Sandbox/OS X Rule Set: Difference between revisions

Path list
(Glossary)
(Path list)
Line 618: Line 618:
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts.
|}
|}
= File Paths in the Rules =
<pre>
On OS X the Firefox profile is (by default) stored in ~/Library/Application Support/Firefox/Profiles
read & write:
  All paths except ~/Library and what is specifically allowed in ~/Library
  -- This rule makes most other rules redundant, but once it is removed
    the other rules with specific inclusions will take effect.
  /dev/null
  /dev/zero
  /dev/dtracehelper
  /private/var/folders/[^/][^/][^/]+/[^/]com.apple.IntlDataCache.le
  /private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*
  ~/Library/Caches/TemporaryItems/plugtmp.*
  ~/Library/Caches/TemporaryItems/Temp-{UUID}
read:
  /Library/Filesystems/NetFSPlugins
  /System
  /private/var/db/dyld
  /usr/lib
  /usr/share
  /Library/Fonts
  /Library/Audio/Plug-Ins
  /Library/CoreMediaIO/Plug-Ins/DAL
  /Library/Spelling
  /private/etc/cups/ppd
  /private/var/run/cupsd
  /Library/Application Support/[^/]+/Extensions/[^/]/
  /private/var/folders/[^/][^/][^/]+/[^/]com.apple.IconServices
  /private/var/folders/[^/][^/][^/]+/[^/][^/]+.mozrunner/extensions/[^/]/chrome/[^/]+/content/[^/]+.j(s|ar)
  ~/Library/Colors
  ~/Library/Fonts
  ~/Library/FontCollections
  ~/Library/Keyboard Layouts
  ~/Library/Input Methods
  ~/Library/PDF Services
  ~/Library/Spelling
  ~/Library/Application Support/[^/]+/Extensions/[^/]/
  ~/Library/Application Support/Firefox/Profiles/[^/]+/extensions/
  ~/Library/Application Support/Firefox/Profiles/[^/]+/weave/
  ~/Library/Caches/TemporaryItems/*
  ~/.cups/lpoptions
  ~/.cups/client.conf
  /private/etc/cups/lpoptions
  /private/etc/cups/client.conf
  /private/etc/cups/ppd/*...
  /private/var/run/cupsd
  /Library/Printers/[^/]+/PDEs/[^/]+.plugin
  /Library/PDF Services/*...
  /Applications/Preview.app
  ~/Library/Preferences/com.apple.ServicesMenu.Services.plist
read literal:
  /dev/autofs_nowait
  /dev/random
  /dev/urandom
  /
  /private/tmp
  /private/var/tmp
  ~/.CFUserTextEncoding
  ~/Library/Preferences/com.apple.DownloadAssessment.plist
  ~/Library/Preferences/.../...plist
read metadata:
  literal /etc
  /tmp
  /var
  /private/etc/localtime
  *
  /home
  /net
  /private/var/folders/...
  ~/Library
</pre>
202

edits