;;
;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
; This is the Sandbox configuration file used for safeguarding the utility
; process which is used for performing sandboxed operations that need to touch
; the filesystem like decoding theme images and unpacking extensions.
;
; This configuration locks everything down, except access to one configurable
; directory.  This is different from other sandbox configuration files where
; file system access is entireley restricted.

; *** The contents of common.sb are implicitly included here. ***

; No additional resource access needed.

; This is available in 10.15+, and rolled out as a Finch experiment.
(if (param-true? filter-syscalls-debug)
  (when (defined? 'syscall-unix)
    (deny syscall-unix (with send-signal SIGSYS))
    (allow syscall-unix
      (syscall-number SYS_psynch_cvwait)
      (syscall-number SYS_sendto)
      (syscall-number SYS_socketpair)
)))