[or-cvs] r22363: {} Fork IronFox seatbelt wrapper for inclusion in Mac OS X TBB (in torbrowser/trunk/build-scripts/config: . sb)
Jacob Appelbaum
jacob at appelbaum.net
Tue May 18 22:53:15 UTC 2010
Author: ioerror
Date: 2010-05-18 22:53:15 +0000 (Tue, 18 May 2010)
New Revision: 22363
Added:
torbrowser/trunk/build-scripts/config/sb/
torbrowser/trunk/build-scripts/config/sb/firefox-profile.sb
torbrowser/trunk/build-scripts/config/sb/flashplugin.sb
torbrowser/trunk/build-scripts/config/sb/javaplugin.sb
torbrowser/trunk/build-scripts/config/sb/script
Log:
Fork IronFox seatbelt wrapper for inclusion in Mac OS X TBB
Added: torbrowser/trunk/build-scripts/config/sb/firefox-profile.sb
===================================================================
--- torbrowser/trunk/build-scripts/config/sb/firefox-profile.sb (rev 0)
+++ torbrowser/trunk/build-scripts/config/sb/firefox-profile.sb 2010-05-18 22:53:15 UTC (rev 22363)
@@ -0,0 +1,148 @@
+(version 1)
+
+(deny default)
+(debug deny)
+
+(allow network-outbound)
+
+;plugins
+(import "%%PATH%%javaplugin.sb")
+(import "%%PATH%%flashplugin.sb")
+
+
+(allow file-ioctl
+ (literal "/Applications/Firefox.app/Contents/MacOS/firefox")
+ (literal "/Applications/Firefox.app/Contents/MacOS/run-mozilla.sh")
+ (literal "/dev/urandom")
+ (literal "/dev/dtracehelper"))
+
+(allow file-read-data
+ (subpath "/Library/Application Support/Mozilla/Extensions")
+ (subpath "/Users/%%username%%/Library/Caches/TemporaryItems")
+ (subpath "/Users/%%username%%/Library/Internet Plug-Ins")
+ (subpath "/Library/Internet Plug-Ins")
+ (subpath "/Library/Fonts")
+ (subpath "/Applications/IronFox.app")
+ (subpath "/Applications/Firefox.app")
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (subpath "/Users/%%username%%/Library/Caches/Firefox")
+ (literal "/Users/%%username%%/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/Users/%%username%%/Library/Preferences/ByHost/.GlobalPreferences.4D2C4220-FFCD-5A24-A485-037FD5AEAD4A.plist")
+ (literal "/Users/%%username%%/Library/Preferences/org.mozilla.firefox.plist")
+ (literal "/Users/%%username%%/Library/Preferences/com.apple.internetconfigpriv.plist")
+ (literal "/Users/%%username%%/Library/Preferences/com.apple.LaunchServices.plist")
+ (subpath "/Users/%%username%%/Downloads")
+ (literal "/Users/%%username%%")
+ (literal "/Users")
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/tty")
+ (literal "/dev/urandom")
+ (literal "/usr")
+ (literal "/usr/bin/open/..namedfork/rsrc")
+ (subpath "/Users/%%username%%/Library/Application Support/Firefox")
+ (subpath "/Users/%%username%%/Library/Application Support/Mozilla")
+ (subpath "/private")
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/share"))
+
+(allow file-read-metadata
+ (subpath "/Library/Application Support/Mozilla/Extensions")
+ (subpath "/Users/%%username%%/Library/Caches/TemporaryItems")
+ (subpath "/Users/%%username%%/Library/Internet Plug-Ins")
+ (subpath "/Library/Internet Plug-Ins")
+ (subpath "/Library/Fonts")
+ (subpath "/Applications/IronFox.app")
+ (literal "/Applications/MacVim.app")
+ (literal "/Applications/Safari.app")
+ (literal "/Applications/TextEdit.app")
+ (literal "/Developer")
+ (literal "/Developer/Applications/Dashcode.app")
+ (literal "/")
+ (literal "/Applications")
+ (subpath "/Applications/Firefox.app")
+ (literal "/Library")
+ (subpath "/Library/Fonts")
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/Users")
+ (literal "/Users/%%username%%")
+ (subpath "/Users/%%username%%/Downloads")
+ (literal "/Users/%%username%%/Library/Application Support")
+ (subpath "/Users/%%username%%/Library/Application Support/Firefox")
+ (literal "/Users/%%username%%/Library/Caches")
+ (subpath "/Users/%%username%%/Library/Caches/Firefox")
+ (literal "/Users/%%username%%/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/Users/%%username%%/Library/Preferences/ByHost/.GlobalPreferences.4D2C4220-FFCD-5A24-A485-037FD5AEAD4A.plist")
+ (literal "/Users/%%username%%/Library/Preferences/org.mozilla.firefox.plist")
+ (literal "/Users/%%username%%/Library/Preferences/com.apple.internetconfigpriv.plist")
+ (literal "/Users/%%username%%/Library/Preferences/com.apple.LaunchServices.plist")
+ (literal "/Users/%%username%%/Library")
+ (literal "/Users/%%username%%/Library/PreferencePanes")
+ (subpath "/Users/%%username%%/Library/Application Support/Mozilla")
+ (literal "/Library/Application Support")
+ (subpath "/Library/Application Support/Mozilla")
+ (literal "/Library/PreferencePanes")
+ (subpath "/Library/PreferencePanes/Growl.prefPane")
+ (literal "/etc")
+ (literal "/usr")
+ (literal "/usr/bin/open")
+ (literal "/usr/bin/basename")
+ (literal "/usr/bin/dirname")
+ (literal "/usr/bin/uname")
+ (subpath "/Users/%%username%%/Library/Preferences")
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/private")
+ (subpath "/usr/share")
+ (literal "/dev/urandom")
+ (literal "/private/etc/passwd")
+ (literal "/tmp")
+ (literal "/usr/sbin/netstat")
+ (literal "/var"))
+
+(allow file-write-data
+
+ (literal "/dev/dtracehelper")
+ (literal "/dev/tty"))
+
+(allow file-write*
+ (subpath "/Users/%%username%%/Library/Caches/TemporaryItems")
+ (subpath "/Users/%%username%%/Library/Caches/Firefox")
+ (subpath "/private/var/folders")
+ (subpath "/Users/%%username%%/Library/Application Support/Firefox/Crash Reports")
+ (regex "^/Users/%%username%%/Library/Preferences/org.mozilla.firefox.*$")
+ (regex "^/Users/%%username%%/Library/Preferences/.GlobalPreferences.plist\..*$")
+ (subpath "/Users/%%username%%/Downloads")
+ (subpath "/Users/%%username%%/Library/Application Support/Firefox/Profiles"))
+
+(allow ipc-posix-shm)
+
+(allow mach-lookup
+ (global-name "com.apple.CoreServices.coreservicesd")
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.distributed_notifications.2")
+ (global-name "com.apple.dock.server")
+ (global-name "com.apple.FontServer")
+ (global-name "com.apple.FontObjectsServer")
+ (global-name "com.apple.metadata.mds")
+ (global-name "com.apple.tsm.uiserver")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.system.DirectoryService.membership_v1")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.pasteboard.1")
+ (global-name "com.apple.windowserver.session")
+ (global-name "com.apple.windowserver.active"))
+
+(allow process-exec
+ (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
+ (literal "/usr/bin/basename"))
+
+(allow process-fork)
+(allow job-creation)
+
+(allow sysctl-read)
+
+(allow system-socket)
Added: torbrowser/trunk/build-scripts/config/sb/flashplugin.sb
===================================================================
--- torbrowser/trunk/build-scripts/config/sb/flashplugin.sb (rev 0)
+++ torbrowser/trunk/build-scripts/config/sb/flashplugin.sb 2010-05-18 22:53:15 UTC (rev 22363)
@@ -0,0 +1,14 @@
+; This file is a subinclude to IronFox to allow it to do
+; flash.
+(version 1)
+(deny default)
+(debug deny)
+
+(allow file-read-data
+ (subpath "/Library/Application Support/Macromedia")
+ (subpath "/Users/%%username%%/Library/Preferences/Macromedia/Flash Player"))
+(allow file-read-metadata
+ (subpath "/Library/Application Support/Macromedia")
+ (subpath "/Users/%%username%%/Library/Preferences/Macromedia/Flash Player"))
+(allow file-write*
+ (subpath "/Users/%%username%%/Library/Preferences/Macromedia/Flash Player"))
Added: torbrowser/trunk/build-scripts/config/sb/javaplugin.sb
===================================================================
--- torbrowser/trunk/build-scripts/config/sb/javaplugin.sb (rev 0)
+++ torbrowser/trunk/build-scripts/config/sb/javaplugin.sb 2010-05-18 22:53:15 UTC (rev 22363)
@@ -0,0 +1,27 @@
+; This file is suposed to be included in the ironfox sb
+; profile to provide java. Note that java is most likely
+; heavily restricted.
+(version 1)
+(deny default)
+(debug deny)
+
+(allow file-read-data
+ (subpath "/Users/%%username%%/Library/Caches/Java")
+ (subpath "/Users/%%username%%/Library/Java")
+ (subpath "/Users/%%username%%/Library/Logs")
+ (subpath "/Library/Java")
+ (literal "/dev/random"))
+
+(allow file-read-metadata
+ (literal "/dev/random")
+ (subpath "/Users/%%username%%/Library/Caches/Java")
+ (subpath "/Users/%%username%%/Library/Java")
+ (subpath "/Users/%%username%%/Library/Logs")
+ (subpath "/Library/Java"))
+
+(allow file-write-data
+ (literal "/dev/null"))
+
+(allow file-write*
+ (literal "/Users/%%username%%/Library/Logs/Java Console.log")
+ (subpath "/Users/%%username%%/Library/Caches/Java"))
Added: torbrowser/trunk/build-scripts/config/sb/script
===================================================================
--- torbrowser/trunk/build-scripts/config/sb/script (rev 0)
+++ torbrowser/trunk/build-scripts/config/sb/script 2010-05-18 22:53:15 UTC (rev 22363)
@@ -0,0 +1,11 @@
+#!/bin/bash
+username=$(whoami)
+processed_template_location=$(mktemp -d -t firefox-sandbox)
+DIR=`pwd`
+sed -e "s/%%username%%/${username}/g" -e "s=%%PATH%%=${processed_template_location}/=g" ${DIR}/firefox-profile.sb > ${processed_template_location}/firefox-profile.sb
+sed -e "s/%%username%%/${username}/g" ${DIR}/flashplugin.sb > ${processed_template_location}/flashplugin.sb
+sed -e "s/%%username%%/${username}/g" ${DIR}/javaplugin.sb > ${processed_template_location}/javaplugin.sb
+
+cd ${processed_template_location}
+/usr/bin/sandbox-exec -f "${processed_template_location}/firefox-profile.sb" "/usr/bin/basename" &> /dev/null
+/usr/bin/sandbox-exec -f "${processed_template_location}/firefox-profile.sb" "/Applications/Firefox.app/Contents/MacOS/firefox-bin"
More information about the tor-commits
mailing list