202
edits
Sandbox/OS X Rule Set: Difference between revisions
Jump to navigation
Jump to search
Undo revision 1149210 by Haftandilian (talk)
Haftandilian (talk | contribs) (Undo revision 1149211 by Haftandilian (talk)) |
Haftandilian (talk | contribs) (Undo revision 1149210 by Haftandilian (talk)) |
||
| Line 536: | Line 536: | ||
|| | || | ||
These allow access to the extensions and weave subdirectories within the current profile. Read and write access to the profile director is blocked (in other rules). Bug 1295700 was filed to address removing access to sensitive weave sync data. | These allow access to the extensions and weave subdirectories within the current profile. Read and write access to the profile director is blocked (in other rules). Bug 1295700 was filed to address removing access to sensitive weave sync data. | ||
|- id=aar_home_lib | |||
| | |||
[[#aar_home_lib|link]] | |||
<pre style="border:none;"> | |||
"; the following rules should be removed when printing and\n" | |||
"; opening a file from disk are brokered through the main process\n" | |||
" (if (< sandbox-level 2)\n" | |||
" (if (not (zero? hasProfileDir))\n" | |||
" (allow file*\n" | |||
" (require-all\n" | |||
" (require-not (home-subpath \"/Library\"))\n" | |||
" (require-not (subpath profileDir))))\n" | |||
" (allow file*\n" | |||
" (require-not (home-subpath \"/Library\"))))\n" | |||
" (allow file*\n" | |||
" (require-all\n" | |||
" (subpath home-path)\n" | |||
" (require-not\n" | |||
" (home-subpath \"/Library\")))))\n" | |||
</pre> | |||
|| File read and write access for $HOME excluding ~/Library and the current profile directory. We need write access for printing. We need read access to allow user to read files from $HOME. i.e., file:// resources. | |||
|- id=aar_printing1 | |- id=aar_printing1 | ||
| | | | ||