; Copyright 2018 The Chromium Authors. All rights reserved.
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.
; --- The contents of common.sb implicitly included here. ---
; Names of the parameters injected by whoever instantiates this profile:
; a count N, plus one path per index under the prefix below.
(define network-service-storage-paths-count "NETWORK_SERVICE_STORAGE_PATHS_COUNT")
(define network-service-storage-path-n "NETWORK_SERVICE_STORAGE_PATH_")
; Grant file* (every file operation) on each storage path with index in
; [0,N). subpath covers the named directory and everything beneath it.
; NOTE(review): the paths are used exactly as injected; this profile does not
; validate them, so the caller must pass only directories the service owns.
; NOTE(review): string->number yields #f for non-numeric text; presumably the
; comparison below then aborts profile evaluation - confirm this fails closed.
(let ((path-count (string->number (param network-service-storage-paths-count))))
  (let grant-next ((index 0))
    (if (< index path-count)
      (begin
        (let ((param-name (string-append network-service-storage-path-n
                                         (number->string index))))
          (allow file* (subpath (param param-name))))
        (grant-next (+ index 1))))))
; DNS configuration watcher entries. /etc and /var are listed next to their
; /private counterparts because these locations are a nested chain of symlinks.
; Each path filter names one filesystem object exactly, not a subtree, so the
; "/" entry covers the root directory itself rather than everything below it.
; Read-only: no write operation is granted by this rule.
(allow file-read*
(path "/")
(path "/etc")
(path "/etc/hosts")
(path "/etc/resolv.conf")
(path "/private")
(path "/private/etc")
(path "/private/etc/hosts")
(path "/private/etc/resolv.conf")
(path "/private/var")
(path "/private/var/run")
(path "/private/var/run/resolv.conf")
(path "/var")
(path "/var/run")
)
; Local preferences: read-only access to the single plist named after the
; bundle id inside the user's Library/Preferences directory.
; NOTE(review): user-homedir-path and bundle-id are not defined in this file;
; presumably both come from common.sb - confirm.
(allow file-read*
(path (user-homedir-path (string-append "/Library/Preferences/" (param bundle-id) ".plist")))
)
; Certificate databases. Read-only: two exact plist paths, then four subtrees.
; A subpath entry covers the named directory and everything beneath it.
; NOTE(review): the last entry makes every file under the user's
; ~/Library/Keychains readable by this process; confirm that scope is needed.
(allow file-read*
(path "/Library/Preferences/com.apple.security.plist")
(path "/System/Library/Keychains/SystemTrustSettings.plist")
(subpath "/Library/Keychains")
(subpath "/System/Library/Security")
(subpath "/private/var/db/mds")
(subpath (user-homedir-path "/Library/Keychains"))
)
; Read and write access to the whole subtree of the directory supplied through
; the darwin-user-cache-dir parameter.
; NOTE(review): darwin-user-cache-dir is not defined in this file; presumably
; it is declared in common.sb and filled in by the embedder - confirm.
(allow file-read* file-write*
(subpath (param darwin-user-cache-dir))
)
; Network socket access.
; Outbound: the com.apple.netsrc control socket, the mDNSResponder socket path
; below, and TCP/UDP to remote endpoints. The (remote tcp) and (remote udp)
; filters carry no host or port restriction, so this rule does not limit which
; remote endpoints the process can reach.
(allow network-outbound
(control-name "com.apple.netsrc")
(literal "/private/var/run/mDNSResponder")
(remote tcp)
(remote udp)
)
; Binding and receiving inbound traffic on local TCP and UDP. No address or
; port restriction is attached to either filter.
(allow network-bind network-inbound
(local tcp)
(local udp)
)
; DNS resolution.
; Permits AF_SYSTEM sockets only in combination with protocol 2 (require-all
; needs both filters to match), and AF_ROUTE sockets with no protocol
; restriction.
(allow system-socket
(require-all (socket-domain AF_SYSTEM)
(socket-protocol 2)) ; SYSPROTO_CONTROL
(socket-domain AF_ROUTE)
)
; Distributed notifications memory. Only the read-data operation is granted on
; this named POSIX shared-memory object.
(allow ipc-posix-shm-read-data
(ipc-posix-name "apple.shm.notification_center")
)
; Notification data from the security server database.
; NOTE(review): this uses the unqualified ipc-posix-shm operation rather than a
; read-only one such as the ipc-posix-shm-read-data granted for
; apple.shm.notification_center; confirm the wider access is required.
(allow ipc-posix-shm
(ipc-posix-name "com.apple.AppleDatabaseChanged")
)
; Mach services this process may look up by global name. Each group below
; carries the reason the service is needed.
(allow mach-lookup
; Set backup exclusion on cache files.
(global-name "com.apple.backupd.sandbox.xpc")
; Used to look up the _CS_DARWIN_USER_CACHE_DIR in the sandbox.
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.system.opendirectoryd.membership")
; Allow notifications of DNS changes.
(global-name "com.apple.system.notification_center")
; Communicate with the security server for TLS certificate information.
(global-name "com.apple.SecurityServer")
(global-name "com.apple.ocspd")
(global-name "com.apple.trustd.agent")
; Read network configuration.
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.configd")
)
; Read-only access to sysctl names matching the regex below.
; NOTE(review): the "." is an unescaped regex metacharacter and the pattern has
; no trailing anchor, so it matches any name that starts with "net", one
; arbitrary character, then "routetable". Consider escaping the dot if only
; the net.routetable names are intended.
(allow sysctl-read
(sysctl-name-regex #"^net.routetable")
)