| ; Copyright 2018 The Chromium Authors |
| ; Use of this source code is governed by a BSD-style license that can be |
| ; found in the LICENSE file. |
| |
| ; --- The contents of common.sb implicitly included here. --- |
| |
| ; File access. |
| (allow file-read* |
| (path (user-homedir-path "/Library/Caches/com.apple.coreaudio.components.plist")) |
| (regex (user-homedir-path #"/Library/Preferences/com.apple.coreaudio.*")) |
| (subpath "/Library/Audio/Plug-Ins") |
| (subpath "/Library/QuickTime") |
| (subpath "/System/Library/Components") |
| (subpath "/System/Library/Extensions") |
| (subpath (user-homedir-path "/Library/Audio/Plug-Ins")) |
| ) |
| |
| (allow device-microphone) |
| |
| (allow iokit-open |
| (iokit-user-client-class "IOAudioControlUserClient") |
| (iokit-user-client-class "IOAudioEngineUserClient") |
| ) |
| |
| (allow ipc-posix-shm-read* ipc-posix-shm-write-data |
| (ipc-posix-name-regex #"^AudioIO")) |
| |
| ; Mach IPC. |
| (allow mach-lookup |
| (global-name "com.apple.audio.AudioComponentRegistrar") |
| (global-name "com.apple.audio.AudioSession") |
| (global-name "com.apple.audio.audiohald") |
| (global-name "com.apple.audio.coreaudiod") |
| (global-name "com.apple.audio.SystemSoundServer-OSX") |
| (global-name "com.apple.audio.VDCAssistant") |
| (xpc-service-name "com.apple.audio.SandboxHelper") |
| ) |
| |
| ; Needed by ScreenCaptureKit. |
| (if (>= os-version 1300) |
| (begin |
| (allow mach-lookup (global-name "com.apple.replayd")) |
| (allow file-read* |
| (subpath "/System/Library/CoreServices/SystemAppearance.bundle") |
| (subpath "/System/Library/CoreServices/SystemFolderLocalizations") |
| ) |
| (allow sysctl-read |
| (sysctl-name "hw.optional.f16c") |
| (sysctl-name "hw.optional.avx512bw") |
| ) |
| )) |
| |
| ; sysctls. |
| (allow sysctl-read |
| (sysctl-name "hw.optional.avx1_0") |
| (sysctl-name "hw.optional.avx2_0") |
| (sysctl-name "hw.optional.sse2") |
| (sysctl-name "hw.optional.sse3") |
| (sysctl-name "hw.optional.sse4_1") |
| (sysctl-name "hw.optional.sse4_2") |
| ) |
| |
| ; This is available in 10.15+, and rolled out as a Finch experiment. |
| (if (param-true? filter-syscalls-debug) |
| (when (defined? 'syscall-unix) |
| (deny syscall-unix (with send-signal SIGSYS)) |
| (allow syscall-unix |
| (syscall-number SYS_csrctl) |
| (syscall-number SYS_mlock) |
| (syscall-number SYS_poll) |
| (syscall-number SYS_proc_rlimit_control) |
| (syscall-number SYS_psynch_cvbroad) |
| (syscall-number SYS_psynch_cvwait) |
| (syscall-number SYS_setsockopt) |
| (syscall-number SYS_socketpair) |
| (syscall-number SYS_work_interval_ctl) |
| (syscall-number SYS_write) |
| ))) |