;;; ;;; callservicesd ;;; /System/Library/PrivateFrameworks/TelephonyUtilities.framework/callservicesd ;;; TelephonyUtilities | all ;;; (version 1) (deny default) (deny file-map-executable process-info* nvram*) (deny dynamic-code-generation) (import "system.sb") (import "opendirectory.sb") (import "contacts.sb") ;;; Allow for IPC communication for properly Skywalk communication through the network framework (IE: GroupActivities) but not full system networking ;;; itself (allow file-read* file-test-existence (literal "/Library/Preferences/com.apple.networkd.plist") (literal "/private/var/db/com.apple.networkextension.tracker-info") (literal "/private/var/db/nsurlstoraged/dafsaData.bin")) (allow mach-lookup (global-name "com.apple.SystemConfiguration.PPPController") (global-name "com.apple.SystemConfiguration.SCNetworkReachability") (global-name "com.apple.dnssd.service") (global-name "com.apple.nehelper") (global-name "com.apple.nesessionmanager") (global-name "com.apple.networkd") (global-name "com.apple.symptomsd") (global-name "com.apple.screensharing.MessagesAgent") (global-name "com.apple.screensharing.ShareScreenInvitation") (global-name "com.apple.usymptomsd") (global-name "com.apple.usernotifications.listener") (global-name "com.apple.coreduetd.knowledge") (global-name "com.apple.facetimemessagestored.service") (global-name "com.apple.callintelligenced.service") (global-name "com.apple.translationd") (global-name "com.apple.system.opendirectoryd.api") (global-name "com.apple.siri.uaf.subscription.service") (global-name "com.apple.remindd") (global-name "com.apple.corerecents.recentsd") ) ; Create some custom filters that allow us to include paths relative to the home directory (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)) ) (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME") home-relative-subpath)) ) (define (home-prefix home-relative-prefix) (prefix (string-append (param "HOME") home-relative-prefix)) ) (define (home-literal home-relative-literal) (literal (string-append (param "HOME") home-relative-literal)) ) ; For resolving symlinks, realpath(3), and equivalents. (allow file-read-metadata) ; callservicesd’s preference domain. (allow user-preference-read user-preference-write (preference-domain "com.apple.TelephonyUtilities") (preference-domain "com.apple.TelephonyUtilities.sharePlayAppPolicies") ) ; Allow access to lockdown mode state (allow sysctl-read (sysctl-name "security.mac.lockdown_mode_state")) ; Read/write access to our temporary directories. (allow file-read* file-write* (subpath (param "TMPDIR")) (subpath (param "DARWIN_CACHE_DIR")) (extension "com.apple.sandbox.application-group") (subpath "/private/tmp") ) ; Support for issuing extensions in our temporary directories. (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write") (require-any (subpath (param "TMPDIR")) (subpath (param "DARWIN_CACHE_DIR")) (extension "com.apple.sandbox.application-group") ) ) ) ; For Contacts (contacts-client (param "HOME") (param "TMPDIR")) ;;; -------------------------------------------------------------------------------------------- ;;; ;;; Mach Traps ;;; -------------------------------------------------------------------------------------------- ;;; ;; To be uncommented once the mach trap allow list is complete ;; (deny syscall-mach (with send-signal SIGKILL)) ;; Still allow the mach trap but report in log (allow (with telemetry) syscall-mach) (allow syscall-mach ;; Mach Trap allow list (machtrap-number MSC__kernelrpc_mach_port_extract_member_trap MSC_mach_msg_trap MSC__kernelrpc_mach_port_destruct_trap MSC__kernelrpc_mach_port_mod_refs_trap MSC_mach_reply_port MSC__kernelrpc_mach_port_deallocate_trap MSC__kernelrpc_mach_vm_deallocate_trap MSC__kernelrpc_mach_port_guard_trap MSC__kernelrpc_mach_port_insert_right_trap MSC_host_create_mach_voucher_trap MSC__kernelrpc_mach_vm_map_trap MSC__kernelrpc_mach_port_allocate_trap MSC__kernelrpc_mach_port_construct_trap MSC__kernelrpc_mach_port_insert_member_trap MSC_mk_timer_create MSC__kernelrpc_mach_port_request_notification_trap MSC_host_self_trap MSC_mk_timer_arm MSC_thread_get_special_reply_port MSC_mach_voucher_extract_attr_recipe_trap MSC__kernelrpc_mach_vm_allocate_trap MSC_mach_generate_activity_id MSC_task_name_for_pid MSC__kernelrpc_mach_port_type_trap MSC__kernelrpc_mach_vm_protect_trap MSC_semaphore_wait_trap MSC_semaphore_signal_trap MSC__kernelrpc_mach_port_get_attributes_trap MSC_thread_self_trap MSC_semaphore_timedwait_trap MSC__kernelrpc_mach_vm_purgable_control_trap MSC_mk_timer_cancel MSC_mk_timer_destroy MSC_syscall_thread_switch MSC_mach_timebase_info_trap MSC_task_self_trap MSC_thread_self_trap) ;; For Instruments (require-all (system-attribute apple-internal) (machtrap-number MSC_task_dyld_process_info_notify_get))) ;; To be uncommented once the system call allow list is complete ;; (deny syscall-unix (with send-signal SIGKILL)) ;; Still allow the system call but report in log (allow (with telemetry) syscall-unix) (allow syscall-unix (syscall-group-fcntl) (syscall-group-mkdir) (syscall-group-pthread) (syscall-group-read) (syscall-group-signal) (syscall-number SYS_fcntl SYS_kevent_id SYS_bsdthread_ctl SYS___channel_get_info SYS___channel_open SYS___channel_sync SYS___disable_threadsignal SYS___mac_syscall SYS_access SYS_bsdthread_create SYS_bsdthread_terminate SYS_csrctl SYS_fgetattrlist SYS_fgetxattr SYS_flock SYS_fsetattrlist SYS_fstat64 SYS_fstat64_extended SYS_fstatat64 SYS_fstatfs64 SYS_fsync SYS_ftruncate SYS_getattrlist SYS_getattrlistbulk SYS_getaudit_addr SYS_getentropy SYS_geteuid SYS_getfsstat64 SYS_getgid SYS_getuid SYS_getxattr SYS_guarded_close_np SYS_guarded_open_dprotected_np SYS_issetugid SYS_kdebug_trace SYS_kdebug_trace_string SYS_kdebug_trace64 SYS_kdebug_typefilter SYS_kevent_qos SYS_kqueue_workloop_ctl SYS_lstat64 SYS_lstat64_extended SYS_madvise SYS_mmap SYS_mprotect SYS_munmap SYS_open_dprotected_np SYS_setrlimit SYS_socket SYS_stat64 SYS_stat64_extended SYS_statfs64 SYS_work_interval_ctl SYS_workq_kernreturn SYS_workq_open SYS_access SYS_bsdthread_register SYS_csops SYS_csops_audittoken SYS_csrctl SYS_fgetattrlist SYS_fsgetpath SYS_fstat64 SYS_fstatfs64 SYS_getattrlist SYS_getdirentries64 SYS_getegid SYS_getentropy SYS_geteuid SYS_getpid SYS_getrlimit SYS_gettid SYS_getuid SYS_issetugid SYS_kdebug_trace_string SYS_kdebug_trace64 SYS_lseek SYS_lstat64 SYS_madvise SYS_mkdir SYS_mmap SYS_mprotect SYS_munmap SYS_objc_bp_assist_cfg_np SYS_pread SYS_proc_info SYS_read SYS_read_nocancel SYS_readlink SYS_shared_region_check_np SYS_sigaction SYS_stat64 SYS_faccessat)) ; Read/write access to our cache. (allow file-read* file-write* (home-subpath "/Library/Caches/com.apple.TelephonyUtilities") ) ; For validating entitlements and looking up process information of XPC clients (allow process-info-codesignature) (allow process-info-pidinfo) (allow process-info* (target self)) (allow device-microphone) (allow distributed-notification-post) (allow iokit-get-properties) (allow lsopen) (allow user-preference-read (preference-domain "com.apple.assistant" "com.apple.security" ".GlobalPreferences" "com.apple.AddressBook" "com.apple.iChat" "com.apple.Messages" "com.apple.facetime.bag" "com.apple.imessage.bag" "kCFPreferencesAnyApplication" "com.apple.VideoConference" "com.apple.VideoProcessing" "com.apple.ncprefs" "com.apple.universalaccess" "com.apple.accessibility" "com.apple.assistant.backedup" "com.apple.assistant.support" "com.apple.mobilesms" "com.apple.CommunicationTrust" "com.apple.voiceservices" "com.apple.applicationaccess" "com.apple.ironwood.support") ) (allow user-preference-read user-preference-write (preference-domain "com.apple.TelephonyUtilities" "com.apple.messages.facetime") ) (allow iokit-open (iokit-registry-entry-class "RootDomainUserClient") (iokit-registry-entry-class "IOAudioControlUserClient") (iokit-registry-entry-class "IOAudioEngineUserClient") ) (allow mach-lookup (global-name "com.apple.BluetoothServices") (global-name "com.apple.CallHistorySyncHelper") (global-name "com.apple.CompanionLink") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.group-activities.conversationmanagerhost") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.SecurityServer") (global-name "com.apple.SharingServices") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.analyticsd") (global-name "com.apple.apsd") (global-name "com.apple.audio.AudioComponentRegistrar") (global-name "com.apple.audio.audiohald") (global-name "com.apple.awdd") (global-name "com.apple.commcenter.xpc") (global-name "com.apple.commcenter.coretelephony.xpc") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.lsbestappsuggestionmanager.xpc") (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.familycircle.agent") (global-name "com.apple.identityservicesd.desktop.auth") (global-name "com.apple.identityservicesd.idquery.desktop.auth") (global-name "com.apple.imagent.desktop.auth") (global-name "com.apple.incoming-call-filter-server") (global-name "com.apple.logind") (global-name "com.apple.lsd.mapdb") (global-name "com.apple.marco") (global-name "com.apple.powerlog.plxpclogger.xpc") (global-name "com.apple.rtcreportingd") (global-name "com.apple.ScreenTimeAgent.communication") (global-name "com.apple.securityd.xpc") (global-name "com.apple.siri.external_request") (global-name "com.apple.sirittsd") (global-name "com.apple.soagent") (global-name "com.apple.tccd") (global-name "com.apple.usernoted.daemon_client") (global-name "com.apple.videoconference.camera") (global-name "com.apple.videoconference.speechtranslation") (global-name "com.apple.photos.service") (global-name "com.apple.ScreenTimeAgent") (global-name "com.apple.ScreenTimeAgent.private") (global-name "com.apple.dmd.policy") (global-name "com.apple.dmd.emergency-mode") (global-name "com.apple.accountsd.accountmanager") (global-name "com.apple.windowserver.active") (global-name "com.apple.UNCUserNotification") (global-name "com.apple.donotdisturb.service") (global-name "com.apple.cmfsyncagent.auth") (global-name "com.apple.imtransferservices.IMTransferAgent") (global-name "com.apple.replaykit.sharingsession") (global-name "com.apple.replaykit.sharingsession.notification") (global-name "com.apple.coreduetd.context") (global-name "com.apple.gamed") (global-name "com.apple.SharedWebCredentials") (global-name "com.apple.identityservicesd.nsxpc") (global-name "com.apple.bluetooth.xpc") (global-name "com.apple.audio.AudioSession") (global-name "com.apple.containermanagerd") (global-name "com.apple.FTLivePhotoService") (global-name "com.apple.kvsd") (global-name "com.apple.SensitiveContentAnalysis.analysishistory") (global-name "com.apple.CARenderServer") (global-name "com.apple.cmio.registerassistantservice.system-extensions") (global-name "com.apple.dock.server") (global-name "com.apple.frontboard.systemappservices") (global-name "com.apple.mobileassetd.v2") (global-name "com.apple.pasteboard.1") (global-name "com.apple.suggestd.contacts") (global-name "com.apple.synapse.backlink-service") (global-name "com.apple.telephonyutilities.callservicesdaemon.callstatecontroller") (global-name "com.apple.communicationtrustd.service") (global-name "com.apple.corerecents.recentsd") (global-name "com.apple.linkd.transcript") (global-name "com.apple.appintents.LiveEntityService") ) (allow file-read* (extension "com.apple.app-sandbox.read") (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") (literal "/Library/Preferences/com.apple.security.plist") (subpath "/Applications/FaceTime.app") (subpath "/Library/Audio/Plug-Ins/HAL") (subpath "/private/tmp") (home-literal ".CFUserTextEncoding") (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist") (home-subpath "/Library/Caches/GeoServices") ) (allow file-read* file-write* (regex #"^/private/var/folders/[^/]+/[^/]+/T/\.AddressBookLocks($|/)") (home-subpath "/Library/Application Support/AddressBook") (home-subpath "/Library/Application Support/CallHistoryDB") (home-subpath "/Library/CallServices") (extension "com.apple.avconference.moments") (extension "com.apple.identityservices.deliver") (extension "com.apple.app-sandbox.read-write") ) (allow file-map-executable (subpath "/System/Library/Address Book Plug-Ins") (literal "/System/Library/Components/AudioCodecs.component/Contents/MacOS/AudioCodecs") (literal "/System/Library/Components/CoreAudio.component/Contents/MacOS/CoreAudio") (literal "/System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleHDAHALPlugIn.bundle/Contents/MacOS/AppleHDAHALPlugIn") ) ; For sending files via -[IDSService sendResourceAtURL:metadata:toDestinations:priority:options:identifier:error:] (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath (param "TMPDIR")) ) (home-subpath "/Library/CallServices") ) (allow process-exec* (path "/System/Library/Frameworks/AddressBook.framework/Versions/A/Helpers/AddressBookSync.app/Contents/MacOS/AddressBookSync") ) (allow ipc-posix-shm-write-create ipc-posix-shm-read-data ipc-posix-shm-write-data (ipc-posix-name "com.apple.AppleDatabaseChanged") (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$") ) ; Keychain db and lock files. (allow file-read* file-write* (home-subpath "/Library/Keychains") ) ;;; Security.framework files that are dependent on uid. Some paths are covered by extensions that callservicesd issues to itself before entering the sandbox ; mds: mds.lock, mdsDirectory.db, mdsObject.db ; 1. extension "mds" ; uid == 0: r+w /private/var/db/mds/system ; uid > 0: r+w <_DARWIN_USER_CACHE_DIR>/mds ; 2. /private/var/db/mds/system/{mdsDirectory.db,mdsObject.db} ; uid == 0: r+w (already covered by (extension "com.apple.telephonyutilities.callservicesd.mds")) ; uid > 0: r ; 3. se_SecurityMessages: ; uid < 500: /private/var/db/mds/messages/se_SecurityMessages ; uid >= 500: /private/var/db/mds/messages//se_SecurityMessages (allow file-read* file-write* (extension "com.apple.telephonyutilities.callservicesd.mds") ) (allow file-read* (literal (param "SECURITY_MESSAGES_FILE")) ) (allow file-read* (literal "/private/var/db/mds/system/mdsDirectory.db") (literal "/private/var/db/mds/system/mdsObject.db") (literal "/private/var/db/os_eligibility/eligibility.plist") ) (allow file-read* file-read-metadata (subpath "/private/var/db/assetsubscriptiond/"))