[Mac][WK2] Stop using file* rules in WebProcess sandbox profiles
[WebKit-https.git] / Source / WebKit2 / WebProcess / com.apple.WebProcess.sb.in
1 ; Copyright (C) 2010-2016 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ;    notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ;    notice, this list of conditions and the following disclaimer in the
10 ;    documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
24 (version 1)
25 (deny default (with partial-symbolication))
26 (allow system-audit file-read-metadata)
27
28 (import "system.sb")
29
30 ;; Utility functions for home directory relative path filters
31 (define (home-regex home-relative-regex)
32   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
33
34 (define (home-subpath home-relative-subpath)
35   (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
36
37 (define (home-literal home-relative-literal)
38   (literal (string-append (param "HOME_DIR") home-relative-literal)))
39
40 (define (allow-read-directory-and-issue-read-extensions path)
41     (if path
42         (begin
43             (allow file-read* (subpath path))
44             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
45
46 (define (allow-read-write-directory-and-issue-read-write-extensions path)
47     (if path
48         (begin
49             (allow file-read* file-write* (subpath path))
50             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
51             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
52
53 ;; Remove when <rdar://problem/29646094> is fixed.
54 (define (HEX-pattern-match-generator pattern-descriptor)
55     (letrec ((pattern-string ""))
56         (for-each  (lambda (repeat-count)
57             (if (zero? repeat-count)
58                 (set! pattern-string (string-append  pattern-string "-"))
59                 (let appender ((count repeat-count))
60                     (if (> count 0)
61                         (begin
62                             (set! pattern-string (string-append  pattern-string "[0-9A-F]"))
63                             (appender (- count 1)))))))
64             pattern-descriptor)
65     pattern-string))
66
67 ;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
68 (define (uuid-HEX-pattern-match-string)
69     (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12)))
70
71 ;; global to hold the computed UUID matching pattern.
72 (define *uuid-pattern* "")
73
74 (define (uuid-regex-string)
75     (if (zero? (string-length *uuid-pattern*))
76         (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
77     *uuid-pattern*)
78
79 ;; Read-only preferences and data
80 (allow file-read*
81        ;; Basic system paths
82        (subpath "/Library/Dictionaries")
83        (subpath "/Library/Fonts")
84        (subpath "/Library/Frameworks")
85        (subpath "/Library/Managed Preferences")
86        (subpath "/Library/Speech/Synthesizers")
87        (regex #"^/private/etc/(hosts|group|passwd)$")
88
89        (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
90
91        ;; System and user preferences
92        (home-literal "/.CFUserTextEncoding")
93
94        ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
95        (home-subpath "/Library/Fonts")
96
97        ;; FIXME: These should be removed when <rdar://problem/9217757> is fixed.
98        (home-subpath "/Library/Audio/Plug-Ins/Components")
99        (home-subpath "/Library/Preferences/QuickTime Preferences")
100        (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
101        (subpath "/Library/Audio/Plug-Ins/Components")
102        (subpath "/Library/Audio/Plug-Ins/HAL")
103        (subpath "/Library/Video/Plug-Ins")
104        (subpath "/Library/QuickTime")
105
106        (home-subpath "/Library/Dictionaries"))
107
108 ;; Preferences support
109 (allow user-preference-read
110     (preference-domain
111         "kCFPreferencesAnyApplication"
112         "com.apple.ATS"
113         "com.apple.CoreGraphics"
114         "com.apple.DownloadAssessment"
115         "com.apple.HIToolbox"
116         "com.apple.LaunchServices"
117         "com.apple.MultitouchSupport" ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
118         "com.apple.QTKit"
119         "com.apple.ServicesMenu.Services" ;; Needed for NSAttributedString <rdar://problem/10844321>
120         "com.apple.WebFoundation"
121         "com.apple.avfoundation"
122         "com.apple.coremedia"
123         "com.apple.crypto"
124         "com.apple.driver.AppleBluetoothMultitouch.mouse"
125         "com.apple.driver.AppleBluetoothMultitouch.trackpad"
126         "com.apple.driver.AppleHIDMouse"
127         "com.apple.lookup.shared"
128         "com.apple.mediaaccessibility"
129         "com.apple.networkConnect"
130         "com.apple.security"
131         "com.apple.security.common"
132         "com.apple.security.revocation"
133         "com.apple.speech.voice.prefs"
134         "com.apple.systemsound"
135         "com.apple.universalaccess"
136         "edu.mit.Kerberos"
137         "pbs" ;; Needed for NSAttributedString <rdar://problem/10844321>
138 ))
139
140 ;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
141 ;; and to allow issuing extensions.
142 (allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))
143
144 ;; Allow issuing extensions to system libraries that the Network process can already read.
145 ;; This is to avoid warnings attempting to create extensions for these resources.
146 (allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")
147
148 ;; Sandbox extensions
149 (define (apply-read-and-issue-extension op path-filter)
150     (op file-read* path-filter)
151     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
152 (define (apply-write-and-issue-extension op path-filter)
153     (op file-write* path-filter)
154     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
155 (define (read-only-and-issue-extensions path-filter)
156     (apply-read-and-issue-extension allow path-filter))
157 (define (read-write-and-issue-extensions path-filter)
158     (apply-read-and-issue-extension allow path-filter)
159     (apply-write-and-issue-extension allow path-filter))
160 (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
161 (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
162 (allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.
163
164 ;; Allow the OpenGL Profiler to attach.
165 (if (defined? 'mach-register)
166     (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
167
168 ;; MediaAccessibility
169 (allow user-preference-read user-preference-write
170     (preference-domain "com.apple.mediaaccessibility.public"))
171
172 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
173     (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
174
175 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
176     (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
177
178 ;; IOKit user clients
179 (allow iokit-open
180        (iokit-user-client-class "AppleUpstreamUserClient")
181        (iokit-user-client-class "IOHIDParamUserClient")
182        (iokit-user-client-class "RootDomainUserClient")
183        (iokit-user-client-class "IOAudioControlUserClient")
184        (iokit-user-client-class "IOAudioEngineUserClient"))
185
186 ;; cookied.
187 ;; FIXME: Update for <rdar://problem/13642852>.
188 (allow ipc-posix-shm-read-data
189     (ipc-posix-name "FNetwork.defaultStorageSession")
190     (ipc-posix-name-regex #"\.PrivateBrowsing-")
191     (ipc-posix-name-regex #"^WebKit Test-"))
192
193 ;; ColorSync
194 (allow ipc-posix-shm*
195     (ipc-posix-name "com.apple.ColorSync.Gen.lock")
196     (ipc-posix-name "com.apple.ColorSync.Disp.lock")
197     (ipc-posix-name "com.apple.ColorSync.Gray2.2")
198     (ipc-posix-name "com.apple.ColorSync.sRGB")
199     (ipc-posix-name "com.apple.ColorSync.GenGray")
200     (ipc-posix-name "com.apple.ColorSync.GenRGB"))
201
202 ;; Audio
203 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
204     (ipc-posix-name-regex #"^AudioIO"))
205
206 ;; Remote Web Inspector
207 (allow mach-lookup
208        (global-name "com.apple.webinspector"))
209
210 ;; Various services required by AppKit and other frameworks
211 (allow mach-lookup
212        (global-name "com.apple.DiskArbitration.diskarbitrationd")
213        (global-name "com.apple.FileCoordination")
214        (global-name "com.apple.FontObjectsServer")
215 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
216        (global-name "com.apple.FontServer")
217 #endif
218        (global-name "com.apple.PowerManagement.control")
219        (global-name "com.apple.SystemConfiguration.configd")
220        (global-name "com.apple.SystemConfiguration.PPPController")
221        (global-name "com.apple.audio.SystemSoundServer-OSX")
222        (global-name "com.apple.audio.VDCAssistant")
223        (global-name "com.apple.audio.audiohald")
224        (global-name "com.apple.audio.coreaudiod")
225        (global-name "com.apple.awdd")
226        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
227        (global-name "com.apple.cookied")
228        (global-name "com.apple.coreservices.launchservicesd")
229        (global-name "com.apple.dock.server")
230        (global-name "com.apple.fonts")
231        (global-name "com.apple.iconservices")
232        (global-name "com.apple.iconservices.store")
233 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
234        (global-name "com.apple.mediaremoted.xpc")
235 #endif
236 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
237        (global-name "com.apple.nesessionmanager.flow-divert-token")
238 #endif
239        (global-name "com.apple.speech.speechsynthesisd")
240        (global-name "com.apple.speech.synthesis.console")
241        (global-name "com.apple.system.opendirectoryd.api")
242        (global-name "com.apple.tccd")
243        (global-name "com.apple.tccd.system")
244        (global-name "com.apple.window_proxies")
245        (global-name "com.apple.windowserver.active")
246 )
247
248 ;; Security framework
249 (allow mach-lookup
250        (global-name "com.apple.ctkd.token-client")
251        (global-name "com.apple.ocspd")
252        (global-name "com.apple.securityd.xpc") 
253        (global-name "com.apple.CoreAuthentication.agent.libxpc")
254        (global-name "com.apple.SecurityServer"))
255
256 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
257 ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
258 ;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
259 (allow file-read-data file-read-metadata file-write-data
260     (subpath "/Library/Keychains"))
261
262 ;; Do permit creating per-user keychains
263 (allow file-read* file-write*
264     (home-subpath "/Library/Keychains"))
265
266 ;; Except deny access to new-style iOS Keychain folders which are UUIDs.
267 (deny file-read* file-write*
268     (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
269     (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))
270 #endif
271
272 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
273
274 (allow file-read*
275        (subpath "/private/var/db/mds")
276        (literal "/private/var/db/DetachedSignatures")
277        ; The following are needed until <rdar://problem/11134688> is resolved.
278        (literal "/Library/Preferences/com.apple.security.plist")
279        (literal "/Library/Preferences/com.apple.security.common.plist")
280        (literal "/Library/Preferences/com.apple.security.revocation.plist")
281        (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
282        (home-literal "/Library/Preferences/com.apple.security.plist")
283        (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
284
285 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
286        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
287
288 ;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
289 (allow mach-lookup
290     (global-name-regex #"^com.apple.distributed_notifications")                                                       
291     (global-name "com.apple.CoreServices.coreservicesd"))
292 (allow file-read-data
293     (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
294 (allow ipc-posix-shm
295     (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
296 (allow system-fsctl (fsctl-command (_IO "h" 47)))
297
298 ;; Graphics
299 (system-graphics)
300
301 ;; Networking
302 (system-network)
303 (allow network-outbound
304        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
305        (literal "/private/var/run/mDNSResponder")
306        (remote tcp))
307
308 (allow mach-lookup
309        (global-name "com.apple.pbs.fetch_services"))
310
311 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
312 (allow mach-lookup
313        (global-name "org.h5l.kcm")
314        (global-name "com.apple.GSSCred")
315        (global-name "com.apple.system.logger")
316        (global-name "com.apple.system.notification_center"))
317 (allow network-outbound
318        (remote udp))
319 (allow user-preference-read
320     (preference-domain
321         "com.apple.Kerberos"
322         "com.apple.GSS"))
323
324 (allow file-read*
325         (literal "/private/etc/krb5.conf")
326         (literal "/private/etc/services")
327         (literal "/private/etc/host")
328         (subpath "/Library/KerberosPlugins/GSSAPI")
329         (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins"))
330
331 (if (defined? 'vnode-type)
332         (deny file-write-create (vnode-type SYMLINK)))
333
334 ;; Reserve a namespace for additional protected extended attributes.
335 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
336
337 (deny file-read* file-write* (with no-log)
338        ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
339        (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
340        (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
341
342 ;; Deny access needed for unnecessary NSApplication initialization.
343 ;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
344 (deny file-read* (with no-log)
345        (subpath "/Library/InputManagers")
346        (home-subpath "/Library/InputManagers"))
347 (deny user-preference-read (with no-log)
348     (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs"))
349 (deny mach-lookup (with no-log)
350        (global-name "com.apple.coreservices.appleevents")
351        (global-name "com.apple.pasteboard.1")
352        (global-name "com.apple.speech.recognitionserver"))
353 ;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
354 (allow file-read*
355        (subpath "/Library/Components")
356        (subpath "/Library/Keyboard Layouts")
357        (subpath "/Library/Input Methods")
358        (home-subpath "/Library/Components")
359        (home-subpath "/Library/Keyboard Layouts")
360        (home-subpath "/Library/Input Methods"))
361
362 ;; AirPlay
363 (allow mach-lookup
364     (global-name "com.apple.coremedia.endpoint.xpc")
365     (global-name "com.apple.coremedia.endpointstream.xpc")
366     (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
367     (global-name "com.apple.coremedia.endpointpicker.xpc"))
368
369 ;; Data Detectors
370 (allow file-read* (subpath "/private/var/db/datadetectors/sys"))
371
372 ;; Media capture, utilities
373 (if (not (defined? 'sbpl-filter?))
374   (define (sbpl-filter? x)
375       (and (list? x)
376            (eq? (car x) 'filter))))
377
378 (macro (with-filter form)
379    (let* ((ps (cdr form))
380           (extra-filter (car ps))
381           (rules (cdr ps)))
382     `(letrec
383         ((collect
384              (lambda (l filters non-filters)
385                  (if (null? l)
386                      (list filters non-filters)
387                      (let* 
388                          ((x (car l))
389                           (rest (cdr l)))
390                          (if (sbpl-filter? x)
391                              (collect rest (cons x filters) non-filters)
392                              (collect rest filters (cons x non-filters)))))))
393          (inject-filter
394              (lambda args
395                  (let* ((collected (collect args '() '()))
396                         (filters (car collected))
397                         (non-filters (cadr collected)))
398                  (if (null? filters)
399                      (cons ,extra-filter non-filters)
400                      (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
401          (orig-allow allow)
402          (orig-deny deny)
403          (wrapper
404              (lambda (action)
405                  (lambda args (apply action (apply inject-filter args))))))
406         (set! allow (wrapper orig-allow))
407         (set! deny (wrapper orig-deny))
408         ,@rules
409         (set! deny orig-deny)
410         (set! allow orig-allow))))
411
412 (define (home-library-preferences-regex home-library-preferences-relative-regex)
413     (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) home-library-preferences-relative-regex)))
414
415 (define (home-library-preferences-literal home-library-preferences-relative-literal)
416     (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
417
418 (define (shared-preferences-read . domains)
419   (for-each (lambda (domain)
420               (begin
421                 (if (defined? `user-preference-read)
422                     (allow user-preference-read (preference-domain domain)))
423                 ; (Temporary) backward compatibility with non-CFPreferences readers.
424                 (allow file-read*
425                        (literal (string-append "/Library/Preferences/" domain ".plist"))
426                        (home-library-preferences-literal (string-append "/" domain ".plist"))
427                        (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
428             domains))
429
430 ;; Media capture, microphone access
431 (with-filter (extension "com.apple.webkit.microphone")
432     (allow device-microphone))
433
434 ;; Media capture, camera access
435 (with-filter (extension "com.apple.webkit.camera")
436     (shared-preferences-read "com.apple.coremedia")
437     (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
438     (allow mach-lookup
439         (global-name "com.apple.cmio.AppleCameraAssistant")
440         ;; Apple DAL assistants
441         (global-name "com.apple.cmio.VDCAssistant")
442         (global-name "com.apple.cmio.AVCAssistant")
443         (global-name "com.apple.cmio.IIDCVideoAssistant")
444         ;; QuickTimeIIDCDigitizer assistant
445         (global-name "com.apple.IIDCAssistant"))
446     (allow iokit-open
447         ;; QuickTimeUSBVDCDigitizer
448         (iokit-user-client-class "IOUSBDeviceUserClientV2")
449         (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
450     (allow device-camera))