| ; Copyright (C) 2020-2021 Apple Inc. All rights reserved. |
| ; |
| ; Redistribution and use in source and binary forms, with or without |
| ; modification, are permitted provided that the following conditions |
| ; are met: |
| ; 1. Redistributions of source code must retain the above copyright |
| ; notice, this list of conditions and the following disclaimer. |
| ; 2. Redistributions in binary form must reproduce the above copyright |
| ; notice, this list of conditions and the following disclaimer in the |
| ; documentation and/or other materials provided with the distribution. |
| ; |
| ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' |
| ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, |
| ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS |
| ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF |
| ; THE POSSIBILITY OF SUCH DAMAGE. |
| |
| (version 1) |
| (deny default (with partial-symbolication)) |
| (deny nvram*) |
| (deny system-privilege) |
| |
| ;; Silence spurious logging due to rdar://20117923 and rdar://72366475 |
| (deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report)) |
| |
| ;;; |
| ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can |
| ;;; remove unneeded sandbox extensions. |
| ;;; |
| |
| (import "util.sb") |
| |
| (define-once (managed-configuration-read-public) |
| (allow file-read* |
| (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") |
| (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo") |
| (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))) |
| |
| (define-once (allow-preferences-common) |
| (allow file-read-metadata |
| (home-literal "") |
| (home-literal "/Library/Preferences"))) |
| |
| (define-once (mobile-preferences-read . domains) |
| (allow-preferences-common) |
| (for-each (lambda (domain) |
| (begin |
| (allow user-preference-read (preference-domain domain)) |
| (allow file-read* |
| (home-literal (string-append "/Library/Preferences/" domain ".plist"))))) |
| domains)) |
| |
| (define-once (internal-debugging-support) |
| (allow file-read* file-map-executable |
| (subpath "/Developer")) |
| |
| (allow ipc-posix-shm |
| (ipc-posix-name-prefix "stack-logs") |
| (ipc-posix-name-prefix "OA-") |
| (ipc-posix-name-prefix "/FSM-")) |
| |
| (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink |
| (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$")) |
| |
| (with-filter (system-attribute apple-internal) |
| ;; <rdar://problem/8565035> |
| ;; <rdar://problem/23857452> |
| ;; <rdar://problem/72317112> |
| (allow file-read* file-map-executable |
| (subpath |
| "/AppleInternal" |
| "/usr/local/lib" |
| "/usr/appleinternal/lib" |
| ) |
| ) |
| ) |
| (with-elevated-precedence |
| (allow file-read* file-map-executable file-issue-extension |
| (front-user-home-subpath "/XcodeBuiltProducts") |
| ) |
| ) |
| |
| ;; <rdar://problem/8107758> |
| (allow file-read* file-map-executable |
| (subpath |
| "/System/Library/Frameworks" |
| "/System/Library/PrivateFrameworks" |
| ) |
| ) |
| |
| ;; <rdar://problem/32544921> |
| (mobile-preferences-read "com.apple.hangtracer") |
| ) |
| |
| (define-once (device-access) |
| (deny file-read* file-write* |
| (vnode-type BLOCK-DEVICE CHARACTER-DEVICE)) |
| |
| (allow file-read* file-write-data |
| (literal |
| "/dev/null" |
| "/dev/zero" |
| ) |
| ) |
| |
| (allow file-read* |
| (literal |
| "/dev/random" |
| "/dev/urandom" |
| ) |
| ) |
| |
| (if (system-attribute apple-internal) |
| (allow file-read* file-write-data file-ioctl |
| (literal "/dev/dtracehelper")) |
| ; else |
| (deny (with no-log) file-read* file-write-data file-ioctl |
| (literal "/dev/dtracehelper")) |
| ) |
| |
| ;; <rdar://problem/14215718> |
| (deny file-write-data (with no-report) |
| (literal |
| "/dev/random" |
| "/dev/urandom" |
| ) |
| ) |
| |
| (allow file-read* file-write-data file-ioctl |
| (literal "/dev/aes_0") |
| ) |
| ) |
| |
| (define required-etc-files |
| (literal |
| "/private/etc/hosts" |
| "/private/etc/group" |
| "/private/etc/passwd" |
| "/private/etc/protocols" |
| "/private/etc/services" |
| ) |
| ) |
| |
| (deny file-map-executable) |
| |
| (deny file-write-mount file-write-unmount) |
| |
| (mobile-preferences-read "com.apple.security") |
| |
| (with-filter (system-attribute apple-internal) |
| (mobile-preferences-read "com.apple.PrototypeTools") |
| ) |
| |
| (with-elevated-precedence |
| (allow file-read* |
| (subpath |
| "/usr/lib" |
| "/usr/share" |
| "/private/var/db/timezone" |
| "/private/var/preferences/Logging" ;;; <rdar://problem/24144418> |
| "/System/Library" |
| ) |
| ) |
| |
| (let ((hw-identifying-paths |
| (require-any |
| (literal "/System/Library/Caches/apticket.der") |
| (subpath "/System/Library/Caches/com.apple.kernelcaches") |
| (subpath "/System/Library/Caches/com.apple.factorydata")))) |
| (deny file-issue-extension file-read* hw-identifying-paths)) |
| |
| (allow file-map-executable |
| (subpath |
| "/System/Library" |
| "/usr/lib" |
| ) |
| ) |
| |
| (allow file-read-metadata |
| (vnode-type |
| DIRECTORY |
| SYMLINK |
| ) |
| ) |
| |
| (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication")) |
| (allow file-read* |
| (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")) |
| (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication")) |
| |
| (allow file-read* |
| (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist") |
| (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") |
| ) |
| |
| (allow file-read-metadata |
| (home-literal "/Library/Caches/powerlog.launchd")) |
| |
| ;; <rdar://problem/13963294> |
| (deny file-read-data file-issue-extension file-map-executable |
| (require-all |
| (executable-bundle) |
| (regex #"/[^/]+/SC_Info/"))) |
| ) |
| |
| (with-filter (system-attribute apple-internal) |
| (internal-debugging-support) |
| ) |
| |
| (allow file-read* required-etc-files) |
| |
| (allow file-read* |
| (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs")) |
| |
| (allow file-read-data |
| (literal "/usr/local/lib/log") ; <rdar://problem/36629495> |
| ) |
| |
| (device-access) |
| |
| (allow mach-lookup |
| (global-name |
| "com.apple.logd" |
| "com.apple.logd.events" |
| "com.apple.system.notification_center" |
| ) |
| ) |
| |
| (with-filter (system-attribute apple-internal) |
| (allow mach-lookup |
| (global-name |
| "com.apple.diagnosticd" |
| "com.apple.system.logger" |
| ) |
| ) |
| ) |
| |
| (deny mach-lookup (with no-report) |
| (global-name |
| "com.apple.aggregated" |
| ) |
| ) |
| |
| (allow ipc-posix-shm-read* |
| (ipc-posix-name-prefix "apple.cfprefs.")) |
| |
| ;; <rdar://problem/12413942> |
| (allow file-read* |
| (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist")) |
| |
| (allow ipc-posix-shm-read* |
| (ipc-posix-name "apple.shm.notification_center")) |
| |
| (with-filter |
| (require-all |
| (system-attribute apple-internal) |
| (ipc-posix-name "purplebuddy.sentinel")) |
| (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait) |
| (allow ipc-posix-sem-open) |
| ) |
| |
| (managed-configuration-read-public) |
| |
| (deny system-info (with no-report) |
| (info-type "net.link.addr")) |
| |
| (allow mach-task-name (target self)) |
| |
| (allow process-info-pidinfo (target self)) |
| (allow process-info-pidfdinfo (target self)) |
| (allow process-info-pidfileportinfo (target self)) |
| (allow process-info-setcontrol (target self)) |
| (allow process-info-dirtycontrol (target self)) |
| (allow process-info-rusage (target self)) |
| (allow process-info-codesignature (target self)) |
| |
| ;;; |
| ;;; End common.sb content |
| ;;; |
| |
| (deny mach-lookup (xpc-service-name-prefix "")) |
| (deny iokit-get-properties (with partial-symbolication)) |
| (deny lsopen) |
| |
| ;;; |
| ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can |
| ;;; remove unneeded sandbox extensions. |
| ;;; |
| |
| (allow-preferences-common) |
| |
| ;; Home Button |
| (with-filter (iokit-registry-entry-class "IOPlatformDevice") |
| (allow iokit-get-properties (with telemetry) |
| (iokit-property "home-button-type"))) |
| |
| (deny file-write* |
| (home-literal |
| "/Library/Caches/DateFormats.plist" ; Silently deny writes when CFData attempts to write to the cache directory. |
| "/Library/Preferences/com.apple.springboard.plist" ;; <rdar://problem/9375027> |
| ) |
| (with no-log)) |
| |
| ;;; |
| ;;; End UIKit-apps.sb content |
| ;;; |
| |
| (deny sysctl*) |
| (allow sysctl-read |
| (sysctl-name |
| "hw.activecpu" |
| "hw.availcpu" |
| "hw.cacheconfig" ;; <rdar://problem/78213563> |
| "hw.cachelinesize" |
| "hw.cachesize" ;; <rdar://problem/78213563> |
| "hw.cpufamily" ;; <rdar://problem/15721872> |
| "hw.cpusubfamily" |
| "hw.cputhreadtype" |
| "hw.cputype" |
| "hw.l1dcachesize" ;; <rdar://problem/15721872> |
| "hw.l1icachesize" ;; <rdar://problem/15721872> |
| "hw.l2cachesize" |
| "hw.l3cachesize" ;; <rdar://problem/15721872> |
| "hw.logicalcpu" |
| "hw.logicalcpu_max" |
| "hw.ncpu" |
| "hw.machine" |
| "hw.memsize" |
| "hw.model" |
| "hw.ncpu" ;; <rdar://problem/76782530> |
| "hw.nperflevels" ;; <rdar://problem/76782530> |
| "hw.pagesize" ;; <rdar://problem/76782530> |
| "hw.pagesize_compat" |
| "hw.physicalcpu" |
| "hw.physicalcpu_max" |
| "hw.physmem" ;; <rdar://problem/76782530> |
| "hw.vectorunit" ;; <rdar://problem/76782530> |
| "kern.bootargs" |
| "kern.hostname" |
| "kern.hv_vmm_present" |
| "kern.maxfilesperproc" |
| "kern.memorystatus_level" |
| "kern.osproductversion" |
| "kern.osrelease" |
| "kern.osvariant_status" |
| "kern.osversion" |
| "kern.ostype" |
| "kern.secure_kernel" |
| "kern.version" |
| "vm.footprint_suspend") |
| (sysctl-name-prefix "hw.optional.") ;; <rdar://problem/70973527> |
| (sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530> |
| ) |
| |
| (with-filter (system-attribute apple-internal) |
| (allow sysctl-read sysctl-write |
| (sysctl-name |
| "vm.footprint_suspend" |
| ) |
| ) |
| ) |
| |
| ;; Silence noisy denials |
| (deny sysctl-read (with no-report) |
| (sysctl-name |
| "sysctl.proc_native" |
| ) |
| ) |
| |
| ;; Read-only preferences and data |
| (mobile-preferences-read "com.apple.LaunchServices") |
| |
| ;; Access to client's cache folder & re-vending to CFNetwork. |
| (allow file-issue-extension |
| (require-all |
| (extension "com.apple.app-sandbox.read-write") |
| (extension-class "com.apple.nsurlstorage.extension-cache"))) |
| |
| (deny file-write-create (vnode-type SYMLINK)) |
| (deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private.")) |
| |
| ;; FIXME: Can further restrict the following rules. |
| (allow iokit-get-properties (with report) (with telemetry)) |
| (allow iokit-set-properties (with report) (with telemetry)) |
| |
| (allow file-read* file-write* |
| (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/11599825> is fixed. |
| |
| (allow file-read* |
| (subpath "/Library/Keychains") |
| (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")) |
| |
| (allow file-read* |
| (subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389> |
| (literal "/private/var/preferences/com.apple.networkd.plist")) |
| |
| (allow mach-lookup |
| ;; Allow accesses to the Springboard view services. |
| (global-name |
| "com.apple.frontboard.systemappservices" |
| "com.apple.runningboard" |
| ) |
| |
| ;; Allow accesses to LocalAuthentication and RemoteService |
| (global-name |
| "com.apple.CoreAuthentication.daemon" |
| "com.apple.remoted" |
| "com.apple.tccd" |
| ) |
| |
| ;; Allow accesses to the SEP |
| (global-name "com.apple.ctkd.token-client") |
| |
| ;; Allow accesses to NFC |
| (global-name "com.apple.nfcd.hwmanager") |
| |
| ;; Allow accesses to the Keychain service |
| (global-name "com.apple.securityd") |
| |
| ;; Allow accesses to AAA and the network |
| (global-name |
| "com.apple.AppSSO.service-xpc" |
| "com.apple.nehelper" |
| "com.apple.usymptomsd" |
| "com.apple.dnssd.service" |
| "com.apple.trustd" |
| "com.apple.containermanagerd" |
| "com.apple.mobilegestalt.xpc" |
| ) |
| |
| ;; Allow accesses to the ASD |
| (global-name "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent") |
| ) |
| |
| (allow iokit-open |
| ;; Allow accesses to HID |
| (iokit-user-client-class "IOHIDLibUserClient") |
| |
| ;; Allow access to the key store |
| (iokit-user-client-class "AppleKeyStoreUserClient") |
| ) |
| |
| (allow network-outbound |
| (literal "/private/var/run/mDNSResponder") |
| (remote tcp) |
| (remote udp) |
| ) |
| |
| (with-filter (system-attribute apple-internal) |
| (allow network-outbound |
| (literal "/private/var/run/syslog")) |
| ) |