| ; Copyright 2017 The Chromium Authors. All rights reserved. |
| ; Use of this source code is governed by a BSD-style license that can be |
| ; found in the LICENSE file. |
| (version 1) |
| |
| ; Helper function to check if a param is set to true. |
| (define (param-true? str) (string=? (param str) "TRUE")) |
| |
| ; Helper function to determine if a parameter is defined or not. |
| (define (param-defined? str) (string? (param str))) |
| |
| ; Define constants for all of the parameter strings passed in. |
| (define browser-pid "BROWSER_PID") |
| (define bundle-id "BUNDLE_ID") |
| (define bundle-path "BUNDLE_PATH") |
| (define component-path "COMPONENT_PATH") |
| (define qt-prefix-path "QT_PREFIX_PATH") |
| (define current-pid "CURRENT_PID") |
| (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") |
| (define enable-logging "ENABLE_LOGGING") |
| (define executable-path "EXECUTABLE_PATH") |
| (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") |
| (define log-file-path "LOG_FILE_PATH") |
| (define os-version (string->number (param "OS_VERSION"))) |
| (define darwin-user-cache-dir "DARWIN_USER_CACHE_DIR") |
| |
| ; Backwards compatibility for 10.10. |
| (if (not (defined? 'path)) |
| (define path literal)) |
| ; Backwards compatibility for 10.11. |
| (if (not (defined? 'iokit-registry-entry-class)) |
| (define iokit-registry-entry-class iokit-user-client-class)) |
| |
| ; --enable-sandbox-logging causes the sandbox to log failures to the syslog. |
| (if (param-true? disable-sandbox-denial-logging) |
| (deny default (with no-log)) |
| (deny default)) |
| |
| (if (param-true? enable-logging) (debug deny)) |
| |
| ; Allow sending signals to self - https://crbug.com/20370 |
| (allow signal (target self)) |
| |
| ; Consumes a subpath and appends it to the user's homedir path. |
| (define (user-homedir-path subpath) |
| (string-append (param homedir-as-literal) subpath)) |
| |
| ; A function that specific profiles (i.e. renderer) can call to allow |
| ; font rendering. |
| (define (allow-font-access) |
| (begin |
| (allow file-read-data |
| (subpath "/Library/Fonts") |
| (subpath "/System/Library/Fonts") |
| (subpath (user-homedir-path "/Library/Fonts")) |
| ) |
| (allow mach-lookup |
| ; https://crbug.com/756145, https://crbug.com/786615 |
| (global-name "com.apple.FontObjectsServer") |
| (global-name "com.apple.fonts") |
| ) |
| (if (< os-version 1012) |
| (allow mach-lookup (global-name "com.apple.FontServer"))) |
| ; To allow accessing downloaded and other hidden fonts in |
| ; /System/Library/Asssets/com_apple_MobileAsset_Font*. |
| ; (https://crbug.com/662686) |
| (allow file-read* (extension "com.apple.app-sandbox.read")))) |
| |
| ; Reads of signed Mach-O blobs created by the CVMS server. |
| ; https://crbug.com/850021 |
| (define (allow-cvms-blobs) |
| (if (>= os-version 1014) |
| (begin |
| (allow file-read* file-write-unlink |
| (prefix "/private/tmp/cvmsCodeSignObj")) |
| (allow file-read* |
| (extension "com.apple.cvms.kernel") |
| (prefix "/private/var/db/CVMS/cvmsCodeSignObj")) |
| ))) |
| |
| ; Allow logging for all processes. |
| (allow file-write* |
| (require-all |
| (path (param log-file-path)) |
| (vnode-type REGULAR-FILE))) |
| |
| ; Allow component builds to work. |
| (if (param-defined? component-path) |
| (allow file-read* (subpath (param component-path)))) |
| |
| (if (param-defined? qt-prefix-path) |
| (allow file-read* (subpath (param qt-prefix-path)))) |
| |
| (allow process-exec (path (param executable-path))) |
| (allow file-read* (path (param executable-path))) |
| |
| ; The browser exposes Mach services at "bundle-id.service-name.browser-pid". |
| ; This macro is a helper for doing the string concatenation. |
| (define (browser-service-name service-name) |
| (global-name (string-append (param bundle-id) |
| "." service-name "." |
| (param browser-pid)))) |
| |
| (allow mach-lookup |
| (browser-service-name "MachPortRendezvousServer") |
| ) |
| |
| ; Allow realpath() to work. |
| (allow file-read-metadata (subpath "/")) |
| |
| ; All processes can read the bundle contents. |
| (allow file-read* (subpath (param bundle-path))) |
| |
| ; Allow reads of system libraries and frameworks. |
| (allow file-read* |
| (subpath "/System/Library/CoreServices/CoreTypes.bundle") |
| (subpath "/System/Library/CoreServices/SystemVersion.bundle") |
| (subpath "/System/Library/Frameworks") |
| (subpath "/System/Library/Preferences/Logging") |
| (subpath "/System/Library/PrivateFrameworks") |
| (subpath "/usr/lib") |
| ) |
| |
| ; Reads from /etc. |
| ; This is read by CFPrefs calling getpwuid in a loop. libinfo then fails to |
| ; contact any of the opendirectoryd mach services, and falls back to |
| ; the /etc/passwd file for the user info. The access is OK because |
| ; no actual password hashes are in /etc/passwd anymore. |
| (allow file-read-data (path "/private/etc/passwd")) |
| |
| ; Access to /dev. |
| (allow file-ioctl file-read-data file-write-data |
| (require-all |
| (path "/dev/dtracehelper") |
| (vnode-type CHARACTER-DEVICE))) |
| |
| (allow file-read-data |
| (path "/dev/null") |
| (path "/dev/random") |
| (path "/dev/urandom") |
| ) |
| |
| (if (>= os-version 1013) |
| (begin (allow file-read* (subpath "/private/var/db/timezone")) |
| (allow file-read-data (subpath "/usr/share/zoneinfo.default")))) |
| |
| (if (< os-version 1013) |
| (allow file-read-data (subpath "/usr/share/zoneinfo"))) |
| |
| ; Reads from /Library. |
| (allow file-read-data |
| (path "/Library/Preferences/.GlobalPreferences.plist") |
| ) |
| |
| ; Reads from /System. |
| (allow file-read-data |
| (path "/System/Library/CoreServices/SystemVersion.plist") |
| (path "/System/Library/CoreServices/checkfixlist") |
| ) |
| |
| ; Reads from /usr. |
| (allow file-read-data |
| (subpath "/usr/share/icu") |
| ) |
| |
| ; Access to the home directory. |
| (allow file-read-data |
| (path (string-append (user-homedir-path "/Library/Preferences/") (param bundle-id) ".plist")) |
| (path (user-homedir-path "/Library/Preferences/.GlobalPreferences.plist")) |
| (regex (user-homedir-path #"/Library/Preferences/ByHost/.GlobalPreferences.*")) |
| (path (user-homedir-path "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist")) |
| ) |
| |
| ; Mach IPC needed by all Chromium Helper instances. |
| (allow mach-lookup |
| (global-name "com.apple.logd") ; https://crbug.com/792229 |
| (global-name "com.apple.system.logger") |
| (global-name "com.apple.system.opendirectoryd.libinfo") ; https://crbug.com/792228 |
| ) |
| |
| ; sysctls permitted. |
| (allow sysctl-read |
| (sysctl-name "hw.activecpu") |
| (sysctl-name "hw.busfrequency_compat") |
| (sysctl-name "hw.byteorder") |
| (sysctl-name "hw.cachelinesize_compat") |
| (sysctl-name "hw.cpufrequency_compat") |
| (sysctl-name "hw.cputype") |
| (sysctl-name "hw.logicalcpu_max") |
| (sysctl-name "hw.machine") |
| (sysctl-name "hw.ncpu") |
| (sysctl-name "hw.pagesize_compat") |
| (sysctl-name "hw.physicalcpu_max") |
| (sysctl-name "hw.tbfrequency_compat") |
| (sysctl-name "hw.vectorunit") |
| (sysctl-name "kern.hostname") |
| (sysctl-name "kern.maxfilesperproc") |
| (sysctl-name "kern.osrelease") |
| (sysctl-name "kern.ostype") |
| (sysctl-name "kern.osvariant_status") |
| (sysctl-name "kern.osversion") |
| (sysctl-name "kern.usrstack64") |
| (sysctl-name "kern.version") |
| (sysctl-name "sysctl.proc_cputype") |
| (sysctl-name (string-append "kern.proc.pid." (param current-pid))) |
| ) |
| |
| (allow network-outbound |
| (literal "/private/var/run/asl_input") |
| (literal "/private/var/run/syslog") |
| ) |