;;; Copyright (c) 2017 Apple Inc. All Rights reserved. ;;; ;;; WARNING: The sandbox rules in this file currently constitute ;;; Apple System Private Interface and are subject to change at any time and ;;; without notice. ;;; (version 1) (deny default) (deny file-map-executable process-info* nvram*) (deny dynamic-code-generation) (import "system.sb") (import "com.apple.corefoundation.sb") (corefoundation) ;;; Homedir-relative path filters (define (home-regex home-relative-regex) (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex))) (define (home-subpath home-relative-subpath) (subpath (string-append (param "HOME") home-relative-subpath))) (define (home-prefix home-relative-prefix) (prefix (string-append (param "HOME") home-relative-prefix))) (define (home-literal home-relative-literal) (literal (string-append (param "HOME") home-relative-literal))) (allow process-info* (target self)) ;; For resolving symlinks, realpath(3), and equivalents. (allow file-read-metadata) ;; For validating the entitlements of clients. (allow process-info-codesignature) ;; Your preference domain (allow user-preference-read user-preference-write (preference-domain "nfcd") (preference-domain "com.apple.stockholm") (preference-domain "com.apple.stockholm.analytics") (preference-domain "com.apple.stockholm.atl")) ;; Read only prefs - not ours (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication")) ;; Need read / write / create (allow file-read* file-write* (home-prefix "/Library/Preferences/com.apple.stockholm.plist") (home-prefix "/Library/Preferences/com.apple.stockholm.atl.plist") (home-prefix "/Library/Preferences/com.apple.stockholm.analytics.plist") (home-prefix "/Library/Preferences/nfcd.plist") (home-subpath "/Library") (home-subpath "/Library/Preferences") (home-subpath "/Library/NFStorage")) (with-filter (extension-class "com.apple.cfprefsd.read" "com.apple.cfprefsd.read-write") (allow file-issue-extension (home-literal "/Library/Preferences/com.apple.stockholm.plist") (home-literal "/Library/Preferences/com.apple.stockholm.atl.plist") (home-literal "/Library/Preferences/com.apple.stockholm.analytics.plist") (home-literal "/Library/Preferences/nfcd.plist") ) ) (allow file-read* file-write-data file-ioctl (prefix "/dev/nfc.log" "/dev/spmi.nfc") (literal "/dev/tty.stockholm")) ;; Read/write access to a temporary directory. (allow file-read* file-write* (subpath (param "TMPDIR")) (subpath (param "DARWIN_CACHE_DIR"))) ;; XPC connections (allow mach-lookup (global-name "com.apple.nfrestore") (global-name "com.apple.remoted") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.CoreAuthentication.daemon.libxpc") ;; (global-name "com.apple.CoreAuthentication.daemon") ;; -- note we can remove previous line before ship (global-name "com.apple.mobileactivationd") ;; (global-name "com.apple.UNCUserNotification") (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.passd.nf-events") (global-name "com.apple.stockholm.services.NFRestoreService") (global-name "com.apple.stockholm.services.NFStorageServer")) ;; Self lookup (allow file-read* (literal "/usr/libexec") (literal "/usr/libexec/nfcd")) ;; Logs (allow file-read* file-write* (literal "/Library/Logs/AppleSSE.log")) ;; Process info lookup (allow process-info-pidinfo) (allow mach-priv-host-port) (allow iokit-open (iokit-user-client-class "AppleStockholmControlUserClient") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "AppleCredentialManagerUserClient") (iokit-user-client-class "AppleSSEUserClient") (iokit-user-client-class "AppleKeyStoreUserClient")) ;; (allow authorization-right-obtain (right-name "default") (right-name "com.apple.applepay.reset")) (allow system-socket (socket-domain AF_SYSTEM)) (allow network-outbound (control-name-prefix "com.apple.spmi.nfc") (control-name "com.apple.uart.stockholm")) ;; SEP needs this for some key related stuff in their library (allow sysctl-read (sysctl-name-prefix "net.routetable.")) (with-filter (iokit-registry-entry-class "AppleDialogSPMIPMU") (allow iokit-set-properties (iokit-property "IOPMUBootLPMCtrl" "IOPMUBootLPMState"))) (allow iokit-get-properties)