OLD | NEW |
(Empty) | |
| 1 ;; |
| 2 ;; Copyright (c) 2009 The Chromium Authors. All rights reserved. |
| 3 ;; Use of this source code is governed by a BSD-style license that can be |
| 4 ;; found in the LICENSE file. |
| 5 ;; |
| 6 ; This is the Sandbox configuration file used for safeguarding the utility |
| 7 ; process which is used for performing sandboxed operations that need to touch |
| 8 ; the filesystem like decoding theme images and unpacking extensions. |
| 9 ; |
| 10 ; This configuration locks everything down, except access to one configurable |
| 11 ; directory. This is different from other sandbox configuration files where |
| 12 ; file system access is entireley restricted. |
| 13 (version 1) |
| 14 (deny default) |
| 15 ; Support for programmatically enabling verbose debugging. |
| 16 ;ENABLE_LOGGING (debug deny) |
| 17 |
| 18 ; Allow sending signals to self - http://crbug.com/20370 |
| 19 (allow signal (target self)) |
| 20 |
| 21 ; Needed for full-page-zoomed controls - http://crbug.com/11325 |
| 22 (allow sysctl-read) |
| 23 |
| 24 ; Each line is marked with the System version that needs it. |
| 25 ; This profile is tested with the following system versions: |
| 26 ; 10.5.6, 10.6 |
| 27 |
| 28 ; Allow following symlinks |
| 29 (allow file-read-metadata) ; 10.5.6 |
| 30 |
| 31 ; Loading System Libraries. |
| 32 (allow file-read-data (regex #"^/System/Library/Frameworks")) ; 10.5.6 |
| 33 (allow file-read-data (regex #"^/System/Library/PrivateFrameworks")) ; 10.5.6 |
| 34 (allow file-read-data (regex #"^/System/Library/CoreServices")) ; 10.5.6 |
| 35 |
| 36 ; Needed for IPC on 10.6 |
| 37 ;10.6_ONLY (allow ipc-posix-shm) |
| 38 |
| 39 ; Enable full access to given directory. |
| 40 (allow file-read* file-write* (regex #"^DIR_TO_ALLOW_ACCESS")) |
OLD | NEW |