; Copyright (C) 2014-2019 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

;; SBPL (TinyScheme-based) sandbox profile. The rules further down reference
;; com.apple.WebKit.* XPC services and "webkit specific extension classes", so
;; this looks like the profile for a WebKit Networking process — confirm
;; against the build that installs it.
;;
;; Reading guide: this profile is written on the SBPL convention that a later
;; rule takes precedence over an earlier rule matching the same operation,
;; unless the earlier rule is inside (with-elevated-precedence ...). The denies
;; placed after broad allows further down rely on that to carve out exceptions.
(version 1)

;; Default-deny: anything not explicitly allowed in this file is refused.
;; (with partial-symbolication) appears to be a reporting modifier only; it
;; does not change what is denied — verify if in doubt.
(deny default (with partial-symbolication))

;; Let the audit subsystem stat files even under default-deny.
(allow system-audit file-read-metadata)

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

;; util.sb is not shown here; it presumably supplies define-once, gizmo?,
;; apple-signed-executable?, the home-*/front-user-home-* path helpers and the
;; allow-well-known-system-group-container-* helpers used below.
(import "util.sb")

;; Allow read-only access to every path matched by `paths` (a rest argument of
;; SBPL path filters), and allow handing out app-sandbox extensions for those
;; same paths — restricted to the read-only extension class, so this helper can
;; never be used to re-vend write access.
(define-once (allow-read-and-issue-generic-extensions . paths)
    (let ((any-of-paths (apply require-any paths)))
        (allow file-issue-extension
            (require-all
                ;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension().
                (extension-class "com.apple.app-sandbox.read")
                any-of-paths))
        (allow file-read* any-of-paths)))

;; Allow read and write access (plus explicit metadata reads) to every path
;; matched by `paths`, and allow issuing both the read-write and the read-only
;; app-sandbox extension classes for those paths. This is the only helper in
;; the file that lets the process re-vend *write* access.
(define-once (allow-read-write-and-issue-generic-extensions . paths)
    (let ((any-of-paths (apply require-any paths)))
        (allow file-read-metadata any-of-paths)
        (allow file-read* file-write* any-of-paths)
        (allow file-issue-extension
            (require-all
                (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
                any-of-paths))))

;; Network plumbing shared by every networking client: kernel-control and
;; routing sockets, SystemConfiguration/networkd-adjacent Mach services,
;; securityd/trustd, and the mDNSResponder socket. Only invoked from
;; network-client below. Entitlement- or signature-gated grants are marked.
(define-once (allow-network-common)
    ;; <rdar://problem/8645367>
    ;; AF_SYSTEM sockets with protocol 2 (presumably SYSPROTO_CONTROL, i.e.
    ;; kernel control sockets — verify against <sys/socket.h>). The
    ;; network-outbound rule right after restricts which control names may be
    ;; connected to.
    (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
    (allow network-outbound
        (control-name "com.apple.network.statistics")
        (control-name "com.apple.netsrc"))

    ;; Socket-buffer limit, NIS domain name, routing table and net statistics.
    (allow sysctl-read
        (sysctl-name "kern.ipc.maxsockbuf")
        (sysctl-name "kern.nisdomainname")
        (sysctl-name-prefix "net.routetable.")
        (sysctl-name "net.statistics"))

    ;; <rdar://problem/10642881>
    (allow file-read*
        (literal "/private/var/preferences/com.apple.networkd.plist"))

    ;; <rdar://problem/27580907>
    (allow file-read*
        (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))

    ;; <rdar://problem/13679154>
    (allow file-read*
        (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))

    ;; <rdar://problem/15711661>
    (allow mach-lookup
        (global-name "com.apple.nesessionmanager"))

    ;; <rdar://problem/7693463>
    ;; Routing sockets.
    (allow system-socket (socket-domain AF_ROUTE))

    ;; mDNSResponder's UNIX socket. On gizmo? platforms (helper from util.sb,
    ;; presumably the watch) the caller must hold a network client or server
    ;; entitlement; everywhere else the grant is unconditional.
    (if gizmo?
        (with-filter
            (require-any
                (require-entitlement "com.apple.security.network.client")
                (require-entitlement "com.apple.security.network.server"))
            (allow network-outbound (literal "/private/var/run/mDNSResponder")))
        (allow network-outbound (literal "/private/var/run/mDNSResponder")))

    ;; <rdar://problem/10962803>
    ;; <rdar://problem/13238730>
    ;; SystemConfiguration services (reachability, DNS config, PPP, network info).
    (allow mach-lookup
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.SystemConfiguration.helper")
        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
        (global-name "com.apple.SystemConfiguration.DNSConfiguration")
        (global-name "com.apple.SystemConfiguration.PPPController")
        (global-name "com.apple.SystemConfiguration.NetworkInformation"))

    ;; <rdar://problem/11792470>
    ;; <rdar://problem/13305819>
    ;; CommCenter (presumably cellular) services.
    (allow mach-lookup
        (global-name "com.apple.commcenter.xpc")
        (global-name "com.apple.commcenter.cupolicy.xpc"))

    ;; securityd/trustd plus the security preferences plist.
    (allow mach-lookup
        (global-name "com.apple.securityd")
        (global-name "com.apple.trustd"))
    (allow file-read*
        (literal "/private/var/preferences/com.apple.security.plist"))

    ;; <rdar://problem/13301795>
    (allow mach-lookup
        (global-name "com.apple.usymptomsd")
        (global-name "com.apple.symptomsd")
        (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>

    ;; NetworkExtension configuration is readable only with the private
    ;; configuration entitlement; the UUID cache only by Apple-signed code.
    (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
        (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))

    (with-filter (apple-signed-executable?)
        (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")))

    ;; AppSSO service and its version shared-memory segment (read-only).
    (allow mach-lookup
        (global-name "com.apple.AppSSO.service-xpc"))
    (allow ipc-posix-shm-read-data
        (ipc-posix-name "/com.apple.AppSSO.version"))

    ;; <rdar://problem/30452093>
    ;; multipath-tcp is defined further down in this file; it is resolved when
    ;; this helper runs (from network-client), by which point it exists.
    (multipath-tcp))

;; Outbound-networking grant for a client process. With no `filters` the
;; network-outbound grant is unrestricted; otherwise it is limited to the given
;; socket filters (the call near the end of this file passes (remote tcp)
;; (remote udp)). Also emits the shared plumbing from allow-network-common and
;; the networkd/nsurlsessiond/CFNetwork/AuthKit/accounts services a URL-loading
;; client talks to. Note that all of these rules are emitted where the helper
;; is *called*, which is what determines their precedence relative to the
;; surrounding rules.
(define-once (network-client . filters)
    (allow-network-common)

    ;; <rdar://problem/9193431>
    (allow mach-lookup
        (global-name "com.apple.networkd"))

    ;; <rdar://problem/20094008>
    ;; <rdar://problem/24689958>
    ;; The privileged networkd endpoint requires one of the networkd entitlements.
    (with-filter (require-any
        (require-entitlement "com.apple.networkd.advisory_socket")
        (require-entitlement "com.apple.networkd.disable_opportunistic")
        (require-entitlement "com.apple.networkd.modify_settings")
        (require-entitlement "com.apple.networkd.persistent_interface")
        (require-entitlement "com.apple.networkd_privileged"))
        (allow mach-lookup
            (global-name "com.apple.networkd_privileged")))

    ;; <rdar://problem/20201593>
    ;; AuthKit endpoints: reachable by any Apple-signed executable *or* by a
    ;; holder of an authkit client entitlement. apple-signed-executable? alone
    ;; is sufficient here.
    (with-filter (require-any
        (apple-signed-executable?)
        (require-entitlement "com.apple.authkit.client")
        (require-entitlement "com.apple.authkit.client.private")
        (require-entitlement "com.apple.authkit.client.internal"))
        (allow mach-lookup
            (global-name "com.apple.ak.anisette.xpc")
            (global-name "com.apple.ak.auth.xpc")))

    ;; <rdar://problem/15897781>
    ;; nsurlsessiond, plus issuing read-only nsurlsessiond extensions — for the
    ;; executable bundle only.
    (allow mach-lookup
        (global-name "com.apple.nsurlsessiond"))
    (allow file-issue-extension
        (require-all
            (executable-bundle)
            (extension-class "com.apple.nsurlsessiond.readonly")))

    ;; <rdar://problem/20617514>
    (when gizmo?
        (allow mach-lookup
            (global-name "com.apple.nsurlsessiond.NSURLSessionProxyService")
            (global-name "com.apple.sharingd.NSURLSessionProxyService")))

    ;; <rdar://problem/15608009>
    (allow mach-lookup
        (global-name "com.apple.nsurlstorage-cache"))

    ;; <rdar://problem/10423007>
    (allow mach-lookup
        (global-name "com.apple.cfnetwork.AuthBrokerAgent")
        (global-name "com.apple.cfnetwork.cfnetworkagent"))

    ;; <rdar://problem/12620714>
    ;; Refuse creation of CFNetwork crash-reporter logs under the home Logs
    ;; directory, silently (no-report) so the attempts do not spam violation
    ;; reports.
    (deny file-write-create (with no-report)
        (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))

    (allow mach-lookup
        (global-name "com.apple.cookied"))

    ;; <rdar://problem/17910466>
    (allow mach-lookup
        (global-name "com.apple.accountsd.accountmanager"))

    ;; GSS-API
    (allow mach-lookup
        (global-name "com.apple.GSSCred"))

    ;; <rdar://problem/17853959>
    ;; Opens the AppleKeyStore IOKit user client (reported + telemetry inside
    ;; the helper). This is a sensitive client to hand to a network-facing
    ;; process; keep the helper's reporting modifiers if this is ever touched.
    (mobile-keybag-access)

    (allow mach-lookup
        (global-name "com.apple.nehelper"))

    ;; nsurlstoraged's top-level-domain data file (literal read).
    (allow-well-known-system-group-container-literal-read
        "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

    ;; <rdar://problem/33277999>
    (mobile-preferences-read "com.apple.CFNetwork")

    ;; The actual outbound grant: unrestricted when called without filters.
    (if (null? filters)
        (allow network-outbound)
        ; else
        (allow network-outbound (apply require-any filters))))

;; Allow creating sockets in the multipath (MPTCP) address family. The literal
;; 39 is AF_MULTIPATH in XNU's <sys/socket.h>; presumably no symbolic constant
;; is predefined for it in this dialect (unlike AF_SYSTEM/AF_ROUTE) — confirm
;; before replacing the literal.
(define-once (multipath-tcp)
    (let ((af-multipath 39))
        (allow system-socket (socket-domain af-multipath))))

;; Read-only access to the *public* portion of managed-configuration data:
;; the PublicInfo directories (system group container and the front user's
;; home) and profiled's public Mach service. Nothing here reaches the
;; non-public profile data.
(define-once (managed-configuration-read-public)
    (allow mach-lookup
        (global-name "com.apple.managedconfiguration.profiled.public"))
    (allow file-read*
        (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")
        (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
        (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")))

;; Metadata-only (no data) access to the home directory itself and to its
;; Library/Preferences directory; shared by the preference-reading helpers.
(define-once (allow-preferences-common)
    (allow file-read-metadata (home-literal ""))
    (allow file-read-metadata (home-literal "/Library/Preferences")))

;; Grant user-preference reads for each CFPreferences domain given in
;; `domains` (rest argument), plus the directory metadata access from
;; allow-preferences-common. Read-only: no user-preference-write is granted.
(define-once (mobile-preferences-read . domains)
    (allow user-preference-read (apply preference-domain domains))
    (allow-preferences-common))

;; Open the AppleKeyStore IOKit user client (presumably for keybag /
;; data-protection class queries — confirm). Every open is reported and
;; counted in telemetry because this is a sensitive client to expose to a
;; network-facing process; keep both modifiers.
(define-once (mobile-keybag-access)
    (allow iokit-open
        (with telemetry)
        (with report)
        (iokit-user-client-class "AppleKeyStoreUserClient")))

;; Developer/debugging affordances: Xcode-installed content under /Developer,
;; tooling shared-memory segments, Apple-internal library paths, and the
;; hang-tracer / simulated-crash services. Called unconditionally from the
;; top level of this file, so everything not explicitly gated here applies on
;; every device.
(define-once (debugging-support)
    ;; <rdar://problem/8379706>
    ;; <rdar://problem/12868101>
    ;; <rdar://problem/22766887>
    ;; <rdar://problem/22880365>
    ;; Not gated on apple-internal: code under /Developer may be mapped
    ;; executable on any device where that directory exists.
    (allow file-read* file-map-executable
        (subpath "/Developer"))

    ;; <rdar://problem/7674121>
    ;; <rdar://problem/9151290>
    ;; Shared-memory segments whose names suggest malloc stack logging and
    ;; similar tooling (read and write, unlike the read-only shm rules below).
    (allow ipc-posix-shm
        (ipc-posix-name-regex #"^stack-logs")
        (ipc-posix-name-regex #"^OA-")
        (ipc-posix-name-regex #"^/FSM-"))

    ;; Apple-internal builds only.
    (with-filter (system-attribute apple-internal)
        ;; <rdar://problem/8565035>
        ;; <rdar://problem/23857452>
        (allow file-read* file-map-executable
            (subpath "/AppleInternal")
            (subpath "/usr/local/lib")))
    ;; Pinned with elevated precedence so later rules cannot narrow it. This
    ;; grants read, executable mapping and extension issuance for a directory
    ;; under the front user's home, and is NOT gated on apple-internal or
    ;; apple-signed — review whether that is intended on customer builds.
    (with-elevated-precedence
        (allow file-read* file-map-executable file-issue-extension
            (front-user-home-subpath "/XcodeBuiltProducts")))

    ;; <rdar://problem/8107758>
    (allow file-read* file-map-executable
        (subpath "/System/Library/Frameworks")
        (subpath "/System/Library/PrivateFrameworks"))

    ;; <rdar://problem/11455762>
    (allow mach-lookup
        (global-name "com.apple.hangtracerd"))
    ;; <rdar://problem/32544921>
    (mobile-preferences-read "com.apple.hangtracer")

    ;; <rdar://problem/9090627>
    ;; Only Apple-signed executables may ask ReportCrash to simulate a crash.
    (with-filter (apple-signed-executable?)
        (allow mach-lookup
            (global-name "com.apple.ReportCrash.SimulateCrash"))))

;; A filter (not a rule) matching the on-disk logd/diagnostics stores that a
;; diagnostic client may read; consumed by logd-diagnostic-client.
(define-once (logd-diagnostic-paths)
    (require-any
        (subpath "/private/var/userdata/diagnostics")
        (subpath "/private/var/db/uuidtext")
        (subpath "/private/var/db/timesync")
        (subpath "/private/var/db/diagnostics")))
;; Read access to the logd diagnostic stores, only for a process that holds
;; one of the two diagnostic entitlements *and* has been handed a
;; com.apple.logd.read-only sandbox extension — both conditions must hold.
(define-once (logd-diagnostic-client)
    (let ((has-diagnostic-entitlement
            (require-any
                (require-entitlement "com.apple.diagnosticd.diagnostic")
                (require-entitlement "com.apple.private.logging.diagnostic"))))
        (with-filter
            (require-all
                (extension "com.apple.logd.read-only")
                has-diagnostic-entitlement)
            (allow file-read*
                (logd-diagnostic-paths)))))

;; Filter for the handful of /etc files (hosts, services, protocols,
;; passwd/group, fstab) that are read-allowed further down; bound once here so
;; the rule that uses it stays short.
(define required-etc-files
    (literal "/private/etc/services"
             "/private/etc/protocols"
             "/private/etc/passwd"
             "/private/etc/hosts"
             "/private/etc/group"
             "/private/etc/fstab"))

;; Mach lookups of the two multi-instance WebKit XPC services. Each lookup is
;; counted in telemetry and tagged with a message pointing at the tracking
;; radar — presumably to find the remaining callers so the grant can go away.
(define-once (allow-multi-instance-xpc-services)
    ;; <rdar://problem/46716068>
    (allow mach-lookup
        (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
        (with telemetry)
        (xpc-service-name "com.apple.WebKit.WebContent"
                          "com.apple.WebKit.Networking")))

;; Boot session identifier.
(allow sysctl-read
    (sysctl-name "kern.bootsessionuuid"))

;; Baseline: no executable mappings and no mount/unmount at all. The specific
;; file-map-executable exceptions (system libraries, the executable bundle)
;; are granted further down; these denies sit early so those can override them.
(deny file-map-executable)
(deny file-write-mount file-write-unmount)
;; Metadata (stat-style) reads on any directory are allowed profile-wide.
(allow file-read-metadata
    (vnode-type DIRECTORY))

(mobile-preferences-read "com.apple.security")

;; Everything inside this form has elevated precedence: it wins over ordinary
;; allow/deny rules elsewhere in the file, so later denies cannot narrow these
;; grants. Note the block runs all the way through the process-info rule at the
;; bottom — the closing paren is easy to miss.
(with-elevated-precedence
    ;; System files.
    (allow file-read*
        (subpath "/usr/lib"
                 "/usr/share"
                 "/private/var/db/timezone"))
    (allow-read-and-issue-generic-extensions
        (subpath "/Library/RegionFeatures"
                 "/System/Library"))

    ;; Executable mappings are denied profile-wide above; these are the system
    ;; library locations that are exempt.
    (allow file-map-executable
        (subpath "/System/Library")
        (subpath "/usr/lib"))

    (allow file-read-metadata
        (vnode-type SYMLINK))

    (allow file-read*
        (subpath "/private/var/preferences/Logging"))

    ;; Global (any-application) preference domain: user plist and managed plist.
    (mobile-preferences-read "kCFPreferencesAnyApplication")
    (allow file-read*
        (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))

    (allow file-read*
        (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))

    (allow file-read-metadata
        (home-literal "/Library/Caches/powerlog.launchd"))

    ;; The process's own bundle: readable, read-extension-issuable, and mappable
    ;; as executable code.
    (allow-read-and-issue-generic-extensions (executable-bundle))
    (allow file-map-executable (executable-bundle))

    ;; Carve-out from the bundle grant above: the SC_Info directory (going by
    ;; the name, DRM/FairPlay metadata — confirm) must not be read, handed out
    ;; as an extension, or mapped. It sits inside the elevated block so that it
    ;; can override the elevated allow just above.
    (deny file-read-data file-issue-extension file-map-executable
        (require-all
            (executable-bundle)
            (regex #"/[^/]+/SC_Info/")))

    ;; Consumption of com.apple.security.exception.* sandbox extensions. These
    ;; are dynamic grants: whoever issues such an extension to this process
    ;; widens its sandbox at elevated precedence, so ordinary denies later in
    ;; the file (e.g. the symlink-creation deny near the end) presumably do not
    ;; narrow them — confirm that is intended.
    (with-filter (global-name-prefix "")
        (allow mach-lookup
            (extension "com.apple.security.exception.mach-lookup.global-name"))
        (allow mach-register
            (extension "com.apple.security.exception.mach-register.global-name")))
    (with-filter (local-name-prefix "")
        (allow mach-lookup
            (extension "com.apple.security.exception.mach-lookup.local-name"))
        (allow mach-register
            (extension "com.apple.security.exception.mach-register.local-name")))
    (allow-read-and-issue-generic-extensions
        (extension "com.apple.security.exception.files.absolute-path.read-only")
        (extension "com.apple.security.exception.files.home-relative-path.read-only"))
    (allow-read-write-and-issue-generic-extensions
        (extension "com.apple.security.exception.files.absolute-path.read-write")
        (extension "com.apple.security.exception.files.home-relative-path.read-write"))
    (allow iokit-open
        (extension "com.apple.security.exception.iokit-user-client-class"))
    (allow managed-preference-read
        (extension "com.apple.security.exception.managed-preference.read-only"))
    (allow user-preference-read
        (extension "com.apple.security.exception.shared-preference.read-only"))
    (allow user-preference-read user-preference-write
        (extension "com.apple.security.exception.shared-preference.read-write"))
    (allow sysctl-read
        (extension "com.apple.security.exception.sysctl.read-only"))
    (allow sysctl-read sysctl-write
        (extension "com.apple.security.exception.sysctl.read-write"))

    ;; Re-vending cache directories to CFNetwork: an nsurlstorage cache
    ;; extension may only be issued for a Caches path that this process itself
    ;; already holds a home-relative read-write exception extension for.
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.nsurlstorage.extension-cache")
            (extension "com.apple.security.exception.files.home-relative-path.read-write")
            (require-any
                (prefix "/private/var/root/Library/Caches/")
                (front-user-home-prefix "/Library/Caches/"))))

    ;; Cross-process introspection (proc info, code signature, argv via
    ;; kern.procargs2) only with the process-info exception entitlement;
    ;; without it the process may only inspect itself (see below).
    (with-filter (require-entitlement "com.apple.security.exception.process-info")
        (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
        (allow sysctl-read
            (sysctl-name-prefix "kern.proc.")
            (sysctl-name-prefix "kern.procargs2."))))

;; Developer/debug affordances (see debugging-support); applied on every
;; device because this call is unconditional.
(debugging-support)

;; Basic /etc lookup files and the root directory itself.
(allow file-read*
    required-etc-files
    (literal "/"))

;; Unified logging. (with report)/(with telemetry) on an allow are reporting
;; modifiers, not filters — they do not narrow the grant.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.logd")
    (global-name "com.apple.logd.events"))

;; cfprefsd and its shared-memory cache (read-only).
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.cfprefsd.daemon")
    (global-name "com.apple.cfprefsd.agent")
    (local-name "com.apple.cfprefsd.agent"))
(allow ipc-posix-shm-read*
    (ipc-posix-name-prefix "apple.cfprefs."))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.runningboard"))

;; WebKit multi-instance XPC services (telemetry-tagged; see the helper).
(allow-multi-instance-xpc-services)

;; Scheduler overrides only with the private kernel entitlement.
(allow system-sched
    (require-entitlement "com.apple.private.kernel.override-cpumon"))

;; Hardware/kernel facts commonly read by system frameworks; every read is
;; reported and counted in telemetry. Some of these are mildly identifying
;; (kern.hostname, kern.bootargs, kern.hostid).
;; NOTE(review): an unfiltered `(deny sysctl*)` appears later in this file and,
;; on the later-rule-wins convention this profile otherwise relies on, it
;; overrides this whole list; only the names re-allowed after that deny would
;; then be readable. Verify with a sandbox trace which of these are actually
;; needed and, if so, move them after the deny.
(allow sysctl-read (with report) (with telemetry)
    (sysctl-name "hw.activecpu")
    (sysctl-name "hw.busfrequency")
    (sysctl-name "hw.busfrequency_compat")
    (sysctl-name "hw.byteorder")
    (sysctl-name "hw.cachelinesize")
    (sysctl-name "hw.cachelinesize_compat")
    (sysctl-name "hw.cpu64bit_capable")
    (sysctl-name "hw.cpufamily")
    (sysctl-name "hw.cpufrequency")
    (sysctl-name "hw.cpufrequency_compat")
    (sysctl-name "hw.cpufrequency_max")
    (sysctl-name "hw.cpusubtype")
    (sysctl-name "hw.cputype")
    (sysctl-name "hw.l1dcachesize")
    (sysctl-name "hw.l1dcachesize_compat")
    (sysctl-name "hw.l1icachesize")
    (sysctl-name "hw.l1icachesize_compat")
    (sysctl-name "hw.l2cachesize")
    (sysctl-name "hw.l2cachesize_compat")
    (sysctl-name "hw.l2settings")
    (sysctl-name "hw.l3cachesize")
    (sysctl-name "hw.l3cachesize_compat")
    (sysctl-name "hw.l3settings")
    (sysctl-name "hw.logicalcpu")
    (sysctl-name "hw.logicalcpu_max")
    (sysctl-name "hw.machine")
    (sysctl-name "hw.memsize")
    (sysctl-name "hw.pagesize")
    (sysctl-name "hw.pagesize_compat")
    (sysctl-name "hw.physicalcpu")
    (sysctl-name "hw.physicalcpu_max")
    (sysctl-name "hw.physmem")
    (sysctl-name "hw.tbfrequency")
    (sysctl-name "hw.tbfrequency_compat")
    (sysctl-name "hw.usermem")
    (sysctl-name "hw.vectorunit")
    (sysctl-name "kern.bootargs")
    (sysctl-name "kern.boottime")
    (sysctl-name "kern.clockrate")
    (sysctl-name "kern.development")
    (sysctl-name "kern.hostid")
    (sysctl-name "kern.hostname")
    (sysctl-name "kern.maxproc")
    (sysctl-name "kern.maxvnodes")
    (sysctl-name-prefix "kern.monotonicclock")
    (sysctl-name "kern.monotoniclock_offset_usecs")
    (sysctl-name "kern.ngroups")
    (sysctl-name "kern.osproductversion")
    (sysctl-name "kern.osrelease")
    (sysctl-name "kern.ostype")
    (sysctl-name "kern.osvariant_status")
    (sysctl-name "kern.osversion")
    (sysctl-name "kern.saved_ids")
    (sysctl-name "kern.secure_kernel")
    (sysctl-name "kern.usrstack")
    (sysctl-name "kern.usrstack64")
    (sysctl-name "kern.version")
    (sysctl-name "kern.waketime")
    (sysctl-name "security.mac.sandbox.sentinel")
    (sysctl-name "sysctl.name2oid")
    (sysctl-name "vm.loadavg")
    (sysctl-name-prefix "kern.argmax")
    (sysctl-name-prefix "kern.proc.pid.")
)

;; Apple-internal builds only: dtrace DOF mode, and the footprint-suspend knob
;; (readable *and* writable here).
(with-filter (system-attribute apple-internal)
    (allow sysctl-read
        (sysctl-name "kern.dtrace.dof_mode"))
    (allow sysctl-read sysctl-write
        (sysctl-name "vm.footprint_suspend")))

;; Legacy syslog: the Mach logger service and the /var/run/syslog socket
;; (network-outbound with a path filter, i.e. connecting to a UNIX-domain
;; socket).
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.system.logger"))
(allow file-read-metadata network-outbound (with report) (with telemetry)
    (literal "/private/var/run/syslog"))

;; Darwin notification center and its shared-memory state (read-only).
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read* (with report) (with telemetry)
    (ipc-posix-name "apple.shm.notification_center"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.distributed_notifications@1v3"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.diagnosticd"))

;; Entitlement- and extension-gated read of the logd diagnostic stores.
(logd-diagnostic-client)

;; Public (non-secret) managed-configuration data only.
(managed-configuration-read-public)

;; CryptoTokenKit token client.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.ctkd.token-client"))

;; Link-layer (MAC) addresses are a device identifier: explicitly denied, and
;; silently, so the attempt does not generate a violation report. (Already
;; covered by default-deny; the rule exists for the no-report modifier.)
(deny system-info (with no-report)
    (info-type "net.link.addr"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.system.libinfo.muser"))

;; Task port and process-info access is limited to this process itself;
;; cross-process info requires the process-info exception entitlement granted
;; earlier in the file.
(allow mach-task-name (target self))

(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.analyticsd"))

;;;
;;; End rules originally copied from 'common.sb'
;;;

;; Process-specific rules start here.

;; No XPC service lookups at all (the empty prefix matches every name). This
;; comes after allow-multi-instance-xpc-services; if later rules win (as this
;; profile otherwise assumes) it also shadows that allow and the helper's
;; telemetry would never fire — confirm which behaviour is intended.
(deny mach-lookup (xpc-service-name-prefix ""))

;; No LaunchServices open from this process.
(deny lsopen)

;; Reset sysctl access to a minimal allow-list. Being unfiltered and placed
;; after the long sysctl-read list above, this deny presumably overrides that
;; list: only the names below remain readable, and nothing is writable
;; (including vm.footprint_suspend, which is read-only here).
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.availcpu"
        "hw.ncpu"
        "hw.model"
        "kern.maxfilesperproc"
        "kern.memorystatus_level"
        "kern.tcsm_available" ;; Needed for IndexedDB support.
        "vm.footprint_suspend"))

;; Access to client's cache folder & re-vending to CFNetwork.
;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
;; An nsurlstorage cache extension may only be issued for paths this process
;; already holds a read-write app-sandbox extension for: it can re-vend access
;; it was granted, not mint new access.
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read-write")
    (extension-class "com.apple.nsurlstorage.extension-cache")))

;; App sandbox extensions
;; Dynamic grants: read-write and read-only file access wherever an app-sandbox
;; extension has been handed to this process. Unlike the exception extensions
;; earlier in the file these are ordinary (non-elevated) rules, so the
;; symlink-creation deny further down still applies to writes made through them.
(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
(allow file-read* (extension "com.apple.app-sandbox.read"))

;; FIXME: <rdar://problem/17909681> SSO expects to be able to walk the parent
;; bundle to find Info plists, so we jump through a few hoops here to provide
;; enough access to make it possible.

;; IOKit user clients
;; Only the power-management (RootDomain) client is opened directly; any other
;; IOKit class needs an iokit-user-client-class exception extension (granted
;; earlier) or the keybag helper.
(allow iokit-open
    (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
)

;; Various services required by CFNetwork and other frameworks
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.PowerManagement.control"))

;; Outbound network access limited to remote TCP and UDP endpoints. This call
;; also emits, at this point in the file, every rule from network-client and
;; allow-network-common (including the AppleKeyStore iokit-open and the
;; CFNetwork crash-log deny). See the broader network* FIXME grant below.
(network-client (remote tcp) (remote udp))

;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
;; (subpath form; a literal read of the same file is also granted inside
;; network-client — the overlap is harmless.)
(allow-well-known-system-group-container-subpath-read
    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

;; Security framework
;; ocspd for revocation checks; securityd is also allowed by allow-network-common.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.ocspd")
    (global-name "com.apple.securityd"))

;; PassKit framework
;; Payment-related services (in-app payment, pass library). These are sensitive
;; targets for a network-facing process; re-check that they are still needed.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.passd.in-app-payment")
    (global-name "com.apple.passd.library"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.FileCoordination")
    (global-name "com.apple.dmd.policy")
    (global-name "com.apple.siri.context.service")
    (global-name "com.apple.ctcategories.service"))

;; Hardening: never create symlinks, even inside directories this process may
;; otherwise write (presumably to close symlink-swap tricks against writable
;; caches). Placed late so it wins over the ordinary write grants above; it
;; presumably does not beat grants made with elevated precedence.
(deny file-write-create
    (vnode-type SYMLINK))

;; FIXME should be removed when <rdar://problem/30498072> is fixed.
;; NOTE(review): this is the broadest network rule in the file. `network*`
;; wildcards every network operation (inbound and bind as well as outbound),
;; and the (local ...) filters presumably match bound/listening sockets, so it
;; widens the remote-only network-client grant above to accepting connections.
;; Treat its removal as a security fix once the radar is resolved.
(allow network*
    (local udp)
    (remote udp)
    (local tcp)
    (remote tcp))

;; Various services required by system frameworks
;; (analyticsd and AppSSO are also allowed in the common/network rules above;
;; the duplicates are harmless.)
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.analyticsd")
    (global-name "com.apple.AppSSO.service-xpc"))

;; For reporting progress for active downloads <rdar://problem/44405661>
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.ProgressReporting"))

;; <rdar://problem/47598758>
;; NetworkExtension content-filter session.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.nesessionmanager.content-filter"))

;; Various shared memory accesses required by system frameworks
;; (read-only; the same segment is also allowed inside allow-network-common.)
(allow ipc-posix-shm-read-data
    (ipc-posix-name "/com.apple.AppSSO.version"))