; ; Copyright (C) 2019 Apple Inc. All Rights Reserved. ; ; Sandbox profile for sharingd. ; (version 1) (deny default) (deny dynamic-code-generation file-map-executable nvram*) (deny process-info* process-info-codesignature) (deny syscall-unix) (import "com.apple.corefoundation.sb") (import "system.sb") (system-graphics) (system-network) (corefoundation) (import "contacts.sb") ;;; Darwin user directory defines (define (darwin-user-cache-subpath relative) (subpath (string-append (param "_DARWIN_USER_CACHE") relative)) ) (define (darwin-user-temp-subpath relative) (subpath (string-append (param "_DARWIN_USER_TEMP") relative)) ) ;;; Home directory defines (define (home-literal relative) (literal (string-append (param "_HOME") relative)) ) (define (home-prefix relative) (prefix (string-append (param "_HOME") relative)) ) (define (home-subpath relative) (subpath (string-append (param "_HOME") relative)) ) (define (home-regex relative-regex) (regex (string-append "^" (regex-quote (param "_HOME")) relative-regex)) ) ;;; sharingd rules (allow authorization-right-obtain (right-name "com.apple.opendirectoryd.linkidentity") (right-name "system.services.directory.configure") ) (allow distributed-notification-post) (allow file-issue-extension (extension-class "com.apple.app-sandbox.read") (extension-class "com.apple.app-sandbox.read-write") ) (allow file-map-executable (subpath "/System/Library/Address Book Plug-Ins") (subpath "/System/Library/Components/AudioCodecs.component") (subpath "/System/Library/CoreServices/Encodings") (subpath "/System/Library/Filesystems/NetFSPlugins") (subpath "/System/Library/Video/Plug-Ins") ) (allow file-read-data (literal "/Library/Keychains/System.keychain") (subpath "/usr/libexec") ) (allow file-read-metadata) (allow file-read* (extension "com.apple.app-sandbox.read") (home-literal "/.CFUserTextEncoding") (home-subpath "/.ssh") (home-subpath "/Library/Containers") (literal "/Library/Preferences/com.apple.security.plist") (literal "/Library/Preferences/com.apple.security.systemidentities.plist") (literal "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist") (literal "/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist") (literal "/Library/Preferences/SystemConfiguration/preferences.plist") (subpath "/Library/Application Support/CrashReporter") (subpath "/Library/Preferences/SystemConfiguration") (subpath "/System/Library/Video/Plug-Ins") ) (allow file-read* file-write* (darwin-user-cache-subpath "/com.apple.sharingd") (darwin-user-temp-subpath "/com.apple.sharingd") (darwin-user-temp-subpath "/.AddressBookLocks") (extension "com.apple.app-sandbox.read-write") (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2") (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal") (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-shm") (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-wal") (home-subpath "/Library/Application Support/AddressBook") (home-subpath "/Library/Caches/Cleanup At Startup") (home-subpath "/Library/Keychains") (home-subpath "/Library/Sharing") ; This allows the system to create, read, write from temporary directories on any volume. For example, this ; allows AirDrop to create a temp directory on the volume where the user's Downloads directory is located (mount-relative-regex #"^/\.TemporaryItems(/|$)") (subpath "/private/var/run") (subpath "/private/tmp") ) ; Mounting smb servers (allow file-read* file-write* file-ioctl (regex #"^/dev/nsmb[0-9]+$") ) ;;; Security.framework ; mds: mds.lock, mdsDirectory.db, mdsObject.db ; 1. extension "mds" ; uid == 0: r+w /private/var/db/mds/system ; uid > 0: r+w <_DARWIN_USER_CACHE_DIR>/mds ; 2. /private/var/db/mds/system/{mdsDirectory.db,mdsObject.db} ; uid == 0: r+w (already covered by (extension "sharingd:mds")) ; uid > 0: r (allow file-read* file-write* (extension "sharingd:mds") ) (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db") ) ; 3. se_SecurityMessages: ; uid < 500: /private/var/db/mds/messages/se_SecurityMessages ; uid >= 500: /private/var/db/mds/messages//se_SecurityMessages (allow file-read* (literal (param "_SECURITY_MESSAGES")) ) ;;; For Sharing Dashboard (with-filter (system-attribute apple-internal) (allow file-read* (literal "/AppleInternal/Library/Preferences/com.apple.coreutils.dashboard.plist") ) ) (allow iokit-get-properties) (allow iokit-open (iokit-registry-entry-class "AppleCredentialManagerUserClient") (iokit-registry-entry-class "AppleKeyStoreUserClient") (iokit-registry-entry-class "IOBluetoothHCIUserClient") (iokit-registry-entry-class "IOSurfaceRootUserClient") (iokit-registry-entry-class "RootDomainUserClient") (iokit-registry-entry-class "com_apple_AVEBridgeUserClient") (iokit-user-client-class "AppleAVE2UserClient") (iokit-user-client-class "IO80211APIUserClient") (iokit-user-client-class "IOUserUserClient") ) (allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data (ipc-posix-name "com.apple.AppleDatabaseChanged") ) (allow lsopen) (allow mach-register (global-name "com.apple.sharingd.ServiceProvider") ) (allow mach-lookup (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.AddressBook.abd") (global-name "com.apple.AddressBook.AddressBookApplicationFrameworkIPC") (global-name "com.apple.AddressBook.AssistantService") (global-name "com.apple.AddressBook.ContactsAccountsService") (global-name "com.apple.AddressBook.SourceSync") (global-name "com.apple.ak.anisette.xpc") (global-name "com.apple.ak.auth.xpc") (global-name "com.apple.airportd") (global-name "com.apple.apsd") (global-name "com.apple.audio.AudioComponentRegistrar") (global-name "com.apple.audio.SystemSoundServer-OSX") (global-name "com.apple.awdd") (global-name "com.apple.bird.token") (global-name "com.apple.bluetoothd") (global-name "com.apple.callkit.callcontrollerhost") (global-name "com.apple.cdp.daemon") (global-name "com.apple.cloudpaird") (global-name "com.apple.CloudSharing.SPIHelper") (global-name "com.apple.cmfsyncagent.auth") (global-name "com.apple.CompanionLink") (global-name "com.apple.CoreDisplay.master") (global-name "com.apple.coreduetd.context") (global-name "com.apple.coreduetd.people") (global-name "com.apple.coreduetd.people.user") (global-name "com.apple.CoreLocation.agent") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.coreservices.sharedfilelistd.xpc") (global-name "com.apple.diagnosticextensionsd.sharing-wakeup") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.dock.server") (global-name "com.apple.dmd.policy") (global-name "com.apple.familycircle.agent") (global-name "com.apple.FileCoordination") (global-name "com.apple.finder.ServiceProvider") (global-name "com.apple.fonts") (global-name "com.apple.findmy.findmylocate.settings") (global-name "com.apple.findmy.findmylocate.friendshipservice") (global-name "com.apple.findmy.findmylocate.locationservice") (global-name "com.apple.iconservices") (global-name "com.apple.iconservices.store") (global-name "com.apple.identityservicesd.desktop.auth") (global-name "com.apple.locationd.desktop.registration") (global-name "com.apple.logind") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.lsd.modifydb") (global-name "com.apple.lsd.open") (global-name "com.apple.metadata.mds") (global-name "com.apple.metadata.mdwrite") (global-name "com.apple.mobileactivationd") (global-name "com.apple.nearbyd.xpc.nearbyinteraction") (global-name "com.apple.netauth.user.auth") (global-name "com.apple.network.EAPOLController") (global-name "com.apple.ocspd") (global-name "com.apple.pasteboard.1") (global-name "com.apple.pbs.fetch_services") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.ProgressReporting") (global-name "com.apple.private.corewifi-xpc") (global-name "com.apple.rapport") (global-name "com.apple.rapport.people") (global-name "com.apple.remoted") (global-name "com.apple.runningboard") (global-name "com.apple.security.octagon") (global-name "com.apple.securityd.xpc") (global-name "com.apple.SecurityServer") (global-name "com.apple.server.bluetooth") (global-name "com.apple.server.bluetooth.classic.xpc") (global-name "com.apple.server.bluetooth.general.xpc") (global-name "com.apple.server.bluetooth.le.att.xpc") (global-name "com.apple.sharing.sharesheet") (global-name "com.apple.sharing.transfer-observer") (global-name "com.apple.sharingd.ServiceProvider") (global-name "com.apple.SharedWebCredentials") (global-name "com.apple.SharingServices") (global-name "com.apple.studentd") (global-name "com.apple.system.opendirectoryd.api") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") (global-name "com.apple.telephonyutilities.callservicesdaemon.callstatecontroller") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.unmountassistant.useragent") (global-name "com.apple.usernoted.daemon_client") (global-name "com.apple.wifi.WiFiAgent") (global-name "com.apple.windowserver.active") (global-name "com.apple.wirelessproxd") (global-name "com.apple.bluetooth.xpc") (global-name "com.apple.networkd_privileged") (global-name "com.apple.mediaanalysisd.analysis") (global-name "com.apple.wifip2pd") (global-name "com.apple.cache_delete.public") (global-name "com.apple.cache_delete") ) (contacts-client (param "_HOME") (param "_DARWIN_USER_TEMP")) (allow network-bind (local ip) ) (allow network-inbound (local ip) ) (allow network-outbound (literal "/private/var/run/mDNSResponder") (remote ip) ) ;;; For Sharing Dashboard (with-filter (system-attribute apple-internal) (allow network-outbound (remote udp "*:16402") ) ) (allow process-exec* (with telemetry-backtrace) (literal "/usr/libexec/sharingd") ) (allow process-info-codesignature) (allow process-info-dirtycontrol (target self) ) (allow process-info-pidinfo) (allow process-info-setcontrol (target self) ) (allow system-fsctl (fsctl-command afpfsGetMountInfoFSCTL) (fsctl-command afpfsSleepWakeFSCTL) (fsctl-command afpfsSubMountFSCTL) ) (allow system-socket (socket-domain AF_RESERVED_36) (socket-domain AF_SYSTEM) ) (allow user-preference-read (preference-domain "com.apple.AddressBook.CardDAVPlugin") (preference-domain "com.apple.AppleGVA") (preference-domain "com.apple.applejpeg") (preference-domain "com.apple.AppleShareClient") (preference-domain "com.apple.AppleVPA") (preference-domain "com.apple.applicationaccess") (preference-domain "com.apple.Bluetooth") (preference-domain "com.apple.Bluetooth.debug") (preference-domain "com.apple.CFNetwork") (preference-domain "com.apple.coreaudio") (preference-domain "com.apple.CoreGraphics") (preference-domain "com.apple.coremedia") (preference-domain "com.apple.CoreServicesInternal") (preference-domain "com.apple.corevideo") (preference-domain "com.apple.demo-settings") (preference-domain "com.apple.dock") (preference-domain "com.apple.facetime.bag") (preference-domain "com.apple.FontParser") (preference-domain "com.apple.ids") (preference-domain "com.apple.ids.debug") (preference-domain "com.apple.ImageIO") (preference-domain "com.apple.logging") (preference-domain "com.apple.Metal") (preference-domain "com.apple.monaco") (preference-domain "com.apple.NetworkBrowser") (preference-domain "com.apple.scheduler") (preference-domain "com.apple.security") (preference-domain "com.apple.Sharing") (preference-domain "com.apple.universalaccess") (preference-domain "com.apple.videoprocessing") (preference-domain "kCFPreferencesAnyApplication") (preference-domain "pbs") ) (allow user-preference-read user-preference-write (preference-domain "com.apple.AddressBook") (preference-domain "com.apple.classroom") (preference-domain "com.apple.sharingd") ) ;;; Sandbox automatically infers syscalls based on allowed operations in the profile. ;;; For details see '/src/compiler/transforms/policy.scm' in the Sandbox project. ;;; Some syscalls can only be inferred after adopting (version 2) or (version 3). ;;; Syscalls that are not inferred should be added in the list below. (allow syscall-unix (syscall-group-bsdthread) (syscall-group-fcntl) ; (version > 1): system-fcntl or system-package-check (syscall-group-kevent) (syscall-group-necp-client) (syscall-group-network-channel) (syscall-group-open) (syscall-group-open-dprotected) (syscall-group-pthread-cv) (syscall-group-pthread) (syscall-group-recv) (syscall-group-send) (syscall-group-sockopt) (syscall-group-ulock) (syscall-number SYS_accept) (syscall-number SYS_access) (syscall-number SYS_audit_session_self) (syscall-number SYS_change_fdguard_np) (syscall-number SYS_csrctl) (syscall-number SYS___disable_threadsignal) (syscall-number SYS_dup) (syscall-number SYS_exit) (syscall-number SYS_faccessat) (syscall-number SYS_fgetattrlist) (syscall-number SYS_fgetxattr) (syscall-number SYS_fileport_makefd) (syscall-number SYS_fileport_makeport) (syscall-number SYS_flistxattr) (syscall-number SYS_flock) (syscall-number SYS_fpathconf) (syscall-number SYS_fsetattrlist) (syscall-number SYS_fsgetpath) (syscall-number SYS_fstat64) (syscall-number SYS_fstat64_extended) (syscall-number SYS_fstatat64) (syscall-number SYS_fstatfs64) (syscall-number SYS_fsync) (syscall-number SYS_ftruncate) (syscall-number SYS_getattrlist) (syscall-number SYS_getattrlistbulk) (syscall-number SYS_getaudit_addr) (syscall-number SYS_getdirentries64) (syscall-number SYS_getegid) (syscall-number SYS_getentropy) (syscall-number SYS_geteuid) (syscall-number SYS_getfsstat64) (syscall-number SYS_getgid) (syscall-number SYS_getgroups) (syscall-number SYS_gethostuuid) (syscall-number SYS_getpeername) (syscall-number SYS_getpid) (syscall-number SYS_getrlimit) (syscall-number SYS_getrusage) (syscall-number SYS_getsockname) (syscall-number SYS_gettid) (syscall-number SYS_gettimeofday) (syscall-number SYS_getuid) (syscall-number SYS_getxattr) (syscall-number SYS_guarded_close_np) (syscall-number SYS_guarded_pwrite_np) (syscall-number SYS_ioctl) (syscall-number SYS_issetugid) (syscall-number SYS_kdebug_trace) (syscall-number SYS_kdebug_trace_string) (syscall-number SYS_kdebug_trace64) (syscall-number SYS_kdebug_typefilter) (syscall-number SYS_kqueue) (syscall-number SYS_link) (syscall-number SYS_listen) (syscall-number SYS_listxattr) (syscall-number SYS_lseek) (syscall-number SYS_lstat64) (syscall-number SYS_lstat64_extended) (syscall-number SYS___mac_syscall) (syscall-number SYS_madvise) (syscall-number SYS_mkdir) (syscall-number SYS_mkdirat) (syscall-number SYS_mmap) (syscall-number SYS_mprotect) (syscall-number SYS_munmap) (syscall-number SYS_necp_session_action) (syscall-number SYS_posix_spawn) (syscall-number SYS_pread) (syscall-number SYS_read) (syscall-number SYS_read_nocancel) (syscall-number SYS_readlink) (syscall-number SYS_rename) (syscall-number SYS_rmdir) (syscall-number SYS_select) (syscall-number SYS_select_nocancel) (syscall-number SYS___semwait_signal) (syscall-number SYS___semwait_signal_nocancel) (syscall-number SYS_setattrlist) (syscall-number SYS_setrlimit) (syscall-number SYS_shared_region_check_np) (syscall-number SYS_shutdown) (syscall-number SYS_sigaction) (syscall-number SYS_sigprocmask) (syscall-number SYS_socketpair) (syscall-number SYS_stat64) (syscall-number SYS_stat64_extended) (syscall-number SYS_statfs64) (syscall-number SYS_symlink) (syscall-number SYS_sysctl) ; [system.sb] (allow sysctl-read) (syscall-number SYS_sysctlbyname) ; ==> could be inferred (syscall-number SYS_thread_selfid) (syscall-number SYS_workq_kernreturn) (syscall-number SYS_workq_open) ) (allow file-read* file-write* (extension "com.apple.sandbox.application-group")) (allow mach-lookup (global-name "com.apple.containermanagerd"))