blob: 0b5394faaf49b54cb037c715f1a93b91377c6f6d [file] [log] [blame]
;;
;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
; This configuration file isn't used on it's own, but instead implicitly
; included at the start of all other sandbox configuration files in Chrome.
(version 1)
; Helper function to check if a param is set to true.
(define (param-true? str) (string=? (param str) "TRUE"))
; Helper function to determine if a parameter is defined or not.
(define (param-defined? str) (string? (param str)))
; Define constants for all of the parameter strings passed in.
(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
(define enable-logging "ENABLE_LOGGING")
(define permitted-dir "PERMITTED_DIR")
(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
(define elcap-or-later "ELCAP_OR_LATER")
; Consumes a subpath and appends it to the user's homedir path.
(define (user-homedir-path subpath) (string-append (param homedir-as-literal) subpath))
; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
(if (param-true? disable-sandbox-denial-logging)
(deny default (with no-log))
(deny default))
; Support for programmatically enabling verbose debugging.
(if (param-true? enable-logging) (debug deny))
; Allow sending signals to self - https://crbug.com/20370
(allow signal (target self))
; Needed for full-page-zoomed controls - https://crbug.com/11325
(allow sysctl-read)
; Loading System Libraries.
(allow file-read*
(regex #"^/System/Library/Frameworks($|/)")
(regex #"^/System/Library/PrivateFrameworks($|/)")
(regex #"^/System/Library/CoreServices($|/)"))
(allow ipc-posix-shm)
; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
; third party code (eg: bits of Adobe Flash and NSS) to function properly.
(allow file-read-data file-read-metadata (literal "/dev/urandom"))