;; macOS Seatbelt (SBPL) sandbox profile: deny everything, then re-allow a
;; small, explicit set of operations. The directory roots used below are not
;; hard-coded; they arrive as the parameters TARGET_DIR, TMP_DIR, CACHE_DIR
;; and HOME_DIR (presumably supplied by the launcher, e.g. via
;; `sandbox-exec -D NAME=value` -- confirm against the launch code).
(version 1)

;; deny everything by default
;; Any operation not matched by one of the allow rules further down is refused.
(deny default)

;; allow reading files from anywhere on host
;; NOTE(review): there is no path filter, so the entire filesystem including
;; the user's home directory is readable, and network-outbound at the end of
;; this file is equally unrestricted. As written the profile bounds what the
;; process may *modify* on the host, not what it may read or send out; narrow
;; one of the two rules if confidentiality of host data is a goal.
(allow file-read*)

;; allow exec/fork (children inherit policy)
;; No executable-path filter: any binary the process can read may be run, and
;; the child keeps running under this same profile.
(allow process-exec)
(allow process-fork)

;; allow signals to self, e.g. SIGPIPE on write to closed pipe
;; Signals to any other process stay denied by the default rule.
(allow signal (target self))

;; allow read access to specific information about system
;; from https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/common.sb;l=273-319;drc=7b3962fe2e5fc9e2ee58000dc8fbf3429d84d3bd
;; Read-only and enumerated by exact name; the single prefix rule at the end
;; covers the per-level hw.perflevel* keys.
(allow sysctl-read
(sysctl-name "hw.activecpu")
(sysctl-name "hw.busfrequency_compat")
(sysctl-name "hw.byteorder")
(sysctl-name "hw.cacheconfig")
(sysctl-name "hw.cachelinesize_compat")
(sysctl-name "hw.cpufamily")
(sysctl-name "hw.cpufrequency_compat")
(sysctl-name "hw.cputype")
(sysctl-name "hw.l1dcachesize_compat")
(sysctl-name "hw.l1icachesize_compat")
(sysctl-name "hw.l2cachesize_compat")
(sysctl-name "hw.l3cachesize_compat")
(sysctl-name "hw.logicalcpu_max")
(sysctl-name "hw.machine")
(sysctl-name "hw.ncpu")
(sysctl-name "hw.nperflevels")
(sysctl-name "hw.optional.arm.FEAT_BF16")
(sysctl-name "hw.optional.arm.FEAT_DotProd")
(sysctl-name "hw.optional.arm.FEAT_FCMA")
(sysctl-name "hw.optional.arm.FEAT_FHM")
(sysctl-name "hw.optional.arm.FEAT_FP16")
(sysctl-name "hw.optional.arm.FEAT_I8MM")
(sysctl-name "hw.optional.arm.FEAT_JSCVT")
(sysctl-name "hw.optional.arm.FEAT_LSE")
(sysctl-name "hw.optional.arm.FEAT_RDM")
(sysctl-name "hw.optional.arm.FEAT_SHA512")
(sysctl-name "hw.optional.armv8_2_sha512")
(sysctl-name "hw.packages")
(sysctl-name "hw.pagesize_compat")
(sysctl-name "hw.physicalcpu_max")
(sysctl-name "hw.tbfrequency_compat")
(sysctl-name "hw.vectorunit")
(sysctl-name "kern.hostname")
(sysctl-name "kern.maxfilesperproc")
(sysctl-name "kern.osproductversion")
(sysctl-name "kern.osrelease")
(sysctl-name "kern.ostype")
(sysctl-name "kern.osvariant_status")
(sysctl-name "kern.osversion")
(sysctl-name "kern.secure_kernel")
(sysctl-name "kern.usrstack64")
(sysctl-name "kern.version")
(sysctl-name "sysctl.proc_cputype")
(sysctl-name-prefix "hw.perflevel")
)

;; allow writes to specific paths
;; Writes are confined to the launcher-supplied roots, a few dotfile locations
;; under HOME_DIR, and the standard output devices. Everything else on the
;; filesystem stays read-only for this process.
(allow file-write*
(subpath (param "TARGET_DIR"))
(subpath (param "TMP_DIR"))
(subpath (param "CACHE_DIR"))
(subpath (string-append (param "HOME_DIR") "/.gemini"))
(subpath (string-append (param "HOME_DIR") "/.npm"))
(subpath (string-append (param "HOME_DIR") "/.cache"))
;; NOTE(review): ~/.gitconfig is the user's global git configuration, which
;; git also honours when the user runs it outside this sandbox; a write here
;; therefore changes git's behaviour on the host, not just inside the sandbox.
;; Confirm the tool genuinely needs to modify it. It is also a single file,
;; so `literal` would state the intent more precisely than `subpath`
;; -- TODO confirm before changing.
(subpath (string-append (param "HOME_DIR") "/.gitconfig"))
(literal "/dev/stdout")
(literal "/dev/stderr")
(literal "/dev/null")
)

;; allow communication with sysmond for process listing (e.g. for pgrep)
;; Only this one Mach service is reachable; all other mach-lookup requests
;; remain denied by the default rule.
(allow mach-lookup (global-name "com.apple.sysmond"))

;; enable terminal access required by ink
;; fixes setRawMode EPERM failure (at node:tty:81:24)
;; NOTE(review): the regex is open-ended and the `.` is unescaped, so besides
;; /dev/tty and the pseudo-terminals (/dev/ttys###) it matches every other
;; device whose name begins with /dev/tty, e.g. serial ports named
;; /dev/tty.<name>. Tighten it to the terminal devices node actually opens
;; if that matters -- TODO confirm which names are needed.
(allow file-ioctl (regex #"^/dev/tty.*"))

;; allow inbound network traffic on debugger port
;; NOTE(review): 9229 is Node's default inspector port. A listener there is
;; reachable by any other process on the machine, so this rule is best
;; present only for debugging launches rather than in the everyday profile
;; -- confirm with the launcher.
(allow network-inbound (local ip "localhost:9229"))

;; allow all outbound network traffic
;; No destination filter; see the note on file-read* above -- the two rules
;; together place no limit on what host data can leave the machine.
(allow network-outbound)