| ; Copyright 2018 The Chromium Authors |
| ; Use of this source code is governed by a BSD-style license that can be |
| ; found in the LICENSE file. |
| |
| ; --- The contents of common.sb implicitly included here. --- |
| |
| ; Injected parameters. |
| (define network-service-storage-paths-count "NETWORK_SERVICE_STORAGE_PATHS_COUNT") |
| (define network-service-storage-path-n "NETWORK_SERVICE_STORAGE_PATH_") |
| (define network-service-test-certs-dir "NETWORK_SERVICE_TEST_CERTS_DIR") |
| |
| ; Allow access to the [0,N) storage location paths. |
| (let ((count (string->number (param network-service-storage-paths-count)))) |
| (let loop ((i 0)) |
| (if (< i count) |
| (begin |
| (allow file* (subpath |
| (param (string-append network-service-storage-path-n (number->string i))))) |
| (loop (+ i 1)))))) |
| |
| ; DNS configuration watcher entries. This is a nesty mess of symlinks. |
| (allow file-read* |
| (path "/") |
| (path "/etc") |
| (path "/etc/hosts") |
| (path "/etc/resolv.conf") |
| (path "/private") |
| (path "/private/etc") |
| (path "/private/etc/hosts") |
| (path "/private/etc/resolv.conf") |
| (path "/private/var") |
| (path "/private/var/run") |
| (path "/private/var/run/resolv.conf") |
| (path "/var") |
| (path "/var/run") |
| ) |
| |
| ; Certificate databases. |
| (allow file-read* |
| (path "/Library/Preferences/com.apple.security.plist") |
| (path (user-homedir-path "/Library/Preferences/com.apple.security.plist")) |
| ; https://crbug.com/1024000 |
| (path (user-homedir-path "/Library/Preferences/com.apple.security.revocation.plist")) |
| (subpath "/Library/Keychains") |
| (subpath "/System/Library/Keychains") |
| (subpath "/System/Library/Security") |
| (subpath "/private/var/db/mds") |
| (subpath (user-homedir-path "/Library/Keychains")) |
| ) |
| (allow file-read* file-write* |
| (subpath (param darwin-user-cache-dir)) |
| (subpath (param darwin-user-temp-dir)) |
| ) |
| (if (param-defined? network-service-test-certs-dir) |
| (allow file-read* (subpath (param network-service-test-certs-dir)))) |
| |
| ; Network socket access. |
| (allow network-outbound |
| (control-name "com.apple.netsrc") |
| (literal "/private/var/run/mDNSResponder") |
| (remote tcp) |
| (remote udp) |
| ) |
| (allow network-bind network-inbound |
| (local tcp) |
| (local udp) |
| ) |
| |
| ; DNS resolution. |
| (allow system-socket |
| (require-all (socket-domain AF_SYSTEM) |
| (socket-protocol 2)) ; SYSPROTO_CONTROL |
| (socket-domain AF_ROUTE) |
| ) |
| |
| ; Distributed notifications memory. |
| (allow ipc-posix-shm-read-data |
| (ipc-posix-name "apple.shm.notification_center") |
| ) |
| |
| ; Notification data from the security server database. |
| (allow ipc-posix-shm |
| (ipc-posix-name "com.apple.AppleDatabaseChanged") |
| ) |
| |
| (allow mach-lookup |
| ; Set backup exclusion on cache files. |
| (global-name "com.apple.backupd.sandbox.xpc") |
| |
| ; Used to look up the _CS_DARWIN_USER_CACHE_DIR in the sandbox. |
| (global-name "com.apple.bsd.dirhelper") |
| (global-name "com.apple.system.opendirectoryd.membership") |
| |
| ; Allow notifications of DNS changes. |
| (global-name "com.apple.system.notification_center") |
| |
| ; Communicate with the security server for TLS certificate information. |
| (global-name "com.apple.SecurityServer") |
| (global-name "com.apple.networkd") ; https://crbug.com/1024000 |
| (global-name "com.apple.ocspd") |
| (global-name "com.apple.trustd.agent") |
| |
| ; Read network configuration. |
| (global-name "com.apple.SystemConfiguration.DNSConfiguration") |
| (global-name "com.apple.SystemConfiguration.configd") |
| |
| ; If the system has a relay configured, system frameworks may call out |
| ; to nehelper to access its configuration (https://crbug.com/383306185) |
| (global-name "com.apple.nehelper") |
| ) |
| |
| (allow sysctl-read |
| (sysctl-name-regex #"^net.routetable") |
| ) |
| |
| ; Kerberos support. This should be removed after GSS is moved out of the |
| ; network service. https://crbug.com/1017830 |
| (allow mach-lookup |
| (global-name "com.apple.GSSCred") ; https://crbug.com/1134449 |
| (global-name "org.h5l.kcm") |
| ) |
| (allow file-read* |
| (path "/private/etc/krb5.conf") |
| (subpath "/System/Library/KerberosPlugins") ; https://crbug.com/1134449 |
| ) |