;; Copyright (c) 2012 Apple Inc. All Rights reserved. ;; ;; WARNING: The sandbox rules in this file currently constitute ;; Apple System Private Interface and are subject to change at any time and ;; without notice. The contents of this file are also auto-generated and not ;; user editable; it may be overwritten at any time. ;; (version 1) (deny default) (import "system.sb") (system-network) (allow authorization-right-obtain (right-name "system.keychain.modify") (right-name "system.keychain.create.loginkc") (right-name "com.apple.wifi") (right-name "config.modify.com.apple.wifi") (right-name "system.preferences") ) (allow distributed-notification-post) (allow file-read-metadata) ;; Required to get kCFBundleIdentifierKey via CFBundleCopyInfoDictionaryForURL() for executables with embedded Info.plist, which is then used in [CLLocationManager authorizationStatusForBundleIdentifier:] to determine if LocationServices has been authorized for a command line tool (allow file-read-data) (allow file-read-xattr) (allow file* (literal "/dev/io8log") (literal "/dev/io8logmt") (literal "/dev/io8logtemp") (regex #"^/dev/pf") (regex #"^/dev/bpf") (regex #"/Library/Preferences/com.apple.wifi.*.plist$") (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist") (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.airport\.preferences\.plist") (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.wifi\.message-tracer\.plist") (subpath "/private/var/log") (literal "/private/var/run/wifi") (literal "/private/var/run/wifi-base-system") (subpath "/private/var/tmp") (subpath "/private/var/run/com.apple.wifivelocity") (subpath (param "TMP_DIR")) (subpath "/private/var/dextcores") (subpath (param "CONTAINER_DIR")) ) (allow file-read* (subpath "/Library/Keychains") (literal "/Library/Preferences/com.apple.security.plist") (literal "/Library/Preferences/com.apple.airport.opproam.plist") (literal "/Library/Preferences/com.apple.wifi.roaming_profiles.plist") (literal "/Library/Preferences/com.apple.crypto.plist") (regex #"^/Library/Preferences/\.GlobalPreferences\.plist") (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") (literal "/Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist") (literal "/Library/Security/Trust Settings/Admin.plist") (subpath "/private/var/db/mds") (regex #"^/private/var/root/Library/Preferences/\.GlobalPreferences\.plist") (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\.") (literal "/private/var/run/mDNSResponder") (subpath "/private/var/tmp/mds") (literal "/usr/libexec") (subpath "/usr/libexec/airportd") (literal "/usr/libexec/InternetSharing") (literal "/private/var/log") (literal "/private/var/db/DetachedSignatures") (literal "/dev/random") (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal") (literal "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") (literal "/private/var/root/Library/Preferences/com.apple.airport.airportd.plist") (subpath "/Library/Logs") (literal "/private/var/db/os_eligibility/eligibility.plist") (subpath "/System/Volumes/iSCPreboot") ) (allow file-write* (literal "/private/var/db/mds/system/mds.lock") (literal "/private/var/log/wifi.log") (literal "/private/var/root/Library/Preferences/com.apple.airport.airportd.plist") (regex #"^/private/var/log/wifi") (regex #"^/private/var/log/AWDL") (subpath "/Library/Keychains") (subpath "/private/var/db/mds") (subpath "/private/var/tmp/mds") (subpath "/Library/Logs") (subpath "/System/Volumes/iSCPreboot") ) (allow iokit-set-properties (iokit-property "36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network") (iokit-property "36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks") (iokit-property "36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count") (iokit-property "40A0DDD2-77F8-4392-B4A3-1E7304206516:current-network") (iokit-property "40A0DDD2-77F8-4392-B4A3-1E7304206516:preferred-networks") (iokit-property "40A0DDD2-77F8-4392-B4A3-1E7304206516:preferred-count") (iokit-property "IONVRAM-SYNCNOW-PROPERTY") (iokit-property "IO80211InterfaceAwdlMacAddressInUse") (iokit-property "MWS_BT_TRAFFIC_IMPACT_BCN_OFFLOAD") (iokit-property "MWS_BT_TRAFFIC_IMPACT_SCAN_OFFLOAD") (iokit-property "IO80211DPSSymptomsInputParams") ) (with-filter (iokit-registry-entry-class "IOUserService") (allow iokit-get-properties (iokit-property "AppleWLANWatchdog") (iokit-property "WatchdogTriggered") (iokit-property "CrashIDNotification") ) ) ;; AppleWLANDriver (with-filter (iokit-registry-entry-class "IOUserService") (allow iokit-set-properties (iokit-property "AppleWLANWatchdog") (iokit-property "WatchdogTriggered") (iokit-property "CrashIDNotification") (iokit-property "cpu") (iokit-property "assertId") (iokit-property "file") (iokit-property "function") (iokit-property "line") (iokit-property "title_size") (iokit-property "title_str") ) ) ;; AppleWLANDriver (with-filter (iokit-registry-entry-class "IOService") (allow iokit-set-properties (iokit-property "bt-calibration-bcal") (iokit-property "wifi-calibration-oca2") (iokit-property "wifi-calibration-ocal") (iokit-property "wifi-calibration-wcal") (iokit-property "wifi-calibration-ifcal") (iokit-property "wifi-ifcal-fdr") (iokit-property "wifi-ifcal-disconn") ) ) ;; AppleSunriseHALDevice (with-filter (iokit-registry-entry-class "IOUserService") (allow iokit-set-properties (iokit-property "wifi-ifcal-saved") ) ) ;; AppleSunriseWLAN (allow iokit-open (iokit-user-client-class "IOUSBDeviceUserClientV2") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "IOReportUserClient") (iokit-user-client-class "IOUserUserClient") (iokit-user-client-class "IO80211APIUserClient") (iokit-user-client-class "AppleWLANWDUserClient") (iokit-user-client-class "AppleKeyStoreUserClient") (iokit-user-client-class "AppleSEPUserClient") (iokit-user-client-class "AppleNVMeEANUC") ) (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center") (ipc-posix-name "com.apple.AppleDatabaseChanged") ) (allow ipc-posix-shm-read-data (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[^/]+$") ) (allow mach-lookup (global-name "com.apple.WiFiVelocityAgent") (global-name "com.apple.wifivelocityd") (global-name "com.apple.airport.wps") (global-name "com.apple.airportd") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.d2d.ipc") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.network.EAPOLController") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.SystemConfiguration.SCNetworkReachability") (global-name "com.apple.wifid") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.awdd") (global-name "com.apple.corecaptured") (global-name "com.apple.locationd.desktop.registration") (global-name "com.apple.locationd.desktop.synchronous") (global-name "com.apple.securityd.xpc") (global-name "com.apple.analyticsd") (global-name "com.apple.wifi.WiFiAgent") (global-name "com.apple.windowserver.active") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.appleevents") (global-name "com.apple.symptom_diagnostics") (global-name "com.apple.wifianalyticsd") (global-name "com.apple.private.corewifi.internal-xpc") (global-name "com.apple.private.corewifi.unrestricted-xpc") (global-name "com.apple.private.corewifi.user-agent-xpc") (global-name "com.apple.corewlan-xpc") (global-name "com.apple.tccd.system") (global-name "com.apple.symptoms.symptomsd.managed_events") (global-name "com.apple.CompanionLink") (global-name "com.apple.wifip2pd") (global-name "com.apple.countryd.update") (global-name "com.apple.networkd_privileged") (global-name "com.apple.CoreLocation.agent") (global-name "com.apple.mdmclient.daemon") (global-name "com.apple.mdmclient.daemon.unrestricted") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.securityd.systemkeychain") (global-name "com.apple.network.IPConfiguration") (global-name "com.apple.NetworkSharing") (global-name "com.apple.containermanagerd") (global-name "com.apple.windowserver.active") (global-name "com.apple.networking.captivenetworksupport") (global-name "com.apple.duetactivityscheduler") ) (allow appleevent-send (appleevent-destination "com.apple.finder") ) (allow mach-per-user-lookup) (allow network-bind) (allow network-outbound) (allow network-inbound) (allow system-sched) (allow system-socket) (allow system-fsctl) (allow lsopen)