services/service_manager/sandbox/mac/renderer.sb - chromium/src - Git at Google

 ;;
 ;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
 ;; Use of this source code is governed by a BSD-style license that can be
 ;; found in the LICENSE file.
 ;;

 ; *** The contents of common.sb are implicitly included here. ***

 ; Needed for Fonts.
 (allow file-read* (subpath "/System/Library/Fonts"))
 (allow file-read* (subpath "/Library/Fonts"))
 (allow mach-lookup (global-name "com.apple.FontObjectsServer"))
 (allow mach-lookup (global-name "com.apple.FontServer"))
 (allow mach-lookup (global-name "com.apple.fonts"))
 (allow file-read* (extension "com.apple.app-sandbox.read")) ; https://crbug.com/662686

 ; Allow read-only connection to launchservicesd. https://crbug.com/533537
 (allow mach-lookup (global-name "com.apple.lsd.mapdb"))

 (allow file-read*
   (subpath "/System/Library/ColorSync")  ; https://crbug.com/46648
   (subpath "/System/Library/Keyboard Layouts")  ; https://crbug.com/152566
   (literal "/Library/Preferences/.GlobalPreferences.plist") ; https://crbug.com/60917
   (literal (user-homedir-path "/Library/Preferences/.GlobalPreferences.plist")))

 ; https://crbug.com/11269
 (allow file-read* (subpath (user-homedir-path "/Library/Fonts")))

 ; https://crbug.com/60917
 (allow file-read-metadata
   (literal "/")
   (literal "/var"))

 ; https://crbug.com/288697
 (allow file-read*
   (path "/private/etc/localtime"))

 ; https://crbug.com/754280
 (if (param-true? macos-1013)
   (begin (allow file-read* (subpath "/private/var/db/timezone"))
          (allow file-read-data (subpath "/usr/share/zoneinfo.default")))
   (allow file-read-data (subpath "/usr/share/zoneinfo")))

 ; Allow access to the metadata of the /etc symlink.
 (allow file-read-metadata (path "/etc"))
 ; Allow access to the symlink target as well.
 (allow file-read-metadata (path "/private/etc"))

 ; https://crbug.com/605840
 ; file-read-metadata /System/Library/LinguisticData/en/US/hyphenation.dat
 ; for CFStringIsHyphenationAvailableForLocale and CFStringGetHyphenationLocationBeforeIndex
 (allow file-read* (subpath "/System/Library/LinguisticData"))
	;;
	;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
	;; Use of this source code is governed by a BSD-style license that can be
	;; found in the LICENSE file.
	;;

	; * The contents of common.sb are implicitly included here. *

	; Needed for Fonts.
	(allow file-read* (subpath "/System/Library/Fonts"))
	(allow file-read* (subpath "/Library/Fonts"))
	(allow mach-lookup (global-name "com.apple.FontObjectsServer"))
	(allow mach-lookup (global-name "com.apple.FontServer"))
	(allow mach-lookup (global-name "com.apple.fonts"))
	(allow file-read* (extension "com.apple.app-sandbox.read")) ; https://crbug.com/662686

	; Allow read-only connection to launchservicesd. https://crbug.com/533537
	(allow mach-lookup (global-name "com.apple.lsd.mapdb"))

	(allow file-read*
	(subpath "/System/Library/ColorSync") ; https://crbug.com/46648
	(subpath "/System/Library/Keyboard Layouts") ; https://crbug.com/152566
	(literal "/Library/Preferences/.GlobalPreferences.plist") ; https://crbug.com/60917
	(literal (user-homedir-path "/Library/Preferences/.GlobalPreferences.plist")))

	; https://crbug.com/11269
	(allow file-read* (subpath (user-homedir-path "/Library/Fonts")))

	; https://crbug.com/60917
	(allow file-read-metadata
	(literal "/")
	(literal "/var"))

	; https://crbug.com/288697
	(allow file-read*
	(path "/private/etc/localtime"))

	; https://crbug.com/754280
	(if (param-true? macos-1013)
	(begin (allow file-read* (subpath "/private/var/db/timezone"))
	(allow file-read-data (subpath "/usr/share/zoneinfo.default")))
	(allow file-read-data (subpath "/usr/share/zoneinfo")))

	; Allow access to the metadata of the /etc symlink.
	(allow file-read-metadata (path "/etc"))
	; Allow access to the symlink target as well.
	(allow file-read-metadata (path "/private/etc"))

	; https://crbug.com/605840
	; file-read-metadata /System/Library/LinguisticData/en/US/hyphenation.dat
	; for CFStringIsHyphenationAvailableForLocale and CFStringGetHyphenationLocationBeforeIndex
	(allow file-read* (subpath "/System/Library/LinguisticData"))