Sandbox/OS X Rule Set: Difference between revisions

Adding links to rows
(Adding links to rows)
Line 48: Line 48:
<pre style="border:none;">static const char contentSandboxRules[] =</pre>
<pre style="border:none;">static const char contentSandboxRules[] =</pre>
|- id=aar_version
|- id=aar_version
| [[#a_version|link]]
| [[#aar_version|link]]
<pre style="border:none;">
<pre style="border:none;">
(version 1)</pre>
(version 1)</pre>
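Review bot: the link target fix is correct: `[[#a_version|link]]` pointed at an anchor that no row defines, while this row carries `id=aar_version`, so the corrected `[[#aar_version|link]]` now resolves. Since the visible link text is the same `link` on every row, a stale target is easy to miss; worth checking the remaining rows for the same id/target mismatch.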
Line 77: Line 77:
||
||
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
These setup some macros to be used later in the policy. See the next row for examples of what they evaulate to on a Nightly build.
|-
|- id=aar_example
| colspan="2" |
| colspan="2" |
[[#aar_example|link]]
Example output of the above macros after running a Nightly build. Paths abbreviated with "...".
Example output of the above macros after running a Nightly build. Paths abbreviated with "...".


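Review bot: the new `[[#aar_example|link]]` sits inside the `colspan="2"` cell, so it renders above the explanatory text instead of in a separate first cell as on the other rows; that is acceptable for a row spanning both columns. The unchanged context lines still read "These setup some macros" (should be "These set up") and "evaulate" (should be "evaluate"), which could be fixed in the same pass.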
Line 91: Line 92:
</pre>
</pre>
|-
|-
|
| id=aar_syspaths1
[[#aar_syspaths|link]]
<pre style="border:none;">
<pre style="border:none;">
; Allow read access to standard system paths.
; Allow read access to standard system paths.
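Review bot: this hunk is inconsistent with the others in two ways. The id is attached to the cell (`| id=aar_syspaths1`) rather than to the row marker (`|- id=...`) as elsewhere, and the link target `[[#aar_syspaths|link]]` does not match the id `aar_syspaths1`, so the link will not resolve to this row. Suggest `|- id=aar_syspaths1` on the row line and `[[#aar_syspaths1|link]]` in the cell.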
Line 104: Line 106:
||
||
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.
Allow these directories and any contained directories and files to be read if the file's permission permits any user to read them.
|-
|- id=aar_syspaths2
|
|
[[#aar_syspaths2|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read-metadata
(allow file-read-metadata
Line 115: Line 118:
||
||
Allow reading of metadata of these directories.
Allow reading of metadata of these directories.
|-
|- id=aar_syspaths3
|
|
[[#aar_syspaths3|link]]
<pre  style="border:none;">
<pre  style="border:none;">
; Allow access to standard special files.
; Allow access to standard special files.
Line 126: Line 130:
||
||
/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)
/dev/random, /dev/urandom Used for randomization code. autofs_nowait TBD, probably allows non-blocking I/O to autofs paths (used for network mounts and other pseudo mount points.)
|-
|- id=aar_syspaths4
|
|
[[#aar_syspaths4|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read*
(allow file-read*
Line 136: Line 141:
||
||
Wondering if we need write access to these.
Wondering if we need write access to these.
|-
|- id=aar_dtrace
|
|
[[#aar_dtrace|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow file-read*
(allow file-read*
Line 146: Line 152:
||
||
Can be removed. Relates to using dtrace (debugging tool).
Can be removed. Relates to using dtrace (debugging tool).
|-
|- id=aar_apple1
|
|
[[#aar_apple1|link]]
<pre  style="border:none;">
<pre  style="border:none;">
(allow mach-lookup
(allow mach-lookup
Line 170: Line 177:
||
||
Miscellaneous undocumented services.
Miscellaneous undocumented services.
|-
|- id=aar_sysctl1
|
|
[[#aar_sysctl1|link]]
<pre  style="border:none;">
<pre  style="border:none;">
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others
Line 178: Line 186:
||
||
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
A subset of the rules originally from /System/Library/Sandbox/Profiles/system.sb which ships with OS X.
|-
|- id=aar_defaultdeny
|<pre  style="border:none;">
|
[[#aar_defaultdeny|link]]
<pre  style="border:none;">
   "  (begin\n"
   "  (begin\n"
   "    (deny default)\n"
   "    (deny default)\n"
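Review bot: splitting `|<pre  style="border:none;">` into a bare `|`, the `[[#aar_defaultdeny|link]]` line and then the `<pre>` opening brings this row in line with the others and keeps the link outside the preformatted block. This row holds the `(deny default)` rule that every later `allow` is carved out of, so it is the anchor readers are most likely to want; the id and link target match here.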