;;; Copyright (c) 2017 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. ;;; (version 1) (deny default) (deny file-map-executable process-info* nvram*) (import "com.apple.iMessage.shared.sb") ;; Your preference domain (allow user-preference-read (preference-domain "com.apple.imtransferservices.IMTransferAgent") (preference-domain "IMTransferAgent") (preference-domain "com.apple.CFNetwork") (preference-domain "com.apple.mmcs") (preference-domain "com.apple.registration") (preference-domain "com.apple.messages.commsafety") (preference-domain "com.apple.messages") ) (allow user-preference-write (preference-domain "com.apple.mmcs") (preference-domain "com.apple.facetime.bag") (preference-domain "com.apple.imessage.bag") ) ;; Read/write cache access (let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.imtransferservices.IMTransferAgent"))) (allow file-read* file-write* cache-path-filter) (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") cache-path-filter))) (allow mach-lookup (global-name "com.apple.analyticsd") (global-name "com.apple.AppSSO.service-xpc") (global-name "com.apple.apsd") (global-name "com.apple.AssetCacheLocatorService") (global-name "com.apple.awdd") (global-name "com.apple.backupd.xpc") (global-name "com.apple.cfnetwork.cfnetworkagent") (global-name "com.apple.cookied") (global-name "com.apple.cloudd") (global-name "com.apple.identityservicesd.desktop.auth") (global-name "com.apple.logind") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.ManagedSettingsAgent") (global-name "com.apple.ManagedSettingsAgent.publisher") (global-name "com.apple.nehelper") (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.usymptomsd") (global-name "com.apple.containermanagerd") (global-name "com.apple.windowserver.active") (global-name "com.apple.mediaanalysisd.analysis") (global-name "com.apple.coremedia.videocodecd.compressionsession") (global-name "com.apple.coremedia.videocodecd.decompressionsession") ) ;; IMTransferAgent should not be able to launch WebKit services (deny mach-lookup (with send-signal SIGKILL)(with telemetry)(with message "Unexpected WebKit Usage") (xpc-service-name-prefix "com.apple.WebKit")) (allow network-outbound) (allow system-socket) (allow file* (subpath temp-directory) (home-subpath "/Library/Messages") (darwin-user-root-subpath "/T/com.apple.imagent") (darwin-user-root-subpath "/T/com.apple.identityservicesd") ) (allow file-read* (darwin-user-root-subpath "/T/com.apple.imagent") (subpath "/private/var/tmp/com.apple.identityservicesd") (subpath "/private/etc/services") (subpath "/Library/Keychains/System.keychain") (home-subpath "/Library/Caches/CloudKit/com.apple.imtransferagent") (home-subpath "/Library/com.apple.ManagedSettings/") (extension "com.apple.sandbox.application-group") (extension "com.apple.app-sandbox.read") ) (allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data (global-name "com.apple.AppleDatabaseChanged") ) (deny syscall-unix (with telemetry)(with message "syscall-unix-denied")) (allow syscall-unix (syscall-group-bsdthread) (syscall-group-close) (syscall-group-fcntl) (syscall-group-getfsstat) (syscall-group-kevent) (syscall-group-kqueue) (syscall-group-mkdir) (syscall-group-necp-client) (syscall-group-network-channel) (syscall-group-open-dprotected) (syscall-group-open) (syscall-group-pthread) (syscall-group-read) (syscall-group-recv) (syscall-group-rlimit) (syscall-group-select) (syscall-group-send) (syscall-group-signal) (syscall-group-sockopt) (syscall-group-stat) (syscall-group-statfs) (syscall-group-ulock) (syscall-group-write) (syscall-number SYS___disable_threadsignal SYS___mac_syscall SYS___semwait_signal SYS___semwait_signal_nocancel SYS_abort_with_payload SYS_access SYS_access_extended SYS_change_fdguard_np SYS_chdir SYS_csrctl SYS_debug_syscall_reject SYS_exit SYS_faccessat SYS_fgetattrlist SYS_fgetxattr SYS_fileport_makefd SYS_fileport_makeport SYS_flistxattr SYS_flock SYS_fpathconf SYS_fsetattrlist SYS_fsgetpath SYS_fsync SYS_ftruncate SYS_getattrlist SYS_getattrlistbulk SYS_getaudit_addr SYS_getdirentries64 SYS_getegid SYS_getentropy SYS_geteuid SYS_getgid SYS_getgroups SYS_getpid SYS_getppid SYS_gettid SYS_gettimeofday SYS_getuid SYS_getxattr SYS_issetugid SYS_kdebug_trace_string SYS_kdebug_trace64 SYS_kdebug_typefilter SYS_kevent_id SYS_kevent_qos SYS_listxattr SYS_lseek SYS_madvise SYS_mmap SYS_mprotect SYS_mremap_encrypted SYS_munmap SYS_openbyid_np SYS_os_fault_with_payload SYS_pathconf SYS_persona SYS_psynch_mutexdrop SYS_psynch_mutexwait SYS_readlink SYS_rename SYS_renameatx_np SYS_rmdir SYS_setattrlist SYS_shared_region_check_np SYS_shutdown SYS_socketpair SYS_terminate_with_payload SYS_thread_selfid SYS_workq_kernreturn SYS_workq_open) ) (allow iokit-open (iokit-user-client-class "IGAccelDevice" "IGAccelSharedUserClient" "IGAccelVideoContextMain" "IGAccelVideoContextMedia" "IGAccelVideoContextVEBox" "IOSurfaceRootUserClient" "AppleAVE2UserClient" ;; Makes writing heic work ) ) (allow file-map-executable (subpath "/System/Library/Video/Plug-Ins") ) ;; Syscall subcommand filtering - fsctl (when (defined? 'system-fsctl) (deny system-fsctl) (allow system-fsctl (fsctl-command APFSIOC_GET_CLONE_INFO APFSIOC_PURGEABLE_LABEL_PURGEABLE)))