;; SBPL (macOS Seatbelt) sandbox profile, written in the Scheme-like profile
;; language and imported on top of the system profile.
;;
;; The %d / %s tokens are presumably printf-style placeholders that the host
;; program fills in before the profile text is handed to the sandbox — verify
;; against the caller; the profile is not valid as-is until they are replaced.
;;
;; NOTE(review): the source was collapsed onto a few long lines; because a ";"
;; comment runs to end of line, the inline comments below swallowed the rest of
;; their physical line in that form. This listing restores one form per line so
;; each comment covers only its own line. Every non-whitespace token is unchanged.
(version 1)
(define macosMajorVersion %d)
(define macosMinorVersion %d)
(define appPath "%s")          ; bundle path of the sandboxed app
(define appBinaryPath "%s")    ; executable inside that bundle
(define appDir "%s")           ; directory the app is installed in
(define home-path "%s")        ; the user's home directory (used as a path prefix below)
(import "/System/Library/Sandbox/Profiles/system.sb")

;; Below the version threshold the profile is "allow everything" — i.e. no
;; effective confinement. What macosMinorVersion counts (OS minor vs. kernel
;; minor) is decided by the caller that substitutes %d — confirm there.
(if (< macosMinorVersion 19)
  (allow default)
  (begin
    (deny default)  ; deny-by-default; every allow below is an explicit exception
    (debug deny)    ; log denials, useful when tuning the policy or investigating violations

    ;; Path-filter constructors. Each helper prefixes a caller-supplied relative
    ;; path/regex with a fixed root; regex roots are regex-quoted so characters
    ;; in the root are matched literally, and anchored with "^".
    (define resolving-literal literal)
    (define resolving-subpath subpath)
    (define resolving-regex regex)
    (define container-path appPath)
    (define appdir-path appDir)
    ;; Per-user temporary/cache tree: /private/var/folders/XX/YYY/...
    (define var-folders-re "^/private/var/folders/[a-z0-9][a-z0-9]")
    (define var-folders2-re (string-append var-folders-re "/[^/]*/[^/]"))
    (define (home-regex home-relative-regex) (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex)))
    (define (home-subpath home-relative-subpath) (resolving-subpath (string-append home-path home-relative-subpath)))
    (define (home-literal home-relative-literal) (resolving-literal (string-append home-path home-relative-literal)))
    (define (container-regex container-relative-regex) (resolving-regex (string-append "^" (regex-quote container-path) container-relative-regex)))
    (define (container-subpath container-relative-subpath) (resolving-subpath (string-append container-path container-relative-subpath)))
    (define (container-literal container-relative-literal) (resolving-literal (string-append container-path container-relative-literal)))
    (define (var-folders-regex var-folders-relative-regex) (resolving-regex (string-append var-folders-re var-folders-relative-regex)))
    (define (var-folders2-regex var-folders2-relative-regex) (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))
    (define (appdir-regex appdir-relative-regex) (resolving-regex (string-append "^" (regex-quote appdir-path) appdir-relative-regex)))
    (define (appdir-subpath appdir-relative-subpath) (resolving-subpath (string-append appdir-path appdir-relative-subpath)))
    (define (appdir-literal appdir-relative-literal) (resolving-literal (string-append appdir-path appdir-relative-literal)))

    ;; Denies unlinking a preference plist (and its ByHost variants) under the
    ;; container path. NOTE(review): defined but not called anywhere in this profile.
    (define (%protect-preference-symlink domain)
      (deny file-unlink
        (container-literal (string-append "/Library/Preferences/" domain ".plist"))
        (container-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\\..*\\.plist$"))))

    ;; Read access to one preference domain: the user-preference-read operation
    ;; (only where the profile language defines it) plus the plist files in
    ;; ~/Library/Preferences and its ByHost directory.
    (define (allow-shared-preferences-read domain)
      (begin
        (if (defined? `user-preference-read)
          (allow user-preference-read (preference-domain domain)))
        (allow file-read*
          (home-literal (string-append "/Library/Preferences/" domain ".plist"))
          (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\\..*\\.plist$")))))

    ;; Read access to anything in ~/Library/Preferences whose name starts with
    ;; the domain (prefix match: no ".plist" or end anchor is appended).
    (define (allow-shared-list domain)
      (allow file-read* (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))

    ;; NOTE(review): this unfiltered rule permits metadata reads on every path,
    ;; which makes the filtered file-read-metadata rule a few lines below redundant.
    (allow file-read-metadata)
    (allow ipc-posix-shm (ipc-posix-name-regex "^CFPBS:") (ipc-posix-name-regex "^AudioIO"))
    ;; NOTE(review): escaping is inconsistent — the helpers above write "\\." while
    ;; the inline regexes here and below write "\.". If the profile reader drops the
    ;; backslash of an unrecognised escape, "\." becomes "." and matches any
    ;; character; confirm how this text is escaped by the host that embeds it.
    (allow file-read-metadata (literal "/home") (literal "/net") (regex "^/private/tmp/KSInstallAction\.") (var-folders-regex "/") (home-subpath "/Library"))
    (allow signal (target self))
    (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL"))
    ;; Mach services the process may look up (AppleEvents, pasteboard, window
    ;; server, graphics, audio, power, camera assistant, configd, printing).
    (allow mach-lookup
      (global-name "com.apple.coreservices.appleevents")
      (global-name "com.apple.pasteboard.1")
      (global-name "com.apple.window_proxies")
      (global-name "com.apple.windowserver.active")
      (global-name "com.apple.cvmsServ")
      (global-name "com.apple.audio.coreaudiod")
      (global-name "com.apple.audio.audiohald")
      (global-name "com.apple.PowerManagement.control")
      (global-name "com.apple.cmio.VDCAssistant")
      (global-name "com.apple.SystemConfiguration.configd")
      (global-name "com.apple.printuitool.agent")
      (global-name "com.apple.printtool.agent")
      (global-name "com.apple.printtool.daemon"))
    ;; IOKit user clients (graphics, HID, audio, GPU, power, USB). Each class
    ;; listed here is kernel attack surface reachable from the sandbox; keep the
    ;; list to what the process demonstrably needs.
    (allow iokit-open
      (iokit-user-client-class "AppleGraphicsControlClient")
      (iokit-user-client-class "IOHIDParamUserClient")
      (iokit-user-client-class "IOAudioControlUserClient")
      (iokit-user-client-class "IOAudioEngineUserClient")
      (iokit-user-client-class "IGAccelDevice")
      (iokit-user-client-class "nvDevice")
      (iokit-user-client-class "AGPMClient")
      (iokit-user-client-class "IOSurfaceRootUserClient")
      (iokit-user-client-class "IGAccelSharedUserClient")
      (iokit-user-client-class "IGAccelVideoContextMain")
      (iokit-user-client-class "IGAccelVideoContextMedia")
      (iokit-user-client-class "IGAccelVideoContextVEBox")
      (iokit-user-client-class "RootDomainUserClient")
      (iokit-user-client-class "IOUSBDeviceUserClientV2")
      (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
    (allow user-preference-read (preference-domain "com.apple.HIToolbox"))
    ;; Read-only system and per-user resources (fonts, plug-ins, CUPS config,
    ;; input methods) plus the app bundle and binary themselves.
    (allow file-read*
      (subpath "/Library/Fonts")
      (subpath "/Library/Audio/Plug-Ins")
      (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
      (subpath "/private/etc/cups/ppd")
      (subpath "/private/var/run/cupsd")
      (literal "/Library/Preferences/com.apple.HIToolbox.plist")
      (literal "/")
      (literal "/private/tmp")
      (literal "/private/var/tmp")
      (home-subpath "/Library/Colors")
      (home-subpath "/Library/Fonts")
      (home-subpath "/Library/FontCollections")
      (home-subpath "/Library/Keyboard Layouts")
      (home-subpath "/Library/Input Methods")
      ;; NOTE(review): the disabled filter below names `appDir-regex`, but the helper
      ;; defined above is `appdir-regex` (lower case); fix the name before re-enabling.
      ; (appDir-regex "(/XUL)|(\.(js|jsm|css|xml|properties|ent|dtd|png|svg|gif|dylib))$")
      (literal appPath)
      (literal appBinaryPath))
    (allow-shared-list "org.mozilla.plugincontainer")
    (allow device-microphone)
    (allow device-camera)
    ;; file* = read and write on the international data cache in the user's var-folders tree.
    (allow file* (var-folders2-regex "/com\.apple\.IntlDataCache\.le$"))
    (allow file-read* (var-folders2-regex "/com\.apple\.IconServices/"))
    ;; Write access to org.chromium.* entries in the user's var-folders tree.
    (allow file-write* (var-folders2-regex "/org\.chromium\.[a-zA-Z0-9]*$"))

    ; printing
    (allow authorization-right-obtain (right-name "system.print.operator") (right-name "system.printingmanager"))
    (allow mach-lookup
      (global-name "com.apple.printuitool.agent")
      (global-name "com.apple.printtool.agent")
      (global-name "com.apple.printtool.daemon")
      (global-name "com.apple.sharingd")
      (global-name "com.apple.metadata.mds")
      (global-name "com.apple.mtmd.xpc")
      (global-name "com.apple.FSEvents")
      (global-name "com.apple.locum"))
    (allow file-read*
      (home-literal "/.cups/lpoptions")
      (home-literal "/.cups/client.conf")
      (literal "/private/etc/cups/lpoptions")
      (literal "/private/etc/cups/client.conf")
      (subpath "/private/etc/cups/ppd")
      (subpath "/private/var/run/cupsd"))
    (allow-shared-preferences-read "org.cups.PrintingPrefs")
    (allow-shared-preferences-read "com.apple.finder")
    (allow-shared-preferences-read "com.apple.LaunchServices")
    (allow-shared-preferences-read ".GlobalPreferences")
    ;; Outbound connections only to the local CUPS and mDNSResponder sockets —
    ;; no network sockets are opened up by this rule.
    (allow network-outbound (literal "/private/var/run/cupsd") (literal "/private/var/run/mDNSResponder"))

    ; print preview
    ;; NOTE(review): this grants write (and extension-issuing) access to the
    ;; entire per-user var-folders subtree, far wider than the single-file
    ;; write rules above; confirm the narrowest path print preview actually needs.
    (allow file-write* file-issue-extension (var-folders2-regex "/"))
    (allow file-read-xattr (literal "/Applications/Preview.app"))
    ;; NOTE(review): both rules below are unfiltered; mach-register in particular
    ;; lets the process publish Mach services under any name — confirm this is required.
    (allow mach-task-name)
    (allow mach-register)
    (allow file-read-data
      (regex "^/Library/Printers/[^/]+/PDEs/[^/]+.plugin")
      (subpath "/Library/PDF Services")
      (subpath "/Applications/Preview.app")
      (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist"))
    (allow mach-lookup
      (global-name "com.apple.pbs.fetch_services")
      (global-name "com.apple.tsm.uiserver")
      (global-name "com.apple.ls.boxd"))
    ;; AppleEvents may be sent only to Preview and the Image Capture extension.
    (allow appleevent-send
      (appleevent-destination "com.apple.preview")
      (appleevent-destination "com.apple.imagecaptureextension2"))))