Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ {
2+ "label" : " Cookbook" ,
3+ "position" : 5
4+ }
5+
Original file line number Diff line number Diff line change 1+ # Common Expression Language (CEL)
2+
3+ This page lists well-known and/or community-contributed CEL expressions.
4+
5+ ## Apps signed since X
6+
7+ This will prevent executions of an app where the specific binary was signed
8+ before the provided date. This is particularly useful when attached to a
9+ ` TEAMID ` or ` SIGNINGID ` rule.
10+
11+ ``` clike
12+ target.signing_time >= timestamp('2025-05-31T00:00:00Z')
13+ ```
14+
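Review bot: the page does not say what the expression evaluates to when `target.signing_time` is absent (an unsigned binary, or one signed without a timestamp), so a reader attaching it to a `TEAMID` or `SIGNINGID` rule cannot tell whether such binaries end up blocked; add a sentence covering that case. Minor: the fence is tagged `clike`, which highlights the CEL expression as C; an untagged fence would be more accurate.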
Original file line number Diff line number Diff line change 1+ # File-Access Authorization
2+
3+ This page lists well-known and/or community-contributed file-access
4+ authorization policy fragments.
5+
6+ ## Chrome Browser Cookies
7+
8+ This policy will prevent reads of cookies from Google Chrome, from any profile
9+ managed by any user, except to Chrome itself and the Spotlight indexing
10+ process.
11+
12+ ``` xml
13+ <key >ChromeCookies</key >
14+ <dict >
15+ <key >Paths</key >
16+ <array >
17+ <dict >
18+ <key >Path</key >
19+ <string >/Users/*/Library/Application Support/Google/Chrome/*/Cookies</string >
20+ <key >IsPrefix</key >
21+ <true />
22+ </dict >
23+ </array >
24+ <key >Options</key >
25+ <dict >
26+ <key >AllowReadAccess</key >
27+ <false />
28+ <key >AuditOnly</key >
29+ <false />
30+ <key >RuleType</key >
31+ <string >PathsWithAllowedProcesses</string >
32+ </dict >
33+ <key >Processes</key >
34+ <array >
35+ <dict >
36+ <key >SigningID</key >
37+ <string >com.google.Chrome*</string >
38+ <key >TeamID</key >
39+ <string >EQHXZ8M8AV</string >
40+ </dict >
41+ <dict >
42+ <key >SigningID</key >
43+ <string >com.apple.mdworker_shared</string >
44+ <key >PlatformBinary</key >
45+ <true />
46+ </dict >
47+ </array >
48+ </dict >
49+ ```
50+
51+ ## Sudoers
52+
53+ This policy prevents the sudoers config file from being modified by any process
54+ except sudo itself. With this installed, users will have to use
55+ ` sudo -e /etc/sudoers ` to modify the policy.
56+
57+ ``` xml
58+ <key >Sudoers</key >
59+ <dict >
60+ <key >Paths</key >
61+ <array >
62+ <dict >
63+ <key >Path</key >
64+ <string >/private/etc/sudoers</string >
65+ </dict >
66+ <dict >
67+ <key >Path</key >
68+ <string >/private/etc/sudoers.d/*</string >
69+ <key >IsPrefix</key >
70+ <true />
71+ </dict >
72+ <dict >
73+ <key >Path</key >
74+ <string >/private/var/db/sudo/ts/*</string >
75+ <key >IsPrefix</key >
76+ <true />
77+ </dict >
78+ </array >
79+ <key >Options</key >
80+ <dict >
81+ <key >AllowReadAccess</key >
82+ <false />
83+ <key >AuditOnly</key >
84+ <false />
85+ <key >RuleType</key >
86+ <string >PathsWithAllowedProcesses</string >
87+ </dict >
88+ <key >Processes</key >
89+ <array >
90+ <dict >
91+ <key >SigningID</key >
92+ <string >com.apple.sudo</string >
93+ <key >PlatformBinary</key >
94+ <true />
95+ </dict >
96+ </array >
97+ </dict >
98+ ```
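Review bot: the Sudoers prose says the policy prevents the files from being modified, but its `Options` set `AllowReadAccess` to `<false />`, so reads by anything other than `com.apple.sudo` are denied as well (which is also why `sudo -e` is the documented workflow); state that explicitly, or set `AllowReadAccess` to true if only writes are meant to be blocked. The prose should also explain why `/private/var/db/sudo/ts/*` (the sudo timestamp directory) is part of the same policy. For both policies, document when the `*` globs in `Path` are expanded, so readers know whether a Chrome profile or `sudoers.d` file created after the policy loads is covered.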
Original file line number Diff line number Diff line change 1+ # Transitive Allowlisting
2+
3+ This page lists well-known and/or community-contributed Transitive Allowlisting
4+ rules for various compiler toolchains.
5+
6+ For each toolchain it's important to note that the last binary that writes to
7+ the new binary is the one that should have a rule.
8+
9+ ## Xcode
10+
11+ To cover Xcode you will either need ` ld ` , ` lipo ` , or ` codesign ` , depending on
12+ how the project is configured:
13+
14+ * ` platform:com.apple.ld `
15+ * ` platform:com.apple.lipo `
16+ * ` platform:com.apple.security.codesign `
17+
18+ One important caveat: adding an ` ALLOWLIST_COMPILER ` rule for the codesign
19+ utility could potentially allow any binary to be re-signed and executed.
20+
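Review bot: the codesign caveat names the risk but gives no guidance; suggest adding that an `ALLOWLIST_COMPILER` rule for `platform:com.apple.security.codesign` should only be added where an `ld` or `lipo` rule does not cover the build, and only on the machines that need it. Minor grammar on the Xcode line: "either ... or" with three items; "one of `ld`, `lipo`, or `codesign`" reads better.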