Added seatbelt policy rule to allow os.cpus (#11277)
I don't think this policy change increases the risk, other than potentially exposing the caller to bugs in these kernel calls, which are unlikely. Without this change, some tools are silently failing or making incorrect decisions about the processor type (e.g. installing x86 binaries rather than Apple silicon binaries). This addresses #11210 --------- Co-authored-by: viyatb-oai <viyatb@openai.com>
committed by
GitHub
Unverified
parent
c0ecc2e1e1
commit
fa767871cb
@@ -314,6 +314,18 @@ mod tests {
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn base_policy_allows_node_cpu_sysctls() {
|
||||
assert!(
|
||||
MACOS_SEATBELT_BASE_POLICY.contains("(sysctl-name \"machdep.cpu.brand_string\")"),
|
||||
"base policy must allow CPU brand lookup for os.cpus()"
|
||||
);
|
||||
assert!(
|
||||
MACOS_SEATBELT_BASE_POLICY.contains("(sysctl-name \"hw.model\")"),
|
||||
"base policy must allow hardware model lookup for os.cpus()"
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn create_seatbelt_args_routes_network_through_proxy_ports() {
|
||||
let policy = dynamic_network_policy(
|
||||
|
||||
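Review bot: The two assertions in `base_policy_allows_node_cpu_sysctls` use `contains` on the whole policy text, so they would still pass if the rule were later commented out or moved under a different operation than the sysctl read allowance. Matching a complete trimmed line is stricter, e.g. `MACOS_SEATBELT_BASE_POLICY.lines().any(|l| l.trim() == "(sysctl-name \"hw.model\")")`. The hunk headers of the policy change suggest four lines were added in total, while the test pins only `machdep.cpu.brand_string` and `hw.model`; if the other additions are also required by os.cpus(), they deserve an assertion too. A doc comment such as `/// Guards the sysctl allowlist entries needed by os.cpus() (#11210).` would tie the test to the issue.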
@@ -39,6 +39,7 @@
|
||||
(sysctl-name "hw.l3cachesize_compat")
|
||||
(sysctl-name "hw.logicalcpu_max")
|
||||
(sysctl-name "hw.machine")
|
||||
(sysctl-name "hw.model")
|
||||
(sysctl-name "hw.memsize")
|
||||
(sysctl-name "hw.ncpu")
|
||||
(sysctl-name "hw.nperflevels")
|
||||
@@ -51,8 +52,11 @@
|
||||
(sysctl-name "hw.pagesize")
|
||||
(sysctl-name "hw.physicalcpu")
|
||||
(sysctl-name "hw.physicalcpu_max")
|
||||
(sysctl-name "hw.logicalcpu")
|
||||
(sysctl-name "hw.cpufrequency")
|
||||
(sysctl-name "hw.tbfrequency_compat")
|
||||
(sysctl-name "hw.vectorunit")
|
||||
(sysctl-name "machdep.cpu.brand_string")
|
||||
(sysctl-name "kern.argmax")
|
||||
(sysctl-name "kern.hostname")
|
||||
(sysctl-name "kern.maxfilesperproc")
|
||||
|
||||
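Review bot: The new allowlist entries carry no comment saying which caller needs them, so the only rationale lives in the commit message and a later least-privilege audit of this list has nothing to go on. Next to `(sysctl-name "hw.model")` and `(sysctl-name "machdep.cpu.brand_string")` I would add a line such as `; needed by os.cpus(); see #11210`. Both values identify the host hardware, so the comment could also record that exposing them to sandboxed code was judged acceptable. The enclosing form starts outside these hunks, so it is not visible here whether the names sit under a read-only sysctl rule; that is worth confirming.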