(version 1) (deny default) (import "system.sb") (import "com.apple.corefoundation.sb") (import "bsd.sb") (import "contacts.sb") (system-network) (corefoundation) (contacts-client (param "_HOME") (param "_USER_TEMP_DIR")) ;; Sandbox Extensions (with-filter (extension "com.apple.app-sandbox.read") (allow file-read*)) (with-filter (extension "com.apple.app-sandbox.read-write") (allow file-read* file-write*)) (allow mach-lookup (global-name "com.apple.apsd") (global-name "com.apple.biome.access.user") (global-name "com.apple.biome.access.system") (global-name "com.apple.biome.compute.source") (global-name "com.apple.biome.compute.source.user") (global-name "com.apple.biome.compute.publisher.service") (global-name "com.apple.biome.compute.publisher.service.user") (global-name "com.apple.bird.token") (global-name "com.apple.cloudd") (global-name "com.apple.CompanionLink") (global-name "com.apple.cookied") (global-name "com.apple.coreduet.knowledge.sync.push") (global-name "com.apple.coreduetd.context") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.coreduetd.knowledge.user") (global-name "com.apple.coreduetd.knowledge") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.powerlog.plxpclogger.xpc") (global-name "com.apple.rapport.people") (global-name "com.apple.SecurityServer") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.windowserver") (global-name "com.apple.windowserver.active") (global-name "com.apple.ScreenTimeAgent") (global-name "com.apple.ScreenTimeAgent.private") (global-name "com.apple.coreduetd.people.user") (global-name "com.apple.proactive.PersonalizationPortrait.Contact") (global-name "com.apple.remindd") (global-name "com.apple.identityservicesd.idquery.desktop.auth") (global-name "com.apple.proactive.SuggestionRequest.ps_unstructured_reminder_interaction_suggestions") (global-name "com.apple.proactive.SuggestionRequest.cd_calendar_interaction_suggestions") (global-name "com.apple.proactive.SuggestionRequest.ps_unstructured_calendar_interaction_suggestions") (global-name "com.apple.proactive.SuggestionRequest.ps_facetime_interaction_model") (global-name "com.apple.proactive.SuggestionRequest.ps_facetime_fallback_interaction_model") (global-name "com.apple.CalendarAgent") (global-name "com.apple.CalendarAgent.proxy") (global-name "com.apple.corerecents.recentsd") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.proactive.ProactiveSuggestionClientModel.xpc") (global-name "com.apple.coreduetd.people") (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.CalendarAgent.database") (global-name "com.apple.progressd") (global-name "com.apple.system.opendirectoryd.api") (global-name "com.apple.spotlight.CSExattrCryptoService") (global-name "com.apple.synapse.DocumentWorkflowsService") (global-name "com.apple.triald.namespace-management") (global-name "com.apple.siri.uaf.service") (global-name "com.apple.siri.uaf.subscription.service") (global-name "com.apple.mobileasset.autoasset") (xpc-service-name "com.apple.imdpersistence.IMDPersistenceAgent") ) (allow mach-register (global-name "com.apple.coreduet.knowledge.sync.push")) (allow file-read* file-write* (subpath (param "_USER_TEMP_DIR")) (subpath (string-append (param "_HOME") "/Library/Caches/knowledge-agent")) (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist")) (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist")) (subpath (string-append (param "_HOME") "/Library/Application Support/Knowledge")) (subpath "/private/var/db/CoreDuet")) (when (param "EXEC_DIR") (allow file-read* (subpath (param "EXEC_DIR")))) (allow file-read* file-write* (subpath (string-append (param "_HOME") "/Library/Caches/CloudKit/com.apple.knowledge-agent")) (subpath (string-append (param "_HOME") "/Library/Assistant/SiriVocabulary")) ) (allow file-read-metadata (subpath (string-append (param "_HOME") "/Library")) (subpath "/usr")) (allow file-read-data (literal "/usr/libexec") (subpath "/usr/libexec/knowledge-agent") (subpath "/private/var/db/assetsubscriptiond") (literal "/Library/Preferences/.GlobalPreferences.plist") (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist")) (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist")) (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist")) (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.assistant.backedup.plist")) (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]*\.plist$")) (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/knowledge-agent\.[^/]*\.plist$")) (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$"))) (allow file-read-metadata (literal "/AppleInternal") (literal (param "_HOME"))) (allow file-read* (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter (literal "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") ; for MessageTracer (subpath (string-append (param "_HOME") "/Library/Trial")) ) (allow network-outbound (literal "/private/var/run/mDNSResponder")) ; to resolve host names (allow ipc-posix-shm-read-data (ipc-posix-name "FNetwork.defaultStorageSession")) (allow network-outbound (remote ip)) ; to download policy updates (allow ipc-posix-shm* (ipc-posix-name "CDPM/knowledge-agent")) ; for perf metrics (allow distributed-notification-post) (allow user-preference-read (preference-domain "com.apple.CloudKit")) (allow user-preference-read user-preference-write (preference-domain "com.apple.iCal") (preference-domain "com.apple.knowledge-agent") (preference-domain "com.apple.CoreDuet")) (allow iokit-open (iokit-user-client-class "AppleKeyStoreUserClient") )