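/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef mozilla_SandboxPolicyGPU_h
#define mozilla_SandboxPolicyGPU_h

namespace mozilla {

// Sandbox profile (SBPL, "(version 1)") for the GPU process.
//
// The profile begins with (moz-deny default), so every operation that is not
// explicitly allowed further down is denied. When the SHOULD_LOG param is
// "TRUE" the denials are logged; otherwise they are issued (with no-log).
//
// Each (param "...") below must be supplied by whoever applies the profile:
// SHOULD_LOG, APP_PATH, DARWIN_USER_CACHE_DIR, BUNDLE_ID_CACHE_DIR,
// HOME_PATH, CRASH_PORT, MAC_OS_VERSION and IS_ROSETTA_TRANSLATED.
// userCacheDir (DARWIN_USER_CACHE_DIR) is defined but not referenced by any
// rule in this file.
//
// Within a single (allow ...) form the listed filters are alternatives, so
// naming the same operand twice does not widen the policy; each operand is
// therefore listed exactly once here.
//
// NOTE(review): the comment on the file-issue-extension rule says "macOS 14
// and earlier", but the guard (<= macosVersion 1500) also matches a
// MAC_OS_VERSION of exactly 1500 -- confirm the intended boundary.
static const char SandboxPolicyGPU[] = R"SANDBOX_LITERAL(
  (version 1)

  (define shouldLog (param "SHOULD_LOG"))
  (define appPath (param "APP_PATH"))
  (define userCacheDir (param "DARWIN_USER_CACHE_DIR"))
  (define bundleIDCacheDir (param "BUNDLE_ID_CACHE_DIR"))
  (define homePath (param "HOME_PATH"))
  (define crashPort (param "CRASH_PORT"))
  (define macosVersion (string->number (param "MAC_OS_VERSION")))
  (define isRosettaTranslated (param "IS_ROSETTA_TRANSLATED"))

  (define (moz-deny feature)
    (if (string=? shouldLog "TRUE")
      (deny feature)
      (deny feature (with no-log))))

  (moz-deny default)
  (moz-deny process-info*)
  (moz-deny nvram*)
  (moz-deny iokit-get-properties)
  (moz-deny file-map-executable)

  (allow process-info-pidinfo process-info-setcontrol (target self))
  (allow user-preference-read)
  (allow file-read-metadata (subpath "/"))
  (allow file-map-executable file-read*
    (subpath "/System")
    (subpath "/usr/lib")
    (subpath "/Library/GPUBundles")
    (subpath appPath))

  (allow signal (target self))
  (allow file-read*
    (literal "/dev/random")
    (literal "/dev/urandom")
    (subpath "/usr/share/icu"))

  (if (string? crashPort)
    (allow mach-lookup (global-name crashPort)))

  (allow sysctl-read
    (sysctl-name-regex #"^sysctl\.")
    (sysctl-name "kern.ostype")
    (sysctl-name "kern.osversion")
    (sysctl-name "kern.osrelease")
    (sysctl-name "kern.osproductversion")
    (sysctl-name "kern.version")
    (sysctl-name "kern.hostname")
    (sysctl-name "hw.machine")
    (sysctl-name "hw.memsize")
    (sysctl-name "hw.model")
    (sysctl-name "hw.ncpu")
    (sysctl-name "hw.activecpu")
    (sysctl-name "hw.byteorder")
    (sysctl-name "hw.pagesize_compat")
    (sysctl-name "hw.logicalcpu_max")
    (sysctl-name "hw.physicalcpu_max")
    (sysctl-name "hw.busfrequency_compat")
    (sysctl-name "hw.busfrequency_max")
    (sysctl-name "hw.cpufrequency")
    (sysctl-name "hw.cpufrequency_compat")
    (sysctl-name "hw.cpufrequency_max")
    (sysctl-name "hw.l2cachesize")
    (sysctl-name "hw.l3cachesize")
    (sysctl-name "hw.cachelinesize")
    (sysctl-name "hw.cachelinesize_compat")
    (sysctl-name "hw.tbfrequency_compat")
    (sysctl-name "hw.vectorunit")
    (sysctl-name "hw.optional.sse2")
    (sysctl-name "hw.optional.sse3")
    (sysctl-name "hw.optional.sse4_1")
    (sysctl-name "hw.optional.sse4_2")
    (sysctl-name "hw.optional.avx1_0")
    (sysctl-name "hw.optional.avx2_0")
    (sysctl-name "hw.optional.avx512f")
    (sysctl-name "hw.optional.avx512bw")
    (sysctl-name "machdep.cpu.vendor")
    (sysctl-name "machdep.cpu.family")
    (sysctl-name "machdep.cpu.model")
    (sysctl-name "machdep.cpu.stepping")
    (sysctl-name "machdep.ptrauth_enabled")
    (sysctl-name "debug.intel.gstLevelGST")
    (sysctl-name "debug.intel.gstLoaderControl")
    (sysctl-name "hw.perflevel0.logicalcpu")
    (sysctl-name "hw.perflevel0.physicalcpu")
    (sysctl-name "hw.perflevel0.physicalcpu_max")
    (sysctl-name "hw.perflevel0.logicalcpu_max")
    (sysctl-name "hw.perflevel0.l1icachesize")
    (sysctl-name "hw.perflevel0.l1dcachesize")
    (sysctl-name "hw.perflevel0.l2cachesize")
    (sysctl-name "hw.perflevel0.cpusperl2")
    (sysctl-name "hw.perflevel0.name")
    (sysctl-name "hw.perflevel1.logicalcpu")
    (sysctl-name "hw.perflevel1.physicalcpu")
    (sysctl-name "hw.perflevel1.physicalcpu_max")
    (sysctl-name "hw.perflevel1.logicalcpu_max")
    (sysctl-name "hw.perflevel1.l1icachesize")
    (sysctl-name "hw.perflevel1.l1dcachesize")
    (sysctl-name "hw.perflevel1.l2cachesize")
    (sysctl-name "hw.perflevel1.cpusperl2")
    (sysctl-name "hw.perflevel1.name"))

  (allow mach-lookup
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.system.opendirectoryd.membership")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.lsd.mapdb")
    ; Graphics
    (global-name "com.apple.CARenderServer")
    (global-name "com.apple.windowserver.active")
    (global-name "com.apple.MTLCompilerService")
    (global-name "com.apple.CoreDisplay.master")
    (global-name "com.apple.CoreDisplay.Notification")
    (global-name "com.apple.cvmsServ"))

  ; Allow access to defaults services
  (allow mach-lookup
    (global-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.cfprefsd.daemon"))
  (allow ipc-posix-shm-read-data
    (ipc-posix-name-regex #"^apple\.cfprefs\..*"))

  (define (home-subpath home-relative-subpath)
    (subpath (string-append homePath home-relative-subpath)))

  (allow file-read*
    (subpath "/Library/ColorSync/Profiles")
    (literal "/")
    (literal "/private/tmp")
    (literal "/private/var/tmp")
    (home-subpath "/Library/Colors")
    (home-subpath "/Library/ColorSync/Profiles"))

  (allow file-read* (subpath "/private/var/db/CVMS"))

  ; Allow creation of the bundle ID cache directory and files within.
  (allow file-read* file-write*
    (require-all
      (require-not (vnode-type SYMLINK))
      (subpath bundleIDCacheDir)))

  ; Allow issuing sandbox extensions for the MTLCompilerService process
  ; to be able to read and write files in the bundle ID cache dir in the
  ; "com.apple.{metalfe,gpuarchiver}" subdirectories. Only observed
  ; to be needed on macOS 14 and earlier versions.
  (if (<= macosVersion 1500)
    (allow file-issue-extension
      (require-all
        (extension-class "com.apple.app-sandbox.read-write")
        (require-not (vnode-type SYMLINK))
        (require-any
          (subpath (string-append bundleIDCacheDir "/com.apple.metalfe"))
          (subpath (string-append bundleIDCacheDir "/com.apple.gpuarchiver"))))))

  (allow iokit-get-properties
    (iokit-property "board-id")
    (iokit-property "product-id")
    (iokit-property "class-code")
    (iokit-property "vendor-id")
    (iokit-property "device-id")
    (iokit-property "IODVDBundleName")
    (iokit-property "IOGLBundleName")
    (iokit-property "IOGVACodec")
    (iokit-property "IOGVAHEVCDecode")
    (iokit-property "IOAVDHEVCDecodeCapabilities")
    (iokit-property "IOGVAHEVCEncode")
    (iokit-property "IOGVAXDecode")
    (iokit-property "IOAVDAV1DecodeCapabilities")
    (iokit-property "IOPCITunnelled")
    (iokit-property "IOVARendererID")
    (iokit-property "MetalPluginName")
    (iokit-property "MetalPluginClassName")
    (iokit-property "gpu-core-count"))

  (allow iokit-set-properties
    (require-all
      (iokit-connection "IODisplay")
      (require-any
        (iokit-property "brightness"
                        "linear-brightness"
                        "commit"
                        "rgcs"
                        "ggcs"
                        "bgcs"))))

  (allow iokit-open
    (iokit-connection "IOAccelerator")
    (iokit-user-client-class "AppleIntelMEUserClient")
    (iokit-user-client-class "AppleSNBFBUserClient")
    (iokit-user-client-class "IOAccelerationUserClient")
    (iokit-user-client-class "IOSurfaceRootUserClient")
    (iokit-user-client-class "IOSurfaceSendRight")
    (iokit-user-client-class "IOFramebufferSharedUserClient")
    (iokit-user-client-class "AGPMClient")
    (iokit-user-client-class "AppleGraphicsControlClient")
    (iokit-user-client-class "IOHIDParamUserClient")
    (iokit-user-client-class "RootDomainUserClient")
    (iokit-user-client-class "AppleMGPUPowerControlClient")
    (iokit-user-client-class "AppleGraphicsPolicyClient"))

  ; Fonts
  (allow file-read*
    (subpath "/Library/Fonts")
    (subpath "/Library/Application Support/Apple/Fonts")
    (home-subpath "/Library/Fonts")
    ; Allow read access to paths allowed via sandbox extensions.
    ; This is needed for fonts in non-standard locations normally
    ; due to third party font managers. The extensions are
    ; automatically issued by the font server in response to font
    ; API calls.
    (extension "com.apple.app-sandbox.read"))
  ; Fonts may continue to work without explicitly allowing these
  ; services because, at present, connections are made to the services
  ; before the sandbox is enabled as a side-effect of some API calls.
  (allow mach-lookup
    (global-name "com.apple.fonts")
    (global-name "com.apple.FontObjectsServer"))

  (if (string=? isRosettaTranslated "TRUE")
    (allow file-map-executable (subpath "/private/var/db/oah")))
)SANDBOX_LITERAL";

}  // namespace mozilla

#endif  // mozilla_SandboxPolicyGPU_h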