(version 1) (define macosMajorVersion %d) (define macosMinorVersion %d) (define appPath "%s") (define appBinaryPath "%s") (define home-path "%s") (import "/System/Library/Sandbox/Profiles/system.sb") (if (< macosMinorVersion 9) (allow default) (begin (deny default) (debug deny) (define resolving-literal literal) (define resolving-subpath subpath) (define resolving-regex regex) (define container-path appPath) (define var-folders-re "^/private/var/folders/[a-z0-9][a-z0-9]") (define var-folders2-re (string-append var-folders-re "/[^/]*/[^/]")) (define (home-regex home-relative-regex) (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex))) (define (home-subpath home-relative-subpath) (resolving-subpath (string-append home-path home-relative-subpath))) (define (home-literal home-relative-literal) (resolving-literal (string-append home-path home-relative-literal))) (define (container-regex container-relative-regex) (resolving-regex (string-append "^" (regex-quote container-path) container-relative-regex))) (define (container-subpath container-relative-subpath) (resolving-subpath (string-append container-path container-relative-subpath))) (define (container-literal container-relative-literal) (resolving-literal (string-append container-path container-relative-literal))) (define (var-folders-regex var-folders-relative-regex) (resolving-regex (string-append var-folders-re var-folders-relative-regex))) (define (var-folders2-regex var-folders2-relative-regex) (resolving-regex (string-append var-folders2-re var-folders2-relative-regex))) (allow ipc-posix-shm (ipc-posix-name-regex "^CFPBS:") (ipc-posix-name-regex "^AudioIO")) (allow file-read-metadata (literal "/home") (literal "/net") (regex "^/private/tmp/KSInstallAction\.") (var-folders-regex "/") (home-subpath "/Library")) (allow signal (target self)) (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL")) (allow authorization-right-obtain (right-name "system.print.operator") (right-name "system.printingmanager")) (allow mach-lookup (global-name "com.apple.coreservices.appleevents") (global-name "com.apple.pasteboard.1") (global-name "com.apple.window_proxies") (global-name "com.apple.windowserver.active") (global-name "com.apple.cvmsServ") (global-name "com.apple.audio.coreaudiod") (global-name "com.apple.audio.audiohald") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.cmio.VDCAssistant") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.printuitool.agent") (global-name "com.apple.printtool.agent") (global-name "com.apple.printtool.daemon")) (allow iokit-open (iokit-user-client-class "AppleGraphicsControlClient") (iokit-user-client-class "IOHIDParamUserClient") (iokit-user-client-class "IOAudioControlUserClient") (iokit-user-client-class "IOAudioEngineUserClient") (iokit-user-client-class "IGAccelDevice") (iokit-user-client-class "nvDevice") (iokit-user-client-class "AGPMClient") (iokit-user-client-class "IOSurfaceRootUserClient") (iokit-user-client-class "IGAccelSharedUserClient") (iokit-user-client-class "IGAccelVideoContextMain") (iokit-user-client-class "IGAccelVideoContextMedia") (iokit-user-client-class "IGAccelVideoContextVEBox") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "IOUSBDeviceUserClientV2") (iokit-user-client-class "IOUSBInterfaceUserClientV2")) (allow user-preference-read (preference-domain "com.apple.HIToolbox")) (allow file-read* (subpath "/Library/Fonts") (subpath "/Library/Audio/Plug-Ins") (subpath "/Library/CoreMediaIO/Plug-Ins/DAL") (subpath "/private/etc/cups/ppd") (subpath "/private/var/run/cupsd") (literal "/Library/Preferences/com.apple.HIToolbox.plist") (literal "/") (literal "/private/tmp") (literal "/private/var/tmp") (literal "/private/etc/cups/client.conf") (literal "/private/etc/cups/lpoptions") (home-subpath "/Library/Colors") (home-subpath "/Library/Fonts") (home-subpath "/Library/FontCollections") (home-subpath "/Library/Keyboard Layouts") (home-subpath "/Library/Input Methods") (home-literal "/.cups/lpoptions") (home-literal "/.cups/client.conf") (container-regex "(/XUL)|(\.(js|jsm|css|xml|properties|ent|dtd|png|svg|gif|dylib))$") (literal appPath) (literal appBinaryPath)) (shared-preferences-read "org.cups.PrintingPrefs") (allow device-microphone) (allow device-camera) (allow file* (var-folders2-regex "/com\.apple\.IntlDataCache\.le$")) (allow file-write* (var-folders2-regex "/org\.chromium\.[a-zA-Z0-9]*$")) ) )