-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsandbox.sb
99 lines (77 loc) · 2.76 KB
/
sandbox.sb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
(version 1)
(deny default)
(define bundle-path "BUNDLE_PATH")
(define user-homedir "USER_HOME")
(define datadir "DATA_DIR")
(define ping-service "PING_SERVICE_NAME")
(define config-dir
(string-append (param user-homedir) "/.config"))
(allow signal (target self))
(allow user-preference-read)
(allow mach-lookup
; Used for LaunchServices registration
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.cfprefsd.agent")
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.DiskArbitration.diskarbitrationd")
; Used for keychain event and attributes access
(global-name "com.apple.SecurityServer")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.system.opendirectoryd.membership")
; Used to check for other running instances of the app
(global-name (param ping-service))
; Used for sending notifications
(global-name "com.apple.distributed_notifications@Uv3")
(global-name "com.apple.usernoted.client")
; Used for getting modifier app info
(global-name "com.apple.coreservices.launchservicesd")
; Intentionally no access to `com.apple.analyticsd` because its dumb.
)
(allow mach-register
; Used to check for other running instances of the app
(global-name (param ping-service))
)
(allow ipc-posix-shm-read-data)
(allow ipc-posix-shm-write-data)
(allow ipc-posix-shm-write-create)
(allow sysctl-read)
; Reads from /usr.
(allow file-read*
(subpath "/usr/share/icu")
)
; Allow realpath() to work.
(allow file-read-metadata (subpath "/"))
; Allow reading our own bundle contents :D
(allow file-read* (subpath (param bundle-path)))
; Allow reading ~/Library/Containers/<bundleid>/Data which is just for this app
(allow file-read* (subpath (param datadir)))
; Read metadata about ~/.config
(allow file-read-metadata (subpath config-dir))
; Do anything inside the app's own ~/.config subdirectory.
(allow file* (subpath (string-append config-dir "/keeper_of_keys")))
; Allow reads of system libraries and frameworks.
(allow file-read*
(subpath "/System/Library/CoreServices")
(subpath "/System/Library/Frameworks")
(subpath "/System/Library/Preferences/Logging")
(subpath "/System/Library/PrivateFrameworks")
(subpath "/System/Library/Security")
(subpath "/usr/lib")
)
; Reads from /Library.
(allow file-read-data
(subpath "/Library/Preferences/Logging")
)
; Reads from the system's keychains
; Used for correctly receiving/detecting events
(allow file-read-data
(subpath "/Library/Keychains")
(subpath (string-append (param user-homedir) "/Library/Keychains"))
)
; Access Security.framework MDS.
; Used for registering keychain callbacks and getting item attributres.
(allow file*
(subpath "/private/var/db/mds")
(regex #"/private/var/folders/.*/mds/")
)