Bug 1354678 - Switch our sandbox policies to use C++ raw strings and put them in a new header file r=haik
authorAlex Gaynor <agaynor@mozilla.com>
Fri, 14 Apr 2017 13:12:09 -0400
changeset 353205 f40ab563c8c15aeb1cee5313be267c3d639eeaa5
parent 353204 a9a0bb47b38de07c272c6870e7300650d26ed6c8
child 353206 c39953270c307b41d160adba490ef9d28a03f479
push id31660
push userarchaeopteryx@coole-files.de
push dateSat, 15 Apr 2017 17:57:59 +0000
reviewershaik
bugs1354678
milestone55.0a1
Bug 1354678 - Switch our sandbox policies to use C++ raw strings and put them in a new header file r=haik r=haik MozReview-Commit-ID: Fr5liCjcJtg
security/sandbox/mac/Sandbox.h
security/sandbox/mac/Sandbox.mm
security/sandbox/mac/SandboxPolicies.h
security/sandbox/mac/moz.build
--- a/security/sandbox/mac/Sandbox.h
+++ b/security/sandbox/mac/Sandbox.h
@@ -3,16 +3,18 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef mozilla_Sandbox_h
 #define mozilla_Sandbox_h
 
 #include <string>
 
+#include "SandboxPolicies.h"
+
 enum MacSandboxType {
   MacSandboxType_Default = 0,
   MacSandboxType_Plugin,
   MacSandboxType_Content,
   MacSandboxType_Invalid
 };
 
 enum MacSandboxPluginType {
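Review bot: Including SandboxPolicies.h from Sandbox.h means every translation unit that includes the exported mozilla/Sandbox.h now carries its own copy of the three `static const char[]` policy arrays that header defines, even though only the sandbox startup code in Sandbox.mm reads them. Since this hunk only adds the include and the Sandbox.mm hunk does not show its include list, it looks like the include could live in Sandbox.mm alone, `#include "SandboxPolicies.h"` next to the other includes there, leaving Sandbox.h as the public interface only; if the policy text is meant to be consumed elsewhere, an `extern const char pluginSandboxRules[];` declaration here with the definition in the .mm would avoid the per-TU copies. If moving the include is not wanted, a one-line comment on the include saying why the policy text is exported would help, e.g. `// Sandbox profile text shared with the sandbox bootstrap code`.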
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -119,341 +119,16 @@ OSXVersion::GetVersionNumber()
     GetSystemVersion(major, minor, bugfix);
     mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
   }
   return mOSXVersion;
 }
 
 namespace mozilla {
 
-static const char pluginSandboxRules[] =
-  "(version 1)\n"
-
-  "(define should-log (param \"SHOULD_LOG\"))\n"
-  "(define plugin-binary-path (param \"PLUGIN_BINARY_PATH\"))\n"
-  "(define app-path (param \"APP_PATH\"))\n"
-  "(define app-binary-path (param \"APP_BINARY_PATH\"))\n"
-
-  "(if (string=? should-log \"TRUE\")\n"
-  "    (deny default)\n"
-  "    (deny default (with no-log)))\n"
-
-  "(allow signal (target self))\n"
-  "(allow sysctl-read)\n"
-  "(allow iokit-open (iokit-user-client-class \"IOHIDParamUserClient\"))\n"
-  "(allow mach-lookup\n"
-  "    (global-name \"com.apple.cfprefsd.agent\")\n"
-  "    (global-name \"com.apple.cfprefsd.daemon\")\n"
-  "    (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
-  "    (global-name \"com.apple.system.logger\")\n"
-  "    (global-name \"com.apple.ls.boxd\"))\n"
-  "(allow file-read*\n"
-  "    (regex #\"^/etc$\")\n"
-  "    (regex #\"^/dev/u?random$\")\n"
-  "    (literal \"/usr/share/icu/icudt51l.dat\")\n"
-  "    (regex #\"^/System/Library/Displays/Overrides/*\")\n"
-  "    (regex #\"^/System/Library/CoreServices/CoreTypes.bundle/*\")\n"
-  "    (regex #\"^/System/Library/PrivateFrameworks/*\")\n"
-  "    (regex #\"^/usr/lib/libstdc\\+\\+\\..*dylib$\")\n"
-  "    (literal plugin-binary-path)\n"
-  "    (literal app-path)\n"
-  "    (literal app-binary-path))\n";
-
-static const char widevinePluginSandboxRulesAddend[] =
-  "(allow mach-lookup (global-name \"com.apple.windowserver.active\"))\n";
-
-static const char contentSandboxRules[] =
-  "(version 1)\n"
-  "\n"
-  "(define should-log (param \"SHOULD_LOG\"))\n"
-  "(define sandbox-level-1 (param \"SANDBOX_LEVEL_1\"))\n"
-  "(define sandbox-level-2 (param \"SANDBOX_LEVEL_2\"))\n"
-  "(define sandbox-level-3 (param \"SANDBOX_LEVEL_3\"))\n"
-  "(define macosMinorVersion-9 (param \"MAC_OS_MINOR_9\"))\n"
-  "(define appPath (param \"APP_PATH\"))\n"
-  "(define appBinaryPath (param \"APP_BINARY_PATH\"))\n"
-  "(define appDir (param \"APP_DIR\"))\n"
-  "(define appTempDir (param \"APP_TEMP_DIR\"))\n"
-  "(define hasProfileDir (param \"HAS_SANDBOXED_PROFILE\"))\n"
-  "(define profileDir (param \"PROFILE_DIR\"))\n"
-  "(define home-path (param \"HOME_PATH\"))\n"
-  "(define hasFilePrivileges (param \"HAS_FILE_PRIVILEGES\"))\n"
-  "(define isDebugBuild (param \"DEBUG_BUILD\"))\n"
-  "\n"
-  "; Allow read access to standard system paths.\n"
-  "(allow file-read*\n"
-  "  (require-all (file-mode #o0004)\n"
-  "    (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
-  "      (subpath \"/System\")\n"
-  "      (subpath \"/private/var/db/dyld\")\n"
-  "      (subpath \"/usr/lib\")\n"
-  "      (subpath \"/usr/share\"))))\n"
-  "\n"
-  "(allow file-read-metadata\n"
-  "  (literal \"/etc\")\n"
-  "  (literal \"/tmp\")\n"
-  "  (literal \"/var\")\n"
-  "  (literal \"/private/etc/localtime\"))\n"
-  "\n"
-  "; Allow read access to standard special files.\n"
-  "(allow file-read*\n"
-  "  (literal \"/dev/autofs_nowait\")\n"
-  "  (literal \"/dev/random\")\n"
-  "  (literal \"/dev/urandom\"))\n"
-  "\n"
-  "(allow file-read*\n"
-  "  file-write-data\n"
-  "  (literal \"/dev/null\")\n"
-  "  (literal \"/dev/zero\"))\n"
-  "\n"
-  "(allow file-read*\n"
-  "  file-write-data\n"
-  "  file-ioctl\n"
-  "  (literal \"/dev/dtracehelper\"))\n"
-  "\n"
-  "; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"
-  "(allow sysctl-read)\n"
-  "\n"
-  "(begin\n"
-  "  (if (string=? should-log \"TRUE\")\n"
-  "    (deny default)\n"
-  "    (deny default (with no-log)))\n"
-  "  (debug deny)\n"
-  "\n"
-  "  (define resolving-literal literal)\n"
-  "  (define resolving-subpath subpath)\n"
-  "  (define resolving-regex regex)\n"
-  "\n"
-  "  (define container-path appPath)\n"
-  "  (define appdir-path appDir)\n"
-  "  (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
-  "  (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
-  "\n"
-  "  (define (home-regex home-relative-regex)\n"
-  "    (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
-  "  (define (home-subpath home-relative-subpath)\n"
-  "    (resolving-subpath (string-append home-path home-relative-subpath)))\n"
-  "  (define (home-literal home-relative-literal)\n"
-  "    (resolving-literal (string-append home-path home-relative-literal)))\n"
-  "\n"
-  "  (define (profile-subpath profile-relative-subpath)\n"
-  "    (resolving-subpath (string-append profileDir profile-relative-subpath)))\n"
-  "\n"
-  "  (define (var-folders-regex var-folders-relative-regex)\n"
-  "    (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
-  "  (define (var-folders2-regex var-folders2-relative-regex)\n"
-  "    (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
-  "\n"
-  "  (define (allow-shared-preferences-read domain)\n"
-  "        (begin\n"
-  "          (if (defined? `user-preference-read)\n"
-  "            (allow user-preference-read (preference-domain domain)))\n"
-  "          (allow file-read*\n"
-  "                 (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
-  "                 (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n"
-  "          ))\n"
-  "\n"
-  "  (define (allow-shared-list domain)\n"
-  "    (allow file-read*\n"
-  "           (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
-  "\n"
-  "  (allow ipc-posix-shm\n"
-  "      (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
-  "      (ipc-posix-name-regex \"^CFPBS:\")\n"
-  "      (ipc-posix-name-regex \"^AudioIO\"))\n"
-  "\n"
-  "  (allow file-read-metadata\n"
-  "      (literal \"/home\")\n"
-  "      (literal \"/net\")\n"
-  "      (regex \"^/private/tmp/KSInstallAction\\.\")\n"
-  "      (var-folders-regex \"/\")\n"
-  "      (home-subpath \"/Library\"))\n"
-  "\n"
-  "  (allow signal (target self))\n"
-  "  (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
-  "  (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
-  "\n"
-  "  (allow mach-lookup\n"
-  "      (global-name \"com.apple.coreservices.launchservicesd\")\n"
-  "      (global-name \"com.apple.coreservices.appleevents\")\n"
-  "      (global-name \"com.apple.pasteboard.1\")\n"
-  "      (global-name \"com.apple.window_proxies\")\n"
-  "      (global-name \"com.apple.windowserver.active\")\n"
-  "      (global-name \"com.apple.audio.coreaudiod\")\n"
-  "      (global-name \"com.apple.audio.audiohald\")\n"
-  "      (global-name \"com.apple.PowerManagement.control\")\n"
-  "      (global-name \"com.apple.cmio.VDCAssistant\")\n"
-  "      (global-name \"com.apple.SystemConfiguration.configd\")\n"
-  "      (global-name \"com.apple.iconservices\")\n"
-  "      (global-name \"com.apple.cookied\")\n"
-  "      (global-name \"com.apple.cache_delete\")\n"
-  "      (global-name \"com.apple.pluginkit.pkd\")\n"
-  "      (global-name \"com.apple.bird\")\n"
-  "      (global-name \"com.apple.ocspd\")\n"
-  "      (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
-  "      (global-name \"com.apple.DesktopServicesHelper\"))\n"
-  "\n"
-  "; bug 1312273\n"
-  "  (if (string=? macosMinorVersion-9 \"TRUE\")\n"
-  "     (allow mach-lookup (global-name \"com.apple.xpcd\")))\n"
-  "\n"
-  "  (allow iokit-open\n"
-  "      (iokit-user-client-class \"IOHIDParamUserClient\")\n"
-  "      (iokit-user-client-class \"IOAudioControlUserClient\")\n"
-  "      (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
-  "      (iokit-user-client-class \"IGAccelDevice\")\n"
-  "      (iokit-user-client-class \"nvDevice\")\n"
-  "      (iokit-user-client-class \"nvSharedUserClient\")\n"
-  "      (iokit-user-client-class \"nvFermiGLContext\")\n"
-  "      (iokit-user-client-class \"IGAccelGLContext\")\n"
-  "      (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
-  "      (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
-  "      (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
-  "      (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
-  "      (iokit-user-client-class \"RootDomainUserClient\")\n"
-  "      (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
-  "      (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
-  "\n"
-  "; depending on systems, the 1st, 2nd or both rules are necessary\n"
-  "  (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
-  "  (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
-  "\n"
-  "  (allow-shared-preferences-read \"com.apple.ATS\")\n"
-  "  (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
-  "\n"
-  "  (allow file-read*\n"
-  "      (subpath \"/Library/Fonts\")\n"
-  "      (subpath \"/Library/Audio/Plug-Ins\")\n"
-  "      (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
-  "      (subpath \"/Library/Spelling\")\n"
-  "      (literal \"/\")\n"
-  "      (literal \"/private/tmp\")\n"
-  "      (literal \"/private/var/tmp\")\n"
-  "\n"
-  "      (home-literal \"/.CFUserTextEncoding\")\n"
-  "      (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
-  "      (home-subpath \"/Library/Colors\")\n"
-  "      (home-subpath \"/Library/Fonts\")\n"
-  "      (home-subpath \"/Library/FontCollections\")\n"
-  "      (home-subpath \"/Library/Keyboard Layouts\")\n"
-  "      (home-subpath \"/Library/Input Methods\")\n"
-  "      (home-subpath \"/Library/Spelling\")\n"
-  "      (home-subpath \"/Library/Application Support/Adobe/CoreSync/plugins/livetype\")\n"
-  "\n"
-  "      (subpath appdir-path)\n"
-  "\n"
-  "      (literal appPath)\n"
-  "      (literal appBinaryPath))\n"
-  "\n"
-  "  (allow-shared-list \"org.mozilla.plugincontainer\")\n"
-  "\n"
-  "; the following rule should be removed when microphone access\n"
-  "; is brokered through the content process\n"
-  "  (allow device-microphone)\n"
-  "\n"
-  "  (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
-  "  (allow file-read*\n"
-  "      (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
-  "      (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
-  "\n"
-  "  (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
-  "\n"
-  "; Per-user and system-wide Extensions dir\n"
-  "  (allow file-read*\n"
-  "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
-  "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
-  "\n"
-  "; The following rules impose file access restrictions which get\n"
-  "; more restrictive in higher levels. When file-origin-specific\n"
-  "; content processes are used for file:// origin browsing, the\n"
-  "; global file-read* permission should be removed from each level.\n"
-  "\n"
-  "; level 1: global read access permitted, no global write access\n"
-  "  (if (string=? sandbox-level-1 \"TRUE\") (allow file-read*))\n"
-  "\n"
-  "; level 2: global read access permitted, no global write access,\n"
-  ";          no read/write access to ~/Library,\n"
-  ";          no read/write access to $PROFILE,\n"
-  ";          read access permitted to $PROFILE/{extensions,chrome}\n"
-  "  (if (string=? sandbox-level-2 \"TRUE\")\n"
-  "    (if (string=? hasFilePrivileges \"TRUE\")\n"
-  "      ; This process has blanket file read privileges\n"
-  "      (allow file-read*)\n"
-  "      ; This process does not have blanket file read privileges\n"
-  "      (if (string=? hasProfileDir \"TRUE\")\n"
-  "        ; we have a profile dir\n"
-  "        (begin\n"
-  "          (allow file-read* (require-all\n"
-  "              (require-not (home-subpath \"/Library\"))\n"
-  "              (require-not (subpath profileDir))))\n"
-  "          (allow file-read*\n"
-  "              (profile-subpath \"/extensions\")\n"
-  "              (profile-subpath \"/chrome\")))\n"
-  "        ; we don't have a profile dir\n"
-  "        (allow file-read* (require-not (home-subpath \"/Library\"))))))\n"
-  "\n"
-  "; level 3: global read access permitted, no global write access,\n"
-  ";          no read access to the home directory,\n"
-  ";          read access permitted to $PROFILE/{extensions,chrome}\n"
-  "  (if (string=? sandbox-level-3 \"TRUE\")\n"
-  "    (if (string=? hasFilePrivileges \"TRUE\")\n"
-  "      ; This process has blanket file read privileges\n"
-  "      (allow file-read*)\n"
-  "      ; This process does not have blanket file read privileges\n"
-  "      (if (string=? hasProfileDir \"TRUE\")\n"
-  "        ; we have a profile dir\n"
-  "        (begin\n"
-  "          (allow file-read* (require-all\n"
-  "              (require-not (subpath home-path))\n"
-  "              (require-not (subpath profileDir))))\n"
-  "          (allow file-read*\n"
-  "              (profile-subpath \"/extensions\")\n"
-  "              (profile-subpath \"/chrome\")))\n"
-  "        ; we don't have a profile dir\n"
-  "        (allow file-read* (require-not (subpath home-path))))))\n"
-  "\n"
-  "; accelerated graphics\n"
-  "  (allow-shared-preferences-read \"com.apple.opengl\")\n"
-  "  (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
-  "  (allow mach-lookup\n"
-  "      (global-name \"com.apple.cvmsServ\"))\n"
-  "  (allow iokit-open\n"
-  "      (iokit-connection \"IOAccelerator\")\n"
-  "      (iokit-user-client-class \"IOAccelerationUserClient\")\n"
-  "      (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
-  "      (iokit-user-client-class \"IOSurfaceSendRight\")\n"
-  "      (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
-  "      (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
-  "      (iokit-user-client-class \"AGPMClient\")\n"
-  "      (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
-  "      (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
-  "\n"
-  "; bug 1153809\n"
-  "  (allow iokit-open\n"
-  "      (iokit-user-client-class \"NVDVDContextTesla\")\n"
-  "      (iokit-user-client-class \"Gen6DVDContext\"))\n"
-  "\n"
-  "; bug 1201935\n"
-  "  (allow file-read*\n"
-  "      (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
-  "\n"
-  "; bug 1237847\n"
-  "  (allow file-read*\n"
-  "      (subpath appTempDir))\n"
-  "  (allow file-write*\n"
-  "      (subpath appTempDir))\n"
-  "\n"
-  "; bug 1324610\n"
-  "  (allow network-outbound (literal \"/private/var/run/cupsd\"))\n"
-  "\n"
-  "; bug 1303987\n"
-  "  (if (string=? isDebugBuild \"TRUE\")\n"
-  "      (allow file-write* (var-folders-regex \"/\")))\n"
-  ")\n";
-
 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
 {
   std::vector<const char *> params;
   char *profile = NULL;
   bool profile_needs_free = false;
   if (aInfo.type == MacSandboxType_Plugin) {
     profile = const_cast<char *>(pluginSandboxRules);
     params.push_back("SHOULD_LOG");
new file mode 100644
--- /dev/null
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -0,0 +1,341 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_SandboxPolicies_h
+#define mozilla_SandboxPolicies_h
+
+namespace mozilla {
+
+static const char pluginSandboxRules[] = R"(
+  (version 1)
+
+  (define should-log (param "SHOULD_LOG"))
+  (define plugin-binary-path (param "PLUGIN_BINARY_PATH"))
+  (define app-path (param "APP_PATH"))
+  (define app-binary-path (param "APP_BINARY_PATH"))
+
+  (if (string=? should-log "TRUE")
+      (deny default)
+      (deny default (with no-log)))
+
+  (allow signal (target self))
+  (allow sysctl-read)
+  (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
+  (allow mach-lookup
+      (global-name "com.apple.cfprefsd.agent")
+      (global-name "com.apple.cfprefsd.daemon")
+      (global-name "com.apple.system.opendirectoryd.libinfo")
+      (global-name "com.apple.system.logger")
+      (global-name "com.apple.ls.boxd"))
+  (allow file-read*
+      (regex #"^/etc$")
+      (regex #"^/dev/u?random$")
+      (literal "/usr/share/icu/icudt51l.dat")
+      (regex #"^/System/Library/Displays/Overrides/*")
+      (regex #"^/System/Library/CoreServices/CoreTypes.bundle/*")
+      (regex #"^/System/Library/PrivateFrameworks/*")
+      (regex #"^/usr/lib/libstdc\+\+\..*dylib$")
+      (literal plugin-binary-path)
+      (literal app-path)
+      (literal app-binary-path))
+)";
+
+static const char widevinePluginSandboxRulesAddend[] = R"(
+  (allow mach-lookup (global-name "com.apple.windowserver.active"))
+)";
+
+static const char contentSandboxRules[] = R"(
+  (version 1)
+
+      (define should-log (param "SHOULD_LOG"))
+  (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
+  (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
+  (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
+  (define macosMinorVersion-9 (param "MAC_OS_MINOR_9"))
+  (define appPath (param "APP_PATH"))
+  (define appBinaryPath (param "APP_BINARY_PATH"))
+  (define appDir (param "APP_DIR"))
+  (define appTempDir (param "APP_TEMP_DIR"))
+  (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
+  (define profileDir (param "PROFILE_DIR"))
+  (define home-path (param "HOME_PATH"))
+  (define hasFilePrivileges (param "HAS_FILE_PRIVILEGES"))
+  (define isDebugBuild (param "DEBUG_BUILD"))
+
+  ; Allow read access to standard system paths.
+  (allow file-read*
+    (require-all (file-mode #o0004)
+      (require-any (subpath "/Library/Filesystems/NetFSPlugins")
+        (subpath "/System")
+        (subpath "/private/var/db/dyld")
+        (subpath "/usr/lib")
+        (subpath "/usr/share"))))
+
+  (allow file-read-metadata
+    (literal "/etc")
+    (literal "/tmp")
+    (literal "/var")
+    (literal "/private/etc/localtime"))
+
+  ; Allow read access to standard special files.
+  (allow file-read*
+    (literal "/dev/autofs_nowait")
+    (literal "/dev/random")
+    (literal "/dev/urandom"))
+
+  (allow file-read*
+    file-write-data
+    (literal "/dev/null")
+    (literal "/dev/zero"))
+
+  (allow file-read*
+    file-write-data
+    file-ioctl
+    (literal "/dev/dtracehelper"))
+
+  ; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
+  (allow sysctl-read)
+
+  (begin
+    (if (string=? should-log "TRUE")
+      (deny default)
+      (deny default (with no-log)))
+    (debug deny)
+
+    (define resolving-literal literal)
+    (define resolving-subpath subpath)
+    (define resolving-regex regex)
+
+    (define container-path appPath)
+    (define appdir-path appDir)
+    (define var-folders-re "^/private/var/folders/[^/][^/]")
+    (define var-folders2-re (string-append var-folders-re "/[^/]+/[^/]"))
+
+    (define (home-regex home-relative-regex)
+      (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex)))
+    (define (home-subpath home-relative-subpath)
+      (resolving-subpath (string-append home-path home-relative-subpath)))
+    (define (home-literal home-relative-literal)
+      (resolving-literal (string-append home-path home-relative-literal)))
+
+    (define (profile-subpath profile-relative-subpath)
+      (resolving-subpath (string-append profileDir profile-relative-subpath)))
+
+    (define (var-folders-regex var-folders-relative-regex)
+      (resolving-regex (string-append var-folders-re var-folders-relative-regex)))
+    (define (var-folders2-regex var-folders2-relative-regex)
+      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))
+
+    (define (allow-shared-preferences-read domain)
+          (begin
+            (if (defined? `user-preference-read)
+              (allow user-preference-read (preference-domain domain)))
+            (allow file-read*
+                   (home-literal (string-append "/Library/Preferences/" domain ".plist"))
+                   (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$")))
+            ))
+
+    (define (allow-shared-list domain)
+      (allow file-read*
+             (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
+
+    (allow ipc-posix-shm
+        (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
+        (ipc-posix-name-regex "^CFPBS:")
+        (ipc-posix-name-regex "^AudioIO"))
+
+    (allow file-read-metadata
+        (literal "/home")
+        (literal "/net")
+        (regex "^/private/tmp/KSInstallAction\.")
+        (var-folders-regex "/")
+        (home-subpath "/Library"))
+
+    (allow signal (target self))
+    (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL"))
+    (allow iokit-set-properties (iokit-property "IOAudioControlValue"))
+
+    (allow mach-lookup
+        (global-name "com.apple.coreservices.launchservicesd")
+        (global-name "com.apple.coreservices.appleevents")
+        (global-name "com.apple.pasteboard.1")
+        (global-name "com.apple.window_proxies")
+        (global-name "com.apple.windowserver.active")
+        (global-name "com.apple.audio.coreaudiod")
+        (global-name "com.apple.audio.audiohald")
+        (global-name "com.apple.PowerManagement.control")
+        (global-name "com.apple.cmio.VDCAssistant")
+        (global-name "com.apple.SystemConfiguration.configd")
+        (global-name "com.apple.iconservices")
+        (global-name "com.apple.cookied")
+        (global-name "com.apple.cache_delete")
+        (global-name "com.apple.pluginkit.pkd")
+        (global-name "com.apple.bird")
+        (global-name "com.apple.ocspd")
+        (global-name "com.apple.cmio.AppleCameraAssistant")
+        (global-name "com.apple.DesktopServicesHelper"))
+
+  ; bug 1312273
+    (if (string=? macosMinorVersion-9 "TRUE")
+       (allow mach-lookup (global-name "com.apple.xpcd")))
+
+    (allow iokit-open
+        (iokit-user-client-class "IOHIDParamUserClient")
+        (iokit-user-client-class "IOAudioControlUserClient")
+        (iokit-user-client-class "IOAudioEngineUserClient")
+        (iokit-user-client-class "IGAccelDevice")
+        (iokit-user-client-class "nvDevice")
+        (iokit-user-client-class "nvSharedUserClient")
+        (iokit-user-client-class "nvFermiGLContext")
+        (iokit-user-client-class "IGAccelGLContext")
+        (iokit-user-client-class "IGAccelSharedUserClient")
+        (iokit-user-client-class "IGAccelVideoContextMain")
+        (iokit-user-client-class "IGAccelVideoContextMedia")
+        (iokit-user-client-class "IGAccelVideoContextVEBox")
+        (iokit-user-client-class "RootDomainUserClient")
+        (iokit-user-client-class "IOUSBDeviceUserClientV2")
+        (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
+
+  ; depending on systems, the 1st, 2nd or both rules are necessary
+    (allow-shared-preferences-read "com.apple.HIToolbox")
+    (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))
+
+    (allow-shared-preferences-read "com.apple.ATS")
+    (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+    (allow file-read*
+        (subpath "/Library/Fonts")
+        (subpath "/Library/Audio/Plug-Ins")
+        (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
+        (subpath "/Library/Spelling")
+        (literal "/")
+        (literal "/private/tmp")
+        (literal "/private/var/tmp")
+
+        (home-literal "/.CFUserTextEncoding")
+        (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
+        (home-subpath "/Library/Colors")
+        (home-subpath "/Library/Fonts")
+        (home-subpath "/Library/FontCollections")
+        (home-subpath "/Library/Keyboard Layouts")
+        (home-subpath "/Library/Input Methods")
+        (home-subpath "/Library/Spelling")
+        (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype")
+
+        (subpath appdir-path)
+
+        (literal appPath)
+        (literal appBinaryPath))
+
+    (allow-shared-list "org.mozilla.plugincontainer")
+
+  ; the following rule should be removed when microphone access
+  ; is brokered through the content process
+    (allow device-microphone)
+
+    (allow file* (var-folders2-regex "/com\.apple\.IntlDataCache\.le$"))
+    (allow file-read*
+        (var-folders2-regex "/com\.apple\.IconServices/")
+        (var-folders2-regex "/[^/]+\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\.j(s|ar)$"))
+
+    (allow file-write* (var-folders2-regex "/org\.chromium\.[a-zA-Z0-9]*$"))
+
+  ; Per-user and system-wide Extensions dir
+    (allow file-read*
+        (home-regex "/Library/Application Support/[^/]+/Extensions/[^/]/")
+        (resolving-regex "/Library/Application Support/[^/]+/Extensions/[^/]/"))
+
+  ; The following rules impose file access restrictions which get
+  ; more restrictive in higher levels. When file-origin-specific
+  ; content processes are used for file:// origin browsing, the
+  ; global file-read* permission should be removed from each level.
+
+  ; level 1: global read access permitted, no global write access
+    (if (string=? sandbox-level-1 "TRUE") (allow file-read*))
+
+  ; level 2: global read access permitted, no global write access,
+  ;          no read/write access to ~/Library,
+  ;          no read/write access to $PROFILE,
+  ;          read access permitted to $PROFILE/{extensions,chrome}
+    (if (string=? sandbox-level-2 "TRUE")
+      (if (string=? hasFilePrivileges "TRUE")
+        ; This process has blanket file read privileges
+        (allow file-read*)
+        ; This process does not have blanket file read privileges
+        (if (string=? hasProfileDir "TRUE")
+          ; we have a profile dir
+          (begin
+            (allow file-read* (require-all
+                (require-not (home-subpath "/Library"))
+                (require-not (subpath profileDir))))
+            (allow file-read*
+                (profile-subpath "/extensions")
+                (profile-subpath "/chrome")))
+          ; we don't have a profile dir
+          (allow file-read* (require-not (home-subpath "/Library"))))))
+
+  ; level 3: global read access permitted, no global write access,
+  ;          no read access to the home directory,
+  ;          read access permitted to $PROFILE/{extensions,chrome}
+    (if (string=? sandbox-level-3 "TRUE")
+      (if (string=? hasFilePrivileges "TRUE")
+        ; This process has blanket file read privileges
+        (allow file-read*)
+        ; This process does not have blanket file read privileges
+        (if (string=? hasProfileDir "TRUE")
+          ; we have a profile dir
+          (begin
+            (allow file-read* (require-all
+                (require-not (subpath home-path))
+                (require-not (subpath profileDir))))
+            (allow file-read*
+                (profile-subpath "/extensions")
+                (profile-subpath "/chrome")))
+          ; we don't have a profile dir
+          (allow file-read* (require-not (subpath home-path))))))
+
+  ; accelerated graphics
+    (allow-shared-preferences-read "com.apple.opengl")
+    (allow-shared-preferences-read "com.nvidia.OpenGL")
+    (allow mach-lookup
+        (global-name "com.apple.cvmsServ"))
+    (allow iokit-open
+        (iokit-connection "IOAccelerator")
+        (iokit-user-client-class "IOAccelerationUserClient")
+        (iokit-user-client-class "IOSurfaceRootUserClient")
+        (iokit-user-client-class "IOSurfaceSendRight")
+        (iokit-user-client-class "IOFramebufferSharedUserClient")
+        (iokit-user-client-class "AppleSNBFBUserClient")
+        (iokit-user-client-class "AGPMClient")
+        (iokit-user-client-class "AppleGraphicsControlClient")
+        (iokit-user-client-class "AppleGraphicsPolicyClient"))
+
+  ; bug 1153809
+    (allow iokit-open
+        (iokit-user-client-class "NVDVDContextTesla")
+        (iokit-user-client-class "Gen6DVDContext"))
+
+  ; bug 1201935
+    (allow file-read*
+        (home-subpath "/Library/Caches/TemporaryItems"))
+
+  ; bug 1237847
+    (allow file-read*
+        (subpath appTempDir))
+    (allow file-write*
+        (subpath appTempDir))
+
+  ; bug 1324610
+    (allow network-outbound (literal "/private/var/run/cupsd"))
+
+  ; bug 1303987
+    (if (string=? isDebugBuild "TRUE")
+        (allow file-write* (var-folders-regex "/")))
+  )
+)";
+
+}
+
+#endif // mozilla_SandboxPolicies_h
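Review bot: The three raw string literals use the bare `R"(` … `)"` delimiter, so any future rule containing the two-character sequence `)"` (a quoted argument followed by a closing paren is common in this profile syntax) would terminate the literal early and break the build in a confusing way; a tagged delimiter such as `static const char contentSandboxRules[] = R"SANDBOX(` closed with `)SANDBOX";` for each of the three arrays removes that hazard at no cost. Line `      (define should-log (param "SHOULD_LOG"))` in contentSandboxRules carries an extra four spaces of indent relative to its siblings, which is harmless to the profile parser but reads as a paste error and should match the surrounding `(define ...)` lines. The header would also benefit from a short comment above the arrays stating that these are the sandbox profiles applied to the plugin and content processes, that each `(param "NAME")` reference must match a key pushed into the parameter list by StartMacSandbox in Sandbox.mm (as `params.push_back("SHOULD_LOG")` does), and that the leading newline and indentation introduced by the raw-string form are intentional and ignored by the profile parser.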
--- a/security/sandbox/mac/moz.build
+++ b/security/sandbox/mac/moz.build
@@ -1,15 +1,16 @@
 # -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 EXPORTS.mozilla += [
     'Sandbox.h',
+    'SandboxPolicies.h'
 ]
 
 SOURCES += [
     'Sandbox.mm',
 ]
 
 Library('mozsandbox');
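Review bot: The new entry `'SandboxPolicies.h'` in EXPORTS.mozilla is missing the trailing comma that this file otherwise uses for list items (`'Sandbox.mm',` in SOURCES), so the next header added to the list will have to touch this line too; write it as `    'SandboxPolicies.h',`. Exporting the header also publishes the raw policy text under mozilla/, which is only needed if code outside this directory includes it — if it is only consumed by Sandbox.mm via Sandbox.h, it need not be exported at all.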