47 lines
1.4 KiB
Plaintext
47 lines
1.4 KiB
Plaintext
(version 1)
|
|
|
|
; TODO: (deny default)
|
|
(allow default (with report))
|
|
|
|
; Import apple-defined rules for bsd daemons
|
|
(import "bsd.sb")
|
|
|
|
; Allow reading of any file
|
|
(allow file-read*)
|
|
|
|
; Allow writing to $OUT_DIR and $DIST_DIR
|
|
(allow file-write*
|
|
(subpath (param "OUT_DIR"))
|
|
(subpath (param "DIST_DIR")))
|
|
|
|
; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
|
|
(deny file-write* (with no-log)
|
|
(subpath (string-append (param "HOME") "/.oracle_jre_usage")))
|
|
|
|
; Allow writes to user-specific temp folders (Java stores hsperfdata there)
|
|
(allow file-write*
|
|
(subpath "/private/var/folders"))
|
|
|
|
; Allow writing to the terminal
|
|
(allow file-write-data
|
|
(subpath "/dev/tty"))
|
|
|
|
; Java
|
|
(allow mach-lookup
|
|
(global-name "com.apple.SystemConfiguration.configd") ; Java
|
|
(global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong
|
|
(global-name "com.apple.FSEvents") ; xcodebuild in Soong
|
|
(global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong
|
|
(global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
|
|
)
|
|
|
|
; Allow suid /bin/ps to function
|
|
(allow process-exec (literal "/bin/ps") (with no-sandbox))
|
|
|
|
; Allow path_interposer unix domain socket without logging
|
|
(allow network-outbound (literal (string-append (param "OUT_DIR") "/.path_interposer_log")))
|
|
|
|
; Allow executing any file
|
|
(allow process-exec*)
|
|
(allow process-fork)
|