
Sandboxie osx

These set up some macros to be used later in the policy. See the next row for examples of what they evaluate to on a Nightly build.

Example output of the above macros after running a Nightly build:

    (define appPath "/./NightlyDebug.app/Contents/MacOS/plugin-container.app")
    (define appBinaryPath "/./NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
    (define appDir "/./NightlyDebug.app/Contents/Resources/browser")
    (define appTempDir "/Users//Library/Caches/TemporaryItems/Temp-")

Text substitution macros for dealing with paths:

    " (define var-folders-re \"^/private/var/folders/\")\n"
    " (define var-folders2-re (string-append var-folders-re \"/+/\"))\n"
    " (define (home-regex home-relative-regex)\n"
    " (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
    " (define (home-subpath home-relative-subpath)\n"
    " (resolving-subpath (string-append home-path home-relative-subpath)))\n"
    " (define (home-literal home-relative-literal)\n"
    " (resolving-literal (string-append home-path home-relative-literal)))\n"
    " (define (var-folders-regex var-folders-relative-regex)\n"
    " (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
    " (define (var-folders2-regex var-folders2-relative-regex)\n"
    " (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"

Macros for dealing with some form of OS X preferences:

    " (define (allow-shared-preferences-read domain)\n"
    " (if (defined? `user-preference-read)\n"
    " (allow user-preference-read (preference-domain domain)))\n"
    " (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
    " (home-regex (string-append \"/Library/Preferences/ByHost/\" "
    " (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"

By default, we deny, i.e., for any capability not explicitly allowed here, do not allow it to be used.

For any rule that causes an action to be denied, log something in system.log. These log entries are easily viewed using the OS X "Console" application and filtering on "sandbox".

A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.

Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others.

/dev/random, /dev/urandom: used for randomization code. Wondering if we need write access to these.

Aids debugging the plugin-container using dtrace. Could be removed, but since root privileges are required to read /dev/dtracehelper this wouldn't be exploitable unless Firefox was run as root or with sudo.

autofs_nowait: TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points).

Allow read access to standard system paths.

Allow reading of metadata of these directories.

Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them:

    (require-any (subpath "/Library/Filesystems/NetFSPlugins")

Access via IPC shared memory to services with names matching these regexes? TBD

    " (ipc-posix-name-regex \"^AudioIO\"))\n"

  • home-path: this is used so the ruleset can generate home-relative rules for ~/Library, ~/.cups (printing) and ~/.CFUserTextEncoding (stores the default text encoding and preferred language for the user.).
  • appTempDir: this is the temp directory for content processes that we create and clean up in the parent, see bug 1252207 and bug 1237847.
  • macosMinorVersion: this is used to detect OS X 10.9 which rejects the "lsopen" rule.
  • sandbox-level: this is the value of when it is >=1. If the value is zero, the sandbox policy isn't used and content processes aren't sandboxed.
  • I tried with version=2 and sandbox_init failed due to "unsupported version". The reference states only version 1 is supported.

    static const char contentSandboxRules =


    The Mac policies can be found in SandboxPolicies.h.


    Refer to the source code to learn more about the sandbox rules.

  • The table below is not kept up-to-date.
  • Use of file* in the rules includes all of file-read, file-write, file-read-metadata, and file-write-metadata.
  • An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.

    + Matches 1 or more non-slash characters. matches a single character that is not a '/'. This is used in some of the regular expressions.


    Refers to the full path to the home directory of the user.