blob: 0e90c9ab2f61aacceb1ca60893445881339b834a [file] [log] [blame]
;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
; This configuration file isn't used on it's own, but instead implicitly
; included at the start of all other sandbox configuration files in Chrome.
(version 1)
; Helper function to check if a param is set to true.
(define (param-true? str) (string=? (param str) "TRUE"))
; Helper function to determine if a parameter is defined or not.
(define (param-defined? str) (string? (param str)))
; Define constants for all of the parameter strings passed in.
(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
(define enable-logging "ENABLE_LOGGING")
(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
(define elcap-or-later "ELCAP_OR_LATER")
(define macos-1013 "MACOS_1013")
; Consumes a subpath and appends it to the user's homedir path.
(define (user-homedir-path subpath)
(string-append (param homedir-as-literal) subpath))
; (path) is not supported until 10.10.
; TODO(kerrnel): remove this when 10.9 is no longer supported.
(define (path x) (literal x))
; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
(if (param-true? disable-sandbox-denial-logging)
(deny default (with no-log))
(deny default))
; Support for programmatically enabling verbose debugging.
(if (param-true? enable-logging) (debug deny))
; Allow sending signals to self -
(allow signal (target self))
; Needed for full-page-zoomed controls -
(allow sysctl-read)
; Loading System Libraries.
(allow file-read*
(subpath "/System/Library/Frameworks")
(subpath "/System/Library/PrivateFrameworks")
(subpath "/System/Library/CoreServices"))
(allow ipc-posix-shm)
; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
; third party code (eg: bits of Adobe Flash and NSS) to function properly.
(allow file-read-data file-read-metadata (literal "/dev/urandom"))