services/service_manager/sandbox/mac/common.sb - chromium/src - Git at Google

 ;;
 ;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
 ;; Use of this source code is governed by a BSD-style license that can be
 ;; found in the LICENSE file.
 ;;
 ; This configuration file isn't used on it's own, but instead implicitly
 ; included at the start of all other sandbox configuration files in Chrome.
 (version 1)

 ; Helper function to check if a param is set to true.
 (define (param-true? str) (string=? (param str) "TRUE"))

 ; Helper function to determine if a parameter is defined or not.
 (define (param-defined? str) (string? (param str)))

 ; Define constants for all of the parameter strings passed in.
 (define bundle-version-path "BUNDLE_VERSION_PATH")
 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
 (define enable-logging "ENABLE_LOGGING")
 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
 (define elcap-or-later "ELCAP_OR_LATER")
 (define macos-1013 "MACOS_1013")
 (define field-trial-server-name "FIELD_TRIAL_SERVER_NAME")

 ; Consumes a subpath and appends it to the user's homedir path.
 (define (user-homedir-path subpath)
   (string-append (param homedir-as-literal) subpath))

 ; (path) is not supported until 10.10.
 ; TODO(kerrnel): remove this when 10.9 is no longer supported.
 (define (path x) (literal x))

 ; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
 (if (param-true? disable-sandbox-denial-logging)
     (deny default (with no-log))
     (deny default))

 ; Support for programmatically enabling verbose debugging.
 (if (param-true? enable-logging) (debug deny))

 (allow mach-lookup (global-name (param field-trial-server-name)))

 ; Allow sending signals to self - https://crbug.com/20370
 (allow signal (target self))

 ; Needed for full-page-zoomed controls - https://crbug.com/11325
 (allow sysctl-read)

 ; Loading System Libraries.
 (allow file-read*
     (subpath "/System/Library/Frameworks")
     (subpath "/System/Library/PrivateFrameworks")
     (subpath "/System/Library/CoreServices"))

 (allow ipc-posix-shm)

 ; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
 ; third party code (eg: bits of Adobe Flash and NSS) to function properly.
 (allow file-read-data file-read-metadata (literal "/dev/urandom"))
	;;
	;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
	;; Use of this source code is governed by a BSD-style license that can be
	;; found in the LICENSE file.
	;;
	; This configuration file isn't used on it's own, but instead implicitly
	; included at the start of all other sandbox configuration files in Chrome.
	(version 1)

	; Helper function to check if a param is set to true.
	(define (param-true? str) (string=? (param str) "TRUE"))

	; Helper function to determine if a parameter is defined or not.
	(define (param-defined? str) (string? (param str)))

	; Define constants for all of the parameter strings passed in.
	(define bundle-version-path "BUNDLE_VERSION_PATH")
	(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
	(define enable-logging "ENABLE_LOGGING")
	(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
	(define elcap-or-later "ELCAP_OR_LATER")
	(define macos-1013 "MACOS_1013")
	(define field-trial-server-name "FIELD_TRIAL_SERVER_NAME")

	; Consumes a subpath and appends it to the user's homedir path.
	(define (user-homedir-path subpath)
	(string-append (param homedir-as-literal) subpath))

	; (path) is not supported until 10.10.
	; TODO(kerrnel): remove this when 10.9 is no longer supported.
	(define (path x) (literal x))

	; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
	(if (param-true? disable-sandbox-denial-logging)
	(deny default (with no-log))
	(deny default))

	; Support for programmatically enabling verbose debugging.
	(if (param-true? enable-logging) (debug deny))

	(allow mach-lookup (global-name (param field-trial-server-name)))

	; Allow sending signals to self - https://crbug.com/20370
	(allow signal (target self))

	; Needed for full-page-zoomed controls - https://crbug.com/11325
	(allow sysctl-read)

	; Loading System Libraries.
	(allow file-read*
	(subpath "/System/Library/Frameworks")
	(subpath "/System/Library/PrivateFrameworks")
	(subpath "/System/Library/CoreServices"))

	(allow ipc-posix-shm)

	; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
	; third party code (eg: bits of Adobe Flash and NSS) to function properly.
	(allow file-read-data file-read-metadata (literal "/dev/urandom"))