
Commit da1fc22

committed
Sandbox config
1 parent 784164b commit da1fc22


2 files changed

+108
-5
lines changed


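--- a/docker/sandbox.sb
+++ b/docker/sandbox.sb
@@ -0,0 +1,103 @@
+(version 1)
+; Deny everything by default
+(deny default)
+
+; Get fonts
+(import "system.sb")
+
+; Helpers
+(define (param-regex param-name param-relative-regex)
+(regex (string-append "^" (regex-quote (param param-name)) param-relative-regex)))
+(define (param-subpath param-name param-relative-subpath)
+(subpath (string-append (param param-name) param-relative-subpath)))
+(define workspace
+(param "workspace"))
+
+; Read
+(allow file-read-metadata
+(subpath "/"))
+(allow file-read*
+(subpath workspace)
+(path "/")
+(path "/private/etc/ssl/openssl.cnf")
+(path "/Library/Preferences/com.apple.dt.Xcode.plist")
+(path "/dev/dtracehelper")
+(path "/dev/fd")
+(path "/dev/null")
+(path "/dev/ptmx")
+(regex #"^/dev/tty.*")
+(path "/etc/shells")
+(path "/private/etc/shells")
+(path "/private/etc/ssl/cert.pem")
+(path "/usr/local/share/git-core/gitconfig")
+(subpath "/Users/award999/repos/sourcekit-lsp/.build") ; REMOVE
+(regex #"^/Users/[^/]+/.gitconfig$")
+(regex #"^/Users/[^/]+/.sourcekit-lsp.*")
+(regex #"^/Users/[^/]+/.swiftpm.*")
+(regex #"^/Users/[^/]+/Library/org.swift.swiftpm.*")
+(regex #"^/Users/[^/]+/Library/Developer/Toolchains")
+(regex #"^/Users/[^/]+/Library/Developer/Xcode/DerivedData.*")
+(regex #"^/Users/[^/]+/Library/Caches/org.swift.swiftpm.*")
+(regex #"^/Users/[^/]+/Library/Application Support/Code.*")
+(regex #"^/Users/[^/]+/Library/Saved Application State/com.microsoft.VSCode.savedState.*")
+(regex #"^/private/var/folders/[^/]+/[^/]+/.+")
+(subpath "/Library/Developer/Toolchains")
+(subpath "/Applications/Xcode.app")
+(subpath "/Applications/Xcode-beta.app")
+(subpath "/bin")
+(subpath "/usr/bin")
+(subpath "/usr/libexec/path_helper")
+(regex #"^/Users/[^/]+/.vscode/argv.json")
+)
+
+(allow mach-lookup)
+(allow mach-register)
+
+; Write
+(allow file-write*
+(subpath workspace)
+(path "/dev/null")
+(path "/dev/ptmx")
+(regex #"^/dev/tty.*")
+(regex #"^/Users/[^/]+/.sourcekit-lsp.*")
+(regex #"^/Users/[^/]+/Library/org.swift.swiftpm.*")
+(regex #"^/Users/[^/]+/Library/Caches/org.swift.swiftpm.*")
+(regex #"^/Users/[^/]+/Library/Developer/Xcode/DerivedData.*")
+(regex #"^/Users/[^/]+/Library/Application Support/Code.*")
+(regex #"^/private/var/folders/[^/]+/[^/]+/.+")
+(regex #"^/Users/[^/]+/.vscode/argv.json")
+)
+
+; Execute
+(allow process-exec*)
+(allow process-fork)
+
+; Network
+(allow system-socket)
+(allow network-outbound
+(path "/private/var/run/mDNSResponder")
+(remote tcp4 "*:443")
+)
+
+; Open VSCode window
+(allow file-ioctl)
+; (allow file-issue-extension)
+(allow iokit-open-user-client)
+; (allow system-fsctl) ; HFSIOC_SET_HOTFILE_STATE
+
+; VSCode sockets
+(allow network*
+(param-regex "workspace" "/.vscode-test/user-data/1\.[0-9]+-main\.sock")
+)
+
+; VSCode terminal
+(allow pseudo-tty)
+
+; SourceKit-LSP
+(allow job-creation)
+
+; JSON language server
+(allow signal)
+
+; Uncomment when connected to Ottawa office network
+(system-network)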
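Review bot: Two local leftovers are committed as live rules: the final `(system-network)` is active although the comment directly above it says to uncomment it only on the office network, and line 33 still grants `(subpath "/Users/award999/repos/sourcekit-lsp/.build") ; REMOVE`. The first should be `; (system-network)` and the second deleted before this profile is relied on. Beyond that, `(allow mach-lookup)`, `(allow mach-register)` and `(allow process-exec*)` carry no filter, which hands back much of what `(deny default)` takes away. Naming the required services with `(global-name "<SERVICE_NAME>")` filters and limiting exec to the toolchain subpaths already listed for reading would keep the profile default-deny in practice. The `file-write*` patterns are also loose: `^/Users/[^/]+/.vscode/argv.json` has unescaped dots and no `$`, and `Library/Application Support/Code.*` lets the sandboxed run modify the user's own VS Code data directory rather than only test data.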

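--- a/docker/test-macos.sh
+++ b/docker/test-macos.sh
@@ -36,11 +36,11 @@ trap "cleanup" EXIT
 curl -O "https://nodejs.org/dist/v$NODE_VERSION/$NODE_ARCHIVE"
 curl -O "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt"
 
-NODE_CHECKSUM="$(grep $NODE_ARCHIVE SHASUMS256.txt)"
+NODE_CHECKSUM="$(grep "$NODE_ARCHIVE" SHASUMS256.txt)"
 
 grep "$NODE_ARCHIVE" SHASUMS256.txt | sha256sum -c -
 
-tar -xzf $NODE_ARCHIVE -C $ARTIFACTS
+tar -xzf "$NODE_ARCHIVE" -C "$ARTIFACTS"
 
 export NPM_CONFIG_CACHE="$ARTIFACTS/$NODE_NAME/cache"
 export NPM_CONFIG_PREFIX="$ARTIFACTS/$NODE_NAME"
@@ -50,7 +50,7 @@ export NPM_CONFIG_GLOBALCONFIG="$ARTIFACTS/$NODE_NAME/globalnpmrc"
 PATH="$ARTIFACTS/$NODE_NAME/bin:$PATH"
 
 mkdir -p $(dirname "$VSCODE_SETTINGS")
-cat <<EOT > $VSCODE_SETTINGS
+cat <<EOT > "$VSCODE_SETTINGS"
 {
 "swift.buildArguments": [
 "--disable-sandbox",
@@ -60,8 +60,8 @@ cat <<EOT > $VSCODE_SETTINGS
 }
 EOT
 
-mkdir -p $(dirname "$LSP_SETTINGS")
-cat <<EOT > $LSP_SETTINGS
+mkdir -p "$(dirname "$LSP_SETTINGS")"
+cat <<EOT > "$LSP_SETTINGS"
 {
 "swiftPM": {
 "disableSandbox": true,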
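Review bot: The second hunk leaves `mkdir -p $(dirname "$VSCODE_SETTINGS")` (line 52) unquoted while the third hunk quotes the identical `LSP_SETTINGS` line, so a settings path containing whitespace still word-splits there; it should read `mkdir -p "$(dirname "$VSCODE_SETTINGS")"`. In the first hunk, `grep "$NODE_ARCHIVE"` treats the archive name as a regular expression, so `grep -F -- "$NODE_ARCHIVE" SHASUMS256.txt` would select the checksum line more exactly, and `NODE_CHECKSUM` is not used by the verification pipeline visible here. Whether a failed `sha256sum -c -` actually stops the script before `tar` extracts the archive depends on `set -e`/`pipefail`, which would be set outside these hunks and is worth confirming. Both heredocs continue past the end of their hunks.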
