Bug 1272764 - Remove OS X 10.6-10.8-Specific Sandboxing Code (fix indentation); r=bobowen
authorHaik Aftandilian <haftandilian@mozilla.com>
Mon, 06 Jun 2016 13:15:00 +0200
changeset 376188 4f1b49de286936fa27c74249e2ed1fcdd9c542d9
parent 376187 4ffe615e05a8e86b4a42d65b20701eeef7329791
child 376189 52c23e12438cfc1909cca15eafec9c103c909819
push id20510
push usercholler@mozilla.com
push dateTue, 07 Jun 2016 13:42:30 +0000
reviewersbobowen
bugs1272764
milestone50.0a1
Bug 1272764 - Remove OS X 10.6-10.8-Specific Sandboxing Code (fix indentation); r=bobowen
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -204,277 +204,277 @@ static const char contentSandboxRules[] 
   "  (global-name \"com.apple.trustd.agent\")\n"
   "  (global-name \"com.apple.xpc.activity.unmanaged\")\n"
   "  (global-name \"com.apple.xpcd\")\n"
   "  (local-name \"com.apple.cfprefsd.agent\"))\n"
   "\n"
   "; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"
   "(allow sysctl-read)\n"
   "\n"
-  "  (begin\n"
-  "    (deny default)\n"
-  "    (debug deny)\n"
+  "(begin\n"
+  "  (deny default)\n"
+  "  (debug deny)\n"
   "\n"
-  "    (define resolving-literal literal)\n"
-  "    (define resolving-subpath subpath)\n"
-  "    (define resolving-regex regex)\n"
+  "  (define resolving-literal literal)\n"
+  "  (define resolving-subpath subpath)\n"
+  "  (define resolving-regex regex)\n"
   "\n"
-  "    (define container-path appPath)\n"
-  "    (define appdir-path appDir)\n"
-  "    (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
-  "    (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
+  "  (define container-path appPath)\n"
+  "  (define appdir-path appDir)\n"
+  "  (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
+  "  (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
   "\n"
-  "    (define (home-regex home-relative-regex)\n"
-  "      (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
-  "    (define (home-subpath home-relative-subpath)\n"
-  "      (resolving-subpath (string-append home-path home-relative-subpath)))\n"
-  "    (define (home-literal home-relative-literal)\n"
-  "      (resolving-literal (string-append home-path home-relative-literal)))\n"
+  "  (define (home-regex home-relative-regex)\n"
+  "    (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
+  "  (define (home-subpath home-relative-subpath)\n"
+  "    (resolving-subpath (string-append home-path home-relative-subpath)))\n"
+  "  (define (home-literal home-relative-literal)\n"
+  "    (resolving-literal (string-append home-path home-relative-literal)))\n"
   "\n"
-  "    (define (container-regex container-relative-regex)\n"
-  "      (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
-  "    (define (container-subpath container-relative-subpath)\n"
-  "      (resolving-subpath (string-append container-path container-relative-subpath)))\n"
-  "    (define (container-literal container-relative-literal)\n"
-  "      (resolving-literal (string-append container-path container-relative-literal)))\n"
+  "  (define (container-regex container-relative-regex)\n"
+  "    (resolving-regex (string-append \"^\" (regex-quote container-path) container-relative-regex)))\n"
+  "  (define (container-subpath container-relative-subpath)\n"
+  "    (resolving-subpath (string-append container-path container-relative-subpath)))\n"
+  "  (define (container-literal container-relative-literal)\n"
+  "    (resolving-literal (string-append container-path container-relative-literal)))\n"
   "\n"
-  "    (define (var-folders-regex var-folders-relative-regex)\n"
-  "      (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
-  "    (define (var-folders2-regex var-folders2-relative-regex)\n"
-  "      (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
+  "  (define (var-folders-regex var-folders-relative-regex)\n"
+  "    (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
+  "  (define (var-folders2-regex var-folders2-relative-regex)\n"
+  "    (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
   "\n"
-  "    (define (appdir-regex appdir-relative-regex)\n"
-  "      (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
-  "    (define (appdir-subpath appdir-relative-subpath)\n"
-  "      (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
-  "    (define (appdir-literal appdir-relative-literal)\n"
-  "      (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
+  "  (define (appdir-regex appdir-relative-regex)\n"
+  "    (resolving-regex (string-append \"^\" (regex-quote appdir-path) appdir-relative-regex)))\n"
+  "  (define (appdir-subpath appdir-relative-subpath)\n"
+  "    (resolving-subpath (string-append appdir-path appdir-relative-subpath)))\n"
+  "  (define (appdir-literal appdir-relative-literal)\n"
+  "    (resolving-literal (string-append appdir-path appdir-relative-literal)))\n"
   "\n"
-  "    (define (allow-shared-preferences-read domain)\n"
-  "          (begin\n"
-  "            (if (defined? `user-preference-read)\n"
-  "              (allow user-preference-read (preference-domain domain)))\n"
-  "            (allow file-read*\n"
-  "                   (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
-  "                   (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n"
-  "            ))\n"
+  "  (define (allow-shared-preferences-read domain)\n"
+  "        (begin\n"
+  "          (if (defined? `user-preference-read)\n"
+  "            (allow user-preference-read (preference-domain domain)))\n"
+  "          (allow file-read*\n"
+  "                 (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
+  "                 (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n"
+  "          ))\n"
   "\n"
-  "    (define (allow-shared-list domain)\n"
-  "      (allow file-read*\n"
-  "             (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
+  "  (define (allow-shared-list domain)\n"
+  "    (allow file-read*\n"
+  "           (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
   "\n"
-  "    (allow file-read-metadata)\n"
+  "  (allow file-read-metadata)\n"
   "\n"
-  "    (allow ipc-posix-shm\n"
-  "        (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
-  "        (ipc-posix-name-regex \"^CFPBS:\")\n"
-  "        (ipc-posix-name-regex \"^AudioIO\"))\n"
+  "  (allow ipc-posix-shm\n"
+  "      (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
+  "      (ipc-posix-name-regex \"^CFPBS:\")\n"
+  "      (ipc-posix-name-regex \"^AudioIO\"))\n"
   "\n"
-  "    (allow file-read-metadata\n"
-  "        (literal \"/home\")\n"
-  "        (literal \"/net\")\n"
-  "        (regex \"^/private/tmp/KSInstallAction\\.\")\n"
-  "        (var-folders-regex \"/\")\n"
-  "        (home-subpath \"/Library\"))\n"
+  "  (allow file-read-metadata\n"
+  "      (literal \"/home\")\n"
+  "      (literal \"/net\")\n"
+  "      (regex \"^/private/tmp/KSInstallAction\\.\")\n"
+  "      (var-folders-regex \"/\")\n"
+  "      (home-subpath \"/Library\"))\n"
   "\n"
-  "    (allow signal (target self))\n"
-  "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
-  "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
+  "  (allow signal (target self))\n"
+  "  (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
+  "  (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
   "\n"
-  "    (allow mach-lookup\n"
-  "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
-  "        (global-name \"com.apple.coreservices.appleevents\")\n"
-  "        (global-name \"com.apple.pasteboard.1\")\n"
-  "        (global-name \"com.apple.window_proxies\")\n"
-  "        (global-name \"com.apple.windowserver.active\")\n"
-  "        (global-name \"com.apple.audio.coreaudiod\")\n"
-  "        (global-name \"com.apple.audio.audiohald\")\n"
-  "        (global-name \"com.apple.PowerManagement.control\")\n"
-  "        (global-name \"com.apple.cmio.VDCAssistant\")\n"
-  "        (global-name \"com.apple.SystemConfiguration.configd\")\n"
-  "        (global-name \"com.apple.iconservices\")\n"
-  "        (global-name \"com.apple.cookied\")\n"
-  "        (global-name \"com.apple.printuitool.agent\")\n"
-  "        (global-name \"com.apple.printtool.agent\")\n"
-  "        (global-name \"com.apple.cache_delete\")\n"
-  "        (global-name \"com.apple.pluginkit.pkd\")\n"
-  "        (global-name \"com.apple.bird\")\n"
-  "        (global-name \"com.apple.ocspd\")\n"
-  "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
-  "        (global-name \"com.apple.DesktopServicesHelper\")\n"
-  "        (global-name \"com.apple.printtool.daemon\"))\n"
+  "  (allow mach-lookup\n"
+  "      (global-name \"com.apple.coreservices.launchservicesd\")\n"
+  "      (global-name \"com.apple.coreservices.appleevents\")\n"
+  "      (global-name \"com.apple.pasteboard.1\")\n"
+  "      (global-name \"com.apple.window_proxies\")\n"
+  "      (global-name \"com.apple.windowserver.active\")\n"
+  "      (global-name \"com.apple.audio.coreaudiod\")\n"
+  "      (global-name \"com.apple.audio.audiohald\")\n"
+  "      (global-name \"com.apple.PowerManagement.control\")\n"
+  "      (global-name \"com.apple.cmio.VDCAssistant\")\n"
+  "      (global-name \"com.apple.SystemConfiguration.configd\")\n"
+  "      (global-name \"com.apple.iconservices\")\n"
+  "      (global-name \"com.apple.cookied\")\n"
+  "      (global-name \"com.apple.printuitool.agent\")\n"
+  "      (global-name \"com.apple.printtool.agent\")\n"
+  "      (global-name \"com.apple.cache_delete\")\n"
+  "      (global-name \"com.apple.pluginkit.pkd\")\n"
+  "      (global-name \"com.apple.bird\")\n"
+  "      (global-name \"com.apple.ocspd\")\n"
+  "      (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
+  "      (global-name \"com.apple.DesktopServicesHelper\")\n"
+  "      (global-name \"com.apple.printtool.daemon\"))\n"
   "\n"
-  "    (allow iokit-open\n"
-  "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
-  "        (iokit-user-client-class \"IOAudioControlUserClient\")\n"
-  "        (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
-  "        (iokit-user-client-class \"IGAccelDevice\")\n"
-  "        (iokit-user-client-class \"nvDevice\")\n"
-  "        (iokit-user-client-class \"nvSharedUserClient\")\n"
-  "        (iokit-user-client-class \"nvFermiGLContext\")\n"
-  "        (iokit-user-client-class \"IGAccelGLContext\")\n"
-  "        (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
-  "        (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
-  "        (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
-  "        (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
-  "        (iokit-user-client-class \"RootDomainUserClient\")\n"
-  "        (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
-  "        (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
+  "  (allow iokit-open\n"
+  "      (iokit-user-client-class \"IOHIDParamUserClient\")\n"
+  "      (iokit-user-client-class \"IOAudioControlUserClient\")\n"
+  "      (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
+  "      (iokit-user-client-class \"IGAccelDevice\")\n"
+  "      (iokit-user-client-class \"nvDevice\")\n"
+  "      (iokit-user-client-class \"nvSharedUserClient\")\n"
+  "      (iokit-user-client-class \"nvFermiGLContext\")\n"
+  "      (iokit-user-client-class \"IGAccelGLContext\")\n"
+  "      (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
+  "      (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
+  "      (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
+  "      (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
+  "      (iokit-user-client-class \"RootDomainUserClient\")\n"
+  "      (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
+  "      (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
   "\n"
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
-  "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
-  "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
+  "  (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
+  "  (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
   "\n"
-  "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
-  "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
+  "  (allow-shared-preferences-read \"com.apple.ATS\")\n"
+  "  (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
   "\n"
-  "    (allow file-read*\n"
-  "        (subpath \"/Library/Fonts\")\n"
-  "        (subpath \"/Library/Audio/Plug-Ins\")\n"
-  "        (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
-  "        (subpath \"/Library/Spelling\")\n"
-  "        (subpath \"/private/etc/cups/ppd\")\n"
-  "        (subpath \"/private/var/run/cupsd\")\n"
-  "        (literal \"/\")\n"
-  "        (literal \"/private/tmp\")\n"
-  "        (literal \"/private/var/tmp\")\n"
+  "  (allow file-read*\n"
+  "      (subpath \"/Library/Fonts\")\n"
+  "      (subpath \"/Library/Audio/Plug-Ins\")\n"
+  "      (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
+  "      (subpath \"/Library/Spelling\")\n"
+  "      (subpath \"/private/etc/cups/ppd\")\n"
+  "      (subpath \"/private/var/run/cupsd\")\n"
+  "      (literal \"/\")\n"
+  "      (literal \"/private/tmp\")\n"
+  "      (literal \"/private/var/tmp\")\n"
   "\n"
-  "        (home-literal \"/.CFUserTextEncoding\")\n"
-  "        (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
-  "        (home-subpath \"/Library/Colors\")\n"
-  "        (home-subpath \"/Library/Fonts\")\n"
-  "        (home-subpath \"/Library/FontCollections\")\n"
-  "        (home-subpath \"/Library/Keyboard Layouts\")\n"
-  "        (home-subpath \"/Library/Input Methods\")\n"
-  "        (home-subpath \"/Library/PDF Services\")\n"
-  "        (home-subpath \"/Library/Spelling\")\n"
+  "      (home-literal \"/.CFUserTextEncoding\")\n"
+  "      (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
+  "      (home-subpath \"/Library/Colors\")\n"
+  "      (home-subpath \"/Library/Fonts\")\n"
+  "      (home-subpath \"/Library/FontCollections\")\n"
+  "      (home-subpath \"/Library/Keyboard Layouts\")\n"
+  "      (home-subpath \"/Library/Input Methods\")\n"
+  "      (home-subpath \"/Library/PDF Services\")\n"
+  "      (home-subpath \"/Library/Spelling\")\n"
   "\n"
-  "        (subpath appdir-path)\n"
+  "      (subpath appdir-path)\n"
   "\n"
-  "        (literal appPath)\n"
-  "        (literal appBinaryPath))\n"
+  "      (literal appPath)\n"
+  "      (literal appBinaryPath))\n"
   "\n"
-  "    (allow-shared-list \"org.mozilla.plugincontainer\")\n"
+  "  (allow-shared-list \"org.mozilla.plugincontainer\")\n"
   "\n"
   "; the following 2 rules should be removed when microphone and camera access\n"
   "; are brokered through the content process\n"
-  "    (allow device-microphone)\n"
-  "    (allow device-camera)\n"
+  "  (allow device-microphone)\n"
+  "  (allow device-camera)\n"
   "\n"
-  "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
-  "    (allow file-read*\n"
-  "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
-  "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
+  "  (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
+  "  (allow file-read*\n"
+  "      (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
+  "      (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
   "\n"
-  "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
-  "    (allow file-read*\n"
-  "        (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
-  "        (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
-  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n"
-  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n"
+  "  (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
+  "  (allow file-read*\n"
+  "      (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
+  "      (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
+  "      (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\")\n"
+  "      (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/weave/\"))\n"
   "\n"
   "; the following rules should be removed when printing and \n"
   "; opening a file from disk are brokered through the main process\n"
-  "    (if\n"
-  "      (< sandbox-level 2)\n"
-  "      (allow file*\n"
-  "          (require-not\n"
-  "              (home-subpath \"/Library\")))\n"
-  "      (allow file*\n"
-  "          (require-all\n"
-  "              (subpath home-path)\n"
-  "              (require-not\n"
-  "                  (home-subpath \"/Library\")))))\n"
+  "  (if\n"
+  "    (< sandbox-level 2)\n"
+  "    (allow file*\n"
+  "        (require-not\n"
+  "            (home-subpath \"/Library\")))\n"
+  "    (allow file*\n"
+  "        (require-all\n"
+  "            (subpath home-path)\n"
+  "            (require-not\n"
+  "                (home-subpath \"/Library\")))))\n"
   "\n"
   "; printing\n"
-  "    (allow authorization-right-obtain\n"
-  "           (right-name \"system.print.operator\")\n"
-  "           (right-name \"system.printingmanager\"))\n"
-  "    (allow mach-lookup\n"
-  "           (global-name \"com.apple.printuitool.agent\")\n"
-  "           (global-name \"com.apple.printtool.agent\")\n"
-  "           (global-name \"com.apple.printtool.daemon\")\n"
-  "           (global-name \"com.apple.sharingd\")\n"
-  "           (global-name \"com.apple.metadata.mds\")\n"
-  "           (global-name \"com.apple.mtmd.xpc\")\n"
-  "           (global-name \"com.apple.FSEvents\")\n"
-  "           (global-name \"com.apple.locum\")\n"
-  "           (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n"
-  "    (allow file-read*\n"
-  "           (home-literal \"/.cups/lpoptions\")\n"
-  "           (home-literal \"/.cups/client.conf\")\n"
-  "           (literal \"/private/etc/cups/lpoptions\")\n"
-  "           (literal \"/private/etc/cups/client.conf\")\n"
-  "           (subpath \"/private/etc/cups/ppd\")\n"
-  "           (literal \"/private/var/run/cupsd\"))\n"
-  "    (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n"
-  "    (allow-shared-preferences-read \"com.apple.finder\")\n"
-  "    (allow-shared-preferences-read \"com.apple.LaunchServices\")\n"
-  "    (allow-shared-preferences-read \".GlobalPreferences\")\n"
-  "    (allow network-outbound\n"
-  "        (literal \"/private/var/run/cupsd\")\n"
-  "        (literal \"/private/var/run/mDNSResponder\"))\n"
+  "  (allow authorization-right-obtain\n"
+  "         (right-name \"system.print.operator\")\n"
+  "         (right-name \"system.printingmanager\"))\n"
+  "  (allow mach-lookup\n"
+  "         (global-name \"com.apple.printuitool.agent\")\n"
+  "         (global-name \"com.apple.printtool.agent\")\n"
+  "         (global-name \"com.apple.printtool.daemon\")\n"
+  "         (global-name \"com.apple.sharingd\")\n"
+  "         (global-name \"com.apple.metadata.mds\")\n"
+  "         (global-name \"com.apple.mtmd.xpc\")\n"
+  "         (global-name \"com.apple.FSEvents\")\n"
+  "         (global-name \"com.apple.locum\")\n"
+  "         (global-name \"com.apple.ImageCaptureExtension2.presence\"))\n"
+  "  (allow file-read*\n"
+  "         (home-literal \"/.cups/lpoptions\")\n"
+  "         (home-literal \"/.cups/client.conf\")\n"
+  "         (literal \"/private/etc/cups/lpoptions\")\n"
+  "         (literal \"/private/etc/cups/client.conf\")\n"
+  "         (subpath \"/private/etc/cups/ppd\")\n"
+  "         (literal \"/private/var/run/cupsd\"))\n"
+  "  (allow-shared-preferences-read \"org.cups.PrintingPrefs\")\n"
+  "  (allow-shared-preferences-read \"com.apple.finder\")\n"
+  "  (allow-shared-preferences-read \"com.apple.LaunchServices\")\n"
+  "  (allow-shared-preferences-read \".GlobalPreferences\")\n"
+  "  (allow network-outbound\n"
+  "      (literal \"/private/var/run/cupsd\")\n"
+  "      (literal \"/private/var/run/mDNSResponder\"))\n"
   "\n"
   "; print preview\n"
-  "    (if (> macosMinorVersion 9)\n"
-  "        (allow lsopen))\n"
-  "    (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n"
-  "    (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n"
-  "    (allow mach-task-name)\n"
-  "    (allow mach-register)\n"
-  "    (allow file-read-data\n"
-  "        (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n"
-  "        (subpath \"/Library/PDF Services\")\n"
-  "        (subpath \"/Applications/Preview.app\")\n"
-  "        (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n"
-  "    (allow mach-lookup\n"
-  "        (global-name \"com.apple.pbs.fetch_services\")\n"
-  "        (global-name \"com.apple.tsm.uiserver\")\n"
-  "        (global-name \"com.apple.ls.boxd\")\n"
-  "        (global-name \"com.apple.coreservices.quarantine-resolver\")\n"
-  "        (global-name-regex \"_OpenStep$\"))\n"
-  "    (allow appleevent-send\n"
-  "        (appleevent-destination \"com.apple.preview\")\n"
-  "        (appleevent-destination \"com.apple.imagecaptureextension2\"))\n"
+  "  (if (> macosMinorVersion 9)\n"
+  "      (allow lsopen))\n"
+  "  (allow file-write* file-issue-extension (var-folders2-regex \"/\"))\n"
+  "  (allow file-read-xattr (literal \"/Applications/Preview.app\"))\n"
+  "  (allow mach-task-name)\n"
+  "  (allow mach-register)\n"
+  "  (allow file-read-data\n"
+  "      (regex \"^/Library/Printers/[^/]+/PDEs/[^/]+.plugin\")\n"
+  "      (subpath \"/Library/PDF Services\")\n"
+  "      (subpath \"/Applications/Preview.app\")\n"
+  "      (home-literal \"/Library/Preferences/com.apple.ServicesMenu.Services.plist\"))\n"
+  "  (allow mach-lookup\n"
+  "      (global-name \"com.apple.pbs.fetch_services\")\n"
+  "      (global-name \"com.apple.tsm.uiserver\")\n"
+  "      (global-name \"com.apple.ls.boxd\")\n"
+  "      (global-name \"com.apple.coreservices.quarantine-resolver\")\n"
+  "      (global-name-regex \"_OpenStep$\"))\n"
+  "  (allow appleevent-send\n"
+  "      (appleevent-destination \"com.apple.preview\")\n"
+  "      (appleevent-destination \"com.apple.imagecaptureextension2\"))\n"
   "\n"
   "; accelerated graphics\n"
-  "    (allow-shared-preferences-read \"com.apple.opengl\")\n"
-  "    (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
-  "    (allow mach-lookup\n"
-  "        (global-name \"com.apple.cvmsServ\"))\n"
-  "    (allow iokit-open\n"
-  "        (iokit-connection \"IOAccelerator\")\n"
-  "        (iokit-user-client-class \"IOAccelerationUserClient\")\n"
-  "        (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
-  "        (iokit-user-client-class \"IOSurfaceSendRight\")\n"
-  "        (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
-  "        (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
-  "        (iokit-user-client-class \"AGPMClient\")\n"
-  "        (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
-  "        (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
+  "  (allow-shared-preferences-read \"com.apple.opengl\")\n"
+  "  (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
+  "  (allow mach-lookup\n"
+  "      (global-name \"com.apple.cvmsServ\"))\n"
+  "  (allow iokit-open\n"
+  "      (iokit-connection \"IOAccelerator\")\n"
+  "      (iokit-user-client-class \"IOAccelerationUserClient\")\n"
+  "      (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
+  "      (iokit-user-client-class \"IOSurfaceSendRight\")\n"
+  "      (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
+  "      (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
+  "      (iokit-user-client-class \"AGPMClient\")\n"
+  "      (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
+  "      (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
   "\n"
   "; bug 1153809\n"
-  "    (allow iokit-open\n"
-  "        (iokit-user-client-class \"NVDVDContextTesla\")\n"
-  "        (iokit-user-client-class \"Gen6DVDContext\"))\n"
+  "  (allow iokit-open\n"
+  "      (iokit-user-client-class \"NVDVDContextTesla\")\n"
+  "      (iokit-user-client-class \"Gen6DVDContext\"))\n"
   "\n"
   "; bug 1190032\n"
-  "    (allow file*\n"
-  "        (home-regex \"/Library/Caches/TemporaryItems/plugtmp.*\"))\n"
+  "  (allow file*\n"
+  "      (home-regex \"/Library/Caches/TemporaryItems/plugtmp.*\"))\n"
   "\n"
   "; bug 1201935\n"
-  "    (allow file-read*\n"
-  "        (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
+  "  (allow file-read*\n"
+  "      (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
   "\n"
   "; bug 1237847\n"
-  "    (allow file-read*\n"
-  "        (subpath appTempDir))\n"
-  "    (allow file-write*\n"
-  "        (subpath appTempDir))\n"
-  "  )\n";
+  "  (allow file-read*\n"
+  "      (subpath appTempDir))\n"
+  "  (allow file-write*\n"
+  "      (subpath appTempDir))\n"
+  ")\n";
 
 bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
 {
   char *profile = NULL;
   if (aInfo.type == MacSandboxType_Plugin) {
     asprintf(&profile, pluginSandboxRules,
              aInfo.pluginInfo.pluginBinaryPath.c_str(),
              aInfo.appPath.c_str(),
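Review bot: Two path regexes on the re-indented lines are looser than their neighbours, and because this patch only shifts whitespace inside the `contentSandboxRules` string (which begins above the hunk) they are carried over unchanged. In the `file-read*` extensions rule, `(resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")` has no leading `^`. Assuming unanchored patterns match anywhere in a path, as the explicit `^` in the other rules suggests, it is not limited to the system-wide `/Library`; if that is the intent, the pattern should start with `\"^/Library/Application Support/`. In the print-preview `file-read-data` rule, `[^/]+.plugin` leaves the dot unescaped where other patterns in this profile write `\\.`, so `[^/]+\\.plugin` would restrict the match to a literal `.plugin` name. Both are better handled in a follow-up than in this whitespace-only patch.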