1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
#include "swift/Basic/Sandbox.h"
#include "swift/Basic/LLVM.h"
#include "swift/Basic/StringExtras.h"
#include "llvm/ADT/SmallString.h"
#if defined(__APPLE__)
#include <TargetConditionals.h>
#endif
using namespace swift;
using namespace Sandbox;
#if defined(__APPLE__) && TARGET_OS_OSX
static StringRef sandboxProfile(llvm::BumpPtrAllocator &Alloc) {
llvm::SmallString<256> contents;
contents += "(version 1)\n";
// Deny everything by default.
contents += "(deny default)\n";
// Import the system sandbox profile.
contents += "(import \"system.sb\")\n";
// Allow reading file metadata of any files.
contents += "(allow file-read-metadata)\n";
// Allow reading dylibs.
contents += "(allow file-read* (regex #\"\\.dylib$\"))\n";
// This is required to launch any processes (execve(2)).
contents += "(allow process-exec*)\n";
return NullTerminatedStringRef(StringRef(contents), Alloc);
}
#endif
bool swift::Sandbox::apply(llvm::SmallVectorImpl<llvm::StringRef> &command,
llvm::BumpPtrAllocator &Alloc) {
#if defined(__APPLE__) && TARGET_OS_OSX
auto profile = sandboxProfile(Alloc);
command.insert(command.begin(), {"/usr/bin/sandbox-exec", "-p", profile});
#endif
return false;
}
|
