; Copyright 2017 The Chromium Authors
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.
; --- The contents of common.sb implicitly included here. ---
; Allow cf prefs to work.
(allow user-preference-read)
; allow-cvms-blobs is not a seatbelt primitive; presumably a helper defined in
; the implicitly included common.sb — confirm there.
(allow-cvms-blobs)
; Unfiltered: any POSIX shared-memory operation on any name.
; NOTE(review): if this umbrella operation already covers the read-data
; sub-operation, the narrower ipc-posix-shm-read-data grant later in this
; file is redundant — confirm against common.sb before relying on either.
(allow ipc-posix-shm)
; Allow communication between the GPU process and the UI server.
; Each entry below names a Mach service the GPU process may look up. This is
; an allowlist, so every addition widens the IPC surface reachable from the
; sandboxed process and should carry a reason, as the annotated entries do.
(allow mach-lookup
  ; Needed for AudioToolbox AAC encoding (https://crbug.com/1321287) and
  ; xHE-AAC decoding (https://crbug.com/1289825).
  (global-name "com.apple.audio.AudioComponentRegistrar")
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.CARenderServer")
  (global-name "com.apple.cfprefsd.agent")
  (global-name "com.apple.cfprefsd.daemon")
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.coreservices.launchservicesd")
  (global-name "com.apple.cvmsServ")
  (global-name "com.apple.gpumemd.source")
  (global-name "com.apple.lsd.mapdb")
  (global-name "com.apple.lsd.modifydb")
  (global-name "com.apple.powerlog.plxpclogger.xpc")
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5
  (global-name "com.apple.tsm.uiserver")
  (global-name "com.apple.windowserver.active")
  ; Needed for VideoToolbox usage - https://crbug.com/767037
  (xpc-service-name "com.apple.coremedia.videodecoder")
  (xpc-service-name "com.apple.coremedia.videoencoder")
  ; Unlike the exact names above, this regex matches any XPC service whose
  ; name ends in ".apple-extension-service", so it is an open-ended grant.
  (xpc-service-name-regex #"\.apple-extension-service$")
)
; Needed for metal decoding - https://crbug.com/957217
; Reached as an XPC service rather than a global Mach name; presumably the
; Metal shader compiler service (see also the file-issue-extension grant
; below, which exists for this service).
(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
; Allow access to the Apple Neural Engine for the Shape Detection API.
; https://crbug.com/1382442
; Gated on os-version (expected to come from common.sb); 1300 presumably
; encodes macOS 13.0 — confirm the encoding there.
(if (>= os-version 1300)
  (begin
    (allow mach-lookup (global-name "com.apple.appleneuralengine"))
    ; Opens a direct user-client channel to the ANE kernel driver, i.e.
    ; kernel attack surface that only exists on these OS versions.
    (allow iokit-open
      (iokit-user-client-class "H11ANEInDirectPathClient"))
  )
)
; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936
; 1016 presumably encodes macOS 10.16 (how Big Sur reports itself) — confirm
; the os-version encoding in common.sb.
(if (>= os-version 1016)
  (begin
    (allow mach-lookup (global-name "com.apple.trustd.agent"))
    ; Exact-path read of the system security preferences plist only.
    (allow file-read* (path "/Library/Preferences/com.apple.security.plist"))
  )
)
; Needed for WebGL - https://crbug.com/75343
; Opening an IOKit user client gives the GPU process a direct channel to the
; corresponding kernel driver, so every class listed here is kernel attack
; surface exposed to this sandbox. "IOHIDParamUserClient" and
; "RootDomainUserClient" look unrelated to graphics — presumably still
; required by frameworks the GPU process loads; worth confirming.
(allow iokit-open
  (iokit-connection "IOAccelerator")
  (iokit-user-client-class "AGPMClient")
  (iokit-user-client-class "AppleGraphicsControlClient")
  (iokit-user-client-class "AppleGraphicsPolicyClient")
  (iokit-user-client-class "AppleIntelMEUserClient")
  (iokit-user-client-class "AppleMGPUPowerControlClient")
  (iokit-user-client-class "AppleSNBFBUserClient")
  (iokit-user-client-class "IOAccelerationUserClient")
  (iokit-user-client-class "IOFramebufferSharedUserClient")
  (iokit-user-client-class "IOHIDParamUserClient")
  (iokit-user-client-class "IOSurfaceRootUserClient")
  (iokit-user-client-class "IOSurfaceSendRight")
  (iokit-user-client-class "RootDomainUserClient")
)
; Allow setting only a fixed set of properties on display connections: the
; require-all means the target must be an "IODisplay" AND the property must
; be one of those listed. "rgcs"/"ggcs"/"bgcs" are presumably per-channel
; gamma tables — TODO confirm.
(allow iokit-set-properties
  (require-all (iokit-connection "IODisplay")
    (require-any (iokit-property "brightness")
      (iokit-property "linear-brightness")
      (iokit-property "commit")
      (iokit-property "rgcs")
      (iokit-property "ggcs")
      (iokit-property "bgcs")
    )))
; Read-only access to the notification center's shared-memory segment; pairs
; with the com.apple.system.notification_center mach-lookup above.
(allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center"))
; Read-only allowlist of sysctls: hardware topology/model facts plus the
; kernel OS-variant status. Any new name added here should be justified,
; since sysctls can leak host fingerprinting information.
(allow sysctl-read
  (sysctl-name "hw.busfrequency_max")
  (sysctl-name "hw.cachelinesize")
  (sysctl-name "hw.logicalcpu_max")
  (sysctl-name "hw.memsize")
  (sysctl-name "hw.model")
  (sysctl-name "kern.osvariant_status")
)
; Data-only reads (no metadata/listing) of a few system files and two
; per-user preference patterns; user-homedir-path anchors each regex at the
; user's home directory.
; NOTE(review): the AppleGVA regex has unescaped dots and a trailing ".*", so
; "." matches any character there, whereas the driver regex above escapes its
; dots. The tighter form would be
; #"/Library/Preferences/ByHost/com\.apple\.AppleGVA.*" — confirm nothing
; relies on the looser match before changing it.
(allow file-read-data
  (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
  (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
  (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist"))
  (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
)
; Full read access (data and metadata). "path" grants the named entry only,
; which is enough to list a directory; "subpath" grants the entire tree
; beneath it, so the subpath entries are the broad ones here.
(allow file-read*
  (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14.
  (path (user-homedir-path "/Library/Preferences/ByHost"))
  (subpath "/Library/GPUBundles")
  (subpath "/Library/Video/Plug-Ins")
  (subpath "/System/Library/ColorSync/Profiles")
  (subpath "/System/Library/Components/AudioCodecs.component")
  (subpath "/System/Library/CoreServices/RawCamera.bundle")
  (subpath "/System/Library/Extensions") ; https://crbug.com/515280
  (subpath "/System/Library/Video/Plug-Ins")
)
; crbug.com/980134
; The only file-write* grant in this profile fragment: the per-user cache,
; state and temp directories are passed in as params by the code that loads
; the profile — presumably the per-user confstr directories; confirm where
; the params are set.
(allow file-read* file-write*
  (subpath (param darwin-user-cache-dir))
  (subpath (param darwin-user-dir))
  (subpath (param darwin-user-temp-dir))
)
; Metal issues a sandbox extension to permit MTLCompilerService to read source
; files from disk. It's much broader than we'd like (https://crbug.com/41485470).
; This permits the GPU process to issue read-class
; ("com.apple.app-sandbox.read") extensions covering any path under "/"; the
; root subpath is the broad part that bug tracks. It is not a file-read grant
; for this process itself.
(allow file-issue-extension
  (require-all
    (extension-class "com.apple.app-sandbox.read")
    (subpath "/")))
; Debug-only syscall filtering, enabled by the filter-syscalls-debug param.
; syscall-unix is guarded with defined? because the operation does not exist
; on every OS version this profile targets. Rule order matters: in SBPL the
; last matching rule wins, so the deny turns every unix syscall into a
; SIGSYS delivered to the process, and the allow that follows carves out
; only the listed syscall numbers.
(if (param-true? filter-syscalls-debug)
  (when (defined? 'syscall-unix)
    (deny syscall-unix (with send-signal SIGSYS))
    (allow syscall-unix
      (syscall-number SYS_csrctl)
      (syscall-number SYS_getentropy)
      (syscall-number SYS_getxattr)
      (syscall-number SYS_kdebug_typefilter)
      (syscall-number SYS_sigaltstack)
      (syscall-number SYS_write)
      (syscall-number SYS_write_nocancel)
    )))
; Allow Metal shader-cache access unless the embedder opted out. Both helpers
; are presumably defined in the implicitly included common.sb — confirm what
; paths maybe-allow-metal-shader-cache-access actually opens up.
(if (not (maybe-disable-metal-shader-cache))
  (maybe-allow-metal-shader-cache-access))