(version 1)

; Default policy: any operation NOT matched by a rule below is ALLOWED, and
; each such operation is reported. Until this is switched to (deny default),
; the explicit allow rules in this profile grant nothing the build would not
; already have -- they only keep the listed operations out of the report
; output. The only rule that actually restricts the build is the deny below.
; TODO: (deny default)
(allow default (with report))

; Import apple-defined rules for bsd daemons
(import "bsd.sb")

; Allow reading of any file
; (unfiltered: no path restriction of any kind)
(allow file-read*)

; Allow writing to $OUT_DIR and $DIST_DIR
; OUT_DIR, DIST_DIR and HOME are profile parameters supplied by whoever
; launches the sandbox (e.g. sandbox-exec -D NAME=VALUE); nothing here
; checks that they are set or that they point where expected.
(allow file-write*
  (subpath (param "OUT_DIR"))
  (subpath (param "DIST_DIR")))

; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
; (with no-log) suppresses the denial message so the build log stays clean.
; Note this is the single rule in the profile that blocks anything.
(deny file-write* (with no-log)
  (subpath (string-append (param "HOME") "/.oracle_jre_usage")))

; Allow writes to user-specific temp folders (Java stores hsperfdata there)
(allow file-write*
  (subpath "/private/var/folders"))

; Allow writing to the terminal
(allow file-write-data
  (subpath "/dev/tty"))

; Java
; Mach services the build tools look up; each entry is annotated with the
; tool that was observed needing it.
(allow mach-lookup
  (global-name "com.apple.SystemConfiguration.configd") ; Java
  (global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong
  (global-name "com.apple.FSEvents") ; xcodebuild in Soong
  (global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong
  (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
)

; Allow executing any file
; Unfiltered: any binary may be exec'd. Redundant while the default is
; allow, but it will need revisiting if (deny default) is ever enabled.
(allow process-exec*)
(allow process-fork)