MozillaWiki

Sandbox/OS X Rule Set: Difference between revisions

< Sandbox
(Update dtrace section)
(Removing content no longer useful)
 
(9 intermediate revisions by the same user not shown)
Line 9: Line 9:
Apple's Sandbox Guide v1.0 13-09-2011 <br>
Apple's Sandbox Guide v1.0 13-09-2011 <br>
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
|-
| 2
||
Sandbox setup in the source: see usage of the variable 'contentSandboxRules' and the call to StartMacSandbox() in Sandbox.mm:<br>
https://dxr.mozilla.org/mozilla-central/source/security/sandbox/mac/Sandbox.mm#148
|}
|}


Line 33: Line 28:
= Notes =  
= Notes =  


# One of the confusing things about the Mac file-system related rules is the redundancy.<br>The rules use the "(default deny)" directive which means that unless an access is explicitly allowed, it should be denied. Then, interspersed throughout the ruleset we have several filesystem rules to allow read access to specific locations on the system. Later we have a general rule that allows access to '''anything on the system that is not in ~/Library''' (i.e., access to ~/Library is blocked with some exceptions) making many of the specific rules redundant. Read/write access to ~ is needed for now (see [[Deny Filesystem Access]] for an explanation). Once we can remove read/write access to ~ from the rules, we'll eliminate the redundancy. Lastly we have rules allowing access to specific directories in ~/Library. Bug 1083344 "Tighten rules for Mac OS content process sandbox on 10.9 and 10.10" documents how this came to be -- not allowing access to ~ broke too many things.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
# Because of the redundancy, we could remove most filesystem rules and replace them with rules that equate to (allow everything, but don't allow ~/Library except for a few subdirectories in ~/Library).
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
# Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.


= Annotated Rules =
= Annotated Rules (WARNING: Outdated) =
 
# The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in [https://hg.mozilla.org/mozilla-central/file/tip/security/sandbox/mac/SandboxPolicies.h SandboxPolicies.h].


{| class="wikitable"
{| class="wikitable"
Line 64: Line 59:
(define home-path \"%s\")</pre>
(define home-path \"%s\")</pre>


* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used. The level value is only used once in the rules:
* sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
 
  (if (< sandbox-level 2)
    (allow file* (require-not (home-subpath \"/Library\")))
  ;else
    (allow file* (require-all (subpath home-path) (require-not (home-subpath \"/Library\")))))
 
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
* appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
Line 229: Line 218:
   "    (define (home-literal home-relative-literal)\n"
   "    (define (home-literal home-relative-literal)\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
   "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (container-regex container-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
  "    (define (container-subpath container-relative-subpath)\n"
  "      (resolving-subpath (string-append container-path container-relative-subpath)))\n"
  "    (define (container-literal container-relative-literal)\n"
  "      (resolving-literal (string-append container-path container-relative-literal)))\n"
   "\n"
   "\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
   "    (define (var-folders-regex var-folders-relative-regex)\n"
Line 241: Line 223:
   "    (define (var-folders2-regex var-folders2-relative-regex)\n"
   "    (define (var-folders2-regex var-folders2-relative-regex)\n"
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
   "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
  "\n"
  "    (define (appdir-regex appdir-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
  "    (define (appdir-subpath appdir-relative-subpath)\n"
  "      (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
  "    (define (appdir-literal appdir-relative-literal)\n"
  "      (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
   "\n"
   "\n"
</pre>
</pre>
Line 271: Line 246:
</pre>
</pre>
|| Macros for dealing with some form of OS X preferences. TBD.
|| Macros for dealing with some form of OS X preferences. TBD.
|- id=aar_readall
|
[[#aar_readall|link]]
<pre  style="border:none;">
  "    (allow file-read-metadata)\n"
</pre>
|| Allows reading file meta-data for all files/dirs the user has permission to read.
|- id=aar_posixshm
|- id=aar_posixshm
|
|
Line 510: Line 477:
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br>
Not found on my 10.11 system.
Not found on my 10.11 system.
|- id=aar_lib_ext
|- id=aar_lib_ext
|
|
Line 521: Line 490:
||
||
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.
|- id=aar_lib_profile
 
 
|- id=level1_fs_rules
|
|
[[#aar_lib_profile|link]]
[[#level1_fs_rules|link]]
<pre style="border:none;">
<pre style="border:none;">
   "; Profile subdirectories\n"
   "; The following rules impose file access restrictions which get\n"
   " (if (not (zero? hasProfileDir)) (allow file-read*\n"
  "; more restrictive in higher levels. When file-origin-specific\n"
   "     (profile-subpath \"/extensions\")\n"
  "; content processes are used for file:// origin browsing, the\n"
   "      (profile-subpath \"/weave\")))\n"
   "; global file-read* permission should be removed from each level.\n"
  "\n"
  "; level 1: global read access permitted, no home write access\n"
   " (if (= sandbox-level 1)\n"
  "   (begin\n"
  "      (allow file-read*)\n"
   "      (allow file-write* (require-not (subpath home-path)))))\n"
</pre>
</pre>
||
|| Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.
These allow access to the extensions and weave subdirectories within the current profile. Read and write access to the profile director is blocked (in other rules). Bug 1295700 was filed to address removing access to sensitive weave sync data.
|- id=level2_fs_rules
|- id=aar_home_lib
|
|
[[#aar_home_lib|link]]
[[#level2_fs_rules|link]]
<pre style="border:none;">
<pre style="border:none;">
   "; the following rules should be removed when printing and\n"
   "; level 2: global read access permitted, no home write access,\n"
   "; opening a file from disk are brokered through the main process\n"
   ";         no read/write access to ~/Library,\n"
   "  (if (< sandbox-level 2)\n"
  ";          no read/write access to $PROFILE,\n"
  ";          read access permitted to $PROFILE/{extensions,weave}\n"
   "  (if (= sandbox-level 2)\n"
   "    (if (not (zero? hasProfileDir))\n"
   "    (if (not (zero? hasProfileDir))\n"
   "      (allow file*\n"
  "      ; we have a profile dir\n"
   "         (require-all\n"
   "      (begin\n"
   "       (allow file-read* (require-all\n"
   "              (require-not (home-subpath \"/Library\"))\n"
   "              (require-not (home-subpath \"/Library\"))\n"
   "              (require-not (subpath profileDir))))\n"
   "              (require-not (subpath profileDir))))\n"
   "     (allow file*\n"
   "       (allow file-write* (require-all\n"
   "         (require-not (home-subpath \"/Library\"))))\n"
   "             (require-not (subpath home-path))\n"
   "   (allow file*\n"
  "             (require-not (subpath profileDir))))\n"
   "       (require-all\n"
   "       (allow file-read*\n"
   "           (subpath home-path)\n"
   "             (profile-subpath \"/extensions\")\n"
   "           (require-not\n"
   "             (profile-subpath \"/weave\")))\n"
   "               (home-subpath \"/Library\")))))\n"
   "     ; we don't have a profile dir\n"
  "      (begin\n"
  "        (allow file-read*\n"
   "             (require-not (home-subpath \"/Library\")))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path)))))))\n"
</pre>
</pre>
|| File read and write access for $HOME excluding ~/Library and the current profile directory. We need write access for printing. We need read access to allow user to read files from $HOME. i.e., file:// resources.
|| Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.
|- id=aar_printpreview
|- id=aar_printpreview
|
|
Line 605: Line 589:
||
||
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
|}
= How security.sandbox.content.level Affects File Access (Planned) =
=='''This section is in progress'''==
{| class="wikitable"
|-
! Release !! Content Sandbox Level
|-
| Nightly(52) || 2
|-
| Aurora, Beta, Release || 0
|}
{| class="wikitable"
|-
! Access Type !! Meaning
|-
| R || Reading access to the file at this path or the directory and possibly all subpaths and directories
|-
| W || Write access to the file at this path or the directory and possibly all subpaths and directories
|-
| read metadata || Reading access to the file metadata only. Applies to this path or directory and possibly all subpaths and
|}
{| class="wikitable sortable"
|-
! Blocked at Sandbox Level !! Access Type !! Are Subpaths Included? !! Path
|-
| 1 || W || yes || <HOME DIR>
|-
| 1 || W || yes || <PROFILE DIR>
|-
| 2 || R || yes || <HOME DIR>/Library
|-
| 2 || R || yes || <PROFILE DIR>
|-
| 3 || R || yes || <PROFILE DIR>/extensions
|-
| 3 || R || yes || <PROFILE DIR>/weave
|-
| 3 || R || yes || <HOME DIR> and anywhere accessible by user by default
|-
| 99 || W || no || /dev/null
|-
| 99 || R || no || /dev/null
|-
| 99 || W || no || /dev/zero
|-
| 99 || R || no || /dev/zero
|-
| 99 || W || no || /dev/dtracehelper
|-
| 99 || R || no || /dev/dtracehelper
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le</nowiki>
|-
| 99 || W || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices</nowiki>
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le</nowiki>
|-
| 99 || R || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]/[^/]+.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\</nowiki>
|-
| 99 || W || no || <nowiki>/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*</nowiki>
|-
| 99 || W || no || ~/Library/Caches/TemporaryItems/Temp-{UUID} (Content Temp Dir)
|-
| 99 || R || no || ~/Library/Caches/TemporaryItems/Temp-{UUID} (Content Temp Dir)
|-
| 99 || R || no || /dev/autofs_nowait
|-
| 99 || R || no || /dev/random
|-
| 99 || R || no || /dev/urandom
|-
| 99 || R || no || /
|-
| 99 || R || no || /private/tmp
|-
| 99 || R || no || /private/var/tmp
|-
| 99 || R || no || <HOME DIR>/.CFUserTextEncoding
|-
| 99 || R || no || <HOME DIR>/Library/Preferences/com.apple.DownloadAssessment.plist
|-
| 99 || R || no || <HOME DIR>/Library/Preferences/.../...plist
|-
| 99 || R || yes || <HOME DIR>/Library/Colors
|-
| 99 || R || yes || <HOME DIR>/Library/Fonts
|-
| 99 || R || yes || <HOME DIR>/Library/FontCollections
|-
| 99 || R || yes || <HOME DIR>/Library/Keyboard Layouts
|-
| 99 || R || yes || <HOME DIR>/Library/Input Methods
|-
| 99 || R || yes || <HOME DIR>/Library/Spelling
|-
| 99 || R || yes || /Library/Filesystems/NetFSPlugins
|-
| 99 || R || yes || /System
|-
| 99 || R || yes || /private/var/db/dyld
|-
| 99 || R || yes || /usr/lib
|-
| 99 || R || yes || /usr/share
|-
| 99 || R || no || /Library/Preferences/com.apple.HIToolbox.plist
|-
| 99 || R || no || /Library/Preferences/.GlobalPreferences.plist
|-
| 99 || R || yes || /Library/Fonts
|-
| 99 || R || yes || /Library/Audio/Plug-Ins
|-
| 99 || R || yes || /Library/CoreMediaIO/Plug-Ins/DAL
|-
| 99 || R || yes || /Library/Spelling
|-
| 99 || R || yes || <INSTALL DIR>/Firefox.app/Contents/Resources/browser
|-
| 99 || R || no  || <INSTALL DIR>/Firefox.app/Contents/MacOS/plugin-container.app
|-
| 99 || R || no  || <INSTALL DIR>/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
|-
| 99 || R || yes || <HOME DIR>/Library/Application Support/[^/]+/Extensions/[^/]/
|-
| 99 || R || yes || /Library/Application Support/[^/]+/Extensions/[^/]/
|-
| 99 || R || yes || <HOME DIR>/Library/Caches/TemporaryItems
|-
| 99 || read metadata || no || /etc
|-
| 99  || read metadata || no || /tmp
|-
| 99  || read metadata || no || /var
|-
| 99  || read metadata || no || /private/etc/localtime
|-
| 99  || read metadata || no || *
|-
| 99  || read metadata || no || /home
|-
| 99  || read metadata || no || /net
|-
| 99  || read metadata || no || /private/tmp/KSInstallAction.*
|-
| 99 || read metadata || no || /private/var/folders/[^/][^/].*
|-
| 99 || read metadata || no || <HOME DIR>/Library
|-
|}
|}

Latest revision as of 17:47, 16 November 2017

References

References
1

Apple's Sandbox Guide v1.0 13-09-2011
http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf

Glossary

References
~

Refers to the full path to the home directory of the user. On OS X this is /Users/<username>.

[^/]+

This is used in some of the regular expressions. [^/] matches a single character that is not a '/'. [^/]+ Matches 1 or more non-slash characters.

Notes

  1. An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.
  2. Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.

Annotated Rules (WARNING: Outdated)

  1. The table below is not kept up-to-date. Refer to the source code to learn more about the sandbox rules. The Mac policies can be found in SandboxPolicies.h.
Rule Description

link 

static const char contentSandboxRules[] =
link 
(version 1)
 References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version".

link 

(define sandbox-level %d)
(define macosMinorVersion %d)
(define appPath \"%s\")
(define appBinaryPath \"%s\")
(define appDir \"%s\")
(define appTempDir \"%s\")
(define home-path \"%s\")
  • sandbox-level: this is the value of security.sandbox.content.level when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
  • macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
  • appTempDir: this is the temp directory for content processes that we create and cleanup in the parent, see bug 1252207 and bug 1237847.
  • home-path: this is used so the ruleset can generate home-relative rules for ~/Library, ~/.cups (printing) and ~/.CFUserTextEncoding (stores the default text encoding and preferred language for the user.)

These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.

link

Example output of the above macros after running a Nightly build. Paths abbreviated with "...". 

(define sandbox-level 1)
(define macosMinorVersion 11)
(define appPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app")
(define appBinaryPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
(define appDir "/.../NightlyDebug.app/Contents/Resources/browser")
(define appTempDir "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}")
(define home-path "/Users/<USERNAME>")

link

; Allow read access to standard system paths.
(allow file-read*
       (require-all (file-mode #o0004)
                    (require-any (subpath "/Library/Filesystems/NetFSPlugins")
                                 (subpath "/System")
                                 (subpath "/private/var/db/dyld")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/share"))))

Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.

link 

(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var")
       (literal "/private/etc/localtime"))

Allow reading of metadata of these directories.

link 

; Allow access to standard special files.
(allow file-read*
       (literal "/dev/autofs_nowait")
       (literal "/dev/random")
       (literal "/dev/urandom")

/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)

link 

(allow file-read*
       file-write-data
       (literal "/dev/null")
       (literal "/dev/zero"))

Wondering if we need write access to these.

link 

(allow file-read*
       file-write-data
       file-ioctl
       (literal "/dev/dtracehelper"))

Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.

link 

(allow mach-lookup
       (global-name "com.apple.appsleep")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.cfprefsd.agent")
       (global-name "com.apple.cfprefsd.daemon")
       (global-name "com.apple.diagnosticd")
       (global-name "com.apple.espd")
       (global-name "com.apple.secinitd")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center")
       (global-name "com.apple.system.opendirectoryd.libinfo")
       (global-name "com.apple.system.opendirectoryd.membership")
       (global-name "com.apple.trustd")
       (global-name "com.apple.trustd.agent")
       (global-name "com.apple.xpc.activity.unmanaged")
       (global-name "com.apple.xpcd")
       (local-name "com.apple.cfprefsd.agent"))

Miscellaneous undocumented services.

link 

; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
(allow sysctl-read)

A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.

link 

  "  (begin\n"
  "    (deny default)\n"

By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used.

link 

  "    (debug deny)\n"
  "\n"

For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".

link 

  "    (define resolving-literal literal)\n"
  "    (define resolving-subpath subpath)\n"
  "    (define resolving-regex regex)\n"

Shortcut macros.

link 

  "    (define container-path appPath)\n"
  "    (define appdir-path appDir)\n"
  "    (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
  "    (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
  "\n"
  "    (define (home-regex home-relative-regex)\n"
  "      (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
  "    (define (home-subpath home-relative-subpath)\n"
  "      (resolving-subpath (string-append home-path home-relative-subpath)))\n"
  "    (define (home-literal home-relative-literal)\n"
  "      (resolving-literal (string-append home-path home-relative-literal)))\n"
  "\n"
  "    (define (var-folders-regex var-folders-relative-regex)\n"
  "      (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
  "    (define (var-folders2-regex var-folders2-relative-regex)\n"
  "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
  "\n"
Text substitution macros for dealing with paths.

link 

  "    (define (allow-shared-preferences-read domain)\n"
  "          (begin\n"
  "            (if (defined? `user-preference-read)\n"
  "              (allow user-preference-read (preference-domain domain)))\n"
  "            (allow file-read*\n"
  "                   (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
  "                   (home-regex (string-append \"/Library/Preferences/ByHost/\"
                              (regex-quote domain) \"\\..*\\.plist$\")))\n"
  "            ))\n"
  "\n"
  "    (define (allow-shared-list domain)\n"
  "      (allow file-read*\n"
  "             (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
  "\n"
Macros for dealing with some form of OS X preferences. TBD.

link 

  "\n"
  "    (allow ipc-posix-shm\n"
  "        (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
  "        (ipc-posix-name-regex \"^CFPBS:\")\n"
  "        (ipc-posix-name-regex \"^AudioIO\"))\n"
Access via IPC shared memory to services with names matching these regexes? TBD

link 

  "\n"
  "    (allow file-read-metadata\n"
  "        (literal \"/home\")\n"
  "        (literal \"/net\")\n"
  "        (regex \"^/private/tmp/KSInstallAction\\.\")\n"
  "        (var-folders-regex \"/\")\n"
  "        (home-subpath \"/Library\"))\n"
Allow reading of file metadata for these directories and files. Appears to be redundant given the above "(allow file-read-metadata)" rule?

link 

  "    (allow signal (target self))\n"

Allow the content process to send a signal to itself. Searched for callers of kill(2) in mozilla-central and didn't find any.

link 

  "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"

This might be related to using the camera.

link 

  "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"

Setting sound volume?

link 

  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
  "        (global-name \"com.apple.coreservices.appleevents\")\n"
  "        (global-name \"com.apple.pasteboard.1\")\n"
  "        (global-name \"com.apple.window_proxies\")\n"
  "        (global-name \"com.apple.windowserver.active\")\n"
  "        (global-name \"com.apple.audio.coreaudiod\")\n"
  "        (global-name \"com.apple.audio.audiohald\")\n"
  "        (global-name \"com.apple.PowerManagement.control\")\n"
  "        (global-name \"com.apple.cmio.VDCAssistant\")\n"
  "        (global-name \"com.apple.SystemConfiguration.configd\")\n"
  "        (global-name \"com.apple.iconservices\")\n"
  "        (global-name \"com.apple.cookied\")\n"
  "        (global-name \"com.apple.printuitool.agent\")\n"
  "        (global-name \"com.apple.printtool.agent\")\n"
  "        (global-name \"com.apple.cache_delete\")\n"
  "        (global-name \"com.apple.pluginkit.pkd\")\n"
  "        (global-name \"com.apple.bird\")\n"
  "        (global-name \"com.apple.ocspd\")\n"
  "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
  "        (global-name \"com.apple.DesktopServicesHelper\"))\n"

Access to more undocumented OS X facilities.

link 

  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioControlUserClient\")\n"
  "        (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelDevice\")\n"
  "        (iokit-user-client-class \"nvDevice\")\n"
  "        (iokit-user-client-class \"nvSharedUserClient\")\n"
  "        (iokit-user-client-class \"nvFermiGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelGLContext\")\n"
  "        (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
  "        (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
  "        (iokit-user-client-class \"RootDomainUserClient\")\n"
  "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
  "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"

Sound like this is for accessing various kernel driver provided functionality.

link 

  "; depending on systems, the 1st, 2nd or both rules are necessary\n"
  "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
  "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"

HIToolbox is Human Interface Toolbox. Sounds related to OS X UI controls.
Allows reading from /Library/Preferences/com.apple.HIToolbox.plist which contains information about the input device such as keyboard layout.

link 

  "    (allow-shared-preferences-read \"com.apple.ATS\")\n"

Possibly font-related.

link 

  "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"

Contains some details about time zone, city, language, display devices.

link 

  "    (allow file-read*\n"
  "        (subpath \"/Library/Fonts\")\n"
  "        (subpath \"/Library/Audio/Plug-Ins\")\n"
  "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
  "        (subpath \"/Library/Spelling\")\n"
  "        (literal \"/\")\n"
  "        (literal \"/private/tmp\")\n"
  "        (literal \"/private/var/tmp\")\n"

Filesystem read access to some system directories.

link 

  "        (home-literal \"/.CFUserTextEncoding\")\n"

Filesystem read access to file ~/.CFUserTextEncoding (stores the user's default text encoding.)

link 

  "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
  "        (home-subpath \"/Library/Colors\")\n"
  "        (home-subpath \"/Library/Fonts\")\n"
  "        (home-subpath \"/Library/FontCollections\")\n"
  "        (home-subpath \"/Library/Keyboard Layouts\")\n"
  "        (home-subpath \"/Library/Input Methods\")\n"
  "        (home-subpath \"/Library/Spelling\")\n"
Filesystem read access to these ~/Library subdirectories.

link 

  "        (subpath appdir-path)\n"

Read access to part of the application bundle:
/.../NightlyDebug.app/Contents/Resources/browser

link 

  "        (literal appPath)\n"
  "        (literal appBinaryPath))\n"

Read access to plugin-container .app:
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app
and the executable contained in it
/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container

link 

  "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
Might not be needed. On OS X 10.11, no matches for files with this name found under ~/Library/Preferences/. Matches found in ~/Library/Caches though.

link 

  "; the following 2 rules should be removed when microphone and camera access\n"
  "; are brokered through the content process\n"
  "    (allow device-microphone)\n"
  "    (allow device-camera)\n"
Camera and mic access.

link 

  "\n"
  "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
Read and write access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le
This file not prevent on my 10.11 system.

link 

  "    (allow file-read*\n"
  "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
  "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"

Read access to
/private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices
and
/private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)
Not found on my 10.11 system.

link 

  "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"

Write access to
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*
Not found on my 10.11 system.


link 

  "; Per-user and system-wide Extensions dir\n"
  "  (allow file-read*\n"
  "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
  "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"

See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used.


link 

  "; The following rules impose file access restrictions which get\n"
  "; more restrictive in higher levels. When file-origin-specific\n"
  "; content processes are used for file:// origin browsing, the\n"
  "; global file-read* permission should be removed from each level.\n"
  "\n"
  "; level 1: global read access permitted, no home write access\n"
  "  (if (= sandbox-level 1)\n"
  "    (begin\n"
  "      (allow file-read*)\n"
  "      (allow file-write* (require-not (subpath home-path)))))\n"
Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory.

link 

  "; level 2: global read access permitted, no home write access,\n"
  ";          no read/write access to ~/Library,\n"
  ";          no read/write access to $PROFILE,\n"
  ";          read access permitted to $PROFILE/{extensions,weave}\n"
  "  (if (= sandbox-level 2)\n"
  "    (if (not (zero? hasProfileDir))\n"
  "      ; we have a profile dir\n"
  "      (begin\n"
  "        (allow file-read* (require-all\n"
  "              (require-not (home-subpath \"/Library\"))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path))\n"
  "              (require-not (subpath profileDir))))\n"
  "        (allow file-read*\n"
  "              (profile-subpath \"/extensions\")\n"
  "              (profile-subpath \"/weave\")))\n"
  "      ; we don't have a profile dir\n"
  "      (begin\n"
  "        (allow file-read*\n"
  "              (require-not (home-subpath \"/Library\")))\n"
  "        (allow file-write* (require-all\n"
  "              (require-not (subpath home-path)))))))\n"
Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave.

link 

  "\n"
  "; accelerated graphics\n"
  "    (allow-shared-preferences-read \"com.apple.opengl\")\n"
  "    (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
  "    (allow mach-lookup\n"
  "        (global-name \"com.apple.cvmsServ\"))\n"
  "    (allow iokit-open\n"
  "        (iokit-connection \"IOAccelerator\")\n"
  "        (iokit-user-client-class \"IOAccelerationUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
  "        (iokit-user-client-class \"IOSurfaceSendRight\")\n"
  "        (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
  "        (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
  "        (iokit-user-client-class \"AGPMClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
  "        (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
  "\n"
  "; bug 1153809\n"
  "    (allow iokit-open\n"
  "        (iokit-user-client-class \"NVDVDContextTesla\")\n"
  "        (iokit-user-client-class \"Gen6DVDContext\"))\n"
Graphics

link 

  "\n"
  "; bug 1201935\n"
  "    (allow file-read*\n"
  "        (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
  "\n"
Read-only access to anything in ~/Library/Caches/TemporaryItems

link 

  "; bug 1237847\n"
  "    (allow file-read*\n"
  "        (home-subpath appTempDir))\n"
  "    (allow file-write*\n"
  "        (home-subpath appTempDir))\n"
  "  )\n"
  ")\n";

Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.

Retrieved from "https://wiki.mozilla.org/index.php?title=Sandbox/OS_X_Rule_Set&oldid=1184313"