Bug 1272772 - Inline system.sb and remove unneeded rules (inline system.sb rules); r=gcp
authorHaik Aftandilian <haftandilian@mozilla.com>
Wed, 01 Jun 2016 15:40:00 +0200
changeset 341568 b01ae5885b0b81fa638f368739e1a7ce12ad4025
parent 341567 a22e275b759faeda830d2efa9985c3c9609bbde0
child 341569 fe9c2571c13008ea72fc902dd1d0eca9d0f7b910
push id1183
push userraliiev@mozilla.com
push dateMon, 05 Sep 2016 20:01:49 +0000
reviewersgcp
bugs1272772
milestone49.0a1
Bug 1272772 - Inline system.sb and remove unneeded rules (inline system.sb rules); r=gcp
security/sandbox/mac/Sandbox.mm
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -160,17 +160,155 @@ static const char contentSandboxRules[] 
   "(define sandbox-level %d)\n"
   "(define macosMinorVersion %d)\n"
   "(define appPath \"%s\")\n"
   "(define appBinaryPath \"%s\")\n"
   "(define appDir \"%s\")\n"
   "(define appTempDir \"%s\")\n"
   "(define home-path \"%s\")\n"
   "\n"
-  "(import \"/System/Library/Sandbox/Profiles/system.sb\")\n"
+  "; -------- START system.sb -------- \n"
+  "(version 1)\n"
+  "\n"
+  ";;; Allow registration of per-pid services.\n"
+  "(allow mach-register\n"
+  "  (local-name-regex #\"\"))\n"
+  "\n"
+  ";;; Allow read access to standard system paths.\n"
+  "(allow file-read*\n"
+  "  (require-all (file-mode #o0004)\n"
+  "    (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
+  "      (subpath \"/System\")\n"
+  "      (subpath \"/private/var/db/dyld\")\n"
+  "      (subpath \"/usr/lib\")\n"
+  "      (subpath \"/usr/share\"))))\n"
+  "\n"
+  "(allow file-read-metadata\n"
+  "  (literal \"/etc\")\n"
+  "  (literal \"/tmp\")\n"
+  "  (literal \"/var\")\n"
+  "  (literal \"/private/etc/localtime\"))\n"
+  "\n"
+  ";;; Allow access to standard special files.\n"
+  "(allow file-read*\n"
+  "  (literal \"/dev/autofs_nowait\")\n"
+  "  (literal \"/dev/random\")\n"
+  "  (literal \"/dev/urandom\")\n"
+  "  (literal \"/private/etc/master.passwd\")\n"
+  "  (literal \"/private/etc/passwd\"))\n"
+  "\n"
+  "(allow file-read*\n"
+  "  file-write-data\n"
+  "  (literal \"/dev/null\")\n"
+  "  (literal \"/dev/zero\"))\n"
+  "\n"
+  "(allow file-read*\n"
+  "  file-write-data\n"
+  "  file-ioctl\n"
+  "  (literal \"/dev/dtracehelper\"))\n"
+  "\n"
+  "(allow network-outbound\n"
+  "  (literal \"/private/var/run/asl_input\")\n"
+  "  (literal \"/private/var/run/syslog\"))\n"
+  "\n"
+  ";;; Allow creation of core dumps.\n"
+  "(allow file-write-create\n"
+  "  (require-all (regex #\"^/cores/\")\n"
+  "    (vnode-type REGULAR-FILE)))\n"
+  "\n"
+  ";;; Allow IPC to standard system agents.\n"
+  "(allow ipc-posix-shm-read*\n"
+  "  (ipc-posix-name #\"apple.shm.notification_center\")\n"
+  "  (ipc-posix-name-regex #\"^apple\.shm\.cfprefsd\.\"))\n"
+  "\n"
+  "(allow mach-lookup\n"
+  "  (global-name \"com.apple.appsleep\")\n"
+  "  (global-name \"com.apple.bsd.dirhelper\")\n"
+  "  (global-name \"com.apple.cfprefsd.agent\")\n"
+  "  (global-name \"com.apple.cfprefsd.daemon\")\n"
+  "  (global-name \"com.apple.diagnosticd\")\n"
+  "  (global-name \"com.apple.espd\")\n"
+  "  (global-name \"com.apple.secinitd\")\n"
+  "  (global-name \"com.apple.system.DirectoryService.libinfo_v1\")\n"
+  "  (global-name \"com.apple.system.logger\")\n"
+  "  (global-name \"com.apple.system.notification_center\")\n"
+  "  (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
+  "  (global-name \"com.apple.system.opendirectoryd.membership\")\n"
+  "  (global-name \"com.apple.trustd\")\n"
+  "  (global-name \"com.apple.trustd.agent\")\n"
+  "  (global-name \"com.apple.xpc.activity.unmanaged\")\n"
+  "  (global-name \"com.apple.xpcd\")\n"
+  "  (local-name \"com.apple.cfprefsd.agent\"))\n"
+  "\n"
+  ";;; Allow mostly harmless operations.\n"
+  "(allow sysctl-read)\n"
+  "\n"
+  ";;; (system-graphics) - Allow access to graphics hardware.\n"
+  "(define (system-graphics)\n"
+  "  ;; Preferences\n"
+  "  (allow user-preference-read\n"
+  "    (preference-domain \"com.apple.opengl\")\n"
+  "    (preference-domain \"com.nvidia.OpenGL\"))\n"
+  "  ;; OpenGL memory debugging\n"
+  "  (allow mach-lookup\n"
+  "    (global-name \"com.apple.gpumemd.source\"))\n"
+  "  ;; CVMS\n"
+  "  (allow mach-lookup\n"
+  "    (global-name \"com.apple.cvmsServ\"))\n"
+  "  ;; OpenCL\n"
+  "  (allow iokit-open\n"
+  "    (iokit-connection \"IOAccelerator\")\n"
+  "    (iokit-user-client-class \"IOAccelerationUserClient\")\n"
+  "    (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
+  "    (iokit-user-client-class \"IOSurfaceSendRight\"))\n"
+  "  ;; CoreVideo CVCGDisplayLink\n"
+  "  (allow iokit-open\n"
+  "    (iokit-user-client-class \"IOFramebufferSharedUserClient\"))\n"
+  "  ;; H.264 Acceleration\n"
+  "  (allow iokit-open\n"
+  "    (iokit-user-client-class \"AppleSNBFBUserClient\"))\n"
+  "  ;; QuartzCore\n"
+  "  (allow iokit-open\n"
+  "    (iokit-user-client-class \"AGPMClient\")\n"
+  "    (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
+  "    (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
+  "  ;; OpenGL\n"
+  "  (allow iokit-open\n"
+  "    (iokit-user-client-class \"AppleMGPUPowerControlClient\"))\n"
+  "  ;; DisplayServices\n"
+  "  (allow iokit-set-properties\n"
+  "    (require-all (iokit-connection \"IODisplay\")\n"
+  "      (require-any (iokit-property \"brightness\")\n"
+  "        (iokit-property \"linear-brightness\")\n"
+  "        (iokit-property \"commit\")\n"
+  "        (iokit-property \"rgcs\")\n"
+  "        (iokit-property \"ggcs\")\n"
+  "        (iokit-property \"bgcs\")))))\n"
+  "\n"
+  ";;; (system-network) - Allow access to the network.\n"
+  "(define (system-network)\n"
+  "  (allow file-read*\n"
+  "     (literal \"/Library/Preferences/com.apple.networkd.plist\"))\n"
+  "  (allow mach-lookup\n"
+  "     (global-name \"com.apple.SystemConfiguration.PPPController\")\n"
+  "     (global-name \"com.apple.SystemConfiguration.SCNetworkReachability\")\n"
+  "     (global-name \"com.apple.nehelper\")\n"
+  "     (global-name \"com.apple.networkd\")\n"
+  "     (global-name \"com.apple.nsurlstorage-cache\")\n"
+  "     (global-name \"com.apple.symptomsd\")\n"
+  "     (global-name \"com.apple.usymptomsd\"))\n"
+  "  (allow network-outbound\n"
+  "     (control-name \"com.apple.netsrc\")\n"
+  "     (control-name \"com.apple.network.statistics\"))\n"
+  "  (allow system-socket\n"
+  "     (require-all (socket-domain AF_SYSTEM)\n"
+  "       (socket-protocol 2)) ; SYSPROTO_CONTROL\n"
+  "     (socket-domain AF_ROUTE)))\n"
+  "\n"
+  "; -------- END system.sb -------- \n"
   "\n"
   "(if \n"
   "  (or\n"
   "    (< macosMinorVersion 9)\n"
   "    (< sandbox-level 1))\n"
   "  (allow default)\n"
   "  (begin\n"
   "    (deny default)\n"
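Review bot: The `ipc-posix-name-regex` rule writes `\.` inside a C string literal, so the backslash is consumed by the compiler as an unknown escape sequence (normally a warning, emitted as a bare `.`) and the sandbox compiler receives `^apple.shm.cfprefsd.`, where each dot matches any character rather than a literal dot; the line should double the backslashes, `"  (ipc-posix-name-regex #\"^apple\\.shm\\.cfprefsd\\.\"))\n"`. The other regex literals added in this hunk, `(local-name-regex #\"\")` and `(regex #\"^/cores/\")`, contain no backslashes and are unaffected. Given that the commit's stated purpose is to drop rules the content process does not need, the retained `file-write-create` grant under `^/cores/` deserves a second look too, since it is the only write-create permission this hunk introduces; whether the content process relies on core dumps cannot be judged from the hunk alone. The enclosing `contentSandboxRules` string literal begins before this hunk and continues after it.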