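;; Copyright (c) 2007-2022 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;

;; Sandbox profile (SBPL). Judging by the paths and Mach service names below it
;; appears to confine bluetoothuserd -- confirm against the installed profile name.
;; Parameters read via (param ...): _HOME, _DARWIN_USER_TEMP, _DARWIN_USER_CACHE.
(version 1)

;; Default-deny: every operation not explicitly allowed below (or by an
;; imported profile) is refused.
(deny default)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(import "contacts.sb")

(contacts-client (param "_HOME") (param "_DARWIN_USER_TEMP"))

(allow distributed-notification-post)

(allow process-info* (target self))
(allow process-info-codesignature)
(allow process-info-pidinfo)

; Darwin user directory defines.
; NOTE(review): no rule visible in this file calls either of these two helpers;
; the /var/folders rules further down use all-user regexes instead.
(define (darwin-user-cache-subpath relative)
    (subpath (string-append (param "_DARWIN_USER_CACHE") relative))
)

(define (darwin-user-temp-subpath relative)
    (subpath (string-append (param "_DARWIN_USER_TEMP") relative))
)

; Home directory defines.
; Each helper builds a path filter rooted at the _HOME parameter.
(define (home-literal relative)
    (literal (string-append (param "_HOME") relative))
)

(define (home-prefix relative)
    (prefix (string-append (param "_HOME") relative))
)

(define (home-subpath relative)
    (subpath (string-append (param "_HOME") relative))
)

; regex-quote keeps metacharacters in the home path (for example a "." in the
; account name) from being interpreted as regex syntax.
(define (home-regex relative-regex)
    (regex (string-append "^" (regex-quote (param "_HOME")) relative-regex))
)

(allow file-read-data
    (subpath "/System/Library/CoreServices")
    (literal "/private/var/db")
    (literal "/private/var/db/mds/system/mdsObject.db")
    (literal "/Library/Managed Preferences/local/.GlobalPreferences.plist")
    (literal "/private/var/db/.AppleSetupDone")
    (home-subpath "/Library/com.apple.bluetoothuser")
    (home-subpath "/Library/Preferences/com.apple.voicetrigger.plist")
)

(allow file-read*
    (subpath "/usr/libexec")
    (subpath "/Applications")
    (home-subpath "/Library/com.apple.bluetoothuser")
)

(allow file-read-metadata
    (literal "/")
    (literal "/Users")
    ; NOTE(review): no trailing anchor, so this presumably matches every path
    ; that begins with the home string, not only the home directory itself --
    ; confirm which was intended.
    (regex (string-append "^" (regex-quote (param "_HOME"))))
    (literal "/Library")
    (literal "/private")
    (literal "/private/var")
    (literal "/private/var/db")
    (literal "/private/var/root")
    (literal "/private/var/db/mds")
    (literal "/private/var/db/mds/system")
    (literal "/private/var/db/mds/system/mdsDirectory.db")
    (literal "/private/var/db/mds/system/mdsObject.db")
    (literal "/private/var/run/systemkeychaincheck.done")
    (literal "/Library/Keychains")
    (literal "/Library/Keychains/System.keychain")
    (literal "/Library/Preferences/com.apple.security.plist")
    (literal "/private/var/db/.AppleSetupDone")
    (literal "/private/etc")
    (literal "/usr")
    (literal "/usr/libexec")
    (literal "/usr/libexec/bluetoothuserd")
)

; Keychain access. The System.keychain pattern is a prefix match (no "$"), so
; sibling files sharing that prefix are covered as well.
(allow file-read* file-write*
    ; The "." is escaped so it matches only a literal dot; unescaped it would
    ; accept any character in that position on a read/write rule.
    (regex #"^/Library/Keychains/System\.keychain")
    (home-subpath "/Library/Keychains")
    (home-subpath "/Library/Caches/CloudKit/com.apple.bluetoothuserd")
    (home-subpath "/Library/com.apple.bluetoothuser")
)

(allow file-write-create
    ; Built with home-regex so _HOME is regex-quoted like the other home rules.
    ; NOTE(review): the trailing "\$" is an escaped dollar, i.e. a literal "$"
    ; character rather than an end anchor -- confirm this rule matches the
    ; temporary keychain names it is meant to cover.
    (home-regex #"/Library/Keychains/login\.keychain\.sb-\..*\$")
    (home-subpath "/Library/com.apple.bluetoothuser")
)

; Per-user cache (C) and temp (T) directories under /var/folders.
; NOTE(review): "[^/]+/[^/]+" is not tied to this user's directory, so the rule
; grants read/write on every user's C and T trees as far as the sandbox is
; concerned; ordinary file permissions are the remaining barrier.
; NOTE(review): the source was flattened onto one line, which leaves it unclear
; whether the T rule was active or commented out; it is reproduced as active
; with the trailing ";" markers kept -- confirm against the shipped profile.
(allow file-read* file-write*
    (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)") ;
    (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)") ;
)

(allow file-read-metadata
    (literal "/private/var/folders")
    (regex #"^(/private)?/var/folders/[^/]+$")
    (regex #"^(/private)?/var/folders/[^/]+/[^/]+$")
    (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C$")
    (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T$")
    (literal "/private/var/db")
    (regex #"^(/private)?/var/db/[^/]+$")
    (regex #"^(/private)?/var/db/[^/]+/[^/]+$")
    (regex #"^(/private)?/var/db/[^/]+/[^/]+/C$")
    (regex #"^(/private)?/var/db/[^/]+/[^/]+/T$")
)

(allow file-read*
    (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
    (literal "/Library/Preferences/com.apple.security.plist")
    (literal "/private/var/db/DetachedSignatures")
    (literal "/private/var/db/mds/messages/se_SecurityMessages")
    (literal "/private/var/db/mds/system/mdsDirectory.db")
    (literal "/private/var/run/diagnosticd/dyld_shared_cache_x86_64")
    (literal "/private/var/db/.AppleSetupDone")
)

(allow file-read-metadata
    (literal "/")
    (literal "/AppleInternal")
    (literal "/Library")
    (literal "/Library/Security/Trust Settings/Admin.plist")
    (literal "/private/var/run/systemkeychaincheck.done")
    (literal "/private/var/db/.AppleSetupDone")
)

(allow ipc-posix-shm-read-data
    (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$")
    (ipc-posix-name "FNetwork.defaultStorageSession")
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow ipc-posix-shm-write-data
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow network-outbound
    (literal "/private/var/run/systemkeychaincheck.socket")
)

; Preference files: read access. The home-* helpers are used throughout so the
; _HOME value is handled the same way in every rule (quoted inside regexes).
(allow file-read*
    (home-literal "/Library/Preferences/com.apple.bluetoothuserd.plist")
    (home-literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-regex #"/Library/Preferences/ByHost/com\.apple\.Bluetooth\..*\.plist$")
    (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
)

; Logs and preference files the process may create and modify.
(allow file-read* file-write-create file-write-data file-write-flags
    (literal "/private/var/log/bluetoothuserd.log")
    (literal "/private/var/log/bluetoothFramework.log")
    (literal "/Library/Preferences/com.apple.Bluetooth.plist")
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-literal "/Library/Preferences/com.apple.bluetoothuserd.plist")
    (home-regex #"/Library/Preferences/ByHost/com\.apple\.Bluetooth\..*\.plist$")
    (home-subpath "/Library/com.apple.bluetoothuser")
    (literal "/private/var/root/Library/Preferences/com.apple.BTServer.plist")
)

(allow file-read-data
    (home-literal "/Library/Preferences/com.apple.logging.plist")
    (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist")
    (home-subpath "/Library/com.apple.bluetoothuser")
)

; Mach services this process may look up. Each entry is reachable IPC surface
; from inside the sandbox, so the list is worth reviewing whenever it changes.
(allow mach-lookup
    (global-name "com.apple.accountsd.accountmanager")
    (global-name "com.apple.aps.bluetoothuserd")
    (global-name "com.apple.apsd")
    (global-name "com.apple.biome.access.user")
    (global-name "com.apple.bluetooth.cloudkit.xpc")
    (global-name "com.apple.bluetooth.xpc")
    (global-name "com.apple.BluetoothDOServer")
    (global-name "com.apple.BTServer.cloudpairing")
    (global-name "com.apple.cloudd")
    (global-name "com.apple.CompanionLink")
    (global-name "com.apple.contactsd")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.coreservices.quarantine-resolver")
    (global-name "com.apple.kvsd")
    (global-name "com.apple.identityservicesd.desktop.auth")
    (global-name "com.apple.marco")
    (global-name "com.apple.metadata.mds")
    (global-name "com.apple.logind")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.securityd.xpc")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name-regex #"^com\.apple\.distributed_notifications")
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.lsd.modifydb")
    (global-name "com.apple.SharingServices")
    (global-name "com.apple.server.bluetooth")
    (global-name "com.apple.server.bluetooth.classic.xpc")
    (global-name "com.apple.server.bluetooth.le.att.xpc")
    (global-name "com.apple.powerlog.plxpclogger.xpc")
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.tccd.system")
    (global-name "com.apple.usernotifications.listener")
    (global-name "com.apple.usernotifications.usernotificationservice")
    (global-name "com.apple.windowserver.active")
    (global-name "com.apple.xpchelper")
)

; Mach service names this process may register itself.
(allow mach-register
    (global-name "com.apple.aps.bluetoothuserd")
    (global-name "com.apple.BluetoothServices")
    (global-name "com.apple.BluetoothCloudServices")
    (global-name "com.apple.BTServer.cloudpairing")
)

; IOKit user clients the process may open (kernel driver interfaces).
(allow iokit-open
    (iokit-user-client-class "AppleKeyStoreUserClient")
    (iokit-user-client-class "IOBluetoothDeviceUserClient")
    (iokit-user-client-class "IOHIDResourceDeviceUserClient")
    (iokit-user-client-class "IOBluetoothHCIUserClient")
    (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
    (iokit-user-client-class "IOHIDLibUserClient")
    (iokit-user-client-class "RootDomainUserClient")
)

; NOTE(review): the two TCP rules allow outbound connections to any host on
; ports 25 and 443. Their comments refer to "CSS notifications" and
; "CSS/cryptobot", which nothing else in this profile mentions -- confirm they
; are still required here, port 25 in particular.
(allow network-outbound
    (literal "/private/var/run/mDNSResponder")
    (remote tcp "*:25" ) ;; outgoing mail for CSS notifications
    (remote tcp "*:443" ) ;; CSS/cryptobot
)

(allow system-fsctl
    (fsctl-command HFSIOC_SET_HOTFILE_STATE)
)

(allow user-preference-read user-preference-write
    (preference-domain "com.apple.bluetoothuser")
    (preference-domain "com.apple.bluetooth")
    (preference-domain "com.apple.BTServer")
    (preference-domain "com.apple.coreaudio")
    (preference-domain "com.apple.CloudKit")
    (preference-domain "com.apple.applicationaccess")
)

(allow lsopen)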