Narrow LibreOffice sandbox allowances

codex-rs/sandboxing/src/seatbelt_base_policy.sbpl

@@ -55,9 +55,7 @@
   (sysctl-name "hw.vectorunit")
   (sysctl-name "machdep.cpu.brand_string")
   (sysctl-name "kern.argmax")
-  (sysctl-name "kern.bootargs")
   (sysctl-name "kern.hostname")
-  (sysctl-name "kern.iossupportversion")
   (sysctl-name "kern.maxfilesperproc")
   (sysctl-name "kern.maxproc")
   (sysctl-name "kern.osproductversion")
@@ -68,8 +66,6 @@
   (sysctl-name "kern.secure_kernel")
   (sysctl-name "kern.usrstack64")
   (sysctl-name "kern.version")
-  (sysctl-name "kern.willshutdown")
-  (sysctl-name "security.mac.lockdown_mode_state")
   (sysctl-name "sysctl.proc_cputype")
   (sysctl-name "vm.loadavg")
   (sysctl-name-prefix "hw.perflevel")
@@ -106,13 +102,10 @@
   (global-name "com.apple.PowerManagement.control")
 )
 
-; AppKit and CoreServices can be initialized by app-bundle CLIs even when
-; running in headless modes such as document conversion.
+; LibreOffice initializes AppKit/CoreServices even for headless document
+; conversion. Keep this to the services observed as required for that flow.
 (allow mach-lookup
-  (global-name "com.apple.CoreServices.coreservicesd")
   (global-name "com.apple.coreservices.launchservicesd")
-  (global-name "com.apple.hiservices-xpcservice")
-  (global-name "com.apple.lsd.mapdb")
   (global-name "com.apple.windowserver.active")
 )
 

codex-rs/sandboxing/src/seatbelt_tests.rs

@@ -141,14 +141,7 @@ fn full_disk_read_policy_keeps_appkit_platform_ipc_allowances() {
     );
 
     for required in [
-        "(sysctl-name \"kern.bootargs\")",
-        "(sysctl-name \"kern.iossupportversion\")",
-        "(sysctl-name \"kern.willshutdown\")",
-        "(sysctl-name \"security.mac.lockdown_mode_state\")",
-        "(global-name \"com.apple.CoreServices.coreservicesd\")",
         "(global-name \"com.apple.coreservices.launchservicesd\")",
-        "(global-name \"com.apple.hiservices-xpcservice\")",
-        "(global-name \"com.apple.lsd.mapdb\")",
         "(global-name \"com.apple.windowserver.active\")",
         "(allow system-socket (socket-domain AF_UNIX))",
         "(allow network-bind (prefix \"/private/tmp/OSL_PIPE_\"))",
@@ -160,6 +153,13 @@ fn full_disk_read_policy_keeps_appkit_platform_ipc_allowances() {
     }
 
     for overly_broad in [
+        "(sysctl-name \"kern.bootargs\")",
+        "(sysctl-name \"kern.iossupportversion\")",
+        "(sysctl-name \"kern.willshutdown\")",
+        "(sysctl-name \"security.mac.lockdown_mode_state\")",
+        "(global-name \"com.apple.CoreServices.coreservicesd\")",
+        "(global-name \"com.apple.hiservices-xpcservice\")",
+        "(global-name \"com.apple.lsd.mapdb\")",
         "(global-name \"com.apple.windowserver\")",
         "(global-name \"com.apple.ViewBridgeAuxiliary\")",
         "(allow network-bind (local unix-socket (subpath \"/private/tmp\")))",