; Copyright (C) 2010-2019 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

(version 1)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

(import "util.sb")
(import "carrier-bundle-allowed.sb")

(define-once (allow-read-and-issue-generic-extensions . filters)
    (allow file-read*
           (apply require-any filters))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read")
            (apply require-any filters))))

(define-once (allow-read-write-and-issue-generic-extensions . filters)
    (allow file-read* file-write*
           (apply require-any filters))
    (allow file-read-metadata
           (apply require-any filters))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
            (apply require-any filters))))

(define-once (managed-configuration-read-public)
    (allow file-read*
           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))

(define-once (managed-configuration-read . files)
    (if (null? files)
        (allow file-read*
               (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/UserConfigurationProfiles"))
        (for-each
            (lambda (file)
                (allow file-read*
                    (well-known-system-group-container-literal
                        (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
                    (front-user-home-literal
                        (string-append "/Library/ConfigurationProfiles/" file)
                        (string-append "/Library/UserConfigurationProfiles/" file))))
            files)))

(define-once (allow-preferences-common)
    (allow file-read-metadata
           (home-literal "")
           (home-literal "/Library/Preferences")))

(define-once (mobile-preferences-read . domains)
    (allow-preferences-common)
    (allow user-preference-read (apply preference-domain domains)))

(define-once (mobile-preferences-read-write . domains)
    (allow-preferences-common)
    (allow user-preference-read user-preference-write (apply preference-domain domains)))

(define-once (framebuffer-access)
    (allow iokit-open (with report) (with telemetry)
           (iokit-user-client-class "IOMobileFramebufferUserClient"))

    ; IOMobileFramebuffer
    (with-filter (iokit-registry-entry-class "IOMobileFramebuffer")
        (allow iokit-get-properties
               (iokit-property "AppleTV"
                               "DisplayPipePlaneBaseAlignment"
                               "DisplayPipeStrideRequirements"
                               "PerformanceStatistics"
                               "appleTV-VID0"
                               "appleTV-VID1"
                               "hdcp-hoover-protocol")))

    (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily")
)

(define-once (asset-access . options)
    (let ((asset-access-filter
            (require-all
              (require-any
                (home-subpath "/Library/Assets")
                (subpath "/private/var/MobileAsset"))
              (extension "com.apple.assets.read"))))
        ;; <rdar://problem/10710883>
        ;; <rdar://problem/11569106>
        (allow file-read* asset-access-filter)
        (if (memq 'with-media-playback options)
            (play-media asset-access-filter))
        (allow mach-lookup (with report) (with telemetry)
               (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2"))
        (mobile-preferences-read "com.apple.MobileAsset")))

(define-once (mobile-keybag-access)
     (allow iokit-open (with report) (with telemetry)
            (iokit-user-client-class "AppleKeyStoreUserClient")))

(define-once (location-services)
    (allow-carrier-bundle) ;; <rdar://problem/21192365>
    (mobile-preferences-read
        "com.apple.AppSupport"
        "com.apple.GEO"
        "com.apple.locationd"))

(define-once (play-audio)
    (allow mach-lookup
           (global-name "com.apple.audio.AURemoteIOServer"))
    (allow mach-lookup (with report) (with telemetry)
           (xpc-service-name "com.apple.audio.toolbox.reporting.service")))

(define-once (play-media . filters)
    (if (not (null? filters))
        ;; <rdar://problem/9875794>
        (allow file-issue-extension
            (require-all
                (apply require-any filters)
                (extension-class "com.apple.mediaserverd.read"))))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read")
            (extension "com.apple.security.exception.files.absolute-path.read-only"
                       "com.apple.security.exception.files.absolute-path.read-write"
                       "com.apple.security.exception.files.home-relative-path.read-only"
                       "com.apple.security.exception.files.home-relative-path.read-write")))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read-write")
            (extension "com.apple.security.exception.files.absolute-path.read-write"
                       "com.apple.security.exception.files.home-relative-path.read-write")))
    ;; CoreMedia framework.
    (allow mach-lookup
           (global-name "com.apple.coremedia.admin")
           (global-name "com.apple.coremedia.asset.xpc")
           (global-name "com.apple.coremedia.assetimagegenerator.xpc")
           (global-name "com.apple.coremedia.audioprocessingtap.xpc")
           (global-name "com.apple.coremedia.capturesession")      ; Actually for video capture
           (global-name "com.apple.coremedia.capturesource")       ; Also for video capture (<rdar://problem/15794291>).
           (global-name "com.apple.coremedia.customurlloader.xpc") ; Needed for custom media loading
           (global-name "com.apple.coremedia.formatreader.xpc")
           (global-name "com.apple.coremedia.player.xpc")
           (global-name "com.apple.coremedia.remaker")
           (global-name "com.apple.coremedia.remotequeue")
           (global-name "com.apple.coremedia.routediscoverer.xpc")
           (global-name "com.apple.coremedia.routingcontext.xpc")
           (global-name "com.apple.coremedia.samplebufferaudiorenderer.xpc")
           (global-name "com.apple.coremedia.samplebufferrendersynchronizer.xpc")
           (global-name "com.apple.coremedia.sandboxserver.xpc")
           (global-name "com.apple.coremedia.systemcontroller.xpc")
           (global-name "com.apple.coremedia.volumecontroller.xpc"))

    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.coremedia.endpoint.xpc")
        (global-name "com.apple.coremedia.figcpecryptor"))

    (mobile-preferences-read
        "com.apple.avfoundation"
        "com.apple.coreaudio"
        "com.apple.coremedia"
        "com.apple.corevideo"
        "com.apple.itunesstored" ; Needed by MediaPlayer framework
        "com.apple.mobileipod" ; Ditto
        "com.apple.audio.virtualaudio" ; <rdar://problem/57170333>
    )

    ;; Required by the MediaPlayer framework.
    (allow mach-lookup
        (global-name "com.apple.audio.AudioSession"))

    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.airplay.apsynccontroller.xpc"))

    ;; Allow mediaserverd to issue file extensions for the purposes of reading media
    (allow file-issue-extension (require-all
        (extension "com.apple.app-sandbox.read")
        (extension-class "com.apple.mediaserverd.read")))
)

(define-once (media-remote)
    (mobile-preferences-read
        "com.apple.mediaremote"
        "com.apple.mobileipod")
    (allow mach-lookup
           (global-name "com.apple.mediaremoted.xpc"))
    (allow mach-lookup (with report) (with telemetry)
        (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService"))
)

(define-once (media-capture-support)
    ;; Media capture, microphone access
    (with-filter (extension "com.apple.webkit.microphone")
        (allow device-microphone))

    ;; Media capture, camera access
    (with-filter (extension "com.apple.webkit.camera")
        (allow user-preference-read
            (preference-domain "com.apple.coremedia"))
        (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
        (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
        (allow device-camera))

    ;; Support incoming video connections
    (allow mach-lookup
        (global-name "com.apple.coremedia.compressionsession")
        (global-name "com.apple.coremedia.decompressionsession")
        (global-name "com.apple.coremedia.videoqueue"))
)

(define-once (accessibility-support)
    (allow mach-register
        (local-name "com.apple.iphone.axserver"))
    (mobile-preferences-read "com.apple.Accessibility")
    
    ;; <rdar://problem/10809394>
    (deny file-write-create
        (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
        (with no-report))
)

(define-once (media-accessibility-support)
    ;; <rdar://problem/12801477>
    (allow mach-lookup
        (global-name "com.apple.accessibility.mediaaccessibilityd"))

    ;; <rdar://problem/12250145>
    (mobile-preferences-read "com.apple.mediaaccessibility")
    (mobile-preferences-read-write "com.apple.mediaaccessibility.public")
)

(define-once (url-translation)
    ;; For translating http:// & https:// URLs referencing itms:// URLs.
    ;; <rdar://problem/11587338>
    (allow file-read*
           (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))

;;;
;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
;;;
(define-once (opengl)
    (allow iokit-open
           (iokit-connection "IOGPU")
           (iokit-user-client-class
                "AGXCommandQueue"
                "AGXDevice"
                "AGXDeviceUserClient"
                "AGXSharedUserClient"
                "IOAccelContext"
                "IOAccelDevice"
                "IOAccelSharedUserClient"
                "IOAccelSubmitter2"
                "IOAccelContext2"
                "IOAccelDevice2"
                "IOAccelSharedUserClient2"))

    (allow iokit-get-properties
        (iokit-property "IOGLBundleName")
        (iokit-property "IOGLESBundleName")
        (iokit-property "IOGLESDefaultUseMetal")
        (iokit-property "IOGLESMetalBundleName")
        (iokit-property "MetalPluginClassName")
        (iokit-property "MetalPluginName")
    )

    (allow sysctl-read
           (sysctl-name #"kern.bootsessionuuid"))

    (allow mach-lookup
       ;; <rdar://problem/47268166>
       (xpc-service-name "com.apple.MTLCompilerService"))
    
    (mobile-preferences-read
        "com.apple.Metal" ;; <rdar://problem/25535471>
        "com.apple.opengl" ;; <rdar://problem/23321675>
    )
)

(define-once (debugging-support)
        (allow file-read* file-map-executable
               (subpath "/Developer"))

        (allow ipc-posix-shm
               (ipc-posix-name-regex #"^stack-logs")
               (ipc-posix-name-regex #"^OA-")
               (ipc-posix-name-regex #"^/FSM-"))

        (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
               (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))

        (with-filter (system-attribute apple-internal)
            ;; <rdar://problem/8565035>
            ;; <rdar://problem/23857452>
            (allow file-read* file-map-executable
                   (subpath "/AppleInternal")
                   (subpath "/usr/local/lib")))
            (with-elevated-precedence
                (allow file-read* file-map-executable file-issue-extension
                   (front-user-home-subpath "/XcodeBuiltProducts")))

        ;; <rdar://problem/8107758>
        (allow file-read* file-map-executable
               (subpath "/System/Library/Frameworks")
               (subpath "/System/Library/PrivateFrameworks"))

        ;; <rdar://problem/32544921>
        (mobile-preferences-read "com.apple.hangtracer"))

(define-once (device-access)
    (deny file-read* file-write*
          (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))

    (allow file-read* file-write-data
           (literal "/dev/null")
           (literal "/dev/zero"))

    (allow file-read* file-write-data file-ioctl
           (literal "/dev/dtracehelper"))

    (allow file-read*
           (literal "/dev/random")
           (literal "/dev/urandom"))
    ;; <rdar://problem/14215718>
    (deny file-write-data (with no-report)
          (literal "/dev/random")
          (literal "/dev/urandom"))

    (allow file-read* file-write-data file-ioctl
           (literal "/dev/aes_0")))

(define-once (awd-log-directory daemon-name)
    (let*
        ((base-directory (home-relative-path "/Library/Logs/awd")))
        (allow-create-directory (literal base-directory))
        (allow file-read* file-write*
            (prefix (string-append base-directory "/awd-" daemon-name ".log")))
))

(define-once (logd-diagnostic-paths)
    (require-any
        (subpath "/private/var/db/diagnostics")
        (subpath "/private/var/db/timesync")
        (subpath "/private/var/db/uuidtext")
        (subpath "/private/var/userdata/diagnostics")))
(define-once (logd-diagnostic-client)
    (with-filter
        (require-all
            (require-any
                (require-entitlement "com.apple.private.logging.diagnostic")
                (require-entitlement "com.apple.diagnosticd.diagnostic"))
            (extension "com.apple.logd.read-only"))
        (allow file-read*
               (logd-diagnostic-paths))))

(define required-etc-files
  (literal "/private/etc/fstab"
           "/private/etc/hosts"
           "/private/etc/group"
           "/private/etc/passwd"
           "/private/etc/protocols"
           "/private/etc/services"))

(define-once (speech-synthesis-and-voiceover)
    ;; Speak Selection & VoiceOver
    ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
    ;; and <rdar://problem/13071747>
    (mobile-preferences-read
        "com.apple.SpeakSelection" ; Needed for WebSpeech
        "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
        "com.apple.voiceservices") ; Ditto

    ;; <rdar://problem/14555119> Access to high quality speech voices
    ;; Needed for WebSpeech
    (allow file-read*
        (home-subpath "/Library/VoiceServices/Assets")
        (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
)

(define-once (core-motion)
    ;; CoreMotion
    (mobile-preferences-read "com.apple.CoreMotion")

    ;; CoreMotion’s deviceMotion API
    (with-filter
        (require-any
            (iokit-registry-entry-class "AppleOscarNub")
            (iokit-registry-entry-class "AppleSPUHIDInterface"))
        (allow iokit-get-properties
            (iokit-property "gyro-interrupt-calibration")))
    (with-filter
        (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
        (allow iokit-open (with report) (with telemetry))
        (allow iokit-get-properties iokit-set-properties
            (iokit-property "interval"
                            "mode"
                            "QueueSize"
                            "useMag"))
        (allow iokit-get-properties
            (iokit-property "client")))
)

;; Things required by UIKit
(define-once (uikit-requirements)
    (mobile-preferences-read
        "com.apple.UIKit"
        "com.apple.WebUI"
        "com.apple.airplay"
        "com.apple.avkit"
        "com.apple.coreanimation"
        "com.apple.mt"
        "com.apple.preferences.sounds")

    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
    )

    (allow mach-lookup
        (global-name "com.apple.CARenderServer"))

    (allow mach-lookup (with report) (with telemetry)
        (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
    )

    ; UIKit-required IOKit nodes.
    (allow iokit-open
        (iokit-user-client-class "AppleJPEGDriverUserClient")
        (iokit-user-client-class "IOSurfaceAcceleratorClient")
        (iokit-user-client-class "IOSurfaceSendRight")
        (iokit-user-client-class "IOSurfaceRootUserClient") ;; Needed by Tiled Grid code.
    )

    ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
    ;; <rdar://problem/13796537>
    (deny file-write-create
        (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
        (with no-report))
)

(define-once (dictionary-support)
    ; Dictionary Services used by UITextFields.
    ; <rdar://problem/9386926>
    (allow-create-directory
        (home-literal "/Library/Caches/com.apple.DictionaryServices"))

    ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
    (allow file-read*
        ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
        (subpath "/Library/Dictionaries")
        (home-subpath "/Library/Dictionaries"))
)

(deny file-map-executable)

(deny file-write-mount file-write-unmount)

(allow file-read-metadata (with no-times)
       (vnode-type DIRECTORY))
(with-filter (apple-signed-executable?)
  (allow file-read-metadata
         (vnode-type DIRECTORY)))

(with-filter (apple-signed-executable?)
  (managed-configuration-read "CloudConfigurationDetails.plist")
  (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
  (mobile-preferences-read "com.apple.security"))

(with-filter (system-attribute apple-internal)
  (mobile-preferences-read "com.apple.PrototypeTools"))

(with-elevated-precedence
    (allow file-read*
           (subpath "/usr/lib"
                    "/usr/share"
                    "/private/var/db/timezone"))
    (allow-read-and-issue-generic-extensions
        (subpath "/Library/RegionFeatures"
                 "/System/Library"))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read")
            (subpath "/System/Library")))
    (let ((hw-identifying-paths
            (require-any
                (literal "/System/Library/Caches/apticket.der")
                (subpath "/System/Library/Caches/com.apple.kernelcaches")
                (subpath "/System/Library/Caches/com.apple.factorydata"))))
        (deny file-issue-extension file-read* hw-identifying-paths))
    
    (allow file-map-executable
           (subpath "/System/Library")
           (subpath "/usr/lib"))
    (allow file-read-metadata
           (vnode-type SYMLINK))

    ;;; <rdar://problem/24144418>
    (allow file-read*
           (subpath "/private/var/preferences/Logging"))

    (mobile-preferences-read "kCFPreferencesAnyApplication")
    (allow file-read*
           (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))

    (allow file-read*
           (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))

    (allow file-read-metadata
           (home-literal "/Library/Caches/powerlog.launchd"))

    (allow-read-and-issue-generic-extensions (executable-bundle))
    (allow file-map-executable (executable-bundle))

    ;; <rdar://problem/13963294>
    (deny file-read-data file-issue-extension file-map-executable
        (require-all
            (executable-bundle)
            (regex #"/[^/]+/SC_Info/")))

    (unless (defined? 'restrictive-extension)
        (with-filter
            (extension
                "com.apple.app-sandbox.read"
                "com.apple.app-sandbox.read-write"
                "com.apple.quicklook.readonly"
                "com.apple.security.exception.files.absolute-path.read-only"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-only"
                "com.apple.security.exception.files.home-relative-path.read-write"
                "com.apple.sharing.airdrop.readonly")
            (allow file-read* file-read-metadata)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read"
                                    "com.apple.mediaserverd.read"
                                    "com.apple.quicklook.readonly"
                                    "com.apple.sharing.airdrop.readonly")))
        (with-filter
            (extension
                "com.apple.app-sandbox.read-write"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-write")
            (allow file-write*)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read-write"
                                    "com.apple.mediaserverd.read-write"))))

    ;; <rdar://problem/16079361>
    (with-filter (global-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.global-name")))
    (with-filter (local-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.local-name")))
    (allow-read-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-only")
           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
    (allow-read-write-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-write")
           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
    (allow iokit-open
           (extension "com.apple.security.exception.iokit-user-client-class"))
    (allow managed-preference-read
           (extension "com.apple.security.exception.managed-preference.read-only"))
    (allow user-preference-read
           (extension "com.apple.security.exception.shared-preference.read-only"))
    (allow user-preference-read user-preference-write
           (extension "com.apple.security.exception.shared-preference.read-write"))

    (allow file-issue-extension
          (require-all
              (extension-class "com.apple.nsurlstorage.extension-cache")
              (extension "com.apple.security.exception.files.home-relative-path.read-write")
              (require-any
                  (prefix "/private/var/root/Library/Caches/")
                  (front-user-home-prefix "/Library/Caches/"))))
)

(debugging-support)

(allow file-read*
    required-etc-files
    (literal "/"))

(allow file-read*
       (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))

(device-access)

(allow file-issue-extension
    (require-all
        (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
        (extension "com.apple.fileprovider.read-write")))

(allow mach-lookup
    (global-name "com.apple.logd")
    (global-name "com.apple.logd.events")
    (global-name "com.apple.cfprefsd.daemon"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.aggregated")
    (global-name "com.apple.distributed_notifications@1v3")
    (global-name "com.apple.tccd"))

(allow ipc-posix-shm-read*
       (ipc-posix-name-prefix "apple.cfprefs."))
 
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.lsd.open")
    (global-name "com.apple.lsd.mapdb"))

;; <rdar://problem/12413942>
(allow file-read*
       (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
(allow iokit-get-properties
       (iokit-property "IORegistryEntryPropertyKeys"))

(allow ipc-posix-sem-open
       (ipc-posix-name "containermanagerd.fb_check"))

(with-filter (ipc-posix-name "purplebuddy.sentinel")
    (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
    (allow ipc-posix-sem-open))

(allow mach-lookup (with telemetry)
    (global-name "com.apple.runningboard") ;; Needed by process assertion code (ProcessTaskStateObserver).
)

(allow system-sched
       (require-entitlement "com.apple.private.kernel.override-cpumon"))

(deny sysctl-read (with no-report)
      (sysctl-name "sysctl.proc_native"))

(with-filter (system-attribute apple-internal)
    (allow sysctl-read sysctl-write
           (sysctl-name "vm.footprint_suspend")))

(allow file-read-metadata network-outbound
       (literal "/private/var/run/syslog"))

(allow mach-lookup
       (global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read*
       (ipc-posix-name "apple.shm.notification_center"))

(logd-diagnostic-client)

(managed-configuration-read-public)

(deny system-info (with no-report)
      (info-type "net.link.addr"))

(allow file-read*
       (subpath "/private/var/db/datadetectors/sys"))

(allow-well-known-system-group-container-subpath-read
       "/systemgroup.com.apple.icloud.findmydevice.managed/Library")

(allow mach-task-name (target self))

(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))

(with-filter (apple-signed-executable?)
    (mobile-preferences-read "com.apple.demo-settings"))

;;;
;;; End common.sb content
;;;

(deny mach-lookup (xpc-service-name-prefix ""))
(deny iokit-get-properties (with partial-symbolication))
(deny lsopen)

;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

;; Any app can play audio & movies.
(play-audio)
(play-media)

;; Access to media controls
(media-remote)

(url-translation)

(mobile-preferences-read "com.apple.da")

(speech-synthesis-and-voiceover)

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.audio.AudioComponentRegistrar"))

;; Permit reading assets via MobileAsset framework.
(asset-access 'with-media-playback)

;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-literal-read
    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

;; Access the keyboards
(allow file-read*
    (home-subpath "/Library/Caches/com.apple.keyboards"))

(mobile-preferences-read
    "com.apple.EmojiPreferences"
    ; <rdar://problem/8477596> com.apple.InputModePreferences
    "com.apple.InputModePreferences"
    ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
    "com.apple.keyboard"
    ; <rdar://problem/9384085>
    "com.apple.Preferences"
    "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)

;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once <rdar://problem/47038102> is resolved.
(deny file-read*
    (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
    (with no-log))

;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
    (home-subpath "/Library/Fonts"))

;; <rdar://problem/7344719&26323449> LaunchServices app icons
(allow file-read*
    (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow mach-lookup (with report) (with telemetry)
    (xpc-service-name "com.apple.iconservices")
    (global-name "com.apple.iconservices"))

(allow-preferences-common)

(core-motion)

;; Home Button
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
    (allow iokit-get-properties
        (iokit-property "home-button-type")))

(uikit-requirements)

;; <rdar://problem/9404009>
(mobile-preferences-read "kCFPreferencesAnyApplication")

(dictionary-support)

; <rdar://problem/8440231>
(allow file-read*
    (home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
    (home-literal "/Library/Caches/DateFormats.plist")
    (with no-log))

(framebuffer-access)

;; <rdar://problem/7822790>
(mobile-keybag-access)

; <rdar://problem/7595408> , <rdar://problem/7643881>
(opengl)

(location-services)

; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See <rdar://problem/9375027> for sample backtraces.
(deny file-write*
    (home-prefix "/Library/Preferences/com.apple.springboard.plist")
    (with no-log))

;; <rdar://problem/34986314>
(mobile-preferences-read "com.apple.indigo")

;;;
;;; End UIKit-apps.sb content
;;;

(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.activecpu"
        "hw.availcpu"
        "hw.cachelinesize"
        "hw.cpufamily" ;; <rdar://problem/58416475>
        "hw.cputype"
        "hw.l2cachesize"
        "hw.logicalcpu"
        "hw.logicalcpu_max"
        "hw.ncpu"
        "hw.machine"
        "hw.memsize"
        "hw.model"
        "hw.pagesize_compat"
        "hw.physicalcpu"
        "hw.physicalcpu_max"
        "kern.bootargs"
        "kern.hostname"
        "kern.memorystatus_level"
        "kern.osproductversion"
        "kern.osrelease"
        "kern.osvariant_status"
        "kern.secure_kernel"
        "kern.version"
        "vm.footprint_suspend"))

(allow iokit-get-properties
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property "APTDevice")
    (iokit-property "AVCSupported")
    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
    (iokit-property "BaseAddressAlignmentRequirement")
    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
    (iokit-property "HEVCSupported")
    (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
    (iokit-property "IOClassNameOverride")
    (iokit-property "IOPlatformUUID")
    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
    (iokit-property "Protocol Characteristics")
    (iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
    (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
    (iokit-property "artwork-device-subtype")
    (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
    (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
    (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
    (iokit-property-regex #"(canvas-height|canvas-width)")
    (iokit-property "chip-id") ;; <rdar://problem/52903477>
    (iokit-property "class-code")
    (iokit-property "color-accuracy-index")
    (iokit-property "compatible") ;; <rdar://problem/47523516>
    (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
    (iokit-property "device-colors") ;; <rdar://problem/51322072>
    (iokit-property "device-id")
    (iokit-property "device-perf-memory-class")
    (iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
    (iokit-property "emu")
    (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
    (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
    (iokit-property "hdcp-hoover-protocol")
    (iokit-property "iommu-present")
    (iokit-property "oled-display") ;; <rdar://problem/51322072>
    (iokit-property "product-description") ;; <rdar://problem/49497788>
    (iokit-property "product-id")
    (iokit-property "region-info") ;; <rdar://problem/52903475>
    (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475>
    (iokit-property "soc-generation") ;; <rdar://problem/52903476>
    (iokit-property "software-behavior")
    (iokit-property "vendor-id")
    (iokit-property "udid-version") ;; <rdar://problem/52903475>
    (iokit-property "ui-pip") ;; <rdar://problem/48867037>
)

;; Read-only preferences and data
(mobile-preferences-read
    "com.apple.LaunchServices"
    "com.apple.WebFoundation"
    "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
    "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
    "com.apple.voiceservices.logging")

;; Sandbox extensions
(define (apply-read-and-issue-extension op path-filter)
    (op file-read* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
(define (apply-write-and-issue-extension op path-filter)
    (op file-write* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
(define (read-only-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter))
(define (read-write-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter)
    (apply-write-and-issue-extension allow path-filter))
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Access to client's cache folder & re-vending to CFNetwork.
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read-write")
    (extension-class "com.apple.nsurlstorage.extension-cache")))

(accessibility-support)

(media-accessibility-support)

;; Remote Web Inspector
(allow mach-lookup
       (global-name "com.apple.webinspector"))

;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
    (global-name "com.apple.analyticsd"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.PowerManagement.control"))

(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; Allow loading injected bundles.
(allow file-map-executable)

;; AWD logging
(awd-log-directory "com.apple.WebKit.WebContent")

;; Allow ManagedPreference access
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))

(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.nehelper" "com.apple.nesessionmanager.content-filter" "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI" "com.apple.diagnosticd" "com.apple.lsd.open")))

(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        (xpc-service-name-prefix "com.apple.AGXCompilerService")))

(media-capture-support)

;; These services have been identified as unused during living-on.
;; This list overrides some definitions above and in common.sb.
;; FIXME: remove overridden rules once the final list has been
;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
(deny mach-lookup
    (global-name "com.apple.webkit.camera")
)

(when (defined? 'syscall-unix)
    (deny syscall-unix (with send-signal SIGKILL))
    (allow syscall-unix
        (syscall-number SYS_exit)
        (syscall-number SYS_read)
        (syscall-number SYS_write)
        (syscall-number SYS_open)
        (syscall-number SYS_close)
        (syscall-number SYS_unlink)
        (syscall-number SYS_chmod)
        (syscall-number SYS_getuid)
        (syscall-number SYS_geteuid)
        (syscall-number SYS_recvfrom)
        (syscall-number SYS_getpeername)
        (syscall-number SYS_access)
        (syscall-number SYS_dup)
        (syscall-number SYS_pipe)
        (syscall-number SYS_getegid)
        (syscall-number SYS_getgid)
        (syscall-number SYS_sigprocmask)
        (syscall-number SYS_sigaltstack)
        (syscall-number SYS_ioctl)
        (syscall-number SYS_readlink)
        (syscall-number SYS_umask)
        (syscall-number SYS_msync)
        (syscall-number SYS_munmap)
        (syscall-number SYS_mprotect)
        (syscall-number SYS_madvise)
        (syscall-number SYS_fcntl)
        (syscall-number SYS_select)
        (syscall-number SYS_fsync)
        (syscall-number SYS_setpriority)
        (syscall-number SYS_socket)
        (syscall-number SYS_connect)
        (syscall-number SYS_setsockopt)
        (syscall-number SYS_gettimeofday)
        (syscall-number SYS_getrusage)
        (syscall-number SYS_getsockopt)
        (syscall-number SYS_writev)
        (syscall-number SYS_fchmod)
        (syscall-number SYS_rename)
        (syscall-number SYS_flock)
        (syscall-number SYS_sendto)
        (syscall-number SYS_shutdown)
        (syscall-number SYS_socketpair)
        (syscall-number SYS_mkdir)
        (syscall-number SYS_rmdir)
        (syscall-number SYS_pread)
        (syscall-number SYS_pwrite)
        (syscall-number SYS_csops)
        (syscall-number SYS_csops_audittoken)
        (syscall-number SYS_kdebug_trace64)
        (syscall-number SYS_kdebug_trace)
        (syscall-number SYS_sigreturn)
        (syscall-number SYS_pathconf)
        (syscall-number SYS_getrlimit)
        (syscall-number SYS_setrlimit)
        (syscall-number SYS_mmap)
        (syscall-number SYS_lseek)
        (syscall-number SYS_ftruncate)
        (syscall-number SYS_sysctl)
        (syscall-number SYS_mlock)
        (syscall-number SYS_munlock)
        (syscall-number SYS_getattrlist)
        (syscall-number SYS_getxattr)
        (syscall-number SYS_fgetxattr)
        (syscall-number SYS_listxattr)
        (syscall-number SYS_shm_open)
        (syscall-number SYS_sem_wait)
        (syscall-number SYS_sem_post)
        (syscall-number SYS_sysctlbyname)
        (syscall-number SYS_psynch_mutexwait)
        (syscall-number SYS_psynch_mutexdrop)
        (syscall-number SYS_psynch_cvbroad)
        (syscall-number SYS_psynch_cvsignal)
        (syscall-number SYS_psynch_cvwait)
        (syscall-number SYS_psynch_rw_wrlock)
        (syscall-number SYS_psynch_rw_unlock)
        (syscall-number SYS_psynch_cvclrprepost)
        (syscall-number SYS_process_policy)
        (syscall-number SYS_issetugid)
        (syscall-number SYS___pthread_kill)
        (syscall-number SYS___pthread_markcancel)
        (syscall-number SYS___pthread_sigmask)
        (syscall-number SYS___disable_threadsignal)
        (syscall-number SYS___semwait_signal)
        (syscall-number SYS_proc_info)
        (syscall-number SYS_stat64)
        (syscall-number SYS_fstat64)
        (syscall-number SYS_lstat64)
        (syscall-number SYS_getdirentries64)
        (syscall-number SYS_statfs64)
        (syscall-number SYS_fstatfs64)
        (syscall-number SYS_getfsstat64)
        (syscall-number SYS_getaudit_addr)
        (syscall-number SYS_bsdthread_create)
        (syscall-number SYS_bsdthread_terminate)
        (syscall-number SYS_workq_kernreturn)
        (syscall-number SYS_thread_selfid)
        (syscall-number SYS_kevent_qos)
        (syscall-number SYS_kevent_id)
        (syscall-number SYS___mac_syscall)
        (syscall-number SYS_read_nocancel)
        (syscall-number SYS_write_nocancel)
        (syscall-number SYS_open_nocancel)
        (syscall-number SYS_close_nocancel)
        (syscall-number SYS_sendmsg_nocancel)
        (syscall-number SYS_recvfrom_nocancel)
        (syscall-number SYS_fcntl_nocancel)
        (syscall-number SYS_select_nocancel)
        (syscall-number SYS_connect_nocancel)
        (syscall-number SYS_sendto_nocancel)
        (syscall-number SYS_fsgetpath)
        (syscall-number SYS_fileport_makeport)
        (syscall-number SYS_guarded_open_np)
        (syscall-number SYS_guarded_close_np)
        (syscall-number SYS_change_fdguard_np)
        (syscall-number SYS_proc_rlimit_control)
        (syscall-number SYS_connectx)
        (syscall-number SYS_getattrlistbulk)
        (syscall-number SYS_openat)
        (syscall-number SYS_openat_nocancel)
        (syscall-number SYS_fstatat64)
        (syscall-number SYS_mkdirat)
        (syscall-number SYS_bsdthread_ctl)
        (syscall-number SYS_csrctl)
        (syscall-number SYS_guarded_pwrite_np)
        (syscall-number SYS_getentropy)
        (syscall-number SYS_necp_open)
        (syscall-number SYS_necp_client_action)
        (syscall-number SYS_ulock_wait)
        (syscall-number SYS_ulock_wake)
        (syscall-number SYS_kdebug_typefilter)
        (syscall-number SYS_shared_region_check_np)
        (syscall-number SYS_getpid)
        (syscall-number SYS_bsdthread_register)
        (syscall-number SYS_sigaction)
        (syscall-number SYS_gettid)
        (syscall-number SYS_workq_open)
        (syscall-number SYS_chdir)
        (syscall-number SYS_memorystatus_control)
        (syscall-number SYS_sem_open)
        (syscall-number SYS_sem_close)
        (syscall-number SYS_fsetattrlist)
        (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
        (syscall-number SYS_mremap_encrypted)
        (syscall-number SYS_dup2)
        (syscall-number SYS_fileport_makefd)
        (syscall-number SYS_os_fault_with_payload)
        (syscall-number SYS_persona)
        (syscall-number SYS_work_interval_ctl)
        (syscall-number SYS_open_dprotected_np)
        (syscall-number SYS_pread_nocancel)
        (syscall-number SYS___semwait_signal_nocancel)
        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
        (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
        (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
        (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
        (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
        (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
        (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
        (syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
    )
)