Roll r208589 back in. The rollout will be on the Safari-603.1.13.1 tag. rdar://proble...
[WebKit-https.git] / Source / WebKit2 / WebProcess / com.apple.WebProcess.sb.in
1 ; Copyright (C) 2010-2016 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ;    notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ;    notice, this list of conditions and the following disclaimer in the
10 ;    documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
24 (version 1)
25 (deny default (with partial-symbolication))
26 (allow system-audit file-read-metadata)
27
28 (import "system.sb")
29
30 ;; Utility functions for home directory relative path filters
31 (define (home-regex home-relative-regex)
32   (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
33
34 (define (home-subpath home-relative-subpath)
35   (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
36
37 (define (home-literal home-relative-literal)
38   (literal (string-append (param "HOME_DIR") home-relative-literal)))
39
40 (define (allow-read-directory-and-issue-read-extensions path)
41     (if path
42         (begin
43             (allow file-read* (subpath path))
44             (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
45
46 ;; Read-only preferences and data
47 (allow file-read*
48        ;; Basic system paths
49        (subpath "/Library/Dictionaries")
50        (subpath "/Library/Fonts")
51        (subpath "/Library/Frameworks")
52        (subpath "/Library/Managed Preferences")
53        (subpath "/Library/Speech/Synthesizers")
54        (regex #"^/private/etc/(hosts|group|passwd)$")
55
56        (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
57
58        ;; System and user preferences
59        (literal "/Library/Preferences/.GlobalPreferences.plist")
60        (home-literal "/Library/Preferences/.GlobalPreferences.plist")
61        (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
62        (home-regex #"/Library/Preferences/ByHost/com\.apple\.HIToolbox\.")
63        (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
64        (home-literal "/Library/Preferences/com.apple.ATS.plist")
65        (home-literal "/Library/Preferences/com.apple.CoreGraphics.plist")
66        (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
67        (home-literal "/Library/Preferences/com.apple.HIToolbox.plist")
68        (home-literal "/Library/Preferences/com.apple.LaunchServices.plist")
69        (home-literal "/Library/Preferences/com.apple.MultitouchSupport.plist") ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
70        (home-literal "/Library/Preferences/com.apple.QTKit.plist")
71        (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
72        (home-literal "/Library/Preferences/com.apple.avfoundation.plist")
73        (home-literal "/Library/Preferences/com.apple.coremedia.plist")
74        (home-literal "/Library/Preferences/com.apple.speech.voice.prefs.plist")
75        (home-literal "/Library/Preferences/com.apple.systemsound.plist")
76        (home-literal "/Library/Preferences/com.apple.universalaccess.plist")
77        (home-literal "/Library/Preferences/com.apple.lookup.shared.plist")
78        (home-regex #"/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$")
79        (home-literal "/.CFUserTextEncoding")
80
81        ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
82        (home-subpath "/Library/Fonts")
83
84        ;; FIXME: These should be removed when <rdar://problem/9217757> is fixed.
85        (home-subpath "/Library/Audio/Plug-Ins/Components")
86        (home-subpath "/Library/Preferences/QuickTime Preferences")
87        (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
88        (subpath "/Library/Audio/Plug-Ins/Components")
89        (subpath "/Library/Audio/Plug-Ins/HAL")
90        (subpath "/Library/Video/Plug-Ins")
91        (subpath "/Library/QuickTime")
92
93        (home-subpath "/Library/Dictionaries"))
94
95 ;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
96 ;; and to allow issuing extensions.
97 (allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))
98
99 ;; Allow issuing extensions to system libraries that the Network process can already read.
100 ;; This is to avoid warnings attempting to create extensions for these resources.
101 (allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")
102
103 ;; Sandbox extensions
104 (define (apply-read-and-issue-extension op path-filter)
105     (op file-read* path-filter)
106     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
107 (define (apply-write-and-issue-extension op path-filter)
108     (op file-write* path-filter)
109     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
110 (define (read-only-and-issue-extensions path-filter)
111     (apply-read-and-issue-extension allow path-filter))
112 (define (read-write-and-issue-extensions path-filter)
113     (apply-read-and-issue-extension allow path-filter)
114     (apply-write-and-issue-extension allow path-filter))
115 (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
116 (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
117 (allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.
118
119 ;; Allow the OpenGL Profiler to attach.
120 (if (defined? 'mach-register)
121     (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
122
123 ;; MediaAccessibility
124 (allow file-read* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.plist"))
125 (allow file-read* file-write* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.public.plist"))
126
127 (if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
128     (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
129
130 (if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
131     (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))
132
133 ;; IOKit user clients
134 (allow iokit-open
135        (iokit-user-client-class "AppleUpstreamUserClient")
136        (iokit-user-client-class "IOHIDParamUserClient")
137        (iokit-user-client-class "RootDomainUserClient")
138        (iokit-user-client-class "IOAudioControlUserClient")
139        (iokit-user-client-class "IOAudioEngineUserClient"))
140
141 ;; cookied.
142 ;; FIXME: Update for <rdar://problem/13642852>.
143 (allow ipc-posix-shm-read-data
144     (ipc-posix-name "FNetwork.defaultStorageSession")
145     (ipc-posix-name-regex #"\.PrivateBrowsing-")
146     (ipc-posix-name-regex #"^WebKit Test-"))
147
148 ;; ColorSync
149 (allow ipc-posix-shm*
150     (ipc-posix-name "com.apple.ColorSync.Gen.lock")
151     (ipc-posix-name "com.apple.ColorSync.Disp.lock")
152     (ipc-posix-name "com.apple.ColorSync.Gray2.2")
153     (ipc-posix-name "com.apple.ColorSync.sRGB")
154     (ipc-posix-name "com.apple.ColorSync.GenGray")
155     (ipc-posix-name "com.apple.ColorSync.GenRGB"))
156
157 ;; Audio
158 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
159     (ipc-posix-name-regex #"^AudioIO"))
160
161 ;; Remote Web Inspector
162 (allow mach-lookup
163        (global-name "com.apple.webinspector"))
164
165 ;; Various services required by AppKit and other frameworks
166 (allow mach-lookup
167        (global-name "com.apple.DiskArbitration.diskarbitrationd")
168        (global-name "com.apple.FileCoordination")
169        (global-name "com.apple.FontObjectsServer")
170 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
171        (global-name "com.apple.FontServer")
172 #endif
173        (global-name "com.apple.SystemConfiguration.configd")
174        (global-name "com.apple.SystemConfiguration.PPPController")
175        (global-name "com.apple.audio.SystemSoundServer-OSX")
176        (global-name "com.apple.audio.VDCAssistant")
177        (global-name "com.apple.audio.audiohald")
178        (global-name "com.apple.audio.coreaudiod")
179        (global-name "com.apple.awdd")
180        (global-name "com.apple.cookied")
181        (global-name "com.apple.dock.server")
182        (global-name "com.apple.fonts")
183        (global-name "com.apple.system.opendirectoryd.api")
184        (global-name "com.apple.tccd")
185        (global-name "com.apple.tccd.system")
186        (global-name "com.apple.window_proxies")
187        (global-name "com.apple.windowserver.active")
188        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
189        (global-name "com.apple.PowerManagement.control")
190        (global-name "com.apple.speech.speechsynthesisd")
191        (global-name "com.apple.speech.synthesis.console")
192        (global-name "com.apple.coreservices.launchservicesd")
193        (global-name "com.apple.iconservices")
194        (global-name "com.apple.iconservices.store")
195 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101100
196        (global-name "com.apple.nesessionmanager.flow-divert-token")
197 #endif
198 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
199        (global-name "com.apple.mediaremoted.xpc")
200 #endif
201 )
202
203 ;; Security framework
204 (allow mach-lookup
205        (global-name "com.apple.ctkd.token-client") 
206        (global-name "com.apple.ocspd")
207        (global-name "com.apple.securityd.xpc") 
208        (global-name "com.apple.CoreAuthentication.agent.libxpc")
209        (global-name "com.apple.SecurityServer"))
210
211 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
212 (allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
213 #endif
214
215 (allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
216
217 (allow file-read*
218 #if __MAC_OS_X_VERSION_MIN_REQUIRED < 101240
219        (subpath "/Library/Keychains")
220 #endif
221        (subpath "/private/var/db/mds")
222        (literal "/private/var/db/DetachedSignatures")
223        (literal "/Library/Preferences/com.apple.crypto.plist")
224        (literal "/Library/Preferences/com.apple.security.plist")
225        (literal "/Library/Preferences/com.apple.security.common.plist")
226        (literal "/Library/Preferences/com.apple.security.revocation.plist")
227        (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
228        (home-literal "/Library/Preferences/com.apple.security.plist")
229        (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
230
231 (allow ipc-posix-shm-read* ipc-posix-shm-write-data
232        (ipc-posix-name "com.apple.AppleDatabaseChanged"))
233
234 ;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
235 (allow mach-lookup
236     (global-name-regex #"^com.apple.distributed_notifications")                                                       
237     (global-name "com.apple.CoreServices.coreservicesd"))
238 (allow file-read-data
239     (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
240 (allow ipc-posix-shm
241     (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
242 (allow system-fsctl (fsctl-command (_IO "h" 47)))
243
244 ;; Graphics
245 (system-graphics)
246
247 ;; Networking
248 (system-network)
249 (allow network-outbound
250        ;; Local mDNSResponder for DNS, arbitrary outbound TCP
251        (literal "/private/var/run/mDNSResponder")
252        (remote tcp))
253
254 ;; Needed for NSAttributedString, <rdar://problem/10844321>.
255 (allow file-read*
256        (home-literal "/Library/Preferences/pbs.plist")
257        (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist"))
258 (allow mach-lookup
259        (global-name "com.apple.pbs.fetch_services"))
260
261 ;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
262 (allow mach-lookup
263        (global-name "org.h5l.kcm")
264        (global-name "com.apple.GSSCred")
265        (global-name "com.apple.system.logger")
266        (global-name "com.apple.system.notification_center"))
267 (allow network-outbound
268        (remote udp))
269 (allow file-read*
270         (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
271         (home-subpath "/Library/Preferences/com.apple.GSS.plist")
272         (home-subpath "/Library/Preferences/edu.mit.Kerberos")
273         (literal "/Library/Preferences/com.apple.Kerberos.plist")
274         (literal "/Library/Preferences/com.apple.GSS.plist")
275         (literal "/Library/Preferences/edu.mit.Kerberos")
276         (literal "/private/etc/krb5.conf")
277         (literal "/private/etc/services")
278         (literal "/private/etc/host")
279         (subpath "/Library/KerberosPlugins/GSSAPI")
280         (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins"))
281
282 (if (defined? 'vnode-type)
283         (deny file-write-create (vnode-type SYMLINK)))
284
285 ;; Reserve a namespace for additional protected extended attributes.
286 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
287
288 (deny file-read* file-write* (with no-log)
289        ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
290        (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
291        (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
292
293 ;; Deny access needed for unnecessary NSApplication initialization.
294 ;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
295 (deny file-read* (with no-log)
296        (home-literal "/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist")
297        (subpath "/Library/InputManagers")
298        (home-subpath "/Library/InputManagers"))
299 (deny mach-lookup (with no-log)
300        (global-name "com.apple.coreservices.appleevents")
301        (global-name "com.apple.pasteboard.1")
302        (global-name "com.apple.speech.recognitionserver"))
303 ;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
304 (allow file-read*
305        (subpath "/Library/Components")
306        (subpath "/Library/Keyboard Layouts")
307        (subpath "/Library/Input Methods")
308        (home-subpath "/Library/Components")
309        (home-subpath "/Library/Keyboard Layouts")
310        (home-subpath "/Library/Input Methods"))
311
312 ;; AirPlay
313 (allow mach-lookup
314     (global-name "com.apple.coremedia.endpoint.xpc")
315     (global-name "com.apple.coremedia.endpointstream.xpc")
316     (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
317     (global-name "com.apple.coremedia.endpointpicker.xpc"))
318
319 ;; Data Detectors
320 (allow file-read* (subpath "/private/var/db/datadetectors/sys"))
321
322 ;; Media capture, utilities
323 (if (not (defined? 'sbpl-filter?))
324   (define (sbpl-filter? x)
325       (and (list? x)
326            (eq? (car x) 'filter))))
327
328 (macro (with-filter form)
329    (let* ((ps (cdr form))
330           (extra-filter (car ps))
331           (rules (cdr ps)))
332     `(letrec
333         ((collect
334              (lambda (l filters non-filters)
335                  (if (null? l)
336                      (list filters non-filters)
337                      (let* 
338                          ((x (car l))
339                           (rest (cdr l)))
340                          (if (sbpl-filter? x)
341                              (collect rest (cons x filters) non-filters)
342                              (collect rest filters (cons x non-filters)))))))
343          (inject-filter
344              (lambda args
345                  (let* ((collected (collect args '() '()))
346                         (filters (car collected))
347                         (non-filters (cadr collected)))
348                  (if (null? filters)
349                      (cons ,extra-filter non-filters)
350                      (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
351          (orig-allow allow)
352          (orig-deny deny)
353          (wrapper
354              (lambda (action)
355                  (lambda args (apply action (apply inject-filter args))))))
356         (set! allow (wrapper orig-allow))
357         (set! deny (wrapper orig-deny))
358         ,@rules
359         (set! deny orig-deny)
360         (set! allow orig-allow))))
361
362 (define (home-library-preferences-regex home-library-preferences-relative-regex)
363     (regex (string-append "^" (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR")) home-library-preferences-relative-regex)))
364
365 (define (home-library-preferences-literal home-library-preferences-relative-literal)
366     (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal)))
367
368 (define (shared-preferences-read . domains)
369   (for-each (lambda (domain)
370               (begin
371                 (if (defined? `user-preference-read)
372                     (allow user-preference-read (preference-domain domain)))
373                 ; (Temporary) backward compatibility with non-CFPreferences readers.
374                 (allow file-read*
375                        (literal (string-append "/Library/Preferences/" domain ".plist"))
376                        (home-library-preferences-literal (string-append "/" domain ".plist"))
377                        (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$")))))
378             domains))
379
380 ;; Media capture, microphone access
381 (with-filter (extension "com.apple.webkit.microphone")
382     (allow device-microphone))
383
384 ;; Media capture, camera access
385 (with-filter (extension "com.apple.webkit.camera")
386     (shared-preferences-read "com.apple.coremedia")
387     (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
388     (allow mach-lookup
389         (global-name "com.apple.cmio.AppleCameraAssistant")
390         ;; Apple DAL assistants
391         (global-name "com.apple.cmio.VDCAssistant")
392         (global-name "com.apple.cmio.AVCAssistant")
393         (global-name "com.apple.cmio.IIDCVideoAssistant")
394         ;; QuickTimeIIDCDigitizer assistant
395         (global-name "com.apple.IIDCAssistant"))
396     (allow iokit-open
397         ;; QuickTimeUSBVDCDigitizer
398         (iokit-user-client-class "IOUSBDeviceUserClientV2")
399         (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
400     (allow device-camera))