;;;;;; QuickLook Preview Profile ;;;;;; ;;;;;; Copyright (c) 2019 Apple Inc. All Rights reserved. ;;;;;; ;;;;;; WARNING: The sandbox rules in this file currently constitute ;;;;;; Apple System Private Interface and are subject to change at any time and ;;;;;; without notice. The contents of this file are also auto-generated and ;;;;;; not user editable; it may be overwritten at any time. (version 1) (deny default file-link) (import "system.sb") (import "appsandbox-common.sb") (allow system-audit mach-task-name) (appsandbox-process-common) (deny nvram*) (allow sysctl-read (sysctl-name "kern.tcsm_available")) (allow sysctl-read sysctl-write (sysctl-name "kern.tcsm_enable")) (allow file-read* (subpath "/Library")) (deny file-read* (subpath "/Library/Application Support/AppStoreContent") (subpath "/Library/Application Support/AppStore") (subpath "/Library/Caches") (subpath "/Library/Logs") (subpath "/Library/Managed Preferences") (subpath "/Library/Preferences")) (allow file-read* (subpath "/Library/Preferences/Logging")) (when (param "application_bundle") (allow-read-directory-contents (param "application_bundle")) (allow file-link (subpath (param "application_bundle")))) (allow-read-write-directory-contents (param "application_darwin_user_dir")) (allow file-mount file-unmount (subpath (param "application_darwin_user_dir"))) (allow-read-write-directory-contents (param "application_darwin_cache_dir")) (allow file-mount file-unmount (subpath (param "application_darwin_cache_dir"))) (appsandbox-tmpdir) (allow file-mount file-unmount (subpath (param "application_darwin_temp_dir"))) (dyld-injection-support) (appsandbox-container-common) (appsandbox-container-macos) (define (%protect-preference-symlink domain) (deny file-unlink (container-literal (string-append "/Library/Preferences/" domain ".plist")) (container-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\\..*\\.plist$")))) (when (entitlement "com.apple.security.personal-information.location") (locationservices)) (when (entitlement "com.apple.security.personal-information.addressbook") (addressbook)) (when (entitlement "com.apple.security.personal-information.calendars") (calendar)) (sandbox-array-entitlement "com.apple.security.application-groups" (lambda (suite) (allow file-read-data (application-group-literal suite "")) (allow file-ioctl file-search (application-group-regex suite "/")) (read-only-and-issue-extensions (application-group-regex suite "/")) (allow file-read* (subpath (string-append "/Library/Application Support/AppStore/GroupContent/" suite))))) (appsandbox-extensions) (webkit-support) (webkit-xpc-services) (read-only-and-issue-extensions (subpath "/System")) (allow file-read* (home-literal "/.CFUserTextEncoding") (home-subpath "/Library/Audio") (home-subpath "/Library/Colors") (home-subpath "/Library/Compositions") (home-subpath "/Library/Dictionaries") (home-subpath "/Library/Filters") (home-subpath "/Library/FontCollections") (home-subpath "/Library/Fonts") (home-subpath "/Library/Keyboard Layouts") (home-subpath "/Library/Input Methods") (home-subpath "/Library/PDF Services") (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist") (home-subpath "/Library/Sounds") (home-subpath "/Library/Spelling")) (deny file-map-executable (home-subpath "/Library/ColorPickers")) (allow user-preference-read (preference-domain "com.apple.Accessibility" "com.apple.Accessibility.speech" "com.apple.AdLib" "com.apple.AppleMultitouchTrackpad" "com.apple.SpeakSelection" "com.apple.assistant.support" "com.apple.ATS" "com.apple.CoreGraphics" "com.apple.coremedia" "com.apple.mediaaccessibility" "com.apple.driver.AppleBluetoothMultitouch.mouse" "com.apple.driver.AppleBluetoothMultitouch.trackpad" "com.apple.driver.AppleHIDMouse" "com.apple.HIToolbox" "com.apple.inputsources" "com.apple.security_common" "com.apple.security" "com.apple.systemsound" "com.apple.universalaccess" "com.apple.WebFoundation" "kCFPreferencesAnyApplication")) (%protect-preference-symlink "com.apple.security_common") (%protect-preference-symlink "com.apple.security") (allow file-read* (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.LaunchServices.plist")) (read-only-and-issue-extensions (require-any (home-subpath "/Library/Sounds") (home-subpath "/Library/Audio/Sounds") (home-subpath "/Library/Components") (home-subpath "/Library/QuickTime"))) (when (param "application_bundle_id") (allow file-read* (literal (string-append "/Library/Managed Preferences/" (param "application_bundle_id") ".plist")) (literal (string-append "/Library/Managed Preferences/" (param "_USER") "/" (param "application_bundle_id") ".plist")) (literal (string-append "/Library/Preferences/" (param "application_bundle_id") ".plist")) (subpath (string-append "/Library/Application Support/AppStore/Content/" (param "application_bundle_id"))))) (allow file-read-metadata) (allow file-read* (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist") (subpath "/Library/PDF Services") (literal "/Library/Preferences/.GlobalPreferences.plist") (literal "/Library/Preferences/com.apple.AppleShareClient.plist") (literal "/Library/Preferences/com.apple.HIToolbox.plist") (literal "/Library/Preferences/com.apple.loginwindow.plist") (prefix "/Library/Preferences/com.apple.security.") (subpath "/Library/Preferences/Logging/Subsystems") (prefix "/Library/Preferences/com.apple.PowerManagement.") (literal "/Library/Preferences/SystemConfiguration/preferences.plist") (subpath "/Users/Shared/SC Info") (literal "/Volumes") (literal "/private/etc/group") (literal "/private/etc/hosts") (literal "/private/etc/openldap/ldap.conf") (literal "/private/etc/passwd") (literal "/private/etc/protocols") (literal "/private/etc/resolv.conf") (literal "/private/etc/services") (literal "/private/etc/ssl/cert.pem") (literal "/private/etc/ssl/openssl.cnf") (literal "/private/var/run/resolv.conf")) (allow file-read* (subpath (string-append "/Library/Application Support/AppStoreContent/" (param "application_container_id"))) (subpath "/Library/PDF Services") (subpath "/Applications")) (with-filter (system-attribute apple-internal) (allow file-read* (subpath "/AppleInternal/Applications"))) (allow mach-lookup (global-name "com.apple.containermanagerd") (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name "com.apple.cvmsServ") (global-name "com.apple.DiskArbitration.diskarbitrationd") (global-name "com.apple.distributed_notifications@1v3") (global-name "com.apple.distributed_notifications@Uv3") (global-name "com.apple.dock.fullscreen") (global-name "com.apple.dock.server") (global-name "com.apple.FileCoordination") (global-name "com.apple.FontObjectsServer") (global-name "com.apple.fonts") (global-name "com.apple.gputools.service") (global-name "com.apple.ocspd") (global-name "com.apple.pasteboard.1") (global-name "com.apple.securityd.xpc") (global-name "com.apple.SecurityServer") (global-name "com.apple.spindump") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.tailspind") (global-name "com.apple.tccd") (global-name "com.apple.tccd.system") (global-name "com.apple.TrustEvaluationAgent") (global-name "com.apple.uiintelligencesupport.agent") (global-name "com.apple.VirtualDisplay") (global-name "com.apple.window_proxies") (global-name "com.apple.windowmanager.server") (global-name "com.apple.windowserver.active")) (allow mach-lookup (global-name "PurplePPTServer") (global-name "PurpleSystemEventPort") (global-name "com.apple.awdd") (global-name "com.apple.itunesstored.xpc") (global-name "com.apple.lskdd")) (allow mach-lookup (global-name "com.apple.frontboard.systemappservices") (global-name "com.apple.frontboard.workspace") (global-name "com.apple.iphone.axserver-systemwide") (global-name "com.apple.powerlog.plxpclogger.xpc") (global-name "com.apple.remote-text-editing") (global-name "com.apple.remote-text-editing-legacy") (global-name "com.apple.runningboard") (global-name "com.apple.sharing.remote-text-editing")) (allow user-preference-read (preference-domain "com.apple.UIKit")) (allow mach-lookup (global-name "com.apple.iosmac.remote-text-editing") (global-name "com.apple.logind") (global-name "com.apple.rapport.remote-text-input") (global-name "com.apple.statskit") (global-name "com.apple.uikitsystemapp.services")) (coreaudio-services) (power-assertions) (with-filter (iokit-registry-entry-class "IODisplayWrangler") (allow iokit-set-properties (iokit-property "IORequestIdle"))) (allow iokit-open-user-client (iokit-user-client-class "IOHIDParamUserClient")) (system-graphics) (deny file-write-xattr (xattr "com.apple.quarantine") (with no-log)) (deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private.")) (audio-output) (allow iokit-open-user-client (iokit-user-client-class "AppleUpstreamUserClient") (iokit-user-client-class "AudioAUUC")) (allow ipc-posix-shm-read* ipc-posix-shm-write-data (ipc-posix-name-prefix "AudioIO")) (allow ipc-posix-shm-read* ipc-posix-shm-write-data (ipc-posix-name-regex "^Apple MIDI (in|out) [0-9]+$")) (mediaplayback) (appsandbox-fsctl) (foundation) (allow ipc-posix-shm-read* (ipc-posix-name-prefix "/tmp/com.apple.csseed.") (ipc-posix-name-prefix "ls.")) (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink (ipc-posix-name-regex "^gdt-[A-Za-z0-9]+-(c|s)$")) (allow file-read* (home-subpath "/Library/Dictionaries") (subpath "/Library/Dictionaries") (subpath "/Network/Library/Dictionaries")) (sandbox-array-entitlement "com.apple.security.temporary-exception.iokit-user-client-class" (lambda (name) (allow iokit-open-user-client (iokit-user-client-class name)) (allow iokit-set-properties (iokit-user-client-class name)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.mach-lookup.global-name" (lambda (name) (allow mach-lookup (global-name name)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.mach-lookup.local-name" (lambda (name) (allow mach-lookup (local-name name)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.files.home-relative-path.read-only" (lambda (path) (let ((filter (select-filter path home-subpath home-literal))) (read-only-and-issue-extensions filter) (allow process-exec filter)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.files.home-relative-path.read-write" (lambda (path) (let ((filter (select-filter path home-subpath home-literal))) (allow process-exec filter) (read-write-and-issue-extensions filter)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.files.absolute-path.read-only" (lambda (path) (let ((filter (select-filter path safe-subpath literal))) (allow process-exec filter) (read-only-and-issue-extensions filter)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.files.absolute-path.read-write" (lambda (path) (let ((filter (select-filter path safe-subpath literal))) (allow process-exec filter) (read-write-and-issue-extensions filter)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.shared-preference.read-only" (lambda (domain) (allow user-preference-read (preference-domain domain)))) (sandbox-array-entitlement "com.apple.security.temporary-exception.shared-preference.read-write" (lambda (domain) (allow user-preference-read user-preference-write (preference-domain domain)))) (oopjit-runner) (sandbox-array-entitlement "com.apple.security.temporary-exception.sbpl" (lambda (string) (let* ((port (open-input-string string)) (sbpl (read port))) (with-transparent-redirection (eval sbpl))))) (appsandbox-quarantine-common) (protect-redirected-paths) (protect-redirectable-paths)