Sandbox/OS X Rule Set: Difference between revisions

(Adding notes, glossary)
Line 24:
= Notes =


One of the confusing things about the Mac file-system related rules is the redundancy. The rules start out with a (default deny) which means that unless something it is allowed, it is denied. Then we have several filesystem rules to allow read access to specific locations on the system. However, later we have a general rule that allows access to '''anything that is not in ~/Library''' (i.e., access to ~/Library is blocked) making many of the specific rules redundant. Lastly we have rules allowing access to specific directories in ~/Library. Bug 1083344 "Tighten rules for Mac OS content process sandbox on 10.9 and 10.10" documents how this came to be -- not allowing access to ~ broke too many things.
# One of the confusing things about the Mac file-system related rules is the redundancy. The rules start out with a (default deny) which means that unless something is explicitly allowed, it is denied. Then we have several filesystem rules to allow read access to specific locations on the system. But later we have a general rule that allows access to '''anything that is not in ~/Library''' (i.e., access to ~/Library is blocked) making many of the specific rules redundant. Lastly we have rules allowing access to specific directories in ~/Library. Bug 1083344 "Tighten rules for Mac OS content process sandbox on 10.9 and 10.10" documents how this came to be -- not allowing access to ~ broke too many things.
# An allow rule doesn't bypass OS filesystem permissions that would otherwise block a user's access.

= Annotated Rules =
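Review bot: In the rewritten first note, the parenthetical "(i.e., access to ~/Library is blocked)" overstates what the general allow rule does: under the deny-default policy described at the start of the note, ~/Library is not blocked by that rule, it simply stays denied, and the note's own last sentence says later rules re-open specific ~/Library subdirectories. Suggest "(i.e., ~/Library stays denied except where later rules allow specific subdirectories)" so the three layers (deny default, broad allow outside ~/Library, narrow allows inside it) read consistently. The new second note is a useful addition; it would read more clearly as "An allow rule only lifts the sandbox restriction; it does not bypass OS filesystem permissions that would otherwise block the user's access", making explicit that the sandbox is an extra layer on top of normal permissions, not a replacement for them.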