre>
</pre>
|| Text substitution macros for dealing with paths.
|| Text substitution macros for dealing with paths.
|-
|- id=aar_sharedprefs
|
|
[[#aar_sharedprefs|link]]
<pre  style="border:none;">
<pre  style="border:none;">
   "    (define (allow-shared-preferences-read domain)\n"
   "    (define (allow-shared-preferences-read domain)\n"
Line 251: Line 246:
</pre>
</pre>
|| Macros for dealing with some form of OS X preferences. TBD.
|| Macros for dealing with some form of OS X preferences. TBD.
|-
|- id=aar_posixshm
|
<pre  style="border:none;">
 
  "    (allow file-read-metadata)\n"
</pre>
|| Allows reading file meta-data for all files/dirs the user has permission to read.
|-
|
|
[[#aar_posixshm|link]]
<pre  style="border:none;">
<pre  style="border:none;">
   "\n"
   "\n"
Line 268: Line 257:
</pre>
</pre>
|| Access via IPC shared memory to services with names matching these regexes? TBD
|| Access via IPC shared memory to services with names matching these regexes? TBD
|-
|- id=aar_paths4
|
|
[[#aar_paths4|link]]
<pre style="border:none;">
<pre style="border:none;">
   "\n"
   "\n"
Line 280: Line 270:
</pre>
</pre>
|| Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?
|| Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?
|-
|- id=aar_signalself
|<pre style="border:none;">
|
[[#aar_signalself|link]]
<pre style="border:none;">
   "    (allow signal (target self))\n"
   "    (allow signal (target self))\n"
</pre>
</pre>
||
||
Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.
Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.
|-
|- id=aar_jobcreationdal
|<pre style="border:none;">
|
[[#aar_jobcreationdal|link]]
<pre style="border:none;">
   "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
   "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
</pre>
</pre>
||
||
This might be related to using the camera.
This might be related to using the camera.
|-
|- id=aar_audioctrl
|<pre style="border:none;">
|
[[#aar_audioctrl|link]]
<pre style="border:none;">
   "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
   "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
</pre>
</pre>
||
||
Setting sound volume?
Setting sound volume?
|-
|- id=aar_appleglobalcom2
|<pre style="border:none;">
|
[[#aar_appleglobalcom2|link]]
<pre style="border:none;">
   "    (allow mach-lookup\n"
   "    (allow mach-lookup\n"
   "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
   "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
Line 320: Line 318:
   "        (global-name \"com.apple.ocspd\")\n"
   "        (global-name \"com.apple.ocspd\")\n"
   "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
   "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
   "        (global-name \"com.apple.DesktopServicesHelper\")\n"
   "        (global-name \"com.apple.DesktopServicesHelper\"))\n"
  "        (global-name \"com.apple.printtool.daemon\"))\n"
</pre>
</pre>
||
||
Access to more undocumented OS X facilities.
Access to more undocumented OS X facilities.
|-
|- id=aar_iokituserclient
|
|
[[#aar_iokituserclient|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow iokit-open\n"
   "    (allow iokit-open\n"
Line 347: Line 345:
||
||
Sound like this is for accessing various kernel driver provided functionality.
Sound like this is for accessing various kernel driver provided functionality.
|-
|- id=aar_hitoolbox
|
|
[[#aar_hitoolbox|link]]
<pre style="border:none;">
<pre style="border:none;">
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
Line 356: Line 355:
||
||
HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.<br>Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.
HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.<br>Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.
|-
|- id=aar_comappleats
|
|
[[#aar_comappleats|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
   "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
Line 363: Line 363:
||
||
Possibly font-related.
Possibly font-related.
|-
|- id=aar_globalprefs
|
|
[[#aar_globalprefs|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
   "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
Line 370: Line 371:
||
||
Contains some details about time zone, city, language, display devices.
Contains some details about time zone, city, language, display devices.
|-
|- id=aar_syspaths5
|
|
[[#aar_syspaths5|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow file-read*\n"
   "    (allow file-read*\n"
Line 378: Line 380:
   "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
   "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
   "        (subpath \"/Library/Spelling\")\n"
   "        (subpath \"/Library/Spelling\")\n"
  "        (subpath \"/private/etc/cups/ppd\")\n"
  "        (subpath \"/private/var/run/cupsd\")\n"
   "        (literal \"/\")\n"
   "        (literal \"/\")\n"
   "        (literal \"/private/tmp\")\n"
   "        (literal \"/private/tmp\")\n"
Line 386: Line 386:
||
||
Filesystem read access to some system directories.
Filesystem read access to some system directories.
|-
|- id=aar_cfuser
|
|
[[#aar_cfuser|link]]
<pre style="border:none;">
<pre style="border:none;">
   "        (home-literal \"/.CFUserTextEncoding\")\n"
   "        (home-literal \"/.CFUserTextEncoding\")\n"
Line 393: Line 394:
||
||
Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)
Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)
|-
|- id=aar_homepaths1
|
|
[[#aar_homepaths1|link]]
<pre style="border:none;">
<pre style="border:none;">
   "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
   "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
Line 402: Line 404:
   "        (home-subpath \"/Library/Keyboard Layouts\")\n"
   "        (home-subpath \"/Library/Keyboard Layouts\")\n"
   "        (home-subpath \"/Library/Input Methods\")\n"
   "        (home-subpath \"/Library/Input Methods\")\n"
  "        (home-subpath \"/Library/PDF Services\")\n"
   "        (home-subpath \"/Library/Spelling\")\n"
   "        (home-subpath \"/Library/Spelling\")\n"
</pre>
</pre>
|| Filesystem read access to these ~/Library subdirectories.
|| Filesystem read access to these ~/Library subdirectories.
|-
|- id=aar_appdir
|
|
[[#aar_appdir|link]]
<pre style="border:none;">
<pre style="border:none;">
   "        (subpath appdir-path)\n"
   "        (subpath appdir-path)\n"
Line 414: Line 416:
Read access to part of the application bundle:<br>
Read access to part of the application bundle:<br>
/.../NightlyDebug.app/Contents/Resources/browser
/.../NightlyDebug.app/Contents/Resources/browser
|-
|- id=aar_apppath
|
|
[[#aar_apppath|link]]
<pre style="border:none;">
<pre style="border:none;">
   "        (literal appPath)\n"
   "        (literal appPath)\n"
Line 425: Line 428:
and the executable contained in it<br>
and the executable contained in it<br>
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
|-
|- id=aar_plugincontainer_pref
|
|
[[#aar_plugincontainer_pref|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
   "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
</pre>
</pre>
|| Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.  
|| Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.  
|-
|- id=aar_miccam
|
|
[[#aar_miccam|link]]
<pre style="border:none;">
<pre style="border:none;">
   "; the following 2 rules should be removed when microphone and camera access\n"
   "; the following 2 rules should be removed when microphone and camera access\n"
Line 440: Line 445:
</pre>
</pre>
|| Camera and mic access.
|| Camera and mic access.
|-
|- id=aar_intldata
|  
|  
[[#aar_intldata|link]]
<pre style="border:none;">
<pre style="border:none;">
   "\n"
   "\n"
Line 447: Line 453:
</pre>
</pre>
|| Read and write access to<br>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le<br>This file not prevent on my 10.11 system.
|| Read and write access to<br>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le<br>This file not prevent on my 10.11 system.
|-
|- id=aar_icon
|
|
[[#aar_icon|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow file-read*\n"
   "    (allow file-read*\n"
Line 460: Line 467:
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)<br>
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)<br>
Not found on my 10.11 system.
Not found on my 10.11 system.
|-
|- id=aar_chromregex
|
|
[[#aar_chromregex|link]]
<pre style="border:none;">
<pre style="border:none;">
   "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
   "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
Line 469: Line 477:
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
Not found on my 10.11 system.
Not found on my 10.11 system.
|-
 
 
|- id=aar_lib_ext
|
|
[[#aar_lib_ext|link]]
<pre style="border:none;">
<pre style="border:none;">
   "   (allow file-read*\n"
   "; Per-user and system-wide Extensions dir\n"
   "       (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "  (allow file-read*\n"
   "       (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
   "     (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n"
   "     (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n"
  "\n"
</pre>
</pre>
||
||
Read access to  
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
~/Library/Application Support/[^/]+/Extensions/[^/]<br>
 
~/Library/Application Support/Firefox/Profiles/[^/]+/extensions/<br>
 
~/Library/Application Support/Firefox/Profiles/[^/]+/weave/<br>
|- id=level1_fs_rules
/Library/Application Support/[^/]+/Extension/[^/]/<br>
If these are still needed, the ~/Library rules could be improved to use the specific profile dir, not a regex that matches any of the profiles in the Profiles dir.
|-
|
|
[[#level1_fs_rules|link]]
<pre style="border:none;">
<pre style="border:none;">
   "; the following rules should be removed when printing and \n"
   "; The following rules impose file access restrictions which get\n"
   "; opening a file from disk are brokered through the main process\n"
   "; more restrictive in higher levels. When file-origin-specific\n"
  "    (if\n"
   "; content processes are used for file:// origin browsing, the\n"
  "      (< sandbox-level 2)\n"
   "; global file-read* permission should be removed from each level.\n"
   "     (allow file*\n"
  "          (require-not\n"
  "              (home-subpath \"/Library\")))\n"
   "     (allow file*\n"
  "          (require-all\n"
  "              (subpath home-path)\n"
  "              (require-not\n"
  "                  (home-subpath \"/Library\")))))\n"
   "\n"
   "\n"
  "; level 1: global read access permitted, no home write access\n"
  "  (if (= sandbox-level 1)\n"
  "    (begin\n"
  "      (allow file-read*)\n"
  "      (allow file-write* (require-not (subpath home-path)))))\n"
</pre>
</pre>
|| File read and write access for $HOME sans ~/Library. We need write access for printing. We need read access to allow user to read files from $HOME. i.e., file:// resources.
|| Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.
|-
|- id=level2_fs_rules
| <pre style="border:none;">
|
   "; printing\n"
[[#level2_fs_rules|link]]
   "   (allow authorization-right-obtain\n"
<pre style="border:none;">
   "           (right-name \"system.print.operator\")\n"
   "; level 2: global read access permitted, no home write access,\n"
   "           (right-name \"system.printingmanager\"))\n"
   ";          no read/write access to ~/Library,\n"
   "   (allow mach-lookup\n"
   ";          no read/write access to $PROFILE,\n"
  "          (global-name \"com.apple.printuitool.agent\")\n"
   ";          read access permitted to $PROFILE/{extensions,weave}\n"
   "           (global-name \"com.apple.printtool.agent\")\n"
   " (if (= sandbox-level 2)\n"
   "           (global-name \"com.apple.printtool.daemon\")\n"
   "   (if (not (zero? hasProfileDir))\n"
   "           (global-name \"com.apple.sharingd\")\n"
   "     ; we have a profile dir\n"
   "           (global-name \"com.apple.metadata.mds\")\n"
   "     (begin\n"
  "          (global-name \"com.apple.mtmd.xpc\")\n"
   "       (allow file-read* (require-all\n"
   "           (global-name \"com.apple.FSEvents\")\n"
   "             (require-not (home-subpath \"/Library\"))\n"
  "          (global-name \"com.apple.locum\")\n"
   "             (require-not (subpath profileDir))))\n"
   "           (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n"
   "       (allow file-write* (require-all\n"
   "   (allow file-read*\n"
   "             (require-not (subpath home-path))\n"
   "           (home-literal \"/.cups/lpoptions\")\n"
   "             (require-not (subpath profileDir))))\n"
   "           (home-literal \"/.cups/client.conf\")\n"
   "       (allow file-read*\n"
   "           (literal \"/private/etc/cups/lpoptions\")\n"
   "             (profile-subpath \"/extensions\")\n"
   "           (literal \"/private/etc/cups/client.conf\")\n"
   "             (profile-subpath \"/weave\")))\n"
   "           (subpath \"/private/etc/cups/ppd\")\n"
   "     ; we don't have a profile dir\n"
   "           (literal \"/private/var/run/cupsd\"))\n"
   "     (begin\n"
   "   (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n"
   "       (allow file-read*\n"
   "   (allow-shared-preferences-read \"com.apple.finder\")\n"
   "             (require-not (home-subpath \"/Library\")))\n"
   "   (allow-shared-preferences-read \"com.apple.LaunchServices\")\n"
   "       (allow file-write* (require-all\n"
   "   (allow-shared-preferences-read \".GlobalPreferences\")\n"
   "             (require-not (subpath home-path)))))))\n"
   "   (allow network-outbound\n"
  "        (literal \"/private/var/run/cupsd\")\n"
  "        (literal \"/private/var/run/mDNSResponder\"))\n"
  "\n"
 
</pre>
</pre>
|| Printing
|| Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.
|-
|- id=aar_printpreview
| <pre style="border:none;">
|
  "; print preview\n"
[[#aar_printpreview|link]]
  "    (if (> macosMinorVersion 9)\n"
<pre style="border:none;">
  "        (allow lsopen))\n"
  "    (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n"
  "    (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n"
  "    (allow mach-task-name)\n"
  "    (allow mach-register)\n"
  "    (allow file-read-data\n"
  "        (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n"
  "        (subpath \"/Library/PDF Services\")\n"
  "        (subpath \"/Applications/Preview.app\")\n"
  "        (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n"
  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.pbs.fetch_services\")\n"
  "        (global-name \"com.apple.tsm.uiserver\")\n"
  "        (global-name \"com.apple.ls.boxd\")\n"
  "        (global-name \"com.apple.coreservices.quarantine-resolver\")\n"
  "        (global-name-regex \"_OpenStep$\"))\n"
  "    (allow appleevent-send\n"
  "        (appleevent-destination \"com.apple.preview\")\n"
  "        (appleevent-destination \"com.apple.imagecaptureextension2\"))\n"
</pre>
|| Print preview
|-
| <pre style="border:none;">
   "\n"
   "\n"
   "; accelerated graphics\n"
   "; accelerated graphics\n"
Line 588: Line 564:
</pre>
</pre>
|| Graphics
|| Graphics
|-
|- id=aar_tempitems
| <pre style="border:none;">
|
  "\n"
[[#aar_tempitems|link]]
  "; bug 1190032\n"
<pre style="border:none;">
  "    (allow file*\n"
  "        (home-regex \"/Library/Caches/TemporaryItems/plugtmp.*\"))\n"
</pre>
|| Read and write access to anything matching ~/Library/Caches/TemporaryItems/plugtmp.*
|-
| <pre style="border:none;">
   "\n"
   "\n"
   "; bug 1201935\n"
   "; bug 1201935\n"
Line 605: Line 575:
</pre>
</pre>
|| Read-only access to anything in ~/Library/Caches/TemporaryItems
|| Read-only access to anything in ~/Library/Caches/TemporaryItems
|-
|- id=aar_apptempdir
| <pre style="border:none;">
|
[[#aar_apptempdir|link]]
<pre style="border:none;">
   "; bug 1237847\n"
   "; bug 1237847\n"
   "    (allow file-read*\n"
   "    (allow file-read*\n"

Latest revision as of 17:47, 16 November 2017

References

References
1

Apple's Sandbox Guide v1.0 13-09-2011
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf

Glossary

References
~

Refers to the full path to the home directory of the user. On OS X this is /Users/<username>.

[^/]+

This is used in some of the regular expressions. [^/] matches a single character that is not a '/'. [^/]+ Matches 1 or more non-slash characters.

Notes

  1. An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
  2. Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.

Annotated Rules (WARNING: Outdated)

  1. The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in SandboxPolicies.h.
Rule Description

link

static const char contentSandboxRules[] =
link
(version 1)
References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".

link

(define sandbox-level %d)
(define macosMinorVersion %d)
(define appPath \"%s\")
(define appBinaryPath \"%s\")
(define appDir \"%s\")
(define appTempDir \"%s\")
(define home-path \"%s\")
  • sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
  • macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
  • appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
  • home-path: this is used so the ruleset can generate home-relative rules for ~/Library, ~/.cups (printing) and ~/.CFUserTextEncoding (stores the default text encoding and preferred language for the user.)

These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.

link

Example output of the above macros after running a Nightly build. Paths abbreviated with "...".

(define sandbox-level 1)
(define macosMinorVersion 11)
(define appPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app")
(define appBinaryPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
(define appDir "/.../NightlyDebug.app/Contents/Resources/browser")
(define appTempDir "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}")
(define home-path "/Users/<USERNAME>")

link

; Allow read access to standard system paths.
(allow file-read*
       (require-all (file-mode #o0004)
                    (require-any (subpath "/Library/Filesystems/NetFSPlugins")
                                 (subpath "/System")
                                 (subpath "/private/var/db/dyld")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/share"))))

Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.

link

(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var")
       (literal "/private/etc/localtime"))

Allow reading of metadata of these directories.

link

; Allow access to standard special files.
(allow file-read*
       (literal "/dev/autofs_nowait")
       (literal "/dev/random")
       (literal "/dev/urandom")

/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)

link

(allow file-read*
       file-write-data
       (literal "/dev/null")
       (literal "/dev/zero"))

Wondering if we need write access to these.

link

(allow file-read*
       file-write-data
       file-ioctl
       (literal "/dev/dtracehelper"))

Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.

link

(allow mach-lookup
       (global-name "com.apple.appsleep")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.cfprefsd.agent")
       (global-name "com.apple.cfprefsd.daemon")
       (global-name "com.apple.diagnosticd")
       (global-name "com.apple.espd")
       (global-name "com.apple.secinitd")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center")
       (global-name "com.apple.system.opendirectoryd.libinfo")
       (global-name "com.apple.system.opendirectoryd.membership")
       (global-name "com.apple.trustd")
       (global-name "com.apple.trustd.agent")
       (global-name "com.apple.xpc.activity.unmanaged")
       (global-name "com.apple.xpcd")
       (local-name "com.apple.cfprefsd.agent"))

Miscellaneous undocumented services.

link

; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
(allow sysctl-read)

A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.

link

  "  (begin\n"
  "    (deny default)\n"

By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.

link

  "    (debug deny)\n"
  "\n"

For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".

link

  "    (define resolving-literal literal)\n"
  "    (define resolving-subpath subpath)\n"
  "    (define resolving-regex regex)\n"

Shortcut macros.

link

  "    (define container-path appPath)\n"
  "    (define appdir-path appDir)\n"
  "    (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
  "    (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
  "\n"
  "    (define (home-regex home-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
  "    (define (home-subpath home-relative-subpath)\n"
  "      (resolving-subpath (string-append home-path home-relative-subpath)))\n"
  "    (define (home-literal home-relative-literal)\n"
  "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (var-folders-regex var-folders-relative-regex)\n"
  "      (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
  "    (define (var-folders2-regex var-folders2-relative-regex)\n"
  "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
  "\n"
Text substitution macros for dealing with paths.

link

  "    (define (allow-shared-preferences-read domain)\n"
  "          (begin\n"
  "            (if (defined? `user-preference-read)\n"
  "              (allow user-preference-read (preference-domain domain)))\n"
  "            (allow file-read*\n"
  "                   (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
  "                   (home-regex (string-append \"/Library/Preferences/ByHost/\"
                              (regex-quote domain) \"\\..*\\.plist$\")))\n"
  "            ))\n"
  "\n"
  "    (define (allow-shared-list domain)\n"
  "      (allow file-read*\n"
  "             (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
  "\n"
Macros for dealing with some form of OS X preferences. TBD.

link

  "\n"
  "    (allow ipc-posix-shm\n"
  "        (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
  "        (ipc-posix-name-regex \"^CFPBS:\")\n"
  "        (ipc-posix-name-regex \"^AudioIO\"))\n"
Access via IPC shared memory to services with names matching these regexes? TBD

link

  "\n"
  "    (allow file-read-metadata\n"
  "        (literal \"/home\")\n"
  "        (literal \"/net\")\n"
  "        (regex \"^/private/tmp/KSInstallAction\\.\")\n"
  "        (var-folders-regex \"/\")\n"
  "        (home-subpath \"/Library\"))\n"
Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?

link

  "    (allow signal (target self))\n"

Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.

link

  "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"

This might be related to using the camera.

link

  "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"

Setting sound volume?

link

  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
  "        (global-name \"com.apple.coreservices.appleevents\")\n"
  "        (global-name \"com.apple.pasteboard.1\")\n"
  "        (global-name \"com.apple.window_proxies\")\n"
  "        (global-name \"com.apple.windowserver.active\")\n"
  "        (global-name \"com.apple.audio.coreaudiod\")\n"
  "        (global-name \"com.apple.audio.audiohald\")\n"
  "        (global-name \"com.apple.PowerManagement.control\")\n"
  "        (global-name \"com.apple.cmio.VDCAssistant\")\n"
  "        (global-name \"com.apple.SystemConfiguration.configd\")\n"
  "        (global-name \"com.apple.iconservices\")\n"
  "        (global-name \"com.apple.cookied\")\n"
  "        (global-name \"com.apple.printuitool.agent\")\n"
  "        (global-name \"com.apple.printtool.agent\")\n"
  "        (global-name \"com.apple.cache_delete\")\n"
  "        (global-name \"com.apple.pluginkit.pkd\")\n"
  "        (global-name \"com.apple.bird\")\n"
  "        (global-name \"com.apple.ocspd\")\n"
  "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
  "        (global-name \"com.apple.DesktopServicesHelper\"))\n"

Access to more undocumented OS X facilities.

link

  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioControlUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelDevice\")\n"
  "        (iokit-user-client-class \"nvDevice\")\n"
  "        (iokit-user-client-class \"nvSharedUserClient\")\n"
  "        (iokit-user-client-class \"nvFermiGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
  "        (iokit-user-client-class \"RootDomainUserClient\")\n"
  "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
  "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"

Sound like this is for accessing various kernel driver provided functionality.

link

  "; depending on systems, the 1st, 2nd or both rules are necessary\n"
  "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
  "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"

HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.
Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.

link

  "    (allow-shared-preferences-read \"com.apple.ATS\")\n"

Possibly font-related.

link

  "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"

Contains some details about time zone, city, language, display devices.

link

  "    (allow file-read*\n"
  "        (subpath \"/Library/Fonts\")\n"
  "        (subpath \"/Library/Audio/Plug-Ins\")\n"
  "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
  "        (subpath \"/Library/Spelling\")\n"
  "        (literal \"/\")\n"
  "        (literal \"/private/tmp\")\n"
  "        (literal \"/private/var/tmp\")\n"

Filesystem read access to some system directories.

link

  "        (home-literal \"/.CFUserTextEncoding\")\n"

Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)

link

  "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
  "        (home-subpath \"/Library/Colors\")\n"
  "        (home-subpath \"/Library/Fonts\")\n"
  "        (home-subpath \"/Library/FontCollections\")\n"
  "        (home-subpath \"/Library/Keyboard Layouts\")\n"
  "        (home-subpath \"/Library/Input Methods\")\n"
  "        (home-subpath \"/Library/Spelling\")\n"
Filesystem read access to these ~/Library subdirectories.

link

  "        (subpath appdir-path)\n"

Read access to part of the application bundle:
/.../NightlyDebug.app/Contents/Resources/browser

link

  "        (literal appPath)\n"
  "        (literal appBinaryPath))\n"

Read access to plugin-container .app:
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app
and the executable contained in it
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container

link

  "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.

link

  "; the following 2 rules should be removed when microphone and camera access\n"
  "; are brokered through the content process\n"
  "    (allow device-microphone)\n"
  "    (allow device-camera)\n"
Camera and mic access.

link

  "\n"
  "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
Read and write access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le
This file not prevent on my 10.11 system.

link

  "    (allow file-read*\n"
  "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
  "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"

Read access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices
and
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)
Not found on my 10.11 system.

link

  "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"

Write access to
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*
Not found on my 10.11 system.


link

  "; Per-user and system-wide Extensions dir\n"
  "  (allow file-read*\n"
  "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"

See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.


link

  "; The following rules impose file access restrictions which get\n"
  "; more restrictive in higher levels. When file-origin-specific\n"
  "; content processes are used for file:// origin browsing, the\n"
  "; global file-read* permission should be removed from each level.\n"
  "\n"
  "; level 1: global read access permitted, no home write access\n"
  "  (if (= sandbox-level 1)\n"
  "    (begin\n"
  "      (allow file-read*)\n"
  "      (allow file-write* (require-not (subpath home-path)))))\n"
Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.

link

  "; level 2: global read access permitted, no home write access,\n"
  ";          no read/write access to ~/Library,\n"
  ";          no read/write access to $PROFILE,\n"
  ";          read access permitted to $PROFILE/{extensions,weave}\n"
  "  (if (= sandbox-level 2)\n"
  "    (if (not (zero? hasProfileDir))\n"
  "      ; we have a profile dir\n"
  "      (begin\n"
  "        (allow file-read* (require-all\n"
  "              (require-not (home-subpath \"/Library\"))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-read*\n"
  "              (profile-subpath \"/extensions\")\n"
  "              (profile-subpath \"/weave\")))\n"
  "      ; we don't have a profile dir\n"
  "      (begin\n"
  "        (allow file-read*\n"
  "              (require-not (home-subpath \"/Library\")))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path)))))))\n"
Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.

link

  "\n"
  "; accelerated graphics\n"
  "    (allow-shared-preferences-read \"com.apple.opengl\")\n"
  "    (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.cvmsServ\"))\n"
  "    (allow iokit-open\n"
  "        (iokit-connection \"IOAccelerator\")\n"
  "        (iokit-user-client-class \"IOAccelerationUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceSendRight\")\n"
  "        (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
  "        (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
  "        (iokit-user-client-class \"AGPMClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
  "\n"
  "; bug 1153809\n"
  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"NVDVDContextTesla\")\n"
  "        (iokit-user-client-class \"Gen6DVDContext\"))\n"
Graphics

link

  "\n"
  "; bug 1201935\n"
  "    (allow file-read*\n"
  "        (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
  "\n"
Read-only access to anything in ~/Library/Caches/TemporaryItems

link

  "; bug 1237847\n"
  "    (allow file-read*\n"
  "        (home-subpath appTempDir))\n"
  "    (allow file-write*\n"
  "        (home-subpath appTempDir))\n"
  "  )\n"
  ")\n";

Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.