1(version 1) 2 3; TODO: (deny default) 4(allow default (with report)) 5 6; Import apple-defined rules for bsd daemons 7(import "bsd.sb") 8 9; Allow reading of any file 10(allow file-read*) 11 12; Allow writing to $OUT_DIR and $DIST_DIR 13(allow file-write* 14 (subpath (param "OUT_DIR")) 15 (subpath (param "DIST_DIR"))) 16 17; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore 18(deny file-write* (with no-log) 19 (subpath (string-append (param "HOME") "/.oracle_jre_usage"))) 20 21; Allow writes to user-specific temp folders (Java stores hsperfdata there) 22(allow file-write* 23 (subpath "/private/var/folders")) 24 25; Allow writing to the terminal 26(allow file-write-data 27 (subpath "/dev/tty")) 28 29; Java 30(allow mach-lookup 31 (global-name "com.apple.SystemConfiguration.configd") ; Java 32 (global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong 33 (global-name "com.apple.FSEvents") ; xcodebuild in Soong 34 (global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong 35 (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong 36) 37 38; Allow suid /bin/ps to function 39(allow process-exec (literal "/bin/ps") (with no-sandbox)) 40 41; Allow path_interposer unix domain socket without logging 42(allow network-outbound (literal (string-append (param "OUT_DIR") "/.path_interposer_log"))) 43 44; Allow executing any file 45(allow process-exec*) 46(allow process-fork) 47