;;; Copyright (c) 2020 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. ;;; (version 1) (import "system.sb") ;;; Denials ;; Swap these in for debugging ; (allow (with report) default) ; (allow (with report) file-map-executable iokit-get-properties process-info* nvram*) ; (allow (with report) dynamic-code-generation) (deny default) (deny file-map-executable iokit-get-properties nvram*) (deny dynamic-code-generation) ;;; Constants (define home-path (param "HOME_DIR")) (define temp-path (param "TEMP_DIR")) (define cache-path (param "CACHE_DIR")) ;;; Functions (define (home-subpath home-relative-subpath) (subpath (string-append home-path home-relative-subpath))) ;;; Permissions ; Because of an issue with NetworkExtensions, helper-processes of Chromium-based apps are not considered as part of its "effective application". ; To workaround, we crawl assessment app's bundle and build network rules based on any executable we find. This means we need to be able to read from anywhere (allow file-read*) (allow process-info-dirtycontrol (target self)) (allow process-info-pidinfo (target self)) (allow iokit-get-properties) (allow iokit-set-properties (iokit-property "HIDParameters")) (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient")) (allow user-preference-read user-preference-write (preference-domain "com.apple.driver.AppleBluetoothMultitouch.trackpad") (preference-domain "com.apple.AppleMultitouchTrackpad") (preference-domain "com.apple.assessmentmode") (preference-domain "assessmentagent") (preference-domain "kCFPreferencesAnyApplication")) (allow file-map-executable (literal "/System/Library/CoreServices/ManagedClient.app/Contents/PlugIns/MCXToolsInterface.bundle/Contents/MacOS/MCXToolsInterface")) (allow file-write* (home-subpath "/Library/Containers/com.apple.assessmentagent") (home-subpath "/Library/Preferences/.GlobalPreferences.plist") (home-subpath "/Library/Preferences/com.apple.AppleMultitouchTrackpad.plist") (home-subpath "/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad.plist") (subpath temp-path)) (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.mediaremoted.xpc") (global-name "com.apple.mdmclient.agent") (global-name "com.apple.mdmclient.daemon") (global-name "com.apple.mdmclient.agent.unrestricted") (global-name "com.apple.mdmclient.daemon.unrestricted") (global-name "com.apple.nehelper") (global-name "com.apple.pasteboard.1") (global-name "com.apple.siri.invoke") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.windowserver.active") (global-name "com.apple.BezelServices") (global-name "com.apple.iohideventsystem") (global-name "com.apple.security.syspolicy") (global-name-regex #"^com\.apple\.distributed_notifications") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.replayd") (global-name "com.apple.audio.SystemSoundServer-OSX")) (allow mach-register (global-name "com.apple.screencapture.interactive")) (allow distributed-notification-post) (allow process-fork) (allow process-exec (literal "/usr/sbin/screencapture")) (allow iokit-open-user-client (iokit-user-client-class "AppleAVE2UserClient") (iokit-user-client-class "IOSurfaceRootUserClient") (iokit-user-client-class "AGXDeviceUserClient") (iokit-user-client-class "IOSurfaceAcceleratorClient") (iokit-user-client-class "AppleKeyStoreUserClient")) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath "/usr/sbin")))