;; Sandbox profile (SBPL, version 2 syntax). Every operation is denied unless a
;; rule below, or one pulled in from dyld-support.sb, allows it.
;; NOTE(review): the blanket-deny-then-narrow-allow pairs throughout this file
;; depend on the order in which the rules appear; keep that order when editing.
(version 2)
(deny default)
;; Denies the dynamic-code-generation operation for the sandboxed process.
(deny dynamic-code-generation)
;; Rules contributed by this import are not visible in this file; review the
;; two together before drawing conclusions about the effective policy.
(import "dyld-support.sb")

;; ---- File system -----------------------------------------------------------
;; Read access to system locations, additionally gated by the (file-mode 4)
;; filter. NOTE(review): presumably this restricts reads to world-readable
;; files; confirm the filter's exact meaning.
(allow file-read*
    (require-all
        (file-mode 4)
        (require-any
            (subpath "/System")
            (subpath "/usr/lib")
            (subpath "/usr/share")
            (subpath "/private/var/db/dyld"))))
;; Executable mappings are accepted only from these two system subtrees.
(allow file-map-executable (subpath "/System/Library") (subpath "/usr/lib"))
(allow mach-bootstrap)
;; Unfiltered: metadata reads are allowed for every path.
(allow file-read-metadata)
;; NOTE(review): the rule above has no filter, so this path-scoped rule looks
;; redundant as written. If the intent was to limit metadata reads to these
;; four paths, the unfiltered rule defeats it; confirm which one is intended.
(allow file-read-metadata
    (literal "/etc")
    (literal "/tmp")
    (literal "/var")
    (literal "/private/etc/localtime"))
(allow file-read* (literal "/dev/random") (literal "/dev/urandom"))
(allow file-read* file-write-data (literal "/dev/null") (literal "/dev/zero"))
;; The with-filter forms keyed on (system-attribute apple-internal) apply only
;; when that attribute matches.
(with-filter (system-attribute apple-internal)
    (allow file-read* file-write-data file-ioctl (literal "/dev/dtracehelper")))
(with-filter (system-attribute apple-internal)
    (allow file-write*
        (require-all
            (prefix "/cores/")
            (require-not (file-mode 0)))))

;; ---- Mach services (logging and notifications) -----------------------------
(allow mach-lookup
    (global-name "com.apple.logd")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.system.notification_center"))
(with-filter (system-attribute apple-internal)
    (allow mach-lookup (global-name "com.apple.diagnosticd")))
;; Signals and the two process-info operations are limited to the process itself.
(allow signal process-info-dirtycontrol process-info-pidinfo (target self))

;; ---- sysctl ----------------------------------------------------------------
;; Blanket deny with telemetry, followed by the readable names and prefixes.
(deny (with telemetry) sysctl-read)
(allow sysctl-read
    (sysctl-name-prefix "hw.optional.")
    (sysctl-name-prefix "hw.perflevel0.")
    (sysctl-name-prefix "hw.perflevel1.")
    (sysctl-name
        "hw.cachelinesize" "hw.cpufamily" "hw.cpusubfamily" "hw.logicalcpu"
        "hw.logicalcpu_max" "hw.pagesize_compat" "hw.physicalcpu"
        "hw.physicalcpu_max" "hw.product" "hw.vectorunit"
        "kern.hv_vmm_present" "kern.osproductversion" "kern.secure_kernel"
        "machdep.ptrauth_enabled"))
(with-filter (system-attribute apple-internal)
    (allow sysctl-write
        (sysctl-name "vm.footprint_suspend")
        (sysctl-name "vm.task_no_footprint_for_debug")))

;; Unfiltered: existence checks are allowed for every path.
(allow file-test-existence)
;; The empty prefix matches every XPC service name, so this denies all lookups
;; made by XPC service name.
(deny mach-lookup (xpc-service-name-prefix ""))
(deny system-privilege)

;; ---- BSD syscall filter ----------------------------------------------------
;; A syscall outside the allow list below is denied with SIGKILL and telemetry,
;; tagged with the message string.
(deny syscall-unix (with send-signal SIGKILL) (with telemetry) (with message
    "101396075-syscall-unix"))
;; This list gates syscall numbers only. Entries such as SYS_socket,
;; SYS_connect, SYS_rename, SYS_rmdir and SYS_shm_open do not by themselves
;; grant the matching network or file operations; those are still subject to
;; the operation-level rules. NOTE(review): this file contains no network rule,
;; so check whether dyld-support.sb supplies one before deciding that
;; SYS_socket and SYS_connect are still needed.
(allow syscall-unix
    (syscall-group-bsdthread) (syscall-group-close) (syscall-group-fcntl)
    (syscall-group-getfsstat) (syscall-group-kevent) (syscall-group-mkdir)
    (syscall-group-pthread) (syscall-group-read) (syscall-group-rlimit)
    (syscall-group-send) (syscall-group-signal) (syscall-group-stat)
    (syscall-group-statfs) (syscall-group-ulock)
    (syscall-number
        SYS___disable_threadsignal SYS___mac_syscall SYS___semwait_signal_nocancel
        SYS_abort_with_payload SYS_access SYS_connect SYS_csops_audittoken
        SYS_csrctl SYS_dup SYS_exit SYS_faccessat SYS_fgetattrlist SYS_fgetxattr
        SYS_fsgetpath SYS_getattrlist SYS_getattrlistbulk SYS_getdirentries64
        SYS_getentropy SYS_geteuid SYS_getegid SYS_getgid SYS_gethostuuid
        SYS_getrusage SYS_gettid SYS_gettimeofday SYS_getuid SYS_getxattr
        SYS_ioctl SYS_issetugid SYS_kdebug_trace SYS_kdebug_trace64
        SYS_kdebug_trace_string SYS_kdebug_typefilter SYS_listxattr SYS_lseek
        SYS_madvise SYS_mmap SYS_mprotect SYS_mremap_encrypted SYS_munmap
        SYS_open SYS_open_nocancel SYS_openat SYS_os_fault_with_payload
        SYS_pathconf SYS_proc_info SYS_readlink SYS_rename SYS_rmdir
        SYS_shm_open SYS_socket SYS_sysctl SYS_sysctlbyname SYS_thread_selfid
        SYS_umask SYS_workq_kernreturn SYS_workq_open))

;; ---- Mach trap filter ------------------------------------------------------
;; Same kill-on-violation shape as syscall-unix. NOTE(review): this deny has no
;; (with telemetry) modifier, unlike the syscall-unix deny; confirm whether the
;; difference is intended.
(deny syscall-mach (with send-signal SIGKILL) (with message "101396075-syscall-mach"))
(allow syscall-mach
    (machtrap-number
        MSC__kernelrpc_mach_port_allocate_trap
        MSC__kernelrpc_mach_port_construct_trap
        MSC__kernelrpc_mach_port_deallocate_trap
        MSC__kernelrpc_mach_port_destruct_trap
        MSC__kernelrpc_mach_port_guard_trap
        MSC__kernelrpc_mach_port_insert_right_trap
        MSC__kernelrpc_mach_port_insert_member_trap
        MSC__kernelrpc_mach_port_mod_refs_trap
        MSC__kernelrpc_mach_port_request_notification_trap
        MSC__kernelrpc_mach_port_type_trap
        MSC__kernelrpc_mach_vm_allocate_trap
        MSC__kernelrpc_mach_vm_deallocate_trap
        MSC__kernelrpc_mach_vm_map_trap
        MSC__kernelrpc_mach_vm_protect_trap
        MSC__kernelrpc_mach_vm_purgable_control_trap
        MSC_host_self_trap
        MSC_iokit_user_client_trap
        MSC_mach_generate_activity_id
        MSC_mach_msg2_trap
        MSC_mach_reply_port
        MSC_mk_timer_arm
        MSC_mk_timer_create
        MSC_semaphore_signal_trap
        MSC_semaphore_timedwait_trap
        MSC_semaphore_wait_trap
        MSC_syscall_thread_switch
        MSC_thread_get_special_reply_port)
    ;; This trap is allowed only when the apple-internal attribute matches.
    (require-all
        (system-attribute apple-internal)
        (machtrap-number MSC_task_dyld_process_info_notify_get)))

;; ---- MAC policy syscalls ---------------------------------------------------
(deny system-mac-syscall (with telemetry))
(allow system-mac-syscall (mac-policy-name "AMFI" "Quarantine" "Sandbox"))

;; ---- Kernel MIG routine filter ---------------------------------------------
;; Unlike syscall-unix and syscall-mach above, the blanket rule here is an
;; ALLOW with telemetry, not a deny.
;; NOTE(review): as written, nothing in this file blocks a MIG routine that is
;; missing from the list below; such calls appear to be reported only. Confirm
;; that this is a deliberate audit-only stage, and track the switch to a deny
;; once the telemetry is clean.
(allow syscall-mig (with telemetry) (with message "101396075-syscall-mig"))
(allow syscall-mig
    (kernel-mig-routine
        _mach_make_memory_entry clock_get_time host_get_io_master host_info
        io_connect_add_client io_connect_async_method io_connect_method
        io_connect_method_var_output io_iterator_is_valid io_iterator_next
        io_object_conforms_to io_registry_entry_create_iterator
        io_registry_entry_from_path io_registry_entry_get_child_iterator
        io_registry_entry_get_name_in_plane
        io_registry_entry_get_parent_iterator
        io_registry_entry_get_property_bin_buf
        io_registry_entry_get_registry_entry_id io_registry_get_root_entry
        io_server_version io_service_add_interest_notification_64
        io_service_add_notification_bin_64 io_service_get_matching_service_bin
        io_service_get_matching_services_bin io_service_open_extended
        mach_exception_raise mach_port_get_context_from_user mach_port_get_refs
        mach_port_is_connection_for_service mach_port_set_attributes
        mach_vm_copy mach_vm_map_external semaphore_create semaphore_destroy
        task_get_special_port_from_user task_info_from_user
        task_restartable_ranges_synchronize))
(with-filter (system-attribute apple-internal)
    (allow syscall-mig
        (kernel-mig-routine
            mach_port_deallocate mach_vm_remap_external task_threads_from_user
            thread_resume thread_suspend thread_terminate)))

;; ---- fcntl commands --------------------------------------------------------
(deny system-fcntl)
(allow system-fcntl
    (fcntl-command
        F_ADDFILESIGS_RETURN F_CHECK_LV F_GETFD F_GETPATH F_GETPROTECTIONCLASS
        F_GETSIGSINFO F_NOCACHE F_SETFD F_SPECULATIVE_READ))

;; ---- Code-signing queries --------------------------------------------------
;; Only the entitlements blob and the signing status may be read; the remaining
;; code-signing queries, and status-set, are denied explicitly.
(allow
    process-codesigning-entitlements-blob-get)
(allow process-codesigning-status-get)
(deny
    process-codesigning-blob-get
    process-codesigning-cdhash-get
    process-codesigning-identity-get
    process-codesigning-status-set
    process-codesigning-text-offset-get
    process-codesigning-teamid-get)
;; (with no-report): denied without generating a violation report.
(deny process-info-codesignature (with no-report))

;; NOTE(review): this unfiltered deny comes after the apple-internal rule that
;; allows file-ioctl on /dev/dtracehelper. If the later rule takes effect, that
;; earlier ioctl allowance is dead; confirm which outcome is intended.
;; SYS_ioctl is still in the syscall-unix allow list above.
(deny file-ioctl)

;; ---- Sandbox-extension-granted file access ---------------------------------
;; File access beyond the static paths above is reachable only through these
;; two extension classes.
(allow file-read* (extension "com.apple.app-sandbox.read"))
(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))
;; Additional Mach services this process may look up by global name.
(allow mach-lookup
    (global-name "com.apple.trustd.agent")
    (global-name "com.apple.audio.AudioComponentRegistrar")
    (global-name "com.apple.audio.SandboxHelper"))

;; ---- IOKit property reads --------------------------------------------------
;; Blanket deny, then per-registry-class allow lists of individual properties.
(deny iokit-get-properties)
(with-filter (iokit-registry-entry-class "AGXFamilyAccelerator")
    (allow iokit-get-properties
        (iokit-property
            "MetalPluginClassName" "MetalPluginName" "AAPL,slot-name"
            "IOAVDHEVCDecodeCapabilities" "IOGVAHEVCDecode" "SafeEjectRequested")))
(with-filter (iokit-registry-entry-class "AppleAVD")
    (allow iokit-get-properties
        (iokit-property "IOAVDHEVCDecodeCapabilities" "IOGVAHEVCDecode")))
(with-filter (iokit-registry-entry-class "AppleDiskImageDevice")
    (allow iokit-get-properties (iokit-property "DiskImageURL")))
(with-filter (iokit-registry-entry-class "AppleM2ScalerCSCDriver")
    (allow iokit-get-properties
        (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")))
(with-filter (iokit-registry-entry-class "IOBlockStorageDevice" "IOStorage")
    (allow iokit-get-properties
        (iokit-property "IOMediaIcon" "Protocol Characteristics")))
(with-filter (iokit-registry-entry-class "IOBufferCopyEngine")
    (allow iokit-get-properties
        (iokit-property "IOAVDHEVCDecodeCapabilities" "IOGVACodec" "IOGVAHEVCDecode")))
(with-filter (iokit-registry-entry-class "IOGraphicsAccelerator2")
    (allow iokit-get-properties
        (iokit-property
            "IODVDBundleName" "IOGVACodec" "IOGVAHEVCDecode" "IOVARendererID"
            "MetalPluginClassName" "MetalPluginName" "AAPL,slot-name"
            "IOAVDHEVCDecodeCapabilities" "IOPCIExpressLinkStatus"
            "SafeEjectRequested")))
(with-filter (iokit-registry-entry-class "IOHDIXHDDrive")
    (allow iokit-get-properties (iokit-property "image-path")))
(with-filter (iokit-registry-entry-class "IOMedia")
    (allow iokit-get-properties
        (iokit-property "Ejectable")
        (iokit-property "Removable")))
(with-filter (iokit-registry-entry-class "IOPCIDevice")
    (allow iokit-get-properties
        (iokit-property
            "AAPL,slot-name" "ATY,DeviceName" "ATY,FamilyName"
            "IOPCIExpressLinkStatus" "Thunderbolt Path" "built-in")))
(with-filter (iokit-registry-entry-class "IOPlatformDevice")
    (allow iokit-get-properties (iokit-property "soc-generation")))
(with-filter (iokit-registry-entry-class "IOSCSIProtocolInterface")
    (allow iokit-get-properties
        (iokit-property "Product Identification" "IOMediaIcon")))
(with-filter (iokit-registry-entry-class "IOThunderboltPort")
    (allow iokit-get-properties
        (iokit-property "Socket ID" "Supported Link Speed" "Supported Link Width")))
;; These two properties are allowed without a registry-entry-class filter.
(allow iokit-get-properties (iokit-property "board-id"))
(allow iokit-get-properties (iokit-property "IOClassNameOverride"))

;; ---- IOKit services and user clients ---------------------------------------
;; Opening a user client is denied unless its class is listed below, and each
;; listed class carries a message filter that pins the permitted external
;; method numbers. Treat any added class or method number as added kernel
;; driver attack surface when reviewing changes.
(deny iokit-open-user-client)
(deny iokit-open-service (with telemetry) (with message "101396075-iokit-open-service"))
(allow iokit-open-service
    (iokit-registry-entry-class-prefix "AGXAcceleratorG")
    (iokit-registry-entry-class
        "AppleJPEGDriver" "AppleM2ScalerCSCDriver" "IntelAccelerator"
        "IOSurfaceRoot"))
(allow iokit-open-user-client
    (iokit-user-client-class "IOAccelCommandQueue")
    (apply-message-filter
        (deny iokit-async-external-method)
        (allow iokit-async-external-method (iokit-method-number 0))
        (deny iokit-external-method)
        (allow iokit-external-method (iokit-method-number 1 2 5))))
(allow iokit-open-user-client
    (iokit-user-client-class "IOAccelDevice2")
    (apply-message-filter
        (deny iokit-external-method)
        (allow iokit-external-method (iokit-method-number 0 2 7 8 9 256))))
(allow iokit-open-user-client
    (iokit-user-client-class "IOAccelSharedUserClient2")
    (apply-message-filter
        (deny iokit-external-method)
        (allow iokit-external-method
            (iokit-method-number 0 1 4 7 8 9 10 12 259 268))))
;; NOTE(review): unlike IOAccelCommandQueue above, this filter has rules only
;; for iokit-async-external-method. Confirm what the message filter does by
;; default with synchronous external methods on this class, and add an explicit
;; (deny iokit-external-method) if it does not deny them.
(allow iokit-open-user-client
    (iokit-user-client-class "IGAccelCommandQueue")
    (apply-message-filter
        (deny iokit-async-external-method)
        (allow iokit-async-external-method (iokit-method-number 0))))
(allow iokit-open-user-client
    (iokit-user-client-class "IGAccelDevice")
    (apply-message-filter
        (deny iokit-external-method)
        (allow iokit-external-method
            (iokit-method-number 0 2 7 8 9 10 11 12 24))))
(allow iokit-open-user-client
    (iokit-user-client-class "IGAccelSharedUserClient")
    (apply-message-filter
        (deny iokit-external-method)
        (allow iokit-external-method
            (iokit-method-number 0 1 4 7 8 9 10 21 22))))
;; The method numbers below are not in ascending order in the original list.
(allow iokit-open-user-client
    (iokit-user-client-class "IOSurfaceRootUserClient")
    (apply-message-filter
        (deny iokit-external-method)
        (allow iokit-external-method
            (iokit-method-number 11 20 0 1 2 3 9 10 12 13 14 15 23 27 32 34 35 44))))