domain[1024], /* Domain socket, if any */
request[1024], /* Quoted RequestRoot */
root[1024], /* Quoted ServerRoot */
+ state[1024], /* Quoted StateDir */
temp[1024]; /* Quoted TempDir */
const char *nodebug; /* " (with no-log)" for no debug */
cupsd_listener_t *lis; /* Current listening socket */
cupsd_requote(cache, CacheDir, sizeof(cache));
cupsd_requote(request, RequestRoot, sizeof(request));
cupsd_requote(root, ServerRoot, sizeof(root));
+ cupsd_requote(state, StateDir, sizeof(state));
cupsd_requote(temp, TempDir, sizeof(temp));
nodebug = LogLevel < CUPSD_LOG_DEBUG ? " (with no-log)" : "";
" #\"^%s/\"" /* TempDir/... */
" #\"^%s$\"" /* CacheDir */
" #\"^%s/\"" /* CacheDir/... */
+ " #\"^%s$\"" /* StateDir */
+ " #\"^%s/\"" /* StateDir/... */
"))\n",
- temp, temp, cache, cache);
+ temp, temp, cache, cache, state, state);
/* Read common folders */
cupsFilePrintf(fp,
"(allow file-read-data file-read-metadata\n"
" #\"^/Library/Application Support$\""
" #\"^/Library/Application Support/\""
" #\"^/Library/Caches$\""
+ " #\"^/Library/ColorSync$\""
+ " #\"^/Library/ColorSync/Profiles$\""
+ " #\"^/Library/ColorSync/Profiles/\""
" #\"^/Library/Fonts$\""
" #\"^/Library/Fonts/\""
" #\"^/Library/Frameworks$\""
" #\"^/Library/Security$\""
" #\"^/Library/Security/\""
" #\"^/Library/WebServer$\""
+ " #\"^/System/Library/ColorSync$\""
+ " #\"^/System/Library/ColorSync/Profiles$\""
+ " #\"^/System/Library/ColorSync/Profiles/\""
" #\"^%s/Library$\"" /* RequestRoot/Library */
" #\"^%s/Library/\"" /* RequestRoot/Library/... */
" #\"^%s$\"" /* ServerBin */
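Review bot: The two StateDir patterns (`" #\"^%s$\""` and `" #\"^%s/\""`) join a list that already holds TempDir and CacheDir; the rule's opening line is outside this hunk, but if this is the writable set, sandboxed child processes gain write access to everything under StateDir. It is worth confirming that StateDir can never resolve to the same path as ServerRoot (requoted a few lines earlier as `root`) and that it holds nothing a filter or backend should be able to modify. If only one subdirectory is actually needed, narrow the pattern to it. A comment beside the new entries, along the lines of `/* StateDir is writable because <reason>; must not overlap ServerRoot */`, would record the intent.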
" #\"^/Library/Printers/PPD Plugins/\""
")%s)\n", nodebug);
}
- /* Allow execution of child processes */
- cupsFilePuts(fp, "(allow process-fork)\n");
- cupsFilePrintf(fp,
- "(allow process-exec\n"
- " (regex"
- " #\"^/bin/\"" /* /bin/... */
- " #\"^/usr/bin/\"" /* /usr/bin/... */
- " #\"^/usr/libexec/cups/\"" /* /usr/libexec/cups/... */
- " #\"^/usr/libexec/fax/\"" /* /usr/libexec/fax/... */
- " #\"^/usr/sbin/\"" /* /usr/sbin/... */
- " #\"^%s/\"" /* ServerBin/... */
- " #\"^/Library/Printers/.*/\""
- " #\"^/System/Library/Frameworks/Python.framework/\""
- "))\n",
- bin);
+ /* Allow execution of child processes as long as the programs are not in a user directory */
+ cupsFilePuts(fp, "(allow process*)\n");
+ cupsFilePuts(fp, "(deny process-exec (regex #\"^/Users/\"))\n");
if (RunUser && getenv("CUPS_TESTROOT"))
{
/* Allow source directory access in "make test" environment */
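Review bot: The pair `(allow process*)` and `(deny process-exec (regex #\"^/Users/\"))` replaces the removed allowlist of program directories with a one-entry denylist, so a child may now exec from any path outside /Users/, including directories this profile appears to make writable (TempDir, CacheDir and the newly added StateDir are listed together earlier in the diff). Home directories that do not live under /Users/ (network or relocated homes) are not matched by the anchored pattern either. If the allowlist had to go for compatibility, keep the operation set narrow with `cupsFilePuts(fp, "(allow process-fork)\n(allow process-exec)\n");` instead of the wildcard. Provided nothing legitimately runs from the writable roots, also deny exec there, e.g. `cupsFilePrintf(fp, "(deny process-exec (regex #\"^/Users/\" #\"^%s/\" #\"^%s/\" #\"^%s/\"))\n", temp, cache, state);`, and extend the comment to say why the allowlist was dropped. The enclosing function starts and ends outside this hunk.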
" (literal \"/usr/sbin/sendmail\")\n"
" (with no-sandbox))\n");
}
+ /* Allow access to Bluetooth, USB, and notify_post. */
+ cupsFilePuts(fp, "(allow iokit*)\n");
+ cupsFilePuts(fp, "(allow distributed-notification-post)\n");
/* Allow outbound networking to local services */
cupsFilePuts(fp, "(allow network-outbound"
"\n (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
cupsFilePrintf(fp, "\n (literal \"%s\")", domain);
}
}
- /* Allow access to Bluetooth, USB, and notify_post. */
- cupsFilePuts(fp, "(allow iokit*)\n");
- cupsFilePuts(fp, "(allow distributed-notification-post)\n");
if (allow_networking)
{
/* Allow TCP and UDP networking off the machine... */