Jump to content
  • Revista PROGRAMAR: Já está disponível a edição #60 da revista programar. Faz já o download aqui!

Rui Carlos

[MacOSX] Run Firefox in a protected sandbox

Recommended Posts

Rui Carlos
OS X has a built-in sandbox feature for applications, which can restrict their access to certain parts of the system. There isn't a lot of documentation available on the sandboxing system, but I've successfully been able to sandbox Firefox. It has some limitations, but my plug-ins and add-ons work though yours may not.

If you have issues, you'll have to search for the directories where your plug-ins are housed, and give read or read/write access permissions in the firefox-sandbox file. There is only write permission to the ~/Downloads directory, so if you want to save files in a different location, you will have to change the firefox-sandbox file or move them after the download has finished. First, create the following file and save it somewhere as firefox-sandbox:

;; http://codereview.chromium.org/379019/diff/1/2
(version 1) 
(deny default)

(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/user_name/Downloads")
  (regex "^/Users/user_name/Library/Application Support/Mozilla")
  (regex "^/Users/user_name/Library/Application Support/Firefox")
  (regex "^/Users/user_name/Library/Preferences")
  (regex "^/Users/user_name/Library/PreferencePanes")
  (regex "^/Users/user_name/Library/Caches/Firefox")
  (regex "^/Users/user_name/Library/Caches/TemporaryItems")
  (regex "^/Applications/Firefox.app")
  (regex "^(/private)?/tmp/"))

(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Internet Plug-Ins")
  (regex "^/Library/PreferencePanes")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Firefox.app")
  (regex "^/usr/lib")
  (regex "^/var")
  (regex #"Frameworks/SDL.framework")
; Our Module Directory Services cache
  (regex "^/private/var/tmp/mds/")
  (regex "^/private/var/tmp/mds/[0-9]+(/|$)")
  (regex "^/Users/user_name"))

(allow mach* sysctl-read)

(import "/usr/share/sandbox/bsd.sb")
(deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
 #"^/usr/share/zoneinfo/"))

(allow process-exec 
  (regex "^/Applications/Firefox.app"))
  
(allow network*)

Replace the /Applications/Firefox.app.... parts with the path to Firefox on your system. Also replace user_name with your username. Next, open up a Terminal and execute this command:

sandbox-exec -f firefox-sandbox /Applications/Firefox.app/Contents/MacOS/firefox-bin

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

By using this site you accept our Terms of Use and Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.