| OLD | NEW |
|---|
| (Empty) | |
| 1 ; Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 ; Use of this source code is governed by a BSD-style license that can be |
| 3 ; found in the LICENSE file. |
| 4 (version 1) |
| 5 |
| 6 ; The top of this will be the V2 common profile. |
| 7 |
| 8 ; Helper function to check if a param is set to true. |
| 9 (define (param-true? str) (string=? (param str) "TRUE")) |
| 10 |
| 11 ; Helper function to determine if a parameter is defined or not. |
| 12 (define (param-defined? str) (string? (param str))) |
| 13 |
| 14 ; Define constants for all of the parameter strings passed in. |
| 15 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") |
| 16 (define enable-logging "ENABLE_LOGGING") |
| 17 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") |
| 18 (define elcap-or-later "ELCAP_OR_LATER") |
| 19 (define bundle-path "BUNDLE_PATH") |
| 20 (define executable-path "EXECUTABLE_PATH") |
| 21 (define chromium-pid "CHROMIUM_PID") |
| 22 (define log-file-path "LOG_FILE_PATH") |
| 23 (define bundle-id "BUNDLE_ID") |
| 24 (define component-path "COMPONENT_PATH") |
| 25 |
| 26 ; Backwards compatibility for 10.9 |
| 27 (define (path x) (literal x)) |
| 28 |
| 29 ; --enable-sandbox-logging causes the sandbox to log failures to the syslog. |
| 30 (if (param-true? disable-sandbox-denial-logging) |
| 31 (deny default (with no-log)) |
| 32 (deny default)) |
| 33 |
| 34 (if (param-true? enable-logging) (debug deny)) |
| 35 |
| 36 ; Allow sending signals to self - https://crbug.com/20370 |
| 37 (allow signal (target self)) |
| 38 |
| 39 ; Consumes a subpath and appends it to the user's homedir path. |
| 40 (define (user-homedir-path subpath) |
| 41 (string-append (param homedir-as-literal) subpath)) |
| 42 |
| 43 ; Allow logging for all processes. |
| 44 (allow file-write* (path (param log-file-path))) |
| 45 |
| 46 ; Allow component builds to work. |
| 47 (if (param-defined? component-path) |
| 48 (allow file-read* (subpath (param component-path)))) |
| 49 |
| 50 (allow process-exec* (path (param executable-path))) |
| 51 (allow file-read* (path (param executable-path))) |
| 52 |
| 53 (allow mach-lookup (global-name (string-append (param bundle-id) |
| 54 ".rohitfork." |
| 55 (param chromium-pid)))) |
| 56 ; Allow realpath() to work. |
| 57 (allow file-read-metadata (subpath "/")) |
| 58 |
| 59 ; Allow cf prefs to work. |
| 60 (allow user-preference-read) |
| 61 |
| 62 ; All processes can read the bundle contents. |
| 63 (allow file-read* (subpath (param bundle-path))) |
| 64 |
| 65 ; End of common.sb? |
| 66 (allow file-ioctl file-read-data file-write-data (path "/dev/dtracehelper")) |
| 67 |
| 68 ; File reads. |
| 69 ; Reads from the home directory. |
| 70 (allow file-read-data (path (user-homedir-path "/.CFUserTextEncoding"))) |
| 71 |
| 72 ; Reads of /dev devices. |
| 73 (allow file-read-data |
| 74 (path "/dev/autofs_nowait") |
| 75 (path "/dev/fd") |
| 76 (path "/dev/null") |
| 77 (path "/dev/urandom")) |
| 78 |
| 79 (allow file-write-data (path "/dev/null")) |
| 80 |
| 81 ; Reads from /usr. |
| 82 (allow file-read-data |
| 83 (path "/usr/lib/libexpat.1.dylib") |
| 84 (subpath "/usr/share/locale") |
| 85 (subpath "/usr/share/zoneinfo")) |
| 86 |
| 87 (allow file-read* (path "/usr/share/icu/icudt57l.dat")) |
| 88 |
| 89 ; Reads from /Library. |
| 90 (allow file-read-data (subpath "/Library/Fonts")) |
| 91 |
| 92 ; Reads from /System. |
| 93 (allow file-read-data |
| 94 (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExcep
tions.bundle/Exceptions.plist") |
| 95 (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Except
ions.plist") |
| 96 (path "/System/Library/CoreServices/SystemVersion.plist") |
| 97 (path "/System/Library/Preferences/Logging/Subsystems/com.apple.SkyLight.plist
") |
| 98 (subpath "/System/Library/ColorSync/Profiles") |
| 99 (subpath "/System/Library/CoreServices/SystemAppearance.bundle") |
| 100 (subpath "/System/Library/CoreServices/SystemVersion.bundle") |
| 101 (subpath "/System/Library/Fonts") |
| 102 (subpath "/System/Library/Frameworks")) |
| 103 |
| 104 ; IOKit |
| 105 (allow iokit-open |
| 106 (iokit-registry-entry-class "IOSurfaceRootUserClient") |
| 107 (iokit-registry-entry-class "RootDomainUserClient")) |
| 108 |
| 109 ; POSIX IPC |
| 110 (allow ipc-posix-shm-read-data |
| 111 (ipc-posix-name "apple.cfprefs.317580v1") |
| 112 (ipc-posix-name "apple.cfprefs.daemonv1") |
| 113 (ipc-posix-name "apple.shm.notification_center")) |
| 114 |
| 115 ; mach IPC |
| 116 (allow mach-lookup |
| 117 (global-name "com.apple.distributed_notifications@Uv3") |
| 118 (global-name "com.apple.fonts") |
| 119 (global-name "com.apple.logd") |
| 120 (global-name "com.apple.system.logger") |
| 121 (global-name "com.apple.system.notification_center") |
| 122 (global-name "com.apple.system.opendirectoryd.libinfo") |
| 123 (global-name "com.apple.windowserver.active")) |
| 124 |
| 125 ; sysctl |
| 126 (allow sysctl-read |
| 127 (sysctl-name "hw.activecpu") |
| 128 (sysctl-name "hw.busfrequency_compat") |
| 129 (sysctl-name "hw.byteorder") |
| 130 (sysctl-name "hw.cachelinesize_compat") |
| 131 (sysctl-name "hw.cpufrequency_compat") |
| 132 (sysctl-name "hw.cputype") |
| 133 (sysctl-name "hw.machine") |
| 134 (sysctl-name "hw.ncpu") |
| 135 (sysctl-name "hw.pagesize_compat") |
| 136 (sysctl-name "hw.physicalcpu_max") |
| 137 (sysctl-name "hw.tbfrequency_compat") |
| 138 (sysctl-name "hw.vectorunit") |
| 139 (sysctl-name "kern.hostname") |
| 140 (sysctl-name "kern.maxfilesperproc") |
| 141 (sysctl-name "kern.osrelease") |
| 142 (sysctl-name "kern.ostype") |
| 143 (sysctl-name "kern.osversion") |
| 144 (sysctl-name "kern.version")) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2920353002:
Add the V2 sandbox rules for renderer processes. (Closed)
