; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
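(version 1)

;; Default-deny: any operation that no rule below allows is refused.
;; SBPL gives precedence to later rules (the (deny default) here is
;; overridden by every allow that follows it), so the (deny ...) sections
;; near the bottom and the finalizer rules must stay after the allows
;; they narrow.
(deny default)

;; Auditing and stat()-style metadata reads are permitted on every path
;; with no filter, so the process can probe for the existence of any file
;; on the system even where it cannot read the contents.
(allow system-audit file-read-metadata)

(import "system.sb")

;; Utility functions
;;
;; Each helper builds a path filter relative to a directory the sandbox
;; launcher passes in as a parameter.  The regex helpers anchor at "^" and
;; regex-quote the parameter so a directory containing regex
;; metacharacters cannot widen the match; the relative part is not quoted
;; and is interpreted as a regex by the caller's choice.

(define (home-literal rel)
  (literal (string-append (param "HOME_DIR") rel)))

(define (home-library-regex rel-regex)
  (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_DIR")) rel-regex)))

(define (home-library-subpath rel)
  (subpath (string-append (param "HOME_LIBRARY_DIR") rel)))

(define (home-library-literal rel)
  (literal (string-append (param "HOME_LIBRARY_DIR") rel)))

(define (home-library-preferences-regex rel-regex)
  (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) rel-regex)))

(define (home-library-preferences-subpath rel)
  (subpath (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") rel)))

(define (home-library-preferences-literal rel)
  (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") rel)))

;; Grant read access to one or more CFPreferences domains.
;;
;; The user-preference-read operation only exists on newer sandbox
;; versions, so it is guarded with defined?.  The file-read* rules stay as
;; a fallback for code that opens the .plist files directly; the domain is
;; regex-quoted before it is spliced into the ByHost pattern so a domain
;; name cannot act as a wildcard.
(define (shared-preferences-read . domains)
  (for-each
    (lambda (domain)
      (if (defined? 'user-preference-read)
          (allow user-preference-read (preference-domain domain)))
      ;; (Temporary) backward compatibility with non-CFPreferences readers.
      (allow file-read*
             (literal (string-append "/Library/Preferences/" domain ".plist"))
             (home-library-preferences-literal (string-append "/" domain ".plist"))
             (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$"))))
    domains))

;; Grant read and write access to one or more CFPreferences domains.
;; Same structure as shared-preferences-read; the fallback additionally
;; allows file-write* on the same three plist locations.
(define (shared-preferences-read-write . domains)
  (for-each
    (lambda (domain)
      (if (defined? 'user-preference-write)
          (allow user-preference-read user-preference-write (preference-domain domain)))
      ;; (Temporary) backward compatibility with non-CFPreferences readers / writers.
      (allow file-read* file-write*
             (literal (string-append "/Library/Preferences/" domain ".plist"))
             (home-library-preferences-literal (string-append "/" domain ".plist"))
             (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$"))))
    domains))

;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter.
;; This parameter is the major OS Version number (e.g. "10.7"); it selects
;; the version-specific rules further down.
(if (not (defined? 'os-version))
    (define os-version (param "_OS_VERSION")))

;; OS X 10.7 (Lion) compatibility: the finer-grained POSIX shm operations
;; do not exist there, so alias them to the coarse ipc-posix-shm operation.
(if (not (defined? 'ipc-posix-shm*))
    (define ipc-posix-shm* ipc-posix-shm))
(if (not (defined? 'ipc-posix-shm-read*))
    (define ipc-posix-shm-read* ipc-posix-shm))
(if (not (defined? 'ipc-posix-shm-write-data))
    (define ipc-posix-shm-write-data ipc-posix-shm))

;; Graphics
;; Prefer the system-provided profile fragment when it exists; otherwise
;; open the accelerator/IOSurface/framebuffer user clients explicitly.
(if (defined? 'system-graphics)
    (system-graphics)
    (begin
      (shared-preferences-read
        "com.apple.opengl"
        "com.nvidia.OpenGL")
      (allow mach-lookup (global-name "com.apple.cvmsServ"))
      (allow iokit-open
             (iokit-connection "IOAccelerator")
             (iokit-user-client-class "IOAccelerationUserClient")
             (iokit-user-client-class "IOSurfaceRootUserClient")
             (iokit-user-client-class "IOSurfaceSendRight")
             (iokit-user-client-class "IOFramebufferSharedUserClient")
             (iokit-user-client-class "AppleSNBFBUserClient")
             (iokit-user-client-class "AGPMClient")
             (iokit-user-client-class "AppleGraphicsControlClient")
             (iokit-user-client-class "AppleGraphicsPolicyClient"))))

;; Read-only preferences
(shared-preferences-read
  ".GlobalPreferences"
  "com.apple.Bluetooth"
  "com.apple.CoreGraphics"
  "com.apple.QuickTime"
  "com.apple.HIToolbox"
  "com.apple.ATS"
  "com.apple.driver.AppleBluetoothMultitouch.mouse"
  "com.apple.driver.AppleBluetoothMultitouch.trackpad"
  "com.apple.driver.AppleHIDMouse"
  "com.apple.inputmethodkit"
  "com.apple.iWork.Pages"
  "com.apple.LaunchServices"
  "com.apple.MultitouchSupport"
  "com.apple.security"
  "com.apple.security.revocation"
  "com.apple.security_common"
  "com.apple.speech.voice.prefs"
  "com.apple.speech.synthesis.general.prefs"
  "com.apple.speech.recognition.AppleSpeechRecognition.prefs"
  "com.apple.systemsound"
  "com.apple.universalaccess"
  "com.apple.WebFoundation"
  "com.apple.WebKit.PluginProcess"
  "pbs"
  "com.apple.ServicesMenu.Services")

;; Read-only data
;; The subpath rules below grant recursive read access, so everything
;; placed under these directories (including third-party plug-ins and
;; fonts) becomes readable by the sandboxed process.
(allow file-read*
       (literal "/")
       (literal "/private/etc/hosts")
       (literal "/private/etc/protocols")
       (literal "/private/etc/services")
       (literal "/private/etc/resolv.conf")
       (literal "/private/var/run/resolv.conf")

       (subpath "/Library/Frameworks")
       ;; /private/var/db/mds is granted in the Security framework section.

       (regex #"^/Library/Preferences/com\.apple\.security")
       (home-literal "/.CFUserTextEncoding")
       (home-library-subpath "/Audio")
       (home-library-subpath "/ColorPickers")
       (home-library-subpath "/ColorSync")
       (subpath "/Library/Components")
       (home-library-subpath "/Components")
       (subpath "/Library/Contextual Menu Items")
       (subpath "/Library/Input Methods")
       (home-library-subpath "/Input Methods")
       (subpath "/Library/InputManagers")
       (home-library-subpath "/InputManagers")
       (home-library-subpath "/KeyBindings")
       (subpath "/Library/Keyboard Layouts")
       (home-library-subpath "/Keyboard Layouts")
       (subpath "/Library/Fonts")
       (home-library-subpath "/Fonts")
       (subpath "/Library/Spelling")
       (home-library-subpath "/Spelling")
       (subpath "/Library/PDF Services")
       (home-library-subpath "/PDF Services")
       (home-library-preferences-literal "/QuickTime Preferences")

       (home-library-literal "/Caches/com.apple.coreaudio.components.plist")

       (subpath "/Library/Audio/Sounds")
       (subpath "/Library/Audio/Plug-Ins/Components")
       (home-library-subpath "/Audio/Plug-Ins/Components")
       (subpath "/Library/Audio/Plug-Ins/HAL")
       (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
       (subpath "/Library/QuickTime")
       (home-library-subpath "/QuickTime")
       (subpath "/Library/Video/Plug-Ins")
       (home-library-subpath "/Caches/QuickTime")

       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")

       (home-library-literal "/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")

       (subpath "/Library/ColorSync")

       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
       (subpath "/Library/Keychains"))

;; Security framework
(allow mach-lookup (global-name "com.apple.ocspd"))
(allow file-read*
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures"))
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))
;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; file* covers every file operation (read, write, ioctl, ...) on the
;; user's keychain directory; the previously separate file-read*/file-write*
;; rule for the same subpath was subsumed by this one and has been folded
;; in here so the grant is visible in one place.
(allow file* (home-library-subpath "/Keychains"))

;; IOKit user clients
(allow iokit-open
       (iokit-user-client-class "IOAudioControlUserClient")
       (iokit-user-client-class "IOAudioEngineUserClient")
       (iokit-user-client-class "IOHIDParamUserClient")
       (iokit-user-client-class "RootDomainUserClient"))

;; Various services required by AppKit and other frameworks
;; The trailing global-name-regex matches every Mach service whose name
;; ends in "_OpenStep", not a single named service.
(allow mach-lookup
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.DiskArbitration.diskarbitrationd")
       (global-name "com.apple.FileCoordination")
       (global-name "com.apple.FontObjectsServer")
       (global-name "com.apple.FontServer")
       (global-name "com.apple.ImageCaptureExtension2.presence")
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.PPPController")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.UNCUserNotification")
       (global-name "com.apple.audio.VDCAssistant")
       (global-name "com.apple.audio.audiohald")
       (global-name "com.apple.audio.coreaudiod")
       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
       (global-name "com.apple.cmio.VDCAssistant")
       (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
       (global-name "com.apple.coreservices.launchservicesd")
       ;; com.apple.ocspd is granted in the Security framework section.
       (global-name "com.apple.pasteboard.1")
       (global-name "com.apple.pbs.fetch_services")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.tsm.uiserver")
       (global-name "com.apple.window_proxies")
       (global-name "com.apple.windowserver.active")
       (local-name "com.apple.tsm.portname")
       (global-name-regex #"_OpenStep$"))

;; Only needed on 10.7.
(if (equal? os-version "10.7")
    (allow mach-lookup
           (global-name "com.apple.system.DirectoryService.membership_v1")))

;; Configuration directories
;; The three file* grants are full read/write/ioctl access to the
;; launcher-supplied temp, cache and URL-cache directories.
(allow file-read* (subpath (param "PLUGIN_PATH")))
(allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
(allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
(allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
(allow file* (subpath (param "NSURL_CACHE_DIR")))


;; Networking
(if (defined? 'system-network)
    (system-network)
    (begin
      (allow file-read* (literal "/Library/Preferences/com.apple.networkd.plist"))
      (allow mach-lookup
             (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
             (global-name "com.apple.networkd"))
      (allow network-outbound
             (control-name "com.apple.netsrc")
             (control-name "com.apple.network.statistics"))
      (allow system-socket
             (require-all (socket-domain AF_SYSTEM)
                          (socket-protocol 2)) ; SYSPROTO_CONTROL
             (socket-domain AF_ROUTE))))

;; Outbound: the local mDNSResponder socket for DNS plus any remote TCP or
;; UDP endpoint -- there is no host or port restriction here.
(allow network-outbound
       ;; Local mDNSResponder for DNS, arbitrary outbound TCP and UDP
       (literal "/private/var/run/mDNSResponder")
       (remote tcp)
       (remote udp))
;; Inbound: the process may bind and receive on local UDP sockets; the
;; filter carries no port restriction.
(allow network-inbound
       (local udp))


;; Open and Save panels
;; Only paths covered by a read-write sandbox extension handed to the
;; process (i.e. chosen by the user in a panel) become accessible, and the
;; process may re-issue read or read-write extensions for those paths.
(define (webkit-powerbox)
  (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  (allow file-issue-extension
         (require-all
           (extension-class "com.apple.app-sandbox.read")
           (extension "com.apple.app-sandbox.read-write"))
         (require-all
           (extension-class "com.apple.app-sandbox.read-write")
           (extension "com.apple.app-sandbox.read-write"))))

;; Printing
;; Note: mach-task-name is allowed without any filter where the operation
;; exists; the other grants are scoped to CUPS sockets, the print tool
;; agents and the printer configuration files.
(define (webkit-printing)
  (if (defined? 'authorization-right-obtain)
      (allow authorization-right-obtain
             (right-name "system.print.operator")
             (right-name "system.printingmanager")))
  (if (defined? 'mach-register)
      (deny mach-register (with no-log)
            (global-name-regex #"^com\.apple\.ICA-[0-9]+$")))
  (if (defined? 'mach-task-name)
      (allow mach-task-name))
  (allow network-outbound (literal "/private/var/run/cupsd"))
  (allow mach-lookup
         (global-name "com.apple.printuitool.agent")
         (global-name "com.apple.printtool.agent")
         (global-name "com.apple.printtool.daemon"))
  (allow file-read*
         (subpath "/Library/Printers")
         (home-literal "/.cups/lpoptions")
         (home-literal "/.cups/client.conf")
         (literal "/private/etc/cups/client.conf")
         (literal "/private/etc/cups/lpoptions")
         (subpath "/private/etc/cups/ppd")
         (subpath "/private/var/run/cupsd"))
  (shared-preferences-read "org.cups.PrintingPrefs"))

;; Text Services Manager
(allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))

;; Image Capture
(define (webkit-imagecapture)
  (allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2")))

;; Camera
;; Besides the named assistants, any Mach service for which the process
;; holds a com.apple.app-sandbox.mach extension becomes reachable.
(define (webkit-camera)
  (shared-preferences-read "com.apple.coremedia")
  (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
  (allow mach-lookup
         (global-name "com.apple.cmio.AppleCameraAssistant")
         ;; Apple DAL assistants
         (global-name "com.apple.cmio.VDCAssistant")
         (global-name "com.apple.cmio.AVCAssistant")
         (global-name "com.apple.cmio.IIDCVideoAssistant")
         ;; QuickTimeIIDCDigitizer assistant
         (global-name "com.apple.IIDCAssistant"))
  (allow iokit-open
         ;; QuickTimeUSBVDCDigitizer
         (iokit-user-client-class "IOUSBDeviceUserClientV2")
         (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
  (allow device-camera))

;; Microphone
(define (webkit-microphone)
  (allow device-microphone))

;; POSIX shared memory.  On 10.7 every shm segment is allowed (the
;; per-name filters are unavailable there); later releases get a named
;; allow-list, with two extra CoreServices locks on 10.8 only.
(if (equal? os-version "10.7")
    (allow ipc-posix-shm)
    (begin
      (if (equal? os-version "10.8")
          (allow ipc-posix-shm*
                 (ipc-posix-name "_CS_GSHMEMLOCK")
                 (ipc-posix-name "_CS_DSHMEMLOCK")))
      (allow ipc-posix-shm*
             (ipc-posix-name-regex #"^AudioIO")
             (ipc-posix-name-regex #"^CFPBS:")
             (ipc-posix-name "com.apple.ColorSync.Gen.lock")
             (ipc-posix-name "com.apple.ColorSync.Disp.lock")
             (ipc-posix-name "com.apple.ColorSync.Gray2.2")
             (ipc-posix-name "com.apple.ColorSync.sRGB")
             (ipc-posix-name "com.apple.ColorSync.GenGray")
             (ipc-posix-name "com.apple.ColorSync.GenRGB")
             (ipc-posix-name-regex #"^com\.apple\.cs\.")
             (ipc-posix-name-regex #"^ls\."))
      (allow ipc-posix-shm-read*
             (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
             (ipc-posix-name "FNetwork.defaultStorageSession")
             (ipc-posix-name "apple.shm.notification_center"))))

;; Silently block access to some resources
;; These deny rules come after the allows above on purpose: a later rule
;; wins, so they carve exceptions out of the broader grants (e.g. the
;; quarantine database under the preferences directory).
(deny file-read* file-write* (with no-log)
      (subpath "/Network/Library")
      (subpath "/Network/Applications")
      (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")

      ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
      (home-library-literal "/Caches/Cache.db")

      ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
      (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
      (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))

(deny mach-lookup (with no-log)
      (global-name "com.apple.FSEvents")
      (global-name "com.apple.coreservices.appleevents")
      (global-name "com.apple.dock.server")
      (global-name-regex #"^com\.apple\.distributed_notifications"))

;; The below rules are inserted at the end of sandbox profile compilation by overriding the finalizer.
;; Because they are emitted last they are matched last, and therefore narrow
;; every allow above them, including the ones exported by the webkit-*
;; helpers when the launcher calls them.
;; The initial value of %finalize must be the last function called.
(letrec
    ((original-%finalize %finalize)
     (webkit-%finalize
      (lambda ()
        ;; Forbid creating symbolic links anywhere the process can write.
        (if (defined? 'vnode-type)
            (deny file-write-create
                  (vnode-type SYMLINK)))
        ;; Reserve a namespace for additional protected extended attributes.
        ;; NOTE(review): the filter argument is a regex literal (#"...");
        ;; confirm the sandbox version in use accepts a pattern in the
        ;; xattr filter (later SBPL spells this xattr-regex).
        (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
        ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
        (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
        (original-%finalize))))
  (set! %finalize webkit-%finalize))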