; Copyright (C) 2010-2019 Apple Inc. All rights reserved. ; ; Redistribution and use in source and binary forms, with or without ; modification, are permitted provided that the following conditions ; are met: ; 1. Redistributions of source code must retain the above copyright ; notice, this list of conditions and the following disclaimer. ; 2. Redistributions in binary form must reproduce the above copyright ; notice, this list of conditions and the following disclaimer in the ; documentation and/or other materials provided with the distribution. ; ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF ; THE POSSIBILITY OF SUCH DAMAGE. (version 1) (deny default (with partial-symbolication)) (allow system-audit file-read-metadata) (import "common.sb") (deny mach-lookup (xpc-service-name-prefix "")) (deny lsopen) ;;; ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can ;;; remove unneeded sandbox extensions. ;;; (allow mach-lookup (global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier() (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")) ;; Any app could use ubiquity. (ubiquity-client) ;; Any app can play audio & movies. (play-audio) (play-media) ;; Access to media controls (media-remote) (url-translation) ;; TextInput framework (allow mach-lookup (global-name "com.apple.TextInput")) (mobile-preferences-read "com.apple.da") ;; Speak Selection & VoiceOver ;; AX: Sandbox violation with changing Language while VO is on ;; and (mobile-preferences-read "com.apple.SpeakSelection" ; Needed for WebSpeech "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis "com.apple.voiceservices") ; Ditto (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar")) (allow mach-register (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility ;; Access to high quality speech voices ;; Needed for WebSpeech (allow file-read* (home-subpath "/Library/VoiceServices/Assets") (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice")) ;; MediaAccessibility (captions) ;; (mobile-preferences-read "com.apple.mediaaccessibility") (allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd")) ;; Permit reading assets via MobileAsset framework. (asset-access 'with-media-playback) ;; Network Extensions / VPN helper. (allow mach-lookup (global-name "com.apple.nehelper") (global-name "com.apple.nesessionmanager.content-filter")) ;; ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache (allow-well-known-system-group-container-literal-read "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin") ;; Access the keyboards (allow file-read* (home-subpath "/Library/Caches/com.apple.keyboards")) ;; (allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$")) ;; (allow mach-lookup (xpc-service-name-regex #"\.viewservice$")) ;; Power logging (allow mach-lookup (global-name "com.apple.powerlog.plxpclogger.xpc")) ;; (mobile-preferences-read "com.apple.EmojiPreferences" ; com.apple.InputModePreferences "com.apple.InputModePreferences" ; Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist "com.apple.keyboard" ; "com.apple.Preferences" "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support ) ;; Silently deny unnecessary accesses caused by MessageUI framework. ;; This can be removed once is resolved. (deny file-read* (home-literal "/Library/Preferences/com.apple.mobilemail.plist") (with no-log)) ;; Need read access to /var/mobile/Library/Fonts to all apps (allow file-read* (home-subpath "/Library/Fonts")) ;; LaunchServices app icons (allow file-read* (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache")) (allow mach-lookup (xpc-service-name "com.apple.iconservices") (global-name "com.apple.iconservices")) ;; Common mach services needed by UIKit. (allow mach-lookup (global-name "com.apple.CARenderServer") (global-name "com.apple.iohideventsystem") (global-name "com.apple.frontboard.systemappservices")) ;; (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService")) (allow-preferences-common) ;; CoreMotion (mobile-preferences-read "com.apple.CoreMotion") ;; CoreMotion’s deviceMotion API (with-filter (require-any (iokit-registry-entry-class "AppleOscarNub") (iokit-registry-entry-class "AppleSPUHIDInterface")) (allow iokit-get-properties (iokit-property "gyro-interrupt-calibration"))) (with-filter (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient") (allow iokit-open) (allow iokit-get-properties iokit-set-properties (iokit-property "interval" "mode" "QueueSize" "useMag")) (allow iokit-get-properties (iokit-property "client"))) ;; Home Button (with-filter (iokit-registry-entry-class "IOPlatformDevice") (allow iokit-get-properties (iokit-property "home-button-type"))) ;; Common preferences read by UIKit. (mobile-preferences-read "com.apple.Accessibility" "com.apple.UIKit" "com.apple.WebUI" "com.apple.airplay" "com.apple.avkit" "com.apple.coreanimation" "com.apple.mt" "com.apple.preferences.sounds") ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist. ;; (deny file-write-create (home-prefix "/Library/Preferences/com.apple.UIKit.plist") (with no-report)) ;; (deny file-write-create (home-prefix "/Library/Preferences/com.apple.Accessibility.plist") (with no-report)) ;; (mobile-preferences-read "kCFPreferencesAnyApplication") ;; (mobile-preferences-read "com.apple.mediaaccessibility") ; Dictionary Services used by UITextFields. ; (allow-create-directory (home-literal "/Library/Caches/com.apple.DictionaryServices")) ; Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data (allow file-read* ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari) (subpath "/Library/Dictionaries") (home-subpath "/Library/Dictionaries")) ; (allow file-read* (home-literal "/Library/Caches/DateFormats.plist")) ; Silently deny writes when CFData attempts to write to the cache directory. (deny file-write* (home-literal "/Library/Caches/DateFormats.plist") (with no-log)) ; UIKit-required IOKit nodes. (allow iokit-open (iokit-user-client-class "AppleJPEGDriverUserClient") (iokit-user-client-class "IOSurfaceAcceleratorClient") (iokit-user-client-class "IOSurfaceSendRight") ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow (iokit-user-client-class "IOSurfaceRootUserClient")) (framebuffer-access) ;; (mobile-keybag-access) ; , (opengl) (location-services) ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist ; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is ; allowed to write its plist; ignore all others, they don't know what they are doing. ; See for sample backtraces. (deny file-write* (home-prefix "/Library/Preferences/com.apple.springboard.plist") (with no-log)) ;; (mobile-preferences-read "com.apple.indigo") ;;; ;;; End UIKit-apps.sb content ;;; (deny sysctl*) (allow sysctl-read (sysctl-name "hw.availcpu" "hw.ncpu" "hw.model" "kern.memorystatus_level" "vm.footprint_suspend")) (deny iokit-get-properties (with partial-symbolication)) (allow iokit-get-properties (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)") (iokit-property "APTDevice") (iokit-property "AVCSupported") (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))") (iokit-property "BaseAddressAlignmentRequirement") (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)") (iokit-property "HEVCSupported") (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName") (iokit-property "IOGLESDefaultUseMetal") (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)") (iokit-property "IOClassNameOverride") (iokit-property "IOPlatformUUID") (iokit-property "IOSurfaceAcceleratorCapabilitiesDict") (iokit-property-regex #"^MetalPlugin(Name|ClassName)") (iokit-property "Protocol Characteristics") (iokit-property "artwork-device-idiom") ;; (iokit-property "artwork-device-subtype") (iokit-property "artwork-display-gamut") ;; (iokit-property "artwork-dynamic-displaymode") ;; (iokit-property "artwork-scale-factor") ;; (iokit-property-regex #"(canvas-height|canvas-width)") (iokit-property "class-code") (iokit-property "color-accuracy-index") (iokit-property "compatible") ;; (iokit-property "compatible-device-fallback") ;; (iokit-property "device-colors") ;; (iokit-property "device-id") (iokit-property "device-perf-memory-class") (iokit-property "display-corner-radius") ;; (iokit-property "emu") (iokit-property "graphics-featureset-class") ;; (iokit-property "graphics-featureset-fallbacks") ;; (iokit-property "hdcp-hoover-protocol") (iokit-property "iommu-present") (iokit-property "oled-display") ;; (iokit-property "product-description") ;; (iokit-property "product-id") (iokit-property "software-behavior") (iokit-property "vendor-id") (iokit-property "ui-pip") ;; ) ;; Read-only preferences and data (mobile-preferences-read "com.apple.LaunchServices" "com.apple.WebFoundation" "com.apple.mobileipod" "com.apple.avfoundation.frecents" ;; "com.apple.avfoundation.videoperformancehud" ;; "com.apple.voiceservices.logging") ;; Sandbox extensions (define (apply-read-and-issue-extension op path-filter) (op file-read* path-filter) (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter))) (define (apply-write-and-issue-extension op path-filter) (op file-write* path-filter) (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter))) (define (read-only-and-issue-extensions path-filter) (apply-read-and-issue-extension allow path-filter)) (define (read-write-and-issue-extensions path-filter) (apply-read-and-issue-extension allow path-filter) (apply-write-and-issue-extension allow path-filter)) (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read")) (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write")) ;; Access to client's cache folder & re-vending to CFNetwork. ;; FIXME: Remove the webkti specific extension classes (allow file-issue-extension (require-all (extension "com.apple.app-sandbox.read-write") (extension-class "com.apple.nsurlstorage.extension-cache"))) ;; MediaAccessibility (mobile-preferences-read "com.apple.mediaaccessibility") (mobile-preferences-read-write "com.apple.mediaaccessibility.public") ;; Remote Web Inspector (allow mach-lookup (global-name "com.apple.webinspector")) ;; Various services required by CFNetwork and other frameworks (allow mach-lookup (global-name "com.apple.PowerManagement.control") (global-name "com.apple.analyticsd")) (deny file-write-create (vnode-type SYMLINK)) (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\.")) ;; Allow loading injected bundles. (allow file-map-executable) ;; AWD logging (awd-log-directory "com.apple.WebKit.WebContent") ;; Allow ManagedPreference access (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist")) (allow file-read-data (literal "/usr/local/lib/log") ; ) ;; Allow mediaserverd to issue file extensions for the purposes of reading media (allow file-issue-extension (require-all (extension "com.apple.app-sandbox.read") (extension-class "com.apple.mediaserverd.read"))) ;; Allow CoreMedia to communicate with mediaserverd in order to implement custom media loading (allow mach-lookup (global-name "com.apple.coremedia.customurlloader.xpc")) ;; Media capture, microphone access (with-filter (extension "com.apple.webkit.microphone") (allow device-microphone)) ;; Media capture, camera access (with-filter (extension "com.apple.webkit.camera") (allow user-preference-read (preference-domain "com.apple.coremedia")) (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")) (allow mach-lookup (extension "com.apple.app-sandbox.mach")) (allow device-camera)) ;; Support incoming video connections (allow mach-lookup (global-name "com.apple.coremedia.compressionsession") (global-name "com.apple.coremedia.decompressionsession") (global-name "com.apple.coremedia.videoqueue")) ;; FIXME: remove the send-signal when this rule is no longer generating crashes. (deny mach-lookup (with send-signal SIGKILL) (global-name "com.apple.backboard.hid.services")) (allow mach-lookup (extension "com.apple.webkit.extension.mach")) ;; These services have been identified as unused during living-on. ;; This list overrides some definitions above and in common.sb. ;; FIXME: remove overridden rules once the final list has been ;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840 (deny mach-lookup (global-name "com.apple.CoreAuthentication.daemon.libxpc") (global-name "com.apple.FileCoordination") (global-name "com.apple.FileProvider") (global-name "com.apple.Honeybee.event-notify") (global-name "com.apple.MediaPlayer.RemotePlayerService") (global-name "com.apple.ReportCrash.SimulateCrash") (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.appsupport.cplogd") (global-name "com.apple.assertiond.processassertionconnection") (global-name "com.apple.audio.reporting.xpc") (global-name "com.apple.bird") (global-name "com.apple.bird.token") (global-name "com.apple.cfprefsd.agent") (global-name "com.apple.containermanagerd") (global-name "com.apple.coremedia.assetcacheinspector") (global-name "com.apple.coremedia.audiodeviceclock") (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc") (global-name "com.apple.coremedia.sandboxserver") (global-name "com.apple.coremedia.videocompositor") (global-name "com.apple.coremedia.visualcontext.xpc") (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.cvmsServ") (global-name "com.apple.duetknowledged.activity") (global-name "com.apple.dyld.closured") (global-name "com.apple.gpumemd.source") (global-name "com.apple.hangtracerd") (global-name "com.apple.itunescloudd.xpc") (global-name "com.apple.itunesstored.xpc") (global-name "com.apple.librariand") (global-name "com.apple.locationd.spi") (global-name "com.apple.locationd.synchronous") (global-name "com.apple.lsd") (global-name "com.apple.lsd.advertisingidentifiers") (global-name "com.apple.lsd.icons") (global-name "com.apple.lsd.openurl") (global-name "com.apple.lsdiconservice") (global-name "com.apple.managedconfiguration.profiled.public") (global-name "com.apple.marco") (global-name "com.apple.mediaserverd") (global-name "com.apple.mobile.usermanagerd.xpc") (global-name "com.apple.nesessionmanager") (global-name "com.apple.pegasus") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.pluginkit.plugin-service") (global-name "com.apple.quicklook.ThumbnailsAgent") (global-name "com.apple.revisiond") (global-name "com.apple.springboard.backgroundappservices") (global-name "com.apple.system.libinfo.muser") (global-name "com.apple.webkit.camera") ) (when (defined? 'syscall-unix) (deny syscall-unix (with send-signal SIGKILL)) (allow syscall-unix (syscall-number SYS_exit) (syscall-number SYS_read) (syscall-number SYS_write) (syscall-number SYS_open) (syscall-number SYS_close) (syscall-number SYS_unlink) (syscall-number SYS_chmod) (syscall-number SYS_getuid) (syscall-number SYS_geteuid) (syscall-number SYS_recvfrom) (syscall-number SYS_getpeername) (syscall-number SYS_access) (syscall-number SYS_dup) (syscall-number SYS_pipe) (syscall-number SYS_getegid) (syscall-number SYS_getgid) (syscall-number SYS_sigprocmask) (syscall-number SYS_sigaltstack) (syscall-number SYS_ioctl) (syscall-number SYS_readlink) (syscall-number SYS_umask) (syscall-number SYS_msync) (syscall-number SYS_munmap) (syscall-number SYS_mprotect) (syscall-number SYS_madvise) (syscall-number SYS_fcntl) (syscall-number SYS_select) (syscall-number SYS_fsync) (syscall-number SYS_setpriority) (syscall-number SYS_socket) (syscall-number SYS_connect) (syscall-number SYS_setsockopt) (syscall-number SYS_gettimeofday) (syscall-number SYS_getrusage) (syscall-number SYS_getsockopt) (syscall-number SYS_writev) (syscall-number SYS_fchmod) (syscall-number SYS_rename) (syscall-number SYS_flock) (syscall-number SYS_sendto) (syscall-number SYS_shutdown) (syscall-number SYS_socketpair) (syscall-number SYS_mkdir) (syscall-number SYS_rmdir) (syscall-number SYS_pread) (syscall-number SYS_pwrite) (syscall-number SYS_csops) (syscall-number SYS_csops_audittoken) (syscall-number SYS_kdebug_trace64) (syscall-number SYS_kdebug_trace) (syscall-number SYS_sigreturn) (syscall-number SYS_pathconf) (syscall-number SYS_getrlimit) (syscall-number SYS_setrlimit) (syscall-number SYS_mmap) (syscall-number SYS_lseek) (syscall-number SYS_ftruncate) (syscall-number SYS_sysctl) (syscall-number SYS_mlock) (syscall-number SYS_munlock) (syscall-number SYS_getattrlist) (syscall-number SYS_getxattr) (syscall-number SYS_fgetxattr) (syscall-number SYS_listxattr) (syscall-number SYS_shm_open) (syscall-number SYS_sem_wait) (syscall-number SYS_sem_post) (syscall-number SYS_sysctlbyname) (syscall-number SYS_psynch_mutexwait) (syscall-number SYS_psynch_mutexdrop) (syscall-number SYS_psynch_cvbroad) (syscall-number SYS_psynch_cvsignal) (syscall-number SYS_psynch_cvwait) (syscall-number SYS_psynch_rw_wrlock) (syscall-number SYS_psynch_rw_unlock) (syscall-number SYS_psynch_cvclrprepost) (syscall-number SYS_process_policy) (syscall-number SYS_issetugid) (syscall-number SYS___pthread_kill) (syscall-number SYS___pthread_markcancel) (syscall-number SYS___pthread_sigmask) (syscall-number SYS___disable_threadsignal) (syscall-number SYS___semwait_signal) (syscall-number SYS_proc_info) (syscall-number SYS_stat64) (syscall-number SYS_fstat64) (syscall-number SYS_lstat64) (syscall-number SYS_getdirentries64) (syscall-number SYS_statfs64) (syscall-number SYS_fstatfs64) (syscall-number SYS_getfsstat64) (syscall-number SYS_getaudit_addr) (syscall-number SYS_bsdthread_create) (syscall-number SYS_bsdthread_terminate) (syscall-number SYS_workq_kernreturn) (syscall-number SYS_thread_selfid) (syscall-number SYS_kevent_qos) (syscall-number SYS_kevent_id) (syscall-number SYS___mac_syscall) (syscall-number SYS_read_nocancel) (syscall-number SYS_write_nocancel) (syscall-number SYS_open_nocancel) (syscall-number SYS_close_nocancel) (syscall-number SYS_sendmsg_nocancel) (syscall-number SYS_recvfrom_nocancel) (syscall-number SYS_fcntl_nocancel) (syscall-number SYS_select_nocancel) (syscall-number SYS_connect_nocancel) (syscall-number SYS_sendto_nocancel) (syscall-number SYS_fsgetpath) (syscall-number SYS_fileport_makeport) (syscall-number SYS_guarded_open_np) (syscall-number SYS_guarded_close_np) (syscall-number SYS_change_fdguard_np) (syscall-number SYS_proc_rlimit_control) (syscall-number SYS_connectx) (syscall-number SYS_getattrlistbulk) (syscall-number SYS_openat) (syscall-number SYS_openat_nocancel) (syscall-number SYS_fstatat64) (syscall-number SYS_mkdirat) (syscall-number SYS_bsdthread_ctl) (syscall-number SYS_csrctl) (syscall-number SYS_guarded_pwrite_np) (syscall-number SYS_getentropy) (syscall-number SYS_necp_open) (syscall-number SYS_necp_client_action) (syscall-number SYS_ulock_wait) (syscall-number SYS_ulock_wake) (syscall-number SYS_kdebug_typefilter) (syscall-number SYS_shared_region_check_np) (syscall-number SYS_getpid) (syscall-number SYS_bsdthread_register) (syscall-number SYS_sigaction) (syscall-number SYS_gettid) (syscall-number SYS_workq_open) (syscall-number SYS_chdir) (syscall-number SYS_memorystatus_control) (syscall-number SYS_sem_open) (syscall-number SYS_sem_close) (syscall-number SYS_fsetattrlist) (syscall-number SYS_guarded_open_dprotected_np) ; (syscall-number SYS_mremap_encrypted) (syscall-number SYS_dup2) (syscall-number SYS_fileport_makefd) (syscall-number SYS_os_fault_with_payload) (syscall-number SYS_persona) (syscall-number SYS_work_interval_ctl) (syscall-number SYS_open_dprotected_np) (syscall-number SYS_pread_nocancel) (syscall-number SYS___semwait_signal_nocancel) (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see . (syscall-number SYS_fgetattrlist) ;; (syscall-number SYS_fsetxattr) ;; (syscall-number SYS_abort_with_payload) ;; (syscall-number SYS_kqueue) ;; (syscall-number SYS_kqueue_workloop_ctl) ;; (syscall-number SYS_psynch_rw_rdlock) ;; ) )