blob: bae2989545dc3d7150b351c661e40d7af8092eda (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
;;
;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
; *** The contents of common.sb are implicitly included here. ***
; Needed for Fonts.
(allow file-read* (subpath "/System/Library/Fonts"))
(allow file-read* (subpath "/Library/Fonts"))
(allow mach-lookup (global-name "com.apple.FontObjectsServer"))
(allow mach-lookup (global-name "com.apple.FontServer"))
(allow mach-lookup (global-name "com.apple.fonts"))
(allow file-read* (extension "com.apple.app-sandbox.read")) ; https://crbug.com/662686
; Allow read-only connection to launchservicesd. https://crbug.com/533537
(allow mach-lookup (global-name "com.apple.lsd.mapdb"))
(allow file-read*
(subpath "/System/Library/ColorSync") ; https://crbug.com/46648
(subpath "/System/Library/Keyboard Layouts") ; https://crbug.com/152566
(literal "/Library/Preferences/.GlobalPreferences.plist") ; https://crbug.com/60917
(literal (user-homedir-path "/Library/Preferences/.GlobalPreferences.plist")))
; https://crbug.com/11269
(allow file-read* (subpath (user-homedir-path "/Library/Fonts")))
; https://crbug.com/60917
(allow file-read-metadata
(literal "/")
(literal "/var"))
; https://crbug.com/288697
(allow file-read*
(path "/private/etc/localtime"))
; https://crbug.com/754280
(if (param-true? macos-1013)
(begin (allow file-read* (subpath "/private/var/db/timezone"))
(allow file-read-data (subpath "/usr/share/zoneinfo.default")))
(allow file-read-data (subpath "/usr/share/zoneinfo")))
; Allow access to the metadata of the /etc symlink.
(allow file-read-metadata (path "/etc"))
; Allow access to the symlink target as well.
(allow file-read-metadata (path "/private/etc"))
; https://crbug.com/605840
; file-read-metadata /System/Library/LinguisticData/en/US/hyphenation.dat
; for CFStringIsHyphenationAvailableForLocale and CFStringGetHyphenationLocationBeforeIndex
(allow file-read* (subpath "/System/Library/LinguisticData"))
; https://crbug.com/850021
(allow mach-lookup (global-name "com.apple.cvmsServ"))
; Reads of signed Mach-O blobs created by the CVMS server.
; https://crbug.com/850021
(allow file-read*
(extension "com.apple.cvms.kernel")
(prefix "/private/tmp/cvmsCodeSignObj")
(subpath "/private/var/db/CVMS"))
; Reads from /Library.
(allow file-read-data
(subpath "/Library/GPUBundles")) ; https://crbug.com/850021
|
