;;; Sandbox profile for /usr/libexec/networkserviceproxy (version 1) (deny default) (import "system.sb") (allow system-socket sysctl-read sysctl-write) (allow signal) (allow file-read* (subpath "/usr/libexec") (literal "/Library/Preferences/com.apple.networkd.plist")) (allow network-outbound) (allow lsopen) (allow mach-lookup (global-name "com.apple.PowerManagement.control") (global-name "com.apple.nehelper") (global-name "com.apple.networkd") (global-name "com.apple.networkd_privileged") (global-name "com.apple.securityd") (global-name "com.apple.SystemConfiguration.NetworkInformation") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.locationd.synchronous") (global-name "com.apple.locationd.registration") (global-name "com.apple.mobileactivationd") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.ak.anisette.xpc") (global-name "com.apple.ind.cloudfeatures") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.usernotifications.usernotificationservice") (global-name "com.apple.usernotifications.listener") (global-name "com.apple.private.corewifi-xpc") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.locationd.desktop.synchronous") (global-name "com.apple.locationd.desktop.registration") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.remoted") (global-name "com.apple.securityd.xpc") (global-name "com.apple.SecurityServer") (global-name "com.apple.ctkd.token-client") (global-name "com.apple.CoreAuthentication.agent") (global-name "com.apple.CoreAuthentication.agent.libxpc") (global-name "com.apple.rtcreportingd") (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.xpc.amsaccountsd") (global-name "com.apple.SystemConfiguration.helper") (global-name "com.apple.mDNSResponder.control") (global-name "com.apple.privatecloudcompute") (global-name "com.apple.swtransparencyd") (global-name "com.apple.cfnetwork.cfnetworkagent") (global-name "com.apple.dnssd.service")) (allow file-read* file-write* (literal (string-append (param "_HOME") "/Library/Preferences/networkserviceproxy.plist"))) (allow file-read* (literal "/Library/Preferences/com.apple.networkextension.uuidcache.plist")) (allow user-preference-read user-preference-write (preference-domain "com.apple.networkserviceproxy")) (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication")) (allow user-preference-read (preference-domain "com.apple.icloud.managed")) (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db") (literal (param "SECURITY_MESSAGES"))) (allow system-fsctl (fsctl-command FSIOC_CAS_BSDFLAGS)) (allow file-read* file-write* (subpath (string-append (param "_HOME") "/Library/Keychains"))) (allow file-read* file-write* (extension "networkserviceproxy:mds")) (allow file-read-metadata) (allow network-inbound (socket-domain AF_SYSTEM)) (allow user-preference-read (preference-domain "com.apple.CloudSubscriptionFeatures.cache") (preference-domain "com.apple.CloudSubscriptionFeatures.gmCache")) (allow file-read* (literal "/Library/Preferences/com.apple.privateCloudCompute.plist")) (allow user-preference-read (preference-domain "com.apple.privateCloudCompute")) (define (home-subpath home-relative-subpath) (subpath (string-append (param "_HOME") home-relative-subpath))) ;; Allow read-only access to $HOME/Library/Trial (allow file-read* (home-subpath "/Library/Trial")) ;; CoreData needs read/write access to sandbox directory below (allow file-read* file-write* (home-subpath "/Library/Application Support/networkserviceproxy")) ;; Geoservices access (allow file-read* (home-subpath "/Library/Caches/GeoServices")) (allow user-preference-read (preference-domain "com.apple.GEO"))