Add read access to /private/var/tmp, socket access to /private/var/tmp, and
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 20 Aug 2014 15:19:09 +0000 (15:19 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 20 Aug 2014 15:19:09 +0000 (15:19 +0000)
read access to all of /Library and /System/Library (STR #4471, <rdar://problem/17483959>)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12102 a1ca3aef-8c08-0410-bb20-df032aa958be

CHANGES.txt
scheduler/process.c

index 8fd31f0477d66a2df5f350017ce8953801a71e37..b11ddec24a1fe38ed572974874c4d93cd79a7861 100644 (file)
@@ -1,4 +1,4 @@
-CHANGES.txt - 2.0rc1 - 2014-08-29
+CHANGES.txt - 2.0rc1 - 2014-08-20
 ---------------------------------
 
 CHANGES IN CUPS V2.0rc1
@@ -8,6 +8,8 @@ CHANGES IN CUPS V2.0rc1
          on OS X (<rdar://problem/17523218>)
        - The ippserver test program now passes the IPP Everywhere self-
          certification tests (STR #4101)
+       - Relaxed the new OS X filter sandbox slightly (STR #4471,
+         <rdar://problem/17483959>)
 
 
 CHANGES IN CUPS V2.0b1
index 639d6464fcdc89cff6f5127dea8c39101cf2d327..788bcc396fb8b1422497eafaf7ac06e8bf548916 100644 (file)
@@ -215,6 +215,8 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                  " #\"^/private/var/mysql$\""
                  " #\"^/private/var/run$\""
                  " #\"^/private/var/spool$\""
+                 " #\"^/private/var/tmp$\""
+                 " #\"^/private/var/tmp/\""
                  " #\"^/usr/bin$\""    /* /usr/bin */
                  " #\"^/usr/bin/\""    /* /usr/bin/... */
                  " #\"^/usr/libexec/cups$\""   /* /usr/libexec/cups */
@@ -223,27 +225,10 @@ cupsdCreateProfile(int job_id,            /* I - Job ID or 0 for none */
                  " #\"^/usr/libexec/fax/\""    /* /usr/libexec/fax/... */
                  " #\"^/usr/sbin$\""   /* /usr/sbin */
                  " #\"^/usr/sbin/\""   /* /usr/sbin/... */
-                " #\"^/Library/Application Support$\""
-                " #\"^/Library/Application Support/\""
-                " #\"^/Library/Caches$\""
-                " #\"^/Library/ColorSync$\""
-                " #\"^/Library/ColorSync/Profiles$\""
-                " #\"^/Library/ColorSync/Profiles/\""
-                " #\"^/Library/Fonts$\""
-                " #\"^/Library/Fonts/\""
-                " #\"^/Library/Frameworks$\""
-                " #\"^/Library/Frameworks/\""
-                " #\"^/Library/Keychains$\""
-                " #\"^/Library/Keychains/\""
-                " #\"^/Library/Logs$\""
-                " #\"^/Library/Printers$\""
-                " #\"^/Library/Printers/\""
-                " #\"^/Library/Security$\""
-                " #\"^/Library/Security/\""
-                " #\"^/Library/WebServer$\""
-                " #\"^/System/Library/ColorSync$\""
-                " #\"^/System/Library/ColorSync/Profiles$\""
-                " #\"^/System/Library/ColorSync/Profiles/\""
+                " #\"^/Library$\""     /* /Library */
+                " #\"^/Library/\""     /* /Library/... */
+                " #\"^/System$\""      /* /System */
+                " #\"^/System/\""      /* /System/... */
                 " #\"^%s/Library$\""   /* RequestRoot/Library */
                 " #\"^%s/Library/\""   /* RequestRoot/Library/... */
                 " #\"^%s$\""           /* ServerBin */
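Review bot: The new `^/System$` and `^/System/` entries cover the whole /System tree, while the commit message describes read access to /System/Library only; if nothing outside /System/Library is needed, the narrower pair `" #\"^/System/Library$\""` and `" #\"^/System/Library/\""` keeps the sandbox in line with what is documented. The `^/Library/` wildcard also replaces a list that named only the directory itself for /Library/Caches, /Library/Logs and /Library/WebServer, so their contents are now covered as well. A short comment above these lines saying why the per-directory list was dropped would help later reviewers. The rule this list belongs to opens outside the hunk, so the operation being allowed is inferred from the commit message.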
@@ -292,6 +277,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                   " #\"^%s/\""         /* CUPS_TESTROOT/... */
                   "))\n",
                   testroot);
+    cupsFilePrintf(fp, "(allow sysctl*)\n");
   }
   if (job_id)
   {
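Review bot: `(allow sysctl*)` matches every sysctl operation, writes included, and the change is not mentioned in the commit message or in CHANGES.txt. If filters only need to query values, `cupsFilePuts(fp, "(allow sysctl-read)\n");` grants less and matches the cupsFilePuts calls used for the other constant rules in this function. The added line also appears to sit inside the block that handles CUPS_TESTROOT, which opens outside the hunk, so the rule would be written only when that variable is set; confirm that this is intended.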
@@ -314,7 +300,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
   cupsFilePuts(fp, "(allow distributed-notification-post)\n");
   /* Allow outbound networking to local services */
   cupsFilePuts(fp, "(allow network-outbound"
-                  "\n       (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
+                  "\n       (regex #\"^/private/var/run/\" #\"^/private/tmp/\" #\"^/private/var/tmp/\")");
   for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
        lis;
        lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
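Review bot: The comment above this rule still says "local services", but `^/private/var/tmp/`, like the existing `^/private/tmp/`, is a shared temporary directory rather than a location reserved for system sockets, so the rule presumably admits connections to any socket path under it. A comment such as `/* Allow outbound connections to UNIX domain sockets under /private/var/run, /private/tmp and /private/var/tmp */` would state what is actually allowed. The lengthened string literal could also be split across two lines, like the path lists earlier in the function. The for loop that follows continues outside the hunk.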