;;;;;; Rules required to bootstrap a process with dyld.
;;;;;;
;;;;;; Copyright (c) 2022 Apple Inc. All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.

;;; NB: Add rules to this file judiciously. Sandboxed binaries may come to
;;; rely on the rules for other functionality, so it is difficult to
;;; remove rules once added to this file.
;;;
;;; Every rule in this file is an `allow`; it is meant to be imported into a
;;; profile and only widens what the importing profile permits. Because the
;;; file is generated, changes belong in the generator, not in this file.

;; SBPL profile-language version declaration.
(version 3)

(let
  ;; On a snapshot boot, /System/Cryptexes/{OS,App} are symlinks pointing to the
  ;; platform-specific preboot locations for the cryptex graft points:
  ;;
  ;;   Embedded: /private/preboot/Cryptexes/{OS,App}
  ;;   macOS: /System/Volumes/Preboot/Cryptexes/{OS,App}
  ;;
  ;; But in a live fs boot, these locations turn into real directories on the
  ;; system volume that have content which can be rooted. So we need to be able
  ;; to treat them either as symlinks or directories.
  ;;
  ;; The list therefore names both the /System/Cryptexes/* paths and the
  ;; preboot paths they may resolve to, so the same rules cover either layout.
  ;; NOTE(review): the Incoming/OS path is not described above; confirm it is
  ;; intended to be readable and executable-mappable here as well.
  ((cryptex-graft-points
    (list
      "/System/Volumes/Preboot/Cryptexes/App/System"
      "/System/Volumes/Preboot/Cryptexes/Incoming/OS"
      "/System/Volumes/Preboot/Cryptexes/OS"
      "/System/Cryptexes/App"
      "/System/Cryptexes/OS")))

  ;; Allow reading/mapping content from the cryptexes.
  ;; file-map-executable is the operation checked when a file is mapped for
  ;; execution; it is what lets dyld map code out of the cryptexes. It is
  ;; deliberately scoped by `subpath` to the graft-point trees only, so this
  ;; rule does not make files elsewhere mappable as executable.
  (allow file-read* file-test-existence file-map-executable
    (apply subpath cryptex-graft-points))

  ;; Allow reading/stat'ing intermediate directories.
  ;; path-ancestors should match only the directories leading up to each graft
  ;; point (so the paths can be traversed); note it does NOT include
  ;; file-map-executable, and it is not a subpath grant on those ancestors.
  (allow file-read* file-test-existence
    (apply path-ancestors cryptex-graft-points)))

;;; dyld support
;; syscall-unix rules permit the listed system calls to be issued at all.
;; Any file access performed through them is presumably still subject to the
;; file-* rules in the importing profile — TODO confirm that is how the
;; sandbox evaluates these two operation classes.
(allow syscall-unix
  (syscall-number SYS___mac_syscall)
  (syscall-number SYS_getfsstat SYS_getfsstat64)
  (syscall-number SYS_map_with_linking_np))
;; Only these fcntl(2) commands are permitted. The names suggest the
;; code-signing-related commands dyld needs (attach a file's signature blob,
;; perform the library-validation check) plus F_GETPATH — verify against
;; <sys/fcntl.h> before relying on that reading.
(allow system-fcntl
  (fcntl-command F_ADDFILESIGS_RETURN F_CHECK_LV F_GETPATH))
;; SYS___mac_syscall above only allows the raw syscall; this rule narrows which
;; MAC policy and sub-call may be reached through it: the Sandbox policy,
;; call number 2 only (SYSCALL_CHECK_SANDBOX per the trailing comment).
;; No other policy's __mac_syscall entry points are reachable from this file.
(with-filter (mac-policy-name "Sandbox")
  (allow system-mac-syscall (mac-syscall-number 2))) ; SYSCALL_CHECK_SANDBOX

;;; libignition needs to be able to open "/" so it can use it as an openat(2)
;;; root.
;; Note this is a `literal` grant on "/" itself, not a subpath grant: reading
;; beneath "/" remains limited to the cryptex rules above (and whatever the
;; importing profile allows).
(allow file-read* file-test-existence (literal "/"))
(allow syscall-unix (syscall-number SYS_open) (syscall-number SYS_openat))

;;; libignition calls fstatat on the Cryptex root directories.
(allow syscall-unix (syscall-number SYS_fstatat SYS_fstatat64))

;;; libignition needs to be able to dup(2) file descriptors to manage
;;; descriptor ownership.
(allow syscall-unix (syscall-number SYS_dup))