| OLD | NEW |
| 1 ; Copyright 2017 The Chromium Authors. All rights reserved. | 1 ; Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 ; Use of this source code is governed by a BSD-style license that can be | 2 ; Use of this source code is governed by a BSD-style license that can be |
| 3 ; found in the LICENSE file. | 3 ; found in the LICENSE file. |
| 4 (version 1) | 4 (version 1) |
| 5 | 5 |
| 6 ; The top of this will be the V2 common profile. | 6 ; The top of this will be the V2 common profile. |
| 7 | 7 |
| 8 ; Helper function to check if a param is set to true. | 8 ; Helper function to check if a param is set to true. |
| 9 (define (param-true? str) (string=? (param str) "TRUE")) | 9 (define (param-true? str) (string=? (param str) "TRUE")) |
| 10 | 10 |
| 11 ; Helper function to determine if a parameter is defined or not. | 11 ; Helper function to determine if a parameter is defined or not. |
| 12 (define (param-defined? str) (string? (param str))) | 12 (define (param-defined? str) (string? (param str))) |
| 13 | 13 |
| 14 ; Define constants for all of the parameter strings passed in. | 14 ; Define constants for all of the parameter strings passed in. |
| 15 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") | 15 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") |
| 16 (define enable-logging "ENABLE_LOGGING") | 16 (define enable-logging "ENABLE_LOGGING") |
| 17 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") | 17 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL") |
| 18 (define elcap-or-later "ELCAP_OR_LATER") | 18 (define elcap-or-later "ELCAP_OR_LATER") |
| 19 (define is-mavericks "IS_MAVERICKS") |
| 19 (define bundle-path "BUNDLE_PATH") | 20 (define bundle-path "BUNDLE_PATH") |
| 20 (define executable-path "EXECUTABLE_PATH") | 21 (define executable-path "EXECUTABLE_PATH") |
| 21 (define chromium-pid "CHROMIUM_PID") | 22 (define chromium-pid "CHROMIUM_PID") |
| 22 (define log-file-path "LOG_FILE_PATH") | 23 (define log-file-path "LOG_FILE_PATH") |
| 23 (define bundle-id "BUNDLE_ID") | 24 (define bundle-id "BUNDLE_ID") |
| 24 (define component-path "COMPONENT_PATH") | 25 (define component-path "COMPONENT_PATH") |
| 25 | 26 |
| 26 ; Backwards compatibility for 10.9 | 27 ; Backwards compatibility for 10.9 |
| 27 (define (path x) (literal x)) | 28 (define (path x) (literal x)) |
| 29 (define (iokit-registry-entry-class x) (iokit-user-client-class x)) |
| 28 | 30 |
| 29 ; --enable-sandbox-logging causes the sandbox to log failures to the syslog. | 31 ; --enable-sandbox-logging causes the sandbox to log failures to the syslog. |
| 30 (if (param-true? disable-sandbox-denial-logging) | 32 (if (param-true? disable-sandbox-denial-logging) |
| 31 (deny default (with no-log)) | 33 (deny default (with no-log)) |
| 32 (deny default)) | 34 (deny default)) |
| 33 | 35 |
| 34 (if (param-true? enable-logging) (debug deny)) | 36 (if (param-true? enable-logging) (debug deny)) |
| 35 | 37 |
| 36 ; Allow sending signals to self - https://crbug.com/20370 | 38 ; Allow sending signals to self - https://crbug.com/20370 |
| 37 (allow signal (target self)) | 39 (allow signal (target self)) |
| 38 | 40 |
| 39 ; Consumes a subpath and appends it to the user's homedir path. | 41 ; Consumes a subpath and appends it to the user's homedir path. |
| 40 (define (user-homedir-path subpath) | 42 (define (user-homedir-path subpath) |
| 41 (string-append (param homedir-as-literal) subpath)) | 43 (string-append (param homedir-as-literal) subpath)) |
| 42 | 44 |
| 43 ; Allow logging for all processes. | 45 ; Allow logging for all processes. |
| 44 (allow file-write* (path (param log-file-path))) | 46 (allow file-write* (path (param log-file-path))) |
| 45 | 47 |
| 46 ; Allow component builds to work. | 48 ; Allow component builds to work. |
| 47 (if (param-defined? component-path) | 49 (if (param-defined? component-path) |
| 48 (allow file-read* (subpath (param component-path)))) | 50 (allow file-read* (subpath (param component-path)))) |
| 49 | 51 |
| 50 (allow process-exec* (path (param executable-path))) | 52 (allow process-exec (path (param executable-path))) |
| 51 (allow file-read* (path (param executable-path))) | 53 (allow file-read* (path (param executable-path))) |
| 52 | 54 |
| 53 (allow mach-lookup (global-name (string-append (param bundle-id) | 55 (allow mach-lookup (global-name (string-append (param bundle-id) |
| 54 ".rohitfork." | 56 ".rohitfork." |
| 55 (param chromium-pid)))) | 57 (param chromium-pid)))) |
| 56 ; Allow realpath() to work. | 58 ; Allow realpath() to work. |
| 57 (allow file-read-metadata (subpath "/")) | 59 (allow file-read-metadata (subpath "/")) |
| 58 | 60 |
| 59 ; Allow cf prefs to work. | 61 ; Allow cf prefs to work. |
| 60 (allow user-preference-read) | 62 (allow user-preference-read) |
| (...skipping 54 matching lines...) |
| 115 ; mach IPC | 117 ; mach IPC |
| 116 (allow mach-lookup | 118 (allow mach-lookup |
| 117 (global-name "com.apple.distributed_notifications@Uv3") | 119 (global-name "com.apple.distributed_notifications@Uv3") |
| 118 (global-name "com.apple.fonts") | 120 (global-name "com.apple.fonts") |
| 119 (global-name "com.apple.logd") | 121 (global-name "com.apple.logd") |
| 120 (global-name "com.apple.system.logger") | 122 (global-name "com.apple.system.logger") |
| 121 (global-name "com.apple.system.notification_center") | 123 (global-name "com.apple.system.notification_center") |
| 122 (global-name "com.apple.system.opendirectoryd.libinfo") | 124 (global-name "com.apple.system.opendirectoryd.libinfo") |
| 123 (global-name "com.apple.windowserver.active")) | 125 (global-name "com.apple.windowserver.active")) |
| 124 | 126 |
| 127 ; MacOS dropped FontServer to replace it with the (XPC based) com.apple.fonts. |
| 128 (if (param-true? is-mavericks) |
| 129 (allow mach-lookup (global-name "com.apple.FontServer"))) |
| 130 |
| 125 ; sysctl | 131 ; sysctl |
| 126 (allow sysctl-read | 132 (if (param-true? is-mavericks) |
| 127 (sysctl-name "hw.activecpu") | 133 (allow sysctl-read) |
| 128 (sysctl-name "hw.busfrequency_compat") | 134 ; else |
| 129 (sysctl-name "hw.byteorder") | 135 (allow sysctl-read |
| 130 (sysctl-name "hw.cachelinesize_compat") | 136 (sysctl-name "hw.activecpu") |
| 131 (sysctl-name "hw.cpufrequency_compat") | 137 (sysctl-name "hw.busfrequency_compat") |
| 132 (sysctl-name "hw.cputype") | 138 (sysctl-name "hw.byteorder") |
| 133 (sysctl-name "hw.machine") | 139 (sysctl-name "hw.cachelinesize_compat") |
| 134 (sysctl-name "hw.ncpu") | 140 (sysctl-name "hw.cpufrequency_compat") |
| 135 (sysctl-name "hw.pagesize_compat") | 141 (sysctl-name "hw.cputype") |
| 136 (sysctl-name "hw.physicalcpu_max") | 142 (sysctl-name "hw.machine") |
| 137 (sysctl-name "hw.tbfrequency_compat") | 143 (sysctl-name "hw.ncpu") |
| 138 (sysctl-name "hw.vectorunit") | 144 (sysctl-name "hw.pagesize_compat") |
| 139 (sysctl-name "kern.hostname") | 145 (sysctl-name "hw.physicalcpu_max") |
| 140 (sysctl-name "kern.maxfilesperproc") | 146 (sysctl-name "hw.tbfrequency_compat") |
| 141 (sysctl-name "kern.osrelease") | 147 (sysctl-name "hw.vectorunit") |
| 142 (sysctl-name "kern.ostype") | 148 (sysctl-name "kern.hostname") |
| 143 (sysctl-name "kern.osversion") | 149 (sysctl-name "kern.maxfilesperproc") |
| 144 (sysctl-name "kern.version")) | 150 (sysctl-name "kern.osrelease") |
| 151 (sysctl-name "kern.ostype") |
| 152 (sysctl-name "kern.osversion") |
| 153 (sysctl-name "kern.version"))) |
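Review bot: The Mavericks branch at new lines 132-133 grants `(allow sysctl-read)` with no filter, so on 10.9 the sandboxed process can read every sysctl instead of only the names allow-listed in the else branch. Nothing in the file says why the wider grant is needed; presumably the `sysctl-name` filter is unavailable on 10.9, but that should be confirmed and recorded. I would put a comment above the `if`, for example `; 10.9 cannot filter sysctl-read by name (TODO confirm); drop this branch when 10.9 support ends.` Separately, `(define (iokit-registry-entry-class x) (iokit-user-client-class x))` at new line 29 is defined unconditionally, so it also takes effect on later releases. Its uses are in the skipped lines, so it is worth checking that matching on user-client class is intended there too.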