;;; Copyright (c) 2020 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. ;;; (version 1) ;; Training wheels (allow = ON) (deny = OFF) (deny default) (deny file-map-executable process-info* nvram*) (deny dynamic-code-generation) (import "system.sb") (import "com.apple.corefoundation.sb") (corefoundation) ;;; Homedir-relative path filters (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex))) (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME") home-relative-subpath))) (define (home-prefix home-relative-prefix) (prefix (string-append (param "HOME") home-relative-prefix))) (define (home-literal home-relative-literal) (literal (string-append (param "HOME") home-relative-literal))) (define (enterprise-context-regex enterprise-context-relative-regex) (regex (string-append "^/Volumes/[^/]+/Library/Daemon Containers/[^/]+/Data" enterprise-context-relative-regex))) (allow process-info* (target self)) (allow process-info-pidinfo) (allow distributed-notification-post) ;; Networking (system-network) (allow system-socket) (allow network-outbound) ;; For validating client entitlements. (allow process-info-codesignature) ;; File read/write (allow file-read-metadata) (allow file-read-data) (allow file-read* file-write* (subpath (param "TMPDIR")) (subpath (param "DARWIN_CACHE_DIR")) (literal "/Library/Keychains/System.keychain") (home-literal "/Library/Keychains/login.keychain-db") (home-subpath "/Library/Application Support/com.apple.akd") (enterprise-context-regex #"/com\.apple\.akd") (home-subpath "/Library/HTTPStorages") (home-subpath "/Library/HTTPStorages/HTTPStorages/com.apple.akd") ) (allow file-read* (literal (param "SECURITY_MESSAGES")) (subpath "/private/var/db/mds/system") ) (allow file-read-data (literal "/usr/libexec" "/usr/libexec/sharingd" ) (subpath "/private/var/db/os_eligibility/eligibility.plist" "/private/var/db/eligibilityd/eligibility.plist" ) ) ;; Opening pref pane (allow lsopen) ;; Read/write cache access (let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.akd"))) (allow file-read* file-write* cache-path-filter) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") cache-path-filter))) ;; Read/write cache access Apple Media Services (let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.AppleMediaServices"))) (allow file-read* file-write* cache-path-filter) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") cache-path-filter))) ;; NVRAM (allow nvram-get (nvram-variable "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB" "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM" ) ) ;; IOKit (allow iokit-get-properties) (allow iokit-open (iokit-registry-entry-class "AppleKeyStoreUserClient") (iokit-user-client-class "AppleNVMeEANUC" "AvpFairPlayUserClient" ) ) ;; IPC (allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data (ipc-posix-name "com.apple.AppleDatabaseChanged" "FNetwork.defaultStorageSession" ) ) ;; Mach-lookup (allow mach-lookup (global-name "com.apple.accountsd.accountmanager" "com.apple.adid" "com.apple.ak.anisette.xpc" "com.apple.ak.auth.xpc" "com.apple.ak.custodian.xpc" "com.apple.ak.privateemail.xpc" "com.apple.ak.puffin.xpc" "com.apple.ak.appleidpasskey.xpc" "com.apple.ak.signinwithapple.xpc" "com.apple.ak.symmetrickey.xpc" "com.apple.analyticsd" "com.apple.AppSSO.service-xpc" "com.apple.apsd" "com.apple.appstorecomponentsd.xpc" "com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" "com.apple.awdd" "com.apple.cdp.daemon" "com.apple.containermanagerd" "com.apple.cookied" "com.apple.corefollowup.agent" "com.apple.CoreServices.coreservicesd" "com.apple.coreservices.quarantine-resolver" "com.apple.cfnetwork.cfnetworkagent" "com.apple.DiskArbitration.diskarbitrationd" "com.apple.diskmanagementd" "com.apple.dnssd.service" "com.apple.iconservices" "com.apple.iconservices.store" "com.apple.lsd.mapdb" "com.apple.mdmclient.agent" "com.apple.mdmclient.daemon" "com.apple.mdmclient.agent.unrestricted" "com.apple.mdmclient.daemon.unrestricted" "com.apple.mobile.keybagd.xpc" "com.apple.mobile.keybagd.UserManager.xpc" "com.apple.mobile.usermanagerd.xpc" "com.apple.nsurlstorage-cache" "com.apple.pluginkit.pkd" "com.apple.security.kcsharing" "com.apple.security.octagon" "com.apple.securityd.xpc" "com.apple.SecurityServer" "com.apple.SharedWebCredentials" "com.apple.storagekitd" "com.apple.system.opendirectoryd.api" "com.apple.SystemConfiguration.configd" "com.apple.SystemConfiguration.DNSConfiguration" "com.apple.UNCUserNotification" "com.apple.usernoted.daemon_client" "com.apple.windowserver.active" "com.apple.xpc.amsengagementd" "com.apple.nesessionmanager.content-filter" "com.apple.ak.walrus.xpc" "com.apple.devicecheckd" "com.apple.xpc.amsaccountsd" "com.apple.remoted" "com.apple.bluetooth.xpc" "com.apple.server.bluetooth.le.att.xpc" "com.apple.PairingManager" "com.apple.tccd" "com.apple.tccd.system" "com.apple.timed.xpc" "com.apple.mobileactivationd" "com.apple.CoreAuthentication.agent" "com.apple.CoreAuthentication.agent.libxpc" "com.apple.CoreAuthentication.daemon" "com.apple.CoreAuthentication.daemon.libxpc" "com.apple.ctkd.token-client" "com.apple.metadata.mds" "com.apple.securityd.systemkeychain" ) ) ;; Mach-register (allow mach-register (global-name "com.apple.ak.aps") ) ;; User Preferences (allow user-preference-read (preference-domain "com.apple.CFNetwork" "com.apple.CoreServicesInternal" "com.apple.GEO" "com.apple.ImageIO" "com.apple.mdmclient" "com.apple.nsurlcache" "com.apple.security" ) ) (allow user-preference-read user-preference-write (preference-domain "com.apple.akd" "com.apple.AuthKit" "com.apple.AuthKit.AgeRangeSettingsCache" "com.apple.itunesstored" "com.apple.AppleMediaServices" "kCFPreferencesAnyApplication" ) ) ;; Misc (allow file-map-executable (subpath "/System/Library/CoreServices/RawCamera.bundle") (literal "/System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/MCXToolsInterface.bundle/Contents/MacOS/MCXToolsInterface") )