Diffstat (limited to 'security/sandbox/mac/SandboxPolicies.h')
-rw-r--r--security/sandbox/mac/SandboxPolicies.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/sandbox/mac/SandboxPolicies.h b/security/sandbox/mac/SandboxPolicies.h
index 5ef002b..e9f47c5 100644
--- a/security/sandbox/mac/SandboxPolicies.h
+++ b/security/sandbox/mac/SandboxPolicies.h
@@ -131,6 +131,8 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
(sysctl-name "kern.osversion")
(sysctl-name "kern.osrelease")
(sysctl-name "kern.version")
+ (sysctl-name "kern.tcsm_available")
+ (sysctl-name "kern.tcsm_enable")
; TODO: remove "kern.hostname". Without it the tests hang, but the hostname
; is arguably sensitive information, so we should see what can be done about
; removing it.
@@ -166,6 +168,9 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
(sysctl-name "machdep.cpu.stepping")
(sysctl-name "debug.intel.gstLevelGST")
(sysctl-name "debug.intel.gstLoaderControl")))
+ (if (> macosMinorVersion 9)
+ (allow sysctl-write
+ (sysctl-name "kern.tcsm_enable")))
(define (home-regex home-relative-regex)
(regex (string-append "^" (regex-quote home-path) home-relative-regex)))
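Review bot: The `(allow sysctl-write (sysctl-name "kern.tcsm_enable"))` rule added here gives the content process write access to a kernel setting, and nothing in the hunk says what the setting controls or why the write is needed. Judging by the name `contentSandboxRules`, this policy confines the process that handles web content, so a write grant should carry its rationale next to it, for example `; kern.tcsm_enable: <what it toggles>; written by <caller>, see <bug-id>`. The gate `(> macosMinorVersion 9)` here and `(>= macosMinorVersion 14)` in the MTLCompilerService hunk both depend on how `macosMinorVersion` is defined, which is outside this diff. If it carries only the minor component, both conditions become false on an OS major version whose minor number restarts, which fails closed but silently drops the rules. The policy string starts and ends outside the hunk.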
@@ -319,6 +324,9 @@ static const char contentSandboxRules[] = R"SANDBOX_LITERAL(
(allow user-preference-read (preference-domain "com.nvidia.OpenGL"))
(allow mach-lookup
(global-name "com.apple.cvmsServ"))
+ (if (>= macosMinorVersion 14)
+ (allow mach-lookup
+ (global-name "com.apple.MTLCompilerService")))
(allow iokit-open
(iokit-connection "IOAccelerator")
(iokit-user-client-class "IOAccelerationUserClient")
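Review bot: The new `mach-lookup` for `com.apple.MTLCompilerService` has no comment, so a later audit of this allow-list cannot tell why the content process may reach that service. Every global name listed here is one more service a compromised content process can send messages to, so the reason and the version floor belong beside the rule, e.g. `; presumably the Metal shader compiler service; needed by <component> on 10.14+, see <bug-id>`. If only some graphics paths need it, it is worth checking whether the rule can sit under a narrower condition than the OS version alone.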