; Copyright (C) 2010-2019 Apple Inc. All rights reserved. ; ; Redistribution and use in source and binary forms, with or without ; modification, are permitted provided that the following conditions ; are met: ; 1. Redistributions of source code must retain the above copyright ; notice, this list of conditions and the following disclaimer. ; 2. Redistributions in binary form must reproduce the above copyright ; notice, this list of conditions and the following disclaimer in the ; documentation and/or other materials provided with the distribution. ; ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF ; THE POSSIBILITY OF SUCH DAMAGE. (version 1) (deny default (with partial-symbolication)) (allow system-audit file-read-metadata) ;;; ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can ;;; remove unneeded sandbox extensions. ;;; (import "util.sb") (import "carrier-bundle-allowed.sb") (define-once (allow-read-and-issue-generic-extensions . filters) (allow file-read* (apply require-any filters)) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (apply require-any filters)))) (define-once (allow-read-write-and-issue-generic-extensions . filters) (allow file-read* file-write* (apply require-any filters)) (allow file-read-metadata (apply require-any filters)) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read") (apply require-any filters)))) (define-once (managed-configuration-read-public) (allow file-read* (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo") (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))) (define-once (managed-configuration-read . files) (if (null? files) (allow file-read* (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") (front-user-home-subpath "/Library/ConfigurationProfiles") (front-user-home-subpath "/Library/UserConfigurationProfiles")) (for-each (lambda (file) (allow file-read* (well-known-system-group-container-literal (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file)) (front-user-home-literal (string-append "/Library/ConfigurationProfiles/" file) (string-append "/Library/UserConfigurationProfiles/" file)))) files))) (define-once (allow-preferences-common) (allow file-read-metadata (home-literal "") (home-literal "/Library/Preferences"))) (define-once (mobile-preferences-read . domains) (allow-preferences-common) (allow user-preference-read (apply preference-domain domains))) (define-once (mobile-preferences-read-write . domains) (allow-preferences-common) (allow user-preference-read user-preference-write (apply preference-domain domains))) (define-once (framebuffer-access) (allow iokit-open (iokit-user-client-class "IOMobileFramebufferUserClient")) (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily")) (define-once (asset-access . options) (let ((asset-access-filter (require-all (require-any (home-subpath "/Library/Assets") (subpath "/private/var/MobileAsset")) (extension "com.apple.assets.read")))) ;; ;; (allow file-read* asset-access-filter) (if (memq 'with-media-playback options) (play-media asset-access-filter)) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2")) (mobile-preferences-read "com.apple.MobileAsset"))) (define-once (mobile-keybag-access) (allow iokit-open (iokit-user-client-class "AppleKeyStoreUserClient"))) (define-once (location-services) (allow mach-lookup (global-name "com.apple.locationd.registration")) (allow-carrier-bundle) ;; (mobile-preferences-read "com.apple.AppSupport" "com.apple.GEO" "com.apple.locationd")) (define-once (play-audio) (allow mach-lookup (global-name "com.apple.audio.AURemoteIOServer")) (allow mach-lookup (with report) (with telemetry) (xpc-service-name "com.apple.audio.toolbox.reporting.service"))) (define-once (play-media . filters) (if (not (null? filters)) ;; (allow file-issue-extension (require-all (apply require-any filters) (extension-class "com.apple.mediaserverd.read")))) (allow file-issue-extension (require-all (extension-class "com.apple.mediaserverd.read") (extension "com.apple.security.exception.files.absolute-path.read-only" "com.apple.security.exception.files.absolute-path.read-write" "com.apple.security.exception.files.home-relative-path.read-only" "com.apple.security.exception.files.home-relative-path.read-write"))) (allow file-issue-extension (require-all (extension-class "com.apple.mediaserverd.read-write") (extension "com.apple.security.exception.files.absolute-path.read-write" "com.apple.security.exception.files.home-relative-path.read-write"))) ;; CoreMedia framework. (allow mach-lookup (global-name "com.apple.coremedia.admin") (global-name "com.apple.coremedia.asset.xpc") (global-name "com.apple.coremedia.assetimagegenerator.xpc") (global-name "com.apple.coremedia.audiodeviceclock.xpc") ; Needed for CMTimeBase (global-name "com.apple.coremedia.audioprocessingtap.xpc") (global-name "com.apple.coremedia.capturesession") ; Actually for video capture (global-name "com.apple.coremedia.capturesource") ; Also for video capture (). (global-name "com.apple.coremedia.cpe.xpc") ; Needed for HDR playback. (global-name "com.apple.coremedia.customurlloader.xpc") ; Needed for custom media loading (global-name "com.apple.coremedia.formatreader.xpc") (global-name "com.apple.coremedia.player.xpc") (global-name "com.apple.coremedia.remaker") (global-name "com.apple.coremedia.remotequeue") (global-name "com.apple.coremedia.routediscoverer.xpc") (global-name "com.apple.coremedia.routingcontext.xpc") (global-name "com.apple.coremedia.samplebufferaudiorenderer.xpc") (global-name "com.apple.coremedia.samplebufferrendersynchronizer.xpc") (global-name "com.apple.coremedia.sandboxserver.xpc") (global-name "com.apple.coremedia.systemcontroller.xpc") (global-name "com.apple.coremedia.volumecontroller.xpc")) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.coremedia.cpeprotector.xpc") (global-name "com.apple.coremedia.endpoint.xpc") (global-name "com.apple.coremedia.figcontentkeysession.xpc") (global-name "com.apple.coremedia.figcpecryptor") (global-name "com.apple.coremedia.routingsessionmanager.xpc") (global-name "com.apple.coremedia.sts")) (mobile-preferences-read "com.apple.avfoundation" "com.apple.coreaudio" "com.apple.coremedia" "com.apple.corevideo" "com.apple.itunesstored" ; Needed by MediaPlayer framework "com.apple.mobileipod" ; Ditto "com.apple.audio.virtualaudio" ; ) ;; AVF needs to see these network preferences: (allow file-read* (literal "/private/var/preferences/com.apple.networkd.plist")) ;; Required by the MediaPlayer framework. (allow mach-lookup (global-name "com.apple.audio.AudioSession")) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.airplay.apsynccontroller.xpc")) ;; Allow mediaserverd to issue file extensions for the purposes of reading media (allow file-issue-extension (require-all (extension "com.apple.app-sandbox.read") (extension-class "com.apple.mediaserverd.read"))) ) (define-once (media-remote) (mobile-preferences-read "com.apple.mediaremote" "com.apple.mobileipod") (allow mach-lookup (global-name "com.apple.mediaremoted.xpc")) (allow mach-lookup (with report) (with telemetry) (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService")) ) (define-once (media-capture-support) ;; Media capture, microphone access (with-filter (extension "com.apple.webkit.microphone") (allow device-microphone)) ;; Media capture, camera access (with-filter (extension "com.apple.webkit.camera") (allow user-preference-read (preference-domain "com.apple.coremedia")) (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")) (allow mach-lookup (extension "com.apple.app-sandbox.mach")) (allow device-camera)) ;; Support incoming video connections (allow mach-lookup (global-name "com.apple.coremedia.compressionsession") (global-name "com.apple.coremedia.decompressionsession") (global-name "com.apple.coremedia.videoqueue")) ) (define-once (accessibility-support) (allow mach-register (local-name "com.apple.iphone.axserver")) (mobile-preferences-read "com.apple.Accessibility") ;; (deny file-write-create (home-prefix "/Library/Preferences/com.apple.Accessibility.plist") (with no-report)) ) (define-once (media-accessibility-support) ;; (allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd")) ;; (mobile-preferences-read "com.apple.mediaaccessibility") (mobile-preferences-read-write "com.apple.mediaaccessibility.public") ) (define-once (url-translation) ;; For translating http:// & https:// URLs referencing itms:// URLs. ;; (allow file-read* (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist"))) ;;; ;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks. ;;; (define-once (opengl) (allow iokit-open (iokit-connection "IOGPU") (iokit-user-client-class "AGXCommandQueue" "AGXDevice" "AGXDeviceUserClient" "AGXSharedUserClient" "IOAccelContext" "IOAccelDevice" "IOAccelSharedUserClient" "IOAccelSubmitter2" "IOAccelContext2" "IOAccelDevice2" "IOAccelSharedUserClient2")) (allow iokit-get-properties (iokit-property "IOGLBundleName") (iokit-property "IOGLESBundleName") (iokit-property "IOGLESDefaultUseMetal") (iokit-property "IOGLESMetalBundleName") (iokit-property "MetalPluginClassName") (iokit-property "MetalPluginName") ) (allow sysctl-read (sysctl-name #"kern.bootsessionuuid")) (allow mach-lookup (with report) (with telemetry) (xpc-service-name-prefix "com.apple.AGXCompilerService")) (allow mach-lookup ;; (xpc-service-name "com.apple.MTLCompilerService")) (mobile-preferences-read "com.apple.Metal" ;; "com.apple.opengl" ;; ) ) (define-once (debugging-support) (allow file-read* file-map-executable (subpath "/Developer")) (allow ipc-posix-shm (ipc-posix-name-regex #"^stack-logs") (ipc-posix-name-regex #"^OA-") (ipc-posix-name-regex #"^/FSM-")) (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$")) (with-filter (system-attribute apple-internal) ;; ;; (allow file-read* file-map-executable (subpath "/AppleInternal") (subpath "/usr/local/lib"))) (with-elevated-precedence (allow file-read* file-map-executable file-issue-extension (front-user-home-subpath "/XcodeBuiltProducts"))) ;; (allow file-read* file-map-executable (subpath "/System/Library/Frameworks") (subpath "/System/Library/PrivateFrameworks")) ;; (mobile-preferences-read "com.apple.hangtracer")) (define-once (device-access) (deny file-read* file-write* (vnode-type BLOCK-DEVICE CHARACTER-DEVICE)) (allow file-read* file-write-data (literal "/dev/null") (literal "/dev/zero")) (allow file-read* file-write-data file-ioctl (literal "/dev/dtracehelper")) (allow file-read* (literal "/dev/random") (literal "/dev/urandom")) ;; (deny file-write-data (with no-report) (literal "/dev/random") (literal "/dev/urandom")) (allow file-read* file-write-data file-ioctl (literal "/dev/aes_0"))) (define-once (awd-log-directory daemon-name) (let* ((base-directory (home-relative-path "/Library/Logs/awd"))) (allow-create-directory (literal base-directory)) (allow file-read* file-write* (prefix (string-append base-directory "/awd-" daemon-name ".log"))) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.awdd")))) (define-once (logd-diagnostic-paths) (require-any (subpath "/private/var/db/diagnostics") (subpath "/private/var/db/timesync") (subpath "/private/var/db/uuidtext") (subpath "/private/var/userdata/diagnostics"))) (define-once (logd-diagnostic-client) (with-filter (require-all (require-any (require-entitlement "com.apple.private.logging.diagnostic") (require-entitlement "com.apple.diagnosticd.diagnostic")) (extension "com.apple.logd.read-only")) (allow file-read* (logd-diagnostic-paths)))) (define required-etc-files (literal "/private/etc/fstab" "/private/etc/hosts" "/private/etc/group" "/private/etc/passwd" "/private/etc/protocols" "/private/etc/services")) (define-once (speech-synthesis-and-voiceover) ;; Speak Selection & VoiceOver ;; AX: Sandbox violation with changing Language while VO is on ;; and (mobile-preferences-read "com.apple.SpeakSelection" ; Needed for WebSpeech "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis "com.apple.voiceservices") ; Ditto ;; Access to high quality speech voices ;; Needed for WebSpeech (allow file-read* (home-subpath "/Library/VoiceServices/Assets") (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice")) ) (define-once (core-motion) ;; CoreMotion (mobile-preferences-read "com.apple.CoreMotion") ;; CoreMotion’s deviceMotion API (with-filter (require-any (iokit-registry-entry-class "AppleOscarNub") (iokit-registry-entry-class "AppleSPUHIDInterface")) (allow iokit-get-properties (iokit-property "gyro-interrupt-calibration"))) (with-filter (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient") (allow iokit-open) (allow iokit-get-properties iokit-set-properties (iokit-property "interval" "mode" "QueueSize" "useMag")) (allow iokit-get-properties (iokit-property "client"))) ) ;; Things required by UIKit (define-once (uikit-requirements) (mobile-preferences-read "com.apple.UIKit" "com.apple.WebUI" "com.apple.airplay" "com.apple.avkit" "com.apple.coreanimation" "com.apple.mt" "com.apple.preferences.sounds") (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.frontboard.systemappservices") ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier() (global-name "com.apple.iohideventsystem") ) (allow mach-lookup (global-name "com.apple.CARenderServer")) (allow mach-lookup (with report) (with telemetry) (global-name-regex #"^com\.apple\.uikit\.viewservice\..+") (xpc-service-name-regex #"\.apple-extension-service$") ;; (xpc-service-name-regex #"\.viewservice$") ;; ) ; UIKit-required IOKit nodes. (allow iokit-open (iokit-user-client-class "AppleJPEGDriverUserClient") (iokit-user-client-class "IOSurfaceAcceleratorClient") (iokit-user-client-class "IOSurfaceSendRight") ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow (iokit-user-client-class "IOSurfaceRootUserClient")) ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist. ;; (deny file-write-create (home-prefix "/Library/Preferences/com.apple.UIKit.plist") (with no-report)) ) (define-once (dictionary-support) ; Dictionary Services used by UITextFields. ; (allow-create-directory (home-literal "/Library/Caches/com.apple.DictionaryServices")) ; Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data (allow file-read* ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari) (subpath "/Library/Dictionaries") (home-subpath "/Library/Dictionaries")) ) (define-once (network-extensions-support) ;; Network Extensions / VPN helper. (allow mach-lookup (global-name "com.apple.nehelper") (global-name "com.apple.nesessionmanager.content-filter")) ;; ) (deny file-map-executable) (deny file-write-mount file-write-unmount) (allow file-read-metadata (with no-times) (vnode-type DIRECTORY)) (with-filter (apple-signed-executable?) (allow file-read-metadata (vnode-type DIRECTORY))) (with-filter (apple-signed-executable?) (managed-configuration-read "CloudConfigurationDetails.plist") (managed-configuration-read "CloudConfigurationSetAsideDetails.plist") (mobile-preferences-read "com.apple.security")) (with-filter (system-attribute apple-internal) (mobile-preferences-read "com.apple.PrototypeTools")) (with-elevated-precedence (allow file-read* (subpath "/usr/lib" "/usr/share" "/private/var/db/timezone")) (allow-read-and-issue-generic-extensions (subpath "/Library/RegionFeatures" "/System/Library")) (allow file-issue-extension (require-all (extension-class "com.apple.mediaserverd.read") (subpath "/System/Library"))) (let ((hw-identifying-paths (require-any (literal "/System/Library/Caches/apticket.der") (subpath "/System/Library/Caches/com.apple.kernelcaches") (subpath "/System/Library/Caches/com.apple.factorydata")))) (deny file-issue-extension file-read* hw-identifying-paths)) (allow file-map-executable (subpath "/System/Library") (subpath "/usr/lib")) (allow file-read-metadata (vnode-type SYMLINK)) ;;; (allow file-read* (subpath "/private/var/preferences/Logging")) (mobile-preferences-read "kCFPreferencesAnyApplication") (allow file-read* (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")) (allow file-read* (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")) (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication")) (allow file-read-metadata (home-literal "/Library/Caches/powerlog.launchd")) (allow-read-and-issue-generic-extensions (executable-bundle)) (allow file-map-executable (executable-bundle)) ;; (deny file-read-data file-issue-extension file-map-executable (require-all (executable-bundle) (regex #"/[^/]+/SC_Info/"))) (unless (defined? 'restrictive-extension) (with-filter (extension "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write" "com.apple.quicklook.readonly" "com.apple.security.exception.files.absolute-path.read-only" "com.apple.security.exception.files.absolute-path.read-write" "com.apple.security.exception.files.home-relative-path.read-only" "com.apple.security.exception.files.home-relative-path.read-write" "com.apple.sharing.airdrop.readonly") (allow file-read* file-read-metadata) (allow file-issue-extension (extension-class "com.apple.app-sandbox.read" "com.apple.mediaserverd.read" "com.apple.quicklook.readonly" "com.apple.sharing.airdrop.readonly"))) (with-filter (extension "com.apple.app-sandbox.read-write" "com.apple.security.exception.files.absolute-path.read-write" "com.apple.security.exception.files.home-relative-path.read-write") (allow file-write*) (allow file-issue-extension (extension-class "com.apple.app-sandbox.read-write" "com.apple.mediaserverd.read-write")))) ;; (with-filter (global-name-prefix "") (allow mach-register (extension "com.apple.security.exception.mach-register.global-name"))) (with-filter (local-name-prefix "") (allow mach-register (extension "com.apple.security.exception.mach-register.local-name"))) (allow-read-and-issue-generic-extensions (extension "com.apple.security.exception.files.absolute-path.read-only") (extension "com.apple.security.exception.files.home-relative-path.read-only")) (allow-read-write-and-issue-generic-extensions (extension "com.apple.security.exception.files.absolute-path.read-write") (extension "com.apple.security.exception.files.home-relative-path.read-write")) (allow iokit-open (extension "com.apple.security.exception.iokit-user-client-class")) (allow managed-preference-read (extension "com.apple.security.exception.managed-preference.read-only")) (allow user-preference-read (extension "com.apple.security.exception.shared-preference.read-only")) (allow user-preference-read user-preference-write (extension "com.apple.security.exception.shared-preference.read-write")) (allow file-issue-extension (require-all (extension-class "com.apple.nsurlstorage.extension-cache") (extension "com.apple.security.exception.files.home-relative-path.read-write") (require-any (prefix "/private/var/root/Library/Caches/") (front-user-home-prefix "/Library/Caches/")))) ) (debugging-support) (allow file-read* required-etc-files (literal "/")) (allow file-read* (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs")) (device-access) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read") (extension "com.apple.fileprovider.read-write"))) (allow mach-lookup (global-name "com.apple.logd") (global-name "com.apple.logd.events") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.aggregated") (global-name "com.apple.cfprefsd.daemon")) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.tccd")) (allow ipc-posix-shm-read* (ipc-posix-name-prefix "apple.cfprefs.")) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.lsd.open") (global-name "com.apple.lsd.mapdb")) ;; (allow file-read* (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist")) (allow iokit-get-properties (iokit-property "IORegistryEntryPropertyKeys")) (allow ipc-posix-sem-open (ipc-posix-name "containermanagerd.fb_check")) (with-filter (ipc-posix-name "purplebuddy.sentinel") (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait) (allow ipc-posix-sem-open)) (allow mach-lookup (with telemetry) (global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver). (allow system-sched (require-entitlement "com.apple.private.kernel.override-cpumon")) (deny sysctl-read (with no-report) (sysctl-name "sysctl.proc_native")) (with-filter (system-attribute apple-internal) (allow sysctl-read sysctl-write (sysctl-name "vm.footprint_suspend"))) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.system.logger")) (allow file-read-metadata network-outbound (literal "/private/var/run/syslog")) (allow mach-lookup (global-name "com.apple.system.notification_center")) (allow ipc-posix-shm-read* (ipc-posix-name "apple.shm.notification_center")) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.diagnosticd")) (logd-diagnostic-client) (managed-configuration-read-public) (deny system-info (with no-report) (info-type "net.link.addr")) (allow file-read* (subpath "/private/var/db/datadetectors/sys")) (allow-well-known-system-group-container-subpath-read "/systemgroup.com.apple.icloud.findmydevice.managed/Library") (allow mach-task-name (target self)) (allow process-info-pidinfo (target self)) (allow process-info-pidfdinfo (target self)) (allow process-info-pidfileportinfo (target self)) (allow process-info-setcontrol (target self)) (allow process-info-dirtycontrol (target self)) (allow process-info-rusage (target self)) (allow process-info-codesignature (target self)) (with-filter (apple-signed-executable?) (mobile-preferences-read "com.apple.demo-settings")) ;;; ;;; End common.sb content ;;; (deny mach-lookup (xpc-service-name-prefix "")) (deny iokit-get-properties (with partial-symbolication)) (deny lsopen) ;;; ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can ;;; remove unneeded sandbox extensions. ;;; ;; Any app can play audio & movies. (play-audio) (play-media) ;; Access to media controls (media-remote) (url-translation) ;; TextInput framework (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.TextInput")) (mobile-preferences-read "com.apple.da") (speech-synthesis-and-voiceover) (allow mach-lookup (with report) (with telemetry) (global-name "com.apple.audio.AudioComponentRegistrar")) ;; Permit reading assets via MobileAsset framework. (asset-access 'with-media-playback) (network-extensions-support) ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache (allow-well-known-system-group-container-literal-read "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin") ;; Access the keyboards (allow file-read* (home-subpath "/Library/Caches/com.apple.keyboards")) ;; Power logging (allow mach-lookup (global-name "com.apple.powerlog.plxpclogger.xpc")) ;; (mobile-preferences-read "com.apple.EmojiPreferences" ; com.apple.InputModePreferences "com.apple.InputModePreferences" ; Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist "com.apple.keyboard" ; "com.apple.Preferences" "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support ) ;; Silently deny unnecessary accesses caused by MessageUI framework. ;; This can be removed once is resolved. (deny file-read* (home-literal "/Library/Preferences/com.apple.mobilemail.plist") (with no-log)) ;; Need read access to /var/mobile/Library/Fonts to all apps (allow file-read* (home-subpath "/Library/Fonts")) ;; LaunchServices app icons (allow file-read* (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache")) (allow mach-lookup (with report) (with telemetry) (xpc-service-name "com.apple.iconservices") (global-name "com.apple.iconservices")) (allow-preferences-common) (core-motion) ;; Home Button (with-filter (iokit-registry-entry-class "IOPlatformDevice") (allow iokit-get-properties (iokit-property "home-button-type"))) (uikit-requirements) ;; (mobile-preferences-read "kCFPreferencesAnyApplication") (dictionary-support) ; (allow file-read* (home-literal "/Library/Caches/DateFormats.plist")) ; Silently deny writes when CFData attempts to write to the cache directory. (deny file-write* (home-literal "/Library/Caches/DateFormats.plist") (with no-log)) (framebuffer-access) ;; (mobile-keybag-access) ; , (opengl) (location-services) ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist ; which will attempt to create the plist if it doesn't exist -- from any application. Only SpringBoard is ; allowed to write its plist; ignore all others, they don't know what they are doing. ; See for sample backtraces. (deny file-write* (home-prefix "/Library/Preferences/com.apple.springboard.plist") (with no-log)) ;; (mobile-preferences-read "com.apple.indigo") ;;; ;;; End UIKit-apps.sb content ;;; (deny sysctl*) (allow sysctl-read (sysctl-name "hw.activecpu" "hw.availcpu" "hw.cachelinesize" "hw.cputype" "hw.l2cachesize" "hw.logicalcpu" "hw.logicalcpu_max" "hw.ncpu" "hw.machine" "hw.memsize" "hw.model" "hw.pagesize_compat" "hw.physicalcpu" "hw.physicalcpu_max" "kern.bootargs" "kern.hostname" "kern.memorystatus_level" "kern.osproductversion" "kern.osrelease" "kern.osvariant_status" "kern.secure_kernel" "kern.version" "vm.footprint_suspend")) (allow iokit-get-properties (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)") (iokit-property "APTDevice") (iokit-property "AVCSupported") (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))") (iokit-property "BaseAddressAlignmentRequirement") (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)") (iokit-property "HEVCSupported") (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)") (iokit-property "IOClassNameOverride") (iokit-property "IOPlatformUUID") (iokit-property "IOSurfaceAcceleratorCapabilitiesDict") (iokit-property "Protocol Characteristics") (iokit-property "als-colorCfg") ;; (iokit-property "artwork-device-idiom") ;; (iokit-property "artwork-device-subtype") (iokit-property "artwork-display-gamut") ;; (iokit-property "artwork-dynamic-displaymode") ;; (iokit-property "artwork-scale-factor") ;; (iokit-property-regex #"(canvas-height|canvas-width)") (iokit-property "chip-id") ;; (iokit-property "class-code") (iokit-property "color-accuracy-index") (iokit-property "compatible") ;; (iokit-property "compatible-device-fallback") ;; (iokit-property "device-colors") ;; (iokit-property "device-id") (iokit-property "device-perf-memory-class") (iokit-property "display-corner-radius") ;; (iokit-property "emu") (iokit-property "graphics-featureset-class") ;; (iokit-property "graphics-featureset-fallbacks") ;; (iokit-property "hdcp-hoover-protocol") (iokit-property "iommu-present") (iokit-property "oled-display") ;; (iokit-property "product-description") ;; (iokit-property "product-id") (iokit-property "region-info") ;; (iokit-property "regulatory-model-number") ;; (iokit-property "soc-generation") ;; (iokit-property "software-behavior") (iokit-property "vendor-id") (iokit-property "udid-version") ;; (iokit-property "ui-pip") ;; ) ;; Read-only preferences and data (mobile-preferences-read "com.apple.LaunchServices" "com.apple.WebFoundation" "com.apple.avfoundation.frecents" ;; "com.apple.avfoundation.videoperformancehud" ;; "com.apple.voiceservices.logging") ;; Sandbox extensions (define (apply-read-and-issue-extension op path-filter) (op file-read* path-filter) (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter))) (define (apply-write-and-issue-extension op path-filter) (op file-write* path-filter) (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter))) (define (read-only-and-issue-extensions path-filter) (apply-read-and-issue-extension allow path-filter)) (define (read-write-and-issue-extensions path-filter) (apply-read-and-issue-extension allow path-filter) (apply-write-and-issue-extension allow path-filter)) (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read")) (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write")) ;; Access to client's cache folder & re-vending to CFNetwork. (allow file-issue-extension (require-all (extension "com.apple.app-sandbox.read-write") (extension-class "com.apple.nsurlstorage.extension-cache"))) (accessibility-support) (media-accessibility-support) ;; Remote Web Inspector (allow mach-lookup (global-name "com.apple.webinspector")) ;; Various services required by CFNetwork and other frameworks (allow mach-lookup (global-name "com.apple.PowerManagement.control") (global-name "com.apple.analyticsd")) (deny file-write-create (vnode-type SYMLINK)) (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\.")) ;; Allow loading injected bundles. (allow file-map-executable) ;; AWD logging (awd-log-directory "com.apple.WebKit.WebContent") ;; Allow ManagedPreference access (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist")) (allow file-read-data (literal "/usr/local/lib/log") ; ) (allow mach-lookup (require-all (extension "com.apple.webkit.extension.mach") (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService"))) (media-capture-support) ;; These services have been identified as unused during living-on. ;; This list overrides some definitions above and in common.sb. ;; FIXME: remove overridden rules once the final list has been ;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840 (deny mach-lookup (global-name "com.apple.webkit.camera") )