(version 1) (deny default) (deny file-map-executable nvram* process-info* process-info-codesignature) (deny file-link) (import "system.sb") (system-graphics) (system-network) (with-filter (extension "com.apple.app-sandbox.read") (allow file-read*) (allow file-issue-extension (extension-class "com.apple.app-sandbox.read"))) (with-filter (extension "com.apple.app-sandbox.read-write") (allow file-read* file-write*) (allow file-issue-extension (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write"))) (allow file-map-executable (subpath "/System/Library/Extensions")) ;; GPU drivers ;; WebKit will want dynamic-code-generation but it'll work (albeit slower) without it. (deny (with no-report) dynamic-code-generation device-microphone device-camera) ;; Networking ;; Network access needed at least for engagement requests, and perhaps for authenticate requests as well. (allow network-outbound (literal "/private/var/run/mDNSResponder") (remote ip)) ;; Process info (allow process-info-codesignature) (allow process-info* (target self)) ;; Misc. (allow system-audit) ;; via -[NSApplication init] (allow system-fsctl (fsctl-command HFSIOC_SET_HOTFILE_STATE)) (allow user-preference-read user-preference-write (preference-domain "com.apple.AppStoreDaemon.StoreUIService")) ;; File access ;; (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME") home-relative-subpath))) (define (home-literal home-relative-literal) (literal (string-append (param "HOME") home-relative-literal))) (define (home-path-ancestors home-relative-path) (path-ancestors (string-append (param "HOME") home-relative-path))) (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex))) (let ((cache-path-filter (require-any (home-subpath "/Library/Caches/com.apple.AppStoreDaemon.StoreUIService")))) (allow file-read* file-write* cache-path-filter) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") cache-path-filter))) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath "/System/Library") )) (allow file-read-metadata file-test-existence (home-literal "/Library") (home-literal "/Library/Caches") (literal (param "HOME")) (literal "/private/var/db") ) (allow file-read* (subpath "/Library/Preferences/Logging") (subpath "/System/Library/CoreServices") (literal "/private/var/db/.AppleSetupDone") ) (allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")) (subpath (param "DARWIN_USER_CACHE_DIR")) ) (allow file-read-data (literal "/Library/Preferences/com.apple.ViewBridge.plist") ) ;; AMS (allow mach-lookup (global-name "com.apple.CoreAuthentication.agent" "com.apple.adid" "com.apple.cmio.registerassistantservice" ;; -[AMSUIWebJSProperties _deviceProperties] "com.apple.commerce" "com.apple.ctkd.token-client" ;; AMSBiometrics "com.apple.fpsd" "com.apple.usernotifications.usernotificationservice" "com.apple.usernotifications.listener" "com.apple.xpc.amsaccountsd")) (allow file-read* file-write* (home-subpath "/Library/Caches/com.apple.AppleMediaServices") (home-subpath "/Library/Logs/com.apple.StoreServices")) (allow file-read* (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")) (allow user-preference* (preference-domain "com.apple.AppleMediaServices" "com.apple.AppleMediaServices.notbackedup" )) (with-filter (system-attribute apple-internal) (allow user-preference-read (preference-domain "com.apple.itunesstored" ;; +[AMSDefaults ss_ignoreServerTrustEvaluation] ))) ;; MDS (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db")) (allow file-read* (literal (param "SECURITY_MESSAGES_FILE"))) ;; Security (define keychain-check-path "/private/var/run/systemkeychaincheck.done") (allow file-read-metadata (literal keychain-check-path) (literal "/Library/Keychains/System.keychain") (path-ancestors (param "DARWIN_USER_CACHE_DIR")) (path-ancestors "/Library/Keychains/System.keychain") (home-literal "/Library/Keychains/login.keychain-db") (home-path-ancestors "/Library/Keychains/login.keychain-db")) (allow network-outbound (literal keychain-check-path)) ;; WebKit (allow file-read* (home-subpath "/Library/WebKit")) (allow file-write* (home-subpath "/Library/WebKit/com.apple.AppStoreDaemon.StoreUIService")) (allow file-read-metadata (literal "/AppleInternal")) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Copied from application.sb ;; (allow file-read* (home-literal "/.CFUserTextEncoding") (home-subpath "/Library/Fonts") (home-subpath "/Library/Input Methods") (home-subpath "/Library/KeyBindings") (home-subpath "/Library/Keyboard Layouts") ) (allow user-preference-read (preference-domain "com.apple.AdLib" "com.apple.AppleMultitouchTrackpad" "com.apple.airplay" "com.apple.assistant.support" "com.apple.avfoundation" "com.apple.cmio" "com.apple.coreanimation" "com.apple.coremedia" "com.apple.coremediaio.support" "com.apple.corevideo" "com.apple.DictionaryServices" "com.apple.driver.AppleBluetoothMultitouch.mouse" "com.apple.driver.AppleBluetoothMultitouch.trackpad" "com.apple.driver.AppleHIDMouse" "com.apple.HIToolbox" "com.apple.inputmethodkit" "com.apple.inputsources" "com.apple.LaunchServices" "com.apple.lookup.shared" "com.apple.MultitouchSupport" "com.apple.security_common" "com.apple.security" "com.apple.ServicesMenu.Services" "com.apple.speech.recognition.AppleSpeechRecognition.prefs" "com.apple.speech.synthesis.general.prefs" "com.apple.speech.voice.prefs" "com.apple.systemsound" "com.apple.TelephonyUtilities" "com.apple.universalaccess" "kCFPreferencesAnyApplication" "pbs")) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Copied from appsandbox-common.sb ;; (allow generic-issue-extension (extension-class "com.apple.webkit.mach-bootstrap")) (allow mach-issue-extension (extension-class "com.apple.webkit.extension.mach")) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Copied from blastdoor.sb ;; (allow syscall-unix (syscall-number SYS_exit) (syscall-number SYS_kevent_qos) (syscall-number SYS_kevent_id) (syscall-number SYS_thread_selfid) (syscall-number SYS_bsdthread_ctl) (syscall-number SYS_kdebug_trace64) (syscall-number SYS_getattrlist) (syscall-number SYS_sigsuspend_nocancel) (syscall-number SYS_proc_info) (syscall-number SYS___disable_threadsignal) (syscall-number SYS___pthread_sigmask) (syscall-number SYS___mac_syscall) (syscall-number SYS___semwait_signal_nocancel) (syscall-number SYS_abort_with_payload) (syscall-number SYS_access) (syscall-number SYS_bsdthread_create) (syscall-number SYS_bsdthread_terminate) (syscall-number SYS_close) (syscall-number SYS_close_nocancel) (syscall-number SYS_connect) (syscall-number SYS_csops_audittoken) (syscall-number SYS_csrctl) (syscall-number SYS_fcntl) (syscall-number SYS_fsgetpath) (syscall-number SYS_fstat64) (syscall-number SYS_fstatfs64) (syscall-number SYS_getdirentries64) (syscall-number SYS_geteuid) (syscall-number SYS_getfsstat64) (syscall-number SYS_getgid) (syscall-number SYS_getrlimit) (syscall-number SYS_getuid) (syscall-number SYS_ioctl) (syscall-number SYS_issetugid) (syscall-number SYS_lstat64) (syscall-number SYS_madvise) (syscall-number SYS_mmap) (syscall-number SYS_munmap) (syscall-number SYS_mprotect) (syscall-number SYS_mremap_encrypted) (syscall-number SYS_open) (syscall-number SYS_open_nocancel) (syscall-number SYS_openat) (syscall-number SYS_pathconf) (syscall-number SYS_pread) (syscall-number SYS_read) (syscall-number SYS_readlink) (syscall-number SYS_shm_open) (syscall-number SYS_socket) (syscall-number SYS_stat64) (syscall-number SYS_statfs64) (syscall-number SYS_sysctl) (syscall-number SYS_sysctlbyname) (syscall-number SYS_workq_kernreturn) (syscall-number SYS_workq_open) ) (allow mach-lookup (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.ak.anisette.xpc") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.dock.server") (global-name "com.apple.SystemConfiguration.DNSConfiguration") (global-name "com.apple.coreservices.appleevents") (global-name "com.apple.iconservices") (global-name "com.apple.iconservices.store") (global-name "com.apple.inputmethodkit.getxpcendpoint") (global-name "com.apple.inputmethodkit.launchagent") (global-name "com.apple.inputmethodkit.launcher") (global-name "com.apple.system.opendirectoryd.api") ;; via AuthKit via AMS (global-name "com.apple.tsm.uiserver") ) (allow mach-lookup (global-name "com.apple.audio.AudioComponentRegistrar") (global-name "com.apple.audio.audiohald") (global-name "com.apple.audio.coreaudiod") (global-name "com.apple.audio.SystemSoundServer-OSX") (global-name "com.apple.containermanagerd") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.cvmsServ") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.dock.fullscreen") (global-name "com.apple.FileCoordination") (global-name "com.apple.FontObjectsServer") (global-name "com.apple.fonts") (global-name "com.apple.ocspd") (global-name "com.apple.pasteboard.1") (global-name "com.apple.pluginkit.pkd") ;; WebKit process pool (global-name "com.apple.securityd.xpc") (global-name "com.apple.SecurityServer") (global-name "com.apple.spindump") (global-name "com.apple.storagekitd") (global-name "com.apple.symptom_analytics") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.tailspind") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.TrustEvaluationAgent") (global-name "com.apple.uiintelligencesupport.agent") (global-name "com.apple.VirtualDisplay") (global-name "com.apple.window_proxies") (global-name "com.apple.windowmanager.server") (global-name "com.apple.windowserver.active")) (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication") (preference-domain "com.apple.Accessibility") (preference-domain "com.apple.CoreGraphics") ;; WebKit (preference-domain "com.apple.security") (preference-domain "com.apple.Safari.SandboxBroker")) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Copied from storeuid.sb ;; (allow file-issue-extension (subpath "/Library/Documentation/Help/MacHelp.help")) (allow file-read* (regex #"/CommerceKit\.framework") (subpath "/Volumes") (literal "/") (literal "/private/etc/hosts") (literal "/Library/Preferences/.GlobalPreferences.plist") (literal "/private/var/db/.MASManifest") (literal "/Library/Preferences/com.apple.AECT.plist") (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist") (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") (literal "/Library/Preferences/com.apple.loginwindow.plist") (literal "/private/var/db/PreviousSystemVersion.plist") (subpath "/Library/Documentation/Help/MacHelp.help") (literal "/Library/Preferences/com.apple.appstore.plist") (literal "/Library/Preferences/com.apple.LaunchServices.plist") (literal "/Library/Preferences/.GlobalPreferences.plist") (literal "/Library/Preferences/ByHost/.GlobalPreferences.") (literal "/Library/Preferences/com.apple.universalaccess.plist") (literal "/Library/Preferences/com.apple.security.plist") (literal "/.CFUserTextEncoding")) (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist") (literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist")) (allow user-preference-read (preference-domain "com.apple.AppleMultitouchTrackpad") (preference-domain "com.apple.ServicesMenu.Services")) (allow ipc-posix-shm-read-data (ipc-posix-name "FNetwork.defaultStorageSession") (ipc-posix-name-regex #"ls\.[a-f0-9\.]+") (ipc-posix-name "apple.shm.notification_center") (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$")) (allow ipc-posix-shm-read* ipc-posix-shm-write* (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow mach-lookup (global-name "com.apple.iohideventsystem") (global-name "com.apple.touchbarserver.mig") (global-name "com.apple.touchbar.agent") (global-name "com.apple.pbs.fetch_services") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.coreservices.launcherror-handler") (global-name "com.apple.storeassetd") (global-name "com.apple.storeaccountd") (global-name "com.apple.storedownloadd") (global-name "com.apple.storeainappd") (global-name "com.apple.storeuid") (global-name "com.apple.storeagent.pushservice-xpc") (global-name "com.apple.maspushagent-xpc") (global-name "com.apple.lateragent-xpc") (global-name "com.apple.SystemConfiguration.SCNetworkReachability") (global-name "com.apple.networkd") (global-name "com.apple.storehelper") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.usernoted.daemon_client") (global-name "com.apple.metadata.mds") (global-name "com.apple.ls.boxd") (global-name "com.apple.ocspd") (global-name "com.apple.dock.appstore") (global-name "com.apple.installd") (global-name "com.apple.ProgressReporting") (global-name "com.apple.storereceiptinstaller") (global-name "com.apple.dock.launchpad") (global-name "com.apple.coreservices.sharedfilelistd.xpc") (global-name "com.apple.coreservices.sharedfilelistd.mig") (global-name "com.apple.coreservices.sharedfilelistd.async-mig") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.cookied") (global-name "com.apple.FontServer") (global-name "com.apple.logind") (global-name "com.apple.familycontrols") (global-name "com.apple.nsurlstorage-cache") (global-name "com.apple.ak.auth.xpc") (global-name "com.apple.CrashReporterSupportHelper") (global-name "com.apple.cfnetwork.AuthBrokerAgent") (global-name "com.apple.cfnetwork.cfnetworkagent") (global-name "com.apple.analyticsd") (global-name "com.apple.CARenderServer") (global-name "com.apple.CoreDisplay.master") (global-name "com.apple.appstoreagent.xpc") (global-name "com.apple.nesessionmanager.content-filter")) (allow iokit-open-user-client (iokit-user-client-class "IOSurfaceSendRight") (iokit-user-client-class "IOSurfaceRootUserClient") (iokit-user-client-class "IGAccelCommandQueue") (iokit-user-client-class "AppleMultitouchDeviceUserClient") (iokit-user-client-class "IOFramebufferSharedUserClient") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class-regex #"AccelDevice$") (iokit-user-client-class-regex #"SharedUserClient$") (iokit-user-client-class-regex #"GLContext$") (iokit-user-client-class "IOHIDParamUserClient") (iokit-user-client-class "AGXDevice") (iokit-user-client-class "AGXCommandQueue")) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Copied from application.sb and container.sb ;; (allow user-preference-read user-preference-write (preference-domain "com.apple.preferences.extensions.ServicesWithUI" "com.apple.preferences.extensions.ShareMenu" "com.apple.speech.voice.prefs"))