1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3  * License, v. 2.0. If a copy of the MPL was not distributed with this
4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 
6 #ifndef mozilla_SandboxPolicyContent_h
7 #define mozilla_SandboxPolicyContent_h
8 
// Number of TESTING_READ_PATH<n> parameters the content profile below
// consumes (TESTING_READ_PATH1..TESTING_READ_PATH4). Keep this in sync with
// the (define testingReadPathN ...) and (when testingReadPathN ...) rules in
// SandboxPolicyContent; the caller presumably uses it to size the parameter
// list it passes in -- confirm against the caller.
#define MAX_CONTENT_TESTING_READ_PATHS 4
10 
// Seatbelt (macOS "sandbox profile") policies applied to content processes.
// Each policy is a raw string in the sandbox profile language ((version 1),
// Scheme-like) and is instantiated by the caller with (param "...") values.
// Every parameter read below is supplied by whoever compiles the profile.
// Several of them (SHOULD_LOG, SANDBOX_LEVEL_*, HAS_SANDBOXED_PROFILE,
// HAS_WINDOW_SERVER, IS_ROSETTA_TRANSLATED) are compared with string=?
// against the literal "TRUE", so they are presumably expected as strings
// rather than booleans -- verify against the caller.
namespace mozilla {

// Base profile for every content process.
//
// Structure:
//   * Default-deny: (moz-deny default), plus explicit denials of operations
//     the in-profile comment says (deny default) does not cover
//     (process-info*, nvram*, iokit-get-properties, file-map-executable); the
//     last three are wrapped in (defined? ...) for older macOS releases.
//   * SHOULD_LOG = "TRUE" makes every moz-deny log and turns on (debug deny);
//     otherwise each denial carries (with no-log).
//   * Everything after that is an allow-list. Points to keep in mind when
//     widening it:
//       - file-read-metadata is granted on (subpath "/") ("for stat and
//         symlink resolution"), so even at the strictest level a compromised
//         content process can probe the existence and metadata of any path.
//       - SANDBOX_LEVEL_1 grants an unfiltered (allow file-read*); level 2
//         grants it minus ~/Library and $PROFILE_DIR; level 3 adds no global
//         read rule of its own. The in-profile comment says the global read
//         should be removed once file:// origins get their own process type.
//       - (extension "com.apple.app-sandbox.read") accepts any read path for
//         which the process has been issued a sandbox extension, so the
//         effective read set also depends on the issuer of those extensions
//         (the font server, per the in-profile comment).
//       - TESTING_READ_PATH1..4 grant file-read* and file-map-executable on
//         caller-chosen subpaths. NOTE(review): presumably only populated by
//         test harnesses -- confirm the production caller never sets them.
//       - CRASH_PORT is a caller-supplied Mach global-name that the process
//         may look up; the caller is trusted to name only the crash reporter.
//       - kern.hostname remains readable (tracked by the TODO inside).
//       - MAC_OS_VERSION is parsed with string->number and compared against
//         1013/1014/1100, i.e. presumably major*100+minor -- keep the caller's
//         encoding consistent with those thresholds.
//       - Every mach-lookup global-name / xpc-service-name added here exposes
//         that service's IPC surface to content; add them deliberately.
static const char SandboxPolicyContent[] = R"SANDBOX_LITERAL(
  (version 1)

  (define should-log (param "SHOULD_LOG"))
  (define sandbox-level-1 (param "SANDBOX_LEVEL_1"))
  (define sandbox-level-2 (param "SANDBOX_LEVEL_2"))
  (define sandbox-level-3 (param "SANDBOX_LEVEL_3"))
  (define macosVersion (string->number (param "MAC_OS_VERSION")))
  (define appPath (param "APP_PATH"))
  (define hasProfileDir (param "HAS_SANDBOXED_PROFILE"))
  (define profileDir (param "PROFILE_DIR"))
  (define hasWindowServer (param "HAS_WINDOW_SERVER"))
  (define home-path (param "HOME_PATH"))
  (define debugWriteDir (param "DEBUG_WRITE_DIR"))
  (define userCacheDir (param "DARWIN_USER_CACHE_DIR"))
  (define testingReadPath1 (param "TESTING_READ_PATH1"))
  (define testingReadPath2 (param "TESTING_READ_PATH2"))
  (define testingReadPath3 (param "TESTING_READ_PATH3"))
  (define testingReadPath4 (param "TESTING_READ_PATH4"))
  (define crashPort (param "CRASH_PORT"))
  (define isRosettaTranslated (param "IS_ROSETTA_TRANSLATED"))

  (define (moz-deny feature)
    (if (string=? should-log "TRUE")
      (deny feature)
      (deny feature (with no-log))))

  (moz-deny default)
  ; These are not included in (deny default)
  (moz-deny process-info*)
  ; This isn't available in some older macOS releases.
  (if (defined? 'nvram*)
    (moz-deny nvram*))
  ; The next two properties both require macOS 10.10+
  (if (defined? 'iokit-get-properties)
    (moz-deny iokit-get-properties))
  (if (defined? 'file-map-executable)
    (moz-deny file-map-executable))

  (if (string=? should-log "TRUE")
    (debug deny))

  (if (defined? 'file-map-executable)
    (begin
      (if (string=? isRosettaTranslated "TRUE")
        (allow file-map-executable (subpath "/private/var/db/oah")))
      (allow file-map-executable file-read*
        (subpath "/System")
        (subpath "/usr/lib")
        (subpath "/Library/GPUBundles")
        (subpath appPath)))
    (allow file-read*
        (subpath "/System")
        (subpath "/usr/lib")
        (subpath "/Library/GPUBundles")
        (subpath appPath)))

  ; Allow read access to standard system paths.
  (allow file-read*
    (require-all (file-mode #o0004)
      (require-any
        (subpath "/Library/Filesystems/NetFSPlugins")
        (subpath "/usr/share"))))

  ; For stat and symlink resolution
  (allow file-read-metadata (subpath "/"))

  ; Timezone
  (allow file-read*
    (subpath "/private/var/db/timezone")
    (subpath "/usr/share/zoneinfo")
    (subpath "/usr/share/zoneinfo.default")
    (literal "/private/etc/localtime"))

  ; Allow read access to standard special files.
  (allow file-read*
    (literal "/dev/autofs_nowait")
    (literal "/dev/random")
    (literal "/dev/urandom"))

  (allow file-read*
    file-write-data
    (literal "/dev/null")
    (literal "/dev/zero"))

  (allow file-read*
    file-write-data
    file-ioctl
    (literal "/dev/dtracehelper"))

  ; Needed for things like getpriority()/setpriority()
  (allow process-info-pidinfo process-info-setcontrol (target self))

  (allow sysctl-read
    (sysctl-name-regex #"^sysctl\.")
    (sysctl-name "kern.ostype")
    (sysctl-name "kern.osversion")
    (sysctl-name "kern.osrelease")
    (sysctl-name "kern.version")
    (sysctl-name "kern.tcsm_available")
    (sysctl-name "kern.tcsm_enable")
    ; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
    ; is arguably sensitive information, so we should see what can be done about
    ; removing it.
    (sysctl-name "kern.hostname")
    (sysctl-name "hw.machine")
    (sysctl-name "hw.memsize")
    (sysctl-name "hw.model")
    (sysctl-name "hw.ncpu")
    (sysctl-name "hw.activecpu")
    (sysctl-name "hw.byteorder")
    (sysctl-name "hw.pagesize_compat")
    (sysctl-name "hw.logicalcpu")
    (sysctl-name "hw.logicalcpu_max")
    (sysctl-name "hw.physicalcpu_max")
    (sysctl-name "hw.busfrequency_compat")
    (sysctl-name "hw.busfrequency_max")
    (sysctl-name "hw.cpufrequency")
    (sysctl-name "hw.cpufrequency_compat")
    (sysctl-name "hw.cpufrequency_max")
    (sysctl-name "hw.l2cachesize")
    (sysctl-name "hw.l3cachesize")
    (sysctl-name "hw.cachelinesize")
    (sysctl-name "hw.cachelinesize_compat")
    (sysctl-name "hw.tbfrequency_compat")
    (sysctl-name "hw.vectorunit")
    (sysctl-name "hw.optional.sse2")
    (sysctl-name "hw.optional.sse3")
    (sysctl-name "hw.optional.sse4_1")
    (sysctl-name "hw.optional.sse4_2")
    (sysctl-name "hw.optional.avx1_0")
    (sysctl-name "hw.optional.avx2_0")
    (sysctl-name "hw.optional.avx512f")
    (sysctl-name "machdep.cpu.vendor")
    (sysctl-name "machdep.cpu.family")
    (sysctl-name "machdep.cpu.model")
    (sysctl-name "machdep.cpu.stepping")
    (sysctl-name "debug.intel.gstLevelGST")
    (sysctl-name "debug.intel.gstLoaderControl"))
  (allow sysctl-write
    (sysctl-name "kern.tcsm_enable"))

  (define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote home-path) home-relative-regex)))
  (define (home-subpath home-relative-subpath)
    (subpath (string-append home-path home-relative-subpath)))
  (define (home-literal home-relative-literal)
    (literal (string-append home-path home-relative-literal)))

  (define (profile-subpath profile-relative-subpath)
    (subpath (string-append profileDir profile-relative-subpath)))

  (define (allow-shared-list domain)
    (allow file-read*
           (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))

  (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^CFPBS:"))

  (allow signal (target self))
  (if (string? crashPort)
    (allow mach-lookup (global-name crashPort)))
  (if (string=? hasWindowServer "TRUE")
    (allow mach-lookup (global-name "com.apple.windowserver.active")))
  (allow mach-lookup
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.coreservices.launchservicesd")
    (global-name "com.apple.lsd.mapdb"))

  (if (>= macosVersion 1013)
    (allow mach-lookup
      ; bug 1392988
      (xpc-service-name "com.apple.coremedia.videodecoder")
      (xpc-service-name "com.apple.coremedia.videoencoder")))

  (if (>= macosVersion 1100)
    (allow mach-lookup
      ; bug 1655655
      (global-name "com.apple.trustd.agent")))

  (allow iokit-open
     (iokit-user-client-class "IOHIDParamUserClient"))

  ; Only supported on macOS 10.10+
  (if (defined? 'iokit-get-properties)
    (allow iokit-get-properties
      (iokit-property "board-id")
      (iokit-property "class-code")
      (iokit-property "vendor-id")
      (iokit-property "device-id")
      (iokit-property "IODVDBundleName")
      (iokit-property "IOGLBundleName")
      (iokit-property "IOGVACodec")
      (iokit-property "IOGVAHEVCDecode")
      (iokit-property "IOGVAHEVCEncode")
      (iokit-property "IOGVAXDecode")
      (iokit-property "IOPCITunnelled")
      (iokit-property "IOVARendererID")
      (iokit-property "MetalPluginName")
      (iokit-property "MetalPluginClassName")))

  ; depending on systems, the 1st, 2nd or both rules are necessary
  (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
  (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist"))

  (allow user-preference-read (preference-domain "com.apple.ATS"))

  ; Needed for some global preferences (such as scrolling behavior)
  (allow file-read-data
      (literal "/Library/Preferences/.GlobalPreferences.plist")
      (home-literal "/Library/Preferences/.GlobalPreferences.plist")
      (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences.*")
      (home-literal "/Library/Preferences/com.apple.universalaccess.plist"))
  (allow mach-lookup
      (global-name "com.apple.cfprefsd.agent")
      (global-name "com.apple.cfprefsd.daemon"))
  (allow ipc-posix-shm-read-data
      (ipc-posix-name-regex #"^apple\.cfprefs\..*"))

  (allow file-read*
      (subpath "/Library/ColorSync/Profiles")
      (subpath "/Library/Spelling")
      (literal "/")
      (literal "/private/tmp")
      (literal "/private/var/tmp")
      (home-literal "/.CFUserTextEncoding")
      (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
      (home-subpath "/Library/Colors")
      (home-subpath "/Library/ColorSync/Profiles")
      (home-subpath "/Library/Keyboard Layouts")
      (home-subpath "/Library/Input Methods")
      (home-subpath "/Library/Spelling"))

  (if (defined? 'file-map-executable)
    (begin
      (when testingReadPath1
        (allow file-read* file-map-executable (subpath testingReadPath1)))
      (when testingReadPath2
        (allow file-read* file-map-executable (subpath testingReadPath2)))
      (when testingReadPath3
        (allow file-read* file-map-executable (subpath testingReadPath3)))
      (when testingReadPath4
        (allow file-read* file-map-executable (subpath testingReadPath4))))
    (begin
      (when testingReadPath1
        (allow file-read* (subpath testingReadPath1)))
      (when testingReadPath2
        (allow file-read* (subpath testingReadPath2)))
      (when testingReadPath3
        (allow file-read* (subpath testingReadPath3)))
      (when testingReadPath4
        (allow file-read* (subpath testingReadPath4)))))

  ; bug 1692220
  (when userCacheDir
    (allow file-read*
      (subpath (string-append userCacheDir "/com.apple.FontRegistry"))))

  ; bug 1303987
  (if (string? debugWriteDir)
    (begin
      (allow file-write-data (subpath debugWriteDir))
      (allow file-write-create
        (require-all
          (subpath debugWriteDir)
          (vnode-type REGULAR-FILE)))))

  (allow-shared-list "org.mozilla.plugincontainer")

; Per-user and system-wide Extensions dir
  (allow file-read*
      (home-regex "/Library/Application Support/[^/]+/Extensions/")
      (regex "^/Library/Application Support/[^/]+/Extensions/"))

; The following rules impose file access restrictions which get
; more restrictive in higher levels. When file-origin-specific
; content processes are used for file:// origin browsing, the
; global file-read* permission should be removed from each level.

; level 1: global read access permitted, no global write access
  (if (string=? sandbox-level-1 "TRUE") (allow file-read*))

; level 2: global read access permitted, no global write access,
;          no read/write access to ~/Library,
;          no read/write access to $PROFILE,
;          read access permitted to $PROFILE/{extensions,chrome}
  (if (string=? sandbox-level-2 "TRUE")
    (begin
      ; bug 1201935
      (allow file-read* (home-subpath "/Library/Caches/TemporaryItems"))
      (if (string=? hasProfileDir "TRUE")
        ; we have a profile dir
        (allow file-read* (require-all
          (require-not (home-subpath "/Library"))
          (require-not (subpath profileDir))))
        ; we don't have a profile dir
        (allow file-read* (require-not (home-subpath "/Library"))))))

  ; level 3: Does not have any of it's own rules. The global rules provide:
  ;          no global read/write access,
  ;          read access permitted to $PROFILE/{extensions,chrome}

  (if (string=? hasProfileDir "TRUE")
    ; we have a profile dir
    (allow file-read*
      (profile-subpath "/extensions")
      (profile-subpath "/chrome")))

; accelerated graphics
  (allow user-preference-read (preference-domain "com.apple.opengl"))
  (allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
  (allow mach-lookup
      (global-name "com.apple.cvmsServ"))
  (if (>= macosVersion 1014)
    (allow mach-lookup
      (global-name "com.apple.MTLCompilerService")))
  (allow iokit-open
      (iokit-connection "IOAccelerator")
      (iokit-user-client-class "IOAccelerationUserClient")
      (iokit-user-client-class "IOSurfaceRootUserClient")
      (iokit-user-client-class "IOSurfaceSendRight")
      (iokit-user-client-class "IOFramebufferSharedUserClient")
      (iokit-user-client-class "AGPMClient")
      (iokit-user-client-class "AppleGraphicsControlClient"))

; bug 1153809
  (allow iokit-open
      (iokit-user-client-class "NVDVDContextTesla")
      (iokit-user-client-class "Gen6DVDContext"))

  ; Fonts
  (allow file-read*
    (subpath "/Library/Fonts")
    (subpath "/Library/Application Support/Apple/Fonts")
    (home-subpath "/Library/Fonts")
    ; Allow read access to paths allowed via sandbox extensions.
    ; This is needed for fonts in non-standard locations normally
    ; due to third party font managers. The extensions are
    ; automatically issued by the font server in response to font
    ; API calls.
    (extension "com.apple.app-sandbox.read"))
  ; Fonts may continue to work without explicitly allowing these
  ; services because, at present, connections are made to the services
  ; before the sandbox is enabled as a side-effect of some API calls.
  (allow mach-lookup
    (global-name "com.apple.fonts")
    (global-name "com.apple.FontObjectsServer"))

  (if (>= macosVersion 1013)
   (allow mach-lookup
    ; bug 1565575
    (global-name "com.apple.audio.AudioComponentRegistrar")))
)SANDBOX_LITERAL";

// These are additional rules that are added to the content process rules for
// file content processes.
//
// Security note: (allow file-read*) below carries no path filter, so for this
// process type the level-2/level-3 read restrictions in SandboxPolicyContent
// (no ~/Library, no $PROFILE_DIR, no global read) no longer constrain reads;
// only the base policy's write, exec, IPC and IOKit rules still apply. The
// com.apple.iconservices lookup is the only additional IPC surface added.
static const char SandboxPolicyContentFileAddend[] = R"SANDBOX_LITERAL(
  ; This process has blanket file read privileges
  (allow file-read*)

  ; File content processes need access to iconservices to draw file icons in
  ; directory listings
  (allow mach-lookup (global-name "com.apple.iconservices"))
)SANDBOX_LITERAL";

// These are additional rules that are added to the content process rules when
// audio remoting is not enabled. (Once audio remoting is always used these
// will be deleted.)
//
// Security note: this addend grants (allow device-microphone) directly to the
// content process, together with lookups of coreaudiod/audiohald, the
// IOAudioEngineUserClient IOKit class, and read/write on "AudioIO" POSIX
// shared memory. With audio remoting disabled, a compromised content process
// can therefore open the microphone itself; prefer keeping audio remoting on.
static const char SandboxPolicyContentAudioAddend[] = R"SANDBOX_LITERAL(
  (allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))

  (allow mach-lookup
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.audio.audiohald"))

  (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient"))

  (allow file-read* (subpath "/Library/Audio/Plug-Ins"))

  (allow device-microphone)
)SANDBOX_LITERAL";

}  // namespace mozilla
398 
399 #endif  // mozilla_SandboxPolicyContent_h
400