;;; ;;; Sandbox profile for /usr/libexec/avconferencd ;;; ;;; Copyright (c) 2016 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. The contents of this file are also auto-generated and ;;; not user editable; it may be overwritten at any time. (version 1) (deny default) (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex))) (define regex-home home-regex) (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME_DIR") home-relative-subpath))) (define (home-literal home-relative-literal) (literal (string-append (param "HOME_DIR") home-relative-literal))) (import "system.sb") (system-graphics) (system-network) (import "com.apple.corefoundation.sb") (corefoundation) (with-filter (system-attribute apple-internal) (allow file-read-data file-map-executable (subpath "/usr/local/lib"))) (allow file-read-data (literal "/Library/Preferences/.GlobalPreferences.plist") (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences") (home-subpath "/Library/Preferences/.GlobalPreferences.plist")) (allow file-read* (literal "/") (literal "/Library/Keychains/apsd.keychain") (literal "/Library/Preferences/com.apple.security.plist") (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist") (subpath "/Library/CoreMediaIO/Plug-Ins/DAL") (subpath "/AppleInternal/Library/Audio") (subpath "/Library/Apple/Audio/Plug-Ins/HAL") (subpath "/private/tmp/vp/inject") (subpath "/usr/libexec") (extension "com.apple.app-sandbox.read")) ;; support consuming com.apple.app-sandbox.read adhoc extensions (allow file-read-metadata (subpath "/")) (allow file-read* file-write* (home-subpath "/Library/Caches/com.apple.VideoConference") (home-subpath "/Library/Logs/CrashReporter/VideoProcessing") (home-subpath "/Library/Logs/DiagnosticReports") (home-regex #"/Library/Preferences/ByHost/com\.apple\.Bluetooth\..*\.plist$") (subpath (param "DARWIN_USER_TEMP_DIR")) (subpath (param "DARWIN_USER_CACHE_DIR")) (subpath "/private/var/db/mds") (subpath "/private/tmp/AudioCapture") (subpath "/private/var/tmp/AVConference") (subpath "/private/tmp/AudioCapture/VP") (subpath "/private/tmp/vcp") (subpath "/Library/Keychains") (subpath "/private/var/tmp") (subpath (string-append (param "HOME_DIR") "/Library/Biome")) (extension "com.apple.app-sandbox.read-write")) ;; support consuming com.apple.app-sandbox.read-write adhoc extensions (allow file-issue-extension (require-all (extension-class "com.apple.rtcreporting.upload") (home-subpath "/Library/Caches/com.apple.VideoConference/logs"))) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath (param "DARWIN_USER_TEMP_DIR")))) (allow user-preference-read (preference-domain "com.apple.VideoConference") (preference-domain "com.apple.coremedia") (preference-domain "com.apple.security") (preference-domain "com.apple.facetime.bag") (preference-domain "com.apple.cmio") (preference-domain "com.apple.avfoundation") (preference-domain "com.apple.VideoProcessing") (preference-domain "com.apple.registration")) (allow user-preference-read user-preference-write (preference-domain "com.apple.FaceTime") (preference-domain "com.apple.facetime") (preference-domain "com.apple.FaceTime.controlcenter") (preference-domain "com.apple.coreaudio")) (allow device-camera) (allow iokit-open (iokit-user-client-class "IOUSBDeviceUserClientV2") (iokit-user-client-class "IOUSBInterfaceUserClientV2") (iokit-user-client-class "H11ANEInDirectPathClient") (iokit-user-client-class "IOUserUserClient") (iokit-user-client-class "IO80211APIUserClient") (iokit-user-client-class "IOTimeSyncClockManagerUserClient") (iokit-user-client-class "IOTimeSyncUserClient") (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient") (iokit-user-client-class "IOTimeSyncDomainUserClient") (iokit-user-client-class "IOTimeSyncNetworkPortUserClient") (iokit-user-client-class "AppleVideoToolboxParavirtualizationUserClient")) (allow device-microphone) (allow iokit-open (iokit-registry-entry-class "IGAccelDevice") (iokit-registry-entry-class "IGAccelSharedUserClient") (iokit-registry-entry-class "IGAccelVideoContextMain") (iokit-registry-entry-class "IGAccelVideoContextMedia") (iokit-registry-entry-class "IGAccelVideoContextVEBox") (iokit-registry-entry-class "IOAudioControlUserClient") (iokit-registry-entry-class "IOAudioEngineUserClient") (iokit-registry-entry-class "RootDomainUserClient") (iokit-registry-entry-class "AppleAVE2UserClient") (iokit-registry-entry-class "IOBluetoothHCIUserClient") (iokit-registry-entry-class "H11ANEInDirectPathClient")) (allow mach-lookup (global-name "com.apple.triald.namespace-management") (global-name "com.apple.AirPlayXPCHelper") (global-name "com.apple.symptom_diagnostics") (global-name "com.apple.SystemConfiguration.NetworkInformation") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.apsd") (global-name "com.apple.applecamerad") (global-name "com.apple.CARenderServer") (global-name "com.apple.airportd") (global-name "com.apple.audioanalyticsd") (global-name "com.apple.audio.audiohald") (global-name "com.apple.audio.AudioSession") (global-name "com.apple.cmio.AppleCameraAssistant") (global-name "com.apple.cmio.VDCAssistant") (global-name "com.apple.cmio.IIDCVideoAssistant") (global-name "com.apple.cmio.AVCAssistant") (global-name "com.apple.cmio.iOSScreenCaptureAssistant") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.identityservicesd.desktop.auth") (global-name "com.apple.logind") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.marco") (global-name "com.apple.private.corewifi-xpc") (global-name "com.apple.remoted") (global-name "com.apple.rtcreportingd") (global-name "com.apple.windowserver.active") (global-name "com.apple.SecurityServer") (global-name "com.apple.securityd.xpc") (global-name "com.apple.WirelessCoexManager") (global-name "com.apple.audio.AudioComponentRegistrar") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.mediaanalysisd.realtime") (global-name "com.apple.spindump") (global-name "com.apple.audio.session-manager") (global-name "com.apple.coremedia.virtualdisplaycg") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.cmio.registerassistantservice") (global-name "com.apple.cmio.registerassistantservice.system-extensions") (global-name "com.apple.appleh13camerad") (global-name "com.apple.appleneuralengine") (global-name "com.apple.biome.PublicStreamAccessService") (global-name "com.apple.biome.compute.source.user") (global-name "com.apple.relatived.tempest") (global-name "com.apple.timesync.expositor") (global-name "com.apple.timesync.manager") (global-name "com.apple.timesync.ptp.manager") (global-name "com.apple.replayd") (global-name "com.apple.replaykit.sharingsession") (global-name "com.apple.replaykit.sharingsession.notification") (global-name "com.apple.wifip2pd") (global-name "com.apple.spindump") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.tailspind") (global-name "com.apple.audio.driver-registrar") (global-name "com.apple.translationd") (global-name "com.apple.videoconference.speechtranslation") (global-name "com.apple.sirittsd")) (allow network-inbound (local tcp "*:*") (local udp "*:*")) (allow network-outbound (literal "/private/var/run/mDNSResponder") (remote tcp "*:*") (remote udp "*:*")) (allow ipc-posix-shm-read-data (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$") (ipc-posix-name-regex #"^AudioIO") (ipc-posix-name "FNetwork.defaultStorageSession") (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow ipc-posix-shm-write-data (ipc-posix-name-regex #"^AudioIO") (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow ipc-posix-shm-read-metadata (ipc-posix-name-regex #"^AudioIO")) ;; Allow read-only access to $HOME/Library/Trial (allow file-read* (home-subpath "/Library/Trial")) ;; Allow OSALog upload (allow file-issue-extension (require-all (extension-class "com.apple.osanalytics-sandbox.read-write") (home-subpath "/Library/Logs/DiagnosticReports/")))