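; Copyright 2018 The Chromium Authors. All rights reserved.
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.

; --- The contents of common.sb implicitly included here. ---
;
; macOS sandbox profile for the network service process. Every rule below is
; an allow rule, so this file only adds permissions on top of whatever
; common.sb establishes. `bundle-id`, `darwin-user-cache-dir`,
; `darwin-user-temp-dir` and `user-homedir-path` are not defined in this file;
; they are expected to come from common.sb.

; Injected parameters. These are the names of values supplied by the process
; that applies the profile, and they are read below with (param ...).
(define network-service-storage-paths-count "NETWORK_SERVICE_STORAGE_PATHS_COUNT")
(define network-service-storage-path-n "NETWORK_SERVICE_STORAGE_PATH_")
(define network-service-test-certs-dir "NETWORK_SERVICE_TEST_CERTS_DIR")

; Allow access to the [0,N) storage location paths.
; Each NETWORK_SERVICE_STORAGE_PATH_<i> is granted `file*` (every file
; operation) on the whole subtree, so the injected paths need to be as narrow
; as the caller can make them.
; NOTE(review): the count is used without validation; a missing or
; non-numeric value is presumably a profile evaluation error. Confirm against
; the code that injects the parameters.
(let ((count (string->number (param network-service-storage-paths-count))))
  (let loop ((i 0))
    (if (< i count)
      (begin
        (allow file* (subpath
          (param (string-append network-service-storage-path-n (number->string i)))))
        (loop (+ i 1))))))

; DNS configuration watcher entries. This is a nested mess of symlinks, so
; each component of the chain is listed as an exact `path` (no subtree access).
(allow file-read*
  (path "/")
  (path "/etc")
  (path "/etc/hosts")
  (path "/etc/resolv.conf")
  (path "/private")
  (path "/private/etc")
  (path "/private/etc/hosts")
  (path "/private/etc/resolv.conf")
  (path "/private/var")
  (path "/private/var/run")
  (path "/private/var/run/resolv.conf")
  (path "/var")
  (path "/var/run")
)

; Local preferences: read-only access to this bundle's own plist.
(allow file-read*
  (path (user-homedir-path (string-append "/Library/Preferences/" (param bundle-id) ".plist")))
)

; Certificate databases (read-only).
(allow file-read*
  (path "/Library/Preferences/com.apple.security.plist")
  ; https://crbug.com/1024000
  (path (user-homedir-path "/Library/Preferences/com.apple.security.revocation.plist"))
  (subpath "/Library/Keychains")
  (subpath "/System/Library/Keychains")
  (subpath "/System/Library/Security")
  (subpath "/private/var/db/mds")
  (subpath (user-homedir-path "/Library/Keychains"))
)
; Read/write access to the per-user cache and temp directory subtrees.
(allow file-read* file-write*
  (subpath (param darwin-user-cache-dir))
  (subpath (param darwin-user-temp-dir))
)
; Optional parameter: the extra read-only subtree is granted only when the
; caller injects NETWORK_SERVICE_TEST_CERTS_DIR.
; NOTE(review): going by the name this is meant for tests only; confirm that
; production launches never set it.
(if (param-defined? network-service-test-certs-dir)
  (allow file-read* (subpath (param network-service-test-certs-dir))))

; Network socket access.
; Outbound TCP and UDP to any remote endpoint, plus the mDNSResponder socket
; and the com.apple.netsrc control socket.
(allow network-outbound
  (control-name "com.apple.netsrc")
  (literal "/private/var/run/mDNSResponder")
  (remote tcp)
  (remote udp)
)
; Bind and accept on any local TCP or UDP endpoint; this profile places no
; restriction on port or address.
(allow network-bind network-inbound
  (local tcp)
  (local udp)
)

; DNS resolution.
(allow system-socket
  (require-all (socket-domain AF_SYSTEM)
               (socket-protocol 2)) ; SYSPROTO_CONTROL
  (socket-domain AF_ROUTE)
)

; Distributed notifications memory (read-only).
(allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center")
)

; Notification data from the security server database.
(allow ipc-posix-shm
  (ipc-posix-name "com.apple.AppleDatabaseChanged")
)

; Each global-name is an exact Mach service name, and lookups for services
; not listed in this profile are not granted here.
(allow mach-lookup
  ; Set backup exclusion on cache files.
  (global-name "com.apple.backupd.sandbox.xpc")

  ; Used to look up the _CS_DARWIN_USER_CACHE_DIR in the sandbox.
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.opendirectoryd.membership")

  ; Allow notifications of DNS changes.
  (global-name "com.apple.system.notification_center")

  ; Communicate with the security server for TLS certificate information.
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.networkd")  ; https://crbug.com/1024000
  (global-name "com.apple.ocspd")
  (global-name "com.apple.trustd.agent")

  ; Read network configuration.
  (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  (global-name "com.apple.SystemConfiguration.configd")
)

; Routing-table sysctls only. The dot is escaped so that it matches a literal
; '.' and not any character, keeping the allowed names to the
; "net.routetable" prefix.
(allow sysctl-read
  (sysctl-name-regex #"^net\.routetable")
)

; Kerberos support. This should be removed after GSS is moved out of the
; network service. https://crbug.com/1017830
(allow mach-lookup
  (global-name "org.h5l.kcm")
)
(allow file-read*
  (path "/private/etc/krb5.conf")
  (subpath "/System/Library/KerberosPlugins/KerberosFrameworkPlugins")
)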