commit 767dd879b91584d5828998804ab1ee45499ca640 Author: Georg Koppen gk@torproject.org Date: Thu Jun 21 07:45:40 2018 +0000
Bug 26438: Remove seatbelt profiles for macOS
Starting with content sandboxing being enabled our seatbelt profiles have been broken (see: #22000). We should remove them for now to avoid a broken experience in the alphas. --- .../tor-browser/Bundle-Data/mac-sandbox/.DS_Store | Bin 6148 -> 0 bytes .../tor-browser/Bundle-Data/mac-sandbox/README.txt | 29 ----- .../mac-sandbox/start-browser-with-sandbox | 24 ---- .../Bundle-Data/mac-sandbox/start-tor-with-sandbox | 42 ------- projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb | 122 --------------------- .../tor-browser/Bundle-Data/mac-sandbox/tor.sb | 64 ----------- projects/tor-browser/build | 5 - 7 files changed, 286 deletions(-)
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store b/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store deleted file mode 100644 index 6c49e24..0000000 Binary files a/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store and /dev/null differ diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt b/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt deleted file mode 100644 index 47d6e5c..0000000 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt +++ /dev/null @@ -1,29 +0,0 @@ -Experimental Sandboxed Tor Browser for OS X - -Requirements: - Mac OS 10.9 or newer. - A willingness to run shell commands from Terminal. - -Follow these steps to use the sandbox profiles: - -1. Copy this folder ("Sandboxed Tor Browser") to a local drive, but do not - put it in /Applications. -2. Copy the TorBrowser app into your "Sandboxed Tor Browser" folder. -3. Open Terminal. -4. Run start-tor-with-sandbox and wait for Tor bootstrapping to finish. -5. Run start-browser-with-sandbox. - -Known Issues: - -You will need to manually kill start-tor-with-sandbox or the tor.real -process after you exit the browser. - -The browser has full access to the Tor control port. Ideally, access -would be limited to the things that are necessary for New Identity and -for the circuit display features. - -Printing does not work. - -The built-in updater will not work. - -Files can only be downloaded or saved to ~/Downloads. diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox b/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox deleted file mode 100755 index 31d4218..0000000 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -# TODO: assumes not in /Applications -# TODO: assumes app is in TorBrowser.app - -BASEDIR="`dirname "$0"`" -BASEDIR="`(cd "$BASEDIR" && pwd)`" -TORBROWSER_APP_DIR="$BASEDIR/TorBrowser.app" -TORBROWSER_DATA_DIR="$BASEDIR/TorBrowser-Data" -TOR_DATA_DIR="$TORBROWSER_DATA_DIR/Tor" -SOCKETDIR="/tmp/Tor" - -export TOR_SKIP_LAUNCH=1 -export TOR_CONTROL_IPC_PATH="$SOCKETDIR/control.socket" -export TOR_SOCKS_IPC_PATH="$SOCKETDIR/socks.socket" -export TOR_CONTROL_COOKIE_AUTH_FILE="$TOR_DATA_DIR/control_auth_cookie" -SB_PROFILE="`pwd`/tb.sb" -cd "$TORBROWSER_APP_DIR" -sandbox-exec -f "$SB_PROFILE" \ - -D "HOME_DIR=$HOME" \ - -D "CURRENT_DIR=$BASEDIR" \ - -D "TORBROWSER_APP_DIR=$TORBROWSER_APP_DIR" \ - -D "TORBROWSER_DATA_DIR=$TORBROWSER_DATA_DIR" \ - "./Contents/MacOS/firefox" diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox b/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox deleted file mode 100755 index ec7f15e..0000000 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/bash - -# TODO: assumes not in /Applications -# TODO: assumes /tmp/Tor is not used by anyone else. -# TODO: assumes app is in TorBrowser.app - -set -e - -BASEDIR="`dirname "$0"`" -BASEDIR="`(cd "$BASEDIR" && pwd)`" -TOR_DATA_DIR="$BASEDIR/TorBrowser-Data/Tor" -TOR_STATIC_DATA_DIR="$BASEDIR/TorBrowser.app/Contents/Resources/TorBrowser/Tor" -TOR_BIN_DIR="$BASEDIR/TorBrowser.app/Contents/MacOS/Tor" -TORRC="$TOR_DATA_DIR/torrc" -SOCKETDIR="/tmp/Tor" - -# Compiled Python modules require a compatible Python, which means 32-bit 2.6. -export VERSIONER_PYTHON_VERSION=2.6 -export DYLD_LIBRARY_PATH=.:$DYLD_LIBRARY_PATH - -mkdir -p "$TOR_DATA_DIR" -if [ ! -e "$TORRC" ]; then - touch "$TORRC" -fi - -if [ ! -e "$SOCKETDIR" ]; then - mkdir -p "$SOCKETDIR" - chmod 700 "$SOCKETDIR" -fi - -TOR="$TOR_BIN_DIR/tor.real" -sandbox-exec -f tor.sb -D "TOR_DATA_DIR=$TOR_DATA_DIR" \ - -D "TOR_STATIC_DATA_DIR=$TOR_STATIC_DATA_DIR" \ - -D "TOR_BIN_DIR=$TOR_BIN_DIR" "$TOR" \ - --defaults-torrc "$TOR_STATIC_DATA_DIR/torrc-defaults" \ - -f "$TORRC" \ - CookieAuthentication 1 \ - DataDirectory "$TOR_DATA_DIR" \ - GeoIPFile "$TOR_STATIC_DATA_DIR/geoip" \ - GeoIPv6File "$TOR_STATIC_DATA_DIR/geoip6" \ - ControlPort "unix:$SOCKETDIR/control.socket" \ - SocksPort "unix:$SOCKETDIR/socks.socket" diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb deleted file mode 100644 index 385e914..0000000 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb +++ /dev/null @@ -1,122 +0,0 @@ -(version 1) - -;; Parameters: -;; HOME_DIR the user's home directory -;; CURRENT_DIR the current working directory -;; TORBROWSER_APP_DIR the TorBrowser.app directory -;; TORBROWSER_DATA_DIR the TorBrowser-Data directory - -;; TODO: can see all dirs but can download/save only in Downloads (no error reported though!) -;; TODO: printing does not work (Save to PDF does). - -(deny default) - -(define (home-path aSubPath) - (path (string-append (param "HOME_DIR") aSubPath))) - -(define (home-subpath aSubPath) - (subpath (string-append (param "HOME_DIR") aSubPath))) - -(define (torbrowser-data-dir-path aSubPath) - (path (string-append (param "TORBROWSER_DATA_DIR") aSubPath))) - -(define (torbrowser-data-dir-subpath aSubPath) - (subpath (string-append (param "TORBROWSER_DATA_DIR") aSubPath))) - -(define (torbrowser-app-dir-path aSubPath) - (subpath (string-append (param "TORBROWSER_APP_DIR") aSubPath))) - -(allow file-read* - (path "/Library/Preferences/com.apple.HIToolbox.plist") - (path "/Library/Preferences/com.apple.ViewBridge.plist") - (path "/Library/Preferences/.GlobalPreferences.plist") - (path "/dev/random") - (path "/dev/urandom") - (path "/dev/dtracehelper") - (path "/private/etc/localtime") - (path "/private/etc/passwd") - (path "/private/tmp") - (path "/private/var/tmp") - (path (param "HOME_DIR")) - (subpath "/Library/Audio") - (subpath "/Library/Fonts") - (subpath "/System") - (subpath "/private/var/folders") - (subpath "/usr/lib") - (subpath "/usr/share") - (home-subpath "/Downloads") - (home-subpath "/Library/Input Methods") - (home-subpath "/Library/Keyboard Layouts") - (home-subpath "/Library/Preferences") - (torbrowser-app-dir-path "") - (torbrowser-data-dir-path "") - (torbrowser-data-dir-subpath "/Browser") - (torbrowser-data-dir-path "/Tor/control_auth_cookie") -) - -(allow file-read-metadata - (home-path "/Desktop") - (home-path "/Library") - (home-path "/Library/Saved Application State") - (path (param "CURRENT_DIR")) - (path "/") - (path "/Applications") - (path "/Users") - (path "/etc") - (path "/home") - (path "/net") - (path "/private/var/db/.AppleSetupDone") - (path "/tmp") - (path "/var") - (torbrowser-data-dir-path "/Tor/control.socket") - (torbrowser-data-dir-path "/Tor/socks.socket") - (path-regex "/private/tmp/Tor[-0-9]*/control.socket") - (path-regex "/private/tmp/Tor[-0-9]*/socks.socket") -) - -(allow file-write-data file-ioctl - (path "/dev/dtracehelper") -) - -(allow file-write* - (home-subpath "/Downloads") - (home-path "/Library/Preferences/.GlobalPreferences.plist") - (torbrowser-data-dir-subpath "/Browser") - (subpath "/private/var/folders") - (path-regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/org.mozilla.tor")) - (path "/Library/Preferences/.GlobalPreferences.plist") -) - -(allow iokit-open) - -(allow ipc-posix-shm - (ipc-posix-name "apple.shm.notification_center") - (ipc-posix-name-regex "^/tmp/com.apple.csseed") - (ipc-posix-name-regex "^CFPBS:") - (ipc-posix-name-regex "^apple.cfprefs.") - (ipc-posix-name-regex "^apple.shm.cfprefs.") - (ipc-posix-name-regex "^AudioIO") -) - -(allow mach-lookup) - -(allow mach-register - (local-name "com.apple.CFPasteboardClient") - (local-name "com.apple.axserver") - (local-name "com.apple.coredrag") - (local-name "com.apple.tsm.portname") -) - -(allow network-outbound - (path "/private/var/run/cupsd") - (torbrowser-data-dir-path "/Tor/control.socket") - (torbrowser-data-dir-path "/Tor/socks.socket") - (path-regex "/private/tmp/Tor[-0-9]*/control.socket") - (path-regex "/private/tmp/Tor[-0-9]*/socks.socket") -) - -(allow process-exec* - (torbrowser-app-dir-path "/Contents/MacOS/firefox") -) - -(allow sysctl-read) diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb deleted file mode 100644 index 40abc9c..0000000 --- a/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb +++ /dev/null @@ -1,64 +0,0 @@ -(version 1) - -;; Parameters: -;; TOR_DATA_DIR directory that contains writeable config, e.g, torrc -;; TOR_STATIC_DATA_DIR directory for read-only config, e.g., torrc-defaults -;; TOR_BIN_DIR directory that contains tor binaries, e.g., tor.real - -(deny default) - -(allow file-read* file-write-data file-ioctl - (path "/dev/dtracehelper") -) - -(allow file-read* - (subpath (param "TOR_BIN_DIR")) - (subpath "/usr/local") - (subpath (param "TOR_DATA_DIR")) - (subpath (param "TOR_STATIC_DATA_DIR")) - (subpath (param "TOR_BIN_DIR")) - (path-regex "/private/tmp/Tor[-0-9]*") -) - -(allow file-read-data - (path "/dev/random") - (path "/dev/srandom") - (path "/dev/urandom") - (subpath "/usr/share") -) - -(allow file-read-metadata - (path "/etc") - (path "/private/etc/localtime") - (path "/tmp") - (subpath "/usr/lib") -) - -(allow file-write* - (subpath (param "TOR_DATA_DIR")) -) - -(allow ipc-posix-shm-read-data - (ipc-posix-name "apple.shm.notification_center") -) - -(allow mach-lookup - (global-name "com.apple.system.notification_center") -) - -(allow network-inbound file-write* - (path (string-append (param "TOR_DATA_DIR") "/control.socket")) - (path (string-append (param "TOR_DATA_DIR") "/socks.socket")) - (path-regex "/private/tmp/Tor[-0-9]*/control.socket") - (path-regex "/private/tmp/Tor[-0-9]*/socks.socket") -) - -(allow network-outbound - (remote tcp "*:*") -) - -(allow process-exec - (path (string-append (param "TOR_BIN_DIR") "/tor.real")) -) - -(allow sysctl-read) diff --git a/projects/tor-browser/build b/projects/tor-browser/build index 65c752b..1c98c35 100644 --- a/projects/tor-browser/build +++ b/projects/tor-browser/build @@ -105,11 +105,6 @@ tar -C "$TBDIR[% IF ! c("var/osx") %]/TorBrowser[% END %]" -xf [% c('input_files mv "$TBDIR/$TORBINPATH/tor" "$TBDIR/$TORBINPATH/tor.real" cp Bundle-Data/mac-tor.sh "$TBDIR/$TORCONFIGPATH/tor"
- [% IF ! c("var/release") -%] - SANDBOX_FOLDER="$TB_STAGE_DIR/Sandboxed Tor Browser" - mv Bundle-Data/mac-sandbox "$SANDBOX_FOLDER" - [% END -%] - tar -C Bundle-Data/mac-applications.dmg -c . | tar -C $TB_STAGE_DIR -x [% END %]