path: root/chromium/content/common/common.sb

;;
;; Copyright (c) 2012 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
; This configuration file isn't used on it's own, but instead implicitly
; included at the start of all other sandbox configuration files in Chrome.
(version 1)

; Helper function to check if a param is set to true.
(define (param-true? str) (string=? (param str) "TRUE"))

; Helper function to determine if a parameter is defined or not.
(define (param-defined? str) (string? (param str)))

; Define constants for all of the parameter strings passed in.
(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
(define enable-logging "ENABLE_LOGGING")
(define permitted-dir "PERMITTED_DIR")
(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
(define elcap-or-later "ELCAP_OR_LATER")

; Consumes a subpath and appends it to the user's homedir path.
(define (user-homedir-path subpath) (string-append (param homedir-as-literal) subpath))

; DISABLE_SANDBOX_DENIAL_LOGGING turns off log messages in the system log.
(if (param-true? disable-sandbox-denial-logging)
    (deny default (with no-log))
    (deny default))

; Support for programmatically enabling verbose debugging.
(if (param-true? enable-logging) (debug deny))

; Allow sending signals to self - https://crbug.com/20370
(allow signal (target self))

; Needed for full-page-zoomed controls - https://crbug.com/11325
(allow sysctl-read)

; Loading System Libraries.
(allow file-read*
    (regex #"^/System/Library/Frameworks($|/)")
    (regex #"^/System/Library/PrivateFrameworks($|/)")
    (regex #"^/System/Library/CoreServices($|/)"))

(allow ipc-posix-shm)

; Allow direct access to /dev/urandom, similar to Linux/POSIX, to allow
; third party code (eg: bits of Adobe Flash and NSS) to function properly.
(allow file-read-data file-read-metadata (literal "/dev/urandom"))