;;; ;;; /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd ;;; IDS - Foundation | all ;;; (version 1) (deny default dynamic-code-generation file-map-executable nvram*) ;(deny file-link) ;(deny iokit-get-properties) (deny process-info* process-info-codesignature) ;(deny socket-ioctl) (import "system.sb") (import "opendirectory.sb") ; home-* (define (home-literal relative) (literal (string-append (param "_HOME") relative))) (define (home-prefix relative) (prefix (string-append (param "_HOME") relative))) (define (home-subpath relative) (subpath (string-append (param "_HOME") relative))) (define (home-regex relative-regex) (regex (string-append "^" (regex-quote (param "_HOME")) relative-regex))) (allow device-microphone) (allow file-read-metadata) ;;; IdentityServices (allow file-read* (subpath "/AppleInternal/Library/IdentityServices")) (allow file-read* file-write* (home-subpath "/Library/IdentityServices") (home-subpath "/Library/Application Support/identityservicesd")) ;;; Keychain (allow file-read* (prefix "/Library/Keychains/FileVaultMaster.keychain") (prefix "/Library/Keychains/System.keychain") (prefix "/Library/Keychains/apsd.keychain") (literal "/System/Library/Keychains/SystemTrustSettings.plist")) (allow file-read* file-write* (home-subpath "/Library/Keychains")) ;;; Security.framework ; mds: mds.lock, mdsDirectory.db, mdsObject.db ; 1. extension "mds" ; uid == 0: r+w /private/var/db/mds/system ; uid > 0: r+w <_DARWIN_USER_CACHE_DIR>/mds ; 2. /private/var/db/mds/system/{mdsDirectory.db,mdsObject.db} ; uid == 0: r+w (already covered by (extension "identityservicesd:mds")) ; uid > 0: r (allow file-read* file-write* (extension "identityservicesd:mds")) (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db")) ; 3. se_SecurityMessages: ; uid < 500: /private/var/db/mds/messages/se_SecurityMessages ; uid >= 500: /private/var/db/mds/messages//se_SecurityMessages (allow file-read* (literal (param "SECURITY_MESSAGES_DIR"))) (allow ipc-posix-shm-read-data ipc-posix-shm-write-data (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow file-read* (literal "/Library/Preferences/com.apple.security-common.plist") (home-literal "/Library/Preferences/com.apple.security.plist") (literal "/Library/Preferences/com.apple.security.plist") (literal "/private/var/db/DetachedSignatures")) ; Darwin user cache + temp directories (allow file-read* file-write* (subpath (param "_DARWIN_USER_CACHE")) (subpath (param "_DARWIN_USER_TEMP"))) ;;; Misc (allow file-read* (home-literal ".CFUserTextEncoding") (literal "/AppleInternal/Library/Monaco/Environments.plist") (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") (literal "/Library/Preferences/SystemConfiguration/preferences.plist") (literal "/Library/Preferences/com.apple.ViewBridge.plist") (subpath "/System/Library/CoreServices/Encodings") (subpath "/System/Library/CoreServices/SystemFolderLocalizations") (subpath "/System/Library/CoreServices/SystemVersion.bundle") (literal "/System/Library/CoreServices/SystemVersion.plist") (literal "/private/var/setup/.AppleSetupUser")) (allow lsopen) ; idstool, imtool? (allow file-read* (literal "/usr/local/bin/idstool") (literal "/usr/local/bin/imtool")) ; SecTrustedApplicationCreateFromPath(): bundles, code-signing (allow file-read* (literal "/") (subpath "/Applications/Messages.app") (literal "/usr/local/bin")) ;;; IOKit properties + NVRAM (allow nvram-get (nvram-variable "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:MLB") (nvram-variable "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:ROM")) (allow iokit-get-properties) (allow iokit-open (iokit-user-client-class "RootDomainUserClient")) ;;; MACH services (allow mach-lookup (global-name "com.apple.CompanionLink") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.ak.anisette.xpc") (global-name "com.apple.ak.auth.xpc") (global-name "com.apple.analyticsd") (global-name "com.apple.apsd") (global-name "com.apple.audio.audiohald") (global-name "com.apple.awdd") (global-name "com.apple.backupd.xpc") (global-name "com.apple.cmfsyncagent.auth") (global-name "com.apple.commcenter.coretelephony.xpc") (global-name "com.apple.CoreAuthentication.agent") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.imtransferservices.IMTransferAgent") (global-name "com.apple.logind") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.marco") (global-name "com.apple.networkd_privileged") (global-name "com.apple.ocspd") (global-name "com.apple.passd.in-app-payment") (global-name "com.apple.rtcreportingd") (global-name "com.apple.securityd.xpc") (global-name "com.apple.usernoted.daemon_client") (global-name "com.apple.videoconference.camera") (global-name "com.apple.windowserver.active") (global-name "com.apple.wirelessproxd") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.commcenter.coretelephony.xpc") (global-name "com.apple.passd.in-app-payment") (global-name "com.apple.cloudd") (global-name "com.apple.transparencyd") (global-name "com.apple.mobileactivationd") (global-name "com.apple.familycircle.agent") (global-name "com.apple.cfnetwork.cfnetworkagent") (global-name "com.apple.cfnetwork.AuthBrokerAgent") (global-name "com.apple.StatusKit.presence") (global-name "com.apple.StatusKit.subscribe") (global-name "com.apple.StatusKit.publish") (global-name "com.apple.aa.usernotifications.xpc") (global-name "com.apple.usernotifications.usernotificationservice") (global-name "com.apple.usernotifications.listener") (global-name "com.apple.transparencyd.ids") (global-name "com.apple.kvsd") (global-name "com.apple.powerlog.plxpclogger.xpc") (global-name "com.apple.symptom_diagnostics") (global-name "com.apple.lsd.xpc") (global-name "com.apple.communicationtrustd.service") (global-name-regex #"-idswake$")) ;;; Audio ;;; [internal feature: play audio when registration occurs] (allow iokit-open (iokit-user-client-class "IOAudioEngineUserClient") (iokit-user-client-class "IOAudioControlUserClient") (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient")) (allow file-read* ; (subpath "/Library/Audio/Plug-Ins/HAL") ? (literal "/Library/Audio/Plug-Ins/HAL")) ;;; Networking (system-network) (allow network-bind (local ip)) (allow network-inbound (local udp)) (allow network-outbound (path "/private/var/run/mDNSResponder") (remote ip) (control-name "com.apple.net.netagent")) (with-filter (system-attribute apple-internal) (allow process-fork) (allow process-exec (literal "/usr/local/bin/netdiagnose") (literal "/usr/bin/lskq") (literal "/usr/bin/lsof") (with no-sandbox))) ;;; process-info (allow process-info-codesignature) (allow process-info-pidinfo process-info-setcontrol (target self)) ;;; fsctl (allow system-fsctl (fsctl-command (_IO "z" 23)) ; 31255 == 0x7A17: afpfsByteRangeLock2FSCTL (fsctl-command (_IO "h" 47))) ; 26671 == 0x682F: HFSIOC_SET_HOTFILE_STATE ;; Preferences (allow user-preference-read user-preference-write (preference-domain "com.apple.facetime.bag") (preference-domain "com.apple.identityservices.idstatuscache") (preference-domain "com.apple.identityservices.serviceDisablement") (preference-domain "com.apple.identityservicesd") (preference-domain "com.apple.ids") (preference-domain "com.apple.ids.debug") (preference-domain "com.apple.ids.deviceproperties") (preference-domain "com.apple.ids.subservices") (preference-domain "com.apple.imessage.bag") (preference-domain "com.apple.registration")) (allow user-preference-read (preference-domain "com.apple.Messages") (preference-domain "com.apple.imessage") (preference-domain "com.apple.jett.switch-icloud") (preference-domain "kCFPreferencesAnyApplication")) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (home-subpath "/Library/IdentityServices")) (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath (param "_DARWIN_USER_TEMP")))) (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write")) (allow file-map-executable (subpath "/System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleHDAHALPlugIn.bundle")) ;;; Contacts (import "contacts.sb") (contacts-client (param "_HOME") (param "_DARWIN_USER_TEMP"))