newbie-lad · August 20, 2023 06:18 · newbie-lad · Aug 20, 2023
diff --git a/chroam.sb b/chroam.sb
 ;; chrome.app sandbox profile
 (version 1)
 (debug deny)

 ;; allow processes to traverse symlinks
 (allow file-read-metadata)

 (allow file-read-data file-read-metadata
  (regex
    ; Allow reading system dylibs and frameworks
    #"^/usr/lib/.*\.dylib$"
    #"^/usr/lib/info/.*\.so$"
    #"^/System/"
    #"^/private/var/db/dyld/"
    #"^(/private)?/etc/hosts\.(allow|deny)$"
  ))

 (allow file-read-data file-write-data
  (regex
    ; Allow files accessed by system dylibs and frameworks
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
    #"^/dev/u?random$"
    #"^/dev/autofs_nowait$"
    #"^/dev/dtracehelper$"
    #"/\.CFUserTextEncoding$"
    #"^(/private)?/etc/localtime$"
    #"^/usr/share/nls/"
    #"^/usr/share/zoneinfo/"
  ))

 (allow file-ioctl
  (regex
    ; Allow access to dtracehelper by dyld
    #"^/dev/dtracehelper$"))

 (allow mach-lookup
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center"))

 (allow ipc-posix-shm) ; Libnotify

 ;; (allow sysctl-read)

 (allow signal (target self))

 (deny default)

 (allow file-write* file-read-data file-read-metadata
  (regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com.apple.iconservices/store.index")
  (regex "^/Users/finch/Library/Application Support/haiku")
  (regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist")
  (regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist")
  (regex "^/Users/finch/Library/Logs/Haiku")
  (regex "^/Applications/Haiku.app")
  (regex "^/Users/finch/.haiku")
  (regex "^(/private)?/tmp/"))

 (allow file-read-data file-read-metadata
  (literal "/")
  (subpath "/")
  (regex "^/dev")
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Fonts")
 ;;  (regex "^/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
 ;;  (regex "^/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Haiku.app")
  (regex "^/usr/lib")
  (regex "^/usr/local/lib")
  (regex "^/var")
  (regex "^/private/var/tmp/")
  (regex "^/private/etc/hosts")
  (regex "^/private/var/db/timezone/tz/")
  (regex "^/private/tmp/")
  (regex "^/private/etc")
  (regex "^/private/var/run/resolv.conf")
  (regex "^/Users/finch")
  (regex #"Frameworks/SDL.framework"))

 (allow file-read-xattr
  (regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
  (regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist"))

 (allow mach* sysctl-read)

 (deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
 	 #"^/usr/share/zoneinfo/"))

 (allow process-exec*
  (regex "^/Applications/Haiku.app"))

 (allow process-exec*)

 (allow network*)
 (allow iokit-open)
 (allow ipc-posix-shm)
 (allow process-fork)
 (allow system-socket)
diff --git a/chroma b/chroma
 #!/bin/bash
 # Why not extend security?
 # Also should be a good idea to make use of Ramdisk, as disk operations in modern browsers sux
 # codesign --force -s - .app/Contents/MacOS/app # Ut laudatio tibi sit – https://7402.org/blog/2020/macos-sandboxing-of-folder.html

 sandbox-exec -f ~/sandbox/haiku.sb ~/Applications/Haiku.app/Contents/MacOS/Haiku
	;; chrome.app sandbox profile
	(version 1)
	(debug deny)

	;; allow processes to traverse symlinks
	(allow file-read-metadata)

	(allow file-read-data file-read-metadata
	(regex
	; Allow reading system dylibs and frameworks
	#"^/usr/lib/.*\.dylib$"
	#"^/usr/lib/info/.*\.so$"
	#"^/System/"
	#"^/private/var/db/dyld/"
	#"^(/private)?/etc/hosts\.(allow\|deny)$"
	))

	(allow file-read-data file-write-data
	(regex
	; Allow files accessed by system dylibs and frameworks
	#"^/dev/null$"
	#"^(/private)?/var/run/syslog$"
	#"^/dev/u?random$"
	#"^/dev/autofs_nowait$"
	#"^/dev/dtracehelper$"
	#"/\.CFUserTextEncoding$"
	#"^(/private)?/etc/localtime$"
	#"^/usr/share/nls/"
	#"^/usr/share/zoneinfo/"
	))

	(allow file-ioctl
	(regex
	; Allow access to dtracehelper by dyld
	#"^/dev/dtracehelper$"))

	(allow mach-lookup
	(global-name "com.apple.bsd.dirhelper")
	(global-name "com.apple.system.DirectoryService.libinfo_v1")
	(global-name "com.apple.system.DirectoryService.membership_v1")
	(global-name "com.apple.system.logger")
	(global-name "com.apple.system.notification_center"))

	(allow ipc-posix-shm) ; Libnotify

	;; (allow sysctl-read)

	(allow signal (target self))

	(deny default)

	(allow file-write* file-read-data file-read-metadata
	(regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com.apple.iconservices/store.index")
	(regex "^/Users/finch/Library/Application Support/haiku")
	(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist")
	(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist")
	(regex "^/Users/finch/Library/Logs/Haiku")
	(regex "^/Applications/Haiku.app")
	(regex "^/Users/finch/.haiku")
	(regex "^(/private)?/tmp/"))

	(allow file-read-data file-read-metadata
	(literal "/")
	(subpath "/")
	(regex "^/dev")
	(regex "^/dev/autofs.*")
	(regex "^/Library/Preferences")
	(regex "^/Library/Fonts")
	;; (regex "^/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
	;; (regex "^/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
	(regex "^/usr/share/icu")
	(regex "^/usr/share/locale")
	(regex "^/System/Library")
	(regex "^/Applications/Haiku.app")
	(regex "^/usr/lib")
	(regex "^/usr/local/lib")
	(regex "^/var")
	(regex "^/private/var/tmp/")
	(regex "^/private/etc/hosts")
	(regex "^/private/var/db/timezone/tz/")
	(regex "^/private/tmp/")
	(regex "^/private/etc")
	(regex "^/private/var/run/resolv.conf")
	(regex "^/Users/finch")
	(regex #"Frameworks/SDL.framework"))

	(allow file-read-xattr
	(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
	(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist"))

	(allow mach* sysctl-read)

	(deny file-write-data
	(regex #"^(/private)?/etc/localtime$"
	#"^/usr/share/nls/"
	#"^/usr/share/zoneinfo/"))

	(allow process-exec*
	(regex "^/Applications/Haiku.app"))

	(allow process-exec*)

	(allow network*)
	(allow iokit-open)
	(allow ipc-posix-shm)
	(allow process-fork)
	(allow system-socket)
	#!/bin/bash
	# Why not extend security?
	# Also should be a good idea to make use of Ramdisk, as disk operations in modern browsers sux
	# codesign --force -s - .app/Contents/MacOS/app # Ut laudatio tibi sit – https://7402.org/blog/2020/macos-sandboxing-of-folder.html

	sandbox-exec -f ~/sandbox/haiku.sb ~/Applications/Haiku.app/Contents/MacOS/Haiku