; Copyright (C) 2020-2021 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

;; Profile header. Everything not explicitly allowed further down is denied;
;; the partial-symbolication modifier only changes how default denials are
;; reported, not what is denied.
(version 1)
(deny default (with partial-symbolication))
;; No nvram* operations at all.
(deny nvram*)
;; No system privileges. The rule after this one does not grant anything; it
;; only stops one known-noisy denial from being reported.
(deny system-privilege)

;; Silence spurious logging due to rdar://20117923 and rdar://72366475
(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

(import "util.sb")

;; Read-only access to the *public* part of installed configuration profiles:
;; the system group container plus the front user's two profile stores. Only
;; the PublicInfo subtrees are granted, so the rest of each profile store is
;; not reachable through this rule.
(define-once (managed-configuration-read-public)
    (allow file-read*
           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))

;; Metadata-only (stat-style) access to the home directory and its
;; Preferences folder so preference paths can be traversed. Grants no data
;; reads by itself; per-domain reads come from mobile-preferences-read.
(define-once (allow-preferences-common)
    (allow file-read-metadata
        (home-literal "")
        (home-literal "/Library/Preferences")))

;; (mobile-preferences-read domain ...)
;; For every preference domain passed, allow CFPreferences reads of that
;; domain and a read of its backing file ~/Library/Preferences/<domain>.plist.
;; Each domain listed exposes the full contents of that plist, so callers
;; should name only the domains the process actually consults.
(define-once (mobile-preferences-read . domains)
    (allow-preferences-common)
    (for-each (lambda (domain)
        (begin
            (allow user-preference-read (preference-domain domain))
            (allow file-read*
                (home-literal (string-append "/Library/Preferences/" domain ".plist")))))
        domains))

;; Debugging affordances for Apple-internal builds. In this file the helper is
;; invoked only inside (with-filter (system-attribute apple-internal)), so none
;; of these rules are active on customer devices; the nested apple-internal
;; filter below is an extra guard around the entries that map executable code.
(define-once (internal-debugging-support)
    ;; Read and map code from /Developer (presumably developer tooling; confirm).
    (allow file-read* file-map-executable
        (subpath "/Developer"))

    ;; POSIX shared memory used by debugging tools (stack-logs is presumably
    ;; malloc stack logging). Full ipc-posix-shm access for these prefixes.
    (allow ipc-posix-shm
        (ipc-posix-name-prefix "stack-logs")
        (ipc-posix-name-prefix "OA-")
        (ipc-posix-name-prefix "/FSM-"))

    ;; gdt-<id>-c / gdt-<id>-s segments: read, write data and unlink, but no
    ;; ipc-posix-shm-write-create.
    (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
        (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))

    ;; Code loading from internal-only library locations. Note /usr/local/lib:
    ;; anything dropped there on an internal build becomes mappable by this
    ;; process.
    (with-filter (system-attribute apple-internal)
        ;; <rdar://problem/8565035>
        ;; <rdar://problem/23857452>
        ;; <rdar://problem/72317112>
        (allow file-read* file-map-executable
            (subpath
                "/AppleInternal"
                "/usr/local/lib"
                "/usr/appleinternal/lib"
            )
        )
    )
    ;; Locally built products in the front user's home. Elevated precedence so
    ;; this wins over the profile's general file-map-executable deny; it also
    ;; grants file-issue-extension, i.e. these files may be re-vended to other
    ;; processes.
    (with-elevated-precedence
        (allow file-read* file-map-executable file-issue-extension
           (front-user-home-subpath "/XcodeBuiltProducts")
        )
    )

    ;; <rdar://problem/8107758>
    ;; System frameworks; the elevated-precedence rules later in the profile
    ;; cover /System/Library as a whole anyway.
    (allow file-read* file-map-executable
        (subpath
            "/System/Library/Frameworks"
            "/System/Library/PrivateFrameworks"
        )
    )

    ;; <rdar://problem/32544921>
    ;; Hang-tracer preferences (read-only).
    (mobile-preferences-read "com.apple.hangtracer")
)

;; Device-node policy. Block and character devices are denied wholesale first,
;; then the few nodes this process needs are re-allowed. Rule order matters:
;; the specific allows must come after the blanket deny.
(define-once (device-access)
    (deny file-read* file-write*
        (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))

    ;; /dev/null and /dev/zero: read plus write-data only (no other write ops).
    (allow file-read* file-write-data
        (literal
            "/dev/null"
            "/dev/zero"
        )
    )

    ;; Entropy sources are read-only; the write-data deny further down only
    ;; silences the report, the allow here never granted writes.
    (allow file-read*
        (literal
            "/dev/random"
            "/dev/urandom"
        )
    )

    ;; dtrace helper device only on Apple-internal builds; on other builds the
    ;; denial is kept but not logged.
    (if (system-attribute apple-internal)
        (allow file-read* file-write-data file-ioctl
            (literal "/dev/dtracehelper"))
    ; else
        (deny (with no-log) file-read* file-write-data file-ioctl
            (literal "/dev/dtracehelper"))
    )

    ;; <rdar://problem/14215718>
    ;; Writes (e.g. seeding attempts) to the random devices are refused
    ;; without a report.
    (deny file-write-data (with no-report)
        (literal
            "/dev/random"
            "/dev/urandom"
        )
    )

    ;; /dev/aes_0: read, write-data and ioctl. Presumably the kernel AES
    ;; device; confirm which code path needs it before widening this rule.
    (allow file-read* file-write-data file-ioctl
        (literal "/dev/aes_0")
    )
)

;; Plain-file reads from /private/etc (the target of /etc) that name and
;; service resolution and user/group lookups need. Consumed by the
;; (allow file-read* required-etc-files) rule below; literal paths only, no
;; directory-wide access.
(define required-etc-files
    (literal
        "/private/etc/hosts"
        "/private/etc/group"
        "/private/etc/passwd"
        "/private/etc/protocols"
        "/private/etc/services"
    )
)

;; No executable mapping by default; code loading is re-enabled only for the
;; system library paths by the elevated-precedence rules below.
(deny file-map-executable)

;; No mounting or unmounting of file systems.
(deny file-write-mount file-write-unmount)

;; Security framework preferences (read-only).
(mobile-preferences-read "com.apple.security")

;; Prototype-tools preferences, Apple-internal builds only.
(with-filter (system-attribute apple-internal)
    (mobile-preferences-read "com.apple.PrototypeTools")
)

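;; Rules in this form are evaluated at a higher precedence than the ordinary
;; allow/deny rules elsewhere in the profile. Within the form, a later rule
;; for the same operation still overrides an earlier one, which is why the
;; hardware-identifying deny must follow the broad /System/Library allow.
(with-elevated-precedence
    ;; Read-only access to system libraries, shared data, timezone data, the
    ;; logging preferences and the whole of /System/Library.
    (allow file-read*
        (subpath
            "/usr/lib"
            "/usr/share"
            "/private/var/db/timezone"
            "/private/var/preferences/Logging" ;;; <rdar://problem/24144418>
            "/System/Library"
        )
    )

    ;; Carve device-identifying material back out of the /System/Library allow
    ;; above (AP ticket, kernel caches, factory data): neither readable nor
    ;; re-vendable via extension. Must stay after that allow.
    (let ((hw-identifying-paths
            (require-any
                (literal "/System/Library/Caches/apticket.der")
                (subpath "/System/Library/Caches/com.apple.kernelcaches")
                (subpath "/System/Library/Caches/com.apple.factorydata"))))
        (deny file-issue-extension file-read* hw-identifying-paths))

    ;; Executable mapping is permitted only from the system library locations;
    ;; the profile denies file-map-executable everywhere else.
    (allow file-map-executable
        (subpath
            "/System/Library"
            "/usr/lib"
        )
    )

    ;; Metadata (stat) on any directory or symlink, for path traversal.
    (allow file-read-metadata
        (vnode-type
            DIRECTORY
            SYMLINK
        )
    )

    ;; Global (any-application) preference domain: CFPreferences reads, the
    ;; managed-preference view, and the backing plists for the front user and
    ;; for the "Managed Preferences" store. The front-user .GlobalPreferences
    ;; read was previously listed twice; it is granted once here.
    (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
    (allow file-read*
        (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")
        (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
    )

    ;; Metadata only on the powerlog cache marker.
    (allow file-read-metadata
        (home-literal "/Library/Caches/powerlog.launchd"))

    ;; <rdar://problem/13963294>
    ;; Never read, map or re-vend an SC_Info directory inside the executable's
    ;; own bundle, even though the bundle is otherwise readable (SC_Info
    ;; presumably holds DRM-related material; confirm).
    (deny file-read-data file-issue-extension file-map-executable
        (require-all
            (executable-bundle)
            (regex #"/[^/]+/SC_Info/")))
)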

;; Internal-build debugging rules (internal-debugging-support above); inert on
;; customer devices.
(with-filter (system-attribute apple-internal)
    (internal-debugging-support)
)

;; The /private/etc files listed in required-etc-files.
(allow file-read* required-etc-files)

;; Mobile assets pre-installed with the OS (read-only).
(allow file-read*
    (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))

;; Unconditional data read of /usr/local/lib/log, unlike the rest of
;; /usr/local/lib which is internal-only (see internal-debugging-support).
;; Data only — no metadata read or executable mapping.
(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

;; Device-node rules defined above.
(device-access)

;; Logging and notification services.
(allow mach-lookup
    (global-name
        "com.apple.logd"
        "com.apple.logd.events"
        "com.apple.system.notification_center"
    )
)

;; Diagnostics and syslog daemons, Apple-internal builds only.
(with-filter (system-attribute apple-internal)
    (allow mach-lookup
        (global-name
            "com.apple.diagnosticd"
            "com.apple.system.logger"
        )
    )
)

;; The aggregate-analytics daemon is refused without a report, to keep the
;; denial logs quiet.
(deny mach-lookup (with no-report)
    (global-name
        "com.apple.aggregated"
    )
)

;; CFPreferences shared-memory segments (read-only).
(allow ipc-posix-shm-read*
    (ipc-posix-name-prefix "apple.cfprefs."))
 
;; <rdar://problem/12413942>
;; MobileGestalt cache plist (read-only).
(allow file-read*
    (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))

;; Notification-center shared memory (read-only).
(allow ipc-posix-shm-read*
    (ipc-posix-name "apple.shm.notification_center"))

;; purplebuddy sentinel semaphore, Apple-internal builds only: it may be
;; opened but not created, posted, waited on or unlinked.
(with-filter
    (require-all
        (system-attribute apple-internal)
        (ipc-posix-name "purplebuddy.sentinel"))
    (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
    (allow ipc-posix-sem-open)
)

;; Public configuration-profile info (definition above).
(managed-configuration-read-public)

;; The link-layer address (net.link.addr) is not readable; unreported.
(deny system-info (with no-report)
    (info-type "net.link.addr"))

;; Task port and process-info queries are restricted to this process itself
;; (target self); no information about other processes is available.
(allow mach-task-name (target self))

(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))

;;;
;;; End common.sb content
;;;

;; No XPC service lookups (the empty prefix matches every name), no IOKit
;; property reads, no LaunchServices open. Note: the unconditional
;; (allow iokit-get-properties ...) further down is a later rule for the same
;; operation and overrides this deny, so the deny's practical effect is
;; limited — keep that in mind when tightening the IOKit rules.
(deny mach-lookup (xpc-service-name-prefix ""))
(deny iokit-get-properties (with partial-symbolication))
(deny lsopen)

;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

;; Home-directory metadata for preference lookups (definition above).
(allow-preferences-common)

;; Home Button
;; Only the home-button-type property of IOPlatformDevice entries; each access
;; is recorded via telemetry.
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
    (allow iokit-get-properties (with telemetry)
        (iokit-property "home-button-type")))

;; Writes to these two files are already covered by the default deny; this
;; rule only makes the refusal silent.
(deny file-write*
    (home-literal
        "/Library/Caches/DateFormats.plist" ; Silently deny writes when CFData attempts to write to the cache directory.
        "/Library/Preferences/com.apple.springboard.plist" ;; <rdar://problem/9375027>
    )
    (with no-log))

;;;
;;; End UIKit-apps.sb content
;;;

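;; sysctl: everything is denied, then a read-only allowlist of hardware
;; topology/cache, OS-version and a few kernel names is granted. No
;; sysctl-write is granted here (internal builds get a single write below).
;; kern.bootargs and kern.hostname expose boot and host configuration; keep
;; the list minimal. ("hw.ncpu" was previously listed twice.)
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.activecpu"
        "hw.availcpu"
        "hw.cacheconfig" ;; <rdar://problem/78213563>
        "hw.cachelinesize"
        "hw.cachesize" ;; <rdar://problem/78213563>
        "hw.cpufamily" ;; <rdar://problem/15721872>
        "hw.cpusubfamily"
        "hw.cputhreadtype"
        "hw.cputype"
        "hw.l1dcachesize" ;; <rdar://problem/15721872>
        "hw.l1icachesize" ;; <rdar://problem/15721872>
        "hw.l2cachesize"
        "hw.l3cachesize" ;; <rdar://problem/15721872>
        "hw.logicalcpu"
        "hw.logicalcpu_max"
        "hw.machine"
        "hw.memsize"
        "hw.model"
        "hw.ncpu" ;; <rdar://problem/76782530>
        "hw.nperflevels" ;; <rdar://problem/76782530>
        "hw.pagesize" ;; <rdar://problem/76782530>
        "hw.pagesize_compat"
        "hw.physicalcpu"
        "hw.physicalcpu_max"
        "hw.physmem" ;; <rdar://problem/76782530>
        "hw.vectorunit" ;; <rdar://problem/76782530>
        "kern.bootargs"
        "kern.hostname"
        "kern.hv_vmm_present"
        "kern.maxfilesperproc"
        "kern.memorystatus_level"
        "kern.osproductversion"
        "kern.osrelease"
        "kern.osvariant_status"
        "kern.osversion"
        "kern.ostype"
        "kern.secure_kernel"
        "kern.version"
        "vm.footprint_suspend")
    (sysctl-name-prefix "hw.optional.") ;; <rdar://problem/70973527>
    (sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530>
)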

;; Apple-internal builds may also write vm.footprint_suspend (reading it is
;; already in the allowlist above). This is the only sysctl write in the
;; profile.
(with-filter (system-attribute apple-internal)
    (allow sysctl-read sysctl-write
        (sysctl-name
            "vm.footprint_suspend"
        )
    )
)

;; Silence noisy denials
;; sysctl.proc_native stays denied; only the report is suppressed.
(deny sysctl-read (with no-report)
    (sysctl-name
        "sysctl.proc_native"
    )
)

;; Read-only preferences and data
(mobile-preferences-read "com.apple.LaunchServices")

;; Access to client's cache folder & re-vending to CFNetwork.
(allow file-issue-extension
    (require-all
        (extension "com.apple.app-sandbox.read-write")
        (extension-class "com.apple.nsurlstorage.extension-cache")))

(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private."))

;; FIXME: Can further restrict the following rules.
;; Unfiltered IOKit property access: properties of any registry entry may be
;; read and, more significantly, set. Both are reported and carry telemetry,
;; so tightening to specific classes/properties should be driven by that
;; data. This allow also overrides the earlier (deny iokit-get-properties ...).
(allow iokit-get-properties (with report) (with telemetry))
(allow iokit-set-properties (with report) (with telemetry))

;; Full read and write access to the user's Keychains directory — a broad
;; grant for a daemon; tracked by the rdar below.
(allow file-read* file-write*
    (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/11599825> is fixed.

;; System keychains and the keychain sync-services marker, read-only.
(allow file-read*
    (subpath "/Library/Keychains")
    (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))

;; Every shared system-group container (read-only; over-broad per the rdar)
;; plus the networkd preferences.
(allow file-read*
    (subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389>
    (literal "/private/var/preferences/com.apple.networkd.plist"))

;; Mach services this process may look up by name. Each entry is an IPC
;; surface in both directions (this process can drive the service, and the
;; service's replies are trusted input), so additions should be justified.
(allow mach-lookup
    ;; Allow accesses to the Springboard view services.
    (global-name
        "com.apple.frontboard.systemappservices"
        "com.apple.runningboard"
    )

    ;; Allow accesses to LocalAuthentication and RemoteService
    ;; (tccd is the privacy-consent daemon).
    (global-name
        "com.apple.CoreAuthentication.daemon"
        "com.apple.remoted"
        "com.apple.tccd"
    )

    ;; Allow accesses to the SEP
    (global-name "com.apple.ctkd.token-client")

    ;; Allow accesses to NFC
    (global-name "com.apple.nfcd.hwmanager")

    ;; Allow accesses to the Keychain service
    (global-name "com.apple.securityd")

    ;; Allow accesses to AAA and the network
    ;; (DNS, trust evaluation, container management, MobileGestalt).
    (global-name
        "com.apple.AppSSO.service-xpc"
        "com.apple.nehelper"
        "com.apple.usymptomsd"
        "com.apple.dnssd.service"
        "com.apple.trustd"
        "com.apple.containermanagerd"
        "com.apple.mobilegestalt.xpc"
    )

    ;; Allow accesses to the ASD
    (global-name "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent")
)

;; IOKit user clients that may be opened. Opening a user client exposes that
;; driver's external methods to this process, so this list should stay as
;; short as possible.
(allow iokit-open
    ;; Allow accesses to HID
    (iokit-user-client-class "IOHIDLibUserClient")

    ;; Allow access to the key store
    (iokit-user-client-class "AppleKeyStoreUserClient")
)

;; Outbound networking: the mDNSResponder unix socket plus remote TCP and UDP.
;; The tcp/udp filters carry no host or port qualifier, so this is
;; unrestricted egress to any destination. No network-inbound rule appears
;; anywhere in this profile.
(allow network-outbound
    (literal "/private/var/run/mDNSResponder")
    (remote tcp)
    (remote udp)
)

;; syslog socket, Apple-internal builds only.
(with-filter (system-attribute apple-internal)
    (allow network-outbound
        (literal "/private/var/run/syslog"))
)
