; Copyright (C) 2010-2021 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
;; Profile preamble: everything is denied by default and each denied operation
;; is reported with partial symbolication; the rules that follow open specific
;; operations back up.
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
(deny system-privilege)
;; NOTE(review): file-read-metadata is allowed here without a path filter, so
;; the narrower file-read-metadata allows later in this profile add nothing
;; unless a later deny narrows it — confirm that is intended.
(allow system-audit file-read-metadata)
;; Silence spurious logging due to rdar://20117923 and rdar://72366475
(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
#include "Shared/Sandbox/util.sb"
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;; (allow-read-and-issue-generic-extensions filter ...)
;; Allows file-read* on any path matching one of FILTERS, and lets the process
;; issue "com.apple.app-sandbox.read" extensions covering those same paths.
(define-once (allow-read-and-issue-generic-extensions . filters)
(allow file-read*
(apply require-any filters))
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read")
(apply require-any filters))))
;; (allow-read-write-and-issue-generic-extensions filter ...)
;; Read/write counterpart of allow-read-and-issue-generic-extensions: grants
;; file-read*, file-write* and file-read-metadata on the union of FILTERS, and
;; lets the process issue read-write or read app-sandbox extensions for them.
(define-once (allow-read-write-and-issue-generic-extensions . filters)
(allow file-read* file-write*
(apply require-any filters))
(allow file-read-metadata
(apply require-any filters))
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
(apply require-any filters))))
;; (managed-configuration-read-public)
;; Read access to the PublicInfo portion of installed configuration profiles,
;; both the system-group container and the front user's home.
(define-once (managed-configuration-read-public)
  (let ((public-info-paths
         (require-any
          (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
          (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
          (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))))
    (allow file-read* public-info-paths)))
;; (managed-configuration-read [file ...])
;; With no arguments: read access to the whole ConfigurationProfiles trees.
;; With FILE arguments: read access only to each named file directly under
;; those trees (the file name is appended to each tree's path).
(define-once (managed-configuration-read . files)
(if (null? files)
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
(front-user-home-subpath "/Library/ConfigurationProfiles")
(front-user-home-subpath "/Library/UserConfigurationProfiles"))
(for-each
(lambda (file)
(allow file-read*
(well-known-system-group-container-literal
(string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
(front-user-home-literal
(string-append "/Library/ConfigurationProfiles/" file)
(string-append "/Library/UserConfigurationProfiles/" file))))
files)))
;; (allow-preferences-common)
;; Metadata (stat) access to the home directory itself and to
;; ~/Library/Preferences, needed before any per-domain preference read.
(define-once (allow-preferences-common)
  (allow file-read-metadata (home-literal ""))
  (allow file-read-metadata (home-literal "/Library/Preferences")))
;; (mobile-preferences-read domain ...)
;; For each preference DOMAIN: allow user-preference-read on it and file-read*
;; on ~/Library/Preferences/<domain>.plist. Callers pass the bare domain name;
;; the ".plist" suffix is appended here.
(define-once (mobile-preferences-read . domains)
(allow-preferences-common)
(for-each (lambda (domain)
(begin
(allow user-preference-read (preference-domain domain))
(allow file-read*
(home-literal (string-append "/Library/Preferences/" domain ".plist")))))
domains))
;; (framebuffer-access)
;; Opens the IOMobileFramebuffer user client, gated on the WebKit iokit
;; extension. Where the sandbox supports method filtering, only external
;; methods 8 and 28 are allowed; all other external methods, async methods
;; and traps are denied with telemetry.
(define-once (framebuffer-access)
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "IOMobileFramebufferUserClient")
)
;; Method-number filtering is only emitted on systems that define iokit-external-method.
(when (defined? 'iokit-external-method)
(apply-message-filter
(deny (with telemetry)
iokit-async-external-method
iokit-external-method
iokit-external-trap)
(allow (with telemetry) iokit-external-method
(iokit-method-number
8
28
)
)
)
)
)
;; IOMobileFramebuffer
;; Readable properties of IOMobileFramebuffer registry entries only.
(with-filter (iokit-registry-entry-class "IOMobileFramebuffer")
(allow iokit-get-properties
(iokit-property "AppleTV"
"DisplayPipePlaneBaseAlignment"
"DisplayPipeStrideRequirements"
"PerformanceStatistics"
"appleTV-VID0"
"appleTV-VID1"
"hdcp-hoover-protocol")))
(mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily")
)
;; (asset-access ['with-media-playback])
;; Read access to MobileAsset content (~/Library/Assets and
;; /private/var/MobileAsset), gated on the "com.apple.assets.read" extension.
;; With the 'with-media-playback option the same filter is also handed to
;; play-media so mediaserverd read extensions can be issued for it.
(define-once (asset-access . options)
(let ((asset-access-filter
(require-all
(require-any
(home-subpath "/Library/Assets")
(subpath "/private/var/MobileAsset"))
(extension "com.apple.assets.read"))))
;; <rdar://problem/10710883>
;; <rdar://problem/11569106>
(allow file-read* asset-access-filter)
(if (memq 'with-media-playback options)
(play-media asset-access-filter))
(mobile-preferences-read "com.apple.MobileAsset")))
;; (play-media [filter ...])
;; Media playback support. When FILTERS are given, the process may issue
;; "com.apple.mediaserverd.read" extensions for the matching paths. In every
;; case it grants the preference domains AVFoundation/CoreMedia read, the
;; networkd preferences file, and re-vending of app-sandbox read extensions
;; to mediaserverd.
(define-once (play-media . filters)
(if (not (null? filters))
;; <rdar://problem/9875794>
(allow file-issue-extension
(require-all
(apply require-any filters)
(extension-class "com.apple.mediaserverd.read"))))
(mobile-preferences-read
"com.apple.avfoundation"
"com.apple.coreaudio"
"com.apple.coremedia"
"com.apple.corevideo"
"com.apple.itunesstored" ; Needed by MediaPlayer framework
"com.apple.mobileipod" ; Ditto
"com.apple.audio.virtualaudio" ; <rdar://problem/57170333>
)
;; AVF needs to see these network preferences:
(allow file-read*
(literal "/private/var/preferences/com.apple.networkd.plist"))
;; Allow mediaserverd to issue file extensions for the purposes of reading media
(allow file-issue-extension (require-all
(extension "com.apple.app-sandbox.read")
(extension-class "com.apple.mediaserverd.read")))
)
;; (media-remote)
;; Preference domains consulted by the MediaRemote / MediaPlayer stack.
(define-once (media-remote)
  (mobile-preferences-read "com.apple.mediaremote")
  (mobile-preferences-read "com.apple.mobileipod"))
;; (media-capture-support)
;; Microphone and camera access, each gated on its own WebKit extension
;; ("com.apple.webkit.microphone" / "com.apple.webkit.camera"). The camera
;; branch also opens CoreMedia preferences, the CoreMediaIO DAL plug-ins and
;; mach lookups covered by an app-sandbox mach extension.
(define-once (media-capture-support)
;; Media capture, microphone access
(with-filter (extension "com.apple.webkit.microphone")
(allow device-microphone))
;; Media capture, camera access
(with-filter (extension "com.apple.webkit.camera")
(allow user-preference-read
(preference-domain "com.apple.coremedia"))
(allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
(allow mach-lookup (extension "com.apple.app-sandbox.mach"))
(allow device-camera))
)
;; (accessibility-support)
;; Registers the per-process accessibility server name, reads the
;; Accessibility preference domain, and silently refuses creation of the
;; Accessibility plist (reads stay allowed via mobile-preferences-read).
(define-once (accessibility-support)
(allow mach-register
(local-name "com.apple.iphone.axserver"))
(mobile-preferences-read "com.apple.Accessibility")
;; <rdar://problem/10809394>
(deny file-write-create
(home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
(with no-report))
)
;; (media-accessibility-support)
;; Media accessibility preference domains (captions etc.), public and private.
(define-once (media-accessibility-support)
  ;; <rdar://problem/12250145>
  (mobile-preferences-read
   "com.apple.mediaaccessibility"
   "com.apple.mediaaccessibility.public"))
;; (url-translation)
;; Read access to the iTunes Store URL-resolution cache.
(define-once (url-translation)
  ;; For translating http:// & https:// URLs referencing itms:// URLs.
  ;; <rdar://problem/11587338>
  (let ((url-resolution-cache
         (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
    (allow file-read* url-resolution-cache)))
;;;
;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
;;;
;; (opengl)
;; GPU access for WebGL/Metal. IOGPU connections and the AGXDeviceUserClient
;; class are allowed only with the WebKit iokit extension and, where the
;; sandbox supports it, with message filtering. The GPU user-client classes
;; in the first deny are refused with telemetry unless a later rule in this
;; profile re-allows them.
(define-once (opengl)
;; Items not seen in testing
;; No extension filter here: this deny applies to every open of these classes
;; that no later rule overrides.
(deny iokit-open (with telemetry)
(iokit-connection "IOGPU")
(iokit-user-client-class
"AGXCommandQueue"
"AGXDevice"
"AGXSharedUserClient"
"IOAccelContext"
"IOAccelDevice"
"IOAccelSharedUserClient"
"IOAccelSubmitter2"
"IOAccelContext2"
"IOAccelDevice2"
"IOAccelSharedUserClient2"))
;; Items with known uses
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-connection "IOGPU")
)
;; IOGPU: traps are denied; every sync and async external method is allowed
;; and logged under the "IOGPU" message (no method-number restriction).
(when (defined? 'iokit-external-method)
(apply-message-filter
(deny (with telemetry)
iokit-external-trap)
(allow (with telemetry) (with message "IOGPU")
iokit-async-external-method
iokit-external-method)
)
)
)
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "AGXDeviceUserClient") ;; Used by WebGL
)
(when (defined? 'iokit-external-method)
(apply-message-filter
(deny (with telemetry)
iokit-external-trap)
(deny (with telemetry) (with message "AGXDeviceUserClient")
iokit-async-external-method
iokit-external-method
)
;; NOTE(review): the method-number filters below exist only when the #if
;; holds. When it does not, the two allows carry no filter and so cover every
;; method number, presumably shadowing the telemetry deny just above —
;; confirm that is intended for builds whose minimum is 15.5 or later.
(allow iokit-async-external-method
#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < 150500
(iokit-method-number
43
)
#endif
)
(allow iokit-external-method
#if PLATFORM(IOS) && __IPHONE_OS_VERSION_MIN_REQUIRED < 150500
(iokit-method-number
0
2
4
5
6
7
8
9
10
11
12
13
14
15
16
25
26
27
36
38
39
40
42
44
)
#endif
)
)
)
)
;; Graphics/Metal plug-in discovery properties, readable from any registry entry.
(allow iokit-get-properties
(iokit-property "IOGLBundleName")
(iokit-property "IOGLESBundleName")
(iokit-property "IOGLESDefaultUseMetal")
(iokit-property "IOGLESMetalBundleName")
(iokit-property "MetalPluginClassName")
(iokit-property "MetalPluginName")
)
(allow sysctl-read
(sysctl-name #"kern.bootsessionuuid"))
;; <rdar://problem/47268166>
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
(xpc-service-name "com.apple.MTLCompilerService")
)
)
;; This is just for logging. Remove when GPU process is enabled by default.
;; NOTE(review): this is an allow, so MTLCompilerService is reachable without
;; the mach extension as well; the extension only decides whether telemetry fires.
(allow mach-lookup
(with telemetry)
(require-all
(require-not (extension "com.apple.webkit.extension.mach"))
(xpc-service-name "com.apple.MTLCompilerService")
)
)
(mobile-preferences-read
"com.apple.Metal" ;; <rdar://problem/25535471>
"com.apple.opengl" ;; <rdar://problem/23321675>
)
)
;; (internal-debugging-support)
;; Developer/debugging affordances: /Developer, stack-log and gdt shared
;; memory, internal library paths, Xcode build products and the system
;; framework directories. In this file it is only invoked under
;; (system-attribute apple-internal).
(define-once (internal-debugging-support)
(allow file-read* file-map-executable
(subpath "/Developer"))
(allow ipc-posix-shm
(ipc-posix-name-prefix "stack-logs")
(ipc-posix-name-prefix "OA-")
(ipc-posix-name-prefix "/FSM-"))
(allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
(ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
(with-filter (system-attribute apple-internal)
;; <rdar://problem/8565035>
;; <rdar://problem/23857452>
;; <rdar://problem/72317112>
(allow file-read* file-map-executable
(subpath "/AppleInternal")
(subpath "/usr/local/lib")
(subpath "/usr/appleinternal/lib")))
;; Build products under the front user's home may be read, mapped and re-vended.
(with-elevated-precedence
(allow file-read* file-map-executable file-issue-extension
(front-user-home-subpath "/XcodeBuiltProducts")))
;; <rdar://problem/8107758>
(allow file-read* file-map-executable
(subpath "/System/Library/Frameworks")
(subpath "/System/Library/PrivateFrameworks"))
;; <rdar://problem/32544921>
(mobile-preferences-read "com.apple.hangtracer"))
;; (device-access)
;; Device-node policy: all block/character devices are denied, then the few
;; needed nodes are re-allowed individually (/dev/null, /dev/zero, the random
;; devices read-only, /dev/aes_0 with ioctl, dtracehelper on internal builds).
(define-once (device-access)
(deny file-read* file-write*
(vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
(allow file-read* file-write-data
(literal "/dev/null")
(literal "/dev/zero"))
(with-filter (system-attribute apple-internal)
(allow file-read* file-write-data file-ioctl
(literal "/dev/dtracehelper"))
(allow nvram-get (nvram-variable "emu")) ;; <rdar://problem/78363040>
)
(allow file-read*
(literal "/dev/random")
(literal "/dev/urandom"))
;; <rdar://problem/14215718>
;; Writes to the random devices are refused without a report.
(deny file-write-data (with no-report)
(literal "/dev/random")
(literal "/dev/urandom"))
;; Hardware AES device: read, write and ioctl.
(allow file-read* file-write-data file-ioctl
(literal "/dev/aes_0")))
;; Filter naming the /etc files every process needs to be able to read.
(define required-etc-files
  (require-any
   (literal "/private/etc/fstab")
   (literal "/private/etc/hosts")
   (literal "/private/etc/group")
   (literal "/private/etc/passwd")
   (literal "/private/etc/protocols")
   (literal "/private/etc/services")))
;; (speech-synthesis-and-voiceover)
;; Preference domains and voice asset directories used by WebSpeech, Speak
;; Selection and VoiceOver.
(define-once (speech-synthesis-and-voiceover)
;; Speak Selection & VoiceOver
;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
;; and <rdar://problem/13071747>
(mobile-preferences-read
"com.apple.SpeakSelection" ; Needed for WebSpeech
"com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
"com.apple.voiceservices") ; Ditto
;; <rdar://problem/14555119> Access to high quality speech voices
;; Needed for WebSpeech
(allow file-read*
(home-subpath "/Library/VoiceServices/Assets")
(home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
)
;; (IOSurfaceRootUserClientMethodFilter)
;; Message filter attached to IOSurfaceRootUserClient opens: traps are
;; denied, async external methods are denied except number 40, and external
;; methods are denied (with telemetry and a log message) except the listed
;; numbers. Plain define rather than define-once. Emits nothing on systems
;; that do not define iokit-external-method.
(define (IOSurfaceRootUserClientMethodFilter)
(when (defined? 'iokit-external-method)
(apply-message-filter
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
(allow iokit-async-external-method
(iokit-method-number
40
)
)
(deny (with telemetry) (with message "IOSurfaceRootUserClient")
iokit-external-method)
(allow iokit-external-method
(iokit-method-number
0
1
2
3
5
9
10
11
12
13
14
15
20
21
23
27
31
32
34
35
36
38
39
40
41
)
)
)
)
)
;; Things required by UIKit
;; (uikit-requirements)
;; Preferences, mach services and IOKit user clients UIKit needs. IOSurface
;; accelerator and root user clients are gated on the WebKit iokit extension
;; and method-filtered; frontboard and IOSurfaceSendRight are refused with
;; telemetry.
(define-once (uikit-requirements)
(mobile-preferences-read
"com.apple.UIKit"
"com.apple.WebUI"
"com.apple.airplay"
"com.apple.avkit"
"com.apple.coreanimation"
"com.apple.mt"
"com.apple.preferences.sounds")
(deny mach-lookup (with telemetry)
(global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
)
(allow mach-lookup
(global-name "com.apple.CARenderServer"))
; UIKit-required IOKit nodes.
(deny iokit-open (with telemetry)
(iokit-user-client-class "IOSurfaceSendRight")
)
; WebKit-required IOKit classes
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "IOSurfaceAcceleratorClient") ;; Media rendering into pixel buffers
)
;; Only external method 1 is allowed on the accelerator client; everything
;; else (other methods, async methods, traps) is denied with telemetry.
(when (defined? 'iokit-external-method)
(apply-message-filter
(deny (with telemetry)
iokit-async-external-method
iokit-external-trap)
(deny (with telemetry) (with message "IOSurfaceAcceleratorClient")
iokit-external-method)
(allow iokit-external-method
(iokit-method-number
1
)
)
)
)
)
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class "IOSurfaceRootUserClient") ;; Needed by Tiled Grid code.
)
(IOSurfaceRootUserClientMethodFilter)
)
;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
;; <rdar://problem/13796537>
(deny file-write-create
(home-prefix "/Library/Preferences/com.apple.UIKit.plist")
(with no-report))
)
;; (dictionary-support)
;; Read-only access to the system and per-user dictionary directories.
(define-once (dictionary-support)
  ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
  (let ((dictionary-paths
         (require-any
          ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
          (subpath "/Library/Dictionaries")
          (home-subpath "/Library/Dictionaries"))))
    (allow file-read* dictionary-paths)))
;; Baseline process rules (formerly common.sb). Broad denials come first; the
;; narrower allows that follow re-enable specific paths and operations.
(deny file-map-executable)
(deny file-write-mount file-write-unmount)
(allow file-read-metadata
(vnode-type DIRECTORY))
(mobile-preferences-read "com.apple.security")
(with-filter (system-attribute apple-internal)
(mobile-preferences-read "com.apple.PrototypeTools"))
;; Everything from here to the matching close paren is under
;; with-elevated-precedence. The hw-identifying-paths deny carves the
;; APTicket, kernel caches and factory data out of the /System/Library allow so
;; they can be neither read nor re-vended through extensions.
(with-elevated-precedence
(allow file-read*
(subpath "/usr/lib"
"/usr/share"
"/private/var/db/timezone"))
(allow-read-and-issue-generic-extensions
(subpath "/Library/RegionFeatures"
"/System/Library"))
(allow file-issue-extension
(require-all
(extension-class "com.apple.mediaserverd.read")
(subpath "/System/Library")))
(let ((hw-identifying-paths
(require-any
(literal "/System/Library/Caches/apticket.der")
(subpath "/System/Library/Caches/com.apple.kernelcaches")
(subpath "/System/Library/Caches/com.apple.factorydata"))))
(deny file-issue-extension file-read* hw-identifying-paths))
(allow file-map-executable
(subpath "/System/Library")
(subpath "/usr/lib"))
(allow file-read-metadata
(vnode-type SYMLINK))
;;; <rdar://problem/24144418>
(allow file-read*
(subpath "/private/var/preferences/Logging"))
;; Global (any-application) preferences, user and managed.
(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
(allow file-read*
(front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")
(front-user-home-literal "/Library/Preferences/.GlobalPreferences_m.plist"))
(allow file-read*
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
(allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
(allow file-read-metadata
(home-literal "/Library/Caches/powerlog.launchd"))
;; The process's own bundle is readable, mappable and re-vendable — except
;; anything under an SC_Info directory, which stays unreadable and unmappable.
(allow-read-and-issue-generic-extensions (executable-bundle))
(allow file-map-executable (executable-bundle))
;; <rdar://problem/13963294>
(deny file-read-data file-issue-extension file-map-executable
(require-all
(executable-bundle)
(regex #"/[^/]+/SC_Info/")))
;; Unless 'restrictive-extension is defined, generic app-sandbox extensions
;; (read, read-write, AirDrop read-only) grant access to the paths they cover
;; and may be re-issued in the matching extension classes.
(unless (defined? 'restrictive-extension)
(with-filter
(extension
"com.apple.app-sandbox.read"
"com.apple.app-sandbox.read-write"
"com.apple.sharing.airdrop.readonly")
(allow file-read* file-read-metadata)
(allow file-issue-extension
(extension-class "com.apple.app-sandbox.read"
"com.apple.mediaserverd.read"
"com.apple.sharing.airdrop.readonly")))
(with-filter
(extension
"com.apple.app-sandbox.read-write")
(allow file-write*)
(allow file-issue-extension
(extension-class "com.apple.app-sandbox.read-write"
"com.apple.mediaserverd.read-write"))))
;; <rdar://problem/16079361>
(allow managed-preference-read
(extension "com.apple.security.exception.managed-preference.read-only"))
(allow user-preference-read
(extension "com.apple.security.exception.shared-preference.read-only"))
)
;; Debugging support is only enabled on internal builds.
(with-filter (system-attribute apple-internal)
(internal-debugging-support)
)
(allow file-read*
required-etc-files
(literal "/"))
(allow file-read*
(subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
(device-access)
;; File-provider extensions may be re-issued as app-sandbox read/read-write extensions.
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
(extension "com.apple.fileprovider.read-write")))
(allow mach-lookup
(global-name "com.apple.logd")
(global-name "com.apple.logd.events")
)
(deny mach-lookup (with telemetry)
(global-name "com.apple.distributed_notifications@1v3"))
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
(deny mach-lookup (with no-report)
(global-name "com.apple.lsd.mapdb"))
;; <rdar://problem/12413942>
(allow file-read*
(well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
(allow iokit-get-properties
(iokit-property "IORegistryEntryPropertyKeys"))
(allow ipc-posix-sem-open
(ipc-posix-name "containermanagerd.fb_check"))
;; The purplebuddy sentinel semaphore may be opened but not created, posted, unlinked or waited on.
(with-filter (ipc-posix-name "purplebuddy.sentinel")
(deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
(allow ipc-posix-sem-open))
(deny mach-lookup (with no-report)
(global-name "com.apple.runningboard")
)
;; system-sched is only available to processes holding the override-cpumon entitlement.
(allow system-sched
(require-entitlement "com.apple.private.kernel.override-cpumon"))
(deny sysctl-read (with no-report)
(sysctl-name
"hw.cpufrequency_compat"
"hw.tbfrequency_compat" ;; <rdar://71740719>
"sysctl.proc_native"))
(with-filter (system-attribute apple-internal)
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend")))
(with-filter (system-attribute apple-internal)
(allow network-outbound
(literal "/private/var/run/syslog"))
)
;; notification_center: only the listed message numbers may be sent; 1023 is
;; refused silently and every other message is refused with telemetry.
(allow mach-lookup
(global-name "com.apple.system.notification_center")
(apply-message-filter
(deny mach-message-send (with telemetry))
(deny mach-message-send (with no-report) (message-number 1023))
(allow mach-message-send (message-number
1002
1009
1010
1011
1012
1016
1017
1018
1019
1021
1022
1025
1026
1028
1029
1030
1031
1032
))
)
)
(allow ipc-posix-shm-read*
(ipc-posix-name "apple.shm.notification_center"))
(managed-configuration-read-public)
;; Link-layer (MAC) address lookups are refused without a report.
(deny system-info (with no-report)
(info-type "net.link.addr"))
(allow file-read*
(subpath "/private/var/db/datadetectors/sys"))
(allow-well-known-system-group-container-subpath-read
"/systemgroup.com.apple.icloud.findmydevice.managed/Library")
(allow mach-task-name (target self))
;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
;;;
;;; End common.sb content
;;;
;; Every XPC service lookup is denied by prefix here; later rules in this
;; profile re-allow specific services (most of them behind the WebKit mach
;; extension).
(deny mach-lookup (xpc-service-name-prefix ""))
(deny iokit-get-properties (with partial-symbolication))
(deny lsopen)
;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;; Rules formerly in UIKit-apps.sb: media, assets, keyboards, fonts, icons,
;; UIKit, dictionaries and the framebuffer/GPU helpers defined above.
;; Any app can play audio & movies.
(play-media)
;; Access to media controls
(media-remote)
(url-translation)
(mobile-preferences-read "com.apple.da")
(speech-synthesis-and-voiceover)
;; Permit reading assets via MobileAsset framework.
(asset-access 'with-media-playback)
;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-literal-read
"/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
;; Access the keyboards
(allow file-read*
(home-subpath "/Library/Caches/com.apple.keyboards"))
(mobile-preferences-read
"com.apple.EmojiPreferences"
; <rdar://problem/8477596> com.apple.InputModePreferences
"com.apple.InputModePreferences"
; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
"com.apple.keyboard"
; <rdar://problem/9384085>
"com.apple.Preferences"
"com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)
;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once <rdar://problem/47038102> is resolved.
(deny file-read*
(home-literal "/Library/Preferences/com.apple.mobilemail.plist")
(with no-log))
;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
(home-subpath "/Library/Fonts"))
;; <rdar://problem/7344719&26323449> LaunchServices app icons
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
;; Icon service lookups are refused with telemetry; a later extension-gated
;; allow in this profile is the sanctioned route.
(deny mach-lookup (with telemetry)
(xpc-service-name "com.apple.iconservices")
(global-name "com.apple.iconservices"))
(allow-preferences-common)
;; Home Button
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
(allow iokit-get-properties
(iokit-property "home-button-type")))
(uikit-requirements)
(dictionary-support)
; <rdar://problem/8440231>
(allow file-read*
(home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
(home-literal "/Library/Caches/DateFormats.plist")
(with no-log))
(framebuffer-access)
; <rdar://problem/7595408> , <rdar://problem/7643881>
(opengl)
; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See <rdar://problem/9375027> for sample backtraces.
(deny file-write*
(home-prefix "/Library/Preferences/com.apple.springboard.plist")
(with no-log))
;; <rdar://problem/34986314>
(mobile-preferences-read "com.apple.indigo")
;;;
;;; End UIKit-apps.sb content
;;;
;; NOTE(review): mobile-preferences-read appends ".plist" to the domain
;; itself, so this argument yields the path
;; ~/Library/Preferences/com.apple.AdLib.plist.plist and the preference domain
;; "com.apple.AdLib.plist"; every other caller in this profile passes a bare
;; domain — confirm whether "com.apple.AdLib" was intended.
(mobile-preferences-read "com.apple.AdLib.plist")
;; These preference files are refused silently (they are not needed by this process).
(deny file-read* (with no-report)
(home-literal
"/Library/Preferences/com.apple.WebKit.WebContent.plist"
"/Library/Preferences/com.apple.CFNetwork.plist"
"/Library/Preferences/com.apple.AppSupport.plist"
)
)
;; sysctl: deny everything, then allow an explicit read-only list of hardware,
;; kernel-version and memory-status names.
(deny sysctl*)
(allow sysctl-read
(sysctl-name
"hw.activecpu" ;; Needed by JSC engine.
"hw.availcpu"
"hw.byteorder"
"hw.cacheconfig" ;; <rdar://problem/78213563>
"hw.cachelinesize"
"hw.cachelinesize_compat"
"hw.cachesize" ;; <rdar://problem/78213563>
"hw.cpufamily" ;; <rdar://problem/58416475>
"hw.cpusubfamily"
"hw.cputhreadtype"
"hw.cputype"
"hw.l1dcachesize" ;; <rdar://problem/15721872>
"hw.l1icachesize" ;; <rdar://problem/15721872>
"hw.l2cachesize"
"hw.l3cachesize" ;; <rdar://problem/15721872>
"hw.logicalcpu"
"hw.logicalcpu_max"
"hw.ncpu"
"hw.machine"
"hw.memsize"
"hw.model"
;; "hw.ncpu" is already listed above; the duplicate is harmless.
"hw.ncpu" ;; <rdar://problem/76782530>
"hw.nperflevels" ;; <rdar://problem/76782530>
"hw.pagesize" ;; <rdar://problem/76782530>
"hw.pagesize_compat"
"hw.physicalcpu"
"hw.physicalcpu_max"
"hw.physmem" ;; <rdar://problem/76782530>
"hw.product"
"hw.vectorunit"
"kern.bootargs"
"kern.hostname"
"kern.hv_vmm_present"
"kern.maxfilesperproc" ;; <rdar://problem/65900517>
"kern.memorystatus_level"
"kern.osproductversion"
"kern.osrelease"
"kern.ostype"
"kern.osvariant_status"
"kern.osversion"
"kern.secure_kernel" ;; Needed by XPC bundle resolution
"kern.version"
"sysctl.name2oid"
"vm.footprint_suspend")
(sysctl-name-prefix "net.routetable") ;; <rdar://problem/57665153>
(sysctl-name-prefix "hw.optional.") ;; <rdar://problem/70973527>
(sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530>
)
;; IORegistry properties readable from any registry entry (no class filter);
;; mostly display, GPU and codec capability keys.
;; NOTE(review): a few of these (IOPlatformUUID, chip-id, udid-version) are
;; device-identifying in nature; keep this list as small as the process needs.
(allow iokit-get-properties
(iokit-property "AAPL,DisplayPipe")
(iokit-property "AAPL,OpenCLdisabled")
(iokit-property "AAPL,IOGraphics_LER")
(iokit-property "AAPL,IOGraphics_LER_RegTag_0")
(iokit-property "AAPL,IOGraphics_LER_RegTag_1")
(iokit-property "AAPL,IOGraphics_LER_Busy_2")
(iokit-property "AAPL,alias-policy")
(iokit-property "AAPL,boot-display")
(iokit-property "AAPL,display-alias")
(iokit-property "AAPL,mux-switch-state")
(iokit-property "AAPL,ndrv-dev")
(iokit-property "AAPL,primary-display")
(iokit-property "AAPL,slot-name")
(iokit-property "APTDevice")
(iokit-property "AVCSupported")
(iokit-property "AppleJPEGNumCores")
(iokit-property "AppleJPEGSupportsAppleInterchangeFormats")
(iokit-property "AppleJPEGSupportsMissingEOI")
(iokit-property "AppleJPEGSupportsRSTLogging")
(iokit-property "BaseAddressAlignmentRequirement")
(iokit-property "DisplayPipePlaneBaseAlignment")
(iokit-property "DisplayPipeStrideRequirements")
(iokit-property "HEVCSupported")
(iokit-property "HEVCCanDecodeTileToCanvas")
(iokit-property "IOGVABGRAEnc")
(iokit-property "IOGVACodec")
(iokit-property "IOGVAEncoderRestricted")
(iokit-property "IOGVAScaler")
(iokit-property "IOClassNameOverride")
(iokit-property "IOPlatformUUID")
(iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
(iokit-property "LGHSupported")
(iokit-property "Protocol Characteristics")
(iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
(iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
(iokit-property "artwork-device-subtype")
(iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
(iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
(iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
(iokit-property "canvas-height")
(iokit-property "canvas-width")
(iokit-property "chip-id") ;; <rdar://problem/52903477>
(iokit-property "class-code")
(iokit-property "color-accuracy-index")
(iokit-property "compatible") ;; <rdar://problem/47523516>
(iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
(iokit-property "device-colors") ;; <rdar://problem/51322072>
(iokit-property "device-id")
(iokit-property "device-perf-memory-class")
(iokit-property "dfr")
(iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
(iokit-property "emu")
(iokit-property "external")
(iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
(iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
(iokit-property "hdcp-hoover-protocol")
(iokit-property "iommu-present")
(iokit-property "oled-display") ;; <rdar://problem/51322072>
(iokit-property "product-description") ;; <rdar://problem/49497788>
(iokit-property "product-id")
(iokit-property "soc-generation") ;; <rdar://problem/52903476>
(iokit-property "software-behavior")
(iokit-property "vendor-id")
(iokit-property "udid-version") ;; <rdar://problem/52903475>
(iokit-property "ui-pip") ;; <rdar://problem/48867037>
)
; IOPlatformExpertDevice
;; Platform/region keys, readable only from the IOPlatformExpertDevice entry.
(with-filter (iokit-registry-entry-class "IOPlatformExpertDevice")
(allow iokit-get-properties
(iokit-property
"platform-name" ;; <rdar://problem/79334360>
"region-info" ;; <rdar://problem/52903475>
"regulatory-model-number" ;; <rdar://problem/52903475>
)
)
)
;; Read-only preferences and data
(mobile-preferences-read
"com.apple.LaunchServices"
"com.apple.WebFoundation"
"com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
"com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
"com.apple.voiceservices.logging")
;; Sandbox extensions
;; (apply-read-and-issue-extension op path-filter)
;; Applies OP (allow or deny) to reading PATH-FILTER and to issuing
;; "com.apple.app-sandbox.read" extensions that cover it.
(define (apply-read-and-issue-extension op path-filter)
  (let ((issue-filter
         (require-all path-filter (extension-class "com.apple.app-sandbox.read"))))
    (op file-read* path-filter)
    (op file-issue-extension issue-filter)))
;; (apply-write-and-issue-extension op path-filter)
;; Applies OP (allow or deny) to writing PATH-FILTER and to issuing
;; "com.apple.app-sandbox.read-write" extensions that cover it.
(define (apply-write-and-issue-extension op path-filter)
  (let ((issue-filter
         (require-all path-filter (extension-class "com.apple.app-sandbox.read-write"))))
    (op file-write* path-filter)
    (op file-issue-extension issue-filter)))
;; (read-only-and-issue-extensions path-filter)
;; Allows reading PATH-FILTER and issuing read extensions for it.
(define (read-only-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter))
;; (read-write-and-issue-extensions path-filter)
;; Allows reading and writing PATH-FILTER and issuing both read and
;; read-write extensions for it.
(define (read-write-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter)
(apply-write-and-issue-extension allow path-filter))
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
;; Access to client's cache folder & re-vending to CFNetwork.
(allow file-issue-extension (require-all
(extension "com.apple.app-sandbox.read-write")
(extension-class "com.apple.nsurlstorage.extension-cache")))
(accessibility-support)
(media-accessibility-support)
(deny mach-lookup (with no-report)
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.aggregated")
(global-name "com.apple.diagnosticd")
(global-name "com.apple.fontservicesd")
)
(deny mach-lookup (with telemetry)
(global-name "com.apple.PowerManagement.control"))
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private."))
;; Allow loading injected bundles.
(allow file-map-executable)
;; Allow ManagedPreference access
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
(allow file-read-data
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
;; <rdar://problem/60983812>
(deny file-write*
(home-subpath "/Library/Preferences/")
(with no-log))
(deny mach-lookup (with telemetry)
(global-name "com.apple.containermanagerd")
)
(deny mach-lookup (with telemetry)
(global-name "com.apple.mobilegestalt.xpc")
)
(deny mach-lookup (with no-log)
(xpc-service-name "com.apple.audio.toolbox.reporting.service")
)
(allow iokit-open (with telemetry)
(require-all
(require-not (extension "com.apple.webkit.extension.iokit"))
(iokit-user-client-class
"IOSurfaceRootUserClient"
)
)
(IOSurfaceRootUserClientMethodFilter)
)
(deny iokit-open (with telemetry)
(require-all
(require-not (extension "com.apple.webkit.extension.iokit"))
(iokit-user-client-class
"IOSurfaceAcceleratorClient"
)
)
)
(deny iokit-open (with no-log)
(iokit-user-client-class
"AppleJPEGDriverUserClient"
)
)
(allow iokit-open (with report) (with telemetry)
(require-all
(require-not (extension "com.apple.webkit.extension.iokit"))
(iokit-connection "IOGPU")
)
)
;; Mach services that become reachable only after the mach sandbox extension
;; ("com.apple.webkit.extension.mach") has been issued to the process. Without
;; the extension none of these lookups is granted by this rule.
;;
;; The block between the two FIXME(207716) markers is the set of audio/media
;; services that are expected to go away once the GPU process takes over that
;; work; keep the markers intact so the list can be removed as a unit.
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
(global-name
"com.apple.cfprefsd.agent"
"com.apple.cfprefsd.daemon"
"com.apple.containermanagerd"
"com.apple.diagnosticd"
"com.apple.iphone.axserver-systemwide"
"com.apple.mobileassetd.v2"
"com.apple.mobilegestalt.xpc"
"com.apple.nehelper"
"com.apple.nesessionmanager.content-filter"
"com.apple.osanalytics.osanalyticshelper"
"com.apple.tccd"
"com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI"
"com.apple.webinspector"
;;; FIXME(207716): The following should be removed when the GPU process is complete
"com.apple.airplay.apsynccontroller.xpc" "com.apple.audio.AURemoteIOServer" "com.apple.audio.AudioComponentPrefs" "com.apple.audio.AudioComponentRegistrar"
"com.apple.audio.AudioQueueServer" "com.apple.audio.AudioSession" "com.apple.coremedia.admin" "com.apple.coremedia.asset.xpc"
"com.apple.coremedia.assetimagegenerator.xpc" "com.apple.coremedia.audiodeviceclock.xpc" "com.apple.coremedia.audioprocessingtap.xpc"
"com.apple.coremedia.capturesession" "com.apple.coremedia.capturesource" "com.apple.coremedia.compressionsession" "com.apple.coremedia.cpe.xpc"
"com.apple.coremedia.cpeprotector.xpc" "com.apple.coremedia.customurlloader.xpc" "com.apple.coremedia.decompressionsession"
"com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.figcontentkeysession.xpc" "com.apple.coremedia.figcpecryptor"
"com.apple.coremedia.formatreader.xpc" "com.apple.coremedia.player.xpc" "com.apple.coremedia.remaker" "com.apple.coremedia.remotequeue"
"com.apple.coremedia.routediscoverer.xpc" "com.apple.coremedia.routingcontext.xpc" "com.apple.coremedia.routingsessionmanager.xpc"
"com.apple.coremedia.samplebufferaudiorenderer.xpc" "com.apple.coremedia.samplebufferrendersynchronizer.xpc" "com.apple.coremedia.sandboxserver.xpc"
"com.apple.coremedia.sts" "com.apple.coremedia.systemcontroller.xpc" "com.apple.coremedia.videoqueue" "com.apple.coremedia.volumecontroller.xpc"
"com.apple.coremedia.visualcontext.xpc" "com.apple.mediaremoted.xpc" "com.apple.accessibility.mediaaccessibilityd"
;;; FIXME(207716): End services to remove.
)))
;; Silence warnings about these connections if we have decided not to extend access to them:
;; AudioComponentRegistrar is also in the extension-gated allow list above; this
;; rule only makes the lookup fail quietly (no-report) when the mach extension
;; has not been issued, so the attempt does not show up as a violation.
(deny mach-lookup (with no-report)
(require-all
(require-not (extension "com.apple.webkit.extension.mach"))
(global-name
"com.apple.audio.AudioComponentRegistrar"
)
)
)
;; Further global-name services gated on the mach extension.
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
(global-name
"com.apple.PowerManagement.control"
"com.apple.frontboard.systemappservices"
"com.apple.iconservices"
"com.apple.lsd.open"
)
)
)
;; XPC service lookups gated on the mach extension. The single entry is part of
;; the FIXME(207716) set that is expected to move to the GPU process.
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
(xpc-service-name
;;; FIXME(207716): The following should be removed when the GPU process is complete
"com.apple.MediaPlayer.RemotePlayerService"
;;; FIXME(207716): End services to remove.
)
)
)
;; GPU user clients (AGX and IOAccel families) are reachable only with the
;; iokit extension; no un-extended fallback exists for these, unlike the
;; IOSurface / IOGPU rules above.
(allow iokit-open
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class
"AGXCommandQueue"
"AGXDevice"
"AGXSharedUserClient"
"IOAccelContext"
"IOAccelDevice"
"IOAccelSharedUserClient"
"IOAccelSubmitter2"
"IOAccelContext2"
"IOAccelDevice2"
"IOAccelSharedUserClient2"
)
)
)
;; Shader compiler service, matched by name prefix and gated on the mach
;; extension.
(allow mach-lookup
(require-all
(extension "com.apple.webkit.extension.mach")
(xpc-service-name-prefix "com.apple.AGXCompilerService")))
;; Media-capture rules come from a macro defined outside this chunk
;; (presumably util.sb); its contents are not visible here.
(media-capture-support)
;; These services were identified as unused during living-on.
;; The rules in this list override some definitions above and in common.sb.
;; FIXME: remove the overridden rules once the final list has been
;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
;; Unconditional deny. As the comment above notes, rules placed later in the
;; profile override earlier ones, so this removes the camera service even if an
;; earlier rule (or common.sb) allowed it.
(deny mach-lookup
(global-name "com.apple.webkit.camera")
)
;; Unix syscall allow list (only on SDKs where the syscall-unix operation
;; exists). The default for any syscall not listed below is deny *and*
;; SIGKILL, so an unexpected syscall terminates the process rather than just
;; failing with an error. Two allow lists follow: plain allows, and allows
;; that also capture a backtrace (telemetry-backtrace) so the calling code
;; can be identified — presumably the latter are candidates for future
;; removal or tightening.
(when (defined? 'syscall-unix)
(deny syscall-unix (with send-signal SIGKILL))
(allow syscall-unix
(syscall-number SYS___disable_threadsignal)
(syscall-number SYS___mac_syscall)
(syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
(syscall-number SYS_access)
(syscall-number SYS_bsdthread_create)
(syscall-number SYS_bsdthread_ctl)
(syscall-number SYS_bsdthread_register)
(syscall-number SYS_bsdthread_terminate)
(syscall-number SYS_change_fdguard_np)
(syscall-number SYS_chdir)
(syscall-number SYS_exit)
(syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
(syscall-number SYS_fcntl)
(syscall-number SYS_fcntl_nocancel)
(syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
(syscall-number SYS_flock)
(syscall-number SYS_fsetattrlist) ;; MTLCompilerFSCache::openSync
(syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
(syscall-number SYS_fsgetpath)
(syscall-number SYS_fstat64)
(syscall-number SYS_fstat64_extended) ;; <rdar://problem/61310019>
(syscall-number SYS_fstatfs64)
(syscall-number SYS_ftruncate)
(syscall-number SYS_getattrlist) ;; xpc_realpath and directory enumeration
(syscall-number SYS_getdirentries64)
(syscall-number SYS_getegid)
(syscall-number SYS_getentropy)
(syscall-number SYS_geteuid)
(syscall-number SYS_getfsstat64)
(syscall-number SYS_getpid)
(syscall-number SYS_getrlimit)
(syscall-number SYS_getrusage)
(syscall-number SYS_gettid)
(syscall-number SYS_gettimeofday)
(syscall-number SYS_getuid)
(syscall-number SYS_guarded_close_np)
(syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
(syscall-number SYS_guarded_open_np)
(syscall-number SYS_guarded_pwrite_np)
(syscall-number SYS_issetugid)
(syscall-number SYS_kdebug_trace64)
(syscall-number SYS_kevent_id)
(syscall-number SYS_kevent_qos)
(syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
(syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
(syscall-number SYS_listxattr)
(syscall-number SYS_lseek)
(syscall-number SYS_lstat64)
(syscall-number SYS_madvise)
(syscall-number SYS_memorystatus_control)
(syscall-number SYS_mkdir)
(syscall-number SYS_mmap)
(syscall-number SYS_mprotect)
(syscall-number SYS_msync)
(syscall-number SYS_munmap)
(syscall-number SYS_os_fault_with_payload)
(syscall-number SYS_pathconf)
(syscall-number SYS_pread)
(syscall-number SYS_psynch_cvbroad)
(syscall-number SYS_psynch_cvclrprepost)
(syscall-number SYS_psynch_cvsignal)
(syscall-number SYS_psynch_cvwait)
(syscall-number SYS_psynch_mutexdrop)
(syscall-number SYS_psynch_mutexwait)
(syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
(syscall-number SYS_psynch_rw_unlock)
(syscall-number SYS_read)
(syscall-number SYS_read_nocancel)
(syscall-number SYS_readlink)
(syscall-number SYS_rename)
(syscall-number SYS_shared_region_check_np)
(syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880>
(syscall-number SYS_sigaction)
(syscall-number SYS_stat64)
(syscall-number SYS_statfs64)
(syscall-number SYS_thread_selfid)
(syscall-number SYS_ulock_wait)
(syscall-number SYS_ulock_wait2) ;; <rdar://problem/58743778>
(syscall-number SYS_ulock_wake)
(syscall-number SYS_workq_kernreturn)
(syscall-number SYS_workq_open))
;; Allowed, but each use records a backtrace. Several of these are broader
;; than the list above (sockets, open/write, sysctl, process_policy), which is
;; presumably why their callers are being tracked.
(allow syscall-unix (with telemetry-backtrace)
(syscall-number SYS___pthread_kill)
(syscall-number SYS___pthread_markcancel)
(syscall-number SYS___pthread_sigmask)
(syscall-number SYS___semwait_signal)
(syscall-number SYS___semwait_signal_nocancel)
(syscall-number SYS_chmod)
(syscall-number SYS_close)
(syscall-number SYS_close_nocancel)
(syscall-number SYS_connect)
(syscall-number SYS_connect_nocancel)
(syscall-number SYS_connectx)
(syscall-number SYS_csops) ;; used by CoreFoundation initialization
(syscall-number SYS_csops_audittoken) ;; used by WK to get entitlements
(syscall-number SYS_csrctl)
(syscall-number SYS_dup)
(syscall-number SYS_dup2)
(syscall-number SYS_fchmod)
(syscall-number SYS_fgetxattr)
(syscall-number SYS_fileport_makefd)
(syscall-number SYS_fileport_makeport)
(syscall-number SYS_fstatat64)
(syscall-number SYS_fsync)
(syscall-number SYS_getattrlistbulk) ;; xpc_realpath and directory enumeration
(syscall-number SYS_getaudit_addr)
(syscall-number SYS_getgid)
(syscall-number SYS_getpeername)
(syscall-number SYS_getsockopt) ;; used by libwebrtc
(syscall-number SYS_getxattr)
(syscall-number SYS_ioctl) ;; needed by tcgetattr (TIOCGETA) - debugging
(syscall-number SYS_kdebug_trace)
(syscall-number SYS_mkdirat)
(syscall-number SYS_mlock)
(syscall-number SYS_mremap_encrypted)
(syscall-number SYS_munlock)
(syscall-number SYS_necp_client_action)
(syscall-number SYS_necp_open)
(syscall-number SYS_objc_bp_assist_cfg_np)
(syscall-number SYS_open)
(syscall-number SYS_open_dprotected_np)
(syscall-number SYS_open_nocancel)
(syscall-number SYS_openat)
(syscall-number SYS_openat_nocancel)
(syscall-number SYS_persona)
(syscall-number SYS_pipe)
(syscall-number SYS_pread_nocancel)
(syscall-number SYS_proc_info)
(syscall-number SYS_proc_rlimit_control)
(syscall-number SYS_process_policy)
(syscall-number SYS_psynch_rw_wrlock)
(syscall-number SYS_pwrite)
(syscall-number SYS_recvfrom)
(syscall-number SYS_recvfrom_nocancel)
(syscall-number SYS_rmdir)
(syscall-number SYS_select)
(syscall-number SYS_select_nocancel)
(syscall-number SYS_sem_close)
(syscall-number SYS_sem_open)
(syscall-number SYS_sem_post)
(syscall-number SYS_sem_wait)
(syscall-number SYS_sendmsg_nocancel)
(syscall-number SYS_sendto)
(syscall-number SYS_sendto_nocancel)
(syscall-number SYS_setpriority)
(syscall-number SYS_setrlimit)
(syscall-number SYS_setsockopt)
(syscall-number SYS_shm_open)
(syscall-number SYS_shutdown)
(syscall-number SYS_sigaltstack)
(syscall-number SYS_sigprocmask)
(syscall-number SYS_sigreturn)
(syscall-number SYS_socket)
(syscall-number SYS_socketpair)
(syscall-number SYS_sysctl)
(syscall-number SYS_sysctlbyname)
(syscall-number SYS_thread_selfusage)
(syscall-number SYS_umask)
(syscall-number SYS_unlink)
(syscall-number SYS_work_interval_ctl)
(syscall-number SYS_write)
(syscall-number SYS_write_nocancel)
(syscall-number SYS_writev))
)
;; kdebug tracing helpers are granted only on Apple-internal builds
;; (system-attribute apple-internal); on customer builds they stay covered by
;; the SIGKILL default above.
(with-filter (system-attribute apple-internal)
(when (defined? 'syscall-unix)
(allow syscall-unix
(syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
(syscall-number SYS_kdebug_typefilter))))
;; File ioctls: deny everything (with telemetry), then re-allow exactly the two
;; commands the AES device needs. Socket ioctls are denied outright.
(deny file-ioctl (with telemetry))
;; restrict to the two ioctl's /dev/aes_0 needs
(allow file-ioctl (with telemetry)
(ioctl-command (_IO "T" 101)) ;; IOAES_GET_INFO
(ioctl-command (_IO "T" 102))) ;; IOAES_ENCRYPT_DECRYPT
(deny socket-ioctl (with telemetry))
;; fcntl command filter (only on SDKs that expose system-fcntl). Default deny
;; with telemetry, then three allow lists: plain allows, F_OFD_SETLK with a
;; backtrace captured on each use, and the data-protection class get/set pair.
;; Each inline comment names the known caller that needs the command.
(when (defined? 'system-fcntl)
(deny system-fcntl (with telemetry))
(allow system-fcntl
(fcntl-command F_BARRIERFSYNC)
(fcntl-command F_GETCONFINED)
(fcntl-command F_GETFL) ;; LibJPEGReadPlugin::copyImageBlockSetStandard
(fcntl-command F_GETLK)
(fcntl-command F_GETSIGSINFO)
(fcntl-command F_NOCACHE)
(fcntl-command F_OFD_GETLK)
(fcntl-command F_OFD_SETLKWTIMEOUT)
(fcntl-command F_RDADVISE)
(fcntl-command F_SETCONFINED)
(fcntl-command F_GETPATH) ;; used by dyld4 and CGFontURLCreate, getcwd (at least)
(fcntl-command F_ADDFILESIGS_RETURN) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_CHECK_LV) ;; ImageLoaderMachO::loadCodeSignature
(fcntl-command F_SPECULATIVE_READ) ;; ImageLoaderMachO::mapSegments
(fcntl-command F_SETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_GETFD) ;; libwebrtc.dylib (no backtrace)
(fcntl-command F_SETFL) ;; CMCapture uses when camera is enabled
(fcntl-command F_SETNOSIGPIPE)) ;; CMCapture uses when camera is enabled
(allow system-fcntl (with telemetry-backtrace)
(fcntl-command F_OFD_SETLK))
(allow system-fcntl
(fcntl-command F_GETPROTECTIONCLASS)
(fcntl-command F_SETPROTECTIONCLASS))
)
;; Code-signing introspection (csops / csops_audittoken). On SDKs with the
;; fine-grained process-codesigning-* operations, most queries are denied with
;; telemetry and only the self-targeted identity/status operations plus the
;; entitlements blob and status reads are allowed. process-info-codesignature
;; is denied quietly because, as noted inline, granting it would implicitly
;; grant every process-codesigning-* check and defeat this split.
(when (defined? 'process-codesigning*)
;; csops/csops_audittoken
(deny process-codesigning-status-set (with telemetry))
(deny process-codesigning-text-offset-get (with telemetry))
(deny process-codesigning-cdhash-get (with telemetry))
(deny process-codesigning-blob-get (with telemetry))
(deny process-codesigning-teamid-get (with telemetry))
(allow process-codesigning-identity-get (target self)) ;; codeSigningIdentifierForCurrentProcess
(allow process-codesigning-entitlements-blob-get) ;; WK reading entitlements via SecTaskCopyValueForEntitlement and _getSelfParsedEntitlements (accessibility)
(allow process-codesigning-status-get) ;; _xpc_get_entitlements
(allow process-codesigning-status-set (target self))
(deny process-info-codesignature (with no-report)) ;; SecTaskCopyValueForEntitlement - granting this grants all the process-codesign-* checks
)
;; Older SDKs without the fine-grained operations: fall back to the coarse
;; self-only grant.
(when (not (defined? 'process-codesigning*))
(allow process-info-codesignature (target self))
)
;; Socket option filters. getsockopt is limited to SOL_SOCKET/SO_ERROR; every
;; other option read is denied with telemetry. setsockopt is denied entirely
;; (note SYS_setsockopt itself is still allowed above, so the syscall reaches
;; this filter and is rejected here).
(when (defined? 'socket-option-get)
;; getsockopt
(deny socket-option-get (with telemetry))
(allow socket-option-get
(require-all
(socket-option-level SOL_SOCKET)
(socket-option-name SO_ERROR))) ;; libwebrtc; physical_socket_server.cc, ProcessEvents. Called with fd=-1, so it always fails. Not strictly needed; kept until the libwebrtc code is changed.
)
(when (defined? 'socket-option-set)
;; setsockopt
(deny socket-option-set (with telemetry))
)
;; Message IDs the process may send to the bootstrap port; used by both
;; branches of the version switch below. NOTE(review): the numbers are bare
;; constants with no names here — their meaning is not documented in this
;; profile, so a short comment per ID (or named constants) would make future
;; audits of this list much easier.
(define-once (mach-bootstrap-message-numbers)
(message-number
206
207
711
712
718
800
802
803
804
805
)
)
;; Bootstrap-port message filter: deny all sends (with telemetry) except the
;; IDs in mach-bootstrap-message-numbers. The operation name differs by SBPL
;; version — mach-message-send when *sbpl-version* is defined,
;; xpc-message-send otherwise — so the same allow list is emitted twice.
(if (defined? '*sbpl-version*)
(allow mach-bootstrap
(apply-message-filter
(deny mach-message-send (with telemetry))
(allow mach-message-send
(mach-bootstrap-message-numbers)
)
)
)
;; else
(allow mach-bootstrap
(apply-message-filter
(deny xpc-message-send (with telemetry))
(allow xpc-message-send
(mach-bootstrap-message-numbers)
)
)
)
)
;; Mach trap allow list. Default deny with telemetry, then plain allows, then
;; four traps that capture a backtrace on each use.
;;
;; NOTE(review): the first rule denies mach_wait_until *without* telemetry, but
;; the blanket (deny syscall-mach (with telemetry)) that follows also covers
;; it. Given that later rules in this profile override earlier ones, the
;; intent of listing it separately is unclear — confirm whether the goal is to
;; suppress telemetry for that one trap and, if so, whether the ordering
;; achieves it.
(when (defined? 'syscall-mach)
(deny syscall-mach
(machtrap-number MSC_mach_wait_until)
)
(deny syscall-mach (with telemetry))
(allow syscall-mach
(machtrap-number MSC__kernelrpc_mach_port_allocate_trap)
(machtrap-number MSC__kernelrpc_mach_port_construct_trap)
(machtrap-number MSC__kernelrpc_mach_port_deallocate_trap)
(machtrap-number MSC__kernelrpc_mach_port_destruct_trap)
(machtrap-number MSC__kernelrpc_mach_port_extract_member_trap)
(machtrap-number MSC__kernelrpc_mach_port_get_attributes_trap)
(machtrap-number MSC__kernelrpc_mach_port_guard_trap)
(machtrap-number MSC__kernelrpc_mach_port_insert_member_trap)
(machtrap-number MSC__kernelrpc_mach_port_insert_right_trap)
(machtrap-number MSC__kernelrpc_mach_port_mod_refs_trap)
(machtrap-number MSC__kernelrpc_mach_port_request_notification_trap)
(machtrap-number MSC__kernelrpc_mach_port_type_trap)
(machtrap-number MSC__kernelrpc_mach_port_unguard_trap)
(machtrap-number MSC__kernelrpc_mach_vm_allocate_trap)
(machtrap-number MSC__kernelrpc_mach_vm_deallocate_trap)
(machtrap-number MSC__kernelrpc_mach_vm_map_trap)
(machtrap-number MSC__kernelrpc_mach_vm_protect_trap)
(machtrap-number MSC__kernelrpc_mach_vm_purgable_control_trap)
(machtrap-number MSC_host_create_mach_voucher_trap)
(machtrap-number MSC_host_self_trap)
(machtrap-number MSC_mach_generate_activity_id)
(machtrap-number MSC_mach_msg_trap)
(machtrap-number MSC_mach_reply_port)
(machtrap-number MSC_mach_timebase_info_trap)
(machtrap-number MSC_mach_voucher_extract_attr_recipe_trap)
(machtrap-number MSC_mk_timer_arm)
(machtrap-number MSC_mk_timer_cancel)
(machtrap-number MSC_mk_timer_create)
(machtrap-number MSC_mk_timer_destroy)
(machtrap-number MSC_pid_for_task)
(machtrap-number MSC_semaphore_signal_trap)
(machtrap-number MSC_semaphore_timedwait_trap)
(machtrap-number MSC_semaphore_wait_trap)
(machtrap-number MSC_syscall_thread_switch)
(machtrap-number MSC_task_name_for_pid)
(machtrap-number MSC_task_self_trap)
(machtrap-number MSC_thread_get_special_reply_port))
;; Allowed with a backtrace recorded per use.
(allow syscall-mach (with telemetry-backtrace)
(machtrap-number MSC_mach_msg_overwrite_trap)
(machtrap-number MSC_mk_timer_arm_leeway)
(machtrap-number MSC_swtch_pri)
(machtrap-number MSC_thread_self_trap))
)
;; MIG routine filter for messages sent to kernel endpoints. Default deny with
;; telemetry; routines are then allowed in two tiers — those that record a
;; backtrace on use and those allowed outright. Routine names wrapped in
;; (when (defined? '...) ...) only exist on some SDKs and are included
;; conditionally so the profile still compiles where they are absent.
(when (defined? 'mach-kernel-endpoint)
(allow mach-kernel-endpoint
(apply-message-filter
(deny mach-message-send (with telemetry))
(allow mach-message-send (with telemetry-backtrace) (kernel-mig-routine
clock_get_time
host_request_notification
io_connect_add_client
io_connect_map_memory_into_task
(when (defined? 'io_connect_set_notification_port) io_connect_set_notification_port)
io_registry_entry_get_parent_iterator
io_service_add_notification_bin
io_service_add_notification_bin_64
io_service_close
mach_exception_raise
(when (defined? 'mach_make_memory_entry) mach_make_memory_entry)
(when (defined? 'mach_make_memory_entry_64) mach_make_memory_entry_64)
mach_memory_entry_ownership
mach_port_request_notification
mach_vm_region
mach_vm_region_recurse
task_set_exc_guard_behavior
task_threads_from_user
thread_info
thread_policy
thread_policy_set
(when (defined? 'vm_copy) vm_copy)
(when (defined? 'vm_remap_external) vm_remap_external)))
;; Routines allowed without backtrace capture.
(allow mach-message-send (kernel-mig-routine
(when (defined? '_mach_make_memory_entry) _mach_make_memory_entry)
host_get_clock_service
host_get_io_master
host_get_special_port
host_info
io_connect_async_method
io_connect_method
io_connect_set_notification_port_64
io_iterator_next
io_registry_entry_from_path
io_registry_entry_get_property_bin_buf
io_registry_entry_get_property_bytes
io_registry_entry_get_registry_entry_id
io_server_version
io_service_get_matching_service_bin
io_service_get_matching_services_bin
io_service_open_extended
mach_port_get_context_from_user
mach_port_set_attributes
mach_vm_copy
mach_vm_map_external
mach_vm_remap_external
semaphore_create
semaphore_destroy
task_create_identity_token
task_get_special_port_from_user
task_info_from_user
task_restartable_ranges_register
task_restartable_ranges_synchronize
task_set_special_port
thread_get_state_to_user
thread_resume
thread_set_exception_ports
thread_suspend))
(when (defined? 'mach_port_is_connection_for_service)
(allow mach-message-send (kernel-mig-routine mach_port_is_connection_for_service))
)
)
)
)
;; Darwin notifications the process may post. Everything else is denied with
;; telemetry; the allow list is mostly accessibility status notifications plus
;; the content-filter view-service and Web Inspector availability names.
(deny darwin-notification-post (with telemetry))
(allow darwin-notification-post
(notification-name
"_AXNotification_AXSClassicInvertColorsPreference"
"com.apple.WebContentFilter.remoteUI.WebContentAnalysisUI-com.apple.uikit.viewService.connectionRequest"
"com.apple.accessibility.AirPodsSpatialAudioLockToDeviceChanged"
"com.apple.accessibility.QuickSpeakEnabled"
"com.apple.accessibility.application.status"
"com.apple.accessibility.automation.enabled.status"
"com.apple.accessibility.darken.system.colors"
"com.apple.accessibility.enhance.background.contrast.status"
"com.apple.accessibility.monoaudio.status"
"com.apple.accessibility.reduce.motion.status"
"com.apple.accessibility.status"
"com.apple.accessibility.text.legibility.status"
"com.apple.accessibility.voiceovertouch.status"
"com.apple.accessibility.wob.status"
"com.apple.automation.stringlookupinfoenabled"
"com.apple.webinspectord.availability_check"))