blob: 2f513f66f32ac8f3a51ed79b19f92c091d6639f7 [file] [log] [blame]
; Copyright 2017 The Chromium Authors. All rights reserved.
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.
; --- The contents of implicitly included here. ---
; Put the denials first.
; These operations are allowed by default.
(if (>= os-version 1013)
(deny iokit-get-properties process-info* nvram*)
; Allow cf prefs to work.
(allow user-preference-read)
; process-info
(if (>= os-version 1013)
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
; File reads.
; Reads from the home directory.
(allow file-read-data
(path (user-homedir-path "/.CFUserTextEncoding"))
(path (user-homedir-path "/Library/Preferences/"))
; Reads of /dev devices.
(allow file-read-data
(path "/dev/autofs_nowait")
(path "/dev/fd")
(allow file-write-data
(path "/dev/null")
(vnode-type CHARACTER-DEVICE)))
; Needed for Fonts.
; Reads from /System.
(allow file-read-data
(path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist")
(path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
(path "/System/Library/Preferences/Logging/Subsystems/")
(subpath "/System/Library/ColorSync/Profiles")
(subpath "/System/Library/CoreServices/SystemAppearance.bundle")
(subpath "/System/Library/CoreServices/SystemVersion.bundle")
(subpath "/System/Library/Extensions") ;
(subpath "/System/Library/LinguisticData")
; Reads from /Library.
(allow file-read-data
(subpath "/Library/GPUBundles") ;
; IOKit
(allow iokit-open
(iokit-registry-entry-class "IOSurfaceRootUserClient")
(iokit-registry-entry-class "RootDomainUserClient")
(allow ipc-posix-shm-read-data
(ipc-posix-name "apple.cfprefs.317580v1")
(ipc-posix-name "apple.cfprefs.daemonv1")
(ipc-posix-name "apple.shm.notification_center") ;
; mach IPC
(allow mach-lookup
(global-name "") ;
(global-name "") ;
(global-name "")
(global-name "") ;
; IOKit properties.
(if (>= os-version 1013)
(allow iokit-get-properties
(iokit-property "CaseSensitive")
(iokit-property "Ejectable")
(iokit-property "Encrypted")
(iokit-property "IOClassNameOverride")
(iokit-property "IOMediaIcon")
(iokit-property "Protocol Characteristics")
(iokit-property "Removable")
(iokit-property "image-encrypted")
; For V8 to use in thread calculations.
(if (>= os-version 1014)
(allow sysctl-read (sysctl-name "kern.tcsm_enable"))
(allow sysctl-write (sysctl-name "kern.tcsm_enable"))
(allow sysctl-read (sysctl-name "kern.tcsm_available"))