;; The missing OSX sandbox profile for Firefox by SecureInfo.eu
;;
;; Copyleft ()) 2012
;; What The Fuck Public License (WTFPL)
;;
;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the WTFPL License as published by anyone,
;;
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;; GNU General Public License for more details.
;;
;; You should have received a copy of the WTFPL
;; along with this program. If not, look WTFPL @DDG .
;;
;; Script written for Firefox for (Mac) OS X >= 10.7
;;
;;
;; Save this content to: /Applications/Firefox.app/Contents/MacOS/firefox.sb
;; Drawback: the operation has to be repeated after every update
;;
;; cd /Applications/Firefox.app/Contents/MacOS/
;;
;; mv firefox firefox-bin
;;
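;; echo '/usr/bin/sandbox-exec -f "firefox.sb" "firefox-launcher" "$@"' > firefox
;; NOTE: the mv step above renames the binary to firefox-bin, while this wrapper
;; starts "firefox-launcher"; the two names have to agree. "firefox.sb" is a
;; relative path, so it is resolved against the caller's working directory.
;;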
;; chmod u+x firefox
;;
;;
;; Thanks to :
;; andreas@romab.com (IronFox)
;; (2010-05-12 12:33 EDT)
;; http://codereview.chromium.org/379019
;; http://www.google.com/codesearch/p?hl=en#PwHPI3FoDE4/safari-policy.sb&q=%22allow%20process-exec%22&sa=N&cd=1&ct=rc
;; http://www.google.com/codesearch/p?hl=en#nuhRrvzZpRk/Configs/safari-sandbox/sandbox-safari.sb&q=%22allow%20process-exec%22&sa=N&cd=2&ct=rc
;; http://www.macosxhints.com/article.php?story=20100318044558156
;; http://techjournal.318.com/security/a-brief-introduction-to-mac-os-x-sandbox-technology/
;; Little documentation currently (2010) exists, but you can pull out some of the possible actions via:
;; strings /System/Library/Extensions/seatbelt.kext/Contents/MacOS/seatbelt | sort
;; Also see: tail -f /var/log/asl/YYYY.MM.DD.asl | strings
;;
;; Selects version 1 of the sandbox profile language.
(version 1)
;; Default-deny baseline: any operation that no allow rule below matches is
;; refused, so every rule in this file is an explicit widening of the sandbox.
(deny default)
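;; Full file access (every file-read* and file-write* operation). This is the
;; widest file grant in the profile, so each path is kept as narrow as possible.
;;
;; The regex filters end in (/|$) so they match the named directory and what is
;; below it, and no longer match sibling paths that merely share the prefix
;; (for example ".../Application Support/Firefox-something").
;;
;; NOTE(review): [a-zA-Z0-9_]+ matches any account under /Users, not only the
;; user running Firefox, and does not match short names containing "." or "-".
(allow file*
    (literal "/dev/dtracehelper")
    (literal "/dev/urandom")
    (literal "/dev/null")
    ;; Firefox profile data.
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Application Support/Firefox(/|$)")
    ;; NOTE(review): system-wide Flash configuration directory, writable here.
    (regex #"^/Library/Application Support/Macromedia(/|$)")
    ;; NOTE(review): this directory is also listed under process-exec in this
    ;; profile, i.e. it is both writable and executable from inside the sandbox.
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Adobe/Flash Player(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/dwhelper(/|$)")
    ;; Shared temporary directories (/tmp is normally a link to /private/tmp).
    (subpath "/tmp")
    (subpath "/private/tmp")
)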
;; Read access (data, metadata and extended attributes) to the application
;; bundle, system libraries, plug-in directories and configuration.
(allow file-read*
;; NOTE(review): unescaped "." and no trailing path boundary, so this is a
;; prefix match; the (subpath "/Applications/Firefox.app") entry further down
;; already covers the bundle.
(regex #"^/Applications/Firefox.app")
(regex #"^/Library/Application Support/Adobe")
(subpath "/usr")
(subpath "/System/Library/Frameworks")
;; NOTE(review): broadest read grant in the profile. Everything under any
;; matching home directory becomes readable, including data unrelated to
;; Firefox (keys, keychains, mail, other applications' profiles). Narrowing
;; this to the directories Firefox needs would restore most of the sandbox's
;; confidentiality value.
(regex #"^/Users/[a-zA-Z0-9_]+")
(subpath "/Library/Preferences")
(subpath "/Applications/Firefox.app")
;; NOTE(review): /var and /private/var are readable in full (logs, databases,
;; per-user temp folders); confirm that this breadth is required.
(subpath "/var")
(subpath "/private/var")
;; Host name resolution overrides.
(literal "/private/etc/hosts")
(literal "/etc/hosts")
(subpath "/Library/Internet Plug-Ins")
(subpath "/Library/Application Support/Mozilla")
(subpath "/Library/Application Support/Firefox")
(subpath "/Library/Firefox")
(subpath "/Library/ColorSync/Profiles/Displays")
(subpath "/Library/PreferencePanes")
)
;; Content reads only (no metadata or xattr operations). A literal filter on a
;; directory matches that directory itself, not the files inside it.
(allow file-read-data
(literal "/")
(literal "/Users")
(literal "/Library")
(literal "/Library/Spelling")
(subpath "/Library/PDF Services")
(literal "/Library/Audio/Plug-Ins/HAL")
(literal "/Library/Application Support/Macromedia/FlashAuthor.cfg")
(literal "/dev/fd")
(literal "/Applications")
(subpath "/Applications/Preview.app")
(literal "/dev/random")
;; Redundant: contained in the (subpath "/System/Library") entry that follows.
(subpath "/System/Library/CoreServices")
(subpath "/System/Library")
(subpath "/Library/Fonts")
;; Also granted by the file-read* rule in this profile.
(subpath "/Library/Internet Plug-Ins")
(subpath "/Library/InputManagers")
(subpath "/Applications/Safari.app")
(subpath "/Library/Application Support/Macromedia/FlashPlayerTrust")
(subpath "/Library/Dictionaries")
;; NOTE(review): the path starts with "/Application" (singular), unlike every
;; other entry, which uses "/Applications"; as written this rule probably
;; matches nothing. Remove it, or correct it if the access is really needed.
(literal "/Application/Sublime Text 2.app")
)
;; Metadata-only reads (stat-level information, not file contents) on broad
;; parts of the file system.
;; NOTE(review): whole-tree subpaths on /Users, /Library, /System and
;; /Applications let the process learn whether files exist anywhere in those
;; trees, along with their attributes; file contents stay governed by the
;; read rules elsewhere in this profile.
(allow file-read-metadata
(literal "/")
(literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
(literal "/private")
(subpath "/etc")
(subpath "/private/etc")
(subpath "/Applications")
(subpath "/System")
(subpath "/Library")
(subpath "/Users")
)
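;; Write access. Together with the file* rule, this is the complete set of
;; locations the sandboxed process can modify, so it defines how far a
;; compromised browser can tamper with the file system.
;;
;; The regex filters end in (/|$) so they match the named directory and what is
;; below it, not sibling paths that only share the prefix (for example
;; "/Users/<name>/Downloads-other").
(allow file-write*
    (literal "/Applications/Firefox.app/Contents/MacOS/update.test")
    ;; NOTE(review): system-wide cache directory, not limited to Firefox.
    (subpath "/Library/Caches")
    (subpath "/private/var/folders")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Firefox(/|$)")
    ;; NOTE(review): covers the preference files of every application for that
    ;; user, not only Firefox's; consider limiting this to the Mozilla plists.
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/TemporaryItems(/|$)")
    ;; User-visible save locations for downloads and "Save as".
    (regex #"^/Users/[a-zA-Z0-9_]+/Pictures(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/Music(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/Downloads(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/Desktop(/|$)")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Saved Application State(/|$)")
    ;; Already covered by the file* rule in this profile; kept for clarity.
    (literal "/dev/dtracehelper")
    (literal "/dev/tty")
)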
;; Extended-attribute reads on two specific system bundles; the literal filters
;; keep this grant limited to exactly these paths.
(allow file-read-xattr
(literal "/System/Library/Services/AppleSpell.service")
(literal "/System/Library/Image Capture/Support/Image Capture Extension.app"))
;; Mach service lookups, i.e. which system and application services the
;; sandboxed process may connect to.
(allow mach-lookup
(global-name "DictationInputMethod_1_Connection")
(global-name "Multilingual (Apple)_OpenStep")
(global-name "fr (Apple)_OpenStep")
;; NOTE(review): matches every service whose name starts with "com" + any
;; character + "apple" (the dot is unescaped and the trailing ".*" adds
;; nothing). Each reachable service runs outside this sandbox, so listing
;; only the services Firefox needs would reduce the exposed surface.
(global-name-regex "^com.apple.*")
;; Firefox's own crash reporter and IPC names.
(global-name-regex "^gecko-crash-server-pipe.*")
(global-name-regex "^org.mozilla.machname.*"))
;; Unfiltered: the process may register Mach service names of any value.
;; NOTE(review): a name filter limited to the Mozilla names used in the
;; mach-lookup rule would be tighter; confirm which names Firefox registers.
(allow mach-register)
;; Forking is unrestricted; what a child may then execute is limited by the
;; process-exec rule.
(allow process-fork)
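;; Programs the sandboxed process may execute.
;;
;; The directory regexes escape the "." in "Firefox.app" and end in "/", so
;; only files below the named directory match. Without the boundary they were
;; prefix matches and would also accept sibling paths such as
;; "/Applications/Firefox.app-other/...".
(allow process-exec
    (regex #"^/Applications/Firefox\.app/")
    (regex #"^/Library/Internet Plug-Ins/")
    ;; NOTE(review): both Flash Player directories below are user-writable, and
    ;; this profile grants the sandboxed process write access to them as well
    ;; (file* and file-write* rules). Anything written there can be executed;
    ;; confirm that exec from these locations is required.
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences/Macromedia/Flash Player/")
    (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Adobe/Flash Player/")
    ;; Already matched by the Firefox.app regex; listed explicitly to document
    ;; the two binaries the profile is built around.
    (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
    (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
    ;; System helpers, pinned to exact paths.
    (literal "/usr/sbin/netstat")
    (literal "/usr/bin/basename")
)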
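;; Remaining operations, all granted without filters. Each line below is an
;; unconditional allow, so these are the loosest parts of the profile.
;; A stray token that followed the last rule has been dropped; it was not part
;; of any form.

;; POSIX shared memory, any name.
(allow ipc-posix-shm)
;; NOTE(review): Apple Events can drive other applications that run outside
;; this sandbox, so an unfiltered grant weakens containment; consider limiting
;; the destinations to those Firefox needs.
(allow appleevent-send)
(allow file-issue-extension)
;; NOTE(review): confirm that Firefox needs to create jobs at all.
(allow job-creation)
;; Read-only access to sysctl values.
(allow sysctl-read)
(allow system-socket)
;; NOTE(review): no target filter, so signals may be sent to any process the
;; user is permitted to signal, not only Firefox's own children.
(allow signal)
;; NOTE(review): any IOKit user client may be opened; drivers are kernel
;; attack surface, so a list of the required client classes would be tighter.
(allow iokit-open)
;; All network operations, inbound as well as outbound. A browser needs
;; outbound connections; NOTE(review): confirm whether accepting inbound
;; connections is needed, otherwise narrow this to outbound traffic.
(allow network*)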