Bug 1272772 - Inline system.sb and remove unneeded rules (removes unneeded rules); r=gcp
authorHaik Aftandilian <haftandilian@mozilla.com>
Wed, 01 Jun 2016 15:40:00 +0200
changeset 300567 4a08f1841ee0422cd2b4f4a0eb2de16f93576757
parent 300566 fe9c2571c13008ea72fc902dd1d0eca9d0f7b910
child 300568 b9213f375a3fa9570893c23eef9ef4be4cc83226
push id30313
push usercbook@mozilla.com
push dateMon, 06 Jun 2016 09:56:25 +0000
reviewersgcp
bugs1272772
milestone49.0a1
Bug 1272772 - Inline system.sb and remove unneeded rules (removes unneeded rules); r=gcp
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -160,70 +160,47 @@ static const char contentSandboxRules[] 
   "(define sandbox-level %d)\n"
   "(define macosMinorVersion %d)\n"
   "(define appPath \"%s\")\n"
   "(define appBinaryPath \"%s\")\n"
   "(define appDir \"%s\")\n"
   "(define appTempDir \"%s\")\n"
   "(define home-path \"%s\")\n"
   "\n"
-  "; -------- START system.sb -------- \n"
-  "(version 1)\n"
-  "\n"
-  ";;; Allow registration of per-pid services.\n"
-  "(allow mach-register\n"
-  "  (local-name-regex #\"\"))\n"
-  "\n"
-  ";;; Allow read access to standard system paths.\n"
+  "; Allow read access to standard system paths.\n"
   "(allow file-read*\n"
   "  (require-all (file-mode #o0004)\n"
   "    (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
   "      (subpath \"/System\")\n"
   "      (subpath \"/private/var/db/dyld\")\n"
   "      (subpath \"/usr/lib\")\n"
   "      (subpath \"/usr/share\"))))\n"
   "\n"
   "(allow file-read-metadata\n"
   "  (literal \"/etc\")\n"
   "  (literal \"/tmp\")\n"
   "  (literal \"/var\")\n"
   "  (literal \"/private/etc/localtime\"))\n"
   "\n"
-  ";;; Allow access to standard special files.\n"
+  "; Allow read access to standard special files.\n"
   "(allow file-read*\n"
   "  (literal \"/dev/autofs_nowait\")\n"
   "  (literal \"/dev/random\")\n"
-  "  (literal \"/dev/urandom\")\n"
-  "  (literal \"/private/etc/master.passwd\")\n"
-  "  (literal \"/private/etc/passwd\"))\n"
+  "  (literal \"/dev/urandom\"))\n"
   "\n"
   "(allow file-read*\n"
   "  file-write-data\n"
   "  (literal \"/dev/null\")\n"
   "  (literal \"/dev/zero\"))\n"
   "\n"
   "(allow file-read*\n"
   "  file-write-data\n"
   "  file-ioctl\n"
   "  (literal \"/dev/dtracehelper\"))\n"
   "\n"
-  "(allow network-outbound\n"
-  "  (literal \"/private/var/run/asl_input\")\n"
-  "  (literal \"/private/var/run/syslog\"))\n"
-  "\n"
-  ";;; Allow creation of core dumps.\n"
-  "(allow file-write-create\n"
-  "  (require-all (regex #\"^/cores/\")\n"
-  "    (vnode-type REGULAR-FILE)))\n"
-  "\n"
-  ";;; Allow IPC to standard system agents.\n"
-  "(allow ipc-posix-shm-read*\n"
-  "  (ipc-posix-name #\"apple.shm.notification_center\")\n"
-  "  (ipc-posix-name-regex #\"^apple\.shm\.cfprefsd\.\"))\n"
-  "\n"
   "(allow mach-lookup\n"
   "  (global-name \"com.apple.appsleep\")\n"
   "  (global-name \"com.apple.bsd.dirhelper\")\n"
   "  (global-name \"com.apple.cfprefsd.agent\")\n"
   "  (global-name \"com.apple.cfprefsd.daemon\")\n"
   "  (global-name \"com.apple.diagnosticd\")\n"
   "  (global-name \"com.apple.espd\")\n"
   "  (global-name \"com.apple.secinitd\")\n"
@@ -233,21 +210,19 @@ static const char contentSandboxRules[] 
   "  (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
   "  (global-name \"com.apple.system.opendirectoryd.membership\")\n"
   "  (global-name \"com.apple.trustd\")\n"
   "  (global-name \"com.apple.trustd.agent\")\n"
   "  (global-name \"com.apple.xpc.activity.unmanaged\")\n"
   "  (global-name \"com.apple.xpcd\")\n"
   "  (local-name \"com.apple.cfprefsd.agent\"))\n"
   "\n"
-  ";;; Allow mostly harmless operations.\n"
+  "; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"
   "(allow sysctl-read)\n"
   "\n"
-  "; -------- END system.sb -------- \n"
-  "\n"
   "(if \n"
   "  (or\n"
   "    (< macosMinorVersion 9)\n"
   "    (< sandbox-level 1))\n"
   "  (allow default)\n"
   "  (begin\n"
   "    (deny default)\n"
   "    (debug deny)\n"
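Review bot: The first hunk drops `(version 1)` along with the rest of the inlined system.sb header, and no other version declaration is visible in either hunk; if contentSandboxRules does not already begin with `(version 1)` ahead of the define lines at the top of the hunk, the profile will be rejected when it is compiled. The start of the string literal is outside the hunk, so this has to be checked against the full definition. The comment added in the second hunk documents `(allow sysctl-read)` with an open-ended "and others", which hides that the rule is unrestricted; I would make that explicit, e.g. `"; Unrestricted sysctl read; used for hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"`, so a later reader knows no name filter is applied. The `(if` form that follows continues past the end of the hunk.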