Roll out r208589. rdar://problem/29277451
[WebKit-https.git] / Source / WebKit2 / PluginProcess / mac / com.apple.WebKit.plugin-common.sb.in
1 ; Copyright (C) 2013-2016 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ;    notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ;    notice, this list of conditions and the following disclaimer in the
10 ;    documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
24 (version 1)
25 (deny default)
26 (allow system-audit file-read-metadata)
27
28 (import "system.sb")
29
30 ;; Utility functions
31 (define (home-literal home-relative-literal)
32     (literal (string-append (param "HOME_DIR") home-relative-literal)))
33
34 (define (home-library-regex home-library-relative-regex)
35     (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_DIR")) home-library-relative-regex)))
36
37 (define (home-library-subpath home-library-relative-subpath)
38     (subpath (string-append (param "HOME_LIBRARY_DIR") home-library-relative-subpath)))
39
40 (define (home-library-literal home-library-relative-literal)
41     (literal (string-append (param "HOME_LIBRARY_DIR") home-library-relative-literal)))
42
43 (define (home-library-preferences-regex home-library-preferences-relative-regex)
44     (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) home-library-preferences-relative-regex)))
45
46 (define (home-library-preferences-subpath home-library-preferences-relative-subpath)
47     (subpath (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-subpath)))
48
49 (define (home-library-preferences-literal home-library-preferences-relative-literal)
50     (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
51
52 (define (shared-preferences-read . domains)
53   (for-each (lambda (domain)
54               (begin
55                 (if (defined? `user-preference-read)
56                     (allow user-preference-read (preference-domain domain)))
57                 ; (Temporary) backward compatibility with non-CFPreferences readers.
58                 (allow file-read*
59                        (literal (string-append "/Library/Preferences/" domain ".plist"))
60                        (home-library-preferences-literal (string-append "/" domain ".plist"))
61                        (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
62             domains))
63
64 (define (shared-preferences-read-write . domains)
65   (for-each (lambda (domain)
66               (begin
67                 (if (defined? `user-preference-write)
68                     (allow user-preference-read user-preference-write (preference-domain domain)))
69                 ; (Temporary) backward compatibility with non-CFPreferences readers / writers.
70                 (allow file-read* file-write*
71                        (literal (string-append "/Library/Preferences/" domain ".plist"))
72                        (home-library-preferences-literal (string-append "/" domain ".plist"))
73                        (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
74             domains))
75
76 ;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
77 ;; This parameter is the major OS Version number.
78 (if (not (defined? 'os-version))
79     (define os-version (param "_OS_VERSION")))
80
81 ;; Graphics
82 (if (defined? 'system-graphics)
83     (system-graphics)
84     (begin
85         (shared-preferences-read
86             "com.apple.opengl"
87             "com.nvidia.OpenGL")
88         (allow mach-lookup (global-name "com.apple.cvmsServ"))
89         (allow iokit-open
90             (iokit-connection "IOAccelerator")
91             (iokit-user-client-class "IOAccelerationUserClient")
92             (iokit-user-client-class "IOSurfaceRootUserClient")
93             (iokit-user-client-class "IOSurfaceSendRight")
94             (iokit-user-client-class "IOFramebufferSharedUserClient")
95             (iokit-user-client-class "AppleSNBFBUserClient")
96             (iokit-user-client-class "AGPMClient")
97             (iokit-user-client-class "AppleGraphicsControlClient")
98             (iokit-user-client-class "AppleGraphicsPolicyClient"))))
99
100 ;; Read-only preferences
101 (shared-preferences-read
102     ".GlobalPreferences"
103     "com.apple.Bluetooth"
104     "com.apple.CoreGraphics"
105     "com.apple.QuickTime"
106     "com.apple.HIToolbox"
107     "com.apple.ATS"
108     "com.apple.driver.AppleBluetoothMultitouch.mouse"
109     "com.apple.driver.AppleBluetoothMultitouch.trackpad"
110     "com.apple.driver.AppleHIDMouse"
111     "com.apple.inputmethodkit"
112     "com.apple.iWork.Pages"
113     "com.apple.LaunchServices"
114     "com.apple.MultitouchSupport"
115     "com.apple.security"
116     "com.apple.security.revocation"
117     "com.apple.security_common"
118     "com.apple.speech.voice.prefs"
119     "com.apple.speech.synthesis.general.prefs"
120     "com.apple.speech.recognition.AppleSpeechRecognition.prefs"
121     "com.apple.systemsound"
122     "com.apple.universalaccess"
123     "com.apple.WebFoundation"
124     "com.apple.WebKit.PluginProcess"
125     "pbs"
126     "com.apple.ServicesMenu.Services")
127
128 ;; Read-only data
129 (allow file-read*
130     (literal "/")
131     (literal "/private/etc/hosts")
132     (literal "/private/etc/protocols")
133     (literal "/private/etc/services")
134     (literal "/private/etc/resolv.conf")
135     (literal "/private/var/run/resolv.conf")
136
137     (subpath "/Library/Frameworks")
138     (subpath "/Library/Managed Preferences")
139     (subpath "/private/var/db/mds")
140
141     (regex #"^/Library/Preferences/com\.apple\.security")
142     (home-literal "/.CFUserTextEncoding")
143     (home-library-subpath "/Audio")
144     (home-library-subpath "/ColorPickers")
145     (home-library-subpath "/ColorSync")
146     (subpath "/Library/Components")
147     (home-library-subpath "/Components")
148     (subpath "/Library/Contextual Menu Items")
149     (subpath "/Library/Input Methods")
150     (home-library-subpath "/Input Methods")
151     (subpath "/Library/InputManagers")
152     (home-library-subpath "/InputManagers")
153     (home-library-subpath "/KeyBindings")
154     (subpath "/Library/Keyboard Layouts")
155     (home-library-subpath "/Keyboard Layouts")
156     (subpath "/Library/Fonts")
157     (home-library-subpath "/Fonts")
158     (subpath "/Library/Spelling")
159     (home-library-subpath "/Spelling")
160     (subpath "/Library/PDF Services")
161     (home-library-subpath "/PDF Services")
162     (home-library-preferences-literal "/QuickTime Preferences")
163
164     (home-library-literal "/Caches/com.apple.coreaudio.components.plist")
165
166     (subpath "/Library/Audio/Sounds")
167     (subpath "/Library/Audio/Plug-Ins/Components")
168     (home-library-subpath "/Audio/Plug-Ins/Components")
169     (subpath "/Library/Audio/Plug-Ins/HAL")
170     (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
171     (subpath "/Library/QuickTime")
172     (home-library-subpath "/QuickTime")
173     (subpath "/Library/Video/Plug-Ins")
174     (home-library-subpath "/Caches/QuickTime")
175
176     (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
177
178     (home-library-literal "/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
179
180     (subpath "/Library/ColorSync")
181
182     (home-literal "/Library/Preferences/com.apple.lookup.shared.plist")
183
184     ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
185     (subpath "/Library/Keychains"))
186
187 ;; Security framework
188 (allow mach-lookup (global-name "com.apple.ocspd"))
189 (allow file-read* file-write* (home-library-subpath "/Keychains"))
190 (allow file-read*
191        (subpath "/private/var/db/mds")
192        (literal "/private/var/db/DetachedSignatures"))
193 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
194        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
195
196 ;; Read-write preferences and data
197 (allow file*
198     ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
199     (home-library-subpath "/Keychains"))
200 (allow system-fsctl (fsctl-command (_IO "h" 47)))
201
202 ;; IOKit user clients
203 (allow iokit-open
204     (iokit-user-client-class "IOAudioControlUserClient")
205     (iokit-user-client-class "IOAudioEngineUserClient")
206     (iokit-user-client-class "IOHIDParamUserClient")
207     (iokit-user-client-class "RootDomainUserClient"))
208
209 ;; Various services required by AppKit and other frameworks
210 (allow mach-lookup
211     (global-name "com.apple.CoreServices.coreservicesd")
212     (global-name "com.apple.DiskArbitration.diskarbitrationd")
213     (global-name "com.apple.FileCoordination")
214     (global-name "com.apple.FontObjectsServer")
215 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
216     (global-name "com.apple.FontServer")
217 #endif
218     (global-name "com.apple.ImageCaptureExtension2.presence")
219     (global-name "com.apple.PowerManagement.control")
220     (global-name "com.apple.SecurityServer")
221     (global-name "com.apple.SystemConfiguration.PPPController")
222     (global-name "com.apple.SystemConfiguration.configd")
223     (global-name "com.apple.UNCUserNotification")
224     (global-name "com.apple.audio.VDCAssistant")
225     (global-name "com.apple.audio.audiohald")
226     (global-name "com.apple.audio.coreaudiod")
227     (global-name "com.apple.cfnetwork.AuthBrokerAgent")
228     (global-name "com.apple.cmio.VDCAssistant")
229     (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
230     (global-name "com.apple.coreservices.launchservicesd")
231     (global-name "com.apple.fonts")
232     (global-name "com.apple.ocspd")
233     (global-name "com.apple.pasteboard.1")
234     (global-name "com.apple.pbs.fetch_services")
235     (global-name "com.apple.tccd.system")
236     (global-name "com.apple.tsm.uiserver")
237     (global-name "com.apple.window_proxies")
238     (global-name "com.apple.windowserver.active")
239     (local-name "com.apple.tsm.portname")
240     (global-name-regex #"_OpenStep$"))
241
242 ;; Configuration directories
243 (allow file-read* (subpath (param "PLUGIN_PATH")))
244 (allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
245 (allow file* (subpath (param "DARWIN_USER_TEMP_DIR")))
246 (allow file* (subpath (param "DARWIN_USER_CACHE_DIR")))
247 (allow file* (subpath (param "NSURL_CACHE_DIR")))
248
249 ;; Allow the OpenGL Profiler to attach.
250 (if (defined? 'mach-register)
251     (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
252
253 ;; Networking
254 (if (defined? 'system-network)
255     (system-network)
256     (begin
257       (allow file-read* (literal "/Library/Preferences/com.apple.networkd.plist"))
258       (allow mach-lookup
259              (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
260              (global-name "com.apple.networkd"))
261       (allow network-outbound
262              (control-name "com.apple.netsrc")
263              (control-name "com.apple.network.statistics"))
264       (allow system-socket
265              (require-all (socket-domain AF_SYSTEM)
266                           (socket-protocol 2)) ; SYSPROTO_CONTROL
267              (socket-domain AF_ROUTE))))
268
269 (allow network-outbound
270     ;; Local mDNSResponder for DNS, arbitrary outbound TCP and UDP
271     (literal "/private/var/run/mDNSResponder")
272     (remote tcp)
273     (remote udp))
274 (allow network-inbound
275     (local udp))
276
277
278 ;; Open and Save panels
279 (define (webkit-powerbox)
280     (allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))
281     (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
282     (allow file-issue-extension
283         (require-all
284             (extension-class "com.apple.app-sandbox.read")
285             (extension "com.apple.app-sandbox.read-write"))
286         (require-all
287             (extension-class "com.apple.app-sandbox.read-write")
288             (extension "com.apple.app-sandbox.read-write"))))
289
290 ;; Printing
291 (define (webkit-printing)
292     (if (defined? 'authorization-right-obtain)
293         (allow authorization-right-obtain
294                (right-name "system.print.operator")
295                (right-name "system.printingmanager")))
296     (if (defined? 'mach-register)
297         (deny mach-register (with no-log)
298                (global-name-regex #"^com\.apple\.ICA-[0-9]+$")))
299     (if (defined? 'mach-task-name)
300         (allow mach-task-name))
301     (allow network-outbound (literal "/private/var/run/cupsd"))
302     (allow mach-lookup
303         (global-name "com.apple.printuitool.agent")
304         (global-name "com.apple.printtool.agent")
305         (global-name "com.apple.printtool.daemon"))
306     (allow file-read*
307         (subpath "/Library/Printers")
308         (home-literal "/.cups/lpoptions")
309         (home-literal "/.cups/client.conf")
310         (literal "/private/etc/cups/client.conf")
311         (literal "/private/etc/cups/lpoptions")
312         (subpath "/private/etc/cups/ppd")
313         (literal "/private/var/run/cupsd"))
314     (shared-preferences-read "org.cups.PrintingPrefs"))
315
316 ;; Text Services Manager
317 #if PLATFORM(IOS) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200)
318 (with-filter (iokit-registry-entry-class "IOHIDEventDriver")
319     (allow iokit-set-properties (iokit-property "CapsLockDelayOverride")))
320 #else
321 (allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
322 #endif
323
324 ;; Image Capture
325 (define (webkit-imagecapture)
326     (allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2")))
327
328 ;; Camera
329 (define (webkit-camera)
330     (shared-preferences-read "com.apple.coremedia")
331     (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
332     (allow mach-lookup
333         (global-name "com.apple.cmio.AppleCameraAssistant")
334         ;; Apple DAL assistants
335         (global-name "com.apple.cmio.VDCAssistant")
336         (global-name "com.apple.cmio.AVCAssistant")
337         (global-name "com.apple.cmio.IIDCVideoAssistant")
338         ;; QuickTimeIIDCDigitizer assistant
339         (global-name "com.apple.IIDCAssistant"))
340     (allow iokit-open
341         ;; QuickTimeUSBVDCDigitizer
342         (iokit-user-client-class "IOUSBDeviceUserClientV2")
343         (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
344     (allow device-camera))
345
346 ;; Microphone
347 (define (webkit-microphone)
348     (allow device-microphone))
349
350 ;; Silently block access to some resources
351 (deny file-read* file-write* (with no-log)
352     (subpath "/Network/Library")
353     (subpath "/Network/Applications")
354     (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")
355
356     ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
357     (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
358     (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
359
360 (deny mach-lookup (with no-log)
361     (global-name "com.apple.FSEvents")
362     (global-name "com.apple.coreservices.appleevents")
363     (global-name "com.apple.dock.server")
364     (global-name-regex #"^com\.apple\.distributed_notifications"))
365
366 ;; The below rules are inserted at the end of sandbox profile compilation by overriding the finalizer.
367 ;; The initial value of %finalize must be the last function called.
368 (letrec
369    ((original-%finalize %finalize)
370     (webkit-%finalize
371         (lambda ()
372             (if (defined? 'vnode-type)
373                 (deny file-write-create
374                       (vnode-type SYMLINK)))
375             ;; Reserve a namespace for additional protected extended attributes.
376             (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
377             ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
378             (if (defined? 'xattr-regex)
379                 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
380                 (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\.")))
381             (original-%finalize))))
382    (set! %finalize webkit-%finalize))