More tweaks to sandbox profiles.
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 2 Jul 2014 12:14:02 +0000 (12:14 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 2 Jul 2014 12:14:02 +0000 (12:14 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11981 a1ca3aef-8c08-0410-bb20-df032aa958be

doc/help/man-cupsd.html
scheduler/process.c

index 0985443cf98fe9b84ad22be17326ee528677e32e..15d3c6d0e324b27988313d14928819d41c7041fc 100644 (file)
@@ -99,8 +99,8 @@ in the foreground with a test configuration file called
 <a href="man-backend.html?TOPIC=Man+Pages"><b>backend</b>(7),</a>
 <a href="man-classes.conf.html?TOPIC=Man+Pages"><b>classes.conf</b>(5),</a>
 <a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
-<a href="man-cups-deviced.html?TOPIC=Man+Pages"><b>cups-deviced</b>(8),</a>
-<a href="man-cups-driverd.html?TOPIC=Man+Pages"><b>cups-driverd</b>(8),</a>
+<b>cups-deviced</b>(8),
+<b>cups-driverd</b>(8),
 <a href="man-cups-lpd.html?TOPIC=Man+Pages"><b>cups-lpd</b>(8),</a>
 <a href="man-cupsd.conf.html?TOPIC=Man+Pages"><b>cupsd.conf</b>(5),</a>
 <a href="man-filter.html?TOPIC=Man+Pages"><b>filter</b>(7),</a>
index a3a79802142858723508591c1ee9bf1f282ae7e7..ec68ed4497af3fcb0db5176ad45bc43d11e1df4f 100644 (file)
@@ -259,21 +259,9 @@ cupsdCreateProfile(int job_id,             /* I - Job ID or 0 for none */
                   " #\"^/Library/Printers/PPD Plugins/\""
                   ")%s)\n", nodebug);
   }
-  /* Allow execution of child processes */
-  cupsFilePuts(fp, "(allow process-fork)\n");
-  cupsFilePrintf(fp,
-                 "(allow process-exec\n"
-                 "  (regex"
-                 " #\"^/bin/\""                /* /bin/... */
-                 " #\"^/usr/bin/\""    /* /usr/bin/... */
-                 " #\"^/usr/libexec/cups/\""   /* /usr/libexec/cups/... */
-                 " #\"^/usr/libexec/fax/\""    /* /usr/libexec/fax/... */
-                 " #\"^/usr/sbin/\""   /* /usr/sbin/... */
-                " #\"^%s/\""           /* ServerBin/... */
-                " #\"^/Library/Printers/.*/\""
-                " #\"^/System/Library/Frameworks/Python.framework/\""
-                "))\n",
-                bin);
+  /* Allow execution of child processes as long as the programs are not in a user directory */
+  cupsFilePuts(fp, "(allow process*)\n");
+  cupsFilePuts(fp, "(deny process-exec (regex #\"^/Users/\"))\n");
   if (RunUser && getenv("CUPS_TESTROOT"))
   {
     /* Allow source directory access in "make test" environment */
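Review bot: The added `(deny process-exec (regex #\"^/Users/\"))` rule replaces an allowlist of system directories with a blocklist of a single prefix, so filters and backends can now execute programs from any other location. The comment says the intent is to exclude user directories, but `^/Users/` does not match home directories configured elsewhere, mounted volumes or temporary directories; whether the profile lets a job write to any of those is not visible in this hunk and should be checked. `(allow process*)` also matches every process operation, not only fork and exec as before. If the old list was too narrow, I would keep `(allow process-fork)` and extend the `process-exec` regex list instead, or at minimum extend the comment to record why the broader rule is needed. cupsdCreateProfile starts and ends outside the hunk.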
@@ -311,6 +299,9 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                 "  (literal \"/usr/sbin/sendmail\")\n"
                 "  (with no-sandbox))\n");
   }
+  /* Allow access to Bluetooth, USB, and notify_post. */
+  cupsFilePuts(fp, "(allow iokit*)\n");
+  cupsFilePuts(fp, "(allow distributed-notification-post)\n");
   /* Allow outbound networking to local services */
   cupsFilePuts(fp, "(allow network-outbound"
                   "\n       (regex #\"^/private/var/run/\" #\"^/private/tmp/\")");
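Review bot: The comment on the added `(allow iokit*)` lines does not say that their position matters. The `(allow network-outbound` form opened on the following lines has no closing parenthesis in the visible string, and later statements append `(literal ...)` entries to it, so any rule emitted in between would land inside that form; that appears to be why these two rules were moved up. I would add `/* Must be written before the network-outbound rule is opened below; that form stays open until the networking clauses are appended. */` so a later edit does not reintroduce the nesting. cupsdCreateProfile starts and ends outside the hunk.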
@@ -324,9 +315,6 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
       cupsFilePrintf(fp, "\n       (literal \"%s\")", domain);
     }
   }
-  /* Allow access to Bluetooth, USB, and notify_post. */
-  cupsFilePuts(fp, "(allow iokit*)\n");
-  cupsFilePuts(fp, "(allow distributed-notification-post)\n");
   if (allow_networking)
   {
     /* Allow TCP and UDP networking off the machine... */