1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
; Copyright 2017 The Chromium Authors
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.
; --- The contents of common.sb implicitly included here. ---
; Allow cf prefs to work.
(allow user-preference-read)
(allow-cvms-blobs)
(allow ipc-posix-shm)
; Allow communication between the GPU process and the UI server.
(allow mach-lookup
; Needed for AudioToolbox AAC encoding (https://crbug.com/1321287) and
; xHE-AAC decoding (https://crbug.com/1289825).
(global-name "com.apple.audio.AudioComponentRegistrar")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.CARenderServer")
(global-name "com.apple.cfprefsd.agent")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.coreservices.launchservicesd")
(global-name "com.apple.cvmsServ")
(global-name "com.apple.gpumemd.source")
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.lsd.modifydb")
(global-name "com.apple.powerlog.plxpclogger.xpc")
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.SecurityServer")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5
(global-name "com.apple.tsm.uiserver")
(global-name "com.apple.windowserver.active")
; Needed for VideoToolbox usage - https://crbug.com/767037
(xpc-service-name "com.apple.coremedia.videodecoder")
(xpc-service-name "com.apple.coremedia.videoencoder")
(xpc-service-name-regex #"\.apple-extension-service$")
)
; Needed for metal decoding - https://crbug.com/957217
(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
; Allow access to the Apple Neural Engine for the Shape Detection API.
; https://crbug.com/1382442
(if (>= os-version 1300)
(begin
(allow mach-lookup (global-name "com.apple.appleneuralengine"))
(allow iokit-open
(iokit-user-client-class "H11ANEInDirectPathClient"))
)
)
; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936
(if (>= os-version 1016)
(begin
(allow mach-lookup (global-name "com.apple.trustd.agent"))
(allow file-read* (path "/Library/Preferences/com.apple.security.plist"))
)
)
; Needed for WebGL - https://crbug.com/75343
(allow iokit-open
(iokit-connection "IOAccelerator")
(iokit-user-client-class "AGPMClient")
(iokit-user-client-class "AppleGraphicsControlClient")
(iokit-user-client-class "AppleGraphicsPolicyClient")
(iokit-user-client-class "AppleIntelMEUserClient")
(iokit-user-client-class "AppleMGPUPowerControlClient")
(iokit-user-client-class "AppleSNBFBUserClient")
(iokit-user-client-class "IOAccelerationUserClient")
(iokit-user-client-class "IOFramebufferSharedUserClient")
(iokit-user-client-class "IOHIDParamUserClient")
(iokit-user-client-class "IOSurfaceRootUserClient")
(iokit-user-client-class "IOSurfaceSendRight")
(iokit-user-client-class "RootDomainUserClient")
)
(allow iokit-set-properties
(require-all (iokit-connection "IODisplay")
(require-any (iokit-property "brightness")
(iokit-property "linear-brightness")
(iokit-property "commit")
(iokit-property "rgcs")
(iokit-property "ggcs")
(iokit-property "bgcs")
)))
(allow ipc-posix-shm-read-data
(ipc-posix-name "apple.shm.notification_center"))
(allow sysctl-read
(sysctl-name "hw.busfrequency_max")
(sysctl-name "hw.cachelinesize")
(sysctl-name "hw.logicalcpu_max")
(sysctl-name "hw.memsize")
(sysctl-name "hw.model")
(sysctl-name "kern.osvariant_status")
)
(allow file-read-data
(path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
(path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
(regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist"))
(regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
)
(allow file-read*
(path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14.
(path (user-homedir-path "/Library/Preferences/ByHost"))
(subpath "/Library/GPUBundles")
(subpath "/Library/Video/Plug-Ins")
(subpath "/System/Library/ColorSync/Profiles")
(subpath "/System/Library/Components/AudioCodecs.component")
(subpath "/System/Library/CoreServices/RawCamera.bundle")
(subpath "/System/Library/Extensions") ; https://crbug.com/515280
(subpath "/System/Library/Video/Plug-Ins")
)
; crbug.com/980134
(allow file-read* file-write*
(subpath (param darwin-user-cache-dir))
(subpath (param darwin-user-dir))
(subpath (param darwin-user-temp-dir))
)
; Metal issues a sandbox extension to permit MTLCompilerService to read source
; files from disk. It's much broader than we'd like (https://crbug.com/41485470).
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read")
(subpath "/")))
(if (not (maybe-disable-metal-shader-cache))
(maybe-allow-metal-shader-cache-access))
; Needed for WebNN Core ML backend - https://crbug.com/344935458
(if (and (>= os-version 1400) (param-defined? helper-bundle-id))
(let ((helper-bundle-cache-dir
(user-homedir-path (string-append "/Library/Caches/"
(param helper-bundle-id) "/com.apple.e5rt.e5bundlecache"))))
(allow file-read* file-write*
(subpath helper-bundle-cache-dir)
)))
|
