| ; Copyright 2017 The Chromium Authors |
| ; Use of this source code is governed by a BSD-style license that can be |
| ; found in the LICENSE file. |
| |
| ; --- The contents of common.sb implicitly included here. --- |
| |
| ; Allow cf prefs to work. |
| (allow user-preference-read) |
| |
| (allow-cvms-blobs) |
| |
| (allow ipc-posix-shm) |
| |
| ; Allow communication between the GPU process and the UI server. |
| (allow mach-lookup |
| ; Needed for AudioToolbox AAC encoding (https://crbug.com/1321287) and |
| ; xHE-AAC decoding (https://crbug.com/1289825). |
| (global-name "com.apple.audio.AudioComponentRegistrar") |
| (global-name "com.apple.bsd.dirhelper") |
| (global-name "com.apple.CARenderServer") |
| (global-name "com.apple.cfprefsd.agent") |
| (global-name "com.apple.cfprefsd.daemon") |
| (global-name "com.apple.CoreServices.coreservicesd") |
| (global-name "com.apple.coreservices.launchservicesd") |
| (global-name "com.apple.cvmsServ") |
| (global-name "com.apple.gpumemd.source") |
| (global-name "com.apple.lsd.mapdb") |
| (global-name "com.apple.lsd.modifydb") |
| (global-name "com.apple.powerlog.plxpclogger.xpc") |
| (global-name "com.apple.PowerManagement.control") |
| (global-name "com.apple.SecurityServer") |
| (global-name "com.apple.system.notification_center") |
| (global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5 |
| (global-name "com.apple.tsm.uiserver") |
| (global-name "com.apple.windowserver.active") |
| ; Needed for VideoToolbox usage - https://crbug.com/767037 |
| (xpc-service-name "com.apple.coremedia.videodecoder") |
| (xpc-service-name "com.apple.coremedia.videoencoder") |
| (xpc-service-name-regex #"\.apple-extension-service$") |
| ) |
| |
| ; Needed for metal decoding - https://crbug.com/957217 |
| (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService")) |
| |
| ; Allow access to the Apple Neural Engine for the Shape Detection API. |
| ; https://crbug.com/1382442 |
| (if (>= os-version 1300) |
| (begin |
| (allow mach-lookup (global-name "com.apple.appleneuralengine")) |
| (allow iokit-open |
| (iokit-user-client-class "H11ANEInDirectPathClient")) |
| ) |
| ) |
| |
| ; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936 |
| (if (>= os-version 1016) |
| (begin |
| (allow mach-lookup (global-name "com.apple.trustd.agent")) |
| (allow file-read* (path "/Library/Preferences/com.apple.security.plist")) |
| ) |
| ) |
| |
| ; Needed for WebGL - https://crbug.com/75343 |
| (allow iokit-open |
| (iokit-connection "IOAccelerator") |
| (iokit-user-client-class "AGPMClient") |
| (iokit-user-client-class "AppleGraphicsControlClient") |
| (iokit-user-client-class "AppleGraphicsPolicyClient") |
| (iokit-user-client-class "AppleIntelMEUserClient") |
| (iokit-user-client-class "AppleMGPUPowerControlClient") |
| (iokit-user-client-class "AppleSNBFBUserClient") |
| (iokit-user-client-class "IOAccelerationUserClient") |
| (iokit-user-client-class "IOFramebufferSharedUserClient") |
| (iokit-user-client-class "IOHIDParamUserClient") |
| (iokit-user-client-class "IOSurfaceRootUserClient") |
| (iokit-user-client-class "IOSurfaceSendRight") |
| (iokit-user-client-class "RootDomainUserClient") |
| ) |
| |
| (allow iokit-set-properties |
| (require-all (iokit-connection "IODisplay") |
| (require-any (iokit-property "brightness") |
| (iokit-property "linear-brightness") |
| (iokit-property "commit") |
| (iokit-property "rgcs") |
| (iokit-property "ggcs") |
| (iokit-property "bgcs") |
| ))) |
| |
| (allow ipc-posix-shm-read-data |
| (ipc-posix-name "apple.shm.notification_center")) |
| |
| (allow sysctl-read |
| (sysctl-name "hw.busfrequency_max") |
| (sysctl-name "hw.cachelinesize") |
| (sysctl-name "hw.logicalcpu_max") |
| (sysctl-name "hw.memsize") |
| (sysctl-name "hw.model") |
| (sysctl-name "kern.osvariant_status") |
| ) |
| |
| (allow file-read-data |
| (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") |
| (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") |
| (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist")) |
| (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")) |
| ) |
| |
| (allow file-read* |
| (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14. |
| (path (user-homedir-path "/Library/Preferences/ByHost")) |
| (subpath "/Library/GPUBundles") |
| (subpath "/Library/Video/Plug-Ins") |
| (subpath "/System/Library/ColorSync/Profiles") |
| (subpath "/System/Library/Components/AudioCodecs.component") |
| (subpath "/System/Library/CoreServices/RawCamera.bundle") |
| (subpath "/System/Library/Extensions") ; https://crbug.com/515280 |
| (subpath "/System/Library/Video/Plug-Ins") |
| ) |
| |
| ; crbug.com/980134 |
| (allow file-read* file-write* |
| (subpath (param darwin-user-cache-dir)) |
| (subpath (param darwin-user-dir)) |
| (subpath (param darwin-user-temp-dir)) |
| ) |
| |
| ; Metal issues a sandbox extension to permit MTLCompilerService to read source |
| ; files from disk. It's much broader than we'd like (https://crbug.com/41485470). |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.app-sandbox.read") |
| (subpath "/"))) |
| |
| (if (param-true? filter-syscalls-debug) |
| (when (defined? 'syscall-unix) |
| (deny syscall-unix (with send-signal SIGSYS)) |
| (allow syscall-unix |
| (syscall-number SYS_csrctl) |
| (syscall-number SYS_getentropy) |
| (syscall-number SYS_getxattr) |
| (syscall-number SYS_kdebug_typefilter) |
| (syscall-number SYS_sigaltstack) |
| (syscall-number SYS_write) |
| (syscall-number SYS_write_nocancel) |
| ))) |
| |
| (if (not (maybe-disable-metal-shader-cache)) |
| (maybe-allow-metal-shader-cache-access)) |
| |
| ; Needed for WebNN Core ML backend - https://crbug.com/344935458 |
| (if (and (>= os-version 1400) (param-defined? helper-bundle-id)) |
| (let ((helper-bundle-cache-dir |
| (user-homedir-path (string-append "/Library/Caches/" |
| (param helper-bundle-id) "/com.apple.e5rt.e5bundlecache")))) |
| (allow file-read* file-write* |
| (subpath helper-bundle-cache-dir) |
| ))) |