Sandbox/OS X Rule Set
< Sandbox
Jump to navigation
Jump to search
| References | |
|---|---|
| 1 |
Apple's Sandbox Guide v1.0 13-09-2011 |
| Rule | Description |
|---|---|
static const char contentSandboxRules[] = | |
(version 1) |
References[1] states only version 1 is supported. I tried with version=2 and sandbox_init failed due to "unsupported version". |
(define sandbox-level %d) (define macosMinorVersion %d) (define appPath \"%s\") (define appBinaryPath \"%s\") (define appDir \"%s\") (define appTempDir \"%s\") (define home-path \"%s\") |
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build. |
|
Full paths abbreviated. (define sandbox-level 1)
(define macosMinorVersion 11)
(define appPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app")
(define appBinaryPath "/.../NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
(define appDir "/.../NightlyDebug.app/Contents/Resources/browser")
(define appTempDir "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}")
(define home-path "/Users/<USERNAME>")
| |
(import \"/System/Library/Sandbox/Profiles/system.sb\") This excerpt it what is enabled for us. The file also defines some macros, but they're not used in the file or by our rules. Namely "(define (system-network) ...)" and "(define (system-graphics) ...)". ...
;;; Allow registration of per-pid services.
(allow mach-register
(local-name-regex #""))
;;; Allow read access to standard system paths.
(allow file-read*
(require-all (file-mode #o0004)
(require-any (subpath "/Library/Filesystems/NetFSPlugins")
(subpath "/System")
(subpath "/private/var/db/dyld")
(subpath "/usr/lib")
(subpath "/usr/share"))))
(allow file-read-metadata
(literal "/etc")
(literal "/tmp")
(literal "/var")
(literal "/private/etc/localtime"))
;;; Allow access to standard special files.
(allow file-read*
(literal "/dev/autofs_nowait")
(literal "/dev/random")
(literal "/dev/urandom")
(literal "/private/etc/master.passwd")
(literal "/private/etc/passwd"))
(allow file-read*
file-write-data
(literal "/dev/null")
(literal "/dev/zero"))
(allow file-read*
file-write-data
file-ioctl
(literal "/dev/dtracehelper"))
(allow network-outbound
(literal "/private/var/run/asl_input")
(literal "/private/var/run/syslog"))
;;; Allow creation of core dumps.
(allow file-write-create
(require-all (regex #"^/cores/")
(vnode-type REGULAR-FILE)))
;;; Allow IPC to standard system agents.
(allow ipc-posix-shm-read*
(ipc-posix-name #"apple.shm.notification_center")
(ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
(allow mach-lookup
(global-name "com.apple.appsleep")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.cfprefsd.agent")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.diagnosticd")
(global-name "com.apple.espd")
(global-name "com.apple.secinitd")
(global-name "com.apple.system.DirectoryService.libinfo_v1")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.opendirectoryd.libinfo")
(global-name "com.apple.system.opendirectoryd.membership")
(global-name "com.apple.trustd")
(global-name "com.apple.trustd.agent")
(global-name "com.apple.xpc.activity.unmanaged")
(global-name "com.apple.xpcd")
(local-name "com.apple.cfprefsd.agent"))
;;; Allow mostly harmless operations.
(allow sysctl-read)
|
This imports all the sandbox policy directives in the file /System/Library/Sandbox/Profiles/system.sb which ships with OS X. |
"\n" "(if \n" " (or\n" " (< macosMinorVersion 9)\n" " (< sandbox-level 1))\n" " (allow default)\n" |
Don't enable any sandbox for Mac OS X 10.8 and earlier OR if the sandbox-level is less than 1. The rest of the policy only applies for 10.9 later when sandbox-level >= 1. |
" (begin\n" " (deny default)\n" |
By default, we deny. i.e., for any capability not explicitly allowed here, do not allow it to be used. |
" (debug deny)\n" "\n" |
For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox". |
" (define resolving-literal literal)\n" " (define resolving-subpath subpath)\n" " (define resolving-regex regex)\n" |
Shortcut macros. |
" (define container-path appPath)\n"
" (define appdir-path appDir)\n"
" (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
" (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
"\n"
" (define (home-regex home-relative-regex)\n"
" (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
" (define (home-subpath home-relative-subpath)\n"
" (resolving-subpath (string-append home-path home-relative-subpath)))\n"
" (define (home-literal home-relative-literal)\n"
" (resolving-literal (string-append home-path home-relative-literal)))\n"
"\n"
" (define (container-regex container-relative-regex)\n"
" (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
" (define (container-subpath container-relative-subpath)\n"
" (resolving-subpath (string-append container-path container-relative-subpath)))\n"
" (define (container-literal container-relative-literal)\n"
" (resolving-literal (string-append container-path container-relative-literal)))\n"
"\n"
" (define (var-folders-regex var-folders-relative-regex)\n"
" (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
" (define (var-folders2-regex var-folders2-relative-regex)\n"
" (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
"\n"
" (define (appdir-regex appdir-relative-regex)\n"
" (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
" (define (appdir-subpath appdir-relative-subpath)\n"
" (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
" (define (appdir-literal appdir-relative-literal)\n"
" (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
"\n"
" (define (allow-shared-preferences-read domain)\n"
" (begin\n"
" (if (defined? `user-preference-read)\n"
" (allow user-preference-read (preference-domain domain)))\n"
" (allow file-read*\n"
" (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
" (home-regex (string-append \"/Library/Preferences/ByHost/\"
(regex-quote domain) \"\\..*\\.plist$\")))\n"
" ))\n"
"\n"
" (define (allow-shared-list domain)\n"
" (allow file-read*\n"
" (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
"\n"
|
Macros (needs more explanation) |
" (allow file-read-metadata)\n" |
Does this allow file-read-metadata for all files? |
"\n" " (allow ipc-posix-shm\n" " (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n" " (ipc-posix-name-regex \"^CFPBS:\")\n" " (ipc-posix-name-regex \"^AudioIO\"))\n" |
IPC shared memory? |
"\n" " (allow file-read-metadata\n" " (literal \"/home\")\n" " (literal \"/net\")\n" " (regex \"^/private/tmp/KSInstallAction\\.\")\n" " (var-folders-regex \"/\")\n" " (home-subpath \"/Library\"))\n" |
Allow reading of file metadata for this directories and files. Is this redundant give the above "(allow file-read-metadata)" rule. |
"\n" " (allow signal (target self))\n" " (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n" " (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n" "\n" " (allow mach-lookup\n" " (global-name \"com.apple.coreservices.launchservicesd\")\n" " (global-name \"com.apple.coreservices.appleevents\")\n" " (global-name \"com.apple.pasteboard.1\")\n" " (global-name \"com.apple.window_proxies\")\n" " (global-name \"com.apple.windowserver.active\")\n" " (global-name \"com.apple.audio.coreaudiod\")\n" " (global-name \"com.apple.audio.audiohald\")\n" " (global-name \"com.apple.PowerManagement.control\")\n" " (global-name \"com.apple.cmio.VDCAssistant\")\n" " (global-name \"com.apple.SystemConfiguration.configd\")\n" " (global-name \"com.apple.iconservices\")\n" " (global-name \"com.apple.cookied\")\n" " (global-name \"com.apple.printuitool.agent\")\n" " (global-name \"com.apple.printtool.agent\")\n" " (global-name \"com.apple.cache_delete\")\n" " (global-name \"com.apple.pluginkit.pkd\")\n" " (global-name \"com.apple.bird\")\n" " (global-name \"com.apple.ocspd\")\n" " (global-name \"com.apple.cmio.AppleCameraAssistant\")\n" " (global-name \"com.apple.DesktopServicesHelper\")\n" " (global-name \"com.apple.printtool.daemon\"))\n" "\n" " (allow iokit-open\n" " (iokit-user-client-class \"IOHIDParamUserClient\")\n" " (iokit-user-client-class \"IOAudioControlUserClient\")\n" " (iokit-user-client-class \"IOAudioEngineUserClient\")\n" " (iokit-user-client-class \"IGAccelDevice\")\n" " (iokit-user-client-class \"nvDevice\")\n" " (iokit-user-client-class \"nvSharedUserClient\")\n" " (iokit-user-client-class \"nvFermiGLContext\")\n" " (iokit-user-client-class \"IGAccelGLContext\")\n" " (iokit-user-client-class \"IGAccelSharedUserClient\")\n" " (iokit-user-client-class \"IGAccelVideoContextMain\")\n" " (iokit-user-client-class \"IGAccelVideoContextMedia\")\n" " (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n" " (iokit-user-client-class \"RootDomainUserClient\")\n" " (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n" " (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n" "\n" "; depending on systems, the 1st, 2nd or both rules are necessary\n" " (allow-shared-preferences-read \"com.apple.HIToolbox\")\n" " (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n" "\n" " (allow-shared-preferences-read \"com.apple.ATS\")\n" " (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n" "\n" " (allow file-read*\n" " (subpath \"/Library/Fonts\")\n" " (subpath \"/Library/Audio/Plug-Ins\")\n" " (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n" " (subpath \"/Library/Spelling\")\n" " (subpath \"/private/etc/cups/ppd\")\n" " (subpath \"/private/var/run/cupsd\")\n" " (literal \"/\")\n" " (literal \"/private/tmp\")\n" " (literal \"/private/var/tmp\")\n" "\n" " (home-literal \"/.CFUserTextEncoding\")\n" " (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n" " (home-subpath \"/Library/Colors\")\n" " (home-subpath \"/Library/Fonts\")\n" " (home-subpath \"/Library/FontCollections\")\n" " (home-subpath \"/Library/Keyboard Layouts\")\n" " (home-subpath \"/Library/Input Methods\")\n" " (home-subpath \"/Library/PDF Services\")\n" " (home-subpath \"/Library/Spelling\")\n" "\n" " (subpath appdir-path)\n" "\n" " (literal appPath)\n" " (literal appBinaryPath))\n" "\n" " (allow-shared-list \"org.mozilla.plugincontainer\")\n" "\n" "; the following 2 rules should be removed when microphone and camera access\n" "; are brokered through the content process\n" " (allow device-microphone)\n" " (allow device-camera)\n" "\n" " (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n" " (allow file-read*\n" " (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n" " (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n" "\n" " (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n" " (allow file-read*\n" " (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n" " (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n" " (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n" " (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n" "\n" "; the following rules should be removed when printing and \n" "; opening a file from disk are brokered through the main process\n" " (if\n" " (< sandbox-level 2)\n" " (allow file*\n" " (require-not\n" " (home-subpath \"/Library\")))\n" " (allow file*\n" " (require-all\n" " (subpath home-path)\n" " (require-not\n" " (home-subpath \"/Library\")))))\n" "\n" "; printing\n" " (allow authorization-right-obtain\n" " (right-name \"system.print.operator\")\n" " (right-name \"system.printingmanager\"))\n" " (allow mach-lookup\n" " (global-name \"com.apple.printuitool.agent\")\n" " (global-name \"com.apple.printtool.agent\")\n" " (global-name \"com.apple.printtool.daemon\")\n" " (global-name \"com.apple.sharingd\")\n" " (global-name \"com.apple.metadata.mds\")\n" " (global-name \"com.apple.mtmd.xpc\")\n" " (global-name \"com.apple.FSEvents\")\n" " (global-name \"com.apple.locum\")\n" " (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n" " (allow file-read*\n" " (home-literal \"/.cups/lpoptions\")\n" " (home-literal \"/.cups/client.conf\")\n" " (literal \"/private/etc/cups/lpoptions\")\n" " (literal \"/private/etc/cups/client.conf\")\n" " (subpath \"/private/etc/cups/ppd\")\n" " (literal \"/private/var/run/cupsd\"))\n" " (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n" " (allow-shared-preferences-read \"com.apple.finder\")\n" " (allow-shared-preferences-read \"com.apple.LaunchServices\")\n" " (allow-shared-preferences-read \".GlobalPreferences\")\n" " (allow network-outbound\n" " (literal \"/private/var/run/cupsd\")\n" " (literal \"/private/var/run/mDNSResponder\"))\n" "\n" "; print preview\n" " (if (> macosMinorVersion 9)\n" " (allow lsopen))\n" " (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n" " (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n" " (allow mach-task-name)\n" " (allow mach-register)\n" " (allow file-read-data\n" " (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n" " (subpath \"/Library/PDF Services\")\n" " (subpath \"/Applications/Preview.app\")\n" " (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n" " (allow mach-lookup\n" " (global-name \"com.apple.pbs.fetch_services\")\n" " (global-name \"com.apple.tsm.uiserver\")\n" " (global-name \"com.apple.ls.boxd\")\n" " (global-name \"com.apple.coreservices.quarantine-resolver\")\n" " (global-name-regex \"_OpenStep$\"))\n" " (allow appleevent-send\n" " (appleevent-destination \"com.apple.preview\")\n" " (appleevent-destination \"com.apple.imagecaptureextension2\"))\n" "\n" "; accelerated graphics\n" " (allow-shared-preferences-read \"com.apple.opengl\")\n" " (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n" " (allow mach-lookup\n" " (global-name \"com.apple.cvmsServ\"))\n" " (allow iokit-open\n" " (iokit-connection \"IOAccelerator\")\n" " (iokit-user-client-class \"IOAccelerationUserClient\")\n" " (iokit-user-client-class \"IOSurfaceRootUserClient\")\n" " (iokit-user-client-class \"IOSurfaceSendRight\")\n" " (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n" " (iokit-user-client-class \"AppleSNBFBUserClient\")\n" " (iokit-user-client-class \"AGPMClient\")\n" " (iokit-user-client-class \"AppleGraphicsControlClient\")\n" " (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n" "\n" "; bug 1153809\n" " (allow iokit-open\n" " (iokit-user-client-class \"NVDVDContextTesla\")\n" " (iokit-user-client-class \"Gen6DVDContext\"))\n" "\n" "; bug 1190032\n" " (allow file*\n" " (home-regex \"/Library/Caches/TemporaryItems/plugtmp.*\"))\n" "\n" "; bug 1201935\n" " (allow file-read*\n" " (home-subpath \"/Library/Caches/TemporaryItems\"))\n" "\n" |
TODO |
"; bug 1237847\n" " (allow file-read*\n" " (home-subpath appTempDir))\n" " (allow file-write*\n" " (home-subpath appTempDir))\n" " )\n" ")\n"; |
Allow full reads and writes to appTempDir which (in this example) is "/Users/<USERNAME>/Library/Caches/TemporaryItems/Temp-{62ac76fa-73fd-8f46-bd2b-12c4d53aa1cc}". The directory is reset each time Firefox starts. |