| ; Copyright (C) 2010-2020 Apple Inc. All rights reserved. |
| ; |
| ; Redistribution and use in source and binary forms, with or without |
| ; modification, are permitted provided that the following conditions |
| ; are met: |
| ; 1. Redistributions of source code must retain the above copyright |
| ; notice, this list of conditions and the following disclaimer. |
| ; 2. Redistributions in binary form must reproduce the above copyright |
| ; notice, this list of conditions and the following disclaimer in the |
| ; documentation and/or other materials provided with the distribution. |
| ; |
| ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' |
| ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, |
| ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS |
| ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF |
| ; THE POSSIBILITY OF SUCH DAMAGE. |
| |
| (version 1) |
| (deny default (with partial-symbolication)) |
| (allow system-audit file-read-metadata) |
| |
| ;;; |
| ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can |
| ;;; remove unneeded sandbox extensions. |
| ;;; |
| |
| (import "util.sb") |
| |
| (define-once (allow-read-and-issue-generic-extensions . filters) |
| (allow file-read* |
| (apply require-any filters)) |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.app-sandbox.read") |
| (apply require-any filters)))) |
| |
| (define-once (allow-read-write-and-issue-generic-extensions . filters) |
| (allow file-read* file-write* |
| (apply require-any filters)) |
| (allow file-read-metadata |
| (apply require-any filters)) |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read") |
| (apply require-any filters)))) |
| |
| (define-once (managed-configuration-read-public) |
| (allow file-read* |
| (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") |
| (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo") |
| (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))) |
| |
| (define-once (managed-configuration-read . files) |
| (if (null? files) |
| (allow file-read* |
| (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") |
| (front-user-home-subpath "/Library/ConfigurationProfiles") |
| (front-user-home-subpath "/Library/UserConfigurationProfiles")) |
| (for-each |
| (lambda (file) |
| (allow file-read* |
| (well-known-system-group-container-literal |
| (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file)) |
| (front-user-home-literal |
| (string-append "/Library/ConfigurationProfiles/" file) |
| (string-append "/Library/UserConfigurationProfiles/" file)))) |
| files))) |
| |
| (define-once (allow-preferences-common) |
| (allow file-read-metadata |
| (home-literal "") |
| (home-literal "/Library/Preferences"))) |
| |
| (define-once (mobile-preferences-read . domains) |
| (allow-preferences-common) |
| (allow user-preference-read (apply preference-domain domains))) |
| |
| (define-once (mobile-preferences-read-write . domains) |
| (allow-preferences-common) |
| (allow user-preference-read user-preference-write (apply preference-domain domains))) |
| |
| (define-once (framebuffer-access) |
| (allow iokit-open |
| (iokit-user-client-class "IOMobileFramebufferUserClient")) |
| |
| ; IOMobileFramebuffer |
| (with-filter (iokit-registry-entry-class "IOMobileFramebuffer") |
| (allow iokit-get-properties |
| (iokit-property "AppleTV" |
| "DisplayPipePlaneBaseAlignment" |
| "DisplayPipeStrideRequirements" |
| "PerformanceStatistics" |
| "appleTV-VID0" |
| "appleTV-VID1" |
| "hdcp-hoover-protocol"))) |
| |
| (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily") |
| ) |
| |
| (define-once (asset-access . options) |
| (let ((asset-access-filter |
| (require-all |
| (require-any |
| (home-subpath "/Library/Assets") |
| (subpath "/private/var/MobileAsset")) |
| (extension "com.apple.assets.read")))) |
| ;; <rdar://problem/10710883> |
| ;; <rdar://problem/11569106> |
| (allow file-read* asset-access-filter) |
| (if (memq 'with-media-playback options) |
| (play-media asset-access-filter)) |
| (mobile-preferences-read "com.apple.MobileAsset"))) |
| |
| (define-once (play-media . filters) |
| (if (not (null? filters)) |
| ;; <rdar://problem/9875794> |
| (allow file-issue-extension |
| (require-all |
| (apply require-any filters) |
| (extension-class "com.apple.mediaserverd.read")))) |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.mediaserverd.read") |
| (extension "com.apple.security.exception.files.absolute-path.read-only" |
| "com.apple.security.exception.files.absolute-path.read-write" |
| "com.apple.security.exception.files.home-relative-path.read-only" |
| "com.apple.security.exception.files.home-relative-path.read-write"))) |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.mediaserverd.read-write") |
| (extension "com.apple.security.exception.files.absolute-path.read-write" |
| "com.apple.security.exception.files.home-relative-path.read-write"))) |
| |
| (mobile-preferences-read |
| "com.apple.avfoundation" |
| "com.apple.coreaudio" |
| "com.apple.coremedia" |
| "com.apple.corevideo" |
| "com.apple.itunesstored" ; Needed by MediaPlayer framework |
| "com.apple.mobileipod" ; Ditto |
| "com.apple.audio.virtualaudio" ; <rdar://problem/57170333> |
| ) |
| |
| ;; AVF needs to see these network preferences: |
| (allow file-read* |
| (literal "/private/var/preferences/com.apple.networkd.plist")) |
| |
| ;; Allow mediaserverd to issue file extensions for the purposes of reading media |
| (allow file-issue-extension (require-all |
| (extension "com.apple.app-sandbox.read") |
| (extension-class "com.apple.mediaserverd.read"))) |
| ) |
| |
| (define-once (media-remote) |
| (mobile-preferences-read |
| "com.apple.mediaremote" |
| "com.apple.mobileipod") |
| ) |
| |
| (define-once (media-capture-support) |
| ;; Media capture, microphone access |
| (with-filter (extension "com.apple.webkit.microphone") |
| (allow device-microphone)) |
| |
| ;; Media capture, camera access |
| (with-filter (extension "com.apple.webkit.camera") |
| (allow user-preference-read |
| (preference-domain "com.apple.coremedia")) |
| (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")) |
| (allow mach-lookup (extension "com.apple.app-sandbox.mach")) |
| (allow device-camera)) |
| ) |
| |
| (define-once (accessibility-support) |
| (allow mach-register |
| (local-name "com.apple.iphone.axserver")) |
| (mobile-preferences-read "com.apple.Accessibility") |
| |
| ;; <rdar://problem/10809394> |
| (deny file-write-create |
| (home-prefix "/Library/Preferences/com.apple.Accessibility.plist") |
| (with no-report)) |
| ) |
| |
| (define-once (media-accessibility-support) |
| ;; <rdar://problem/12250145> |
| (mobile-preferences-read "com.apple.mediaaccessibility") |
| (mobile-preferences-read-write "com.apple.mediaaccessibility.public") |
| ) |
| |
| (define-once (url-translation) |
| ;; For translating http:// & https:// URLs referencing itms:// URLs. |
| ;; <rdar://problem/11587338> |
| (allow file-read* |
| (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist"))) |
| |
| ;;; |
| ;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks. |
| ;;; |
| (define-once (opengl) |
| ;; Items not seen in testing |
| (allow iokit-open (with report) (with telemetry) |
| (iokit-connection "IOGPU") |
| (iokit-user-client-class |
| "AGXCommandQueue" |
| "AGXDevice" |
| "AGXSharedUserClient" |
| "IOAccelContext" |
| "IOAccelDevice" |
| "IOAccelSharedUserClient" |
| "IOAccelSubmitter2" |
| "IOAccelContext2" |
| "IOAccelDevice2" |
| "IOAccelSharedUserClient2")) |
| |
| ;; Items with known uses |
| (allow iokit-open |
| (iokit-connection "IOGPU") |
| (iokit-user-client-class |
| "AGXDeviceUserClient" ;; Used by WebGL |
| )) |
| |
| (allow iokit-get-properties |
| (iokit-property "IOGLBundleName") |
| (iokit-property "IOGLESBundleName") |
| (iokit-property "IOGLESDefaultUseMetal") |
| (iokit-property "IOGLESMetalBundleName") |
| (iokit-property "MetalPluginClassName") |
| (iokit-property "MetalPluginName") |
| ) |
| |
| (allow sysctl-read |
| (sysctl-name #"kern.bootsessionuuid")) |
| |
| (allow mach-lookup |
| ;; <rdar://problem/47268166> |
| (xpc-service-name "com.apple.MTLCompilerService")) |
| |
| (mobile-preferences-read |
| "com.apple.Metal" ;; <rdar://problem/25535471> |
| "com.apple.opengl" ;; <rdar://problem/23321675> |
| ) |
| ) |
| |
| (define-once (debugging-support) |
| (allow file-read* file-map-executable |
| (subpath "/Developer")) |
| |
| (allow ipc-posix-shm |
| (ipc-posix-name-regex #"^stack-logs") |
| (ipc-posix-name-regex #"^OA-") |
| (ipc-posix-name-regex #"^/FSM-")) |
| |
| (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink |
| (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$")) |
| |
| (with-filter (system-attribute apple-internal) |
| ;; <rdar://problem/8565035> |
| ;; <rdar://problem/23857452> |
| (allow file-read* file-map-executable |
| (subpath "/AppleInternal") |
| (subpath "/usr/local/lib"))) |
| (with-elevated-precedence |
| (allow file-read* file-map-executable file-issue-extension |
| (front-user-home-subpath "/XcodeBuiltProducts"))) |
| |
| ;; <rdar://problem/8107758> |
| (allow file-read* file-map-executable |
| (subpath "/System/Library/Frameworks") |
| (subpath "/System/Library/PrivateFrameworks")) |
| |
| ;; <rdar://problem/32544921> |
| (mobile-preferences-read "com.apple.hangtracer")) |
| |
| (define-once (device-access) |
| (deny file-read* file-write* |
| (vnode-type BLOCK-DEVICE CHARACTER-DEVICE)) |
| |
| (allow file-read* file-write-data |
| (literal "/dev/null") |
| (literal "/dev/zero")) |
| |
| (allow file-read* file-write-data file-ioctl |
| (literal "/dev/dtracehelper")) |
| |
| (allow file-read* |
| (literal "/dev/random") |
| (literal "/dev/urandom")) |
| ;; <rdar://problem/14215718> |
| (deny file-write-data (with no-report) |
| (literal "/dev/random") |
| (literal "/dev/urandom")) |
| |
| (allow file-read* file-write-data file-ioctl |
| (literal "/dev/aes_0"))) |
| |
| (define-once (logd-diagnostic-paths) |
| (require-any |
| (subpath "/private/var/db/diagnostics") |
| (subpath "/private/var/db/timesync") |
| (subpath "/private/var/db/uuidtext") |
| (subpath "/private/var/userdata/diagnostics"))) |
| (define-once (logd-diagnostic-client) |
| (with-filter |
| (require-all |
| (require-any |
| (require-entitlement "com.apple.private.logging.diagnostic") |
| (require-entitlement "com.apple.diagnosticd.diagnostic")) |
| (extension "com.apple.logd.read-only")) |
| (allow file-read* |
| (logd-diagnostic-paths)))) |
| |
| (define required-etc-files |
| (literal "/private/etc/fstab" |
| "/private/etc/hosts" |
| "/private/etc/group" |
| "/private/etc/passwd" |
| "/private/etc/protocols" |
| "/private/etc/services")) |
| |
| (define-once (speech-synthesis-and-voiceover) |
| ;; Speak Selection & VoiceOver |
| ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on |
| ;; and <rdar://problem/13071747> |
| (mobile-preferences-read |
| "com.apple.SpeakSelection" ; Needed for WebSpeech |
| "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis |
| "com.apple.voiceservices") ; Ditto |
| |
| ;; <rdar://problem/14555119> Access to high quality speech voices |
| ;; Needed for WebSpeech |
| (allow file-read* |
| (home-subpath "/Library/VoiceServices/Assets") |
| (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice")) |
| ) |
| |
| ;; Things required by UIKit |
| (define-once (uikit-requirements) |
| (mobile-preferences-read |
| "com.apple.UIKit" |
| "com.apple.WebUI" |
| "com.apple.airplay" |
| "com.apple.avkit" |
| "com.apple.coreanimation" |
| "com.apple.mt" |
| "com.apple.preferences.sounds") |
| |
| (deny mach-lookup (with telemetry-backtrace) |
| (global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier() |
| ) |
| |
| (allow mach-lookup |
| (global-name "com.apple.CARenderServer")) |
| |
| ; UIKit-required IOKit nodes. |
| (allow iokit-open (with report) (with telemetry) |
| (iokit-user-client-class "AppleJPEGDriverUserClient") |
| (iokit-user-client-class "IOSurfaceSendRight") |
| ) |
| |
| ; WebKit-required IOKit classes |
| (allow iokit-open |
| (iokit-user-client-class "IOSurfaceAcceleratorClient") ;; Media rendering into pixel buffers |
| (iokit-user-client-class "IOSurfaceRootUserClient") ;; Needed by Tiled Grid code. |
| ) |
| |
| ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist. |
| ;; <rdar://problem/13796537> |
| (deny file-write-create |
| (home-prefix "/Library/Preferences/com.apple.UIKit.plist") |
| (with no-report)) |
| ) |
| |
| (define-once (dictionary-support) |
| ; Dictionary Services used by UITextFields. |
| ; <rdar://problem/9386926> |
| (allow-create-directory |
| (home-literal "/Library/Caches/com.apple.DictionaryServices")) |
| |
| ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data |
| (allow file-read* |
| ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari) |
| (subpath "/Library/Dictionaries") |
| (home-subpath "/Library/Dictionaries")) |
| ) |
| |
| (deny file-map-executable) |
| |
| (deny file-write-mount file-write-unmount) |
| |
| (allow file-read-metadata |
| (vnode-type DIRECTORY)) |
| |
| (mobile-preferences-read "com.apple.security") |
| |
| (with-filter (system-attribute apple-internal) |
| (mobile-preferences-read "com.apple.PrototypeTools")) |
| |
| (with-elevated-precedence |
| (allow file-read* |
| (subpath "/usr/lib" |
| "/usr/share" |
| "/private/var/db/timezone")) |
| (allow-read-and-issue-generic-extensions |
| (subpath "/Library/RegionFeatures" |
| "/System/Library")) |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.mediaserverd.read") |
| (subpath "/System/Library"))) |
| (let ((hw-identifying-paths |
| (require-any |
| (literal "/System/Library/Caches/apticket.der") |
| (subpath "/System/Library/Caches/com.apple.kernelcaches") |
| (subpath "/System/Library/Caches/com.apple.factorydata")))) |
| (deny file-issue-extension file-read* hw-identifying-paths)) |
| |
| (allow file-map-executable |
| (subpath "/System/Library") |
| (subpath "/usr/lib")) |
| (allow file-read-metadata |
| (vnode-type SYMLINK)) |
| |
| ;;; <rdar://problem/24144418> |
| (allow file-read* |
| (subpath "/private/var/preferences/Logging")) |
| |
| (mobile-preferences-read "kCFPreferencesAnyApplication") |
| (allow file-read* |
| (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")) |
| |
| (allow file-read* |
| (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")) |
| (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication")) |
| |
| (allow file-read-metadata |
| (home-literal "/Library/Caches/powerlog.launchd")) |
| |
| (allow-read-and-issue-generic-extensions (executable-bundle)) |
| (allow file-map-executable (executable-bundle)) |
| |
| ;; <rdar://problem/13963294> |
| (deny file-read-data file-issue-extension file-map-executable |
| (require-all |
| (executable-bundle) |
| (regex #"/[^/]+/SC_Info/"))) |
| |
| (unless (defined? 'restrictive-extension) |
| (with-filter |
| (extension |
| "com.apple.app-sandbox.read" |
| "com.apple.app-sandbox.read-write" |
| "com.apple.quicklook.readonly" |
| "com.apple.security.exception.files.absolute-path.read-only" |
| "com.apple.security.exception.files.absolute-path.read-write" |
| "com.apple.security.exception.files.home-relative-path.read-only" |
| "com.apple.security.exception.files.home-relative-path.read-write" |
| "com.apple.sharing.airdrop.readonly") |
| (allow file-read* file-read-metadata) |
| (allow file-issue-extension |
| (extension-class "com.apple.app-sandbox.read" |
| "com.apple.mediaserverd.read" |
| "com.apple.quicklook.readonly" |
| "com.apple.sharing.airdrop.readonly"))) |
| (with-filter |
| (extension |
| "com.apple.app-sandbox.read-write" |
| "com.apple.security.exception.files.absolute-path.read-write" |
| "com.apple.security.exception.files.home-relative-path.read-write") |
| (allow file-write*) |
| (allow file-issue-extension |
| (extension-class "com.apple.app-sandbox.read-write" |
| "com.apple.mediaserverd.read-write")))) |
| |
| ;; <rdar://problem/16079361> |
| (with-filter (global-name-prefix "") |
| (allow mach-register |
| (extension "com.apple.security.exception.mach-register.global-name"))) |
| (with-filter (local-name-prefix "") |
| (allow mach-register |
| (extension "com.apple.security.exception.mach-register.local-name"))) |
| (allow-read-and-issue-generic-extensions |
| (extension "com.apple.security.exception.files.absolute-path.read-only") |
| (extension "com.apple.security.exception.files.home-relative-path.read-only")) |
| (allow-read-write-and-issue-generic-extensions |
| (extension "com.apple.security.exception.files.absolute-path.read-write") |
| (extension "com.apple.security.exception.files.home-relative-path.read-write")) |
| (allow iokit-open |
| (extension "com.apple.security.exception.iokit-user-client-class")) |
| (allow managed-preference-read |
| (extension "com.apple.security.exception.managed-preference.read-only")) |
| (allow user-preference-read |
| (extension "com.apple.security.exception.shared-preference.read-only")) |
| (allow user-preference-read user-preference-write |
| (extension "com.apple.security.exception.shared-preference.read-write")) |
| |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.nsurlstorage.extension-cache") |
| (extension "com.apple.security.exception.files.home-relative-path.read-write") |
| (require-any |
| (prefix "/private/var/root/Library/Caches/") |
| (front-user-home-prefix "/Library/Caches/")))) |
| ) |
| |
| (debugging-support) |
| |
| (allow file-read* |
| required-etc-files |
| (literal "/")) |
| |
| (allow file-read* |
| (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs")) |
| |
| (device-access) |
| |
| (allow file-issue-extension |
| (require-all |
| (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read") |
| (extension "com.apple.fileprovider.read-write"))) |
| |
| (allow mach-lookup |
| (global-name "com.apple.logd") |
| (global-name "com.apple.logd.events") |
| ) |
| |
| (deny mach-lookup (with telemetry-backtrace) |
| (global-name "com.apple.distributed_notifications@1v3")) |
| |
| (allow ipc-posix-shm-read* |
| (ipc-posix-name-prefix "apple.cfprefs.")) |
| |
| (deny mach-lookup (with telemetry-backtrace) |
| (global-name "com.apple.lsd.mapdb")) |
| |
| ;; <rdar://problem/12413942> |
| (allow file-read* |
| (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist")) |
| (allow iokit-get-properties |
| (iokit-property "IORegistryEntryPropertyKeys")) |
| |
| (allow ipc-posix-sem-open |
| (ipc-posix-name "containermanagerd.fb_check")) |
| |
| (with-filter (ipc-posix-name "purplebuddy.sentinel") |
| (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait) |
| (allow ipc-posix-sem-open)) |
| |
| (allow mach-lookup (with telemetry) |
| (global-name "com.apple.runningboard") ;; Needed by process assertion code (ProcessTaskStateObserver). |
| ) |
| |
| (allow system-sched |
| (require-entitlement "com.apple.private.kernel.override-cpumon")) |
| |
| (deny sysctl-read (with no-report) |
| (sysctl-name "sysctl.proc_native")) |
| |
| (with-filter (system-attribute apple-internal) |
| (allow sysctl-read sysctl-write |
| (sysctl-name "vm.footprint_suspend"))) |
| |
| (allow file-read-metadata network-outbound |
| (literal "/private/var/run/syslog")) |
| |
| (allow mach-lookup |
| (global-name "com.apple.system.notification_center")) |
| (allow ipc-posix-shm-read* |
| (ipc-posix-name "apple.shm.notification_center")) |
| |
| (logd-diagnostic-client) |
| |
| (managed-configuration-read-public) |
| |
| (deny system-info (with no-report) |
| (info-type "net.link.addr")) |
| |
| (allow file-read* |
| (subpath "/private/var/db/datadetectors/sys")) |
| |
| (allow-well-known-system-group-container-subpath-read |
| "/systemgroup.com.apple.icloud.findmydevice.managed/Library") |
| |
| (allow mach-task-name (target self)) |
| |
| (allow process-info-pidinfo (target self)) |
| (allow process-info-pidfdinfo (target self)) |
| (allow process-info-pidfileportinfo (target self)) |
| (allow process-info-setcontrol (target self)) |
| (allow process-info-dirtycontrol (target self)) |
| (allow process-info-rusage (target self)) |
| (allow process-info-codesignature (target self)) |
| |
| ;;; |
| ;;; End common.sb content |
| ;;; |
| |
| (deny mach-lookup (xpc-service-name-prefix "")) |
| (deny iokit-get-properties (with partial-symbolication)) |
| (deny lsopen) |
| |
| ;;; |
| ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can |
| ;;; remove unneeded sandbox extensions. |
| ;;; |
| |
| ;; Any app can play audio & movies. |
| (play-media) |
| |
| ;; Access to media controls |
| (media-remote) |
| |
| (url-translation) |
| |
| (mobile-preferences-read "com.apple.da") |
| |
| (speech-synthesis-and-voiceover) |
| |
| ;; Permit reading assets via MobileAsset framework. |
| (asset-access 'with-media-playback) |
| |
| ;; FIXME(209309): Remove this telemetry once we have confirmed there are no more lookups. |
| (deny mach-lookup (with telemetry-backtrace) |
| (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2")) |
| |
| ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache |
| (allow-well-known-system-group-container-literal-read |
| "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin") |
| |
| ;; Access the keyboards |
| (allow file-read* |
| (home-subpath "/Library/Caches/com.apple.keyboards")) |
| |
| (mobile-preferences-read |
| "com.apple.EmojiPreferences" |
| ; <rdar://problem/8477596> com.apple.InputModePreferences |
| "com.apple.InputModePreferences" |
| ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist |
| "com.apple.keyboard" |
| ; <rdar://problem/9384085> |
| "com.apple.Preferences" |
| "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support |
| ) |
| |
| ;; Silently deny unnecessary accesses caused by MessageUI framework. |
| ;; This can be removed once <rdar://problem/47038102> is resolved. |
| (deny file-read* |
| (home-literal "/Library/Preferences/com.apple.mobilemail.plist") |
| (with no-log)) |
| |
| ;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps |
| (allow file-read* |
| (home-subpath "/Library/Fonts")) |
| |
| ;; <rdar://problem/7344719&26323449> LaunchServices app icons |
| (allow file-read* |
| (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache")) |
| (deny mach-lookup (with telemetry-backtrace) |
| (xpc-service-name "com.apple.iconservices") |
| (global-name "com.apple.iconservices")) |
| |
| (allow-preferences-common) |
| |
| ;; Home Button |
| (with-filter (iokit-registry-entry-class "IOPlatformDevice") |
| (allow iokit-get-properties |
| (iokit-property "home-button-type"))) |
| |
| (uikit-requirements) |
| |
| ;; <rdar://problem/9404009> |
| (mobile-preferences-read "kCFPreferencesAnyApplication") |
| |
| (dictionary-support) |
| |
| ; <rdar://problem/8440231> |
| (allow file-read* |
| (home-literal "/Library/Caches/DateFormats.plist")) |
| ; Silently deny writes when CFData attempts to write to the cache directory. |
| (deny file-write* |
| (home-literal "/Library/Caches/DateFormats.plist") |
| (with no-log)) |
| |
| (framebuffer-access) |
| |
| ; <rdar://problem/7595408> , <rdar://problem/7643881> |
| (opengl) |
| |
| ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist |
| ; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is |
| ; allowed to write its plist; ignore all others, they don't know what they are doing. |
| ; See <rdar://problem/9375027> for sample backtraces. |
| (deny file-write* |
| (home-prefix "/Library/Preferences/com.apple.springboard.plist") |
| (with no-log)) |
| |
| ;; <rdar://problem/34986314> |
| (mobile-preferences-read "com.apple.indigo") |
| |
| ;;; |
| ;;; End UIKit-apps.sb content |
| ;;; |
| |
| (deny sysctl*) |
| (allow sysctl-read |
| (sysctl-name |
| "hw.activecpu" ;; Needed by JSC engine. |
| "hw.availcpu" |
| "hw.cachelinesize" |
| "hw.cpufamily" ;; <rdar://problem/58416475> |
| "hw.cputype" |
| "hw.l2cachesize" |
| "hw.logicalcpu" |
| "hw.logicalcpu_max" |
| "hw.ncpu" |
| "hw.machine" |
| "hw.memsize" |
| "hw.model" |
| "hw.pagesize_compat" |
| "hw.physicalcpu" |
| "hw.physicalcpu_max" |
| "kern.bootargs" |
| "kern.hostname" |
| "kern.memorystatus_level" |
| "kern.osproductversion" |
| "kern.osrelease" |
| "kern.ostype" |
| "kern.osvariant_status" |
| "kern.secure_kernel" ;; Needed by XPC bundle resolution |
| "kern.version" |
| "sysctl.name2oid" |
| "vm.footprint_suspend") |
| (sysctl-name-regex #"^net.routetable") ;; <rdar://problem/57665153> |
| ) |
| |
| (allow iokit-get-properties |
| (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)") |
| (iokit-property "APTDevice") |
| (iokit-property "AVCSupported") |
| (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))") |
| (iokit-property "BaseAddressAlignmentRequirement") |
| (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)") |
| (iokit-property "HEVCSupported") |
| (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)") |
| (iokit-property "IOClassNameOverride") |
| (iokit-property "IOPlatformUUID") |
| (iokit-property "IOSurfaceAcceleratorCapabilitiesDict") |
| (iokit-property "LGHSupported") |
| (iokit-property "Protocol Characteristics") |
| (iokit-property "als-colorCfg") ;; <rdar://problem/52903475> |
| (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720> |
| (iokit-property "artwork-device-subtype") |
| (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788> |
| (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720> |
| (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788> |
| (iokit-property-regex #"(canvas-height|canvas-width)") |
| (iokit-property "chip-id") ;; <rdar://problem/52903477> |
| (iokit-property "class-code") |
| (iokit-property "color-accuracy-index") |
| (iokit-property "compatible") ;; <rdar://problem/47523516> |
| (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720> |
| (iokit-property "device-colors") ;; <rdar://problem/51322072> |
| (iokit-property "device-id") |
| (iokit-property "device-perf-memory-class") |
| (iokit-property "dfr") |
| (iokit-property "display-corner-radius") ;; <rdar://problem/50602737> |
| (iokit-property "emu") |
| (iokit-property "external") |
| (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720> |
| (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072> |
| (iokit-property "hdcp-hoover-protocol") |
| (iokit-property "iommu-present") |
| (iokit-property "oled-display") ;; <rdar://problem/51322072> |
| (iokit-property "product-description") ;; <rdar://problem/49497788> |
| (iokit-property "product-id") |
| (iokit-property "region-info") ;; <rdar://problem/52903475> |
| (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475> |
| (iokit-property "soc-generation") ;; <rdar://problem/52903476> |
| (iokit-property "software-behavior") |
| (iokit-property "vendor-id") |
| (iokit-property "udid-version") ;; <rdar://problem/52903475> |
| (iokit-property "ui-pip") ;; <rdar://problem/48867037> |
| ) |
| |
| ;; Read-only preferences and data |
| (mobile-preferences-read |
| "com.apple.LaunchServices" |
| "com.apple.WebFoundation" |
| "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029> |
| "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568> |
| "com.apple.voiceservices.logging") |
| |
| ;; Sandbox extensions |
| (define (apply-read-and-issue-extension op path-filter) |
| (op file-read* path-filter) |
| (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter))) |
| (define (apply-write-and-issue-extension op path-filter) |
| (op file-write* path-filter) |
| (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter))) |
| (define (read-only-and-issue-extensions path-filter) |
| (apply-read-and-issue-extension allow path-filter)) |
| (define (read-write-and-issue-extensions path-filter) |
| (apply-read-and-issue-extension allow path-filter) |
| (apply-write-and-issue-extension allow path-filter)) |
| (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read")) |
| (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write")) |
| |
| ;; Access to client's cache folder & re-vending to CFNetwork. |
| (allow file-issue-extension (require-all |
| (extension "com.apple.app-sandbox.read-write") |
| (extension-class "com.apple.nsurlstorage.extension-cache"))) |
| |
| (accessibility-support) |
| |
| (media-accessibility-support) |
| |
| (deny mach-lookup (with telemetry-backtrace) |
| (global-name "com.apple.PowerManagement.control")) |
| |
| (deny file-write-create (vnode-type SYMLINK)) |
| (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\.")) |
| |
| ;; Allow loading injected bundles. |
| (allow file-map-executable) |
| |
| ;; Allow ManagedPreference access |
| (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist")) |
| |
| (allow file-read-data |
| (literal "/usr/local/lib/log") ; <rdar://problem/36629495> |
| ) |
| |
| ;; <rdar://problem/60983812> |
| (deny file-write* |
| (home-subpath "/Library/Preferences/") |
| (with no-log)) |
| |
| (allow mach-lookup |
| (require-all |
| (extension "com.apple.webkit.extension.mach") |
| (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI" "com.apple.diagnosticd" "com.apple.lsd.open" "com.apple.mobileassetd" "com.apple.mobileassetd.v2" "com.apple.frontboard.systemappservices" "com.apple.iconservices" "com.apple.webinspector" "com.apple.PowerManagement.control" "com.apple.cfprefsd.daemon" "com.apple.lsd.mapdb" |
| |
| ;;; FIXME(207716): The following should be removed when the GPU process is complete |
| "com.apple.airplay.apsynccontroller.xpc" "com.apple.audio.AURemoteIOServer" "com.apple.audio.AudioComponentRegistrar" |
| "com.apple.audio.AudioComponentRegistrar" "com.apple.audio.AudioSession" "com.apple.coremedia.admin" "com.apple.coremedia.asset.xpc" |
| "com.apple.coremedia.assetimagegenerator.xpc" "com.apple.coremedia.audiodeviceclock.xpc" "com.apple.coremedia.audioprocessingtap.xpc" |
| "com.apple.coremedia.capturesession" "com.apple.coremedia.capturesource" "com.apple.coremedia.compressionsession" "com.apple.coremedia.cpe.xpc" |
| "com.apple.coremedia.cpeprotector.xpc" "com.apple.coremedia.customurlloader.xpc" "com.apple.coremedia.decompressionsession" |
| "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.figcontentkeysession.xpc" "com.apple.coremedia.figcpecryptor" |
| "com.apple.coremedia.formatreader.xpc" "com.apple.coremedia.player.xpc" "com.apple.coremedia.remaker" "com.apple.coremedia.remotequeue" |
| "com.apple.coremedia.routediscoverer.xpc" "com.apple.coremedia.routingcontext.xpc" "com.apple.coremedia.routingsessionmanager.xpc" |
| "com.apple.coremedia.samplebufferaudiorenderer.xpc" "com.apple.coremedia.samplebufferrendersynchronizer.xpc" "com.apple.coremedia.sandboxserver.xpc" |
| "com.apple.coremedia.sts" "com.apple.coremedia.systemcontroller.xpc" "com.apple.coremedia.videoqueue" "com.apple.coremedia.volumecontroller.xpc" |
| "com.apple.coremedia.visualcontext.xpc" "com.apple.mediaremoted.xpc" |
| ;;; FIXME(207716): End services to remove. |
| ))) |
| |
| (allow mach-lookup |
| (require-all |
| (extension "com.apple.webkit.extension.mach") |
| (xpc-service-name |
| ;;; FIXME(207716): The following should be removed when the GPU process is complete |
| "com.apple.MediaPlayer.RemotePlayerService" |
| "com.apple.accessibility.mediaaccessibilityd" |
| "com.apple.audio.toolbox.reporting.service" |
| ;;; FIXME(207716): End services to remove. |
| ) |
| ) |
| ) |
| |
| (allow mach-lookup |
| (require-all |
| (extension "com.apple.webkit.extension.mach") |
| (xpc-service-name-prefix "com.apple.AGXCompilerService"))) |
| |
| (media-capture-support) |
| |
| ;; These services have been identified as unused during living-on. |
| ;; This list overrides some definitions above and in common.sb. |
| ;; FIXME: remove overridden rules once the final list has been |
| ;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840 |
| (deny mach-lookup |
| (global-name "com.apple.webkit.camera") |
| ) |
| |
| (when (defined? 'syscall-unix) |
| (deny syscall-unix (with send-signal SIGKILL)) |
| (allow syscall-unix |
| (syscall-number SYS_exit) |
| (syscall-number SYS_read) |
| (syscall-number SYS_write) |
| (syscall-number SYS_open) |
| (syscall-number SYS_close) |
| (syscall-number SYS_unlink) |
| (syscall-number SYS_chmod) |
| (syscall-number SYS_getuid) |
| (syscall-number SYS_geteuid) |
| (syscall-number SYS_recvfrom) |
| (syscall-number SYS_getpeername) |
| (syscall-number SYS_access) |
| (syscall-number SYS_dup) |
| (syscall-number SYS_pipe) |
| (syscall-number SYS_getegid) |
| (syscall-number SYS_getgid) |
| (syscall-number SYS_sigprocmask) |
| (syscall-number SYS_sigaltstack) |
| (syscall-number SYS_ioctl) |
| (syscall-number SYS_readlink) |
| (syscall-number SYS_umask) |
| (syscall-number SYS_msync) |
| (syscall-number SYS_munmap) |
| (syscall-number SYS_mprotect) |
| (syscall-number SYS_madvise) |
| (syscall-number SYS_fcntl) |
| (syscall-number SYS_select) |
| (syscall-number SYS_fsync) |
| (syscall-number SYS_setpriority) |
| (syscall-number SYS_socket) |
| (syscall-number SYS_connect) |
| (syscall-number SYS_setsockopt) |
| (syscall-number SYS_gettimeofday) |
| (syscall-number SYS_getrusage) |
| (syscall-number SYS_getsockopt) |
| (syscall-number SYS_writev) |
| (syscall-number SYS_fchmod) |
| (syscall-number SYS_rename) |
| (syscall-number SYS_flock) |
| (syscall-number SYS_sendto) |
| (syscall-number SYS_shutdown) |
| (syscall-number SYS_socketpair) |
| (syscall-number SYS_mkdir) |
| (syscall-number SYS_rmdir) |
| (syscall-number SYS_pread) |
| (syscall-number SYS_pwrite) |
| (syscall-number SYS_csops) |
| (syscall-number SYS_csops_audittoken) |
| (syscall-number SYS_kdebug_trace64) |
| (syscall-number SYS_kdebug_trace) |
| (syscall-number SYS_sigreturn) |
| (syscall-number SYS_pathconf) |
| (syscall-number SYS_getrlimit) |
| (syscall-number SYS_setrlimit) |
| (syscall-number SYS_mmap) |
| (syscall-number SYS_lseek) |
| (syscall-number SYS_ftruncate) |
| (syscall-number SYS_sysctl) |
| (syscall-number SYS_mlock) |
| (syscall-number SYS_munlock) |
| (syscall-number SYS_getattrlist) |
| (syscall-number SYS_getxattr) |
| (syscall-number SYS_fgetxattr) |
| (syscall-number SYS_listxattr) |
| (syscall-number SYS_shm_open) |
| (syscall-number SYS_sem_wait) |
| (syscall-number SYS_sem_post) |
| (syscall-number SYS_sysctlbyname) |
| (syscall-number SYS_psynch_mutexwait) |
| (syscall-number SYS_psynch_mutexdrop) |
| (syscall-number SYS_psynch_cvbroad) |
| (syscall-number SYS_psynch_cvsignal) |
| (syscall-number SYS_psynch_cvwait) |
| (syscall-number SYS_psynch_rw_wrlock) |
| (syscall-number SYS_psynch_rw_unlock) |
| (syscall-number SYS_psynch_cvclrprepost) |
| (syscall-number SYS_process_policy) |
| (syscall-number SYS_issetugid) |
| (syscall-number SYS___pthread_kill) |
| (syscall-number SYS___pthread_markcancel) |
| (syscall-number SYS___pthread_sigmask) |
| (syscall-number SYS___disable_threadsignal) |
| (syscall-number SYS___semwait_signal) |
| (syscall-number SYS_proc_info) |
| (syscall-number SYS_stat64) |
| (syscall-number SYS_fstat64) |
| (syscall-number SYS_lstat64) |
| (syscall-number SYS_getdirentries64) |
| (syscall-number SYS_statfs64) |
| (syscall-number SYS_fstatfs64) |
| (syscall-number SYS_getfsstat64) |
| (syscall-number SYS_getaudit_addr) |
| (syscall-number SYS_bsdthread_create) |
| (syscall-number SYS_bsdthread_terminate) |
| (syscall-number SYS_workq_kernreturn) |
| (syscall-number SYS_thread_selfid) |
| (syscall-number SYS_kevent_qos) |
| (syscall-number SYS_kevent_id) |
| (syscall-number SYS___mac_syscall) |
| (syscall-number SYS_read_nocancel) |
| (syscall-number SYS_write_nocancel) |
| (syscall-number SYS_open_nocancel) |
| (syscall-number SYS_close_nocancel) |
| (syscall-number SYS_sendmsg_nocancel) |
| (syscall-number SYS_recvfrom_nocancel) |
| (syscall-number SYS_fcntl_nocancel) |
| (syscall-number SYS_select_nocancel) |
| (syscall-number SYS_connect_nocancel) |
| (syscall-number SYS_sendto_nocancel) |
| (syscall-number SYS_fsgetpath) |
| (syscall-number SYS_fileport_makeport) |
| (syscall-number SYS_guarded_open_np) |
| (syscall-number SYS_guarded_close_np) |
| (syscall-number SYS_change_fdguard_np) |
| (syscall-number SYS_proc_rlimit_control) |
| (syscall-number SYS_connectx) |
| (syscall-number SYS_getattrlistbulk) |
| (syscall-number SYS_openat) |
| (syscall-number SYS_openat_nocancel) |
| (syscall-number SYS_fstatat64) |
| (syscall-number SYS_mkdirat) |
| (syscall-number SYS_bsdthread_ctl) |
| (syscall-number SYS_csrctl) |
| (syscall-number SYS_guarded_pwrite_np) |
| (syscall-number SYS_getentropy) |
| (syscall-number SYS_necp_open) |
| (syscall-number SYS_necp_client_action) |
| (syscall-number SYS_ulock_wait) |
| (syscall-number SYS_ulock_wake) |
| (syscall-number SYS_kdebug_typefilter) |
| (syscall-number SYS_shared_region_check_np) |
| (syscall-number SYS_getpid) |
| (syscall-number SYS_bsdthread_register) |
| (syscall-number SYS_sigaction) |
| (syscall-number SYS_gettid) |
| (syscall-number SYS_workq_open) |
| (syscall-number SYS_chdir) |
| (syscall-number SYS_memorystatus_control) |
| (syscall-number SYS_sem_open) |
| (syscall-number SYS_sem_close) |
| (syscall-number SYS_fsetattrlist) |
| (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729> |
| (syscall-number SYS_mremap_encrypted) |
| (syscall-number SYS_dup2) |
| (syscall-number SYS_fileport_makefd) |
| (syscall-number SYS_os_fault_with_payload) |
| (syscall-number SYS_persona) |
| (syscall-number SYS_work_interval_ctl) |
| (syscall-number SYS_open_dprotected_np) |
| (syscall-number SYS_pread_nocancel) |
| (syscall-number SYS___semwait_signal_nocancel) |
| (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>. |
| (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257> |
| (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964> |
| (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271> |
| (syscall-number SYS_kqueue) ;; <rdar://problem/49609201> |
| (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499> |
| (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351> |
| (syscall-number SYS_faccessat) ;; <rdar://problem/56998930> |
| (syscall-number SYS_objc_bp_assist_cfg_np) ;; <rdar://problem/55924791> |
| (syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880> |
| (syscall-number SYS_ulock_wait2) ;; <rdar://problem/58743778> |
| ) |
| ) |
| |
| (when (defined? 'mach-bootstrap) |
| (allow mach-bootstrap |
| (apply-message-filter |
| (allow xpc-message-send (with report) (with telemetry)) |
| (allow xpc-message-send (message-number 206)) |
| (allow xpc-message-send (message-number 207)) |
| (allow xpc-message-send (message-number 711)) |
| (allow xpc-message-send (message-number 712)) |
| (allow xpc-message-send (message-number 718)) |
| (allow xpc-message-send (message-number 800)) |
| (allow xpc-message-send (message-number 803)) |
| (allow xpc-message-send (message-number 804)) |
| (allow xpc-message-send (message-number 805)) |
| ) |
| ) |
| ) |
| |
| (when (defined? 'syscall-mach) |
| (allow syscall-mach (with report) (with telemetry)) |
| (allow syscall-mach |
| (machtrap-number MSC__kernelrpc_mach_port_allocate_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_construct_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_deallocate_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_destruct_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_extract_member_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_get_attributes_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_guard_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_insert_member_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_insert_right_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_mod_refs_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_request_notification_trap) |
| (machtrap-number MSC__kernelrpc_mach_port_type_trap) |
| (machtrap-number MSC__kernelrpc_mach_vm_allocate_trap) |
| (machtrap-number MSC__kernelrpc_mach_vm_deallocate_trap) |
| (machtrap-number MSC__kernelrpc_mach_vm_map_trap) |
| (machtrap-number MSC__kernelrpc_mach_vm_protect_trap) |
| (machtrap-number MSC__kernelrpc_mach_vm_purgable_control_trap) |
| (machtrap-number MSC_host_create_mach_voucher_trap) |
| (machtrap-number MSC_host_self_trap) |
| (machtrap-number MSC_mach_generate_activity_id) |
| (machtrap-number MSC_mach_msg_trap) |
| (machtrap-number MSC_mach_reply_port) |
| (machtrap-number MSC_mach_voucher_extract_attr_recipe_trap) |
| (machtrap-number MSC_mk_timer_arm) |
| (machtrap-number MSC_mk_timer_arm_leeway) |
| (machtrap-number MSC_mk_timer_cancel) |
| (machtrap-number MSC_mk_timer_create) |
| (machtrap-number MSC_mk_timer_destroy) |
| (machtrap-number MSC_pid_for_task) |
| (machtrap-number MSC_semaphore_signal_trap) |
| (machtrap-number MSC_semaphore_timedwait_trap) |
| (machtrap-number MSC_semaphore_wait_trap) |
| (machtrap-number MSC_swtch_pri) |
| (machtrap-number MSC_thread_get_special_reply_port) |
| (machtrap-number MSC_thread_self_trap) |
| ) |
| ) |
| |
| (when (defined? 'mach-kernel-endpoint) |
| (allow mach-kernel-endpoint |
| (apply-message-filter |
| (allow mach-message-send (with report) (with telemetry)) |
| ) |
| ) |
| ) |
| |
| (when (defined? 'iokit-external-method) |
| (allow iokit-open |
| (apply-message-filter (with report) (with telemetry) |
| (allow |
| iokit-external-method |
| iokit-async-external-method |
| iokit-external-trap) |
| ) |
| ) |
| ) |
