Bug 1374660 - Removed redundant declarations from macOS content sandbox policy; r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Tue, 20 Jun 2017 10:27:18 -0400
changeset 365105 6ad9e19b39870b418272894381136534f9cf9433
parent 365104 f7af9bce9793ff275e2c797825b8230f3ff4b4f2
child 365106 9933a2e58516314b080b2f3d1e8b587d6c0c4b69
push id91680
push userkwierso@gmail.com
push dateWed, 21 Jun 2017 01:32:01 +0000
treeherdermozilla-inbound@f7b9dc31956c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewershaik
bugs1374660
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1374660 - Removed redundant declarations from macOS content sandbox policy; r=haik MozReview-Commit-ID: Gw6AnH8r9sL
security/sandbox/mac/SandboxPolicies.h
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -51,24 +51,29 @@ static const char contentSandboxRules[] 
 
   (define should-log (param "SHOULD_LOG"))
   (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
   (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
   (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
   (define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
   (define appPath (param "APP_PATH"))
   (define appBinaryPath (param "APP_BINARY_PATH"))
-  (define appDir (param "APP_DIR"))
+  (define appdir-path (param "APP_DIR"))
   (define appTempDir (param "APP_TEMP_DIR"))
   (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
   (define profileDir (param "PROFILE_DIR"))
   (define home-path (param "HOME_PATH"))
   (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
   (define debugWriteDir (param "DEBUG_WRITE_DIR"))
 
+  (if (string=? should-log "TRUE")
+    (deny default)
+    (deny default (with no-log)))
+  (debug deny)
+
   ; Allow read access to standard system paths.
   (allow file-read*
     (require-all (file-mode #o0004)
       (require-any (subpath "/Library/Filesystems/NetFSPlugins")
         (subpath "/System")
         (subpath "/usr/lib")
         (subpath "/usr/share"))))
 
@@ -95,246 +100,231 @@ static const char contentSandboxRules[] 
   (allow file-read*
     file-write-data
     file-ioctl
     (literal "/dev/dtracehelper"))
 
   ; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
   (allow sysctl-read)
 
-  (begin
-    (if (string=? should-log "TRUE")
-      (deny default)
-      (deny default (with no-log)))
-    (debug deny)
-
-    (define resolving-literal literal)
-    (define resolving-subpath subpath)
-    (define resolving-regex regex)
+  (define (home-regex home-relative-regex)
+    (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
+  (define (home-subpath home-relative-subpath)
+    (subpath (string-append home-path home-relative-subpath)))
+  (define (home-literal home-relative-literal)
+    (literal (string-append home-path home-relative-literal)))
 
-    (define container-path appPath)
-    (define appdir-path appDir)
-
-    (define (home-regex home-relative-regex)
-      (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex)))
-    (define (home-subpath home-relative-subpath)
-      (resolving-subpath (string-append home-path home-relative-subpath)))
-    (define (home-literal home-relative-literal)
-      (resolving-literal (string-append home-path home-relative-literal)))
+  (define (profile-subpath profile-relative-subpath)
+    (subpath (string-append profileDir profile-relative-subpath)))
 
-    (define (profile-subpath profile-relative-subpath)
-      (resolving-subpath (string-append profileDir profile-relative-subpath)))
-
-    (define (allow-shared-preferences-read domain)
-          (begin
-            (if (defined? `user-preference-read)
-              (allow user-preference-read (preference-domain domain)))
-            (allow file-read*
-                   (home-literal (string-append "/Library/Preferences/" domain ".plist"))
-                   (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$")))
-            ))
+  (define (allow-shared-preferences-read domain)
+        (begin
+          (if (defined? `user-preference-read)
+            (allow user-preference-read (preference-domain domain)))
+          (allow file-read*
+                 (home-literal (string-append "/Library/Preferences/" domain ".plist"))
+                 (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$")))
+          ))
 
-    (define (allow-shared-list domain)
-      (allow file-read*
-             (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
+  (define (allow-shared-list domain)
+    (allow file-read*
+           (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
 
-    (allow ipc-posix-shm
-        (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
-        (ipc-posix-name-regex "^CFPBS:")
-        (ipc-posix-name-regex "^AudioIO"))
+  (allow ipc-posix-shm
+      (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
+      (ipc-posix-name-regex "^CFPBS:")
+      (ipc-posix-name-regex "^AudioIO"))
 
-    (allow signal (target self))
-    (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL"))
-    (allow iokit-set-properties (iokit-property "IOAudioControlValue"))
+  (allow signal (target self))
+  (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL"))
+  (allow iokit-set-properties (iokit-property "IOAudioControlValue"))
 
-    (allow mach-lookup
-        (global-name "com.apple.coreservices.launchservicesd")
-        (global-name "com.apple.coreservices.appleevents")
-        (global-name "com.apple.pasteboard.1")
-        (global-name "com.apple.window_proxies")
-        (global-name "com.apple.windowserver.active")
-        (global-name "com.apple.audio.coreaudiod")
-        (global-name "com.apple.audio.audiohald")
-        (global-name "com.apple.PowerManagement.control")
-        (global-name "com.apple.cmio.VDCAssistant")
-        (global-name "com.apple.SystemConfiguration.configd")
-        (global-name "com.apple.iconservices")
-        (global-name "com.apple.cookied")
-        (global-name "com.apple.cache_delete")
-        (global-name "com.apple.pluginkit.pkd")
-        (global-name "com.apple.bird")
-        (global-name "com.apple.ocspd")
-        (global-name "com.apple.cmio.AppleCameraAssistant")
-        (global-name "com.apple.DesktopServicesHelper"))
+  (allow mach-lookup
+      (global-name "com.apple.coreservices.launchservicesd")
+      (global-name "com.apple.coreservices.appleevents")
+      (global-name "com.apple.pasteboard.1")
+      (global-name "com.apple.window_proxies")
+      (global-name "com.apple.windowserver.active")
+      (global-name "com.apple.audio.coreaudiod")
+      (global-name "com.apple.audio.audiohald")
+      (global-name "com.apple.PowerManagement.control")
+      (global-name "com.apple.cmio.VDCAssistant")
+      (global-name "com.apple.SystemConfiguration.configd")
+      (global-name "com.apple.iconservices")
+      (global-name "com.apple.cookied")
+      (global-name "com.apple.cache_delete")
+      (global-name "com.apple.pluginkit.pkd")
+      (global-name "com.apple.bird")
+      (global-name "com.apple.ocspd")
+      (global-name "com.apple.cmio.AppleCameraAssistant")
+      (global-name "com.apple.DesktopServicesHelper"))
 
-  ; bug 1312273
-    (if (string=? macosMinorVersion-9 "TRUE")
-       (allow mach-lookup (global-name "com.apple.xpcd")))
+; bug 1312273
+  (if (string=? macosMinorVersion-9 "TRUE")
+     (allow mach-lookup (global-name "com.apple.xpcd")))
 
-    (allow iokit-open
-        (iokit-user-client-class "IOHIDParamUserClient")
-        (iokit-user-client-class "IOAudioControlUserClient")
-        (iokit-user-client-class "IOAudioEngineUserClient")
-        (iokit-user-client-class "IGAccelDevice")
-        (iokit-user-client-class "nvDevice")
-        (iokit-user-client-class "nvSharedUserClient")
-        (iokit-user-client-class "nvFermiGLContext")
-        (iokit-user-client-class "IGAccelGLContext")
-        (iokit-user-client-class "IGAccelSharedUserClient")
-        (iokit-user-client-class "IGAccelVideoContextMain")
-        (iokit-user-client-class "IGAccelVideoContextMedia")
-        (iokit-user-client-class "IGAccelVideoContextVEBox")
-        (iokit-user-client-class "RootDomainUserClient")
-        (iokit-user-client-class "IOUSBDeviceUserClientV2")
-        (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
-
-  ; depending on systems, the 1st, 2nd or both rules are necessary
-    (allow-shared-preferences-read "com.apple.HIToolbox")
-    (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
+  (allow iokit-open
+      (iokit-user-client-class "IOHIDParamUserClient")
+      (iokit-user-client-class "IOAudioControlUserClient")
+      (iokit-user-client-class "IOAudioEngineUserClient")
+      (iokit-user-client-class "IGAccelDevice")
+      (iokit-user-client-class "nvDevice")
+      (iokit-user-client-class "nvSharedUserClient")
+      (iokit-user-client-class "nvFermiGLContext")
+      (iokit-user-client-class "IGAccelGLContext")
+      (iokit-user-client-class "IGAccelSharedUserClient")
+      (iokit-user-client-class "IGAccelVideoContextMain")
+      (iokit-user-client-class "IGAccelVideoContextMedia")
+      (iokit-user-client-class "IGAccelVideoContextVEBox")
+      (iokit-user-client-class "RootDomainUserClient")
+      (iokit-user-client-class "IOUSBDeviceUserClientV2")
+      (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
 
-    (allow-shared-preferences-read "com.apple.ATS")
-    (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
+; depending on systems, the 1st, 2nd or both rules are necessary
+  (allow-shared-preferences-read "com.apple.HIToolbox")
+  (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
+
+  (allow-shared-preferences-read "com.apple.ATS")
+  (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
 
-    (allow file-read*
-        (subpath "/Library/Fonts")
-        (subpath "/Library/Audio/Plug-Ins")
-        (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
-        (subpath "/Library/Spelling")
-        (literal "/")
-        (literal "/private/tmp")
-        (literal "/private/var/tmp")
-
-        (home-literal "/.CFUserTextEncoding")
-        (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
-        (home-subpath "/Library/Colors")
-        (home-subpath "/Library/Fonts")
-        (home-subpath "/Library/FontCollections")
-        (home-subpath "/Library/Keyboard Layouts")
-        (home-subpath "/Library/Input Methods")
-        (home-subpath "/Library/Spelling")
-        (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+  (allow file-read*
+      (subpath "/Library/Fonts")
+      (subpath "/Library/Audio/Plug-Ins")
+      (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
+      (subpath "/Library/Spelling")
+      (literal "/")
+      (literal "/private/tmp")
+      (literal "/private/var/tmp")
 
-        (subpath appdir-path)
-
-        (literal appPath)
-        (literal appBinaryPath))
-
-    (allow file-read-metadata (home-subpath "/Library"))
-
-    (allow file-read-metadata
-      (literal "/private/var")
-      (subpath "/private/var/folders"))
+      (home-literal "/.CFUserTextEncoding")
+      (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
+      (home-subpath "/Library/Colors")
+      (home-subpath "/Library/Fonts")
+      (home-subpath "/Library/FontCollections")
+      (home-subpath "/Library/Keyboard Layouts")
+      (home-subpath "/Library/Input Methods")
+      (home-subpath "/Library/Spelling")
+      (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
 
-  ; bug 1303987
-    (if (string? debugWriteDir)
-      (allow file-write* (subpath debugWriteDir)))
+      (subpath appdir-path)
+
+      (literal appPath)
+      (literal appBinaryPath))
 
-  ; bug 1324610
-    (allow network-outbound (literal "/private/var/run/cupsd"))
+  (allow file-read-metadata (home-subpath "/Library"))
 
-    (allow-shared-list "org.mozilla.plugincontainer")
-
-  ; the following rule should be removed when microphone access
-  ; is brokered through the content process
-    (allow device-microphone)
+  (allow file-read-metadata
+    (literal "/private/var")
+    (subpath "/private/var/folders"))
 
-  ; Per-user and system-wide Extensions dir
-    (allow file-read*
-        (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
-        (resolving-regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
+; bug 1303987
+  (if (string? debugWriteDir)
+    (allow file-write* (subpath debugWriteDir)))
+
+; bug 1324610
+  (allow network-outbound (literal "/private/var/run/cupsd"))
+
+  (allow-shared-list "org.mozilla.plugincontainer")
 
-  ; The following rules impose file access restrictions which get
-  ; more restrictive in higher levels. When file-origin-specific
-  ; content processes are used for file:// origin browsing, the
-  ; global file-read* permission should be removed from each level.
+; the following rule should be removed when microphone access
+; is brokered through the content process
+  (allow device-microphone)
 
-  ; level 1: global read access permitted, no global write access
-    (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
+; Per-user and system-wide Extensions dir
+  (allow file-read*
+      (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
+      (regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
 
-  ; level 2: global read access permitted, no global write access,
-  ;          no read/write access to ~/Library,
-  ;          no read/write access to $PROFILE,
-  ;          read access permitted to $PROFILE/{extensions,chrome}
-    (if (string=? sandbox-level-2 "TRUE")
-      (if (string=? hasFilePrivileges "TRUE")
-        ; This process has blanket file read privileges
-        (allow file-read*)
-        ; This process does not have blanket file read privileges
-        (begin
-          ; bug 1201935
-          (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
-          (if (string=? hasProfileDir "TRUE")
-            ; we have a profile dir
-            (begin
-              (allow file-read* (require-all
-                  (require-not (home-subpath "/Library"))
-                  (require-not (subpath profileDir))))
-              (allow file-read*
-                  (profile-subpath "/extensions")
-                  (profile-subpath "/chrome")))
-            ; we don't have a profile dir
-            (allow file-read* (require-not (home-subpath "/Library")))))))
+; The following rules impose file access restrictions which get
+; more restrictive in higher levels. When file-origin-specific
+; content processes are used for file:// origin browsing, the
+; global file-read* permission should be removed from each level.
+
+; level 1: global read access permitted, no global write access
+  (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
 
-  ; level 3: global read access permitted, no global write access,
-  ;          no read access to the home directory,
-  ;          no read access to /private/var (but read-metadata allowed above),
-  ;          no read access to /{Volumes,Network,Users}
-  ;          read access permitted to $PROFILE/{extensions,chrome}
-    (if (string=? sandbox-level-3 "TRUE")
-      (if (string=? hasFilePrivileges "TRUE")
-        ; This process has blanket file read privileges
-        (allow file-read*)
-        ; This process does not have blanket file read privileges
+; level 2: global read access permitted, no global write access,
+;          no read/write access to ~/Library,
+;          no read/write access to $PROFILE,
+;          read access permitted to $PROFILE/{extensions,chrome}
+  (if (string=? sandbox-level-2 "TRUE")
+    (if (string=? hasFilePrivileges "TRUE")
+      ; This process has blanket file read privileges
+      (allow file-read*)
+      ; This process does not have blanket file read privileges
+      (begin
+        ; bug 1201935
+        (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
         (if (string=? hasProfileDir "TRUE")
           ; we have a profile dir
           (begin
             (allow file-read* (require-all
-                (require-not (subpath home-path))
-                (require-not (subpath profileDir))
-                (require-not (subpath "/Volumes"))
-                (require-not (subpath "/Network"))
-                (require-not (subpath "/Users"))
-                (require-not (subpath "/private/var"))))
-            (allow file-read* (literal "/private/var/run/cupsd"))
+                (require-not (home-subpath "/Library"))
+                (require-not (subpath profileDir))))
             (allow file-read*
                 (profile-subpath "/extensions")
                 (profile-subpath "/chrome")))
           ; we don't have a profile dir
-          (begin
-            (allow file-read* (require-all
+          (allow file-read* (require-not (home-subpath "/Library")))))))
+
+; level 3: global read access permitted, no global write access,
+;          no read access to the home directory,
+;          no read access to /private/var (but read-metadata allowed above),
+;          no read access to /{Volumes,Network,Users}
+;          read access permitted to $PROFILE/{extensions,chrome}
+  (if (string=? sandbox-level-3 "TRUE")
+    (if (string=? hasFilePrivileges "TRUE")
+      ; This process has blanket file read privileges
+      (allow file-read*)
+      ; This process does not have blanket file read privileges
+      (if (string=? hasProfileDir "TRUE")
+        ; we have a profile dir
+        (begin
+          (allow file-read* (require-all
               (require-not (subpath home-path))
+              (require-not (subpath profileDir))
               (require-not (subpath "/Volumes"))
               (require-not (subpath "/Network"))
               (require-not (subpath "/Users"))
               (require-not (subpath "/private/var"))))
-            (allow file-read* (literal "/private/var/run/cupsd"))))))
+          (allow file-read* (literal "/private/var/run/cupsd"))
+          (allow file-read*
+              (profile-subpath "/extensions")
+              (profile-subpath "/chrome")))
+        ; we don't have a profile dir
+        (begin
+          (allow file-read* (require-all
+            (require-not (subpath home-path))
+            (require-not (subpath "/Volumes"))
+            (require-not (subpath "/Network"))
+            (require-not (subpath "/Users"))
+            (require-not (subpath "/private/var"))))
+          (allow file-read* (literal "/private/var/run/cupsd"))))))
 
-  ; accelerated graphics
-    (allow-shared-preferences-read "com.apple.opengl")
-    (allow-shared-preferences-read "com.nvidia.OpenGL")
-    (allow mach-lookup
-        (global-name "com.apple.cvmsServ"))
-    (allow iokit-open
-        (iokit-connection "IOAccelerator")
-        (iokit-user-client-class "IOAccelerationUserClient")
-        (iokit-user-client-class "IOSurfaceRootUserClient")
-        (iokit-user-client-class "IOSurfaceSendRight")
-        (iokit-user-client-class "IOFramebufferSharedUserClient")
-        (iokit-user-client-class "AppleSNBFBUserClient")
-        (iokit-user-client-class "AGPMClient")
-        (iokit-user-client-class "AppleGraphicsControlClient")
-        (iokit-user-client-class "AppleGraphicsPolicyClient"))
+; accelerated graphics
+  (allow-shared-preferences-read "com.apple.opengl")
+  (allow-shared-preferences-read "com.nvidia.OpenGL")
+  (allow mach-lookup
+      (global-name "com.apple.cvmsServ"))
+  (allow iokit-open
+      (iokit-connection "IOAccelerator")
+      (iokit-user-client-class "IOAccelerationUserClient")
+      (iokit-user-client-class "IOSurfaceRootUserClient")
+      (iokit-user-client-class "IOSurfaceSendRight")
+      (iokit-user-client-class "IOFramebufferSharedUserClient")
+      (iokit-user-client-class "AppleSNBFBUserClient")
+      (iokit-user-client-class "AGPMClient")
+      (iokit-user-client-class "AppleGraphicsControlClient")
+      (iokit-user-client-class "AppleGraphicsPolicyClient"))
 
-  ; bug 1153809
-    (allow iokit-open
-        (iokit-user-client-class "NVDVDContextTesla")
-        (iokit-user-client-class "Gen6DVDContext"))
+; bug 1153809
+  (allow iokit-open
+      (iokit-user-client-class "NVDVDContextTesla")
+      (iokit-user-client-class "Gen6DVDContext"))
 
-  ; bug 1237847
-    (allow file-read* file-write*
-        (subpath appTempDir))
-
-  )
+; bug 1237847
+  (allow file-read* file-write*
+      (subpath appTempDir))
 )";
 
 }
 
 #endif // mozilla_SandboxPolicies_h