NaCl mac sandbox file. To be used with sandbox-exec.

src/trusted/sandbox/mac/nacl-sandbox.sb

+;;

[Mark Mentovai, 2009/11/10 02:12:44]

Needs lice: Copyright 2009 blahblah blah blah.

+;; nacl-sandbox.sb
+;; Policy to sandbox NaCl.
+;;
+;; Run with sandbox-exec -f ./nacl-sandbox.sb -- sel_ldr -f module.nexe

[jeremy, 2009/11/10 08:26:24]

In the rest of Chrome we turn on the Sandbox programmatically, could you do that
here too and add the code for that to this CL.

Also, rather than a whole custom sandbox definition, could you start off with
the contents of worker.sb and then add exceptions as needed.  This will also
help in the future when we hopefully have a common configuration we #include
from other configurations.

+
+(version 1)
+(debug deny)

[Mark Mentovai, 2009/11/10 02:12:44]

Is this going to be loaded by Chrome?  Jeremy put an ;ENABLE_LOGGING thing
before this line in Chrome's sandbox files, so that Chrome's sandbox file loader
can find it and adjust it at runtime depending on whether sandbox logging is
desired.

See chrome/common/sandbox_mac.mm sandbox::EnableSandbox at line 133 in the
current revision (r31091).

[jeremy, 2009/11/10 08:26:24]

Like Mark said, this is why I think it's best you start with worker.sb and add
exceptions as needed.

+(deny default)
+(allow file-read-data (regex #"Frameworks/SDL.framework"))

[Mark Mentovai, 2009/11/10 02:12:44]

Anchor the beginning and end with leading and trailing forward slashes.

Backslash the dot so that it does what you want in a regex.

[jeremy, 2009/11/10 08:26:24]

Are you sure you need this?  Can you load this programmatically before enabling
the Sandbox?  Same goes for the rest bellow - if you can access things before
turning on the Sandbox and remove these exceptions, that would be optimal.

+(allow file-read-data (regex #".nexe$"))

[Mark Mentovai, 2009/11/10 02:12:44]

Backslash the dot.

+(allow process-exec (regex #"^.*sel_ldr$"))

[Mark Mentovai, 2009/11/10 02:12:44]

What's up with ^.*?  Seems like you don't want to anchor with ^ at all.

On the other hand, you probably do want to anchor with a leading forward slash.

+
+;; provides basic access to devices, symlinks, and libraries.
+(import "/usr/share/sandbox/bsd.sb")

[jeremy, 2009/11/10 08:26:24]

Do you need all of this?  in Chrome we don't and we do alot of stuff in there. 
I recommend that you start from worker.sb and add exceptions as needed.

+
+;; bsd.sb allows write access to these paths.  We need read access, but there's
+;; no reason to write here.
+(deny file-write-data
+        (regex  #"^(/private)?/etc/localtime$"

[Mark Mentovai, 2009/11/10 02:12:44]

There are other things that bsd.sb allows writes to that we might want to block.
 It allows access to any file named .CFUserTextEncoding.  Should we?

+                #"^/usr/share/nls/"
+                #"^/usr/share/zoneinfo/"))
+
+(deny ipc-posix-shm)
+(allow sysctl-read)
+
+; allow mach-lookups to Apple stuff
+(allow mach-lookup (global-name

[jeremy, 2009/11/10 08:26:24]

Why do you need all of these?  we make do without them in the renderer?

+                                "com.apple.CoreServices.coreservicesd"
+                                "com.apple.DiskArbitration.diskarbitrationd"
+                                "com.apple.SecurityServer"
+                                "com.apple.SystemConfiguration.configd"
+                                "com.apple.bsd.dirhelper"
+                                "com.apple.FontObjectsServer"
+                                "com.apple.windowserver.session"
+                                "com.apple.windowserver.active"
+                                "com.apple.audio.coreaudiod"
+                                "com.apple.audio.systemsoundserver"
+                ))
+
+(deny network*)
+(allow network-outbound (to unix-socket))