com.apple.securityd.sb   [plain text]

;;; Copyright (c) 2017 Apple Inc.  All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
(version 1)

(deny default)
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;; We inspect all the binaries,
;; resolve symlinks, realpath(3), and equivalents,
;; read preference files in-process
(allow file-read*)

(allow file-write* 
       (subpath "/private/var/db/mds"))
(allow file-ioctl (literal "/dev/auditsessions"))

(allow process-info* (target self))
(allow process-info-codesignature)
(allow process-info-pidinfo)

(when (string=? (param "LEGACY_TOKENS_ENABLED") "YES")
    (allow process-exec (with no-sandbox) (subpath "/Library/Security/tokend"))
    (allow process-fork)
    (allow signal (target children))
    (allow file-write* (subpath "/private/var/db/TokenCache")))

(allow user-preference-read 
       (preference-domain "com.apple.security")
       (preference-domain "com.apple.security.smartcard")
       (preference-domain "kCFPreferencesAnyApplication")
       (preference-domain "securityd"))

(allow system-audit)
(allow mach-lookup
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.system.opendirectoryd.api")
       (global-name "com.apple.securitydservice")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.security.syspolicy")
       (global-name "com.apple.security.agent")
       (global-name "com.apple.security.agent.login"))

(allow ipc-posix-shm 
    (ipc-posix-name "com.apple.AppleDatabaseChanged")
    (ipc-posix-name "apple.cfprefs.daemonv1"))

(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

(allow network-outbound
     (path "/private/var/run/systemkeychaincheck.socket"))

(with-filter (system-attribute apple-internal)
     (allow nvram-get
            (nvram-variable "AMFITrustedKeys")))