;;; Copyright (c) 2017 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. ;;; (version 1) (deny default) (deny file-map-executable iokit-get-properties nvram*) (deny dynamic-code-generation) (deny mach-priv-host-port) (import "system.sb") (import "com.apple.corefoundation.sb") (corefoundation) ;;; Homedir-relative path filters (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex))) (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME") home-relative-subpath))) (define (home-prefix home-relative-prefix) (prefix (string-append (param "HOME") home-relative-prefix))) (define (home-literal home-relative-literal) (literal (string-append (param "HOME") home-relative-literal))) (allow process-info*) ;; For calling auditon on macOS for BGST (allow system-audit) ;; For resolving symlinks, realpath(3), and equivalents. (allow file-read-metadata) ;; For validating the entitlements of clients. (allow process-info-codesignature) ;; IOKit Properties (allow iokit-get-properties (iokit-property "AdapterDetails") (iokit-property "AdapterInfo") (iokit-property "Amperage") (iokit-property "AppleRawAdapterDetails") (iokit-property "AppleRawCurrentCapacity") (iokit-property "AppleRawMaxCapacity") (iokit-property "AvgTimeToEmpty") (iokit-property "AvgTimeToFull") (iokit-property "built-in") (iokit-property "builtin-battery") (iokit-property "BatteryData") (iokit-property "BatteryInstalled") (iokit-property "BatteryInvalidWakeSeconds") (iokit-property "BatteryInvalidWakeSeconds") (iokit-property "BestAdapterIndex") (iokit-property "BootPathUpdated") (iokit-property "ChargerData") (iokit-property "ChargingOverride") (iokit-property "CurrentCapacity") (iokit-property "CycleCount") (iokit-property "DesignCapacity") (iokit-property "DesignCycleCount70") (iokit-property "DesignCycleCount9C") (iokit-property "DeviceName") (iokit-property "ExternalChargeCapable") (iokit-property "ExternalConnected") (iokit-property "FirmwareSerialNumber") (iokit-property "FullPathUpdated") (iokit-property "FullyCharged") (iokit-property "IOGeneralInterest") (iokit-property "IOReportLegend") (iokit-property "IOReportLegendPublic") (iokit-property "InstantAmperage") (iokit-property "InstantTimeToEmpty") (iokit-property "IsCharging") (iokit-property "LegacyBatteryInfo") (iokit-property "Location") (iokit-property "Manufacturer") (iokit-property "ManufacturerData") (iokit-property "MaxCapacity") (iokit-property "MaxErr") (iokit-property "OperationStatus") (iokit-property "PackReserve") (iokit-property "PermanentFailureStatus") (iokit-property "PostChargeWaitSeconds") (iokit-property "PostDischargeWaitSeconds") (iokit-property "PowerTelemetryData") (iokit-property "Serial") (iokit-property "Temperature") (iokit-property "TimeRemaining") (iokit-property "UpdateTime") (iokit-property "UserVisiblePathUpdated") (iokit-property "Voltage")) ;; IOKit User (allow iokit-open-user-client (iokit-user-client-class "AppleKeyStoreUserClient")) ;; Mach Lookups (allow mach-lookup (global-name "com.apple.biome.access.system") (global-name "com.apple.biome.access.user") (global-name "com.apple.coreduetd.context") (global-name "com.apple.coreduetd.knowledge") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.duetactivityscheduler") (global-name "com.apple.iokit.powerdxpc") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.powerlog.plxpclogger.xpc") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.MobileInternetSharing") (global-name "com.apple.backgroundtaskmanagement") (global-name "com.apple.diagnosticpipeline.service")) ;; Preference Domains (allow user-preference-read (preference-domain "com.apple.CrashReporter")) (allow user-preference-read (preference-domain "com.apple.da")) (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication")) (allow user-preference-read user-preference-write (preference-domain "com.apple.CoreDuet")) (allow user-preference-read user-preference-write (preference-domain "com.apple.dasd.datacollectiontasks")) (allow user-preference-read user-preference-write (preference-domain "com.apple.dasd.testingDefaults")) (allow user-preference-read user-preference-write (preference-domain "com.apple.duetactivityscheduler")) (allow user-preference-read user-preference-write (preference-domain "com.apple.duetactivityscheduler.plugin")) (allow user-preference-read user-preference-write (preference-domain "com.apple.das.fairscheduling")) (allow user-preference-read user-preference-write (preference-domain "com.apple.dasd.swapkills")) (allow user-preference-read user-preference-write (preference-domain "com.apple.bg.system.task")) (allow user-preference-read user-preference-write (preference-domain "com.apple.duetactivityscheduler.trial")) (allow user-preference-read user-preference-write (preference-domain "com.apple.duetactivityscheduler.policydatacollection")) (allow user-preference-read user-preference-write (preference-domain "com.apple.gridDataServices.config")) (allow user-preference-read (preference-domain "com.apple.triald")) (allow user-preference-read user-preference-write (preference-domain "com.apple.dasd.activityDurationTracker")) ;; Read/write access to a temporary directory. (allow file-read* file-write* (subpath (param "TMPDIR")) (subpath (param "DARWIN_CACHE_DIR")) (regex #"^/private/var/db/DuetActivityScheduler")) (allow file-read-data (subpath "/usr/libexec") (literal "/Library/Preferences/com.apple.networkd.plist")) (allow file-read* (subpath "/Library/Trial")) (allow file-issue-extension (regex #"^/private/var/db/DuetActivityScheduler")) ;; Read/write cache access ;; TODO: Replace ${PRODUCT_BUNDLE_IDENTIFIER} with the actual bundle identifier. (let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.dasd"))) (allow file-read* file-write* cache-path-filter) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") cache-path-filter))) ;; File Open Permissions for Launch Services (allow lsopen) (allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data (ipc-posix-name "com.apple.dasd.budgets")) ;; PerfPowerServices db location on macOS (allow file-read-data file-write* (subpath "/private/var/db/powerlog"))