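;;; Copyright (c) 2020 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Sandbox profile for the service whose preference domain and cache
;;; directory are named "com.apple.UARPUpdaterServiceUSBPD" below.
;;;
;;; Layout note: every rule sits on its own line. A ";" comment runs to the
;;; end of the line, so a rule that shares a line with a preceding comment is
;;; not parsed as a rule.
(version 1)

;;; Training wheels ON...
;;; NOTE(review): the profile is in report-only mode. The default action is
;;; "allow", so any operation not matched by a deny rule is permitted; the
;;; "(with report)" modifier asks for those operations to be reported. The
;;; allow rules further down therefore do not restrict the service yet;
;;; presumably they are the candidate allow-list, and the reports show what
;;; is still missing from it. Enforcement starts only when the three allow
;;; rules below are swapped for the commented-out deny rules.
(allow (with report) default)
(allow (with report) file-map-executable iokit-get-properties process-info* nvram*)
(allow (with report) dynamic-code-generation)

;;; Training wheels OFF...
;;; (deny default)
;;; (deny file-map-executable iokit-get-properties process-info* nvram*)
;;; (deny dynamic-code-generation)

;;; The only deny rule in this file; it applies even in report-only mode.
(deny mach-priv-host-port)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Path-filter helpers rooted at the HOME parameter supplied when the profile
;;; is applied. Only home-regex quotes HOME, because it is the only helper
;;; that builds a regular expression; the others build literal path filters.
;;; Only home-subpath is used by the rules in this file.
(define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex))
)
(define (home-subpath home-relative-subpath)
    (subpath (string-append (param "HOME") home-relative-subpath))
)
(define (home-prefix home-relative-prefix)
    (prefix (string-append (param "HOME") home-relative-prefix))
)
(define (home-literal home-relative-literal)
    (literal (string-append (param "HOME") home-relative-literal))
)

;;; Process introspection is limited to the service itself, apart from the
;;; code-signature query, which carries no target filter.
(allow process-info* (target self))

;;; Metadata reads (stat-style lookups) are allowed on any path.
(allow file-read-metadata)

(allow process-info-codesignature)

;;; The service's own preference domain.
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.UARPUpdaterServiceUSBPD")
)

;;; Read-write access to the temporary directory passed in as TMPDIR.
(allow file-read* file-write*
    (subpath (param "TMPDIR"))
)

;;; Per-user cache directory. Sandbox extensions may be issued only for paths
;;; inside that same directory, and only in the two listed classes.
(let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.UARPUpdaterServiceUSBPD")))
    (allow file-read* file-write* cache-path-filter)
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
            cache-path-filter
        )
    )
)

;;; Read-write access to state directories under /private/var.
;;; "/private/var/db/accessoryupdater/" appeared twice in the original list
;;; and is listed once here; the filters of a rule are alternatives, so the
;;; permitted set is unchanged.
;;; NOTE(review): these are whole subtrees with write access, and the names
;;; suggest some belong to other components. Confirm that each one needs
;;; file-write* before enforcement is switched on.
(allow file-read* file-write*
    (subpath "/private/var/db/fud/")
    (subpath "/private/var/db/accessoryupdater/")
    (subpath "/private/var/run/fudinit/")
    (subpath "/private/var/db/mds/")
    (subpath "/private/var/db/com.apple.MobileAccessoryUpdater/")
)

;;; Mach services the service may look up.
(allow mach-lookup
    (global-name "com.apple.accessories.externalaccessory-server")
    (global-name "com.apple.corespeech.corespeechservices")
    (global-name "com.apple.mobileassetd")
    (global-name "com.apple.mobileassetd.v2")
    (global-name "com.apple.iokit.powerdxpc")
    (global-name "com.apple.PowerManagement.control")
)

(allow iokit-get-properties
    (iokit-property "IOConsoleUsers")
    (iokit-property "AdapterDetails")
)

;;; NOTE(review): user-preference* covers writes as well as reads. The third
;;; domain is the literal string "kCFPreferencesAnyApplication"; if it
;;; resolves to the any-application (global) domain, this rule lets the
;;; service write preferences that other applications read. Confirm whether
;;; user-preference-read is sufficient for that domain.
(allow user-preference*
    (preference-domain "com.apple.mobileaccessoryupdater")
    (preference-domain "com.apple.MobileAccessoryUpdater")
    (preference-domain "kCFPreferencesAnyApplication")
)

(allow mach-lookup
    (global-name "com.apple.accessoryupdater.uarp")
)

;;; The only IOKit user client the service may open.
(allow iokit-open
    (iokit-user-client-class "IOHIDLibUserClient")
)

(allow mach-lookup
    (global-name "com.apple.ckdiscretionaryd")
    (global-name "com.apple.cloudd")
)

;;; The debug variants of the two services above are reachable only when the
;;; apple-internal system attribute is set.
(with-filter (system-attribute apple-internal)
    (allow mach-lookup
        (global-name "com.apple.ckdiscretionaryd.debug")
        (global-name "com.apple.cloudd.debug")
    )
)

;;; IOKit registry properties the service may read. Entries the original list
;;; repeated ("DeviceUsagePairs", "Transport", "IOCFPlugInTypes", "Active",
;;; "AuthenticationRequired", "AuthenticationStatus") are listed once; the
;;; permitted set is unchanged.
(allow iokit-get-properties
    (iokit-property "OSKernelCPUType")
    (iokit-property "OSKernelCPUSubtype")
    (iokit-property "HIDDefaultBehavior")
    (iokit-property "IOUserClass")
    (iokit-property "bInterfaceClass")
    (iokit-property "bInterfaceSubClass")
    (iokit-property "IOProviderClass")
    (iokit-property "IOUserServerName")
    (iokit-property "IOProbeScore")
    (iokit-property "CFBundleIdentifier")
    (iokit-property "IOUserServerCDHash")
    (iokit-property "IOClass")
    (iokit-property "CFBundleIdentifierKernel")
    (iokit-property "IOMatchedPersonality")
    (iokit-property "IOServiceDEXTEntitlements")
    (iokit-property "RegisterService")
    (iokit-property "IOMatchCategory")
    (iokit-property "ReportInterval")
    (iokit-property "VendorID")
    (iokit-property "ProductID")
    (iokit-property "Transport")
    (iokit-property "VersionNumber")
    (iokit-property "CountryCode")
    (iokit-property "RequestTimeout")
    (iokit-property "LocationID")
    (iokit-property "Manufacturer")
    (iokit-property "Product")
    (iokit-property "SerialNumber")
    (iokit-property "ReportDescriptor")
    (iokit-property "HIDDKStart")
    (iokit-property "DebugState")
    (iokit-property "MaxInputReportSize")
    (iokit-property "MaxOutputReportSize")
    (iokit-property "MaxFeatureReportSize")
    (iokit-property "Elements")
    (iokit-property "InputReportElements")
    (iokit-property "PrimaryUsage")
    (iokit-property "PrimaryUsagePage")
    (iokit-property "DeviceUsagePairs")
    (iokit-property "BootProtocol")
    (iokit-property "IOPowerManagement")
    (iokit-property "IOCFPlugInTypes")
    (iokit-property "IOUserClientClass")
    (iokit-property "RequiresTCCAuthorization")
    (iokit-property "DeviceUsagePage")
    (iokit-property "HIDVirtualDevice")
    (iokit-property "Privileged")
    (iokit-property "DeviceUsage")
    (iokit-property "PredefinedMetadataKeys")
    (iokit-property "IOPortTransportStateCC")
    (iokit-property "Metadata")
    (iokit-property "TransportDescription")
    (iokit-property "TransportType")
    (iokit-property "TransportTypeDescription")
    (iokit-property "Index")
    (iokit-property "Tunneled")
    (iokit-property "Active")
    (iokit-property "ParentPortType")
    (iokit-property "ParentPortTypeDescription")
    (iokit-property "ParentPortNumber")
    (iokit-property "ParentPortBuiltIn")
    (iokit-property "ParentBuiltInPortType")
    (iokit-property "ParentBuiltInPortTypeDescription")
    (iokit-property "ParentBuiltInPortNumber")
    (iokit-property "DriverStatus")
    (iokit-property "DriverStatusDescription")
    (iokit-property "AuthenticationRequired")
    (iokit-property "AuthenticationStatus")
    (iokit-property "AuthenticationStatusDescription")
    (iokit-property "AuthenticationTimeoutS")
    (iokit-property "AuthorizationRequired")
    (iokit-property "AuthorizationStatus")
    (iokit-property "AuthorizationStatusDescription")
    (iokit-property "TRM_TransportSupervised")
    (iokit-property "HashStatus")
    (iokit-property "HashStatusDescription")
    (iokit-property "IOGeneralInterest")
    (iokit-property "Vendor ID (SOP1)")
    (iokit-property "Product ID (SOP1)")
)

;;; Executable mappings are allowed only from inside the IOHIDFamily kext
;;; bundle directory.
(allow file-map-executable
    (subpath "/System/Library/Extensions/IOHIDFamily.kext/")
)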