[tor-commits] [tor-browser-build/master] Bug 26438: Remove seatbelt profiles for macOS

boklm at torproject.org boklm at torproject.org
Thu Jun 21 11:04:15 UTC 2018


commit 767dd879b91584d5828998804ab1ee45499ca640
Author: Georg Koppen <gk at torproject.org>
Date:   Thu Jun 21 07:45:40 2018 +0000

    Bug 26438: Remove seatbelt profiles for macOS
    
    Starting with content sandboxing being enabled our seatbelt profiles
    have been broken (see: #22000). We should remove them for now to avoid
    a broken experience in the alphas.
---
 .../tor-browser/Bundle-Data/mac-sandbox/.DS_Store  | Bin 6148 -> 0 bytes
 .../tor-browser/Bundle-Data/mac-sandbox/README.txt |  29 -----
 .../mac-sandbox/start-browser-with-sandbox         |  24 ----
 .../Bundle-Data/mac-sandbox/start-tor-with-sandbox |  42 -------
 projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb | 122 ---------------------
 .../tor-browser/Bundle-Data/mac-sandbox/tor.sb     |  64 -----------
 projects/tor-browser/build                         |   5 -
 7 files changed, 286 deletions(-)

diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store b/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store
deleted file mode 100644
index 6c49e24..0000000
Binary files a/projects/tor-browser/Bundle-Data/mac-sandbox/.DS_Store and /dev/null differ
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt b/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt
deleted file mode 100644
index 47d6e5c..0000000
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/README.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-Experimental Sandboxed Tor Browser for OS X
-
-Requirements:
-  Mac OS 10.9 or newer.
-  A willingness to run shell commands from Terminal.
-
-Follow these steps to use the sandbox profiles:
-
-1. Copy this folder ("Sandboxed Tor Browser") to a local drive, but do not
-   put it in /Applications.
-2. Copy the TorBrowser app into your "Sandboxed Tor Browser" folder.
-3. Open Terminal.
-4. Run start-tor-with-sandbox and wait for Tor bootstrapping to finish.
-5. Run start-browser-with-sandbox.
-
-Known Issues:
-
-You will need to manually kill start-tor-with-sandbox or the tor.real
-process after you exit the browser.
-
-The browser has full access to the Tor control port. Ideally, access
-would be limited to the things that are necessary for New Identity and
-for the circuit display features.
-
-Printing does not work.
-
-The built-in updater will not work.
-
-Files can only be downloaded or saved to ~/Downloads.
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox b/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox
deleted file mode 100755
index 31d4218..0000000
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/start-browser-with-sandbox
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-# TODO: assumes not in /Applications
-# TODO: assumes app is in TorBrowser.app
-
-BASEDIR="`dirname \"$0\"`"
-BASEDIR="`(cd \"$BASEDIR\" && pwd)`"
-TORBROWSER_APP_DIR="$BASEDIR/TorBrowser.app"
-TORBROWSER_DATA_DIR="$BASEDIR/TorBrowser-Data"
-TOR_DATA_DIR="$TORBROWSER_DATA_DIR/Tor"
-SOCKETDIR="/tmp/Tor"
-
-export TOR_SKIP_LAUNCH=1
-export TOR_CONTROL_IPC_PATH="$SOCKETDIR/control.socket"
-export TOR_SOCKS_IPC_PATH="$SOCKETDIR/socks.socket"
-export TOR_CONTROL_COOKIE_AUTH_FILE="$TOR_DATA_DIR/control_auth_cookie"
-SB_PROFILE="`pwd`/tb.sb"
-cd "$TORBROWSER_APP_DIR"
-sandbox-exec -f "$SB_PROFILE"							\
-	-D "HOME_DIR=$HOME"									\
-	-D "CURRENT_DIR=$BASEDIR"							\
-	-D "TORBROWSER_APP_DIR=$TORBROWSER_APP_DIR"			\
-	-D "TORBROWSER_DATA_DIR=$TORBROWSER_DATA_DIR"		\
-	"./Contents/MacOS/firefox"
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox b/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox
deleted file mode 100755
index ec7f15e..0000000
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/start-tor-with-sandbox
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-# TODO: assumes not in /Applications
-# TODO: assumes /tmp/Tor is not used by anyone else.
-# TODO: assumes app is in TorBrowser.app
-
-set -e
-
-BASEDIR="`dirname \"$0\"`"
-BASEDIR="`(cd \"$BASEDIR\" && pwd)`"
-TOR_DATA_DIR="$BASEDIR/TorBrowser-Data/Tor"
-TOR_STATIC_DATA_DIR="$BASEDIR/TorBrowser.app/Contents/Resources/TorBrowser/Tor"
-TOR_BIN_DIR="$BASEDIR/TorBrowser.app/Contents/MacOS/Tor"
-TORRC="$TOR_DATA_DIR/torrc"
-SOCKETDIR="/tmp/Tor"
-
-# Compiled Python modules require a compatible Python, which means 32-bit 2.6.
-export VERSIONER_PYTHON_VERSION=2.6
-export DYLD_LIBRARY_PATH=.:$DYLD_LIBRARY_PATH
-
-mkdir -p "$TOR_DATA_DIR"
-if [ ! -e "$TORRC" ]; then
-	touch "$TORRC"
-fi
-
-if [ ! -e "$SOCKETDIR" ]; then
-	mkdir -p "$SOCKETDIR"
-	chmod 700 "$SOCKETDIR"
-fi
-
-TOR="$TOR_BIN_DIR/tor.real"
-sandbox-exec -f tor.sb -D "TOR_DATA_DIR=$TOR_DATA_DIR" \
-	-D "TOR_STATIC_DATA_DIR=$TOR_STATIC_DATA_DIR" \
-	-D "TOR_BIN_DIR=$TOR_BIN_DIR" "$TOR" \
-	--defaults-torrc "$TOR_STATIC_DATA_DIR/torrc-defaults" \
-	-f "$TORRC" \
-	CookieAuthentication 1 \
-	DataDirectory "$TOR_DATA_DIR" \
-	GeoIPFile "$TOR_STATIC_DATA_DIR/geoip" \
-	GeoIPv6File "$TOR_STATIC_DATA_DIR/geoip6" \
-	ControlPort "unix:$SOCKETDIR/control.socket" \
-	SocksPort "unix:$SOCKETDIR/socks.socket"
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb
deleted file mode 100644
index 385e914..0000000
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/tb.sb
+++ /dev/null
@@ -1,122 +0,0 @@
-(version 1)
-
-;; Parameters:
-;;   HOME_DIR             the user's home directory
-;;   CURRENT_DIR          the current working directory
-;;   TORBROWSER_APP_DIR   the TorBrowser.app directory
-;;   TORBROWSER_DATA_DIR  the TorBrowser-Data directory
-
-;; TODO: can see all dirs but can download/save only in Downloads (no error reported though!)
-;; TODO: printing does not work (Save to PDF does).
-
-(deny default)
-
-(define (home-path aSubPath)
-    (path (string-append (param "HOME_DIR") aSubPath)))
-
-(define (home-subpath aSubPath)
-    (subpath (string-append (param "HOME_DIR") aSubPath)))
-
-(define (torbrowser-data-dir-path aSubPath)
-    (path (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))
-
-(define (torbrowser-data-dir-subpath aSubPath)
-    (subpath (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))
-
-(define (torbrowser-app-dir-path aSubPath)
-    (subpath (string-append (param "TORBROWSER_APP_DIR") aSubPath)))
-
-(allow file-read*
-       (path "/Library/Preferences/com.apple.HIToolbox.plist")
-       (path "/Library/Preferences/com.apple.ViewBridge.plist")
-       (path "/Library/Preferences/.GlobalPreferences.plist")
-       (path "/dev/random")
-       (path "/dev/urandom")
-       (path "/dev/dtracehelper")
-       (path "/private/etc/localtime")
-       (path "/private/etc/passwd")
-       (path "/private/tmp")
-       (path "/private/var/tmp")
-       (path (param "HOME_DIR"))
-       (subpath "/Library/Audio")
-       (subpath "/Library/Fonts")
-       (subpath "/System")
-       (subpath "/private/var/folders")
-       (subpath "/usr/lib")
-       (subpath "/usr/share")
-       (home-subpath "/Downloads")
-       (home-subpath "/Library/Input Methods")
-       (home-subpath "/Library/Keyboard Layouts")
-       (home-subpath "/Library/Preferences")
-       (torbrowser-app-dir-path "")
-       (torbrowser-data-dir-path "")
-       (torbrowser-data-dir-subpath "/Browser")
-       (torbrowser-data-dir-path "/Tor/control_auth_cookie")
-)
-
-(allow file-read-metadata
-       (home-path "/Desktop")
-       (home-path "/Library")
-       (home-path "/Library/Saved Application State")
-       (path (param "CURRENT_DIR"))
-       (path "/")
-       (path "/Applications")
-       (path "/Users")
-       (path "/etc")
-       (path "/home")
-       (path "/net")
-       (path "/private/var/db/.AppleSetupDone")
-       (path "/tmp")
-       (path "/var")
-       (torbrowser-data-dir-path "/Tor/control.socket")
-       (torbrowser-data-dir-path "/Tor/socks.socket")
-       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
-       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
-)
-
-(allow file-write-data file-ioctl
-       (path "/dev/dtracehelper")
-)
-
-(allow file-write*
-       (home-subpath "/Downloads")
-       (home-path "/Library/Preferences/.GlobalPreferences.plist")
-       (torbrowser-data-dir-subpath "/Browser")
-       (subpath "/private/var/folders")
-       (path-regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/org.mozilla.tor"))
-       (path "/Library/Preferences/.GlobalPreferences.plist")
-)
-
-(allow iokit-open)
-
-(allow ipc-posix-shm
-       (ipc-posix-name "apple.shm.notification_center")
-       (ipc-posix-name-regex "^/tmp/com.apple.csseed")
-       (ipc-posix-name-regex "^CFPBS:")
-       (ipc-posix-name-regex "^apple\.cfprefs\.")
-       (ipc-posix-name-regex "^apple\.shm\.cfprefs\.")
-       (ipc-posix-name-regex "^AudioIO")
-)
-
-(allow mach-lookup)
-
-(allow mach-register
-       (local-name "com.apple.CFPasteboardClient")
-       (local-name "com.apple.axserver")
-       (local-name "com.apple.coredrag")
-       (local-name "com.apple.tsm.portname")
-)
-
-(allow network-outbound
-       (path "/private/var/run/cupsd")
-       (torbrowser-data-dir-path "/Tor/control.socket")
-       (torbrowser-data-dir-path "/Tor/socks.socket")
-       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
-       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
-)
-
-(allow process-exec*
-       (torbrowser-app-dir-path "/Contents/MacOS/firefox")
-)
-
-(allow sysctl-read)
diff --git a/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb b/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb
deleted file mode 100644
index 40abc9c..0000000
--- a/projects/tor-browser/Bundle-Data/mac-sandbox/tor.sb
+++ /dev/null
@@ -1,64 +0,0 @@
-(version 1)
-
-;; Parameters:
-;;   TOR_DATA_DIR         directory that contains writeable config, e.g, torrc
-;;   TOR_STATIC_DATA_DIR  directory for read-only config, e.g., torrc-defaults
-;;   TOR_BIN_DIR          directory that contains tor binaries, e.g., tor.real
-
-(deny default)
-
-(allow file-read* file-write-data file-ioctl
-       (path "/dev/dtracehelper")
-)
-
-(allow file-read*
-       (subpath (param "TOR_BIN_DIR"))
-       (subpath "/usr/local")
-       (subpath (param "TOR_DATA_DIR"))
-       (subpath (param "TOR_STATIC_DATA_DIR"))
-       (subpath (param "TOR_BIN_DIR"))
-       (path-regex "/private/tmp/Tor[-0-9]*")
-)
-
-(allow file-read-data
-       (path "/dev/random")
-       (path "/dev/srandom")
-       (path "/dev/urandom")
-       (subpath "/usr/share")
-)
-
-(allow file-read-metadata
-       (path "/etc")
-       (path "/private/etc/localtime")
-       (path "/tmp")
-       (subpath "/usr/lib")
-)
-
-(allow file-write*
-       (subpath (param "TOR_DATA_DIR"))
-)
-
-(allow ipc-posix-shm-read-data
-       (ipc-posix-name "apple.shm.notification_center")
-)
-
-(allow mach-lookup
-       (global-name "com.apple.system.notification_center")
-)
-
-(allow network-inbound file-write*
-       (path (string-append (param "TOR_DATA_DIR") "/control.socket"))
-       (path (string-append (param "TOR_DATA_DIR") "/socks.socket"))
-       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
-       (path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
-)
-
-(allow network-outbound
-       (remote tcp "*:*")
-)
-
-(allow process-exec
-       (path (string-append (param "TOR_BIN_DIR") "/tor.real"))
-)
-
-(allow sysctl-read)
diff --git a/projects/tor-browser/build b/projects/tor-browser/build
index 65c752b..1c98c35 100644
--- a/projects/tor-browser/build
+++ b/projects/tor-browser/build
@@ -105,11 +105,6 @@ tar -C "$TBDIR[% IF ! c("var/osx") %]/TorBrowser[% END %]" -xf [% c('input_files
   mv "$TBDIR/$TORBINPATH/tor" "$TBDIR/$TORBINPATH/tor.real"
   cp Bundle-Data/mac-tor.sh "$TBDIR/$TORCONFIGPATH/tor"
 
-  [% IF ! c("var/release") -%]
-    SANDBOX_FOLDER="$TB_STAGE_DIR/Sandboxed Tor Browser"
-    mv Bundle-Data/mac-sandbox "$SANDBOX_FOLDER"
-  [% END -%]
-
   tar -C Bundle-Data/mac-applications.dmg -c . | tar -C $TB_STAGE_DIR -x
 [% END %]
 





More information about the tor-commits mailing list