From 82d1ebb9c63dead1d5505612a61ae3a9c59c562d Mon Sep 17 00:00:00 2001 From: msweet Date: Wed, 6 Aug 2014 18:59:13 +0000 Subject: [PATCH] Add section on OS X sandboxing (STR #4464) git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12085 a1ca3aef-8c08-0410-bb20-df032aa958be --- CHANGES.txt | 3 ++- cups/api-filter.shtml | 26 ++++++++++++++++++++++++-- doc/help/api-filter.html | 27 +++++++++++++++++++++++++-- 3 files changed, 51 insertions(+), 5 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 5acbd89a57..c164e5e58e 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,8 +1,9 @@ -CHANGES.txt - 2.0rc1 - 2014-08-04 +CHANGES.txt - 2.0rc1 - 2014-08-06 --------------------------------- CHANGES IN CUPS V2.0rc1 + - Documentation updates (STR #4464) - The scheduler incorrectly called launch_activate_socket multiple times on OS X () diff --git a/cups/api-filter.shtml b/cups/api-filter.shtml index 4b8372edda..eb08da3b04 100644 --- a/cups/api-filter.shtml +++ b/cups/api-filter.shtml @@ -3,7 +3,7 @@ Filter and backend programming introduction for CUPS. - Copyright 2007-2013 by Apple Inc. + Copyright 2007-2014 by Apple Inc. Copyright 1997-2006 by Easy Software Products, all rights reserved. These coded instructions, statements, and computer programs are the @@ -81,7 +81,7 @@ directory to write to.

In addition, some operating systems provide additional security mechanisms that further limit file system access, even for backends running as root. On -OS X, for example, no backend may write to a user's home directory.

+OS X, for example, no backend may write to a user's home directory. See the Sandboxing on OS X section for more information.

Canceled Jobs and Signal Handling

@@ -852,3 +852,25 @@ void *my_data; cupsSNMPSideChannelWalk(".1.3.6.1.2.1.43", 5.0, my_callback, my_data); + +

Sandboxing on OS X

+ +

Starting with OS X 10.6, filters and backends are run inside a security "sandbox" which further limits (beyond the normal UNIX user/group permissions) what a filter or backend can do. This helps to both secure the printing system from malicious software and enforce the functional separation of components in the CUPS filter chain. What follows is a list of actions that are explicitly allowed for all filters and backends:

+ +
    + +
  1. Reading of files: pursuant to normal UNIX file permissions, filters and backends can read files for the current job from the /private/var/spool/cups directory and other files on mounted filesystems except for user home directories under /Users.
    2. + +
  2. Writing of files: pursuant to normal UNIX file permissions, filters and backends can read/write files to the cache directory specified by the CUPS_CACHEDIR environment variable, to the state directory specified by the CUPS_STATEDIR environment variable, to the temporary directory specified by the TMPDIR environment variable, and under the /private/var/db, /private/var/folders, /private/var/lib, /private/var/mysql, /private/var/run, /private/var/spool (except /private/var/spool/cups), /Library/Application Support, /Library/Caches, /Library/Logs, /Library/Preferences, /Library/WebServer, and /Users/Shared directories.
    3. + +
  3. Execution of programs: pursuant to normal UNIX file permissions, filters and backends can execute any program not located under the /Users directory. Child processes inherit the sandbox and are subject to the same restrictions as the parent.
    4. + +
  4. Bluetooth and USB: backends can access Bluetooth and USB printers through IOKit. Filters cannot access Bluetooth and USB printers directly.
    5. + +
  5. Network: filters and backends can access UNIX domain sockets under the /private/var/run and /private/var/tmp directories. Backends can also create IPv4 and IPv6 TCP (outgoing) and UDP (incoming and outgoing) socket, and bind to local source ports. Filters cannot directly create IPv4 and IPv6 TCP or UDP sockets.
    6. + +
  6. Notifications: filters and backends can send notifications via the Darwin notify_post() API.
    7. + +
+ +
Note: The sandbox profile used in CUPS 2.0 still allows some actions that are not listed above - these privileges will be removed over time until the profile matches the list above.
diff --git a/doc/help/api-filter.html b/doc/help/api-filter.html index 416e2fbab4..c62b6c8439 100644 --- a/doc/help/api-filter.html +++ b/doc/help/api-filter.html @@ -408,6 +408,7 @@ div.contents ul.subcontents li {
  • Communicating with Filters
  • Doing SNMP Queries with Network Printers
    • +
  • Sandboxing on OS X
  • Functions
    • cupsBackChannelRead
    • cupsBackChannelWrite
      • @@ -442,7 +443,7 @@ div.contents ul.subcontents li { Filter and backend programming introduction for CUPS. - Copyright 2007-2013 by Apple Inc. + Copyright 2007-2014 by Apple Inc. Copyright 1997-2006 by Easy Software Products, all rights reserved. These coded instructions, statements, and computer programs are the @@ -520,7 +521,7 @@ directory to write to.

      In addition, some operating systems provide additional security mechanisms that further limit file system access, even for backends running as root. On -OS X, for example, no backend may write to a user's home directory.

      +OS X, for example, no backend may write to a user's home directory. See the Sandboxing on OS X section for more information.

      Canceled Jobs and Signal Handling

      @@ -1291,6 +1292,28 @@ void *my_data; cupsSNMPSideChannelWalk(".1.3.6.1.2.1.43", 5.0, my_callback, my_data); + +

      Sandboxing on OS X

      + +

      Starting with OS X 10.6, filters and backends are run inside a security "sandbox" which further limits (beyond the normal UNIX user/group permissions) what a filter or backend can do. This helps to both secure the printing system from malicious software and enforce the functional separation of components in the CUPS filter chain. What follows is a list of actions that are explicitly allowed for all filters and backends:

      + +
        + +
      1. Reading of files: pursuant to normal UNIX file permissions, filters and backends can read files for the current job from the /private/var/spool/cups directory and other files on mounted filesystems except for user home directories under /Users.
        2. + +
      2. Writing of files: pursuant to normal UNIX file permissions, filters and backends can read/write files to the cache directory specified by the CUPS_CACHEDIR environment variable, to the state directory specified by the CUPS_STATEDIR environment variable, to the temporary directory specified by the TMPDIR environment variable, and under the /private/var/db, /private/var/folders, /private/var/lib, /private/var/mysql, /private/var/run, /private/var/spool (except /private/var/spool/cups), /Library/Application Support, /Library/Caches, /Library/Logs, /Library/Preferences, /Library/WebServer, and /Users/Shared directories.
        3. + +
      3. Execution of programs: pursuant to normal UNIX file permissions, filters and backends can execute any program not located under the /Users directory. Child processes inherit the sandbox and are subject to the same restrictions as the parent.
        4. + +
      4. Bluetooth and USB: backends can access Bluetooth and USB printers through IOKit. Filters cannot access Bluetooth and USB printers directly.
        5. + +
      5. Network: filters and backends can access UNIX domain sockets under the /private/var/run and /private/var/tmp directories. Backends can also create IPv4 and IPv6 TCP (outgoing) and UDP (incoming and outgoing) socket, and bind to local source ports. Filters cannot directly create IPv4 and IPv6 TCP or UDP sockets.
        6. + +
      6. Notifications: filters and backends can send notifications via the Darwin notify_post() API.
        7. + +
      + +
      Note: The sandbox profile used in CUPS 2.0 still allows some actions that are not listed above - these privileges will be removed over time until the profile matches the list above.

      Functions

       CUPS 1.2/OS X 10.5 cupsBackChannelRead

      Read data from the backchannel.

      -- 2.47.2