(version 1) (deny default) (import "system.sb") ; System is read only (allow system-socket sysctl-read sysctl-write) (allow file-read-metadata) ; Allow read of everything so that we can get the Mach-O UUIDs from arbitrary executables configured via per-app rules (allow file-read*) (allow file-write* (regex #"^/Library/Keychains/System.keychain" #"^/Library/Keychains/\." #"^(/private)?/var/db/mds/system/mds.lock$" ) (regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist") (regex #"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist") (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.network\.plist") (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.networkextension\.plist") (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist") (regex #"^/Library/Preferences/SystemConfiguration/VPN-[^/]+\.plist") (literal "/private/var/db/com.apple.networkextension.tracker-info") (literal "/private/var/db/com.apple.networkextension.tracker-info.temp") (subpath (param "TEMPDIR"))) (allow mach-register (global-name "com.apple.nehelper") (global-name "com.apple.networkd_privileged")) (allow iokit-open (iokit-user-client-class "AppleMobileFileIntegrityUserClient") (iokit-user-client-class "AppleKeyStoreUserClient")) (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center")) (allow ipc-posix-shm-read-data ipc-posix-shm-write-data (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow ipc-posix-shm-read-data (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$")) (system-network) (allow mach-lookup (global-name "com.apple.SecurityServer") (global-name "com.apple.nehelper") (global-name "com.apple.nesessionmanager") (global-name "com.apple.neagent.lsproxy") (global-name "com.apple.system.logger") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.system.notification_center") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.SystemConfiguration.SCNetworkReachability") (global-name "com.apple.SystemConfiguration.NetworkInformation") (global-name "com.apple.networkd") (global-name "com.apple.private.corewifi-xpc") (global-name "com.apple.ocspd") (global-name "com.apple.networking.captivenetworksupport") (global-name "com.apple.SystemConfiguration.helper") (global-name "com.apple.metadata.mds") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.mobileassetd") (global-name "com.apple.mobileassetd.v2") (global-name "com.apple.security.xpc") (global-name "com.apple.securityd.xpc") (global-name "com.apple.securityd.systemkeychain") (global-name "com.apple.CoreAuthentication.daemon") (global-name "com.apple.airportd") (global-name "com.apple.ALF.ApplicationFirewall.message") (global-name "com.apple.locationd.desktop.synchronous") (global-name "com.apple.SharedWebCredentials") (global-name "com.apple.mDNSResponder.control") (global-name "com.apple.ctkd.token-client")) ;;; MobileAsset (allow user-preference-read (preference-domain "com.apple.MobileAsset")) (allow user-preference-read (preference-domain "com.apple.SoftwareUpdate")) (allow sysctl-read) (allow sysctl* (sysctl-name "kern.ipc.io_policy.throttled") (sysctl-name-prefix "net.")) ;;; Allow creating specific kernel control sockets (allow network-outbound (control-name "com.apple.net.necp_control") (control-name "com.apple.net.netagent") (control-name "com.apple.net.utun_control") (control-name "com.apple.net.ipsec_control") (control-name "com.apple.content-filter") (control-name "com.apple.flow-divert") (control-name "com.apple.network.advisory")) ;;; Allow TCP probes (allow network-outbound (literal "/private/var/run/mDNSResponder") (remote tcp)) ;;; Allow creating IKE sockets (allow network* (local udp "*:500" "*:4500") (remote udp "*:*") (literal "/private/var/run/racoon.sock")) (allow authorization-right-obtain (right-name "system.keychain.modify") (right-name "system.services.systemconfiguration.network")) (allow system-fsctl (fsctl-command (_IO "h" 47))) ; HFSIOC_SET_HOTFILE_STATE