path: root/ui/build/sandbox/darwin/global.sb
blob: e32b64b6906cf8f85250fe445b8eb8a37849cbfc (plain)
(version 1)

; Sandbox profile (SBPL). It reads three parameters that the launcher must
; supply: OUT_DIR, DIST_DIR and HOME.
; NOTE(review): the hard-coded temp path below is spelled /private/var/...
; rather than /var/..., so paths are presumably matched in resolved form;
; confirm that the launcher passes canonical absolute values for the parameters.

; TODO: (deny default)
; The fallback action is currently "allow" with the report modifier, so an
; operation that no rule below matches is permitted rather than blocked.
; Until the TODO is done, the allow rules in this file do not narrow anything
; by themselves; presumably they keep expected operations out of the report
; and prepare for a deny-default profile. The only explicit deny visible here
; is the ~/.oracle_jre_usage rule (bsd.sb is not shown and may add its own).
(allow default (with report))

; Import apple-defined rules for bsd daemons
(import "bsd.sb")

; Allow reading of any file
; NOTE(review): there is no path filter, so this profile gives no
; confidentiality for host files (credentials, keys) that the build user can
; read; only ordinary file permissions apply.
(allow file-read*)

; Allow writing to $OUT_DIR and $DIST_DIR
; Both are subpath matches, so the whole tree under each parameter is writable.
(allow file-write*
    (subpath (param "OUT_DIR"))
    (subpath (param "DIST_DIR")))

; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
; The write is denied and (with no-log) keeps the denial out of the log.
(deny file-write* (with no-log)
    (subpath (string-append (param "HOME") "/.oracle_jre_usage")))

; Allow writes to user-specific temp folders (Java stores hsperfdata there)
; NOTE(review): the rule names the whole /private/var/folders tree, not one
; user's directory; file permissions are what limit it to the current user.
(allow file-write*
  (subpath "/private/var/folders"))

; Allow writing to the terminal
; file-write-data only, i.e. narrower than the file-write* rules above.
(allow file-write-data
    (subpath "/dev/tty"))

; Mach services looked up by Java and by xcodebuild (see per-line notes)
(allow mach-lookup
    (global-name "com.apple.SystemConfiguration.configd") ; Java
    (global-name "com.apple.CoreServices.coreservicesd")  ; xcodebuild in Soong
    (global-name "com.apple.FSEvents")                    ; xcodebuild in Soong
    (global-name "com.apple.lsd.mapdb")                   ; xcodebuild in Soong
    (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
)

; Allow suid /bin/ps to function
; (with no-sandbox) means the exec'd /bin/ps runs outside this profile; the
; literal filter limits that exemption to exactly this path.
(allow process-exec (literal "/bin/ps") (with no-sandbox))

; Allow path_interposer unix domain socket without logging
; The target is a filesystem path under OUT_DIR. This is the only network rule
; in this file, so other network operations fall through to the default
; (currently allow with report) unless bsd.sb says otherwise.
(allow network-outbound (literal (string-append (param "OUT_DIR") "/.path_interposer_log")))

; Allow executing any file
; Unlike the /bin/ps rule above, these carry no no-sandbox modifier.
(allow process-exec*)
(allow process-fork)