Google Git
Sign in
webkit / WebKit / 68ae80dbd852513426dc763371e83df226c8fcb9 / . / Source / WebKit / Resources / SandboxProfiles / ios / com.apple.WebKit.Networking.sb
blob: 41a5bfc8b4e45fa9b27033136c1aa0e713446327 [file] [log] [blame]
; Copyright (C) 2014-2020 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
(version 1)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
(import "util.sb")
(define-once (allow-read-and-issue-generic-extensions . filters)
(allow file-read*
(apply require-any filters))
(allow file-issue-extension
(require-all
;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension().
(extension-class "com.apple.app-sandbox.read")
(apply require-any filters))))
(define-once (allow-read-write-and-issue-generic-extensions . filters)
(allow file-read* file-write*
(apply require-any filters))
(allow file-read-metadata
(apply require-any filters))
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
(apply require-any filters))))
(define-once (allow-network-common)
;; <rdar://problem/8645367>
(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
(allow network-outbound
(control-name "com.apple.network.statistics")
(control-name "com.apple.netsrc"))
(allow sysctl-read
(sysctl-name "kern.ipc.maxsockbuf")
(sysctl-name "kern.nisdomainname")
(sysctl-name-prefix "net.routetable.")
(sysctl-name "net.statistics"))
;; <rdar://problem/10642881>
(allow file-read*
(literal "/private/var/preferences/com.apple.networkd.plist"))
;; <rdar://problem/27580907>
(allow file-read*
(literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
;; <rdar://problem/13679154>
(allow file-read*
(literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
;; <rdar://problem/15711661>
(allow mach-lookup
(global-name "com.apple.nesessionmanager"))
;; <rdar://problem/7693463>
(allow system-socket (socket-domain AF_ROUTE))
(if gizmo?
(with-filter
(require-any
(require-entitlement "com.apple.security.network.client")
(require-entitlement "com.apple.security.network.server"))
(allow network-outbound (literal "/private/var/run/mDNSResponder"))
(allow mach-lookup (global-name "com.apple.dnssd.service"))) ;; <rdar://problem/55562091>
(begin
(allow network-outbound (literal "/private/var/run/mDNSResponder"))
(allow mach-lookup (global-name "com.apple.dnssd.service")))) ;; <rdar://problem/55562091>
;; <rdar://problem/10962803>
;; <rdar://problem/13238730>
(allow mach-lookup
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SystemConfiguration.helper")
(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.PPPController")
(global-name "com.apple.SystemConfiguration.NetworkInformation"))
;; <rdar://problem/11792470>
;; <rdar://problem/13305819>
(allow mach-lookup
(global-name "com.apple.commcenter.xpc")
(global-name "com.apple.commcenter.cupolicy.xpc"))
(allow mach-lookup
(global-name "com.apple.securityd")
(global-name "com.apple.trustd"))
(allow file-read*
(literal "/private/var/preferences/com.apple.security.plist"))
;; <rdar://problem/13301795>
(allow mach-lookup
(global-name "com.apple.usymptomsd")
(global-name "com.apple.symptomsd")
(global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
(with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
(allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))
(allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist"))
(allow mach-lookup
(global-name "com.apple.AppSSO.service-xpc"))
(allow ipc-posix-shm-read-data
(ipc-posix-name "/com.apple.AppSSO.version"))
;; <rdar://problem/30452093>
(multipath-tcp))
(define-once (network-client . filters)
(allow-network-common)
;; <rdar://problem/9193431>
(allow mach-lookup
(global-name "com.apple.networkd"))
;; <rdar://problem/20094008>
;; <rdar://problem/24689958>
(with-filter (require-any
(require-entitlement "com.apple.networkd.advisory_socket")
(require-entitlement "com.apple.networkd.disable_opportunistic")
(require-entitlement "com.apple.networkd.modify_settings")
(require-entitlement "com.apple.networkd.persistent_interface")
(require-entitlement "com.apple.networkd_privileged"))
(allow mach-lookup
(global-name "com.apple.networkd_privileged")))
;; <rdar://problem/20201593>
(allow mach-lookup
(global-name "com.apple.ak.anisette.xpc")
(global-name "com.apple.ak.auth.xpc"))
;; <rdar://problem/15897781>
(allow mach-lookup
(global-name "com.apple.nsurlsessiond"))
(allow file-issue-extension
(require-all
(executable-bundle)
(extension-class "com.apple.nsurlsessiond.readonly")))
;; <rdar://problem/20617514>
(when gizmo?
(allow mach-lookup
(global-name "com.apple.nsurlsessiond.NSURLSessionProxyService")
(global-name "com.apple.sharingd.NSURLSessionProxyService")))
;; <rdar://problem/15608009>
(allow mach-lookup
(global-name "com.apple.nsurlstorage-cache"))
;; <rdar://problem/10423007>
(allow mach-lookup
(global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.cfnetwork.cfnetworkagent"))
;; <rdar://problem/12620714>
(deny file-write-create (with no-report)
(home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
(allow mach-lookup
(global-name "com.apple.cookied"))
;; <rdar://problem/17910466>
(allow mach-lookup
(global-name "com.apple.accountsd.accountmanager"))
;; GSS-API
(allow mach-lookup
(global-name "com.apple.GSSCred"))
;; <rdar://problem/17853959>
(mobile-keybag-access)
(allow mach-lookup
(global-name "com.apple.nehelper"))
(allow-well-known-system-group-container-literal-read
"/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
;; <rdar://problem/33277999>
(mobile-preferences-read "com.apple.CFNetwork")
(if (null? filters)
(allow network-outbound)
; else
(allow network-outbound (apply require-any filters))))
(define-once (multipath-tcp)
(allow system-socket (socket-domain 39)))
(define-once (managed-configuration-read-public)
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
(allow mach-lookup
(global-name "com.apple.managedconfiguration.profiled.public")))
(define-once (allow-preferences-common)
(allow file-read-metadata
(home-literal "")
(home-literal "/Library/Preferences")))
(define-once (mobile-preferences-read . domains)
(allow-preferences-common)
(allow user-preference-read (apply preference-domain domains)))
(define-once (mobile-keybag-access)
(allow iokit-open (with telemetry)
(iokit-user-client-class "AppleKeyStoreUserClient") ;; Needed by NSURLCache
))
(define-once (debugging-support)
;; <rdar://problem/8379706>
;; <rdar://problem/12868101>
;; <rdar://problem/22766887>
;; <rdar://problem/22880365>
(allow file-read* file-map-executable
(subpath "/Developer"))
;; <rdar://problem/7674121>
;; <rdar://problem/9151290>
(allow ipc-posix-shm
(ipc-posix-name-regex #"^stack-logs")
(ipc-posix-name-regex #"^OA-")
(ipc-posix-name-regex #"^/FSM-"))
(with-filter (system-attribute apple-internal)
;; <rdar://problem/8565035>
;; <rdar://problem/23857452>
(allow file-read* file-map-executable
(subpath "/AppleInternal")
(subpath "/usr/local/lib")))
(with-elevated-precedence
(allow file-read* file-map-executable file-issue-extension
(front-user-home-subpath "/XcodeBuiltProducts")))
;; <rdar://problem/8107758>
(allow file-read* file-map-executable
(subpath "/System/Library/Frameworks")
(subpath "/System/Library/PrivateFrameworks"))
;; <rdar://problem/11455762>
(allow mach-lookup
(global-name "com.apple.hangtracerd"))
;; <rdar://problem/32544921>
(mobile-preferences-read "com.apple.hangtracer")
;; <rdar://problem/9090627>
(allow mach-lookup
(global-name "com.apple.osanalytics.osanalyticshelper")))
(define-once (logd-diagnostic-paths)
(require-any
(subpath "/private/var/db/diagnostics")
(subpath "/private/var/db/timesync")
(subpath "/private/var/db/uuidtext")
(subpath "/private/var/userdata/diagnostics")))
(define-once (logd-diagnostic-client)
(with-filter
(require-all
(require-any
(require-entitlement "com.apple.private.logging.diagnostic")
(require-entitlement "com.apple.diagnosticd.diagnostic"))
(extension "com.apple.logd.read-only"))
(allow file-read*
(logd-diagnostic-paths))))
(define required-etc-files
(literal "/private/etc/fstab"
"/private/etc/hosts"
"/private/etc/group"
"/private/etc/passwd"
"/private/etc/protocols"
"/private/etc/services"))
(define-once (allow-multi-instance-xpc-services)
;; <rdar://problem/46716068>
(allow mach-lookup
(with telemetry)
(with message "Create a radar and set it as a blocker to rdar://problem/48527566")
(xpc-service-name "com.apple.WebKit.Networking"
"com.apple.WebKit.WebContent")
))
(allow sysctl-read
(sysctl-name "kern.bootsessionuuid"))
(deny file-map-executable)
(deny file-write-mount file-write-unmount)
(allow file-read-metadata
(vnode-type DIRECTORY))
(mobile-preferences-read "com.apple.security")
(with-elevated-precedence
;; System files.
(allow file-read*
(subpath "/usr/lib"
"/usr/share"
"/private/var/db/timezone"))
(allow-read-and-issue-generic-extensions
(subpath "/Library/RegionFeatures"
"/System/Library"))
(allow file-map-executable
(subpath "/System/Library")
(subpath "/usr/lib"))
(allow file-read-metadata
(vnode-type SYMLINK))
(allow file-read*
(subpath "/private/var/preferences/Logging"))
(mobile-preferences-read "kCFPreferencesAnyApplication")
(allow file-read*
(front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
(allow file-read*
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
(allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
(allow file-read-metadata
(home-literal "/Library/Caches/powerlog.launchd"))
(allow-read-and-issue-generic-extensions (executable-bundle))
(allow file-map-executable (executable-bundle))
(deny file-read-data file-issue-extension file-map-executable
(require-all
(executable-bundle)
(regex #"/[^/]+/SC_Info/")))
(with-filter (global-name-prefix "")
(allow mach-lookup
(extension "com.apple.security.exception.mach-lookup.global-name"))
(allow mach-register
(extension "com.apple.security.exception.mach-register.global-name")))
(with-filter (local-name-prefix "")
(allow mach-lookup
(extension "com.apple.security.exception.mach-lookup.local-name"))
(allow mach-register
(extension "com.apple.security.exception.mach-register.local-name")))
(allow-read-and-issue-generic-extensions
(extension "com.apple.security.exception.files.absolute-path.read-only")
(extension "com.apple.security.exception.files.home-relative-path.read-only"))
(allow-read-write-and-issue-generic-extensions
(extension "com.apple.security.exception.files.absolute-path.read-write")
(extension "com.apple.security.exception.files.home-relative-path.read-write"))
(allow iokit-open
(extension "com.apple.security.exception.iokit-user-client-class"))
(allow managed-preference-read
(extension "com.apple.security.exception.managed-preference.read-only"))
(allow user-preference-read
(extension "com.apple.security.exception.shared-preference.read-only"))
(allow user-preference-read user-preference-write
(extension "com.apple.security.exception.shared-preference.read-write"))
(allow sysctl-read
(extension "com.apple.security.exception.sysctl.read-only"))
(allow sysctl-read sysctl-write
(extension "com.apple.security.exception.sysctl.read-write"))
(allow file-issue-extension
(require-all
(extension-class "com.apple.nsurlstorage.extension-cache")
(extension "com.apple.security.exception.files.home-relative-path.read-write")
(require-any
(prefix "/private/var/root/Library/Caches/")
(front-user-home-prefix "/Library/Caches/"))))
(with-filter (require-entitlement "com.apple.security.exception.process-info")
(allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
(allow sysctl-read
(sysctl-name-prefix "kern.proc.")
(sysctl-name-prefix "kern.procargs2."))))
(debugging-support)
(allow file-read*
required-etc-files
(literal "/"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.logd")
(global-name "com.apple.logd.events"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.cfprefsd.agent")
(local-name "com.apple.cfprefsd.agent")
)
(allow mach-lookup (with telemetry)
(global-name "com.apple.cfprefsd.daemon") ;; Needed by _CFPreferencesGetAppBooleanValueWithContainer and others.
)
(allow ipc-posix-shm-read*
(ipc-posix-name-prefix "apple.cfprefs."))
(allow mach-lookup (with telemetry)
(global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).
(allow-multi-instance-xpc-services)
(allow system-sched
(require-entitlement "com.apple.private.kernel.override-cpumon"))
(allow sysctl-read (with report) (with telemetry)
(sysctl-name "hw.busfrequency")
(sysctl-name "hw.busfrequency_compat")
(sysctl-name "hw.byteorder")
(sysctl-name "hw.cachelinesize")
(sysctl-name "hw.cachelinesize_compat")
(sysctl-name "hw.cpu64bit_capable")
(sysctl-name "hw.cpufamily")
(sysctl-name "hw.cpufrequency")
(sysctl-name "hw.cpufrequency_compat")
(sysctl-name "hw.cpufrequency_max")
(sysctl-name "hw.cpusubtype")
(sysctl-name "hw.cputype")
(sysctl-name "hw.l1dcachesize")
(sysctl-name "hw.l1dcachesize_compat")
(sysctl-name "hw.l1icachesize")
(sysctl-name "hw.l1icachesize_compat")
(sysctl-name "hw.l2cachesize")
(sysctl-name "hw.l2cachesize_compat")
(sysctl-name "hw.l2settings")
(sysctl-name "hw.l3cachesize")
(sysctl-name "hw.l3cachesize_compat")
(sysctl-name "hw.l3settings")
(sysctl-name "hw.logicalcpu")
(sysctl-name "hw.logicalcpu_max")
(sysctl-name "hw.memsize")
(sysctl-name "hw.pagesize")
(sysctl-name "hw.physicalcpu")
(sysctl-name "hw.physicalcpu_max")
(sysctl-name "hw.physmem")
(sysctl-name "hw.tbfrequency")
(sysctl-name "hw.tbfrequency_compat")
(sysctl-name "hw.usermem")
(sysctl-name "hw.vectorunit")
(sysctl-name "kern.boottime")
(sysctl-name "kern.clockrate")
(sysctl-name "kern.development")
(sysctl-name "kern.hostid")
(sysctl-name "kern.hostname")
(sysctl-name "kern.maxproc")
(sysctl-name "kern.maxvnodes")
(sysctl-name-prefix "kern.monotonicclock")
(sysctl-name "kern.monotoniclock_offset_usecs")
(sysctl-name "kern.ngroups")
(sysctl-name "kern.saved_ids")
(sysctl-name "kern.usrstack")
(sysctl-name "kern.usrstack64")
(sysctl-name "kern.version")
(sysctl-name "kern.waketime")
(sysctl-name "security.mac.sandbox.sentinel")
(sysctl-name "sysctl.name2oid")
(sysctl-name "vm.loadavg")
(sysctl-name-prefix "kern.argmax")
(sysctl-name-prefix "kern.proc.pid.")
)
(with-filter (system-attribute apple-internal)
(allow sysctl-read
(sysctl-name "kern.dtrace.dof_mode"))
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend")))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.system.logger"))
;; Needed by WebKit LOG macros and ASL logging.
(allow file-read-metadata network-outbound
(literal "/private/var/run/syslog"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read* (with telemetry)
(ipc-posix-name "apple.shm.notification_center")) ;; Needed by os_log_create
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.distributed_notifications@1v3"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.diagnosticd"))
(logd-diagnostic-client)
(managed-configuration-read-public)
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.ctkd.token-client"))
(deny system-info (with no-report)
(info-type "net.link.addr"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.system.libinfo.muser"))
(allow mach-task-name (target self))
(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.analyticsd"))
;;;
;;; End rules originally copied from 'common.sb'
;;;
(deny mach-lookup (xpc-service-name-prefix ""))
(deny lsopen)
(deny sysctl*)
(allow sysctl-read
(sysctl-name
"hw.activecpu" ;; Needed by JSC engine.
"hw.availcpu"
"hw.ncpu"
"hw.machine" ;; Needed by CFNetwork (CFURLProtocols)
"hw.model" ;; Needed for bundle loading
"hw.pagesize_compat" ;; Needed by bmalloc
"kern.bootargs" ;; Needed for bundle loading
"kern.maxfilesperproc"
"kern.memorystatus_level"
"kern.osproductversion" ;; Needed by CFNetwork (HSTS store and others)
"kern.ostype" ;; Needed by NSURLSession
"kern.osrelease" ;; Ditto.
"kern.osvariant_status" ;; Needed for bundle loading
"kern.osversion" ;; Needed by WebKit and ASL logging.
"kern.secure_kernel" ;; Needed by XPC bundle resolution
"kern.tcsm_available" ;; Needed for IndexedDB support
"vm.footprint_suspend"))
;; Access to client's cache folder & re-vending to CFNetwork.
;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
(allow file-issue-extension (require-all
(extension "com.apple.app-sandbox.read-write")
(extension-class "com.apple.nsurlstorage.extension-cache")))
;; App sandbox extensions
(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
(allow file-read* (extension "com.apple.app-sandbox.read"))
;; FIXME: <rdar://problem/17909681> SSO expects to be able to walk the parent
;; bundle to find Info plists, so we jump through a few hoops here to provide
;; enough access to make it possible.
;; IOKit user clients
(allow iokit-open
(iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
)
;; Various services required by CFNetwork and other frameworks
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.PowerManagement.control"))
(network-client (remote tcp) (remote udp))
;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-subpath-read
"/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
(allow file-read-data
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
;; Security framework
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.ocspd")
(global-name "com.apple.securityd"))
;; PassKit framework
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.passd.in-app-payment")
(global-name "com.apple.passd.library"))
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.FileCoordination")
(global-name "com.apple.dmd.policy")
(global-name "com.apple.siri.context.service")
(global-name "com.apple.ctcategories.service"))
(deny file-write-create
(vnode-type SYMLINK))
;; FIXME should be removed when <rdar://problem/30498072> is fixed.
(allow network*
(local udp)
(remote udp)
(local tcp)
(remote tcp))
;;; <rdar://problem/9876970>
(deny network-outbound
(remote tcp "localhost:62078"))
;; Various services required by system frameworks
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.analyticsd")
(global-name "com.apple.AppSSO.service-xpc"))
;; For reporting progress for active downloads <rdar://problem/44405661>
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.ProgressReporting"))
;; <rdar://problem/47598758>
(allow mach-lookup (with report) (with telemetry)
(global-name "com.apple.nesessionmanager.content-filter"))
;; Various shared memory accesses required by system frameworks
(allow ipc-posix-shm-read-data
(ipc-posix-name "/com.apple.AppSSO.version"))
;; Access to ContainerManager
(allow mach-lookup
(global-name "com.apple.containermanagerd"))
(allow ipc-posix-sem-open
(ipc-posix-name "containermanagerd.fb_check"))
(allow file-read*
(literal "/dev/aes_0")
(literal "/dev/random")
(literal "/dev/urandom"))
;; Access to MobileGestalt
(allow mach-lookup
(global-name "com.apple.mobilegestalt.xpc"))
(allow file-read*
(well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
(allow iokit-get-properties
(iokit-property "IORegistryEntryPropertyKeys"))
;; Needed for TCC.
(allow mach-lookup
(global-name "com.apple.tccd"))