com.apple.securityuploadd.sb [plain text]
(version 1)
(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)
;;; Homedir-relative path filters
(define (home-regex home-relative-regex)
(regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
(define (home-subpath home-relative-subpath)
(subpath (string-append (param "HOME") home-relative-subpath)))
(define (home-prefix home-relative-prefix)
(prefix (string-append (param "HOME") home-relative-prefix)))
(define (home-literal home-relative-literal)
(literal (string-append (param "HOME") home-relative-literal)))
(allow process-info* (target self))
;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)
;; For validating the entitlements of clients.
(allow process-info-codesignature)
(allow user-preference-read user-preference-write
(preference-domain "com.apple.security.analytics")
(preference-domain ".GlobalPreferences")
(preference-domain "com.apple.CFNetwork")
(preference-domain "com.apple.nsurlcache")
(preference-domain "kCFPreferencesAnyApplication"))
(allow file-read*
(literal "/usr/libexec")
(literal "/usr/libexec/securityuploadd")
(subpath "/private/var/protected/trustd/SupplementalsAssets/")
(literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
(regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
;; Read/write access to analytics DBs and reports directories
(allow file-read* file-write*
(subpath "/private/var/protected/")
(home-regex #"/Library/Keychains/[0-9A-F-]+/Analytics(/|$)")
(home-subpath #"/Library/Logs/DiagnosticReports/")
(home-subpath #"/Library/Application Support/com.apple.ProtectedCloudStorage/"))
;; Read/write cache access
(let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.securityuploadd")))
(allow file-read* file-write* cache-path-filter)
(allow file-issue-extension
(require-all
(extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
cache-path-filter)))
(allow mach-lookup
(global-name "com.apple.securityd.ckks")
(global-name "com.apple.accountsd.accountmanager")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.AppSSO.service-xpc")
(global-name "com.apple.dnssd.service")
(global-name "com.apple.usymptomsd")
(global-name "com.apple.ak.auth.xpc"))
;; Legacy SecKey operations
(allow file-read* file-write*
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
(allow mach-lookup
(global-name "com.apple.SecurityServer"))
;; allow network
(allow network-outbound)
(allow system-socket)