(version 1)
;; Parameters:
;; HOME_DIR the user's home directory
;; CURRENT_DIR the current working directory
;; TORBROWSER_APP_DIR the TorBrowser.app directory
;; TORBROWSER_DATA_DIR the TorBrowser-Data directory
;; TODO: can see all dirs but can download/save only in Downloads (no error reported though!)
;; TODO: printing does not work (Save to PDF does).
(deny default)
(define (home-path aSubPath)
(path (string-append (param "HOME_DIR") aSubPath)))
(define (home-subpath aSubPath)
(subpath (string-append (param "HOME_DIR") aSubPath)))
(define (torbrowser-data-dir-path aSubPath)
(path (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))
(define (torbrowser-data-dir-subpath aSubPath)
(subpath (string-append (param "TORBROWSER_DATA_DIR") aSubPath)))
(define (torbrowser-app-dir-path aSubPath)
(subpath (string-append (param "TORBROWSER_APP_DIR") aSubPath)))
(allow file-read*
(path "/Library/Preferences/com.apple.HIToolbox.plist")
(path "/Library/Preferences/com.apple.ViewBridge.plist")
(path "/Library/Preferences/.GlobalPreferences.plist")
(path "/dev/random")
(path "/dev/urandom")
(path "/dev/dtracehelper")
(path "/private/etc/localtime")
(path "/private/etc/passwd")
(path "/private/tmp")
(path "/private/var/tmp")
(path (param "HOME_DIR"))
(subpath "/Library/Audio")
(subpath "/Library/Fonts")
(subpath "/System")
(subpath "/private/var/folders")
(subpath "/usr/lib")
(subpath "/usr/share")
(home-subpath "/Downloads")
(home-subpath "/Library/Input Methods")
(home-subpath "/Library/Keyboard Layouts")
(home-subpath "/Library/Preferences")
(torbrowser-app-dir-path "")
(torbrowser-data-dir-path "")
(torbrowser-data-dir-subpath "/Browser")
(torbrowser-data-dir-path "/Tor/control_auth_cookie")
)
(allow file-read-metadata
(home-path "/Desktop")
(home-path "/Library")
(home-path "/Library/Saved Application State")
(path (param "CURRENT_DIR"))
(path "/")
(path "/Applications")
(path "/Users")
(path "/etc")
(path "/home")
(path "/net")
(path "/private/var/db/.AppleSetupDone")
(path "/tmp")
(path "/var")
(torbrowser-data-dir-path "/Tor/control.socket")
(torbrowser-data-dir-path "/Tor/socks.socket")
(path-regex "/private/tmp/Tor[-0-9]*/control.socket")
(path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
)
(allow file-write-data file-ioctl
(path "/dev/dtracehelper")
)
(allow file-write*
(home-subpath "/Downloads")
(home-path "/Library/Preferences/.GlobalPreferences.plist")
(torbrowser-data-dir-subpath "/Browser")
(subpath "/private/var/folders")
(path-regex (string-append "^" (param "HOME_DIR") "/Library/Preferences/org.mozilla.tor"))
(path "/Library/Preferences/.GlobalPreferences.plist")
)
(allow iokit-open)
(allow ipc-posix-shm
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name-regex "^/tmp/com.apple.csseed")
(ipc-posix-name-regex "^CFPBS:")
(ipc-posix-name-regex "^apple\.cfprefs\.")
(ipc-posix-name-regex "^apple\.shm\.cfprefs\.")
(ipc-posix-name-regex "^AudioIO")
)
(allow mach-lookup)
(allow mach-register
(local-name "com.apple.CFPasteboardClient")
(local-name "com.apple.axserver")
(local-name "com.apple.coredrag")
(local-name "com.apple.tsm.portname")
)
(allow network-outbound
(path "/private/var/run/cupsd")
(torbrowser-data-dir-path "/Tor/control.socket")
(torbrowser-data-dir-path "/Tor/socks.socket")
(path-regex "/private/tmp/Tor[-0-9]*/control.socket")
(path-regex "/private/tmp/Tor[-0-9]*/socks.socket")
)
(allow process-exec*
(torbrowser-app-dir-path "/Contents/MacOS/firefox")
)
(allow sysctl-read)