; Copyright (C) 2010-2019 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

;; Sandbox profile (SBPL, a Scheme dialect) for a WebKit content process on iOS;
;; the AWD log directory further down names com.apple.WebKit.WebContent.
;; Rules are evaluated in order and a later rule takes precedence over an earlier
;; one for the same operation, so the broad denials at the top are narrowed by the
;; specific allows that follow.
;; NOTE(review): many comments in this file are bare ";;" / ";" lines or end
;; mid-sentence ("once is resolved", "See for sample backtraces"); the issue
;; references they carried appear to have been stripped, the rules themselves were not.

(version 1)
;; Default-deny: every operation not explicitly allowed below is refused.
;; The with-partial-symbolication modifier affects how violations are reported
;; (backtrace symbolication), presumably not the decision itself.
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)

;; Shared macros such as ubiquity-client, play-audio, mobile-preferences-read and
;; asset-access used below are not defined in this file; they presumably come from here.
(import "common.sb")

;; Every XPC service name starts with the empty prefix, so this denies all XPC
;; service lookups; individual xpc-service-name allows below re-open specific ones.
(deny mach-lookup (xpc-service-name-prefix ""))
(deny lsopen)

;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;;; Allow UIKit apps access to com.apple.TextInput.preferences mach service
(allow mach-lookup (global-name "com.apple.TextInput.preferences"))

(allow mach-lookup (xpc-service-name "com.apple.siri.context.service"))

(allow mach-lookup
    (global-name "com.apple.frontboard.systemappservices")
    ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
    ; Anchored regex: only names under the com.apple.uikit.viewservice. namespace match.
    (global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))

;; Any app could use ubiquity.
(ubiquity-client)

;; Any app can play audio & movies.
(play-audio)
(play-media)

;; Access to media controls
(media-remote)

(url-translation)

;; For All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
;; renamed in Rename com.apple.UIKit.KeyboardManagement
(allow mach-lookup
    (global-name "com.apple.UIKit.KeyboardManagement")
    (global-name "com.apple.UIKit.KeyboardManagement.hosted"))

;; TextInput framework
(allow mach-lookup
    (global-name "com.apple.TextInput")
    (global-name "com.apple.TextInput.emoji")
    (global-name "com.apple.TextInput.image-cache-server")
    (global-name "com.apple.TextInput.lexicon-server")
    (global-name "com.apple.TextInput.rdt")
    (global-name "com.apple.TextInput.shortcuts"))

(mobile-preferences-read "com.apple.da")

;; Various Accessibility services.
(allow mach-lookup (xpc-service-name "com.apple.accessibility.AccessibilityUIServer")) ; Needed for Zoom focus updates

;; ZoomTouch
;;
(allow mach-lookup (global-name "com.apple.accessibility.AXBackBoardServer"))

;; Speak Selection & VoiceOver
;; AX: Sandbox violation with changing Language while VO is on
;; and
(mobile-preferences-read
    "com.apple.SpeakSelection" ; Needed for WebSpeech
    "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
    "com.apple.voiceservices") ; Ditto

(allow mach-lookup
    (global-name "com.apple.audio.AudioComponentPrefs")
    (global-name "com.apple.audio.AudioComponentRegistrar")
    (global-name "com.apple.audio.AudioQueueServer"))

;; mach-register (not just lookup): the process may publish this local name itself.
(allow mach-register (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility

;; Access to high quality speech voices
;; Needed for WebSpeech
(allow file-read*
    (home-subpath "/Library/VoiceServices/Assets")
    (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))

;; HearingAidSupport
(allow mach-lookup (xpc-service-name "com.apple.accessibility.heard"))

;; MediaAccessibility (captions)
;;
(mobile-preferences-read "com.apple.mediaaccessibility")
(allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))

;; Permit reading assets via MobileAsset framework.
(asset-access 'with-media-playback)

;; Network Extensions / VPN helper.
(allow mach-lookup
    (global-name "com.apple.nehelper")
    (global-name "com.apple.nesessionmanager"))

;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-literal-read
    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

;; Access the keyboards
(allow file-read*
    (home-subpath "/Library/Caches/com.apple.keyboards"))

;; NSExtension helper for supplying information not provided by PlugInKit
(allow mach-lookup (xpc-service-name "com.apple.uifoundation-bundle-helper"))

;; Suffix-anchored regexes: any XPC service whose name ends in these suffixes is reachable,
;; not one specific service.
;;
(allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))

;;
(allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))

;; Power logging
(allow mach-lookup (global-name "com.apple.powerlog.plxpclogger.xpc"))

;;
(mobile-preferences-read
    "com.apple.EmojiPreferences"
    ; com.apple.InputModePreferences
    "com.apple.InputModePreferences"
    ; Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
    "com.apple.keyboard"
    ; "com.apple.Preferences"
    "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)

;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once the tracked issue (reference stripped) is resolved.
;; (with no-log) suppresses the violation report; the access is still refused.
(deny file-read*
    (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
    (with no-log))

;; Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read* (home-subpath "/Library/Fonts"))

;; LaunchServices app icons
(allow file-read*
    (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow mach-lookup (xpc-service-name "com.apple.lsdiconservice"))

;; Common mach services needed by UIKit.
(allow mach-lookup
    (global-name "com.apple.CARenderServer")
    (global-name "com.apple.KeyboardServices.TextReplacementService")
    (global-name "com.apple.assertiond.applicationstateconnection")
    (global-name "com.apple.assertiond.expiration")
    (global-name "com.apple.assertiond.processinfoservice")
    (global-name "com.apple.audio.SystemSoundServer-iOS")
    (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
    (global-name "com.apple.backboard.animation-fence-arbiter")
    (global-name "com.apple.backboard.display.services")
    (global-name "com.apple.backboard.hid.focus")
    (global-name "com.apple.backboard.hid.services")
    (global-name "com.apple.iohideventsystem")
    (global-name "com.apple.iphone.axserver-systemwide")
    (global-name "com.apple.frontboard.workspace")
    (global-name "com.apple.frontboard.systemappservices"))

;;
(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))

(allow-preferences-common)

;; CoreMotion
(mobile-preferences-read "com.apple.CoreMotion")

;; CoreMotion’s deviceMotion API
;; The with-filter wrappers scope the IOKit grants to the named registry-entry classes only.
(with-filter (require-any
                (iokit-registry-entry-class "AppleOscarNub")
                (iokit-registry-entry-class "AppleSPUHIDInterface"))
    (allow iokit-get-properties (iokit-property "gyro-interrupt-calibration")))

(with-filter (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
    (allow iokit-open)
    ;; iokit-set-properties is granted here for these four properties only.
    (allow iokit-get-properties iokit-set-properties (iokit-property "interval" "mode" "QueueSize" "useMag"))
    (allow iokit-get-properties (iokit-property "client")))

;; Home Button
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
    (allow iokit-get-properties (iokit-property "home-button-type")))

;; Common preferences read by UIKit.
(mobile-preferences-read
    "com.apple.Accessibility"
    "com.apple.UIKit"
    "com.apple.WebUI"
    "com.apple.airplay"
    "com.apple.avkit"
    "com.apple.coreanimation"
    "com.apple.mt"
    "com.apple.preferences.sounds")

;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
;;
(deny file-write-create (home-prefix "/Library/Preferences/com.apple.UIKit.plist") (with no-report))

;;
(deny file-write-create (home-prefix "/Library/Preferences/com.apple.Accessibility.plist") (with no-report))

;;
(mobile-preferences-read "kCFPreferencesAnyApplication")

;;
(mobile-preferences-read "com.apple.mediaaccessibility")

; Dictionary Services used by UITextFields.
;
(allow-create-directory (home-literal "/Library/Caches/com.apple.DictionaryServices"))

; Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
(allow file-read*
    ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
    (subpath "/Library/Dictionaries")
    (home-subpath "/Library/Dictionaries"))

;
(allow file-read* (home-literal "/Library/Caches/DateFormats.plist"))

; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write* (home-literal "/Library/Caches/DateFormats.plist") (with no-log))

; UIKit-required IOKit nodes.
(allow iokit-open
    (iokit-user-client-class "AppleJPEGDriverUserClient")
    (iokit-user-client-class "IOSurfaceAcceleratorClient")
    (iokit-user-client-class "IOSurfaceSendRight")
    ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
    (iokit-user-client-class "IOSurfaceRootUserClient"))

;;
(allow iokit-open (iokit-user-client-class "IOHIDLibUserClient"))

(framebuffer-access)

;;
(mobile-keybag-access)

; ,
(opengl)

(location-services)

; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See the tracked issue (reference stripped) for sample backtraces.
;; Refuse (without logging) writes to SpringBoard's preferences plist; see the note above this rule.
(deny file-write* (home-prefix "/Library/Preferences/com.apple.springboard.plist") (with no-log))

;;
(allow mach-lookup (xpc-service-name "com.apple.avkit.SharedPreferences"))

;;
(mobile-preferences-read "com.apple.indigo")

;; ,
(allow mach-lookup (global-name "com.apple.corespotlightservice"))

;;
(allow mach-lookup (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
;;
(allow mach-lookup (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc"))

;;;
;;; End UIKit-apps.sb content
;;;

;; sysctl: deny everything, then re-allow read access to a fixed list of names.
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.availcpu"
        "hw.ncpu"
        "hw.model"
        "kern.memorystatus_level"
        "vm.footprint_suspend"))

;; IOKit property reads: deny by default, then allow-list specific property names.
;; NOTE(review): most regexes below are ^-anchored, but the IOGVA(...) and
;; (canvas-height|canvas-width) patterns are not, so they match those substrings
;; anywhere in a property name; confirm that is intended.
(deny iokit-get-properties (with partial-symbolication))
(allow iokit-get-properties
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property "APTDevice")
    (iokit-property "AVCSupported")
    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
    (iokit-property "BaseAddressAlignmentRequirement")
    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
    (iokit-property "HEVCSupported")
    (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
    (iokit-property "IOGLESDefaultUseMetal")
    (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
    (iokit-property "IOClassNameOverride")
    (iokit-property "IOPlatformUUID")
    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
    (iokit-property "Protocol Characteristics")
    (iokit-property "artwork-device-subtype")
    (iokit-property-regex #"(canvas-height|canvas-width)")
    (iokit-property "class-code")
    (iokit-property "color-accuracy-index")
    (iokit-property "device-id")
    (iokit-property "device-perf-memory-class")
    (iokit-property "emu")
    (iokit-property "hdcp-hoover-protocol")
    (iokit-property "iommu-present")
    (iokit-property "product-id")
    (iokit-property "software-behavior")
    (iokit-property "vendor-id")
)

;; Read-only preferences and data
(mobile-preferences-read
    "com.apple.LaunchServices"
    "com.apple.WebFoundation"
    "com.apple.mobileipod"
    "com.apple.avfoundation.frecents"
    ;;
    "com.apple.avfoundation.videoperformancehud"
    ;;
    "com.apple.voiceservices.logging")

;; Sandbox extensions
;; Helpers that pair a file-access grant with the right to re-issue (re-vend) a
;; sandbox extension of the matching class for the same paths.
;;   op          - the rule operator to apply (allow, as used below)
;;   path-filter - an SBPL filter expression selecting the paths covered
(define (apply-read-and-issue-extension op path-filter)
    (op file-read* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
;; Same shape as above for file-write* and the read-write extension class.
(define (apply-write-and-issue-extension op path-filter)
    (op file-write* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
;; Read + issue-read-extension on path-filter.
(define (read-only-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter))
;; Read, write, and issue extensions of both classes on path-filter.
(define (read-write-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter)
    (apply-write-and-issue-extension allow path-filter))
;; The filters are the paths covered by extensions the process has already been
;; handed: access follows the extension, not a fixed path list.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Access to client's cache folder & re-vending to CFNetwork.
;; FIXME: Remove the webkit specific extension classes
;; Only paths already covered by a held read-write extension may be re-vended as a
;; nsurlstorage cache extension.
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read-write")
    (extension-class "com.apple.nsurlstorage.extension-cache")))

;; MediaAccessibility
(mobile-preferences-read "com.apple.mediaaccessibility")
(mobile-preferences-read-write "com.apple.mediaaccessibility.public")

;; Remote Web Inspector
(allow mach-lookup (global-name "com.apple.webinspector"))

;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.accountsd.accountmanager")
    (global-name "com.apple.analyticsd")
    (global-name "com.apple.coremedia.audiodeviceclock"))

;; Hardening: these denials come after the extension-based write grants above, so
;; they take precedence. The process cannot create symlinks anywhere, and the
;; com.apple.security.private.* extended attributes stay opaque to it.
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; Allow loading injected bundles.
;; NOTE(review): this grant carries no filter, so any file the process can read
;; may be mapped executable; if the bundle locations are known, a path or
;; extension filter here would narrow the surface.
(allow file-map-executable)

;; AWD logging
(awd-log-directory "com.apple.WebKit.WebContent")

;; Allow ManagedPreference access
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))

(allow file-read-data (literal "/usr/local/lib/log")) ; issue reference stripped from this comment

;; Allow mediaserverd to issue file extensions for the purposes of reading media
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read")
    (extension-class "com.apple.mediaserverd.read")))

;; Allow CoreMedia to communicate with mediaserverd in order to implement custom media loading
(allow mach-lookup (global-name "com.apple.coremedia.customurlloader.xpc"))

;; Media capture, microphone access
;; Gated on a held com.apple.webkit.microphone extension: without it the grant is inert.
(with-filter (extension "com.apple.webkit.microphone")
    (allow device-microphone))

;; Media capture, camera access
;; Likewise gated on a held com.apple.webkit.camera extension; the extra grants
;; inside (preferences, DAL plug-in reads, extension-scoped mach lookups) apply only then.
(with-filter (extension "com.apple.webkit.camera")
    (allow user-preference-read (preference-domain "com.apple.coremedia"))
    (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
    (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
    (allow device-camera))

;; Support incoming video connections
(allow mach-lookup
    (global-name "com.apple.audio.audiohald")
    (global-name "com.apple.coremedia.compressionsession")
    (global-name "com.apple.coremedia.decompressionsession")
    (global-name "com.apple.coremedia.videoqueue"))