/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef mozilla_SandboxPolicyContent_h
#define mozilla_SandboxPolicyContent_h

// Upper bound on the number of extra read-only paths a test harness may hand
// to the content sandbox. The profile below declares exactly this many
// TESTING_READ_PATH<n> parameters and matching (when ...) rules, so this value
// and the profile text must be kept in sync.
#define MAX_CONTENT_TESTING_READ_PATHS 4

namespace mozilla {

// Sandbox profile (SBPL, Scheme-like syntax) for content processes.
//
// Every (param "NAME") form is a placeholder resolved when the profile is
// compiled. Parameters read by this profile:
//   SHOULD_LOG, SANDBOX_LEVEL_1, SANDBOX_LEVEL_2, SANDBOX_LEVEL_3,
//   HAS_SANDBOXED_PROFILE, HAS_WINDOW_SERVER, IS_ROSETTA_TRANSLATED
//     - compared against the string "TRUE"
//   MAC_OS_VERSION
//     - passed through string->number, so it must be a numeric string
//   APP_PATH, HOME_PATH, PROFILE_DIR
//     - used verbatim in subpath/literal filters; HOME_PATH is additionally
//       regex-quoted before being embedded in regex filters. The
//       home-/profile-relative arguments all start with "/", so these are
//       expected to be absolute paths without a trailing slash.
//   DEBUG_WRITE_DIR, DARWIN_USER_CACHE_DIR, CRASH_PORT, TESTING_READ_PATH1..4
//     - optional; the profile checks for their presence before using them.
//
// The profile is deny-by-default ((moz-deny default) plus the explicit denials
// of features not covered by the default). SHOULD_LOG only controls whether
// denials are logged, never what is denied. The breadth of file-read access is
// governed by the SANDBOX_LEVEL_* parameters; see the level 1/2/3 comments
// near the end of the profile.
static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
  (version 1)

  (define should-log (param "SHOULD_LOG"))
  (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
  (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
  (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
  (define macosVersion (string->number (param "MAC_OS_VERSION")))
  (define appPath (param "APP_PATH"))
  (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
  (define profileDir (param "PROFILE_DIR"))
  (define hasWindowServer (param "HAS_WINDOW_SERVER"))
  (define home-path (param "HOME_PATH"))
  (define debugWriteDir (param "DEBUG_WRITE_DIR"))
  (define userCacheDir (param "DARWIN_USER_CACHE_DIR"))
  (define testingReadPath1 (param "TESTING_READ_PATH1"))
  (define testingReadPath2 (param "TESTING_READ_PATH2"))
  (define testingReadPath3 (param "TESTING_READ_PATH3"))
  (define testingReadPath4 (param "TESTING_READ_PATH4"))
  (define crashPort (param "CRASH_PORT"))
  (define isRosettaTranslated (param "IS_ROSETTA_TRANSLATED"))

  (define (moz-deny feature)
    (if (string=? should-log "TRUE")
      (deny feature)
      (deny feature (with no-log))))

  (moz-deny default)
  ; These are not included in (deny default)
  (moz-deny process-info*)
  (moz-deny nvram*)
  (moz-deny iokit-get-properties)
  (moz-deny file-map-executable)

  (if (string=? should-log "TRUE")
    (debug deny))

  (if (string=? isRosettaTranslated "TRUE")
    (allow file-map-executable (subpath "/private/var/db/oah")))

  (allow file-map-executable file-read*
    (subpath "/System")
    (subpath "/usr/lib")
    (subpath "/Library/GPUBundles")
    (subpath appPath))

  ; Allow read access to standard system paths.
  (allow file-read*
    (require-all (file-mode #o0004)
      (require-any
        (subpath "/Library/Filesystems/NetFSPlugins")
        (subpath "/usr/share"))))

  ; For stat and symlink resolution
  (allow file-read-metadata (subpath "/"))

  ; Timezone
  (allow file-read*
    (subpath "/private/var/db/timezone")
    (subpath "/usr/share/zoneinfo")
    (subpath "/usr/share/zoneinfo.default")
    (literal "/private/etc/localtime"))

  ; Allow read access to standard special files.
  (allow file-read*
    (literal "/dev/autofs_nowait")
    (literal "/dev/random")
    (literal "/dev/urandom"))

  (allow file-read*
    file-write-data
    (literal "/dev/null")
    (literal "/dev/zero"))

  (allow file-read*
    file-write-data
    file-ioctl
    (literal "/dev/dtracehelper"))

  ; Needed for things like getpriority()/setpriority()
  (allow process-info-pidinfo process-info-setcontrol (target self))

  (allow sysctl-read
    (sysctl-name-regex #"^sysctl\.")
    (sysctl-name "kern.ostype")
    (sysctl-name "kern.osversion")
    (sysctl-name "kern.osrelease")
    (sysctl-name "kern.version")
    (sysctl-name "kern.tcsm_available")
    (sysctl-name "kern.tcsm_enable")
    ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
    ; is arguably sensitive information, so we should see what can be done about
    ; removing it.
    (sysctl-name "kern.hostname")
    (sysctl-name "kern.hv_vmm_present")
    (sysctl-name "kern.osproductversion")
    (sysctl-name "hw.machine")
    (sysctl-name "hw.memsize")
    (sysctl-name "hw.model")
    (sysctl-name "hw.ncpu")
    (sysctl-name "hw.activecpu")
    (sysctl-name "hw.byteorder")
    (sysctl-name "hw.pagesize_compat")
    (sysctl-name "hw.logicalcpu")
    (sysctl-name "hw.logicalcpu_max")
    (sysctl-name "hw.perflevel0.logicalcpu_max")
    (sysctl-name "hw.perflevel1.logicalcpu_max")
    (sysctl-name "hw.physicalcpu_max")
    (sysctl-name "hw.busfrequency_compat")
    (sysctl-name "hw.busfrequency_max")
    (sysctl-name "hw.cpufrequency")
    (sysctl-name "hw.cpufrequency_compat")
    (sysctl-name "hw.cpufrequency_max")
    (sysctl-name "hw.l2cachesize")
    (sysctl-name "hw.l3cachesize")
    (sysctl-name "hw.cachelinesize")
    (sysctl-name "hw.cachelinesize_compat")
    (sysctl-name "hw.tbfrequency_compat")
    (sysctl-name "hw.vectorunit")
    (sysctl-name "hw.optional.sse2")
    (sysctl-name "hw.optional.sse3")
    (sysctl-name "hw.optional.sse4_1")
    (sysctl-name "hw.optional.sse4_2")
    (sysctl-name "hw.optional.avx1_0")
    (sysctl-name "hw.optional.avx2_0")
    (sysctl-name "hw.optional.avx512f")
    (sysctl-name "machdep.cpu.vendor")
    (sysctl-name "machdep.cpu.family")
    (sysctl-name "machdep.cpu.model")
    (sysctl-name "machdep.cpu.stepping")
    (sysctl-name "debug.intel.gstLevelGST")
    (sysctl-name "debug.intel.gstLoaderControl"))
  (allow sysctl-write
    (sysctl-name "kern.tcsm_enable"))

  (define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
  (define (home-subpath home-relative-subpath)
    (subpath (string-append home-path home-relative-subpath)))
  (define (home-literal home-relative-literal)
    (literal (string-append home-path home-relative-literal)))

  (define (profile-subpath profile-relative-subpath)
    (subpath (string-append profileDir profile-relative-subpath)))

  (define (allow-shared-list domain)
    (allow file-read*
      (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))

  (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^CFPBS:"))

  (allow signal (target self))
  (if (string? crashPort)
    (allow mach-lookup (global-name crashPort)))
  (if (string=? hasWindowServer "TRUE")
    (allow mach-lookup (global-name "com.apple.windowserver.active")))
  (allow mach-lookup
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.coreservices.launchservicesd")
    (global-name "com.apple.lsd.mapdb"))

  (allow mach-lookup
    ; bug 1392988
    (xpc-service-name "com.apple.coremedia.videodecoder")
    (xpc-service-name "com.apple.coremedia.videoencoder"))

  (if (>= macosVersion 1100)
    (allow mach-lookup
      ; bug 1655655
      (global-name "com.apple.trustd.agent")))

  (allow iokit-open
    (iokit-user-client-class "IOHIDParamUserClient"))

  ; Only supported on macOS 10.10+
  (if (defined? 'iokit-get-properties)
    (allow iokit-get-properties
      (iokit-property "board-id")
      (iokit-property "class-code")
      (iokit-property "vendor-id")
      (iokit-property "device-id")
      (iokit-property "IODVDBundleName")
      (iokit-property "IOGLBundleName")
      (iokit-property "IOGVACodec")
      (iokit-property "IOGVAHEVCDecode")
      (iokit-property "IOGVAHEVCEncode")
      (iokit-property "IOGVAXDecode")
      (iokit-property "IOAVDAV1DecodeCapabilities")
      (iokit-property "IOPCITunnelled")
      (iokit-property "IOVARendererID")
      (iokit-property "MetalPluginName")
      (iokit-property "MetalPluginClassName")))
  ; bug 1893921
  (if (defined? 'iokit-get-properties)
    (with-filter (iokit-registry-entry-class "IOPlatformDevice")
      (allow iokit-get-properties
        (iokit-property "product-id")
        (iokit-property "IORegistryEntryPropertyKeys")
        (iokit-property "ean-storage-present"))))
  (if (defined? 'iokit-get-properties)
    (with-filter (iokit-registry-entry-class "IOService")
      (allow iokit-get-properties
        (iokit-property "housing-color")
        (iokit-property "syscfg-erly-kbgs-allow-load")
        (iokit-property "syscfg-erly-kbgs-data-class")
        (iokit-property "syscfg-erly-kbgs-allow-unsealed")
        (iokit-property "syscfg-v2-data"))))

  ; depending on systems, the 1st, 2nd or both rules are necessary
  (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
  (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))

  (allow user-preference-read (preference-domain "com.apple.ATS"))

  ; Needed for some global preferences (such as scrolling behavior)
  (allow file-read-data
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences.*")
    (home-literal "/Library/Preferences/com.apple.universalaccess.plist"))
  (allow mach-lookup
    (global-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.cfprefsd.daemon"))
  (allow ipc-posix-shm-read-data
    (ipc-posix-name-regex #"^apple\.cfprefs\..*"))

  (allow file-read*
    (subpath "/Library/ColorSync/Profiles")
    (subpath "/Library/Spelling")
    (literal "/")
    (literal "/private/tmp")
    (literal "/private/var/tmp")
    (home-literal "/.CFUserTextEncoding")
    (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
    (home-subpath "/Library/Colors")
    (home-subpath "/Library/ColorSync/Profiles")
    (home-subpath "/Library/Keyboard Layouts")
    (home-subpath "/Library/Input Methods")
    (home-subpath "/Library/Spelling"))

  (when testingReadPath1
    (allow file-read* file-map-executable (subpath testingReadPath1)))
  (when testingReadPath2
    (allow file-read* file-map-executable (subpath testingReadPath2)))
  (when testingReadPath3
    (allow file-read* file-map-executable (subpath testingReadPath3)))
  (when testingReadPath4
    (allow file-read* file-map-executable (subpath testingReadPath4)))

  ; bug 1692220
  (when userCacheDir
    (allow file-read*
      (subpath (string-append userCacheDir "/com.apple.FontRegistry"))))

  ; bug 1303987
  (if (string? debugWriteDir)
    (begin
      (allow file-write-data (subpath debugWriteDir))
      (allow file-write-create
        (require-all
          (subpath debugWriteDir)
          (vnode-type REGULAR-FILE)))))

  (allow-shared-list "org.mozilla.plugincontainer")

  ; Per-user and system-wide Extensions dir
  (allow file-read*
    (home-regex "/Library/Application Support/[^/]+/Extensions/")
    (regex "^/Library/Application Support/[^/]+/Extensions/"))

  ; The following rules impose file access restrictions which get
  ; more restrictive in higher levels. When file-origin-specific
  ; content processes are used for file:// origin browsing, the
  ; global file-read* permission should be removed from each level.

  ; level 1: global read access permitted, no global write access
  (if (string=? sandbox-level-1 "TRUE") (allow file-read*))

  ; level 2: global read access permitted, no global write access,
  ;          no read/write access to ~/Library,
  ;          no read/write access to $PROFILE,
  ;          read access permitted to $PROFILE/{extensions,chrome}
  (if (string=? sandbox-level-2 "TRUE")
    (begin
      ; bug 1201935
      (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
      (if (string=? hasProfileDir "TRUE")
        ; we have a profile dir
        (allow file-read* (require-all
            (require-not (home-subpath "/Library"))
            (require-not (subpath profileDir))))
        ; we don't have a profile dir
        (allow file-read* (require-not (home-subpath "/Library"))))))

  ; level 3: Does not have any of it's own rules. The global rules provide:
  ;          no global read/write access,
  ;          read access permitted to $PROFILE/{extensions,chrome}

  (if (string=? hasProfileDir "TRUE")
    ; we have a profile dir
    (allow file-read*
      (profile-subpath "/extensions")
      (profile-subpath "/chrome")))

  ; accelerated graphics
  (allow user-preference-read (preference-domain "com.apple.opengl"))
  (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
  (allow mach-lookup
    (global-name "com.apple.cvmsServ")
    (global-name "com.apple.MTLCompilerService"))
  (allow iokit-open
    (iokit-connection "IOAccelerator")
    (iokit-user-client-class "IOAccelerationUserClient")
    (iokit-user-client-class "IOSurfaceRootUserClient")
    (iokit-user-client-class "IOSurfaceSendRight")
    (iokit-user-client-class "IOFramebufferSharedUserClient")
    (iokit-user-client-class "AGPMClient")
    (iokit-user-client-class "AppleGraphicsControlClient"))

  ; bug 1153809
  (allow iokit-open
    (iokit-user-client-class "NVDVDContextTesla")
    (iokit-user-client-class "Gen6DVDContext"))

  ; Fonts
  (allow file-read*
    (subpath "/Library/Fonts")
    (subpath "/Library/Application Support/Apple/Fonts")
    (home-subpath "/Library/Fonts")
    ; Allow read access to paths allowed via sandbox extensions.
    ; This is needed for fonts in non-standard locations normally
    ; due to third party font managers. The extensions are
    ; automatically issued by the font server in response to font
    ; API calls.
    (extension "com.apple.app-sandbox.read"))
  ; Fonts may continue to work without explicitly allowing these
  ; services because, at present, connections are made to the services
  ; before the sandbox is enabled as a side-effect of some API calls.
  (allow mach-lookup
    (global-name "com.apple.fonts")
    (global-name "com.apple.FontObjectsServer"))

  ; bug 1565575
  (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar"))
)SANDBOX_LITERAL";

// These are additional rules that are added to the content process rules for
// file content processes.
//
// Appended to SandboxPolicyContent. The unconditional (allow file-read*) here
// grants global read access regardless of which SANDBOX_LEVEL_* parameter was
// set in the base profile, so this addend must only be used for processes
// that are meant to have that privilege.
static const char SandboxPolicyContentFileAddend[] = R"SANDBOX_LITERAL(
  ; This process has blanket file read privileges
  (allow file-read*)

  ; File content processes need access to iconservices to draw file icons in
  ; directory listings
  (allow mach-lookup (global-name "com.apple.iconservices"))
)SANDBOX_LITERAL";

// These are additional rules that are added to the content process rules when
// audio remoting is not enabled. (Once audio remoting is always used these
// will be deleted.)
//
// Appended to SandboxPolicyContent. Grants the in-process audio path: the
// AudioIO shared-memory segments, the coreaudiod/audiohald mach services, the
// IOAudioEngine user client, read access to /Library/Audio/Plug-Ins, and the
// device-microphone capability.
static const char SandboxPolicyContentAudioAddend[] = R"SANDBOX_LITERAL(
  (allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))

  (allow mach-lookup
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.audio.audiohald"))

  (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))

  (allow file-read* (subpath "/Library/Audio/Plug-Ins"))

  (allow device-microphone)
)SANDBOX_LITERAL";

}  // namespace mozilla

#endif  // mozilla_SandboxPolicyContent_h