/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
use embedder_traits::resources;
use gaol::profile::{Operation, PathPattern, Profile};
use std::path::PathBuf;
/// Builds the sandbox profile applied to content processes on macOS, intended
/// to be as restrictive as possible.
///
/// The profile is the list of operations handed to `Profile::new`:
///
/// * full read access to `/dev/urandom`, to the font directories
///   `/Library/Fonts` and `/System/Library/Fonts`, and to the
///   `ApplicationServices` and `CoreGraphics` framework directories;
/// * metadata-only reads of `/`, `/Library`, `/System` and `/etc`;
/// * reading system information, and a Mach lookup of `com.apple.FontServer`;
/// * full read access to every path returned by
///   `resources::sandbox_access_files()` (matched literally) and
///   `resources::sandbox_access_files_dirs()` (matched as a subpath).
///
/// No write or network operation is listed. NOTE(review): that everything
/// unlisted is denied is gaol's contract, not something visible here — confirm
/// against the gaol version in use.
///
/// The last group is not fixed in this file: the readable surface of the
/// sandbox is as wide as whatever the resource reader reports, so those two
/// functions should return the narrowest paths that work.
///
/// # Panics
///
/// Panics if `Profile::new` rejects the operation list.
#[cfg(target_os = "macos")]
pub fn content_process_sandbox_profile() -> Profile {
    use gaol::platform;

    // Small constructors so each fixed rule reads as "kind of access + path".
    let read_file =
        |path: &str| Operation::FileReadAll(PathPattern::Literal(PathBuf::from(path)));
    let read_tree =
        |path: &str| Operation::FileReadAll(PathPattern::Subpath(PathBuf::from(path)));
    let stat_only =
        |path: &str| Operation::FileReadMetadata(PathPattern::Literal(PathBuf::from(path)));

    // Rules that are the same for every content process.
    let fixed_rules = vec![
        read_file("/dev/urandom"),
        read_tree("/Library/Fonts"),
        read_tree("/System/Library/Fonts"),
        read_tree("/System/Library/Frameworks/ApplicationServices.framework"),
        read_tree("/System/Library/Frameworks/CoreGraphics.framework"),
        stat_only("/"),
        stat_only("/Library"),
        stat_only("/System"),
        stat_only("/etc"),
        Operation::SystemInfoRead,
        Operation::PlatformSpecific(platform::macos::Operation::MachLookup(
            b"com.apple.FontServer".to_vec(),
        )),
    ];

    // Rules derived from the resource reader: individual files first, then
    // directories, which are matched with `PathPattern::Subpath`.
    let resource_files = resources::sandbox_access_files()
        .into_iter()
        .map(|file| Operation::FileReadAll(PathPattern::Literal(file)));
    let resource_dirs = resources::sandbox_access_files_dirs()
        .into_iter()
        .map(|dir| Operation::FileReadAll(PathPattern::Subpath(dir)));

    let operations: Vec<Operation> = fixed_rules
        .into_iter()
        .chain(resource_files)
        .chain(resource_dirs)
        .collect();

    Profile::new(operations).expect("Failed to create sandbox profile!")
}
/// Builds the sandbox profile applied to content processes on Linux, intended
/// to be as restrictive as possible.
///
/// The `cfg` gate is `not(target_os = "macos")`, so this definition is the one
/// compiled for every non-macOS target, not only Linux.
///
/// The profile is the list of operations handed to `Profile::new`: full read
/// access to `/dev/urandom`, plus full read access to every path returned by
/// `resources::sandbox_access_files()` (matched literally) and
/// `resources::sandbox_access_files_dirs()` (matched as a subpath). No write
/// or network operation is listed. NOTE(review): that everything unlisted is
/// denied is gaol's contract, not something visible here — confirm against the
/// gaol version in use.
///
/// Apart from `/dev/urandom`, the readable surface is decided entirely by the
/// resource reader, so those two functions should return the narrowest paths
/// that work.
///
/// # Panics
///
/// Panics if `Profile::new` rejects the operation list.
#[cfg(not(target_os = "macos"))]
pub fn content_process_sandbox_profile() -> Profile {
    // The only rule that does not come from the resource reader.
    let entropy_source =
        Operation::FileReadAll(PathPattern::Literal(PathBuf::from("/dev/urandom")));

    // Individual resource files first, then resource directories, which are
    // matched with `PathPattern::Subpath`.
    let resource_files = resources::sandbox_access_files()
        .into_iter()
        .map(|file| Operation::FileReadAll(PathPattern::Literal(file)));
    let resource_dirs = resources::sandbox_access_files_dirs()
        .into_iter()
        .map(|dir| Operation::FileReadAll(PathPattern::Subpath(dir)));

    let operations: Vec<Operation> = std::iter::once(entropy_source)
        .chain(resource_files)
        .chain(resource_dirs)
        .collect();

    Profile::new(operations).expect("Failed to create sandbox profile!")
}