blob: ef69f83620e46b0cc24d698080cbd55ec1053ea2 [file] [log] [blame]
;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
; This configuration file isn't used on it's own, but instead implicitly
; included at the start of all other sandbox configuration files in Chrome.
(version 1)
; Helper function to check if a param is set to true.
(define (param-true? str) (string=? (param str) "TRUE"))
; Helper function to determine if a parameter is defined or not.
(define (param-defined? str) (string? (param str)))
; Define constants for all of the parameter strings passed in.
(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
(define enable-logging "ENABLE_LOGGING")
(define component-build-workaround "COMPONENT_BUILD_WORKAROUND")
(define permitted-dir "PERMITTED_DIR")
(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
(define lion-or-later "LION_OR_LATER")
(define elcap-or-later "ELCAP_OR_LATER")
; Consumes a subpath and appends it to the user's homedir path.
(define (user-homedir-path subpath) (string-append (param homedir-as-literal) subpath))
; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
(if (param-true? disable-sandbox-denial-logging)
(deny default (with no-log))
(deny default))
; Support for programmatically enabling verbose debugging.
(if (param-true? enable-logging) (debug deny))
; Allow sending signals to self -
(allow signal (target self))
; Needed for full-page-zoomed controls -
(allow sysctl-read)
; Loading System Libraries.
(allow file-read*
(regex #"^/System/Library/Frameworks($|/)")
(regex #"^/System/Library/PrivateFrameworks($|/)")
(regex #"^/System/Library/CoreServices($|/)"))
(allow ipc-posix-shm)
; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
; third party code (eg: bits of Adobe Flash and NSS) to function properly.
(allow file-read-data file-read-metadata (literal "/dev/urandom"))
; Enables reading file metadata for the Chrome bundle and its parent paths.
(if (and (param-defined? component-build-workaround)
(param-true? component-build-workaround))
(allow file-read-metadata ))