Haftandilian (talk | contribs) (Tweaks)
Haftandilian (talk | contribs) (Update level1 and level2 specific rules to match recent code changes.)
| Line 510: | Line 510: | ||
/private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br> | /private/var/folders/[^/][^/][^/]+/[^/]org.chromium.[a-Z0-9]*<br> | ||
Not found on my 10.11 system. | Not found on my 10.11 system. | ||
|- id=aar_lib_ext | |- id=aar_lib_ext | ||
| | | | ||
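Review bot: the regex in the org.chromium path on the first row of this hunk uses the character class `[a-Z0-9]`; `a-Z` is a reversed range (ASCII `a` sorts after `Z`) that most regex engines reject as out of order, so the rule either fails to compile or does not match what was intended. If the intent is alphanumeric characters, write `[a-zA-Z0-9]` explicitly. The "Not found on my 10.11 system." remark in the description cell would also be more useful if it said on which macOS versions the path was observed, so readers can tell whether the rule is still needed.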
| Line 521: | Line 523: | ||
|| | || | ||
See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used. | See the docs on extensions.autoDisableScopes for more information on these paths. The first path allow access to an Extensions directory that applies to all of a user's profiles. The second is for a system-wide Extensions directory that applies to all users. The setting of extensions.autoDisableScopes controls whether or not these locations are used. | ||
|- id= | |||
|- id=level1_fs_rules | |||
| | | | ||
[[# | [[#level1_fs_rules|link]] | ||
<pre style="border:none;"> | <pre style="border:none;"> | ||
"; | "; The following rules impose file access restrictions which get\n" | ||
" | "; more restrictive in higher levels. When file-origin-specific\n" | ||
" | "; content processes are used for file:// origin browsing, the\n" | ||
" ( | "; global file-read* permission should be removed from each level.\n" | ||
"\n" | |||
"; level 1: global read access permitted, no home write access\n" | |||
" (if (= sandbox-level 1)\n" | |||
" (begin\n" | |||
" (allow file-read*)\n" | |||
" (allow file-write* (require-not (subpath home-path)))))\n" | |||
</pre> | </pre> | ||
|| | || Level 1-specifc filesystem rules: allow reading to anywhere the OS permits. Do not allow writing anywhere in the home directory. | ||
|- id=level2_fs_rules | |||
|- id= | |||
| | | | ||
[[# | [[#level2_fs_rules|link]] | ||
<pre style="border:none;"> | <pre style="border:none;"> | ||
"; | "; level 2: global read access permitted, no home write access,\n" | ||
"; | "; no read/write access to ~/Library,\n" | ||
" (if ( | "; no read/write access to $PROFILE,\n" | ||
"; read access permitted to $PROFILE/{extensions,weave}\n" | |||
" (if (= sandbox-level 2)\n" | |||
" (if (not (zero? hasProfileDir))\n" | " (if (not (zero? hasProfileDir))\n" | ||
" ( | " ; we have a profile dir\n" | ||
" | " (begin\n" | ||
" (allow file-read* (require-all\n" | |||
" (require-not (home-subpath \"/Library\"))\n" | " (require-not (home-subpath \"/Library\"))\n" | ||
" (require-not (subpath profileDir))))\n" | " (require-not (subpath profileDir))))\n" | ||
" | " (allow file-write* (require-all\n" | ||
" | " (require-not (subpath home-path))\n" | ||
" | " (require-not (subpath profileDir))))\n" | ||
" | " (allow file-read*\n" | ||
" | " (profile-subpath \"/extensions\")\n" | ||
" | " (profile-subpath \"/weave\")))\n" | ||
" | " ; we don't have a profile dir\n" | ||
" (begin\n" | |||
" (allow file-read*\n" | |||
" (require-not (home-subpath \"/Library\")))\n" | |||
" (allow file-write* (require-all\n" | |||
" (require-not (subpath home-path)))))))\n" | |||
</pre> | </pre> | ||
|| | || Level 2-specifc filesystem rules: do not allow writing anywhere in the home directory. Allow reading to anywhere the OS permits except ~/Library or the PROFILE dir. Allow reading from PROFILE/extensions and PROFILE/weave. | ||
|- id=aar_printpreview | |- id=aar_printpreview | ||
| | | | ||
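Review bot: the level-2 description cell (right column, after the second `</pre>`) understates what the write rule does: in the `hasProfileDir` branch the `file-write*` rule carries `(require-not (subpath profileDir))` in addition to `(require-not (subpath home-path))`, so writes to the profile directory are denied even when the profile lives outside the home directory, and the cell should say so rather than only "do not allow writing anywhere in the home directory". Two smaller points: in the no-profile-dir branch `(allow file-write* (require-all (require-not (subpath home-path))))` wraps a single clause in `require-all` and could be written as `(allow file-write* (require-not (subpath home-path)))`, matching the level 1 form; and "specifc" in both new description cells should read "specific".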