Commit f55cbeea authored by Kathleen Brade's avatar Kathleen Brade Committed by Georg Koppen

Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2

Allow full read access to all files under /usr/lib.
Allow full read access to /Library/Preferences/com.apple.ViewBridge.plist.
Allow writes to TorBrowser-Data/Browser/profiles.ini (otherwise, a new
  browser profile is created each time the browser is opened).
parent 2db14ba2
+2 −6
@@ -28,6 +28,7 @@

(allow file-read*
       (path "/Library/Preferences/com.apple.HIToolbox.plist")
       (path "/Library/Preferences/com.apple.ViewBridge.plist")
       (path "/Library/Preferences/.GlobalPreferences.plist")
       (path "/dev/random")
       (path "/dev/urandom")
@@ -41,6 +42,7 @@
       (subpath "/Library/Fonts")
       (subpath "/System")
       (subpath "/private/var/folders")
       (subpath "/usr/lib")
       (subpath "/usr/share")
       (home-subpath "/Downloads")
       (home-subpath "/Library/Input Methods")
@@ -66,7 +68,6 @@
       (path "/private/var/db/.AppleSetupDone")
       (path "/tmp")
       (path "/var")
       (subpath "/usr/lib")
       (torbrowser-data-dir-path "/Tor/control.socket")
       (torbrowser-data-dir-path "/Tor/socks.socket")
       (path-regex "/private/tmp/Tor[-0-9]*/control.socket")
@@ -86,11 +87,6 @@
       (path "/Library/Preferences/.GlobalPreferences.plist")
)

; Disallow writes to the profiles ini file.
(deny file-write*
       (torbrowser-data-dir-subpath "/Browser/profiles.ini")
)

(allow iokit-open)

(allow ipc-posix-shm
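Review bot: In the last hunk (`@@ -86,11 +87,6 @@`) the `deny file-write*` rule for `/Browser/profiles.ini` is removed without leaving any record in the profile of why that file is now writable. profiles.ini selects which profile directory the browser loads, so if a broader allow elsewhere in the profile covers the data directory (not visible here), a compromised browser process could alter it and the change would persist across restarts. I would put a comment where the rule stood, e.g. `; profiles.ini is intentionally writable (Bug 20989): when it is read-only a new profile is created on every start.`, so a later hardening pass sees the trade-off instead of silently re-adding or forgetting the deny. The same applies to `(subpath "/usr/lib")` in the second hunk, which the description says now gets full read access: a one-line comment naming the 10.12.2 failure would make it possible to narrow the rule again later. The enclosing allow lists begin and end outside the hunks shown.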