File: network.sb

package info (click to toggle)
chromium 139.0.7258.127-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 6,122,156 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (125 lines) | stat: -rw-r--r-- 3,969 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
 
; Copyright 2018 The Chromium Authors
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.

; --- The contents of common.sb implicitly included here. ---

; Injected parameters.
(define network-service-storage-paths-count "NETWORK_SERVICE_STORAGE_PATHS_COUNT")
(define network-service-storage-path-n "NETWORK_SERVICE_STORAGE_PATH_")
(define network-service-test-certs-dir "NETWORK_SERVICE_TEST_CERTS_DIR")

; Allow access to the [0,N) storage location paths.
(let ((count (string->number (param network-service-storage-paths-count))))
  (let loop ((i 0))
    (if (< i count)
      (begin
        (allow file* (subpath
          (param (string-append network-service-storage-path-n (number->string i)))))
        (loop (+ i 1))))))

; DNS configuration watcher entries. This is a nesty mess of symlinks.
(allow file-read*
  (path "/")
  (path "/etc")
  (path "/etc/hosts")
  (path "/etc/resolv.conf")
  (path "/private")
  (path "/private/etc")
  (path "/private/etc/hosts")
  (path "/private/etc/resolv.conf")
  (path "/private/var")
  (path "/private/var/run")
  (path "/private/var/run/resolv.conf")
  (path "/var")
  (path "/var/run")
)

; Certificate databases.
(allow file-read*
  (path "/Library/Preferences/com.apple.security.plist")
  (path (user-homedir-path "/Library/Preferences/com.apple.security.plist"))
  ; https://crbug.com/1024000
  (path (user-homedir-path "/Library/Preferences/com.apple.security.revocation.plist"))
  (subpath "/Library/Keychains")
  (subpath "/System/Library/Keychains")
  (subpath "/System/Library/Security")
  (subpath "/private/var/db/mds")
  (subpath (user-homedir-path "/Library/Keychains"))
)
(allow file-read* file-write*
  (subpath (param darwin-user-cache-dir))
  (subpath (param darwin-user-temp-dir))
)
(if (param-defined? network-service-test-certs-dir)
  (allow file-read* (subpath (param network-service-test-certs-dir))))

; Network socket access.
(allow network-outbound
  (control-name "com.apple.netsrc")
  (literal "/private/var/run/mDNSResponder")
  (remote tcp)
  (remote udp)
)
(allow network-bind network-inbound
  (local tcp)
  (local udp)
)

; DNS resolution.
(allow system-socket
  (require-all (socket-domain AF_SYSTEM)
               (socket-protocol 2)) ; SYSPROTO_CONTROL
  (socket-domain AF_ROUTE)
)

; Distributed notifications memory.
(allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center")
)

; Notification data from the security server database.
(allow ipc-posix-shm
  (ipc-posix-name "com.apple.AppleDatabaseChanged")
)

(allow mach-lookup
  ; Set backup exclusion on cache files.
  (global-name "com.apple.backupd.sandbox.xpc")

  ; Used to look up the _CS_DARWIN_USER_CACHE_DIR in the sandbox.
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.opendirectoryd.membership")

  ; Allow notifications of DNS changes.
  (global-name "com.apple.system.notification_center")

  ; Communicate with the security server for TLS certificate information.
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.networkd") ; https://crbug.com/1024000
  (global-name "com.apple.ocspd")
  (global-name "com.apple.trustd.agent")

  ; Read network configuration.
  (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  (global-name "com.apple.SystemConfiguration.configd")

  ; If the system has a relay configured, system frameworks may call out
  ; to nehelper to access its configuration (https://crbug.com/383306185)
  (global-name "com.apple.nehelper")
)

(allow sysctl-read
  (sysctl-name-regex #"^net.routetable")
)

; Kerberos support. This should be removed after GSS is moved out of the
; network service. https://crbug.com/1017830
(allow mach-lookup
  (global-name "com.apple.GSSCred") ; https://crbug.com/1134449
  (global-name "org.h5l.kcm")
)
(allow file-read*
  (path "/private/etc/krb5.conf")
  (subpath "/System/Library/KerberosPlugins") ; https://crbug.com/1134449
)