Last active
December 25, 2015 07:39
-
-
Save mologie/6941059 to your computer and use it in GitHub Desktop.
A (so far nicely working) attempt to throw Teeworlds into OS X's native sandbox.
Rename teeworld's executable to teeworlds-orig and save this script in its original location, then make it executable.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Teeworlds sandboxing script | |
| # Oliver Kuckertz <oliver.kucertz@mologie.de>, 2013-10-11, public domain | |
| abspath() { | |
| echo "$(cd $1; pwd)" | |
| } | |
| absdirname() { | |
| echo "$(abspath $(dirname $1))" | |
| } | |
| BIN_PATH="$(absdirname $0)" | |
| BUNDLE_PATH="$(abspath $BIN_PATH/../..)" | |
| TEEWORLDS_BIN="$BIN_PATH/teeworlds-orig" | |
| read -d '' RULES<<EOF | |
| ;; teeworlds - sandbox profile | |
| ;; Oliver Kuckertz <oliver.kucertz@mologie.de>, 2013-10-11, public domain | |
| (version 1) | |
| (import "bsd.sb") | |
| ;; By default, deny all requests, and log denied requets to system.log | |
| (deny default) | |
| (debug deny) | |
| ;; Permit using sockets and allow connecting and binding to any address | |
| (allow system-socket) | |
| (allow network*) | |
| ;; Allow executing the teeworlds executable | |
| (allow process-exec (literal "$TEEWORLDS_BIN")) | |
| ;; Permit write access to the teeworlds profile directory | |
| (allow file* | |
| (subpath "/Users/$USER/Library/Application Support/Teeworlds")) | |
| ;; Permit read access to the bundle itself, a set of preference files and all MacPorts system libraries | |
| (allow file-read* | |
| (subpath "$BUNDLE_PATH") | |
| (literal "/private/etc/hosts") | |
| (subpath "/opt/local/lib") | |
| (literal "/Library/Preferences/.GlobalPreferences.plist") | |
| (subpath "/Library/Audio/Plug-Ins/HAL") | |
| (subpath "/Users/$USER/Library/Keyboard Layouts") | |
| (subpath "/Users/$USER/Library/Input Methods") | |
| (literal "/Users/$USER/Library/Preferences/.GlobalPreferences.plist") | |
| (regex "^/Users/$USER/Library/Preferences/ByHost/.GlobalPreferences\\..+\\.plist$") | |
| (literal "/Users/$USER/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist") | |
| (subpath "/Users/$USER/Library/Autosave Information")) | |
| ;; Permit using the following interfaces | |
| (allow iokit-open | |
| (iokit-user-client-class "RootDomainUserClient") | |
| (iokit-user-client-class "IOAudioEngineUserClient")) | |
| ;; Permit communicating with the following services | |
| (allow mach-lookup | |
| (global-name "com.apple.audio.coreaudiod") | |
| (global-name "com.apple.audio.audiohald") | |
| (global-name "com.apple.CoreServices.coreservicesd") | |
| (global-name "com.apple.coreservices.appleevents") | |
| (global-name "com.apple.coresymbolicationd") | |
| (global-name "com.apple.distributed_notifications@Uv3") | |
| (global-name "com.apple.dock.server") | |
| (global-name "com.apple.FontServer") | |
| (global-name "com.apple.FontObjectsServer") | |
| (global-name "com.apple.pasteboard.1") | |
| (global-name "com.apple.networkd") | |
| (global-name "com.apple.tsm.uiserver") | |
| (global-name "com.apple.window_proxies") | |
| (global-name "com.apple.windowserver.active")) | |
| ;; Silently deny access to the following classes | |
| (deny iokit-open | |
| (iokit-user-client-class "IOHIDParamUserClient")(with no-log)) | |
| ;; Permit access to graphic hardware and services | |
| (system-graphics) | |
| EOF | |
| sandbox-exec -p "$RULES" "$BIN_PATH/teeworlds-orig" "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment