From a94fe6cf47f5b7a2f39df11b26c53d0ddd31545d Mon Sep 17 00:00:00 2001
From: msweet
Date: Wed, 2 Jul 2014 12:14:02 +0000
Subject: [PATCH] More tweaks to sandbox profiles.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11981 a1ca3aef-8c08-0410-bb20-df032aa958be
---
 doc/help/man-cupsd.html | 4 ++--
 scheduler/process.c | 24 ++++++------------------
 2 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/doc/help/man-cupsd.html b/doc/help/man-cupsd.html
index 0985443cf..15d3c6d0e 100644
--- a/doc/help/man-cupsd.html
+++ b/doc/help/man-cupsd.html
@@ -99,8 +99,8 @@ in the foreground with a test configuration file called
 backend(7),
 classes.conf(5),
 cups(1),
-cups-deviced(8),
-cups-driverd(8),
+cups-deviced(8),
+cups-driverd(8),
 cups-lpd(8),
 cupsd.conf(5),
 filter(7),
diff --git a/scheduler/process.c b/scheduler/process.c
index a3a798021..ec68ed449 100644
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -259,21 +259,9 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
 " #\"^/Library/Printers/PPD Plugins/\""
 ")%s)\n", nodebug);
 }
- /* Allow execution of child processes */
- cupsFilePuts(fp, "(allow process-fork)\n");
- cupsFilePrintf(fp,
- "(allow process-exec\n"
- " (regex"
- " #\"^/bin/\"" /* /bin/... */
- " #\"^/usr/bin/\"" /* /usr/bin/... */
- " #\"^/usr/libexec/cups/\"" /* /usr/libexec/cups/... */
- " #\"^/usr/libexec/fax/\"" /* /usr/libexec/fax/... */
- " #\"^/usr/sbin/\"" /* /usr/sbin/... */
- " #\"^%s/\"" /* ServerBin/... */
- " #\"^/Library/Printers/.*/\""
- " #\"^/System/Library/Frameworks/Python.framework/\""
- "))\n",
- bin);
+ /* Allow execution of child processes as long as the programs are not in a user directory */
+ cupsFilePuts(fp, "(allow process*)\n");
+ cupsFilePuts(fp, "(deny process-exec (regex #\"^/Users/\"))\n");
 if (RunUser && getenv("CUPS_TESTROOT"))
 {
 /* Allow source directory access in "make test" environment */
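Review bot: The added `(deny process-exec (regex #\"^/Users/\"))` line is now the only limit on what a sandboxed helper may execute, and it covers a single path prefix. Home directories located elsewhere, and any other location the profile makes writable, stay executable, whereas the removed rule allowed only named system and printer directories. `(allow process*)` also grants every process operation rather than the `process-fork` the old profile allowed, so I would keep `cupsFilePuts(fp, "(allow process-fork)\n");` and restore an allow-list for `process-exec`. At minimum the comment should state which directories the deny is meant to cover and why the allow-list was dropped. Within this hunk `bin` was used only by the removed `cupsFilePrintf`, so check whether it is now unused; the function continues outside the hunk.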
@@ -311,6 +299,9 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
 " (literal \"/usr/sbin/sendmail\")\n"
 " (with no-sandbox))\n");
 }
+ /* Allow access to Bluetooth, USB, and notify_post. */
+ cupsFilePuts(fp, "(allow iokit*)\n");
+ cupsFilePuts(fp, "(allow distributed-notification-post)\n");
 /* Allow outbound networking to local services */
 cupsFilePuts(fp, "(allow network-outbound"
 "\n (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
@@ -324,9 +315,6 @@ cupsdCreateProfile(int job_id, /* I - Job ID or 0 for none */
 cupsFilePrintf(fp, "\n (literal \"%s\")", domain);
 }
 }
- /* Allow access to Bluetooth, USB, and notify_post. */
- cupsFilePuts(fp, "(allow iokit*)\n");
- cupsFilePuts(fp, "(allow distributed-notification-post)\n");
 if (allow_networking)
 {
 /* Allow TCP and UDP networking off the machine... */
-- 
2.39.2
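Review bot: Nothing at the new position of the `(allow iokit*)` and `(allow distributed-notification-post)` lines says why they must be emitted before the `(allow network-outbound` form. The following `cupsFilePuts` opens that form without a closing parenthesis, and the later `(literal ...)` lines extend it. A comment such as `/* Must precede network-outbound: that form stays open until the networking branch below closes it */` would keep standalone rules from being moved back inside it; where the form is closed is outside these hunks, so confirm the wording. Separately, the existing comment names Bluetooth, USB and notify_post while `iokit*` allows every IOKit operation; if that breadth is deliberate, the comment should say so.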