commit b53e849e92ca9defab6eede768ad85aad6e8e702
Author: Kathy Brade <brade(a)pearlcrescent.com>
Date: Tue Jan 17 10:27:25 2017 -0500
Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2
Allow full read access to all files under /usr/lib.
Allow full read access to /Library/Preferences/com.apple.ViewBridge.plist.
Allow writes to TorBrowser-Data/Browser/profiles.ini (otherwise, a new
browser profile is created each time the browser is opened).
---
projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb
index eda7a1f..385e914 100644
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb
+++ b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb
@@ -28,6 +28,7 @@
(allow file-read*
(path "/Library/Preferences/com.apple.HIToolbox.plist")
+ (path "/Library/Preferences/com.apple.ViewBridge.plist")
(path "/Library/Preferences/.GlobalPreferences.plist")
(path "/dev/random")
(path "/dev/urandom")
@@ -41,6 +42,7 @@
(subpath "/Library/Fonts")
(subpath "/System")
(subpath "/private/var/folders")
+ (subpath "/usr/lib")
(subpath "/usr/share")
(home-subpath "/Downloads")
(home-subpath "/Library/Input Methods")
@@ -66,7 +68,6 @@
(path "/private/var/db/.AppleSetupDone")
(path "/tmp")
(path "/var")
- (subpath "/usr/lib")
(torbrowser-data-dir-path "/Tor/control.socket")
(torbrowser-data-dir-path "/Tor/socks.socket")
(path-regex "/private/tmp/Tor[-0-9]*/control.socket")
@@ -86,11 +87,6 @@
(path "/Library/Preferences/.GlobalPreferences.plist")
)
-; Disallow writes to the profiles ini file.
-(deny file-write*
- (torbrowser-data-dir-subpath "/Browser/profiles.ini")
-)
-
(allow iokit-open)
(allow ipc-posix-shm