;; Sandbox profile (SBPL) for a browser content process.
;; Everything is denied by default; the system "bsd" profile is imported as a
;; base and then narrowed or widened by the rules that follow.  The "%s"
;; markers are filled in by the host before the profile is compiled.
(version 1)
(debug deny)
(deny default)

;; --- path helpers -----------------------------------------------------------

;; A path relative to the user's home directory.
;; NOTE(review): the home directory is hard-coded; the original TODO proposes
;; (param "_HOME") instead, which only works once the host passes that
;; parameter -- confirm before switching.
(define (home-subpath rel)
  (subpath (string-append "/Users/andre" rel)))

;; A path relative to the mozilla-central checkout.
(define (build-subpath rel)
  (home-subpath (string-append "/Programmes/mozilla-central" rel)))

;; --- base rules -------------------------------------------------------------

;; Base rules are those for a BSD daemon; every rule below modifies them.
(import "/System/Library/Sandbox/Profiles/bsd.sb")

;; Tighten the base profile: locale and time-zone files are never written.
(deny file-write-data
  (subpath "/usr/share/nls")
  (subpath "/usr/share/zoneinfo")
  (regex #"^(/private)?/etc/localtime$"))

;; --- IPC / services ---------------------------------------------------------

;; The process may only signal itself.
(allow signal (target self))

;; Launch services and pasteboard.
;; The system log reports a denied lookup of
;; "com.apple.coreservices.appleevents"; the content process should not use
;; Apple Events, so that name is deliberately not granted here.
(allow mach-lookup
  (global-name "com.apple.ls.boxd")
  (global-name "com.apple.coreservices.launchservicesd")
  (global-name "com.apple.pasteboard.1"))

;; Audio.
(allow mach-lookup
  (global-name "com.apple.audio.audiohald")
  (global-name "com.apple.audio.coreaudiod"))

;; Power management and window server.
(allow mach-lookup
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.window_proxies")
  (global-name "com.apple.windowserver.active"))

;; Graphics and audio IOKit user clients.
(allow iokit-open
  (iokit-user-client-class "AppleGraphicsControlClient")
  (iokit-user-client-class "IOAudioControlUserClient")
  (iokit-user-client-class "IOAudioEngineUserClient"))

;; POSIX shared memory (read and write data, read metadata).
(allow ipc-posix-shm-read-data
       ipc-posix-shm-read-metadata
       ipc-posix-shm-write-data)

;; --- file system ------------------------------------------------------------

;; System-wide read access: fonts, audio plug-ins, keyboard/toolbox prefs and
;; two development applications.
(allow file-read*
  (subpath "/Applications/TextWrangler.app")
  (subpath "/Applications/Xcode.app/Contents/Developer/Applications/iOS Simulator.app")
  (subpath "/Library/Fonts")
  (subpath "/Library/Audio/Plug-Ins")
  (literal "/Library/Preferences/com.apple.HIToolbox.plist"))

;; Per-user read access.  Keyboard layouts and input methods are candidates
;; that are currently left out:
;;   (home-subpath "/Library/Keyboard Layouts")
;;   (home-subpath "/Library/Input Methods")
(allow file-read*
  (home-subpath "/Library/Fonts")
  (home-subpath "/Library/Preferences/com.apple.HIToolbox.plist"))

;; The built application, plus resources that should live inside the
;; installed application but are currently outside the built one.
;; The require-all form limits reads under the checkout to resource file
;; types only; an equivalent single regex would be
;;   #"^/Users/andre/Programmes/mozilla-central/.*\.(js|jsm|css|xml|properties|ent|dtd|png|svg)$"
(allow file-read*
  (build-subpath "/obj-firefox.noindex/dist/Nightly.app")
  (build-subpath "/obj-firefox.noindex/toolkit/library/XUL")
  (require-all
    (build-subpath "")
    (regex #"\.(js|jsm|css|xml|properties|ent|dtd|png|svg)$")))

;; Host-supplied read paths (could probably be factored out).
;; NOTE(review): these values are spliced into the profile text verbatim; a
;; quote character or newline in a substituted path would alter the profile
;; rather than just the path, so the host should validate them.
(allow file-read*
  (subpath "%s")
  (subpath "%s"))

;; It is not yet understood why the content process needs to write files, but
;; without this rule the browser is broken; not investigated further.
;; NOTE(review): the "x5" component looks specific to this machine/user, and
;; the lone "[^/]" matches exactly one character -- confirm both are intended.
(allow file-write*
  (regex #"^/private/var/folders/x5/[^/]*/[^/]/org\.chromium\.[a-zA-Z0-9]*$"))