@downcity/shell 0.1.12 → 0.1.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MacOsSeatbeltSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"MacOsSeatbeltSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;AAiI3C,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAAC,UAAU,CA+B1F;AAED;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,kBAAkB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC,CA4C7B"}
|
|
@@ -51,6 +51,32 @@ function buildWritablePaths(params) {
|
|
|
51
51
|
params.config.cacheDir,
|
|
52
52
|
]);
|
|
53
53
|
}
|
|
54
|
+
/**
|
|
55
|
+
* 构建 macOS Seatbelt TLS/HTTPS 相关规则。
|
|
56
|
+
*
|
|
57
|
+
* 关键点(中文)
|
|
58
|
+
* - macOS Seatbelt 会阻止 sandbox 内进程读取系统 SSL 配置、根证书和用户钥匙串。
|
|
59
|
+
* - libressl/openssl 初始化时需要 `/private/etc/ssl/openssl.cnf` 和 `/etc/ssl/cert.pem`。
|
|
60
|
+
* - curl 在 macOS 上默认走 SecureTransport,需要访问系统钥匙串和 `trustd`/`SecurityServer`。
|
|
61
|
+
* - 这里显式放行 HTTPS 握手所需的最小文件集合和服务,避免把 TLS 请求误判为网络不通。
|
|
62
|
+
*/
|
|
63
|
+
function buildTlsRules() {
|
|
64
|
+
return [
|
|
65
|
+
// `/etc` 在 macOS 上是 `/private/etc` 的 symlink;seatbelt subpath 匹配通常按真实路径解析,
|
|
66
|
+
// 因此需要单独放行 `/private/etc`,否则 openssl 读取 `/private/etc/ssl/openssl.cnf` 会被拒绝。
|
|
67
|
+
`(allow file-read* (subpath "/private/etc"))`,
|
|
68
|
+
// 系统根证书(旧版 .keychain 与新版 .keychain-db)。
|
|
69
|
+
`(allow file-read* (literal "/System/Library/Keychains/SystemRootCertificates.keychain"))`,
|
|
70
|
+
`(allow file-read* (literal "/System/Library/Keychains/SystemRootCertificates.keychain-db"))`,
|
|
71
|
+
`(allow file-read* (literal "/Library/Keychains/System.keychain"))`,
|
|
72
|
+
`(allow file-read* (literal "/Library/Keychains/System.keychain-db"))`,
|
|
73
|
+
// 当前用户钥匙串,用于访问用户证书或自定义根证书。
|
|
74
|
+
`(allow file-read* (regex #"^/Users/[^/]+/Library/Keychains/.*"))`,
|
|
75
|
+
// Security 框架服务,SecureTransport 校验证书链时需要。
|
|
76
|
+
`(allow mach-lookup (global-name "com.apple.SecurityServer"))`,
|
|
77
|
+
`(allow mach-lookup (global-name "com.apple.trustd"))`,
|
|
78
|
+
];
|
|
79
|
+
}
|
|
54
80
|
function buildNetworkRules(networkMode) {
|
|
55
81
|
if (networkMode === "restricted" || networkMode === "full") {
|
|
56
82
|
return ["(allow network-outbound)", "(allow network-inbound)"];
|
|
@@ -76,6 +102,7 @@ function buildSeatbeltProfile(params) {
|
|
|
76
102
|
...readablePaths.map((value) => `(allow file-read* (subpath "${escapeSeatbeltString(value)}"))`),
|
|
77
103
|
...writablePaths.map((value) => `(allow file-write* (subpath "${escapeSeatbeltString(value)}"))`),
|
|
78
104
|
...buildNetworkRules(params.config.networkMode),
|
|
105
|
+
...buildTlsRules(),
|
|
79
106
|
];
|
|
80
107
|
// 关键点(中文)
|
|
81
108
|
// - `cwd` 需要显式出现在读集合里,否则很多命令刚启动时就会因为工作目录不可见而失败。
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MacOsSeatbeltSandbox.js","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,UAAU,CAAC;AAM1B,MAAM,kBAAkB,GACtB,gEAAgE,CAAC;AAEnE,SAAS,oBAAoB,CAAC,KAAa;IACzC,OAAO,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,WAAW,CAAC,MAAgB;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,SAAS;QAClD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,MAM3B;IACC,OAAO,WAAW,CAAC;QACjB,MAAM;QACN,MAAM;QACN,SAAS;QACT,MAAM;QACN,MAAM;QACN,UAAU;QACV,eAAe;QACf,YAAY;QACZ,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,UAAU;QACjB,MAAM,CAAC,MAAM;QACb,MAAM,CAAC,QAAQ;QACf,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA0B;IACpD,OAAO,WAAW,CAAC;QACjB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa;QAC9B,MAAM,CAAC,YAAY;QACnB,MAAM,CAAC,MAAM,CAAC,UAAU;QACxB,MAAM,CAAC,MAAM,CAAC,MAAM;QACpB,MAAM,CAAC,MAAM,CAAC,QAAQ;KACvB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,iBAAiB,CAAC,WAAwD;IACjF,IAAI,WAAW,KAAK,YAAY,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3D,OAAO,CAAC,0BAA0B,EAAE,yBAAyB,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAE7B;IACC,MAAM,aAAa,GAAG,kBAAkB,CAAC;QACvC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;QAChC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;QACpC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;KACjC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG;QACZ,aAAa;QACb,gBAAgB;QAChB,sBAAsB;QACtB,kBAAkB;QAClB,qBAAqB;QACrB,4BAA4B;QAC5B,GAAG,aAAa,CAAC,GAAG,CAClB,CAAC,KAAK,EAAE,EAAE,CAAC,+BAA+B,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAC3E;QACD,GAAG,aAAa,CAAC,GAAG,CAClB,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAC5E;QACD,GAAG,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"MacOsSeatbeltSandbox.js","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,UAAU,CAAC;AAM1B,MAAM,kBAAkB,GACtB,gEAAgE,CAAC;AAEnE,SAAS,oBAAoB,CAAC,KAAa;IACzC,OAAO,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,WAAW,CAAC,MAAgB;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,SAAS;QAClD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,MAM3B;IACC,OAAO,WAAW,CAAC;QACjB,MAAM;QACN,MAAM;QACN,SAAS;QACT,MAAM;QACN,MAAM;QACN,UAAU;QACV,eAAe;QACf,YAAY;QACZ,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,UAAU;QACjB,MAAM,CAAC,MAAM;QACb,MAAM,CAAC,QAAQ;QACf,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA0B;IACpD,OAAO,WAAW,CAAC;QACjB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa;QAC9B,MAAM,CAAC,YAAY;QACnB,MAAM,CAAC,MAAM,CAAC,UAAU;QACxB,MAAM,CAAC,MAAM,CAAC,MAAM;QACpB,MAAM,CAAC,MAAM,CAAC,QAAQ;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa;IACpB,OAAO;QACL,2EAA2E;QAC3E,6EAA6E;QAC7E,6CAA6C;QAE7C,wCAAwC;QACxC,0FAA0F;QAC1F,6FAA6F;QAC7F,mEAAmE;QACnE,sEAAsE;QAEtE,2BAA2B;QAC3B,kEAAkE;QAElE,0CAA0C;QAC1C,8DAA8D;QAC9D,sDAAsD;KACvD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,WAAwD;IACjF,IAAI,WAAW,KAAK,YAAY,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;QAC3D,OAAO,CAAC,0BAA0B,EAAE,yBAAyB,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAE7B;IACC,MAAM,aAAa,GAAG,kBAAkB,CAAC;QACvC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;QAChC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;QACpC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;KACjC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG;QACZ,aAAa;QACb,gBAAgB;QAChB,sBAAsB;QACtB,kBAAkB;QAClB,qBAAqB;QACrB,4BAA4B;QAC5B,GAAG,aAAa,CAAC,GAAG,CAClB,CAAC,KAAK,EAAE,EAAE,CAAC,+BAA+B,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAC3E;QACD,GAAG,aAAa,CAAC,GAAG,CAClB,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAC5E;QACD,GAAG,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC;QAC/C,GAAG,aAAa,EAAE;KACnB,CAAC;IAEF,UAAU;IACV,gDAAgD;IAChD,0CAA0C;IAC1C,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,+BAA+B,oBAAoB,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACzF,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,MAA0B;IACrE,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;YAAE,SAAS;QACzD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,SAAS;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;YAAE,SAAS;QACzD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,kBAAkB,CAAC,CAAC;IACzE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IACjC,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IACpC,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAClC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAC/B,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAChC,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IACnC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvD,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;IAC5C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;IACrB,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC;IAC9C,GAAG,CAAC,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IAC5C,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAC1C,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;IAC9C,GAAG,CAAC,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC;IAE7B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAkD;IAElD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAEzE,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAExC,MAAM,OAAO,GAAG,oBAAoB,CAAC;QACnC,GAAG,MAAM;KACV,CAAC,CAAC;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAElD,MAAM,KAAK,GAAG,KAAK,CACjB,cAAc,EACd;QACE,IAAI;QACJ,WAAW;QACX,MAAM,CAAC,SAAS;QAChB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI;QAC3B,MAAM,CAAC,GAAG;KACX,EACD;QACE,GAAG,EAAE,MAAM,CAAC,SAAS;QACrB,KAAK,EAAE,MAAM;QACb,GAAG,EAAE,4BAA4B,CAAC,MAAM,CAAC;KAC1C,CACF,CAAC;IAEF,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjC,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAEjC,OAAO;QACL,KAAK;QACL,GAAG,EAAE,MAAM,CAAC,SAAS;QACrB,SAAS,EAAE,IAAI;QACf,WAAW,EAAE,MAAM;QACnB,OAAO,EAAE,gBAAgB;QACzB,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;QACtC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;QACpC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO;QAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;KACjC,CAAC;AACJ,CAAC"}
|