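;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Sandbox profile for threadradiod. The profile is default-deny: every
;;; operation not explicitly allowed below is refused. Keep new allow rules
;;; as narrow as the existing ones (named syscalls, named Mach services,
;;; literal paths) rather than adding unscoped grants.

(version 3)

;;; Baseline: deny everything, then a few operation classes denied outright
;;; so that no later broad allow can re-enable them by accident.
(deny default)
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

;;; Shared rule sets. (corefoundation) is presumably a macro provided by the
;;; imported com.apple.corefoundation.sb profile.
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Homedir-relative path filters. Each helper prepends the HOME sandbox
;;; parameter to its argument, so callers pass a path *relative* to $HOME.
;;; Only home-literal and home-subpath are used further down in this file.
(define (home-regex home-relative-regex)
  (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))
(define (home-prefix home-relative-prefix)
  (prefix (string-append (param "HOME") home-relative-prefix)))
(define (home-literal home-relative-literal)
  (literal (string-append (param "HOME") home-relative-literal)))

;;; process-info* is denied above; re-allow it for the daemon's own process only.
(allow process-info* (target self))

;;; Explicit BSD syscall allowlist. Anything not listed here is denied by
;;; (deny default); add entries individually rather than widening to syscall-unix*.
(allow syscall-unix
  (syscall-number SYS_madvise)
  (syscall-number SYS_geteuid)
  (syscall-number SYS_proc_info)
  (syscall-number SYS_gettid)
  (syscall-number SYS_csops_audittoken)
  (syscall-number SYS_fstatfs64)
  (syscall-number SYS_stat64)
  (syscall-number SYS_issetugid)
  (syscall-number SYS_getdirentries64)
  (syscall-number SYS_read)
  (syscall-number SYS_getegid)
  (syscall-number SYS_lseek)
  (syscall-number SYS_fstat64)
  (syscall-number SYS_sendto)
  (syscall-number SYS_pread)
  (syscall-number SYS_workq_kernreturn)
  (syscall-number SYS_workq_open)
  (syscall-number SYS_kevent_qos)
  (syscall-number SYS_kevent_id)
  (syscall-number SYS_getuid)
  (syscall-number SYS_read_nocancel)
  (syscall-number SYS_thread_selfid)
  (syscall-number SYS_mmap)
  (syscall-number SYS_getrlimit)
  (syscall-number SYS_readlink)
  (syscall-number SYS_pipe)
  (syscall-number SYS_lstat64)
  (syscall-number SYS_access)
  (syscall-number SYS_sigprocmask)
  (syscall-number SYS___semwait_signal)
  (syscall-number SYS___channel_open)
  (syscall-number SYS___channel_get_info)
  (syscall-number SYS_guarded_close_np)
  (syscall-number SYS_kqueue)
  (syscall-number SYS_kevent)
  (syscall-number SYS_bsdthread_create)
  (syscall-number SYS___channel_sync)
  (syscall-number SYS___disable_threadsignal)
  (syscall-number SYS_bsdthread_terminate)
  (syscall-number SYS_fileport_makefd)
  (syscall-number SYS_setsockopt)
  (syscall-number SYS_getsockopt)
  (syscall-number SYS_getattrlist)
  (syscall-number SYS_ulock_wake)
  (syscall-number SYS_ulock_wait2)
  (syscall-number SYS_statfs64)
  (syscall-number SYS_getattrlistbulk)
  (syscall-number SYS_listxattr)
  (syscall-number SYS_bsdthread_ctl)
  (syscall-number SYS_kdebug_trace64)
  (syscall-number SYS_select)
  (syscall-number SYS_recvfrom)
  (syscall-number SYS_ulock_wait)
  (syscall-number SYS_change_fdguard_np)
  (syscall-number SYS_kdebug_trace_string)
  (syscall-number SYS_kqueue_workloop_ctl)
  (syscall-number SYS_rename)
  (syscall-number SYS_getentropy)
  (syscall-number SYS_fsync)
  (syscall-number SYS_psynch_mutexwait)
  (syscall-number SYS_psynch_mutexdrop)
  (syscall-number SYS_gettimeofday)
  (syscall-number SYS_getaudit_addr)
  (syscall-number SYS_ftruncate)
  (syscall-number SYS_flock)
  (syscall-number SYS_mkdirat)
  (syscall-number SYS_mkdir)
  (syscall-number SYS_mprotect)
  (syscall-number SYS_sigaction)
  (syscall-number SYS___pthread_sigmask)
  (syscall-number SYS_abort_with_payload)
  (syscall-number SYS_munmap))

;;; NOTE(review): the MAC syscall is identified only by the bare number 5;
;;; this file does not say which policy call that is. Record the symbolic
;;; name here when it is known so the grant can be audited.
(allow system-mac-syscall (mac-syscall-number 5))

;;; Explicit Mach trap allowlist (port management, VM, semaphores, reply ports).
(allow syscall-mach
  (machtrap-number MSC_mach_msg2_trap)
  (machtrap-number MSC__kernelrpc_mach_vm_map_trap)
  (machtrap-number MSC__kernelrpc_mach_port_destruct_trap)
  (machtrap-number MSC__kernelrpc_mach_port_deallocate_trap)
  (machtrap-number MSC__kernelrpc_mach_port_mod_refs_trap)
  (machtrap-number MSC__kernelrpc_mach_port_construct_trap)
  (machtrap-number MSC_host_self_trap)
  (machtrap-number MSC__kernelrpc_mach_port_request_notification_trap)
  (machtrap-number MSC__kernelrpc_mach_vm_protect_trap)
  (machtrap-number MSC__kernelrpc_mach_vm_deallocate_trap)
  (machtrap-number MSC__kernelrpc_mach_port_allocate_trap)
  (machtrap-number MSC__kernelrpc_mach_port_insert_member_trap)
  (machtrap-number MSC_mk_timer_create)
  (machtrap-number MSC__kernelrpc_mach_port_type_trap)
  (machtrap-number MSC__kernelrpc_mach_port_extract_member_trap)
  (machtrap-number MSC__kernelrpc_mach_port_guard_trap)
  (machtrap-number MSC__kernelrpc_mach_vm_allocate_trap)
  (machtrap-number MSC__kernelrpc_mach_port_insert_right_trap)
  (machtrap-number MSC_thread_get_special_reply_port)
  (machtrap-number MSC_semaphore_timedwait_trap)
  (machtrap-number MSC_semaphore_signal_trap)
  (machtrap-number MSC_mach_generate_activity_id)
  (machtrap-number MSC_semaphore_wait_trap)
  (machtrap-number MSC_mach_reply_port))

;;; fcntl(2) is limited to descriptor-flag and protection-class queries.
(allow system-fcntl
  (fcntl-command F_GETFD)
  (fcntl-command F_SETFD)
  (fcntl-command F_GETFL)
  (fcntl-command F_SETFL)
  (fcntl-command F_GETPROTECTIONCLASS))

;;; Networking primitives. These three grants carry no filter, so any socket
;;; domain/type and any socket option is permitted; the NECP and ioctl rules
;;; below are the scoped part of the network surface.
(allow system-socket)
(allow socket-option-get)
(allow socket-option-set)

;;; Unfiltered existence checks (stat-style probes) on any path.
(allow file-test-existence)

(allow necp-client-open)

;;; Mach services the daemon may look up. Each name is a distinct trust
;;; boundary; remove entries that are no longer called rather than keeping
;;; them "just in case".
;;; NOTE(review): "com.apple.lsd.modifydb" by its name grants the modifying
;;; LaunchServices endpoint, not just lookups; confirm the daemon needs it.
(allow mach-lookup
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.nehelper")
  (global-name "com.apple.WirelessCoexManager")
  (global-name "com.apple.corefollowup.agent")
  (global-name "com.apple.symptom_diagnostics")
  (global-name "com.apple.bluetooth.xpc")
  (global-name "com.apple.securityd.xpc")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.srp-mdns-proxy.proxy")
  (global-name "com.apple.private.corewifi-xpc")
  (global-name "com.apple.geod")
  (global-name "com.apple.airportd")
  (global-name "com.apple.corewlan-xpc")
  (global-name "com.apple.wifi.WiFiAgent")
  (global-name "com.apple.awdd")
  (global-name "com.apple.coreservices.quarantine-resolver")
  (global-name "com.apple.lsd.mapdb")
  (global-name "com.apple.lsd.modifydb")
  (global-name "com.apple.carboncore.csnameddata (xpc)"))

;;; Interface ioctls. SIOCGIFMTU/SIOCGIFFLAGS are reads; SIOCSIFFLAGS is the
;;; set variant and changes interface state, so it is the one to justify.
(allow socket-ioctl
  (ioctl-command SIOCGIFMTU)
  (ioctl-command SIOCGIFFLAGS)
  (ioctl-command SIOCSIFFLAGS))

;;; NECP client actions are limited to add/remove and the copy-* queries.
(allow system-necp-client-action
  (necp-client-action NECP_CLIENT_ACTION_ADD)
  (necp-client-action NECP_CLIENT_ACTION_COPY_RESULT)
  (necp-client-action NECP_CLIENT_ACTION_COPY_INTERFACE)
  (necp-client-action NECP_CLIENT_ACTION_COPY_AGENT)
  (necp-client-action NECP_CLIENT_ACTION_REMOVE))

;;; The daemon's own state directory is the only place it may create or
;;; unlink files.
(allow file-write-create file-write-unlink
  (subpath "/private/var/db/com.apple.threadradiod"))

;;; Read-only data access.
;;; NOTE(review): home-literal prepends $HOME, so the threadradiod-info.plist
;;; entry matches "$HOME/Users/local/corethreadradio/..." and not the absolute
;;; "/Users/local/..." path; confirm which one was intended.
;;; NOTE(review): direct read of /Library/Keychains/System.keychain is granted
;;; alongside the securityd/SecurityServer lookups above; confirm the file-level
;;; read is actually required and not just the XPC path.
(allow file-read-data
  (subpath "/private/var/db/com.apple.threadradiod")
  (subpath "/private/var/root/Library/Caches/GeoServices")
  (subpath "/private/var/db/mds/messages/se_SecurityMessages")
  (subpath "/Library/Keychains/System.keychain")
  (home-literal "/Users/local/corethreadradio/threadradiod-info.plist")
  (literal "/Library/Preferences/com.apple.networkd.plist")
  (literal "/private/var/root/Library/Caches/GeoServices/DirectReadConfigStore.plist")
  (literal "/Library/Preferences/com.apple.security.plist")
  (literal "/private/var/db/mds/system/mds.lock")
  (literal "/private/var/db/mds/system/mdsObject.db")
  (literal "/private/var/db/mds/system/mdsDirectory.db")
  (literal "/AppleInternal/Library/ExtensionKit/ExtensionPoints"))

;;; Writes (data only, no create/unlink) to the state directory and the MDS
;;; lock file.
(allow file-write-data
  (subpath "/private/var/db/com.apple.threadradiod")
  (literal "/private/var/db/mds/system/mds.lock"))

;;; NOTE(review): CoreCapture BT logs are granted read-only here under
;;; /private/var/logs/... and read/write further down under /Library/Logs/...;
;;; confirm both paths are real and both grants are needed.
(allow file-read*
  (subpath "/private/var/logs/CrashReporter/CoreCapture/BT")
  (subpath "/System/Library/PrivateFrameworks/CoreThreadRadio.framework"))

;;; Single named POSIX shared-memory segment, read and write.
(allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data
  (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;;; IOKit. IOPMrootDomain/RootDomainUserClient cover power management.
;;; NOTE(review): "IOUserService" and "IOUserUserClient" are generic class
;;; names rather than one driver's; if the sandbox language can match the
;;; specific service this daemon talks to, narrow these two rules to it.
(allow iokit-open-service (iokit-registry-entry-class "IOPMrootDomain"))
(allow iokit-open-service (iokit-registry-entry-class "IOUserService"))
(allow iokit-open-user-client (iokit-user-client-class "IOUserUserClient"))
(allow iokit-open-user-client (iokit-user-client-class "RootDomainUserClient"))

;; Allow iokit property reads on any registry entry (no filter).
(allow iokit-get-properties)

;; For resolving symlinks, realpath(3), and equivalents (unfiltered metadata reads).
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;;; Preference domains, read and write.
;;; NOTE(review): kCFPreferencesAnyApplication is the shared "any application"
;;; domain, so user-preference-write on it reaches well beyond the daemon's own
;;; domains; confirm write access to it is required, or split read and write.
(allow user-preference-read user-preference-write
  (preference-domain "com.apple.threadradiod")
  (preference-domain "kCFPreferencesAnyApplication")
  (preference-domain "com.apple.threadradiodData")
  (preference-domain "com.apple.threadradiodeMACDB")
  (preference-domain "com.apple.ccmapping_macos_cc4")
  (preference-domain "com.apple.ccmapping_macos_cc5_v0_19")
  (preference-domain "com.apple.ccmapping_macos_cc5_v0_39"))

;; Read/write access to the temporary and cache directories supplied as
;; sandbox parameters, plus the CoreCapture BT log directory.
(allow file-read* file-write*
  (subpath (param "TMPDIR"))
  (subpath (param "DARWIN_CACHE_DIR"))
  (subpath "/Library/Logs/CrashReporter/CoreCapture/BT"))

;; Read/write cache access under $HOME/Library/Caches/com.apple.threadradiod,
;; and permission to hand out read / read-write sandbox extensions scoped to
;; that same directory.
(let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.threadradiod")))
  (allow file-read* file-write* cache-path-filter)
  (allow file-issue-extension
    (require-all
      (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
      cache-path-filter)))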