File: renderer.sb

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (100 lines) | stat: -rw-r--r-- 3,143 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
; Copyright 2017 The Chromium Authors
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.

; --- The contents of common.sb implicitly included here. ---

; Put the denials first.
; crbug.com/799149: These operations are allowed by default.
(if (param-true? disable-sandbox-denial-logging)
  (deny iokit-get-properties process-info* nvram* (with no-log))
  (deny iokit-get-properties process-info* nvram*)
)

; Allow cf prefs to work.
(allow user-preference-read)

; process-info
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))

; File reads.
; Reads from the home directory.
(allow file-read-data
  (path (user-homedir-path "/.CFUserTextEncoding"))
  (path (user-homedir-path "/Library/Preferences/com.apple.universalaccess.plist"))
)

; Reads of /dev devices.
(allow file-read-data
  (path "/dev/autofs_nowait")
  (path "/dev/fd")
)

(allow-cvms-blobs)

(allow file-write-data
  (require-all
    (path "/dev/null")
    (vnode-type CHARACTER-DEVICE)))

; Needed for Fonts.
(allow-font-access)

; Reads from /System.
(allow file-read-data
  (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist")
  (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
  (path "/System/Library/Preferences/Logging/Subsystems/com.apple.SkyLight.plist")
  (subpath "/System/Library/ColorSync/Profiles")
  (subpath "/System/Library/CoreServices/SystemAppearance.bundle")
  (subpath "/System/Library/CoreServices/SystemVersion.bundle")
  (subpath "/System/Library/Extensions")  ; https://crbug.com/847518
  (subpath "/System/Library/LinguisticData")
)

; Reads from /Library.
(allow file-read-data
  (subpath "/Library/GPUBundles")  ; https://crbug.com/850021
)

; IOKit
(allow iokit-open
  (iokit-registry-entry-class "IOSurfaceRootUserClient")
  (iokit-registry-entry-class "RootDomainUserClient")
  (iokit-user-client-class "IOSurfaceSendRight")
)

; POSIX IPC
(allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.cfprefs.317580v1")
  (ipc-posix-name "apple.cfprefs.daemonv1")
  (ipc-posix-name "apple.shm.notification_center")  ; https://crbug.com/792217
)

; mach IPC
(allow mach-lookup
  (global-name "com.apple.cvmsServ")  ; https://crbug.com/850021
  (global-name "com.apple.distributed_notifications@Uv3")  ; https://crbug.com/792257
  (global-name "com.apple.lsd.mapdb")
  (global-name "com.apple.system.notification_center")  ; https://crbug.com/792217
)

; IOKit properties.
(allow iokit-get-properties
  (iokit-property "CaseSensitive")
  (iokit-property "CoreStorage Encrypted")
  (iokit-property "Ejectable")
  (iokit-property "Encrypted")
  (iokit-property "IOClassNameOverride")
  (iokit-property "IOMediaIcon")
  (iokit-property "Product Identification")
  (iokit-property "Protocol Characteristics")
  (iokit-property "Removable")
  (iokit-property "image-encrypted")
)

; For V8 to use in thread calculations.
(allow sysctl-read (sysctl-name "kern.tcsm_enable"))
(allow sysctl-write (sysctl-name "kern.tcsm_enable"))
(allow sysctl-read (sysctl-name "kern.tcsm_available"))