mirror of
https://github.com/google-gemini/gemini-cli.git
synced 2026-04-02 01:11:24 -07:00
95 lines
2.5 KiB
TypeScript
95 lines
2.5 KiB
TypeScript
/**
|
|
* @license
|
|
* Copyright 2026 Google LLC
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
/**
|
|
* The base macOS Seatbelt (SBPL) profile for tool execution.
|
|
*
|
|
* This uses a strict allowlist (deny default) but imports Apple's base system profile
|
|
* to handle undocumented internal dependencies, sysctls, and IPC mach ports required
|
|
* by standard tools to avoid "Abort trap: 6".
|
|
*/
|
|
export const BASE_SEATBELT_PROFILE = `(version 1)
|
|
(deny default)
|
|
|
|
(import "system.sb")
|
|
|
|
; Core execution requirements
|
|
(allow process-exec)
|
|
(allow process-fork)
|
|
(allow signal (target same-sandbox))
|
|
(allow process-info* (target same-sandbox))
|
|
|
|
; Allow basic read access to system frameworks and libraries required to run
|
|
(allow file-read*
|
|
(subpath "/System")
|
|
(subpath "/usr/lib")
|
|
(subpath "/usr/share")
|
|
(subpath "/usr/bin")
|
|
(subpath "/bin")
|
|
(subpath "/sbin")
|
|
(subpath "/usr/local/bin")
|
|
(subpath "/opt/homebrew")
|
|
(subpath "/Library")
|
|
(subpath "/private/var/run")
|
|
(subpath "/private/var/db")
|
|
(subpath "/private/etc")
|
|
)
|
|
|
|
; PTY and Terminal support
|
|
(allow pseudo-tty)
|
|
(allow file-read* file-write* file-ioctl (literal "/dev/ptmx"))
|
|
(allow file-read* file-write* file-ioctl (regex #"^/dev/ttys[0-9]+"))
|
|
|
|
; Allow read/write access to temporary directories and common device nodes
|
|
(allow file-read* file-write*
|
|
(literal "/dev/null")
|
|
(literal "/dev/zero")
|
|
(subpath "/tmp")
|
|
(subpath "/private/tmp")
|
|
(subpath (param "TMPDIR"))
|
|
)
|
|
|
|
; Workspace access using parameterized paths
|
|
(allow file-read* file-write*
|
|
(subpath (param "WORKSPACE"))
|
|
)
|
|
`;
|
|
|
|
/**
|
|
* The network-specific macOS Seatbelt (SBPL) profile rules.
|
|
*
|
|
* These rules are appended to the base profile when network access is enabled,
|
|
* allowing standard socket creation, DNS resolution, and TLS certificate validation.
|
|
*/
|
|
export const NETWORK_SEATBELT_PROFILE = `
|
|
; Network Access
|
|
(allow network*)
|
|
|
|
(allow system-socket
|
|
(require-all
|
|
(socket-domain AF_SYSTEM)
|
|
(socket-protocol 2)
|
|
)
|
|
)
|
|
|
|
(allow mach-lookup
|
|
(global-name "com.apple.bsd.dirhelper")
|
|
(global-name "com.apple.system.opendirectoryd.membership")
|
|
(global-name "com.apple.SecurityServer")
|
|
(global-name "com.apple.networkd")
|
|
(global-name "com.apple.ocspd")
|
|
(global-name "com.apple.trustd.agent")
|
|
(global-name "com.apple.mDNSResponder")
|
|
(global-name "com.apple.mDNSResponderHelper")
|
|
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
|
|
(global-name "com.apple.SystemConfiguration.configd")
|
|
)
|
|
|
|
(allow sysctl-read
|
|
(sysctl-name-regex #"^net.routetable")
|
|
)
|
|
`;
|