[Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
1 ; Copyright (C) 2013-2016 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ;    notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ;    notice, this list of conditions and the following disclaimer in the
10 ;    documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
(version 1)
;; Default-deny: any operation not explicitly allowed by a later rule is refused.
(deny default)
;; Unfiltered allow: audit and file-metadata reads are permitted on any path.
(allow system-audit file-read-metadata)

;; Base platform profile; the rules in this file are layered on top of it.
(import "system.sb")
29
30 ;; Utility functions
;; Build a `literal` path filter for a path given relative to the sandboxed
;; user's home directory (the HOME_DIR profile parameter).
(define home-literal
  (lambda (home-relative-literal)
    (let ((absolute-path (string-append (param "HOME_DIR") home-relative-literal)))
      (literal absolute-path))))
33
;; Build an anchored `regex` filter under the user's Library directory
;; (HOME_LIBRARY_DIR). The directory prefix is regex-quoted so it matches
;; literally; only the caller-supplied suffix is interpreted as a pattern.
(define home-library-regex
  (lambda (home-library-relative-regex)
    (let ((quoted-prefix (regex-quote (param "HOME_LIBRARY_DIR"))))
      (regex (string-append "^" quoted-prefix home-library-relative-regex)))))
36
;; Build a `subpath` filter (the directory and everything beneath it) for a
;; path given relative to the user's Library directory (HOME_LIBRARY_DIR).
(define home-library-subpath
  (lambda (home-library-relative-subpath)
    (let ((absolute-path (string-append (param "HOME_LIBRARY_DIR") home-library-relative-subpath)))
      (subpath absolute-path))))
39
;; Build a `literal` filter (exact path only) for a path given relative to
;; the user's Library directory (HOME_LIBRARY_DIR).
(define home-library-literal
  (lambda (home-library-relative-literal)
    (let ((absolute-path (string-append (param "HOME_LIBRARY_DIR") home-library-relative-literal)))
      (literal absolute-path))))
42
;; Build an anchored `regex` filter under the user's preferences directory
;; (HOME_LIBRARY_PREFERENCES_DIR); the prefix is regex-quoted so it matches
;; literally and only the supplied suffix is treated as a pattern.
(define home-library-preferences-regex
  (lambda (home-library-preferences-relative-regex)
    (let ((quoted-prefix (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR"))))
      (regex (string-append "^" quoted-prefix home-library-preferences-relative-regex)))))
45
;; Build a `subpath` filter for a directory given relative to the user's
;; preferences directory (HOME_LIBRARY_PREFERENCES_DIR).
(define home-library-preferences-subpath
  (lambda (home-library-preferences-relative-subpath)
    (let ((absolute-path (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-subpath)))
      (subpath absolute-path))))
48
;; Build a `literal` filter for a file given relative to the user's
;; preferences directory (HOME_LIBRARY_PREFERENCES_DIR).
(define home-library-preferences-literal
  (lambda (home-library-preferences-relative-literal)
    (let ((absolute-path (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
      (literal absolute-path))))
51
;; Grant read access to each named preferences domain. When the
;; user-preference-read operation is defined in this SBPL environment the
;; domain itself is allowed; in every case the backing plist files are also
;; made readable in /Library/Preferences, the user's preferences directory
;; and its ByHost subdirectory (any host-specific suffix).
(define (shared-preferences-read . domains)
  (for-each
    (lambda (domain)
      (let ((plist-name (string-append domain ".plist")))
        (if (defined? `user-preference-read)
            (allow user-preference-read (preference-domain domain)))
        ; (Temporary) backward compatibility with non-CFPreferences readers.
        (allow file-read*
               (literal (string-append "/Library/Preferences/" plist-name))
               (home-library-preferences-literal (string-append "/" plist-name))
               (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
    domains))
63
;; Grant read and write access to each named preferences domain. When the
;; user-preference-write operation is defined, both preference operations are
;; allowed on the domain; in every case the backing plist files are also made
;; readable and writable in /Library/Preferences, the user's preferences
;; directory and its ByHost subdirectory.
(define (shared-preferences-read-write . domains)
  (for-each
    (lambda (domain)
      (let ((plist-name (string-append domain ".plist")))
        (if (defined? `user-preference-write)
            (allow user-preference-read user-preference-write (preference-domain domain)))
        ; (Temporary) backward compatibility with non-CFPreferences readers / writers.
        (allow file-read* file-write*
               (literal (string-append "/Library/Preferences/" plist-name))
               (home-library-preferences-literal (string-append "/" plist-name))
               (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
    domains))
75
76 ;; Remove when <rdar://problem/29646094> is fixed.
;; Build a regex fragment from a list of integers: each positive count n
;; appends n copies of "[0-9A-F]", and a 0 appends a literal "-" separator.
;; pattern-string is accumulated by mutation and returned at the end.
(define (HEX-pattern-match-generator pattern-descriptor)
    (letrec ((pattern-string ""))
        (for-each  (lambda (repeat-count)
            (if (zero? repeat-count)
                (set! pattern-string (string-append  pattern-string "-"))
                ;; Named-let loop: append one hex-digit class per count.
                (let appender ((count repeat-count))
                    (if (> count 0)
                        (begin
                            (set! pattern-string (string-append  pattern-string "[0-9A-F]"))
                            (appender (- count 1)))))))
            pattern-descriptor)
    pattern-string))
89
90 ;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
;; The descriptor spells out 8-4-4-4-12 hex groups with a "-" (the 0 entries)
;; between them, i.e. an upper-case UUID.
(define (uuid-HEX-pattern-match-string)
    (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12)))
93
94 ;; global to hold the computed UUID matching pattern.
;; Starts empty; uuid-regex-string fills it in on first use.
(define *uuid-pattern* "")
96
;; Return the UUID regex fragment, computing it once and caching it in the
;; *uuid-pattern* global (an empty string means "not computed yet").
(define (uuid-regex-string)
    (if (zero? (string-length *uuid-pattern*))
        (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
    *uuid-pattern*)
101
;; Allow full read/write access beneath `path` and permit this process to
;; issue both read and read-write sandbox extensions scoped to that subtree.
;; A false `path` yields no rules at all.
(define (allow-read-write-directory-and-issue-read-write-extensions path)
    (if path
        (begin
            (allow file-read* file-write* (subpath path))
            ;; Extensions handed to other processes are limited to `path` by the require-all.
            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
108
109 ;; WebKit2 sandbox launcher needs to define an _OS_VERSION parameter
110 ;; This parameter is the major OS Version number.
;; Only bind os-version if an enclosing profile has not already defined it.
(if (not (defined? 'os-version))
    (define os-version (param "_OS_VERSION")))
113
;; Rule set not defined in this file; presumably provided by the imported system.sb.
(system-graphics)
115
116 ;; Read-only preferences
;; Each domain below becomes readable both as a preference domain and as its
;; backing plist files (see shared-preferences-read above).
(shared-preferences-read
    ".GlobalPreferences"
    "com.apple.ATS"
    "com.apple.Bluetooth"
    "com.apple.CoreGraphics"
    "com.apple.HIToolbox"
    "com.apple.QuickTime"
    "com.apple.driver.AppleBluetoothMultitouch.mouse"
    "com.apple.driver.AppleBluetoothMultitouch.trackpad"
    "com.apple.driver.AppleHIDMouse"
    "com.apple.inputmethodkit"
    "com.apple.iWork.Pages"
    "com.apple.LaunchServices"
    "com.apple.MultitouchSupport"
    "com.apple.security"
    "com.apple.security.revocation"
    "com.apple.security_common"
    "com.apple.speech.voice.prefs"
    "com.apple.speech.synthesis.general.prefs"
    "com.apple.speech.recognition.AppleSpeechRecognition.prefs"
    "com.apple.systemsound"
    "com.apple.universalaccess"
    "com.apple.WebFoundation"
    "com.apple.WebKit.PluginProcess"
    "pbs"
    "com.apple.ServicesMenu.Services")
143
144 ;; Read-only data
;; One allow covering every read-only path the plug-in process needs.
;; `literal` matches the exact path only; `subpath` matches the whole subtree.
(allow file-read*
    (literal "/")
    ;; Network name-resolution configuration.
    (literal "/private/etc/hosts")
    (literal "/private/etc/protocols")
    (literal "/private/etc/services")
    (literal "/private/etc/resolv.conf")
    (literal "/private/var/run/resolv.conf")

    (subpath "/Library/Frameworks")
    (subpath "/Library/Managed Preferences")
    (subpath "/private/var/db/mds")

    ;; Prefix match: any /Library/Preferences entry starting with com.apple.security.
    (regex #"^/Library/Preferences/com\.apple\.security")
    (home-literal "/.CFUserTextEncoding")
    ;; Input-method, keyboard, font and spelling resources, system-wide and per-user.
    (home-library-subpath "/Audio")
    (home-library-subpath "/ColorPickers")
    (home-library-subpath "/ColorSync")
    (subpath "/Library/Components")
    (home-library-subpath "/Components")
    (subpath "/Library/Contextual Menu Items")
    (subpath "/Library/Input Methods")
    (home-library-subpath "/Input Methods")
    (subpath "/Library/InputManagers")
    (home-library-subpath "/InputManagers")
    (home-library-subpath "/KeyBindings")
    (subpath "/Library/Keyboard Layouts")
    (home-library-subpath "/Keyboard Layouts")
    (subpath "/Library/Fonts")
    (home-library-subpath "/Fonts")
    (subpath "/Library/Spelling")
    (home-library-subpath "/Spelling")
    (subpath "/Library/PDF Services")
    (home-library-subpath "/PDF Services")
    (home-library-preferences-literal "/QuickTime Preferences")

    (home-library-literal "/Caches/com.apple.coreaudio.components.plist")

    ;; Audio/video plug-in directories, system-wide and per-user.
    (subpath "/Library/Audio/Sounds")
    (subpath "/Library/Audio/Plug-Ins/Components")
    (home-library-subpath "/Audio/Plug-Ins/Components")
    (subpath "/Library/Audio/Plug-Ins/HAL")
    (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
    (subpath "/Library/QuickTime")
    (home-library-subpath "/QuickTime")
    (subpath "/Library/Video/Plug-Ins")
    (home-library-subpath "/Caches/QuickTime")

    (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")

    (home-library-literal "/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")

    (subpath "/Library/ColorSync")

    (home-literal "/Library/Preferences/com.apple.lookup.shared.plist"))
199
;; This .sb.in file is run through the C preprocessor; the keychain rules
;; below are compiled in only for deployment targets before 101240.
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
;; Only data/metadata reads and data writes: no file-write-create, so the
;; directory itself cannot be created and no new entries added.
(allow file-read-data file-read-metadata file-write-data
    (subpath "/Library/Keychains"))

;; Do permit creating per-user keychains
(allow file-read* file-write*
    (home-library-subpath "/Keychains"))

;; Except deny access to new-style iOS Keychain folders which are UUIDs.
;; Later rules take precedence, so this deny carves the UUID-named
;; directories out of the allows above; "(/|$)" matches the directory itself
;; and anything beneath it.
(deny file-read* file-write*
    (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
    (home-library-regex (string-append "/Keychains/" (uuid-regex-string) "(/|$)")))
#endif
215
216 ;; Security framework
;; Online certificate status daemon.
(allow mach-lookup (global-name "com.apple.ocspd"))
;; Metadata store and detached code signatures used by the Security framework.
(allow file-read*
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures"))
;; Shared-memory change notification: readable, plus data (not metadata) writes.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))
223
224 ;; Read-write preferences and data
;; Exactly one fsctl command is permitted, identified by its ioctl group 'h'
;; and number 47; the heading above does not say what it is for.
;; NOTE(review): purpose of this command is not documented here — confirm.
(allow system-fsctl (fsctl-command (_IO "h" 47)))
226
227 ;; IOKit user clients
;; Only these IOKit user-client classes may be opened: audio control/engine,
;; HID parameters and the power-management root domain.
(allow iokit-open
    (iokit-user-client-class "IOAudioControlUserClient")
    (iokit-user-client-class "IOAudioEngineUserClient")
    (iokit-user-client-class "IOHIDParamUserClient")
    (iokit-user-client-class "RootDomainUserClient"))
233
234 ;; Various services required by AppKit and other frameworks
;; Mach services the plug-in process may look up. Every entry is an exact
;; global-name except the trailing regex, which admits any service whose
;; name ends in "_OpenStep", and the single local-name for TSM.
(allow mach-lookup
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.DiskArbitration.diskarbitrationd")
    (global-name "com.apple.FileCoordination")
    (global-name "com.apple.FontObjectsServer")
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
    (global-name "com.apple.FontServer")
#endif
    (global-name "com.apple.ImageCaptureExtension2.presence")
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.SystemConfiguration.PPPController")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.UNCUserNotification")
    (global-name "com.apple.audio.VDCAssistant")
    (global-name "com.apple.audio.audiohald")
    (global-name "com.apple.audio.coreaudiod")
    (global-name "com.apple.cfnetwork.AuthBrokerAgent")
    (global-name "com.apple.cmio.VDCAssistant")
    (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
    (global-name "com.apple.coreservices.launchservicesd")
    (global-name "com.apple.fonts")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.pasteboard.1")
    (global-name "com.apple.pbs.fetch_services")
    (global-name "com.apple.tccd.system")
    (global-name "com.apple.tsm.uiserver")
    (global-name "com.apple.window_proxies")
    (global-name "com.apple.windowserver.active")
    (local-name "com.apple.tsm.portname")
    (global-name-regex #"_OpenStep$"))
266
267 ;; Configuration directories
;; Paths supplied by the launcher as profile parameters. The plug-in bundle
;; and the WebKit2 framework directory are read-only and applied
;; unconditionally; the three cache/temp directories get read-write access
;; plus extension issuing, but only when the parameter is non-empty.
(allow file-read* (subpath (param "PLUGIN_PATH")))
(allow file-read* (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
(if (positive? (string-length (param "NSURL_CACHE_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "NSURL_CACHE_DIR")))
276
277 ;; Allow the OpenGL Profiler to attach.
;; Only when the mach-register operation exists: the process may register a
;; service name of the form _oglprof_attach_<N> (digits only, fully anchored).
(if (defined? 'mach-register)
    (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
280
;; Rule set not defined in this file; presumably provided by the imported system.sb.
(system-network)
282
;; Outbound: the local mDNSResponder socket plus any remote TCP or UDP
;; endpoint (no host or port restriction).
(allow network-outbound
    ;; Local mDNSResponder for DNS, arbitrary outbound TCP and UDP
    (literal "/private/var/run/mDNSResponder")
    (remote tcp)
    (remote udp))
;; Inbound: local UDP only; no inbound TCP is allowed here.
(allow network-inbound
    (local udp))
290
291
292 ;; Open and Save panels
;; Rules for the Open/Save panels. Defined but not invoked in this file;
;; presumably called by profiles that include it. File access is gated on a
;; read-write sandbox extension held by the process, and such extensions may
;; be re-issued (read or read-write) only for paths already covered by one.
(define (webkit-powerbox)
    (allow file-read* (literal "/Library/Preferences/com.apple.ViewBridge.plist"))
    (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read")
            (extension "com.apple.app-sandbox.read-write"))
        (require-all
            (extension-class "com.apple.app-sandbox.read-write")
            (extension "com.apple.app-sandbox.read-write"))))
303
304 ;; Printing
;; Rules for printing. Defined but not invoked in this file. Each
;; `defined?` guard skips an operation the current SBPL environment lacks.
(define (webkit-printing)
    (if (defined? 'authorization-right-obtain)
        (allow authorization-right-obtain
               (right-name "system.print.operator")
               (right-name "system.printingmanager")))
    ;; Silently refuse registering ImageCapture-style service names.
    (if (defined? 'mach-register)
        (deny mach-register (with no-log)
               (global-name-regex #"^com\.apple\.ICA-[0-9]+$")))
    ;; Unfiltered: mach-task-name is allowed for any target when available.
    (if (defined? 'mach-task-name)
        (allow mach-task-name))
    (allow network-outbound (literal "/private/var/run/cupsd"))
    (allow mach-lookup
        (global-name "com.apple.printuitool.agent")
        (global-name "com.apple.printtool.agent")
        (global-name "com.apple.printtool.daemon"))
    ;; CUPS client configuration, printer drivers and the cupsd socket.
    (allow file-read*
        (subpath "/Library/Printers")
        (home-literal "/.cups/lpoptions")
        (home-literal "/.cups/client.conf")
        (literal "/private/etc/cups/client.conf")
        (literal "/private/etc/cups/lpoptions")
        (subpath "/private/etc/cups/ppd")
        (literal "/private/var/run/cupsd"))
    (shared-preferences-read "org.cups.PrintingPrefs"))
329
330 ;; Text Services Manager
;; Setting the CapsLockDelayOverride property: on newer targets the allow is
;; scoped to the IOHIDEventDriver registry class, otherwise it is unscoped.
#if PLATFORM(IOS) || (PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200)
(with-filter (iokit-registry-entry-class "IOHIDEventDriver")
    (allow iokit-set-properties (iokit-property "CapsLockDelayOverride")))
#else
(allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
#endif
337
338 ;; Image Capture
;; Rules for Image Capture: AppleEvents may be sent only to the
;; imagecaptureextension2 destination. Defined but not invoked in this file.
(define (webkit-imagecapture)
    (allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2")))
341
342 ;; Camera
;; Rules for camera access. Defined but not invoked in this file. Besides
;; the listed assistants, any Mach service covered by a held
;; com.apple.app-sandbox.mach extension may be looked up.
(define (webkit-camera)
    (shared-preferences-read "com.apple.coremedia")
    (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
    (allow mach-lookup
        (global-name "com.apple.cmio.AppleCameraAssistant")
        ;; Apple DAL assistants
        (global-name "com.apple.cmio.VDCAssistant")
        (global-name "com.apple.cmio.AVCAssistant")
        (global-name "com.apple.cmio.IIDCVideoAssistant")
        ;; QuickTimeIIDCDigitizer assistant
        (global-name "com.apple.IIDCAssistant"))
    ;; Direct USB device/interface user clients for the digitizer.
    (allow iokit-open
        ;; QuickTimeUSBVDCDigitizer
        (iokit-user-client-class "IOUSBDeviceUserClientV2")
        (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
    (allow device-camera))
359
360 ;; Microphone
;; Rules for microphone access. Defined but not invoked in this file.
(define (webkit-microphone)
    (allow device-microphone))
363
;; Full access (ipc-posix-shm* covers read and write) to these shared-memory
;; segments; the regexes are anchored prefixes, the rest are exact names.
(allow ipc-posix-shm*
    (ipc-posix-name-regex #"^AudioIO")
    (ipc-posix-name-regex #"^CFPBS:")
    (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    (ipc-posix-name "com.apple.ColorSync.Disp.lock")
    (ipc-posix-name "com.apple.ColorSync.Gray2.2")
    (ipc-posix-name "com.apple.ColorSync.sRGB")
    (ipc-posix-name "com.apple.ColorSync.GenGray")
    (ipc-posix-name "com.apple.ColorSync.GenRGB")
    (ipc-posix-name-regex #"^com\.apple\.cs\.")
    (ipc-posix-name-regex #"^ls\."))
;; Read-only access to these segments.
(allow ipc-posix-shm-read*
    (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
    (ipc-posix-name "FNetwork.defaultStorageSession")
    (ipc-posix-name "apple.shm.notification_center"))
379
380 ;; Silently block access to some resources
;; Explicit denies with logging suppressed: these paths are expected to be
;; probed by frameworks, and the noise would otherwise hide real violations.
(deny file-read* file-write* (with no-log)
    (subpath "/Network/Library")
    (subpath "/Network/Applications")
    (home-library-preferences-regex #"/com\.apple\.internetconfig(priv)?\.plist")

    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2")
    (home-library-preferences-literal "/com.apple.LaunchServices.QuarantineEventsV2-journal"))
389
;; Silently refuse these Mach services; the last entry is an anchored prefix
;; covering every distributed-notifications service name.
(deny mach-lookup (with no-log)
    (global-name "com.apple.FSEvents")
    (global-name "com.apple.coreservices.appleevents")
    (global-name "com.apple.dock.server")
    (global-name-regex #"^com\.apple\.distributed_notifications"))
395
396 ;; The below rules are inserted at the end of sandbox profile compilation by overriding the finalizer.
397 ;; The initial value of %finalize must be the last function called.
(letrec
   ((original-%finalize %finalize)
    (webkit-%finalize
        (lambda ()
            ;; Emitted last, so this deny overrides every file-write allow above:
            ;; the process cannot create symlinks anywhere (when vnode-type exists).
            (if (defined? 'vnode-type)
                (deny file-write-create
                      (vnode-type SYMLINK)))
            ;; Reserve a namespace for additional protected extended attributes.
            (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
            ;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
            ;; NOTE(review): the else branch repeats the unconditional `xattr`
            ;; deny just above; redundant but harmless.
            (if (defined? 'xattr-regex)
                (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
                (deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\.")))
            ;; Chain to the previous finalizer so its rules still come last.
            (original-%finalize))))
   (set! %finalize webkit-%finalize))