1 files changed, 191 insertions, 0 deletions
diff --git a/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.PluginProcess.sb.in b/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.PluginProcess.sb.in
new file mode 100644
index 000000000..ea5241a39
--- /dev/null
+++ b/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.PluginProcess.sb.in
@@ -0,0 +1,191 @@
+(version 1)
+(deny default (with partial-symbolication))
+(allow ipc-posix-shm system-audit system-socket file-read-metadata)
+
+(import "system.sb")
+
+;; Utility functions for home directory relative path filters
+(define (home-regex home-relative-regex)
+  (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
+
+(define (home-subpath home-relative-subpath)
+  (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
+
+(define (home-literal home-relative-literal)
+  (literal (string-append (param "HOME_DIR") home-relative-literal)))
+
+;; Read-only preferences and data
+(allow file-read*
+       ;; Basic system paths
+       (subpath "/Library/Frameworks")
+       (subpath "/private/var/db/mds")
+
+       ;; System and user preferences
+       (literal "/Library/Preferences/.GlobalPreferences.plist")
+       (literal "/Library/Preferences/com.apple.Bluetooth.plist")
+       (literal "/Library/Preferences/com.apple.QuickTime.plist")
+       (regex #"^/Library/Preferences/com\.apple\.security")
+       (home-literal "/.CFUserTextEncoding")
+       (home-subpath "/Library/Audio")
+       (home-subpath "/Library/ColorPickers")
+       (home-subpath "/Library/ColorSync")
+       (home-subpath "/Library/Components")
+       (home-subpath "/Library/Input Methods")
+       (home-subpath "/Library/KeyBindings")
+       (home-subpath "/Library/Keyboard Layouts")
+       (home-subpath "/Library/Fonts")
+       (home-subpath "/Library/PDF Services")
+       (home-literal "/Library/Preferences/.GlobalPreferences.plist")
+       (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
+       (home-regex #"/Library/Preferences/ByHost/com\.apple\.Bluetooth\.")
+       (home-literal "/Library/Preferences/com.apple.ATS.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.mouse.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad.plist")
+       (home-literal "/Library/Preferences/com.apple.driver.AppleHIDMouse.plist")
+       (home-literal "/Library/Preferences/com.apple.inputmethodkit.plist")
+       (home-literal "/Library/Preferences/com.apple.iWork.Pages.plist")
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.plist")
+       (home-literal "/Library/Preferences/com.apple.MultitouchSupport.plist")
+       (home-literal "/Library/Preferences/com.apple.opengl.plist")
+       (home-literal "/Library/Preferences/com.apple.security.plist")
+       (home-literal "/Library/Preferences/com.apple.security_common.plist")
+       (home-literal "/Library/Preferences/com.apple.speech.voice.prefs.plist")
+       (home-literal "/Library/Preferences/com.apple.speech.synthesis.general.prefs.plist")
+       (home-literal "/Library/Preferences/com.apple.systemsound.plist")
+       (home-literal "/Library/Preferences/com.apple.universalaccess.plist")
+       (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
+       (home-literal "/Library/Preferences/com.nvidia.OpenGL.plist")
+       (home-literal "/Library/Preferences/pbs.plist")
+       (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist")
+       (home-literal "/Library/Preferences/QuickTime Preferences")
+
+       (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
+
+       (subpath "/Library/Audio/Plug-Ins/Components")
+       (home-subpath "/Library/Audio/Plug-Ins/Components")
+       (subpath "/Library/Audio/Plug-Ins/HAL")
+       (subpath "/Library/QuickTime")
+       (home-subpath "/Library/QuickTime")
+       (subpath "/Library/Video/Plug-Ins")
+
+       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
+
+       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
+
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (subpath "/Library/Keychains")
+)
+
+;; Read-write preferences and data
+(allow file*
+       (home-regex #"/Library/Preferences/com\.apple\.WebKit\.PluginProcess\.plist")
+
+       (home-subpath "/Library/Caches/QuickTime")
+
+       ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
+       (home-subpath "/Library/Keychains"))
+
+;; IOKit user clients
+(allow iokit-open
+       (iokit-connection "IOAccelerator")
+       (iokit-user-client-class "AGPMClient")
+       (iokit-user-client-class "AppleGraphicsControlClient")
+       (iokit-user-client-class "AppleSNBFBUserClient")
+       (iokit-user-client-class "IOAccelerationUserClient")
+       (iokit-user-client-class "IOAudioControlUserClient")
+       (iokit-user-client-class "IOAudioEngineUserClient")
+       (iokit-user-client-class "IOFramebufferSharedUserClient")
+       (iokit-user-client-class "IOHIDParamUserClient")
+       (iokit-user-client-class "IOSurfaceRootUserClient")
+       (iokit-user-client-class "IOSurfaceSendRight")
+       (iokit-user-client-class "RootDomainUserClient"))
+
+;; Various services required by AppKit and other frameworks
+(allow mach-lookup
+       (global-name "com.apple.CoreServices.coreservicesd")
+       (global-name "com.apple.DiskArbitration.diskarbitrationd")
+       (global-name "com.apple.FileCoordination")
+       (global-name "com.apple.FontObjectsServer")
+       (global-name "com.apple.FontServer")
+       (global-name "com.apple.ImageCaptureExtension2.presence")
+       (global-name "com.apple.SecurityServer")
+       (global-name "com.apple.SystemConfiguration.configd")
+       (global-name "com.apple.audio.VDCAssistant")
+       (global-name "com.apple.audio.audiohald")
+       (global-name "com.apple.audio.coreaudiod")
+       (global-name "com.apple.cmio.VDCAssistant")
+       (global-name "com.apple.cookied") ;; FIXME: <rdar://problem/10790768> Limit access to cookies.
+       (global-name "com.apple.cvmsServ")
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.pasteboard.1")
+       (global-name "com.apple.window_proxies")
+       (global-name "com.apple.windowserver.active")
+       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+       (global-name "com.apple.PowerManagement.control")
+       (global-name-regex #"_OpenStep$")
+)
+
+;; Networking
+(allow system-socket (socket-domain AF_ROUTE))
+(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
+(allow network-outbound
+       ;; Kernel controls
+       (control-name "com.apple.network.statistics")
+       (control-name "com.apple.netsrc")
+
+       ;; Local mDNSResponder for DNS, arbitrary outbound TCP
+       (literal "/private/var/run/mDNSResponder")
+       (remote tcp))
+
+(allow mach-lookup
+       (global-name "com.apple.tsm.uiserver")
+       (local-name "com.apple.tsm.portname")
+)
+
+;; Open and Save panels
+(define (apply-read-and-issue-extension op path-filter)
+       (op file-read* path-filter)
+       (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
+(define (apply-write-and-issue-extension op path-filter)
+       (op file-write* path-filter)
+       (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
+(define (read-write-and-issue-extensions path-filter)
+       (apply-read-and-issue-extension allow path-filter)
+       (apply-write-and-issue-extension allow path-filter))
+(allow qtn-user
+       (extension "com.apple.app-sandbox.read-write"))
+(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
+
+;; Printing
+(allow network-outbound (literal "/private/var/run/cupsd"))
+(allow mach-lookup
+       (global-name "com.apple.printuitool.agent")
+       (global-name "com.apple.printtool.agent")
+       (global-name "com.apple.printtool.daemon"))
+(allow file-read*
+       (home-literal "/.cups/lpoptions")
+       (home-literal "/.cups/client.conf")
+       (literal "/private/etc/cups/client.conf")
+       (literal "/private/etc/cups/lpoptions")
+       (subpath "/private/etc/cups/ppd")
+       (subpath "/private/var/run/cupsd")
+       (home-literal "/Library/Preferences/org.cups.PrintingPrefs.plist"))
+
+;; Text Services Manager
+(allow iokit-set-properties (iokit-property "CapsLockDelayOverride"))
+
+;; Image Capture (used by print preview dialog)
+(allow appleevent-send (appleevent-destination "com.apple.imagecaptureextension2"))
+
+;; Silently block access to some files
+(deny file-read* file-write* (with no-log)
+       (home-regex #"/Library/Preferences/com\.apple\.internetconfigpriv\.plist")
+       (home-regex #"/Library/Preferences/com\.apple\.internetconfig\.plist")
+
+       ;; FIXME: Should be removed after <rdar://problem/9422957> is fixed.
+       (home-literal "/Library/Caches/Cache.db")
+
+       ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
+       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
+