| author | Olcan <[email protected]> | 2025-06-10 08:58:37 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2025-06-10 08:58:37 -0700 |
| commit | e38d2078cc70b0453ef70523a8ad38279941aca2 (patch) | |
| tree | b5a4024d1c006a2d116631ac7a51bb5b0eaf34a6 /packages/cli/src/utils/sandbox-macos-strict.sb | |
| parent | 895c1f132f9d1cc88bd56584e461fd22a5f23394 (diff) | |
restricted networking for all sandboxing methods, new seatbelt profiles, updated docs, fixes to sandbox build, debugging through sandbox (#891)
Diffstat (limited to 'packages/cli/src/utils/sandbox-macos-strict.sb')
| -rw-r--r-- | packages/cli/src/utils/sandbox-macos-strict.sb | 90 |
1 files changed, 0 insertions, 90 deletions
diff --git a/packages/cli/src/utils/sandbox-macos-strict.sb b/packages/cli/src/utils/sandbox-macos-strict.sb
deleted file mode 100644
index 010fee00..00000000
--- a/packages/cli/src/utils/sandbox-macos-strict.sb
+++ /dev/null
@@ -1,90 +0,0 @@
-(version 1)
-
-;; deny everything by default
-(deny default)
-
-;; allow reading files from anywhere on host
-(allow file-read*)
-
-;; allow exec/fork (children inherit policy)
-(allow process-exec)
-(allow process-fork)
-
-;; allow signals to self, e.g. SIGPIPE on write to closed pipe
-(allow signal (target self))
-
-;; allow read access to specific information about system
-;; from https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/common.sb;l=273-319;drc=7b3962fe2e5fc9e2ee58000dc8fbf3429d84d3bd
-(allow sysctl-read
- (sysctl-name "hw.activecpu")
- (sysctl-name "hw.busfrequency_compat")
- (sysctl-name "hw.byteorder")
- (sysctl-name "hw.cacheconfig")
- (sysctl-name "hw.cachelinesize_compat")
- (sysctl-name "hw.cpufamily")
- (sysctl-name "hw.cpufrequency_compat")
- (sysctl-name "hw.cputype")
- (sysctl-name "hw.l1dcachesize_compat")
- (sysctl-name "hw.l1icachesize_compat")
- (sysctl-name "hw.l2cachesize_compat")
- (sysctl-name "hw.l3cachesize_compat")
- (sysctl-name "hw.logicalcpu_max")
- (sysctl-name "hw.machine")
- (sysctl-name "hw.ncpu")
- (sysctl-name "hw.nperflevels")
- (sysctl-name "hw.optional.arm.FEAT_BF16")
- (sysctl-name "hw.optional.arm.FEAT_DotProd")
- (sysctl-name "hw.optional.arm.FEAT_FCMA")
- (sysctl-name "hw.optional.arm.FEAT_FHM")
- (sysctl-name "hw.optional.arm.FEAT_FP16")
- (sysctl-name "hw.optional.arm.FEAT_I8MM")
- (sysctl-name "hw.optional.arm.FEAT_JSCVT")
- (sysctl-name "hw.optional.arm.FEAT_LSE")
- (sysctl-name "hw.optional.arm.FEAT_RDM")
- (sysctl-name "hw.optional.arm.FEAT_SHA512")
- (sysctl-name "hw.optional.armv8_2_sha512")
- (sysctl-name "hw.packages")
- (sysctl-name "hw.pagesize_compat")
- (sysctl-name "hw.physicalcpu_max")
- (sysctl-name "hw.tbfrequency_compat")
- (sysctl-name "hw.vectorunit")
- (sysctl-name "kern.hostname")
- (sysctl-name "kern.maxfilesperproc")
- (sysctl-name "kern.osproductversion")
- (sysctl-name "kern.osrelease")
- (sysctl-name "kern.ostype")
- (sysctl-name "kern.osvariant_status")
- (sysctl-name "kern.osversion")
- (sysctl-name "kern.secure_kernel")
- (sysctl-name "kern.usrstack64")
- (sysctl-name "kern.version")
- (sysctl-name "sysctl.proc_cputype")
- (sysctl-name-prefix "hw.perflevel")
-)
-
-;; allow writes to specific paths
-(allow file-write*
- (subpath (param "TARGET_DIR"))
- (subpath (param "TMP_DIR"))
- (subpath (param "CACHE_DIR"))
- (subpath (string-append (param "HOME_DIR") "/.gemini"))
- (subpath (string-append (param "HOME_DIR") "/.npm"))
- (subpath (string-append (param "HOME_DIR") "/.cache"))
- (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
- (literal "/dev/stdout")
- (literal "/dev/stderr")
- (literal "/dev/null")
-)
-
-;; allow outbound network connections
-(allow network-outbound)
-
-;; allow inbound network connections to debugging port
-(allow network-inbound (local ip (string-append "*:" "9229")))
-
-;; allow communication with sysmond for process listing (e.g. for pgrep)
-(allow mach-lookup (global-name "com.apple.sysmond"))
-
-;; enable terminal access required by ink
-;; fixes setRawMode EPERM failure (at node:tty:81:24)
-(allow file-ioctl (regex #"^/dev/tty.*"))
|
