tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

SandboxPolicyRDD.h (6497B)


      1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
      2 /* This Source Code Form is subject to the terms of the Mozilla Public
      3 * License, v. 2.0. If a copy of the MPL was not distributed with this
      4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      5 
      6 #ifndef mozilla_SandboxPolicyRDD_h
      7 #define mozilla_SandboxPolicyRDD_h
      8 
      9 namespace mozilla {
     10 
        // Sandbox profile (SBPL text, "(version 1)") for the RDD (remote data
        // decoder) process. The string is handed over as-is; nothing in this
        // header evaluates it.
        //
        // The profile reads six parameters via (param ...); whoever applies
        // the profile is expected to supply all of them:
        //   SHOULD_LOG            "TRUE" makes moz-deny log denials, anything
        //                         else denies with (with no-log)
        //   MAC_OS_VERSION        run through string->number and compared
        //                         against 1100 (presumably macOS 11.0) to gate
        //                         the com.apple.trustd.agent lookup
        //   APP_PATH              application tree allowed for
        //                         file-read* and file-map-executable
        //   HOME_PATH             prefix used by the home-regex / home-subpath /
        //                         home-literal helpers
        //   CRASH_PORT            when it is a string, mach-lookup of that
        //                         global name is allowed
        //   IS_ROSETTA_TRANSLATED "TRUE" allows file-map-executable under
        //                         /private/var/db/oah
        //
        // The policy is default-deny: (moz-deny default) plus explicit denies
        // of process-info*, nvram*, iokit-get-properties and
        // file-map-executable, which (deny default) does not cover. Everything
        // that follows is an allow-list, so every rule added here widens what
        // a compromised decoder process can reach; new entries should name the
        // bug or feature that needs them, as the existing ones do.
        //
        // NOTE(review): the sysctl allow-list still contains "kern.hostname",
        // which the embedded TODO flags as sensitive; that TODO is unresolved.
        // NOTE(review): "literal" entries such as "/", "/private/tmp" and
        // "/private/var/tmp" match only that exact path, whereas "subpath"
        // entries cover the whole tree -- presumably intentional, confirm
        // before switching either form.
     11 static const char SandboxPolicyRDD[] = R"SANDBOX_LITERAL(
     12  (version 1)
     13 
     14  (define should-log (param "SHOULD_LOG"))
     15  (define macosVersion (string->number (param "MAC_OS_VERSION")))
     16  (define app-path (param "APP_PATH"))
     17  (define home-path (param "HOME_PATH"))
     18  (define crashPort (param "CRASH_PORT"))
     19  (define isRosettaTranslated (param "IS_ROSETTA_TRANSLATED"))
     20 
     21  (define (moz-deny feature)
     22    (if (string=? should-log "TRUE")
     23      (deny feature)
     24      (deny feature (with no-log))))
     25 
     26  (moz-deny default)
     27  ; These are not included in (deny default)
     28  (moz-deny process-info*)
     29  (moz-deny nvram*)
     30  (moz-deny iokit-get-properties)
     31  (moz-deny file-map-executable)
     32 
     33  ; Needed for things like getpriority()/setpriority()/pthread_setname()
     34  (allow process-info-pidinfo process-info-setcontrol (target self))
     35 
     36  (if (string=? isRosettaTranslated "TRUE")
     37    (allow file-map-executable (subpath "/private/var/db/oah")))
     38 
     39  (allow file-map-executable file-read*
     40    (subpath "/System")
     41    (subpath "/usr/lib")
     42    (subpath "/Library/GPUBundles")
     43    (subpath app-path))
     44 
     45  (if (string? crashPort)
     46    (allow mach-lookup (global-name crashPort)))
     47 
     48  (allow signal (target self))
     49  (allow sysctl-read)
     50  (allow file-read*
     51    (literal "/dev/random")
     52    (literal "/dev/urandom")
     53    (subpath "/usr/share/icu"))
     54 
     55  ; Timezone
     56  (allow file-read*
     57    (subpath "/private/var/db/timezone")
     58    (subpath "/usr/share/zoneinfo")
     59    (subpath "/usr/share/zoneinfo.default")
     60    (literal "/private/etc/localtime"))
     61 
     62  (allow sysctl-read
     63    (sysctl-name-regex #"^sysctl\.")
     64    (sysctl-name "kern.ostype")
     65    (sysctl-name "kern.osversion")
     66    (sysctl-name "kern.osrelease")
     67    (sysctl-name "kern.osproductversion")
     68    (sysctl-name "kern.version")
     69    ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
     70    ; is arguably sensitive information, so we should see what can be done about
     71    ; removing it.
     72    (sysctl-name "kern.hostname")
     73    (sysctl-name "hw.machine")
     74    (sysctl-name "hw.memsize")
     75    (sysctl-name "hw.model")
     76    (sysctl-name "hw.ncpu")
     77    (sysctl-name "hw.activecpu")
     78    (sysctl-name "hw.byteorder")
     79    (sysctl-name "hw.pagesize_compat")
     80    (sysctl-name "hw.logicalcpu_max")
     81    (sysctl-name "hw.physicalcpu_max")
     82    (sysctl-name "hw.busfrequency_compat")
     83    (sysctl-name "hw.busfrequency_max")
     84    (sysctl-name "hw.cpufrequency")
     85    (sysctl-name "hw.cpufrequency_compat")
     86    (sysctl-name "hw.cpufrequency_max")
     87    (sysctl-name "hw.l2cachesize")
     88    (sysctl-name "hw.l3cachesize")
     89    (sysctl-name "hw.cachelinesize")
     90    (sysctl-name "hw.cachelinesize_compat")
     91    (sysctl-name "hw.tbfrequency_compat")
     92    (sysctl-name "hw.vectorunit")
     93    (sysctl-name "hw.optional.sse2")
     94    (sysctl-name "hw.optional.sse3")
     95    (sysctl-name "hw.optional.sse4_1")
     96    (sysctl-name "hw.optional.sse4_2")
     97    (sysctl-name "hw.optional.avx1_0")
     98    (sysctl-name "hw.optional.avx2_0")
     99    (sysctl-name "hw.optional.avx512f")
    100    (sysctl-name "machdep.cpu.vendor")
    101    (sysctl-name "machdep.cpu.family")
    102    (sysctl-name "machdep.cpu.model")
    103    (sysctl-name "machdep.cpu.stepping")
    104    (sysctl-name "debug.intel.gstLevelGST")
    105    (sysctl-name "debug.intel.gstLoaderControl"))
    106 
    107  (define (home-regex home-relative-regex)
    108    (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
    109  (define (home-subpath home-relative-subpath)
    110    (subpath (string-append home-path home-relative-subpath)))
    111  (define (home-literal home-relative-literal)
    112    (literal (string-append home-path home-relative-literal)))
    113  (define (allow-shared-list domain)
    114    (allow file-read*
    115           (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
    116 
    117  (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
    118    (ipc-posix-name-regex #"^CFPBS:"))
    119 
    120  (allow mach-lookup
    121    (global-name "com.apple.CoreServices.coreservicesd")
    122    (global-name "com.apple.coreservices.launchservicesd")
    123    (global-name "com.apple.lsd.mapdb"))
    124 
    125  (allow file-read*
    126      (subpath "/Library/ColorSync/Profiles")
    127      (literal "/")
    128      (literal "/private/tmp")
    129      (literal "/private/var/tmp")
    130      (home-subpath "/Library/Colors")
    131      (home-subpath "/Library/ColorSync/Profiles"))
    132 
    133  (allow mach-lookup
    134    ; bug 1392988
    135    (xpc-service-name "com.apple.coremedia.videodecoder")
    136    (xpc-service-name "com.apple.coremedia.videoencoder"))
    137 
    138  (if (>= macosVersion 1100)
    139    (allow mach-lookup
    140      ; bug 1655655
    141      (global-name "com.apple.trustd.agent")))
    142 
    143  ; Only supported on macOS 10.10+
    144  (if (defined? 'iokit-get-properties)
    145    (allow iokit-get-properties
    146      (iokit-property "board-id")
    147      (iokit-property "class-code")
    148      (iokit-property "vendor-id")
    149      (iokit-property "device-id")
    150      (iokit-property "IODVDBundleName")
    151      (iokit-property "IOGLBundleName")
    152      (iokit-property "IOGVACodec")
    153      (iokit-property "IOGVAHEVCDecode")
    154      (iokit-property "IOAVDHEVCDecodeCapabilities")
    155      (iokit-property "IOGVAHEVCEncode")
    156      (iokit-property "IOGVAXDecode")
    157      (iokit-property "IOAVDAV1DecodeCapabilities")
    158      (iokit-property "IOPCITunnelled")
    159      (iokit-property "IOVARendererID")
    160      (iokit-property "MetalPluginName")
    161      (iokit-property "MetalPluginClassName")))
    162 
    163 ; accelerated graphics
    164  (allow user-preference-read (preference-domain "com.apple.opengl"))
    165  (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
    166  (allow mach-lookup
    167      (global-name "com.apple.cvmsServ")
    168      (global-name "com.apple.MTLCompilerService"))
    169  (allow iokit-open
    170      (iokit-connection "IOAccelerator")
    171      (iokit-user-client-class "IOAccelerationUserClient")
    172      (iokit-user-client-class "IOSurfaceRootUserClient")
    173      (iokit-user-client-class "IOSurfaceSendRight")
    174      (iokit-user-client-class "IOFramebufferSharedUserClient")
    175      (iokit-user-client-class "AGPMClient")
    176      (iokit-user-client-class "AppleGraphicsControlClient"))
    177 
    178  (allow mach-lookup
    179    ; bug 1565575
    180    (global-name "com.apple.audio.AudioComponentRegistrar"))
    181 )SANDBOX_LITERAL";
    182 
    183 }  // namespace mozilla
    184 
    185 #endif  // mozilla_SandboxPolicyRDD_h