[Mac] Add sandbox profile and mojom for System Proxy Resolver
This CL adds the foundation for Mac system proxy resolution in a
utility process, similar to Windows implementation. It includes:
- MacProxyResolutionStatus enum for error handling
- No behavior change in this part: the service is not registered, and
PAC/network permissions are gated off by default
- Security owners for IPC interface
No functional changes yet - implementation follows in subsequent CLs.
Change-Id: I43203560b7f61ceff0b2335386951775787f0bc5
Bug: 442313607
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6904119
Reviewed-by: Mark Mentovai <mark@chromium.org>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: krishna dheeraj Pannala <kpannala@microsoft.com>
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1553044}
NOKEYCHECK=True
GitOrigin-RevId: c6bc05aa1a3bbf351951277801d3ae6f5ca7d938
diff --git a/policy/mac/BUILD.gn b/policy/mac/BUILD.gn
index 8a6fba4..5d463ff 100644
--- a/policy/mac/BUILD.gn
+++ b/policy/mac/BUILD.gn
@@ -14,6 +14,7 @@
"on_device_model_execution.sb",
"print_backend.sb",
"print_compositor.sb",
+ "proxy_resolver.sb",
"renderer.sb",
"screen_ai.sb",
"speech_recognition.sb",
diff --git a/policy/mac/proxy_resolver.sb b/policy/mac/proxy_resolver.sb
new file mode 100644
index 0000000..b2c1e0d
--- /dev/null
+++ b/policy/mac/proxy_resolver.sb
@@ -0,0 +1,49 @@
+; Copyright 2025 The Chromium Authors
+; Use of this source code is governed by a BSD-style license that can be
+; found in the LICENSE file.
+
+; --- The contents of common.sb implicitly included here. ---
+
+; Injected parameters.
+; When true, grants additional allowances needed for PAC/WPAD fetching and
+; execution. This is intentionally off by default and must be explicitly
+; enabled by the embedder.
+(define system-proxy-network-access "SYSTEM_PROXY_NETWORK_ACCESS")
+
+; ===== REQUIRED: Basic proxy configuration reading =====
+; These permissions are always needed for basic proxy resolution via
+; SystemConfiguration APIs. Avoid direct reads of private on-disk config and
+; rely on configd instead.
+
+; Essential Mach services for proxy configuration.
+(allow mach-lookup
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.SystemConfiguration.DNSConfiguration"))
+
+; ===== CONDITIONALLY REQUIRED: PAC script support =====
+; PAC-related permissions are disabled by default and can be enabled by the
+; embedder by setting SYSTEM_PROXY_NETWORK_ACCESS after evaluating system
+; configuration.
+
+(if (param-true? system-proxy-network-access)
+ (begin
+ ; Network access for PAC script fetching and execution. This includes:
+ ; - com.apple.netsrc: Network source control for outbound connections
+ ; - mDNSResponder: Local DNS resolver socket
+ ; - remote tcp: HTTP/HTTPS PAC script fetches
+ ; - remote udp: DNS queries (DNS may also use TCP)
+ ; CFNetworkExecuteProxyAutoConfigurationURL performs its own network and
+ ; DNS I/O internally when enabled.
+ (allow network-outbound
+ (control-name "com.apple.netsrc")
+ (literal "/private/var/run/mDNSResponder")
+ (remote tcp)
+ (remote udp))
+
+ ; TLS trust and certificate validation for HTTPS PAC fetches.
+ (allow mach-lookup
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.networkd")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.trustd.agent"))
+ ))
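Review bot: The "off by default" wording at the top of the profile (the parameter comment and the PAC section header) is not something the profile itself enforces: `(param-true? system-proxy-network-access)` only reads whatever the launcher injects, so the actual default lives in the embedder, and if common.sb's `param-true?` compares the raw param value, an unset parameter may fail profile compilation rather than evaluate to false — worth confirming that the launcher always sets SYSTEM_PROXY_NETWORK_ACCESS explicitly, to FALSE when PAC is not wanted. I would make that explicit in the parameter comment: `; The profile has no built-in default: the launcher must always set SYSTEM_PROXY_NETWORK_ACCESS (FALSE unless PAC/WPAD fetching is required).` The `(remote tcp)` / `(remote udp)` grant inside the conditional block is unrestricted by host and port; if that breadth is deliberate because PAC URLs and DNS targets are system-configured and cannot be enumerated, say so in the comment next to it so a later reviewer does not read it as an oversight.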
diff --git a/policy/mac/sandbox_mac.mm b/policy/mac/sandbox_mac.mm
index bc9a33a..c877cd0 100644
--- a/policy/mac/sandbox_mac.mm
+++ b/policy/mac/sandbox_mac.mm
@@ -23,6 +23,7 @@
#include "sandbox/policy/mac/on_device_translation.sb.h"
#include "sandbox/policy/mac/print_backend.sb.h"
#include "sandbox/policy/mac/print_compositor.sb.h"
+#include "sandbox/policy/mac/proxy_resolver.sb.h"
#include "sandbox/policy/mac/renderer.sb.h"
#include "sandbox/policy/mac/screen_ai.sb.h"
#include "sandbox/policy/mac/speech_recognition.sb.h"
@@ -72,6 +73,8 @@
return kSeatbeltPolicyString_on_device_model_execution;
case sandbox::mojom::Sandbox::kOnDeviceTranslation:
return kSeatbeltPolicyString_on_device_translation;
+ case sandbox::mojom::Sandbox::kProxyResolver:
+ return kSeatbeltPolicyString_proxy_resolver;
// `kService` and `kUtility` are the same on OS_MAC, so fallthrough.
case sandbox::mojom::Sandbox::kService:
case sandbox::mojom::Sandbox::kServiceWithJit:
diff --git a/policy/mojom/sandbox.mojom b/policy/mojom/sandbox.mojom
index b018e6f..2d3a6a0 100644
--- a/policy/mojom/sandbox.mojom
+++ b/policy/mojom/sandbox.mojom
@@ -92,8 +92,9 @@
// |kXrCompositing| hosts XR Device Service on Windows.
[EnableIf=is_win] kXrCompositing,
- // Allows access to OS system proxy resolver APIs.
- [EnableIf=is_win] kProxyResolver,
+ // Allows access to OS system proxy resolver APIs (WinHTTP on Windows,
+ // SystemConfiguration/CFNetwork on macOS).
+ [EnableIf=is_win|is_mac] kProxyResolver,
// Used to protect processes that perform hardware video decode acceleration.
// Currently uses the same policy as the GPU process sandbox. Warm-up does
diff --git a/policy/sandbox_type.cc b/policy/sandbox_type.cc
index 143e49d..ad73a23 100644
--- a/policy/sandbox_type.cc
+++ b/policy/sandbox_type.cc
@@ -45,13 +45,16 @@
constexpr char kXrCompositingSandbox[] = "xr_compositing";
constexpr char kIconReaderSandbox[] = "icon_reader";
constexpr char kMediaFoundationCdmSandbox[] = "mf_cdm";
-constexpr char kProxyResolverSandbox[] = "proxy_resolver";
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_MAC)
constexpr char kMirroringSandbox[] = "mirroring";
#endif // BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
+constexpr char kProxyResolverSandbox[] = "proxy_resolver";
+#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
+
#if BUILDFLAG(IS_FUCHSIA)
constexpr char kVideoCaptureSandbox[] = "video_capture";
#endif
@@ -133,7 +136,6 @@
case Sandbox::kPdfConversion:
case Sandbox::kIconReader:
case Sandbox::kMediaFoundationCdm:
- case Sandbox::kProxyResolver:
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case Sandbox::kShapeDetection:
@@ -150,6 +152,9 @@
#if BUILDFLAG(IS_MAC)
case Sandbox::kMirroring:
#endif // BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
+ case Sandbox::kProxyResolver:
+#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_MAC) || \
BUILDFLAG(IS_WIN)
case Sandbox::kPrintBackend:
@@ -265,13 +270,15 @@
return kIconReaderSandbox;
case Sandbox::kMediaFoundationCdm:
return kMediaFoundationCdmSandbox;
- case Sandbox::kProxyResolver:
- return kProxyResolverSandbox;
#endif // BUILDFLAG(IS_WIN)
#if BUILDFLAG(IS_MAC)
case Sandbox::kMirroring:
return kMirroringSandbox;
-#endif
+#endif // BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
+ case Sandbox::kProxyResolver:
+ return kProxyResolverSandbox;
+#endif // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
#if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
case Sandbox::kShapeDetection:
return kShapeDetectionSandbox;
@@ -353,15 +360,17 @@
if (sandbox_string == kMediaFoundationCdmSandbox) {
return Sandbox::kMediaFoundationCdm;
}
- if (sandbox_string == kProxyResolverSandbox) {
- return Sandbox::kProxyResolver;
- }
#endif
#if BUILDFLAG(IS_MAC)
if (sandbox_string == kMirroringSandbox) {
return Sandbox::kMirroring;
}
#endif
+#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC)
+ if (sandbox_string == kProxyResolverSandbox) {
+ return Sandbox::kProxyResolver;
+ }
+#endif
if (sandbox_string == kAudioSandbox) {
return Sandbox::kAudio;
}