; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
;; Profile language version.
(version 1)
;; Default-deny: every operation that is not explicitly allowed further down is refused.
;; (The `with partial-symbolication` modifier only affects how the denial is reported — semantics not confirmed here.)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)
;; Refuse every XPC service lookup up front (empty prefix matches all names); the services a
;; WebContent process actually needs are re-enabled individually, by name or regex, below.
(deny mach-lookup (xpc-service-name-prefix ""))
;; Shared rules come from common.sb; its contents are not visible in this file.
(import "common.sb")
;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
(allow mach-lookup
(global-name "com.apple.TextInput.preferences"))
(allow mach-lookup
(xpc-service-name "com.apple.siri.context.service"))
(allow mach-lookup
(global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
;; Anchored at the start only: every service name under the com.apple.uikit.viewservice. prefix matches.
(global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))
;; Any app could use ubiquity.
(ubiquity-client)
;; Any app can play audio & movies.
(play-audio)
(play-media)
(url-translation)
;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
(allow mach-lookup
(global-name "com.apple.UIKit.KeyboardManagement")
(global-name "com.apple.UIKit.KeyboardManagement.hosted"))
;; TextInput framework
(allow mach-lookup
(global-name "com.apple.TextInput")
(global-name "com.apple.TextInput.emoji")
(global-name "com.apple.TextInput.image-cache-server")
(global-name "com.apple.TextInput.lexicon-server")
(global-name "com.apple.TextInput.rdt")
(global-name "com.apple.TextInput.shortcuts"))
(mobile-preferences-read "com.apple.da")
;; Various Accessibility services.
(allow mach-lookup
(xpc-service-name "com.apple.accessibility.AccessibilityUIServer")) ; Needed for Zoom focus updates
;; ZoomTouch
;; <rdar://problem/11823957>
(allow mach-lookup
(global-name "com.apple.accessibility.AXBackBoardServer"))
;; Speak Selection & VoiceOver
;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
;; and <rdar://problem/13071747>
(mobile-preferences-read
"com.apple.SpeakSelection") ; Needed for WebSpeech
(allow mach-lookup
(global-name "com.apple.audio.AudioComponentPrefs")
(global-name "com.apple.audio.AudioComponentRegistrar")
(global-name "com.apple.audio.AudioQueueServer"))
;; This is a register (publish) rule, not a lookup: the process itself offers this local name.
(allow mach-register
(local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility
;; <rdar://problem/14555119> Access to high quality speech voices
;; Needed for WebSpeech
;; Read-only; home-subpath filters are relative to the process's home directory.
(allow file-read*
(home-subpath "/Library/VoiceServices/Assets")
(home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
;; HearingAidSupport
(allow mach-lookup
(xpc-service-name "com.apple.accessibility.heard"))
;; MediaAccessibility (captions)
;; <rdar://problem/12801477>
(mobile-preferences-read "com.apple.mediaaccessibility")
(allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))
;; Permit reading assets via MobileAsset framework.
(asset-access 'with-media-playback)
;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
;; Helper defined outside this file; the literal path is the only thing it is given.
(allow-well-known-system-group-container-literal-read
"/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
;; Access the keyboards
(allow file-read*
(home-subpath "/Library/Caches/com.apple.keyboards"))
;; NSExtension helper for supplying information not provided by PlugInKit
(allow mach-lookup
(xpc-service-name "com.apple.uifoundation-bundle-helper"))
;; <rdar://problem/19525887>
;; Suffix-only match: any XPC service whose name ends in .apple-extension-service is reachable.
(allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
;; <rdar://problem/31252371>
;; Suffix-only match: any XPC service whose name ends in .viewservice is reachable.
(allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))
;; Power logging
(allow mach-lookup
(global-name "com.apple.powerlog.plxpclogger.xpc")) ;; <rdar://problem/36442803>
(mobile-preferences-read
"com.apple.EmojiPreferences"
; <rdar://problem/8477596> com.apple.InputModePreferences
"com.apple.InputModePreferences"
; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
"com.apple.keyboard"
; <rdar://problem/9384085>
"com.apple.Preferences"
"com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)
;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
(home-subpath "/Library/Fonts"))
;; <rdar://problem/7344719&26323449> LaunchServices app icons
(allow file-read*
(well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow mach-lookup
(xpc-service-name "com.apple.lsdiconservice"))
;; Common mach services needed by UIKit.
;; Each entry is an exact global-name match; no regexes in this list.
(allow mach-lookup
(global-name "com.apple.CARenderServer")
(global-name "com.apple.KeyboardServices.TextReplacementService")
(global-name "com.apple.assertiond.applicationstateconnection")
(global-name "com.apple.assertiond.expiration")
(global-name "com.apple.assertiond.processinfoservice")
(global-name "com.apple.audio.SystemSoundServer-iOS")
(global-name "com.apple.backboard.TouchDeliveryPolicyServer")
(global-name "com.apple.backboard.animation-fence-arbiter")
(global-name "com.apple.backboard.display.services")
(global-name "com.apple.backboard.hid.focus")
(global-name "com.apple.backboard.hid.services")
(global-name "com.apple.iohideventsystem")
(global-name "com.apple.iphone.axserver-systemwide")
(global-name "com.apple.frontboard.workspace")
(global-name "com.apple.frontboard.systemappservices"))
(allow-preferences-common)
;; CoreMotion
(mobile-preferences-read "com.apple.CoreMotion")
;; CoreMotion’s deviceMotion API
;; IOKit property reads below are scoped by with-filter to specific registry entry classes,
;; so the property names are only readable on those objects.
(with-filter
(require-any
(iokit-registry-entry-class "AppleOscarNub")
(iokit-registry-entry-class "AppleSPUHIDInterface"))
(allow iokit-get-properties
(iokit-property "gyro-interrupt-calibration")))
(with-filter
(iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
(allow iokit-open)
;; The only iokit-set-properties grant visible in this profile; it is limited to the four names listed.
(allow iokit-get-properties iokit-set-properties
(iokit-property "interval"
"mode"
"QueueSize"
"useMag"))
(allow iokit-get-properties
(iokit-property "client")))
;; Home Button
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
(allow iokit-get-properties
(iokit-property "home-button-type")))
;; Common preferences read by UIKit.
(mobile-preferences-read "com.apple.Accessibility"
"com.apple.UIKit"
"com.apple.WebUI"
"com.apple.airplay"
"com.apple.avkit"
"com.apple.coreanimation"
"com.apple.mt"
"com.apple.preferences.sounds")
;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
;; <rdar://problem/13796537>
;; `with no-report` keeps the operation denied but suppresses the violation report for it.
(deny file-write-create
(home-prefix "/Library/Preferences/com.apple.UIKit.plist")
(with no-report))
;; <rdar://problem/10809394>
(deny file-write-create
(home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
(with no-report))
;; <rdar://problem/9404009>
(mobile-preferences-read "kCFPreferencesAnyApplication")
;; <rdar://problem/10266866>
(marco-logging-client)
;; <rdar://problem/12250145>
(mobile-preferences-read "com.apple.mediaaccessibility")
; Dictionary Services used by UITextFields.
; <rdar://problem/9386926>
(allow-create-directory
(home-literal "/Library/Caches/com.apple.DictionaryServices"))
; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
(allow file-read*
; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
; Note the first filter is an absolute system path (subpath), the second is home-relative.
(subpath "/Library/Dictionaries")
(home-subpath "/Library/Dictionaries"))
; <rdar://problem/8440231>
(allow file-read*
(home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
; `with no-log`: still denied, just not logged.
(deny file-write*
(home-literal "/Library/Caches/DateFormats.plist")
(with no-log))
; UIKit-required IOKit nodes.
; iokit-open is restricted to the user-client classes named here.
(allow iokit-open
(iokit-user-client-class "AppleJPEGDriverUserClient")
(iokit-user-client-class "IOSurfaceAcceleratorClient")
(iokit-user-client-class "IOSurfaceSendRight")
;; Required by UIView -> UITextMagnifierRenderer -> UIWindow
(iokit-user-client-class "IOSurfaceRootUserClient"))
;; <rdar://problem/12675621>
(allow iokit-open
(iokit-user-client-class "IOHIDLibUserClient"))
;; The next four are helpers defined outside this file (presumably in common.sb); what they grant is not visible here.
(framebuffer-access)
;; <rdar://problem/7822790>
(mobile-keybag-access)
; <rdar://problem/7595408> , <rdar://problem/7643881>
(opengl)
(location-services)
; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See <rdar://problem/9375027> for sample backtraces.
(deny file-write*
(home-prefix "/Library/Preferences/com.apple.springboard.plist")
(with no-log))
;; <rdar://problem/34092690>
(allow mach-lookup
(xpc-service-name "com.apple.avkit.SharedPreferences"))
;; <rdar://problem/34986314>
(mobile-preferences-read "com.apple.indigo")
;; <rdar://problem/35417382>, <rdar://problem/35518557>
(allow mach-lookup
(global-name "com.apple.corespotlightservice"))
;; <rdar://problem/35446577>
(allow mach-lookup
(global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
;; <rdar://problem/35509194>
(allow mach-lookup
(global-name "com.apple.coremedia.endpointremotecontrolsession.xpc"))
;;;
;;; End UIKit-apps.sb content
;;;
;; Access to media controls
(play-media)
(media-remote)
;; Allow-list pattern: deny the whole sysctl* family first, then re-enable read access to the named keys only.
(deny sysctl*)
(allow sysctl-read
(sysctl-name
"hw.availcpu"
"hw.ncpu"
"hw.model"
"kern.memorystatus_level"
"vm.footprint_suspend"))
;; Same allow-list pattern for IOKit property reads: unfiltered deny, then the names/patterns below.
;; NOTE(review): this deny carries no registry-entry filter; if later rules take precedence (as is usual in
;; this profile language) it would also override the filtered iokit-get-properties allows in the CoreMotion
;; and Home Button section above — confirm that is intended.
(deny iokit-get-properties (with partial-symbolication))
(allow iokit-get-properties
;; The regexes are anchored with ^ only, so each one is a prefix match on the property name.
(iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
(iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
(iokit-property "BaseAddressAlignmentRequirement")
(iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
(iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
(iokit-property "IOGLESDefaultUseMetal")
(iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
(iokit-property-regex #"^MetalPlugin(Name|ClassName)")
(iokit-property "emu")
(iokit-property "hdcp-hoover-protocol")
(iokit-property "iommu-present")
(iokit-property "product-id")
(iokit-property "software-behavior")
)
;; Read-only preferences and data
(mobile-preferences-read
"com.apple.LaunchServices"
"com.apple.WebFoundation"
"com.apple.mobileipod"
"com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
"com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
"com.apple.voiceservices.logging")
;; Sandbox extensions
;; Emit two rules with operator `op` (allow, as used below) for the paths selected by `path-filter`:
;; read access (file-read*), and the right to issue a sandbox extension of class
;; com.apple.app-sandbox.read for those same paths (require-all ties the class to the path filter,
;; so the process cannot hand out read extensions for paths it does not itself hold).
(define (apply-read-and-issue-extension op path-filter)
(op file-read* path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
;; Write-side counterpart of apply-read-and-issue-extension: emit `op` rules for file-write* on
;; `path-filter`, and for issuing com.apple.app-sandbox.read-write extensions restricted to that
;; same filter. Note it grants write only; read access must come from the read helper.
(define (apply-write-and-issue-extension op path-filter)
(op file-write* path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
;; Allow read access plus read-extension issuing for `path-filter` (operator fixed to allow).
(define (read-only-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter))
;; Allow read and write access plus issuing of both read and read-write extensions for `path-filter`
;; (operator fixed to allow). Superset of read-only-and-issue-extensions.
(define (read-write-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter)
(apply-write-and-issue-extension allow path-filter))
;; File access is granted per sandbox extension rather than by fixed paths: the filter matches only
;; paths covered by an extension of the named class that this process has been given.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
;; Access to client's cache folder & re-vending to CFNetwork.
;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
;; May issue nsurlstorage cache extensions only for paths already held via a read-write extension.
(allow file-issue-extension (require-all
(extension "com.apple.app-sandbox.read-write")
(extension-class "com.apple.nsurlstorage.extension-cache")))
;; MediaAccessibility
(mobile-preferences-read "com.apple.mediaaccessibility")
;; The only read-write preferences domain granted in this file.
(mobile-preferences-read-write "com.apple.mediaaccessibility.public")
;; Remote Web Inspector
(allow mach-lookup
(global-name "com.apple.webinspector"))
;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.accountsd.accountmanager")
(global-name "com.apple.analyticsd")
(global-name "com.apple.coremedia.audiodeviceclock"))
;; Hardening: no symlink creation anywhere, and no read or write of extended attributes whose
;; name starts with com.apple.security.private. (regex anchored at the start). Both are unfiltered,
;; so they apply even to paths writable through the extension rules above.
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
;; Allow loading injected bundles.
;; No path filter on this rule: any file the profile lets the process read can be mapped executable.
(allow file-map-executable)
;; AWD logging
(awd-log-directory "com.apple.WebKit.WebContent")
;; Allow ManagedPreference access
;; Exact-path (literal) read grant for the web content filter configuration.
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
(allow file-read-data
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
;; Allow mediaserverd to issue file extensions for the purposes of reading media
;; Issuing is limited to paths already held via a com.apple.app-sandbox.read extension.
(allow file-issue-extension (require-all
(extension "com.apple.app-sandbox.read")
(extension-class "com.apple.mediaserverd.read")))
;; Allow CoreMedia to communicate with mediaserverd in order to implement custom media loading
(allow mach-lookup
(global-name "com.apple.coremedia.customurlloader.xpc"))
;; Media capture, microphone access
;; Gated on an extension: device-microphone is only allowed while the process holds a
;; com.apple.webkit.microphone extension.
(with-filter (extension "com.apple.webkit.microphone")
(allow device-microphone))
;; Media capture, camera access
;; Likewise gated on the com.apple.webkit.camera extension; the preference read, DAL plug-in read,
;; and extension-based mach lookups inside this block are only live under that same condition.
(with-filter (extension "com.apple.webkit.camera")
(allow user-preference-read
(preference-domain "com.apple.coremedia"))
(allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
(allow mach-lookup (extension "com.apple.app-sandbox.mach"))
(allow device-camera))
;; Support incoming video connections
(allow mach-lookup
(global-name "com.apple.audio.audiohald")
(global-name "com.apple.coremedia.compressionsession")
(global-name "com.apple.coremedia.decompressionsession")
(global-name "com.apple.coremedia.videoqueue"))