;; Copyright (c) 2017 Apple Inc. All Rights reserved. ;; ;; WARNING: The sandbox rules in this file currently constitute ;; Apple System Private Interface and are subject to change at any time and ;; without notice. ;; (version 1) (deny default) (import "system.sb") (import "com.apple.corefoundation.sb") ;;; initialize CF sandbox actions (corefoundation) (system-network) (allow network-outbound (literal "/private/var/run/usbmuxd") (literal "/private/var/run/mDNSResponder") (control-name "com.apple.network.statistics") (control-name "com.apple.netsrc") (remote ip) ) (allow network-inbound ) (allow network-bind (remote ip)) ;; For resolving symlinks, realpath(3), and equivalents. (allow file-read-metadata) (allow nvram-get (nvram-variable "BSD Name")) (allow process-info* (target self)) ;; For validating the entitlements of clients. (allow process-info-codesignature) (allow file-read* (subpath "/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources") (subpath "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources") (subpath "/private/var/db/mds") (subpath "/Library/Audio/Plug-Ins/HAL") ) (allow file-write* (literal "/private/var/db/mds/system/mds.lock") (subpath "/private/tmp") ) ;; From com.apple.AirPlayXPCHelper (allow iokit-open (iokit-user-client-class "IOAudioControlUserClient") (iokit-user-client-class "IOAudioEngineUserClient") (iokit-user-client-class "IOAudio2DeviceUserClient") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "IOReportUserClient") (iokit-user-client-class "IOBluetoothHCIUserClient") (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient") (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient") (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient") (iokit-user-client-class "IOBluetoothDeviceUserClient") (iokit-user-client-class "IOTimeSyncUserClient") (iokit-user-client-class "IOTimeSyncClockManagerUserClient") (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient") (iokit-user-client-class "IOTimeSyncDomainUserClient") (iokit-user-client-class "IOTimeSyncNetworkPortUserClient") ) ;; From com.apple.AirPlayXPCHelper (allow mach-lookup (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.DNSConfiguration") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.metadata.mds") (global-name "com.apple.ocspd") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.spindump") (global-name "com.apple.PairingManager") (global-name "com.apple.audio.audiohald") (global-name "com.apple.audio.AudioComponentRegistrar") (global-name "com.apple.audio.AudioComponentRegistrar.daemon") (global-name "com.apple.wirelessproxd") (global-name "com.apple.windowserver.active") (global-name "com.apple.AirPlayXPCHelper") (global-name "com.apple.coremedia.endpoint.xpc") (global-name "com.apple.coremedia.endpointstream.xpc") (global-name "com.apple.coremedia.endpointplaybacksession.xpc") (global-name "com.apple.coremedia.endpointpicker.xpc") (global-name "com.apple.coremedia.endpointmanager.xpc") (global-name "com.apple.AirPlayAgent.xpc") (global-name "com.apple.AirPlayUIAgent.xpc") (global-name "com.apple.coresymbolicationd") (global-name "com.apple.awdd") (global-name "com.apple.SharingServices") (global-name "com.apple.bluetoothd") (global-name "com.apple.bluetoothaudiod") (global-name "com.apple.BluetoothDOServer") (global-name "com.apple.airportd") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.audio.coreaudiod") (global-name "com.apple.securityd.xpc") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.coremedia.routediscoverer.xpc") (global-name "com.apple.coremedia.routingcontext.xpc") (global-name "com.apple.analyticsd") (global-name "com.apple.tccd.system") (global-name "com.apple.tccd") (global-name "com.apple.TrustEvaluationAgent") (global-name "com.apple.systemstatus.publisher") ) ;; Preferences (allow file-read* (literal "/private/var/root/Library/Preferences/com.apple.cmio.plist") (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist") (literal "/Library/Preferences/.GlobalPreferences.plist") (literal "/Library/Preferences/com.apple.security.plist") (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$") ) ;; Preference domain. (allow user-preference-read (preference-domain "com.apple.airplay") (preference-domain "com.apple.coremedia") (preference-domain "com.apple.security") (preference-domain "com.apple.cmio") (preference-domain "com.apple.cmio.iOSScreenCaptureAssistant") ) (allow user-preference-write (preference-domain "com.apple.cmio.iOSScreenCaptureAssistant") ) (allow ipc-posix-shm-read-data (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$") (ipc-posix-name-regex #"^AudioIO") (ipc-posix-name "FNetwork.defaultStorageSession") (ipc-posix-name "com.apple.AppleDatabaseChanged") ) (allow ipc-posix-shm-write-data (ipc-posix-name-regex #"^AudioIO") (ipc-posix-name "com.apple.AppleDatabaseChanged") ) (allow ipc-posix-shm-read-metadata (ipc-posix-name-regex #"^AudioIO") ) (allow file-map-executable (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal") (subpath "/System/Library/Extensions") ) ;; USB screen capture (allow iokit-open (iokit-user-client-class "IOUSBDeviceUserClientV2") (iokit-user-client-class "IOUSBInterfaceUserClientV3") ) (allow iokit-open (iokit-registry-entry-class "RootDomainUserClient") ) (allow iokit-get-properties)