| (version 1) |
| |
| ; TODO: (deny default) |
| ; NOTE(review): until the TODO above is done, the default action is allow-with-report, |
| ; so an operation that no other rule matches is still permitted; the report modifier |
| ; presumably only logs it. The allow rules in this file therefore mark operations as |
| ; expected rather than grant access, and the one explicit deny rule is the only |
| ; restriction visible here (bsd.sb, imported below, is not shown). |
| (allow default (with report)) |
| |
| ; Import apple-defined rules for bsd daemons |
| ; NOTE(review): the contents of bsd.sb are not visible from this file; review the two together. |
| (import "bsd.sb") |
| |
| ; Allow reading of any file |
| ; NOTE(review): there is no path filter, so reads are not limited to the source tree; |
| ; every file the invoking user can read is readable by sandboxed build steps. |
| (allow file-read*) |
| |
| ; Allow writing to $OUT_DIR and $DIST_DIR |
| ; Both paths are profile parameters supplied by whoever invokes the sandbox; |
| ; subpath covers the directory and everything beneath it. |
| (allow file-write* |
| (subpath (param "OUT_DIR")) |
| (subpath (param "DIST_DIR"))) |
| |
| ; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore |
| ; The only explicit deny in this file; no-log keeps the denial out of the sandbox log. |
| (deny file-write* (with no-log) |
| (subpath (string-append (param "HOME") "/.oracle_jre_usage"))) |
| |
| ; Allow writes to user-specific temp folders (Java stores hsperfdata there) |
| ; NOTE(review): the filter is the whole /private/var/folders tree, not only the invoking |
| ; user's directory under it. Confirm that breadth is intended before moving to (deny default). |
| (allow file-write* |
| (subpath "/private/var/folders")) |
| |
| ; Allow writing to the terminal |
| ; Narrower operation than the rules above: file-write-data only, not file-write*. |
| (allow file-write-data |
| (subpath "/dev/tty")) |
| |
| ; Mach services the build tools look up; the trailing comment on each entry names the |
| ; tool that needs it (Java, or xcodebuild when run from Soong). |
| ; NOTE(review): the last entry is a regex anchored only at the start, so it matches every |
| ; service name beginning with com.apple.distributed_notifications, not one exact name. |
| (allow mach-lookup |
| (global-name "com.apple.SystemConfiguration.configd") ; Java |
| (global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong |
| (global-name "com.apple.FSEvents") ; xcodebuild in Soong |
| (global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong |
| (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong |
| ) |
| |
| ; Allow suid /bin/ps to function |
| ; NOTE(review): no-sandbox means /bin/ps is executed outside this sandbox, so none of the |
| ; rules in this profile apply to that process. literal limits the exemption to that exact path. |
| (allow process-exec (literal "/bin/ps") (with no-sandbox)) |
| |
| ; Allow path_interposer unix domain socket without logging |
| ; The only network rule in this file. Its target is a filesystem path under OUT_DIR, not a |
| ; remote address; all other network access falls through to the default rule. |
| (allow network-outbound (literal (string-append (param "OUT_DIR") "/.path_interposer_log"))) |
| |
| ; Allow executing any file |
| ; NOTE(review): neither rule has a path filter, so they would stay unrestricted even after |
| ; a switch to (deny default). The unfiltered process-exec* also follows the /bin/ps rule |
| ; above; confirm how the two interact. |
| (allow process-exec*) |
| (allow process-fork) |