; Sandbox profile for a build that runs Java and xcodebuild (Soong).
; The caller must supply the OUT_DIR, DIST_DIR and HOME parameters that the
; (param ...) forms below read.
; NOTE(review): the path filters here use /private/var/..., so the parameter
; values presumably need to be canonical (symlink-resolved) paths to match;
; confirm against the caller.
(version 1)

; TODO: (deny default)
; NOTE(review): the default action is currently allow, so any operation that no
; rule below matches is still permitted; (with report) presumably only logs it.
; Until the TODO is done, the allow rules in this file describe the intended
; policy but do not confine the build. The only deny visible in this file is
; the one for ~/.oracle_jre_usage.
(allow default (with report))

; Import apple-defined rules for bsd daemons
(import "bsd.sb")

; Allow reading of any file
; No path filter: reads are unrestricted anywhere on the filesystem.
(allow file-read*)

; Allow writing to $OUT_DIR and $DIST_DIR
; These two subtrees are the intended write targets of the build.
(allow file-write*
  (subpath (param "OUT_DIR"))
  (subpath (param "DIST_DIR")))

; Java attempts to write usage data to ~/.oracle_jre_usage, just ignore
; (with no-log) keeps this expected denial out of the sandbox log.
(deny file-write* (with no-log)
  (subpath (string-append (param "HOME") "/.oracle_jre_usage")))

; Allow writes to user-specific temp folders (Java stores hsperfdata there)
; NOTE(review): the subpath is the whole /private/var/folders tree, not only the
; current user's directory; narrow it before switching to (deny default) if
; the per-user path can be passed in as a parameter.
(allow file-write*
  (subpath "/private/var/folders"))

; Allow writing to the terminal
; file-write-data only, not file-write*, so this grants the data-write operation alone.
(allow file-write-data
  (subpath "/dev/tty"))

; Mach services the build may look up; each entry names the tool that needs it.
(allow mach-lookup
  (global-name "com.apple.SystemConfiguration.configd") ; Java
  (global-name "com.apple.CoreServices.coreservicesd") ; xcodebuild in Soong
  (global-name "com.apple.FSEvents") ; xcodebuild in Soong
  (global-name "com.apple.lsd.mapdb") ; xcodebuild in Soong
  ; Regex is anchored at the start only, so any service name with this prefix matches.
  (global-name-regex #"^com\.apple\.distributed_notifications") ; xcodebuild in Soong
)

; Allow executing any file
; No path filter on exec: any binary the build can read may be run, and
; process-fork lets it spawn children.
(allow process-exec*)
(allow process-fork)