; Copyright (C) 2020-2021 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
(version 1)
;; Deny-by-default baseline: every operation not explicitly allowed further down
;; is refused. The modifier only changes how the denial is reported, not the
;; decision itself (presumably; confirm against the sandbox compiler docs).
(deny default (with partial-symbolication))
(deny nvram*)
(deny system-privilege)
;; Silence spurious logging due to rdar://20117923 and rdar://72366475
;; Same decision as the system-privilege deny above for this one privilege-id,
;; re-stated with no-report so the denial is not logged.
(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
(import "util.sb")
;; Read access to the PublicInfo subtrees of installed configuration profiles:
;; the system group container plus two locations under the front user's home.
;; Invoked once at top level further down.
(define-once (managed-configuration-read-public)
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
;; Metadata-only access (no data reads) to the home directory itself (empty
;; relative path) and to ~/Library/Preferences. Shared by mobile-preferences-read
;; and also called directly in the UIKit-apps section below.
(define-once (allow-preferences-common)
(allow file-read-metadata
(home-literal "")
(home-literal "/Library/Preferences")))
;; Grant read access to one or more preference domains.
;; For every domain passed in, this allows user-preference-read on the domain and
;; file-read* on its plist under ~/Library/Preferences; the preferences directory
;; metadata grant (allow-preferences-common) is issued first, once per call.
(define-once (mobile-preferences-read . domains)
  (allow-preferences-common)
  (for-each
    (lambda (d)
      (allow user-preference-read (preference-domain d))
      (allow file-read*
        (home-literal (string-append "/Library/Preferences/" d ".plist"))))
    domains))
;; Extra read/map/shared-memory access used for debugging. Only invoked further
;; down inside (with-filter (system-attribute apple-internal)), so nothing here
;; applies on customer builds.
(define-once (internal-debugging-support)
;; Developer tools tree: readable and mappable as executable code.
(allow file-read* file-map-executable
(subpath "/Developer"))
;; Named POSIX shared memory selected by name prefix.
(allow ipc-posix-shm
(ipc-posix-name-prefix "stack-logs")
(ipc-posix-name-prefix "OA-")
(ipc-posix-name-prefix "/FSM-"))
;; gdt-<id>-c / gdt-<id>-s segments may additionally be written and unlinked.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
(ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
;; Internal library locations may be mapped executable. NOTE(review): this inner
;; apple-internal filter is redundant with the one at the call site, but harmless.
(with-filter (system-attribute apple-internal)
;; <rdar://problem/8565035>
;; <rdar://problem/23857452>
;; <rdar://problem/72317112>
(allow file-read* file-map-executable
(subpath
"/AppleInternal"
"/usr/local/lib"
"/usr/appleinternal/lib"
)
)
)
;; Locally built products under the front user's home, including the right to
;; issue extensions for them; elevated precedence presumably keeps later rules
;; from shadowing this grant.
(with-elevated-precedence
(allow file-read* file-map-executable file-issue-extension
(front-user-home-subpath "/XcodeBuiltProducts")
)
)
;; <rdar://problem/8107758>
;; System frameworks: readable and mappable.
(allow file-read* file-map-executable
(subpath
"/System/Library/Frameworks"
"/System/Library/PrivateFrameworks"
)
)
;; <rdar://problem/32544921>
(mobile-preferences-read "com.apple.hangtracer")
)
;; Device-node policy. Block and character devices are denied as a class first;
;; the specific nodes below are then granted individually.
(define-once (device-access)
(deny file-read* file-write*
(vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
;; Read plus write-data (no ioctl) on the null and zero devices.
(allow file-read* file-write-data
(literal
"/dev/null"
"/dev/zero"
)
)
;; Entropy sources are read-only; writes are denied explicitly further down so
;; the denial is not reported.
(allow file-read*
(literal
"/dev/random"
"/dev/urandom"
)
)
;; dtrace helper node: usable on internal builds, silently denied elsewhere.
(if (system-attribute apple-internal)
(allow file-read* file-write-data file-ioctl
(literal "/dev/dtracehelper"))
; else
(deny (with no-log) file-read* file-write-data file-ioctl
(literal "/dev/dtracehelper"))
)
;; <rdar://problem/14215718>
(deny file-write-data (with no-report)
(literal
"/dev/random"
"/dev/urandom"
)
)
;; NOTE(review): /dev/aes_0 (presumably the AES device node) is granted read,
;; write-data and ioctl on all builds; worth confirming this process still needs
;; the raw node rather than a framework API.
(allow file-read* file-write-data file-ioctl
(literal "/dev/aes_0")
)
)
;; Filter naming the /etc files this process may read. Bound to a name so the
;; file-read* grant issued at top level further down can reference it.
(define required-etc-files
  (literal "/private/etc/group"
           "/private/etc/hosts"
           "/private/etc/passwd"
           "/private/etc/protocols"
           "/private/etc/services"))
;; Baseline denials: no executable mapping and no mount/unmount. The mapping
;; exceptions (/System/Library, /usr/lib, frameworks) are granted below.
(deny file-map-executable)
(deny file-write-mount file-write-unmount)
;; com.apple.security preferences on every build; PrototypeTools only internally.
(mobile-preferences-read "com.apple.security")
(with-filter (system-attribute apple-internal)
(mobile-preferences-read "com.apple.PrototypeTools")
)
;; Rules in this form get elevated precedence, presumably so that later, more
;; general rules cannot override them.
(with-elevated-precedence
;; Broad read access to system libraries, shared data, the timezone database and
;; the logging preferences.
(allow file-read*
(subpath
"/usr/lib"
"/usr/share"
"/private/var/db/timezone"
"/private/var/preferences/Logging" ;;; <rdar://problem/24144418>
"/System/Library"
)
)
;; Carve-out inside the /System/Library grant above: caches that identify the
;; specific device (apticket, kernelcaches, factorydata) stay unreadable and
;; cannot be handed out as file extensions.
(let ((hw-identifying-paths
(require-any
(literal "/System/Library/Caches/apticket.der")
(subpath "/System/Library/Caches/com.apple.kernelcaches")
(subpath "/System/Library/Caches/com.apple.factorydata"))))
(deny file-issue-extension file-read* hw-identifying-paths))
;; Only system and /usr/lib code may be mapped executable.
(allow file-map-executable
(subpath
"/System/Library"
"/usr/lib"
)
)
;; Metadata reads on any directory or symlink.
(allow file-read-metadata
(vnode-type
DIRECTORY
SYMLINK
)
)
;; Global (any-application) preferences: user domain, its plist, managed domain.
(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
(allow file-read*
(front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
(allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
;; NOTE(review): the front-user .GlobalPreferences.plist grant is repeated here;
;; only the Managed Preferences plist is new.
(allow file-read*
(front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
)
(allow file-read-metadata
(home-literal "/Library/Caches/powerlog.launchd"))
;; <rdar://problem/13963294>
;; Nothing under an SC_Info directory inside the executable bundle may be read,
;; mapped executable, or issued as an extension.
(deny file-read-data file-issue-extension file-map-executable
(require-all
(executable-bundle)
(regex #"/[^/]+/SC_Info/")))
)
;; Debugging grants (defined above) only on apple-internal builds.
(with-filter (system-attribute apple-internal)
(internal-debugging-support)
)
;; /etc lookup files (filter defined above), preinstalled assets and the log
;; helper library.
(allow file-read* required-etc-files)
(allow file-read*
(subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
(allow file-read-data
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
;; Device-node rules (defined above).
(device-access)
;; Logging and notification services reachable on every build.
(allow mach-lookup
(global-name
"com.apple.logd"
"com.apple.logd.events"
"com.apple.system.notification_center"
)
)
;; Diagnostics and the system logger only internally.
(with-filter (system-attribute apple-internal)
(allow mach-lookup
(global-name
"com.apple.diagnosticd"
"com.apple.system.logger"
)
)
)
;; Lookups of the aggregated service stay denied, without a report entry.
(deny mach-lookup (with no-report)
(global-name
"com.apple.aggregated"
)
)
;; Read-only shared memory for CFPreferences.
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
;; <rdar://problem/12413942>
;; Cached MobileGestalt answers in the system group container.
(allow file-read*
(well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
;; Notification-center shared memory, read-only.
(allow ipc-posix-shm-read*
(ipc-posix-name "apple.shm.notification_center"))
;; Internal builds may open the purplebuddy sentinel semaphore, but not create,
;; post, unlink or wait on it.
(with-filter
(require-all
(system-attribute apple-internal)
(ipc-posix-name "purplebuddy.sentinel"))
(deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
(allow ipc-posix-sem-open)
)
;; Public configuration-profile data (defined above).
(managed-configuration-read-public)
;; The net.link.addr info-type (presumably the link-layer address) is withheld
;; without a report entry.
(deny system-info (with no-report)
(info-type "net.link.addr"))
;; Task-name and process-info operations are limited to the process itself via
;; (target self); the same operations against other PIDs stay denied by default.
(allow mach-task-name (target self))
(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))
;;;
;;; End common.sb content
;;;
;; No XPC service may be looked up: an empty prefix matches every service name.
(deny mach-lookup (xpc-service-name-prefix ""))
;; IOKit property reads are denied here; note the unfiltered
;; (allow iokit-get-properties ...) further down, which (if later rules take
;; precedence, as is usual in SBPL) reopens them.
(deny iokit-get-properties (with partial-symbolication))
(deny lsopen)
;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;; Metadata on the home and preferences directories (helper defined above).
(allow-preferences-common)
;; Home Button
;; An explicitly scoped IOKit property read: only home-button-type, only on
;; IOPlatformDevice registry entries.
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
(allow iokit-get-properties (with telemetry)
(iokit-property "home-button-type")))
;; Writes to these two plists are denied silently (no-log) rather than reported.
(deny file-write*
(home-literal
"/Library/Caches/DateFormats.plist" ; Silently deny writes when CFData attempts to write to the cache directory.
"/Library/Preferences/com.apple.springboard.plist" ;; <rdar://problem/9375027>
)
(with no-log))
;;;
;;; End UIKit-apps.sb content
;;;
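;; Sysctl access is deny-by-default. The allow-list below is read-only and
;; covers CPU/cache topology, memory size, page size, OS version, hostname,
;; boot-args and the footprint-suspend flag. (The list previously named
;; "hw.ncpu" twice; one entry is enough, the matched set is unchanged.)
(deny sysctl*)
(allow sysctl-read
  (sysctl-name
    "hw.activecpu"
    "hw.availcpu"
    "hw.cacheconfig" ;; <rdar://problem/78213563>
    "hw.cachelinesize"
    "hw.cachesize" ;; <rdar://problem/78213563>
    "hw.cpufamily" ;; <rdar://problem/15721872>
    "hw.cpusubfamily"
    "hw.cputhreadtype"
    "hw.cputype"
    "hw.l1dcachesize" ;; <rdar://problem/15721872>
    "hw.l1icachesize" ;; <rdar://problem/15721872>
    "hw.l2cachesize"
    "hw.l3cachesize" ;; <rdar://problem/15721872>
    "hw.logicalcpu"
    "hw.logicalcpu_max"
    "hw.machine"
    "hw.memsize"
    "hw.model"
    "hw.ncpu" ;; <rdar://problem/76782530>
    "hw.nperflevels" ;; <rdar://problem/76782530>
    "hw.pagesize" ;; <rdar://problem/76782530>
    "hw.pagesize_compat"
    "hw.physicalcpu"
    "hw.physicalcpu_max"
    "hw.physmem" ;; <rdar://problem/76782530>
    "hw.vectorunit" ;; <rdar://problem/76782530>
    "kern.bootargs"
    "kern.hostname"
    "kern.hv_vmm_present"
    "kern.maxfilesperproc"
    "kern.memorystatus_level"
    "kern.osproductversion"
    "kern.osrelease"
    "kern.osvariant_status"
    "kern.osversion"
    "kern.ostype"
    "kern.secure_kernel"
    "kern.version"
    "vm.footprint_suspend")
  ;; Prefix matches: every hw.optional.* feature flag and every hw.perflevel* entry.
  (sysctl-name-prefix "hw.optional.") ;; <rdar://problem/70973527>
  (sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530>
)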
;; Internal builds may also write vm.footprint_suspend (read-only elsewhere).
(with-filter (system-attribute apple-internal)
(allow sysctl-read sysctl-write
(sysctl-name
"vm.footprint_suspend"
)
)
)
;; Silence noisy denials
;; sysctl.proc_native stays denied; no-report only suppresses the log entry.
(deny sysctl-read (with no-report)
(sysctl-name
"sysctl.proc_native"
)
)
;; Read-only preferences and data
(mobile-preferences-read "com.apple.LaunchServices")
;; Access to client's cache folder & re-vending to CFNetwork.
;; Only extensions that are both of the read-write app-sandbox type and of the
;; NSURL storage cache class may be re-issued.
(allow file-issue-extension
(require-all
(extension "com.apple.app-sandbox.read-write")
(extension-class "com.apple.nsurlstorage.extension-cache")))
;; No symlink creation; no access to the private security xattr namespace.
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private."))
;; FIXME: Can further restrict the following rules.
;; NOTE(review): these two allows carry no registry-entry-class or property
;; filter, so every IOKit property becomes readable and settable. If later rules
;; take precedence (as is usual in SBPL) this overrides the earlier
;; (deny iokit-get-properties ...) and makes the scoped home-button-type allow
;; above redundant; (with report)/(with telemetry) presumably only affect logging.
(allow iokit-get-properties (with report) (with telemetry))
(allow iokit-set-properties (with report) (with telemetry))
;; Full read/write on the user's Keychains directory, tracked by the rdar below.
(allow file-read* file-write*
(home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/11599825> is fixed.
;; System keychains and the SyncServices keychain-client marker, read-only.
(allow file-read*
(subpath "/Library/Keychains")
(home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))
;; The whole shared system-group container tree is readable (tracked by the
;; rdar below), plus the networkd preferences plist.
(allow file-read*
(subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389>
(literal "/private/var/preferences/com.apple.networkd.plist"))
;; Mach services this process may look up by global name. Every other lookup
;; remains covered by the deny-default baseline and the XPC-prefix deny above.
(allow mach-lookup
;; Allow accesses to the Springboard view services.
(global-name
"com.apple.frontboard.systemappservices"
"com.apple.runningboard"
)
;; Allow accesses to LocalAuthentication and RemoteService
(global-name
"com.apple.CoreAuthentication.daemon"
"com.apple.remoted"
"com.apple.tccd"
)
;; Allow accesses to the SEP
(global-name "com.apple.ctkd.token-client")
;; Allow accesses to NFC
(global-name "com.apple.nfcd.hwmanager")
;; Allow accesses to the Keychain service
(global-name "com.apple.securityd")
;; Allow accesses to AAA and the network
(global-name
"com.apple.AppSSO.service-xpc"
"com.apple.nehelper"
"com.apple.usymptomsd"
"com.apple.dnssd.service"
"com.apple.trustd"
"com.apple.containermanagerd"
"com.apple.mobilegestalt.xpc"
)
;; Allow accesses to the ASD
(global-name "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent")
)
;; IOKit user clients this process may open directly.
(allow iokit-open
;; Allow accesses to HID
(iokit-user-client-class "IOHIDLibUserClient")
;; Allow access to the key store
(iokit-user-client-class "AppleKeyStoreUserClient")
)
;; Outbound network: the mDNSResponder control socket plus remote TCP and UDP.
;; NOTE(review): (remote tcp) and (remote udp) carry no host or port filter, so
;; outbound connections are unrestricted by destination.
(allow network-outbound
(literal "/private/var/run/mDNSResponder")
(remote tcp)
(remote udp)
)
;; Internal builds may also write to the syslog socket.
(with-filter (system-attribute apple-internal)
(allow network-outbound
(literal "/private/var/run/syslog"))
)