

; Copyright (C) 2020 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
; notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
; notice, this list of conditions and the following disclaimer in the
; documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

;; Profile baseline. SBPL resolves overlapping rules by letting later matching
;; rules take precedence, so every allow/deny below must be read in file order.
(version 1)
;; Default-deny. `partial-symbolication` is a reporting modifier (how the
;; violation backtrace is symbolicated); it does not change what is denied.
(deny default (with partial-symbolication))
;; Two unfiltered operations: system-audit, and file-read-metadata on any path
;; (stat-style metadata only; file contents stay denied unless allowed below).
(allow system-audit file-read-metadata)

;;;
;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

(import "util.sb")

;; Read access to any path matching one of `filters`, plus the right to issue
;; "com.apple.app-sandbox.read" extensions covering those same paths (so they
;; can be re-vended to other processes). `filters` is a rest argument; the
;; individual filters are OR-ed together with require-any.
(define-once (allow-read-and-issue-generic-extensions . filters)
    (allow file-read*
           (apply require-any filters))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read")
            (apply require-any filters))))

;; Read/write access to paths matching one of `filters`, explicit metadata
;; reads on them, and the right to issue both read-write and read-only
;; app-sandbox extensions for those paths. Strictly broader than the
;; read-only helper above; prefer that one where writes are not needed.
(define-once (allow-read-write-and-issue-generic-extensions . filters)
    (allow file-read* file-write*
           (apply require-any filters))
    (allow file-read-metadata
           (apply require-any filters))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
            (apply require-any filters))))

;; Read-only access to the public part of managed configuration profiles: the
;; PublicInfo subtree in the system group container and in the front user's
;; home. This is the variant this profile actually invokes (see the call in
;; the common.sb section below).
(define-once (managed-configuration-read-public)
    (allow file-read*
           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))

;; Read access to managed configuration profiles. With no arguments it opens
;; the whole ConfigurationProfiles directories (not just PublicInfo); with
;; file names it grants only those literal files, each name joined onto the
;; three base directories. Kept for parity with common.sb; nothing in this
;; profile calls it, only the -public variant above.
(define-once (managed-configuration-read . files)
    (if (null? files)
        ;; Whole-directory form.
        (allow file-read*
               (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/UserConfigurationProfiles"))
        ;; Per-file form: one allow per requested file name.
        (for-each
            (lambda (file)
                (allow file-read*
                    (well-known-system-group-container-literal
                        (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
                    (front-user-home-literal
                        (string-append "/Library/ConfigurationProfiles/" file)
                        (string-append "/Library/UserConfigurationProfiles/" file))))
            files)))

;; Metadata (not contents) on the home directory itself and its Preferences
;; directory. Shared prerequisite of the two preference helpers below; also
;; called directly in the UIKit-apps section.
(define-once (allow-preferences-common)
    (allow file-read-metadata
           (home-literal "")
           (home-literal "/Library/Preferences")))

;; Read-only access to the given preference domains (rest argument), plus the
;; common preference-directory metadata.
(define-once (mobile-preferences-read . domains)
    (allow-preferences-common)
    (allow user-preference-read (apply preference-domain domains)))

;; Read and write access to the given preference domains (rest argument), plus
;; the common preference-directory metadata. Not invoked in this profile.
(define-once (mobile-preferences-read-write . domains)
    (allow-preferences-common)
    (allow user-preference-read user-preference-write (apply preference-domain domains)))

;; Framebuffer user client plus the graphics-family preference domain.
;; Defined for parity with common.sb; not invoked anywhere in this profile.
(define-once (framebuffer-access)
    (allow iokit-open
           (iokit-user-client-class "IOMobileFramebufferUserClient"))
    (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))

;; Read-only access to the iTunes Store URL-resolution cache. Invoked in the
;; UIKit-apps section below.
(define-once (url-translation)
    ;; For translating http:// & https:// URLs referencing itms:// URLs.
    ;; <rdar://problem/11587338>
    (allow file-read*
           (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))

;; Debugging and tooling aids. Invoked unconditionally later in this profile,
;; so only the rules explicitly wrapped in the apple-internal filter are
;; restricted to internal builds.
(define-once (debugging-support)
        ;; Unconditional: /Developer is readable and mappable on every device.
        (allow file-read* file-map-executable
               (subpath "/Developer"))

        ;; POSIX shared-memory segments with tooling-style name prefixes.
        (allow ipc-posix-shm
               (ipc-posix-name-regex #"^stack-logs")
               (ipc-posix-name-regex #"^OA-")
               (ipc-posix-name-regex #"^/FSM-"))

        (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
               (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))

        (with-filter (system-attribute apple-internal)
            ;; <rdar://problem/8565035>
            ;; <rdar://problem/23857452>
            (allow file-read* file-map-executable
                   (subpath "/AppleInternal")
                   (subpath "/usr/local/lib")
                   (subpath "/usr/appleinternal/lib/sanitizers")))
            ;; NOTE(review): the `)))` on the line above closes the apple-internal
            ;; with-filter, so despite its indentation this rule is NOT
            ;; internal-only: every device may read, map-executable and issue
            ;; extensions for the front user's ~/XcodeBuiltProducts. Confirm
            ;; whether that is intended or the closing paren belongs below.
            (with-elevated-precedence
                (allow file-read* file-map-executable file-issue-extension
                   (front-user-home-subpath "/XcodeBuiltProducts")))

        ;; <rdar://problem/8107758>
        ;; System frameworks must be readable and mappable to run at all.
        (allow file-read* file-map-executable
               (subpath "/System/Library/Frameworks")
               (subpath "/System/Library/PrivateFrameworks"))

        ;; <rdar://problem/32544921>
        (mobile-preferences-read "com.apple.hangtracer"))

;; Device-node policy; invoked unconditionally later in this profile. Starts
;; with a broad deny of block and character devices, then carves out specific
;; nodes. Note which nodes also get file-ioctl: only dtracehelper and aes_0.
(define-once (device-access)
    (deny file-read* file-write*
          (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))

    (allow file-read* file-write-data
           (literal "/dev/null")
           (literal "/dev/zero"))

    (allow file-read* file-write-data file-ioctl
           (literal "/dev/dtracehelper"))

    ;; RNG nodes are read-only; writes are refused without a violation report.
    (allow file-read*
           (literal "/dev/random")
           (literal "/dev/urandom"))
    ;; <rdar://problem/14215718>
    (deny file-write-data (with no-report)
          (literal "/dev/random")
          (literal "/dev/urandom"))

    ;; aes_0 (presumably the hardware AES accelerator node) including ioctl.
    (allow file-read* file-write-data file-ioctl
           (literal "/dev/aes_0")))

;; Filter (not a rule) matching the logd/diagnostics directories. Used by
;; logd-diagnostic-client below.
(define-once (logd-diagnostic-paths)
    (require-any
        (subpath "/private/var/db/diagnostics")
        (subpath "/private/var/db/timesync")
        (subpath "/private/var/db/uuidtext")
        (subpath "/private/var/userdata/diagnostics")))
;; Read access to the logd diagnostic directories, gated on the process
;; holding one of two diagnostic entitlements AND the logd read-only
;; extension. Invoked later in this profile.
(define-once (logd-diagnostic-client)
    (with-filter
        (require-all
            (require-any
                (require-entitlement "com.apple.private.logging.diagnostic")
                (require-entitlement "com.apple.diagnosticd.diagnostic"))
            (extension "com.apple.logd.read-only"))
        (allow file-read*
               (logd-diagnostic-paths))))

;; Literal filter over the /etc files libc and networking code need at
;; startup. Referenced by a file-read* rule later in this profile.
(define required-etc-files
  (literal "/private/etc/fstab"
           "/private/etc/hosts"
           "/private/etc/group"
           "/private/etc/passwd"
           "/private/etc/protocols"
           "/private/etc/services"))

;; Things required by UIKit. Invoked in the UIKit-apps section below.
(define-once (uikit-requirements)
    (mobile-preferences-read
        "com.apple.UIKit"
        "com.apple.WebUI"
        "com.apple.airplay"
        "com.apple.avkit"
        "com.apple.coreanimation"
        "com.apple.mt"
        "com.apple.preferences.sounds")

    ;; Lookup is allowed but reported/telemetered. A later rule in this profile
    ;; allows the same global-name without those modifiers.
    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
    )

    (allow mach-lookup
        (global-name "com.apple.CARenderServer"))

    (allow mach-lookup (with report) (with telemetry)
        (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
        (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
    )

    ; UIKit-required IOKit nodes.
    (allow iokit-open
        (iokit-user-client-class "AppleJPEGDriverUserClient")
        (iokit-user-client-class "IOSurfaceAcceleratorClient")
        (iokit-user-client-class "IOSurfaceSendRight")
        ;; Required by UIView -> UITextMagnifierRenderer -> UIWindow
        (iokit-user-client-class "IOSurfaceRootUserClient"))

    ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
    ;; <rdar://problem/13796537>
    (deny file-write-create
        (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
        (with no-report))
)

;; Process-wide defaults.
;; NOTE(review): this deny is superseded later in the file by an unfiltered
;; `(allow file-map-executable)` ("Allow loading injected bundles"), so it does
;; not currently act as a profile-wide restriction.
(deny file-map-executable)

;; Mount and unmount are never allowed.
(deny file-write-mount file-write-unmount)

;; Directory metadata (listing/stat) anywhere.
(allow file-read-metadata
    (vnode-type DIRECTORY))

(mobile-preferences-read "com.apple.security")

;; Internal-builds-only preference domain.
(with-filter (system-attribute apple-internal)
  (mobile-preferences-read "com.apple.PrototypeTools"))

;; System-wide read/map rules at elevated precedence. The denies embedded in
;; this form fence off hardware-identifying and DRM material that would
;; otherwise be covered by the broad /System/Library and bundle allows.
(with-elevated-precedence
    (allow file-read*
           (subpath "/usr/lib"
                    "/usr/share"
                    "/private/var/db/timezone"))
    (allow-read-and-issue-generic-extensions
        (subpath "/Library/RegionFeatures"
                 "/System/Library"))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read")
            (subpath "/System/Library")))
    ;; Hardware-identifying caches under /System/Library/Caches must be neither
    ;; readable nor re-vendable, even though /System/Library is readable above.
    (let ((hw-identifying-paths
            (require-any
                (literal "/System/Library/Caches/apticket.der")
                (subpath "/System/Library/Caches/com.apple.kernelcaches")
                (subpath "/System/Library/Caches/com.apple.factorydata"))))
        (deny file-issue-extension file-read* hw-identifying-paths))
    
    (allow file-map-executable
           (subpath "/System/Library")
           (subpath "/usr/lib"))
    (allow file-read-metadata
           (vnode-type SYMLINK))

    ;;; <rdar://problem/24144418>
    (allow file-read*
           (subpath "/private/var/preferences/Logging"))

    ;; Global (any-application) preferences, user and managed.
    (mobile-preferences-read "kCFPreferencesAnyApplication")
    (allow file-read*
           (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))

    (allow file-read*
           (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))

    (allow file-read-metadata
           (home-literal "/Library/Caches/powerlog.launchd"))

    ;; The process's own bundle: readable, re-vendable and mappable...
    (allow-read-and-issue-generic-extensions (executable-bundle))
    (allow file-map-executable (executable-bundle))

    ;; <rdar://problem/13963294>
    ;; ...except SC_Info directories inside it, which stay unreadable,
    ;; unmappable and non-re-vendable.
    (deny file-read-data file-issue-extension file-map-executable
        (require-all
            (executable-bundle)
            (regex #"/[^/]+/SC_Info/")))

    ;; Generic extension-gated file access. Only active while
    ;; `restrictive-extension` is undefined; nothing in this file defines it,
    ;; so unless util.sb does, these rules are live.
    (unless (defined? 'restrictive-extension)
        (with-filter
            (extension
                "com.apple.app-sandbox.read"
                "com.apple.app-sandbox.read-write"
                "com.apple.quicklook.readonly"
                "com.apple.security.exception.files.absolute-path.read-only"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-only"
                "com.apple.security.exception.files.home-relative-path.read-write"
                "com.apple.sharing.airdrop.readonly")
            (allow file-read* file-read-metadata)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read"
                                    "com.apple.mediaserverd.read"
                                    "com.apple.quicklook.readonly"
                                    "com.apple.sharing.airdrop.readonly")))
        (with-filter
            (extension
                "com.apple.app-sandbox.read-write"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-write")
            (allow file-write*)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read-write"
                                    "com.apple.mediaserverd.read-write"))))

    ;; <rdar://problem/16079361>
    ;; Mach service registration only via the mach-register exception extensions.
    (with-filter (global-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.global-name")))
    (with-filter (local-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.local-name")))
    (allow-read-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-only")
           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
    (allow-read-write-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-write")
           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
    (allow managed-preference-read
           (extension "com.apple.security.exception.managed-preference.read-only"))
    (allow user-preference-read
           (extension "com.apple.security.exception.shared-preference.read-only"))

    ;; CFNetwork cache extensions may only be issued for home-relative
    ;; read-write extensions that point into a Caches directory.
    (allow file-issue-extension
          (require-all
              (extension-class "com.apple.nsurlstorage.extension-cache")
              (extension "com.apple.security.exception.files.home-relative-path.read-write")
              (require-any
                  (prefix "/private/var/root/Library/Caches/")
                  (front-user-home-prefix "/Library/Caches/"))))
)

;; Unconditional on every device (see the note inside debugging-support about
;; which of its rules are internal-only).
(debugging-support)

;; Basic /etc files plus the filesystem root itself.
(allow file-read*
    required-etc-files
    (literal "/"))

(allow file-read*
       (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))

(device-access)

;; Re-vend file-provider read-write extensions as app-sandbox extensions.
(allow file-issue-extension
    (require-all
        (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
        (extension "com.apple.fileprovider.read-write")))

;; Logging, notifications, analytics and preferences daemons.
(allow mach-lookup
    (global-name "com.apple.logd")
    (global-name "com.apple.logd.events")
    (global-name "com.apple.distributed_notifications@1v3")
    (global-name "com.apple.aggregated")
    (global-name "com.apple.cfprefsd.daemon"))

;; tccd is allowed here without any extension requirement; a later rule in
;; this profile also lists it behind the webkit mach extension.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.tccd"))

(allow ipc-posix-shm-read*
       (ipc-posix-name-prefix "apple.cfprefs."))
 
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.lsd.mapdb"))

;; <rdar://problem/12413942>
;; MobileGestalt cache (device capability/attribute data), read-only.
(allow file-read*
       (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
(allow iokit-get-properties
       (iokit-property "IORegistryEntryPropertyKeys"))

(allow ipc-posix-sem-open
       (ipc-posix-name "containermanagerd.fb_check"))

;; The setup sentinel semaphore may be opened but not created, posted,
;; unlinked or waited on.
(with-filter (ipc-posix-name "purplebuddy.sentinel")
    (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
    (allow ipc-posix-sem-open))

(allow mach-lookup (with telemetry)
    (global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).

;; Scheduling overrides only with the matching private entitlement.
(allow system-sched
       (require-entitlement "com.apple.private.kernel.override-cpumon"))

(deny sysctl-read (with no-report)
      (sysctl-name "sysctl.proc_native"))

;; Internal-only. Note that a later `(deny sysctl*)` in this profile resets
;; sysctl access; only sysctl-read of this name is re-granted after it.
(with-filter (system-attribute apple-internal)
    (allow sysctl-read sysctl-write
           (sysctl-name "vm.footprint_suspend")))

(allow mach-lookup (with report) (with telemetry)
       (global-name "com.apple.system.logger"))

;; syslog socket: metadata plus outbound connect.
(allow file-read-metadata network-outbound
       (literal "/private/var/run/syslog"))

(allow mach-lookup
       (global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read*
       (ipc-posix-name "apple.shm.notification_center"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.diagnosticd"))

(logd-diagnostic-client)

(managed-configuration-read-public)

;; Link-layer (MAC) addresses are device-identifying; refuse silently.
(deny system-info (with no-report)
      (info-type "net.link.addr"))

(allow file-read*
       (subpath "/private/var/db/datadetectors/sys"))

(allow-well-known-system-group-container-subpath-read
       "/systemgroup.com.apple.icloud.findmydevice.managed/Library")

;; Task and process introspection limited to the process itself.
(allow mach-task-name (target self))

(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))

;;;
;;; End common.sb content
;;;

;; WebAuthn-specific tightening layered on the common.sb rules above.
;; Blanket deny on XPC-service-name lookups (the empty prefix matches every
;; name); more specific allows later in the file can still override it.
(deny mach-lookup (xpc-service-name-prefix ""))
;; NOTE(review): overridden further down by an unfiltered
;; `(allow iokit-get-properties)` (marked FIXME there), so this deny
;; currently has no effect.
(deny iokit-get-properties (with partial-symbolication))
;; No LaunchServices open requests from this process.
(deny lsopen)

;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;

(url-translation)

(mobile-preferences-read "com.apple.da")

;; Access the keyboards
(allow file-read*
    (home-subpath "/Library/Caches/com.apple.keyboards"))

;; Power logging
(allow mach-lookup
    (global-name "com.apple.powerlog.plxpclogger.xpc")) ;;  <rdar://problem/36442803>

;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once <rdar://problem/47038102> is resolved.
(deny file-read*
    (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
    (with no-log))

;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
    (home-subpath "/Library/Fonts"))

(allow-preferences-common)

;; Home Button: a single IORegistry property on IOPlatformDevice entries.
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
    (allow iokit-get-properties
        (iokit-property "home-button-type")))

(uikit-requirements)

;; <rdar://problem/9404009>
;; Already granted inside the elevated-precedence form above; repeated here
;; as in UIKit-apps.sb.
(mobile-preferences-read "kCFPreferencesAnyApplication")

; <rdar://problem/8440231>
(allow file-read*
    (home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
    (home-literal "/Library/Caches/DateFormats.plist")
    (with no-log))

; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See <rdar://problem/9375027> for sample backtraces.
(deny file-write*
    (home-prefix "/Library/Preferences/com.apple.springboard.plist")
    (with no-log))

;; <rdar://problem/34986314>
(mobile-preferences-read "com.apple.indigo")

;;;
;;; End UIKit-apps.sb content
;;;

;; Reset all sysctl access, then allow-list reads. This also cancels the
;; earlier apple-internal sysctl-write grant for vm.footprint_suspend; only
;; its read is re-granted here. Two more names (kern.maxfilesperproc,
;; kern.ostype) are appended at the very end of the profile.
;; kern.bootargs and kern.hostname expose boot configuration and the host
;; name; keep them in mind when reviewing this list.
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.activecpu"
        "hw.availcpu"
        "hw.cachelinesize"
        "hw.cputype"
        "hw.l2cachesize"
        "hw.logicalcpu"
        "hw.logicalcpu_max"
        "hw.ncpu"
        "hw.machine"
        "hw.memsize"
        "hw.model"
        "hw.pagesize_compat"
        "hw.physicalcpu"
        "hw.physicalcpu_max"
        "kern.bootargs"
        "kern.hostname"
        "kern.memorystatus_level"
        "kern.osproductversion"
        "kern.osrelease"
        "kern.osvariant_status"
        "kern.osversion"
        "kern.secure_kernel"
        "kern.version"
        "vm.footprint_suspend"))

;; IORegistry property allow-list (display, graphics, device-idiom and
;; chip/region identifiers).
;; NOTE(review): currently redundant, because an unfiltered
;; `(allow iokit-get-properties)` later in this profile (marked FIXME) grants
;; every property. Once that FIXME is resolved this list becomes the
;; effective policy, so keep it maintained.
(allow iokit-get-properties
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property "APTDevice")
    (iokit-property "AVCSupported")
    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
    (iokit-property "BaseAddressAlignmentRequirement")
    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
    (iokit-property "HEVCSupported")
    (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
    (iokit-property "IOClassNameOverride")
    (iokit-property "IOPlatformUUID")
    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
    (iokit-property "Protocol Characteristics")
    (iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
    (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
    (iokit-property "artwork-device-subtype")
    (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
    (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
    (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
    (iokit-property-regex #"(canvas-height|canvas-width)")
    (iokit-property "chip-id") ;; <rdar://problem/52903477>
    (iokit-property "class-code")
    (iokit-property "color-accuracy-index")
    (iokit-property "compatible") ;; <rdar://problem/47523516>
    (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
    (iokit-property "device-colors") ;; <rdar://problem/51322072>
    (iokit-property "device-id")
    (iokit-property "device-perf-memory-class")
    (iokit-property "dfr")
    (iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
    (iokit-property "emu")
    (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
    (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
    (iokit-property "hdcp-hoover-protocol")
    (iokit-property "iommu-present")
    (iokit-property "oled-display") ;; <rdar://problem/51322072>
    (iokit-property "product-description") ;; <rdar://problem/49497788>
    (iokit-property "product-id")
    (iokit-property "region-info") ;; <rdar://problem/52903475>
    (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475>
    (iokit-property "soc-generation") ;; <rdar://problem/52903476>
    (iokit-property "software-behavior")
    (iokit-property "vendor-id")
    (iokit-property "udid-version") ;; <rdar://problem/52903475>
    (iokit-property "ui-pip") ;; <rdar://problem/48867037>
)

;; Read-only preferences and data (no write access to any of these domains).
(mobile-preferences-read
    "com.apple.LaunchServices"
    "com.apple.WebFoundation"
    "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
    "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
    "com.apple.voiceservices.logging")

;; Sandbox extensions
;; Sandbox extensions
;; Apply `op` (allow or deny, supplied by the caller) to reading `path-filter`
;; and to issuing "com.apple.app-sandbox.read" extensions for it.
(define (apply-read-and-issue-extension op path-filter)
    (op file-read* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
;; Write-side counterpart: apply `op` to writing `path-filter` and to issuing
;; "com.apple.app-sandbox.read-write" extensions for it.
(define (apply-write-and-issue-extension op path-filter)
    (op file-write* path-filter)
    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
;; Allow read + read-extension issuance for `path-filter`.
(define (read-only-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter))
;; Allow read + write and both extension classes for `path-filter`.
(define (read-write-and-issue-extensions path-filter)
    (apply-read-and-issue-extension allow path-filter)
    (apply-write-and-issue-extension allow path-filter))
;; Honour app-sandbox read and read-write extensions handed to this process:
;; paths they cover become readable (and writable for read-write) and may be
;; re-issued as extensions of the same class.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Access to client's cache folder & re-vending to CFNetwork.
;; Only read-write app-sandbox extensions may be re-issued as CFNetwork
;; cache extensions; there is no path restriction beyond the extension itself.
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read-write")
    (extension-class "com.apple.nsurlstorage.extension-cache")))

;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.analyticsd"))

;; No symlink creation; no access to the private security xattr namespace.
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; Allow loading injected bundles.
;; NOTE(review): this allow is unfiltered, so any file this process can read
;; may be mapped executable; it overrides the `(deny file-map-executable)`
;; earlier in the profile. Scoping it to the bundle locations actually needed
;; would restore that restriction.
(allow file-map-executable)

;; Allow ManagedPreference access
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))

;; Logging configuration; data only, not metadata/extension issuance.
(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

;; Service lookups gated on the WebKit mach extension.
;; Note: com.apple.tccd is already allowed unconditionally (with report and
;; telemetry) earlier in this profile, so the extension gate does not
;; constrain that name.
(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService")))

;; These services have been identified as unused during living-on.
;; This list overrides some definitions above and in common.sb.
;; FIXME: remove overridden rules once the final list has been
;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
(deny mach-lookup
    (global-name "com.apple.webkit.camera")
)

;; Allow accesses to HID
(allow iokit-open
    (iokit-user-client-class "IOHIDLibUserClient"))

;; FIXME: Can further restrict the following rules.
;; NOTE(review): both rules are unfiltered. The get-properties allow makes
;; the earlier `(deny iokit-get-properties ...)` and the long property
;; allow-list above ineffective; the set-properties allow permits writing
;; IORegistry properties on any entry the process can reach, subject only to
;; IOKit's own checks (the sandbox imposes none here).
(allow iokit-get-properties)
(allow iokit-set-properties)

;; Allow accesses to LocalAuthentication and RemoteService
(allow mach-lookup
    (global-name "com.apple.CoreAuthentication.daemon")
    (global-name "com.apple.remoted"))

;; Allow accesses to NFC
(allow mach-lookup
    (global-name "com.apple.nfcd.hwmanager"))

;; Allow accesses to the Springboard view services.
;; Also granted inside uikit-requirements, there with report/telemetry
;; modifiers; this later unmodified allow takes precedence.
(allow mach-lookup
    (global-name "com.apple.frontboard.systemappservices"))

;; Allow accesses to the Keychain service
(allow mach-lookup
    (global-name "com.apple.securityd"))

;; NOTE(review): read AND write on the whole user Keychains directory; the
;; FIXME is the only thing justifying the write half.
(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.

(allow file-read*
       (subpath "/Library/Keychains")
       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))

;; Allow accesses to the SEP
(allow mach-lookup
    (global-name "com.apple.ctkd.token-client"))

;; Allow accesses to AAA and the network
(allow mach-lookup
    (global-name "com.apple.nehelper")
    (global-name "com.apple.usymptomsd")
    (global-name "com.apple.dnssd.service")
    (global-name "com.apple.trustd")
    (global-name "com.apple.containermanagerd")
    (global-name "com.apple.mobilegestalt.xpc"))

;; Whole shared system-group container tree is readable (FIXME below asks to
;; narrow it); plus the networkd preferences file.
(allow file-read*
    (subpath "/private/var/containers/Shared/SystemGroup") ;; FIXME<rdar://problem/71137389>
    (literal "/private/var/preferences/com.apple.networkd.plist"))

;; Keybag/keystore user client.
(allow iokit-open
    (iokit-user-client-class "AppleKeyStoreUserClient"))

;; NOTE(review): outbound network has no host or port filter: any TCP or
;; UDP destination is reachable, plus the local mDNSResponder socket. If the
;; process only talks to known services, narrowing `(remote tcp)` /
;; `(remote udp)` is the largest single reduction of reachable surface here.
(allow network-outbound
    (literal "/private/var/run/mDNSResponder")
    (remote tcp)
    (remote udp))

;; Extends the sysctl-read allow-list defined earlier in the profile.
(allow sysctl-read
    (sysctl-name
        "kern.maxfilesperproc"
        "kern.ostype"))