Firefox a son propre bac-à-sable, c'est-à-dire un environnement limité. Cependant, au Pwn2Own, Firefox a montré 5 0days. C'est pourquoi je vous propose de limiter un peu plus la casse – sous OS X – avec ce fichier de configuration.





0x01. FIREFOX


 
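# Wrap the real Firefox binary in a sandbox-exec launcher.
# Run from the bundle's MacOS directory; the wrapper keeps the original
# name "firefox" so the application is still launched the same way.
cd /Applications/Firefox.app/Contents/MacOS/

# The real binary becomes firefox-bin. This must match the path the
# profile allows under (allow process-exec ...), i.e. .../MacOS/firefox-bin.
# NOTE(review): this overwrites a pre-existing firefox-bin if one exists.
mv firefox firefox-bin

# Wrapper script. A shebang is needed so the file runs when exec'd directly.
# "$0.sb" resolves to firefox.sb next to the wrapper, "$0-bin" to the renamed
# binary (the original wrapper exec'd "$0-launcher", which does not exist
# after the mv above). Assumes $0 is the full path to the wrapper.
printf '%s\n' '#!/bin/sh' 'exec /usr/bin/sandbox-exec -f "$0.sb" "$0-bin" "$@"' > firefox

chmod u+x firefox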
 




0x02. SANDBOX



Le contenu du fichier firefox.sb :


;; The missing sandbox profile for Firefox by SecureInfo.eu
;;
;; Copyleft ()) 2012
;; What The Fuck Public License (WTFPL)
;;
;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the WTFPL License as published by anyone,
;;
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.
;;
;; You should have received a copy of the WTFPL
;; along with this program.  If not, look WTFPL @DDG .
;;
;; Script written for Firefox for MacOS X >= 10.7
;;

;; Thanks to :
;; andreas@romab.com (IronFox)
;; (2010-05-12 12:33 EDT)
;; http://codereview.chromium.org/379019
;; http://www.google.com/codesearch/p?hl=en#PwHPI3FoDE4/safari-policy.sb&q=%22allow%20process-exec%22&sa=N&cd=1&ct=rc
;; http://www.google.com/codesearch/p?hl=en#nuhRrvzZpRk/Configs/safari-sandbox/sandbox-safari.sb&q=%22allow%20process-exec%22&sa=N&cd=2&ct=rc
;; http://www.macosxhints.com/article.php?story=20100318044558156
;; http://techjournal.318.com/security/a-brief-introduction-to-mac-os-x-sandbox-technology/
;; Little documentation currently (2010) exists, but you can pull out some of the possible actions via:
;; strings /System/Library/Extensions/seatbelt.kext/Contents/MacOS/seatbelt | sort
;; Also see: tail -f /var/log/asl/YYYY.MM.DD.asl | strings


;;
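;; Apple Sandbox Profile Language (SBPL). Everything not explicitly allowed
;; below is denied by (deny default); every (allow ...) widens the sandbox,
;; so each rule should be as narrow as Firefox actually needs.
(version 1)

(deny default)

;; Full file access (read/write/metadata) to the profile and plugin state.
;; NOTE(review): the regex rules have no closing anchor, so e.g.
;; "^/Users/[a-zA-Z0-9_]+/dwhelper" also matches ".../dwhelper-anything",
;; and the user-name class excludes "." and "-", so home directories whose
;; name contains those characters are not matched by any regex rule here.
(allow file*
       (literal "/dev/dtracehelper")
       (literal "/dev/urandom")
       (literal "/dev/null")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Application Support/Firefox")
       (regex #"^/Library/Application Support/Macromedia")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Adobe/Flash Player")
       (regex #"^/Users/[a-zA-Z0-9_]+/dwhelper")
       (subpath "/tmp")
       (subpath "/private/tmp")
       )

;; Read access (data + metadata).
;; NOTE(review): (regex #"^/Users/[a-zA-Z0-9_]+") matches every path under
;; every home directory, so this single rule grants read access to all of ~
;; (and, subject to POSIX permissions, to other users' homes). It makes the
;; narrower per-directory rules in this profile largely redundant; narrowing
;; it is the single biggest hardening gain available here. (subpath "/var")
;; likewise exposes /var/log and friends.
(allow file-read*
       (regex #"^/Applications/Firefox.app")
       (regex #"^/Library/Application Support/Adobe")
       (subpath "/usr")
       (subpath "/System/Library/Frameworks")
       (regex #"^/Users/[a-zA-Z0-9_]+")
       (subpath "/Library/Preferences")
       (subpath "/Applications/Firefox.app")
       (subpath "/var")
       (subpath "/private/var")
       (literal "/private/etc/hosts")
       (literal "/etc/hosts")
       (subpath "/Library/Internet Plug-Ins")
       (subpath "/Library/Application Support/Mozilla")
       (subpath "/Library/Application Support/Firefox")
       (subpath "/Library/Firefox")
       (subpath "/Library/ColorSync/Profiles/Displays")
       (subpath "/Library/PreferencePanes")
       )

;; Read-data only (no metadata) for shared system resources.
(allow file-read-data
       (literal "/")
       (literal "/Users")
       (literal "/Library")
       (literal "/Library/Spelling")
       (subpath "/Library/PDF Services")
       (literal "/Library/Audio/Plug-Ins/HAL")
       (literal "/Library/Application Support/Macromedia/FlashAuthor.cfg")
       (literal "/dev/fd")
       (literal "/Applications")
       (subpath "/Applications/Preview.app")
       (literal "/dev/random")
       (subpath "/System/Library/CoreServices")
       (subpath "/System/Library")
       (subpath "/Library/Fonts")
       (subpath "/Library/Internet Plug-Ins")
       (subpath "/Library/InputManagers")
       (subpath "/Applications/Safari.app")
       (subpath "/Library/Application Support/Macromedia/FlashPlayerTrust")
       (subpath "/Library/Dictionaries")
       ;; Was "/Application/Sublime Text 2.app" (singular), which matches
       ;; nothing on macOS; the directory is /Applications.
       (literal "/Applications/Sublime Text 2.app")
       )

;; Metadata (stat) only: lets path lookups traverse the top-level tree.
(allow file-read-metadata
       (literal "/")
       (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container")
       (literal "/private")
       (subpath "/etc")
       (subpath "/private/etc")
       (subpath "/Applications")
       (subpath "/System")
       (subpath "/Library")
       (subpath "/Users")
       )

;; Write access.
;; NOTE(review): "~/Library/Preferences" is writable as a whole, i.e. the
;; preferences of every application, not just Firefox's; "/Library/Caches"
;; and "/private/var/folders" are system-wide cache trees.
(allow file-write*
       (literal "/Applications/Firefox.app/Contents/MacOS/update.test")
       (subpath "/Library/Caches")
       (subpath "/private/var/folders")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Firefox")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/TemporaryItems")
       (regex #"^/Users/[a-zA-Z0-9_]+/Pictures")
       (regex #"^/Users/[a-zA-Z0-9_]+/Music")
       (regex #"^/Users/[a-zA-Z0-9_]+/Downloads")
       (regex #"^/Users/[a-zA-Z0-9_]+/Desktop")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Saved Application State")
       (literal "/dev/dtracehelper")
       (literal "/dev/tty"))

(allow file-read-xattr
       (literal "/System/Library/Services/AppleSpell.service")
       (literal "/System/Library/Image Capture/Support/Image Capture Extension.app"))

;; Mach IPC.
;; NOTE(review): "^com.apple.*" covers every Apple system service; the
;; services Firefox really needs can be enumerated from sandbox denials in
;; the ASL log (see the header) and listed individually.
(allow mach-lookup
       (global-name "DictationInputMethod_1_Connection")
       (global-name "Multilingual (Apple)_OpenStep")
       (global-name "fr (Apple)_OpenStep")
       (global-name-regex "^com.apple.*")
       (global-name-regex "^gecko-crash-server-pipe.*")
       (global-name-regex "^org.mozilla.machname.*"))
(allow mach-register)

;; Process creation. firefox-bin is the renamed real binary; plugin-container
;; is Firefox's out-of-process plugin host.
;; NOTE(review): the two Flash Player directories below are also writable
;; (via file* and file-write* above), so they are write+exec locations,
;; which weakens the sandbox; drop them from process-exec if Flash is not
;; needed. netstat and basename are external tools — confirm they are still
;; required.
(allow process-fork)
(allow process-exec
       (regex #"^/Applications/Firefox.app")
       (regex #"^/Library/Internet Plug-Ins")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Preferences/Macromedia/Flash Player")
       (regex #"^/Users/[a-zA-Z0-9_]+/Library/Caches/Adobe/Flash Player")
       (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" )
       (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
       (literal "/usr/sbin/netstat")
       (literal "/usr/bin/basename")
       )

(allow ipc-posix-shm)

(allow appleevent-send)

(allow file-issue-extension)

(allow job-creation)

(allow sysctl-read)

(allow system-socket)

(allow signal)

(allow iokit-open)

;; Unrestricted networking — unavoidable for a browser, but it means the
;; file rules above are what actually bound an exploited process.
(allow network*)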


   =>   Écrit par : Nicolas, le 25 juin 2015

