(version 1) (deny default) (deny file-map-executable process-info* nvram*) (import "system.sb") (import "com.apple.corefoundation.sb") (corefoundation) (define (home-subpath home-relative-subpath) (subpath (string-append (param "_HOME") home-relative-subpath))) (define (home-literal home-relative-literal) (literal (string-append (param "_HOME") home-relative-literal))) (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex))) (allow mach-register (global-name "com.apple.aps.appstoreagent") (global-name "com.apple.appstoreagent.legacy") (global-name "com.apple.appstoreagent.xpc") (global-name "com.apple.storekitservice")) (allow mach-lookup (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.adid") (global-name "com.apple.ak.anisette.xpc") (global-name "com.apple.ak.auth.xpc") (global-name "com.apple.ak.authorizationservices.xpc") (global-name "com.apple.amsprivateidentifiers") (global-name "com.apple.analyticsd") (global-name "com.apple.ap.adservicesd.statusconditionservice") (global-name "com.apple.appinstalld") (global-name "com.apple.AppSSO.service-xpc") (global-name "com.apple.appstored.xpc") (global-name "com.apple.apsd") (global-name "com.apple.askpermissiond") (global-name "com.apple.assertiond.processassertionconnection") (global-name "com.apple.AssetCacheLocatorService") (global-name "com.apple.backgroundassets.system") (global-name "com.apple.bird") (global-name "com.apple.biome.access.user") (global-name "com.apple.biome.PublicStreamAccessService") (global-name "com.apple.cache_delete") (global-name "com.apple.cache_delete.public") (global-name "com.apple.cfnetwork.AuthBrokerAgent") (global-name "com.apple.cfnetwork.cfnetworkagent") (global-name "com.apple.commerce") (global-name "com.apple.cookied") (global-name "com.apple.commcenter.coretelephony.xpc") (global-name "com.apple.containermanagerd") (global-name "com.apple.CoreAuthentication.agent") (global-name "com.apple.CoreAuthentication.agent.libxpc") (global-name "com.apple.coreservices.appleevents") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.CrashReporterSupportHelper") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.cvmsServ") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.dnssd.service") (global-name "com.apple.dock.appstore") (global-name "com.apple.dock.server") (global-name "com.apple.duetactivityscheduler") (global-name "com.apple.fpsd") (global-name "com.apple.fairplayd.versioned") (global-name "com.apple.gamed") (global-name "com.apple.GSSCred") (global-name "com.apple.installcoordinationd") (global-name "com.apple.installd") (global-name "com.apple.installd.Preflight") (global-name "com.apple.lsd.advertisingidentifiers") (global-name "com.apple.lsd.encryption") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.managedappdistributionagent.xpc.legacy") (global-name "com.apple.mdmclient.agent.unrestricted") (global-name "com.apple.mdmclient.daemon.unrestricted") (global-name "com.apple.metadata.mds") (global-name "com.apple.mobile.keybagd.xpc") (global-name "com.apple.mobile.keybagd.UserManager.xpc") (global-name "com.apple.mobile.usermanagerd.xpc") (global-name "com.apple.mobileactivationd") (global-name "com.apple.nehelper") (global-name "com.apple.nesessionmanager.content-filter") (global-name "com.apple.nfcd.hwmanager") (global-name "com.apple.nsurlsessiond") (global-name "com.apple.nsurlstorage-cache") (global-name "com.apple.ocspd") (global-name "com.apple.pasteboard.1") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.ProgressReporting") (global-name "com.apple.runningboard") (global-name "com.apple.securityd.xpc") (global-name "com.apple.SecurityServer") (global-name "com.apple.spaceattributiond") (global-name "com.apple.spotlight.IndexAgent") (global-name "com.apple.spotlight.IndexDelegateAgent") (global-name "com.apple.storagekitd") (global-name "com.apple.storeassetd") (global-name "com.apple.storedownloadd") (global-name "com.apple.storeuid") (global-name "com.apple.system.opendirectoryd.api") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.SystemConfiguration.DNSConfiguration") (global-name "com.apple.system_installd") (global-name "com.apple.tccd.system") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.uninstalld") (global-name "com.apple.uninstall.service") (global-name "com.apple.usernoted.daemon_client") (global-name "com.apple.usernotifications.usernotificationservice") (global-name "com.apple.usernotifications.listener") (global-name "com.apple.usymptomsd") (global-name "com.apple.windowserver.active") (global-name "com.apple.xpc.amsaccountsd") (global-name "com.apple.xpc.amsengagementd") (global-name "com.apple.xpc.amstoold")) (allow file-read-metadata) (allow user-preference-read (preference-domain "com.apple.AppleMediaServices") (preference-domain "com.apple.appstored") (preference-domain "com.apple.backgroundassets") (preference-domain "com.apple.commerce") (preference-domain "com.apple.gamecenter") (preference-domain "com.apple.iclouddrive.features")) (allow user-preference-write (preference-domain "com.apple.AppleMediaServices") (preference-domain "com.apple.appstored")) (allow file-read* (literal "/usr/libexec/mdmclient") (literal "/Applications") (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") (literal "/private/etc/services") (literal "/private/var/db/nsurlstoraged/dafsaData.bin") (literal "/Library/Application Support/App Store/adoption.plist") (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist") (literal "/Library/Preferences/com.apple.networkd.plist") (literal "/Library/Preferences/com.apple.networkextension.uuidcache.plist") (mount-relative-subpath "/") (regex #"\.app(/|$)") (regex #"\.appdownload(/|$)") (regex #"/Library/Caches/com\.apple\.AppleMediaServices") (regex #"/Library/Preferences/.GlobalPreferences.plist$") (regex #"/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$") (regex #"/Library/Preferences/com\.apple\.LaunchServices/com\.apple\.launchservices\.secure\.plist$") (regex #"/Library/Preferences/com\.apple\.security\.plist") (subpath "/Library/InstallerSandboxes") (subpath "/System/Applications/App Store.app") (subpath "/System/Library/Caches/OnDemandResources/AssetPacks/") (subpath "/Users/Shared") (subpath "/usr/local/bin")) (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write") (extension "com.apple.sandbox.application-group") (literal "/Library/Logs/ManagedClient/ManagedClient.log") (literal "/private/var/tmp/_Error_Occurrences.plist") (subpath "/Library/AppStore") (subpath "/private/var/db/installcoordinationd") (subpath "/Users/Shared/adi") (subpath "/Users/Shared/SC Info") (subpath (param "_DARWIN_USER_CACHE_DIR")) (subpath (param "_DARWIN_USER_TEMP_DIR")) (mount-relative-regex #"^/\.AppInstallationStaging(/|$)") (mount-relative-regex #"^/\.AppStoreSandbox(/|$)") (mount-relative-regex #"^/\.TemporaryItems(/|$)") (home-regex #"/Library/Containers/[^/]+/Data/(Library/Caches/)?StoreKit(/|$)") (home-subpath "/Library/com.apple.AppleMediaServices") (home-subpath "/Library/Caches/com.apple.AppleMediaServices/") (regex #"/Library/Caches/com\.apple\.AppleMediaServices") (regex #"/Library/Caches/com\.apple\.appstoreagent") (regex #"/Library/HTTPStorages/com\.apple\.appstoreagent") (regex #"/Library/Logs/com\.apple\.StoreServices")) (allow file-read* file-write* (require-all (vnode-type DIRECTORY) (require-any (mount-relative-regex #"^/Applications/.*\.appdownload(/Contents)?$") (regex #"\.app/Contents/_MASReceipt$"))) (require-all (vnode-type REGULAR-FILE) (require-any (mount-relative-regex #"\.appdownload/Contents/placeholderinfo$") (mount-relative-regex #"\.appdownload/Icon") (regex #"\.app/Contents/_MASReceipt/receipt$"))) (mount-relative-literal "/Applications") (mount-relative-literal "/.TemporaryItems") (mount-relative-regex #"^/\.TemporaryItems/folders.[0-9]+(/|$)") ) (allow file-read-xattr (regex #"\.app(/|$)")) (allow file-issue-extension (subpath "/private/var/db/installcoordinationd") (regex #"/Library/Caches/com\.apple\.AppleMediaServices") (regex #"/Library/Caches/com\.apple\.appstoreagent")) (allow file-issue-extension (require-any (require-all (subpath "/System/Library/Caches/OnDemandResources/AssetPacks/") (extension-class "com.apple.odr-assets")) (extension-class "com.apple.StreamingUnzipService"))) (allow file-map-executable (literal "/System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/MCXToolsInterface.bundle/Contents/MacOS/MCXToolsInterface")) (allow system-fsctl (fsctl-command APFSIOC_SNAP_LOOKUP)) ;; This is used for ODR to enable dir stats before marking a directory as purgeable (allow system-fsctl (fsctl-command APFSIOC_MAINTAIN_DIR_STATS)) (allow ipc-posix-shm-read-data (ipc-posix-name "/com.apple.AppSSO.version") (ipc-posix-name "FNetwork.defaultStorageSession") (ipc-posix-name-prefix "/tmp/com.apple.csseed.")) (allow ipc-posix-shm-read* ipc-posix-shm-write* (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow authorization-right-obtain (right-name "com.apple.uninstalld.uninstall") (right-name "system.install.apple-config-data") (right-name "system.install.apple-software") (right-name "system.install.apple-software.standard-user") (right-name "system.install.app-store-software") (right-name "system.install.app-store-software.standard-user") (right-name "system.install.software") (right-name "system.install.software.iap") (right-name "system.install.software.mdm-provided")) (allow iokit-open* (iokit-user-client-class "AGXDeviceUserClient") (iokit-user-client-class "AppleJPEGDriverUserClient") (iokit-user-client-class "AppleKeyStoreUserClient") (iokit-user-client-class "BootPolicyUserClient") (iokit-user-client-class "IOSurfaceRootUserClient")) (allow nvram-get) (allow process-info-pidinfo) (allow process-info-setcontrol (target self)) (allow sysctl-read sysctl-write (sysctl-name "kern.tcsm_enable") (sysctl-name "kern.hv_vmm_present")) (allow distributed-notification-post) (allow lsopen) (allow network-outbound) (allow system-socket) (with-filter (system-attribute apple-internal) (allow sysctl-write (sysctl-name "vm.task_no_footprint_for_debug"))) ;; mds: mds.lock, mdsDirectory.db, mdsObject.db ;; 1. extension "appstoreagent:mds" ;; uid == 0: r+w /private/var/db/mds/system ;; uid > 0: r+w <_DARWIN_USER_CACHE_DIR>/mds ;; 2. /private/var/db/mds/system/{mdsDirectory.db,mdsObject.db} ;; uid == 0: r+w (already covered by (extension "appstoreagent:mds")) ;; uid > 0: r (allow file-read* file-write* (extension "appstoreagent:mds")) (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db")) ;; 3. se_SecurityMessages: ;; uid < 500: /private/var/db/mds/messages/se_SecurityMessages ;; uid >= 500: /private/var/db/mds/messages//se_SecurityMessages (allow file-read* (literal (param "_SECURITY_MESSAGES_FILE"))) ;; ;; FairPlay DLL Support. See rdar://problem/54211948 ;; Please do not append to this section unless it is specifically for FairPlay (allow file-read* (subpath "/bin") (subpath "/etc") (subpath "/private/etc") (subpath "/private/tmp") (subpath "/private/var/log") (subpath "/private/var/run") (subpath "/Library/Updates") (subpath "/sbin") (subpath "/System/Library/Caches") (subpath "/tmp") (subpath "/usr/lib") (subpath "/var/log") (subpath "/var/run") (subpath (param "_HOME")))