;;; Copyright (c) 2022 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Sandbox profile (SBPL) for com.apple.STExtractionService.  The profile is
;;; default-deny: every operation not explicitly allowed below is refused, so
;;; each (allow ...) form should be read as a deliberate widening of that base.

(version 1)

;; Default-deny; everything that follows is a narrowing exception.
(deny default)

;; Blanket denials stated up front.  Two of them (process-info* and
;; file-map-executable) are re-allowed for narrow cases further down;
;; nvram* is never re-allowed.
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

;; Base rule set shared by system services, plus the CoreFoundation rules.
(import "system.sb")
(import "com.apple.corefoundation.sb")
;; Applies the rule set supplied by the com.apple.corefoundation.sb import.
(corefoundation)

;;; Homedir-relative path filters.
;;; Each helper builds a path filter anchored at the HOME profile parameter.
;;; NOTE(review): none of these helpers is referenced by an active rule in this
;;; file; only home-subpath appears, inside the commented-out cache block below.
(define (home-regex home-relative-regex)
  (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))
(define (home-prefix home-relative-prefix)
  (prefix (string-append (param "HOME") home-relative-prefix)))
(define (home-literal home-relative-literal)
  (literal (string-append (param "HOME") home-relative-literal)))

;; Narrows the blanket process-info* deny above: the service may query itself.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
;; Unfiltered: metadata of any path may be read.
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;; To fetch/log name of clients
(allow process-info-pidinfo)

;; Allow access to preferences, limited to these two domains.
(allow user-preference-read user-preference-write
       (preference-domain "kCFPreferencesAnyApplication")
       (preference-domain "com.apple.STExtractionService"))

;; Read/write access to a temporary directory.
;; Both roots come from profile parameters supplied at apply time.
(allow file-read* file-write*
       (subpath (param "TMPDIR"))
       (subpath (param "DARWIN_CACHE_DIR")))

;; Allow the service to extract archives into paths for which it has received an extension.
(allow file-read* file-write*
       (extension "com.apple.STExtractionService"))

;; Allow the service to read the metadata of parent paths to resolve symlinks.
;; $$TODO$$ Not sure if this is needed since we allow file-read-metadata with no qualifications above
(allow file-read-metadata (extension-path-ancestor))

;; Allow loading extraction plugins from system and MobileAsset brain
;; On macOS, the MobileAsset brain gets mounted at a location with a UUID in the path:
;; /System/Volumes/Update/MobileAsset/MobileAssetBrain/
;; Then the extraction plugins must be in the subdirectory .../System/Library/StreamingExtractorPlugins
;; NOTE(review): this rule grants file-write* together with file-map-executable,
;; but its stated purpose is loading plugins, which needs read access; confirm
;; whether file-read* was intended here or is already provided by an import.
(allow file-write* file-map-executable
       (prefix "/System/Library/StreamingExtractorPlugins")
       (regex #"^/System/Volumes/Update/MobileAsset/MobileAssetBrain/.*/System/Library/StreamingExtractorPlugins"))

;; Allow fsctl(APFSIOC_GET_INTERNAL_FLAGS) for AppleArchive lib
;; (the rule also admits APFSIOC_FAST_PROMOTE_DATA and APFSIOC_PIN_DATA).
(allow system-fsctl
       (fsctl-command APFSIOC_GET_INTERNAL_FLAGS)
       (fsctl-command APFSIOC_FAST_PROMOTE_DATA)
       (fsctl-command APFSIOC_PIN_DATA))

;; Read/write cache access
;; TODO: Replace ${PRODUCT_BUNDLE_IDENTIFIER} with the actual bundle identifier.
;; (let ((cache-path-filter (home-subpath "/Library/Caches/${PRODUCT_BUNDLE_IDENTIFIER}")))
;;   (allow file-read* file-write* cache-path-filter)
;;   (allow file-issue-extension
;;          (require-all
;;            (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
;;            cache-path-filter)))

;; Allow looking up the Mobile Gestalt service
(allow mach-lookup (global-name "com.apple.mobilegestalt.xpc"))

;; Allow FairPlay operations, restricted to this one IOKit user-client class.
(allow iokit-open-user-client
       (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient"))