commit b53e849e92ca9defab6eede768ad85aad6e8e702 Author: Kathy Brade brade@pearlcrescent.com Date: Tue Jan 17 10:27:25 2017 -0500
Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2
Allow full read access to all files under /usr/lib. Allow full read access to /Library/Preferences/com.apple.ViewBridge.plist. Allow writes to TorBrowser-Data/Browser/profiles.ini (otherwise, a new browser profile is created each time the browser is opened). --- projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb index eda7a1f..385e914 100644 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb +++ b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb @@ -28,6 +28,7 @@
(allow file-read* (path "/Library/Preferences/com.apple.HIToolbox.plist") + (path "/Library/Preferences/com.apple.ViewBridge.plist") (path "/Library/Preferences/.GlobalPreferences.plist") (path "/dev/random") (path "/dev/urandom") @@ -41,6 +42,7 @@ (subpath "/Library/Fonts") (subpath "/System") (subpath "/private/var/folders") + (subpath "/usr/lib") (subpath "/usr/share") (home-subpath "/Downloads") (home-subpath "/Library/Input Methods") @@ -66,7 +68,6 @@ (path "/private/var/db/.AppleSetupDone") (path "/tmp") (path "/var") - (subpath "/usr/lib") (torbrowser-data-dir-path "/Tor/control.socket") (torbrowser-data-dir-path "/Tor/socks.socket") (path-regex "/private/tmp/Tor[-0-9]*/control.socket") @@ -86,11 +87,6 @@ (path "/Library/Preferences/.GlobalPreferences.plist") )
-; Disallow writes to the profiles ini file. -(deny file-write* - (torbrowser-data-dir-subpath "/Browser/profiles.ini") -) - (allow iokit-open)
(allow ipc-posix-shm