;;;;;; Common system sandbox rules;;;;;;;;;;;; Copyright (c) 2008-2009 Apple

1. ;;;;;; Common system sandbox rules
2. ;;;;;;
3. ;;;;;; Copyright (c) 2008-2009 Apple Inc.  All Rights reserved.
4. ;;;;;;
5. ;;;;;; WARNING: The sandbox rules in this file currently constitute
6. ;;;;;; Apple System Private Interface and are subject to change at any time and
7. ;;;;;; without notice. The contents of this file are also auto-generated and
8. ;;;;;; not user editable; it may be overwritten at any time.
9.  
10. (version 1)
11.  
12. ;;; Allow registration of per-pid services.
13. (allow mach-register
14.        (local-name-regex #""))
15.  
16. ;;; Allow read access to standard system paths.
17. (allow file-read*
18.        (require-all (file-mode #o0004)
19.                     (require-any (subpath "/Library/Filesystems/NetFSPlugins")
20.                                  (subpath "/System")
21.                                  (subpath "/private/var/db/dyld")
22.                                  (subpath "/usr/lib")
23.                                  (subpath "/usr/share"))))
24.  
25. (allow file-read-metadata
26.        (literal "/etc")
27.        (literal "/tmp")
28.        (literal "/var")
29.        (literal "/private/etc/localtime"))
30.  
31.  
32. ;;; Allow access to standard special files.
33. (allow file-read*
34.        (literal "/dev/autofs_nowait")
35.        (literal "/dev/random")
36.        (literal "/dev/urandom")
37.        (literal "/private/etc/master.passwd")
38.        (literal "/private/etc/passwd"))
39.  
40. (allow file-read*
41.        file-write-data
42.        (literal "/dev/null")
43.        (literal "/dev/zero"))
44.  
45. (allow file-read*
46.        file-write-data
47.        file-ioctl
48.        (literal "/dev/dtracehelper"))
49.  
50. (allow network-outbound
51.        (literal "/private/var/run/asl_input")
52.        (literal "/private/var/run/syslog"))
53.  
54.  
55. ;;; Allow creation of core dumps.
56. (allow file-write-create
57.        (require-all (regex #"^/cores/")
58.                     (vnode-type REGULAR-FILE)))
59.  
60.  
61. ;;; Allow IPC to standard system agents.
62. (allow ipc-posix-shm-read*
63.        (ipc-posix-name #"apple.shm.notification_center")
64.        (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
65.  
66. (allow mach-lookup
67.        (global-name "com.apple.appsleep")
68.        (global-name "com.apple.bsd.dirhelper")
69.        (global-name "com.apple.cfprefsd.agent")
70.        (global-name "com.apple.cfprefsd.daemon")
71.        (global-name "com.apple.diagnosticd")
72.        (global-name "com.apple.system.logger")
73.        (global-name "com.apple.system.notification_center")
74.        (global-name "com.apple.system.opendirectoryd.libinfo")
75.        (global-name "com.apple.system.DirectoryService.libinfo_v1")
76.        (global-name "com.apple.system.opendirectoryd.membership")
77.        (global-name "com.apple.xpc.activity.unmanaged")
78.        (global-name "com.apple.xpcd")
79.        (global-name "com.apple.secinitd")
80.        (global-name "com.apple.espd")
81.        (global-name "com.apple.gkbisd")
82.        (local-name "com.apple.cfprefsd.agent"))
83.  
84.  
85. ;;; Allow mostly harmless operations.
86. (allow sysctl-read)
87.  
88.  
89. ;;; (system-graphics) - Allow access to graphics hardware.
90. (define (system-graphics)
91.   ;; Preferences
92.   (allow user-preference-read
93.          (preference-domain "com.apple.opengl")
94.          (preference-domain "com.nvidia.OpenGL"))
95.   ;; OpenGL memory debugging
96.   (allow mach-lookup
97.          (global-name "com.apple.gpumemd.source"))
98.   ;; CVMS
99.   (allow mach-lookup
100.          (global-name "com.apple.cvmsServ"))
101.   ;; OpenCL
102.   (allow iokit-open
103.          (iokit-connection "IOAccelerator")
104.          (iokit-user-client-class "IOAccelerationUserClient")
105.          (iokit-user-client-class "IOSurfaceRootUserClient")
106.          (iokit-user-client-class "IOSurfaceSendRight"))
107.   ;; CoreVideo CVCGDisplayLink
108.   (allow iokit-open
109.          (iokit-user-client-class "IOFramebufferSharedUserClient"))
110.   ;; H.264 Acceleration
111.   (allow iokit-open
112.          (iokit-user-client-class "AppleSNBFBUserClient"))
113.   ;; QuartzCore
114.   (allow iokit-open
115.          (iokit-user-client-class "AGPMClient")
116.          (iokit-user-client-class "AppleGraphicsControlClient")
117.          (iokit-user-client-class "AppleGraphicsPolicyClient"))
118.   ;; OpenGL
119.   (allow iokit-open
120.          (iokit-user-client-class "AppleMGPUPowerControlClient"))
121.   ;; DisplayServices
122.   (allow iokit-set-properties
123.          (require-all (iokit-connection "IODisplay")
124.                       (require-any (iokit-property "brightness")
125.                                    (iokit-property "linear-brightness")
126.                                    (iokit-property "commit")
127.                                    (iokit-property "rgcs")
128.                                    (iokit-property "ggcs")
129.                                    (iokit-property "bgcs")))))
130.  
131.  
132. ;;; (system-network) - Allow access to the network.
133. (define (system-network)
134.   (allow file-read*
135.          (literal "/Library/Preferences/com.apple.networkd.plist"))
136.   (allow mach-lookup
137.          (global-name "com.apple.SystemConfiguration.PPPController")
138.          (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
139.          (global-name "com.apple.networkd")
140.          (global-name "com.apple.nsurlstorage-cache")
141.          (global-name "com.apple.symptomsd")
142.          (global-name "com.apple.usymptomsd"))
143.   (allow network-outbound
144.          (control-name "com.apple.netsrc")
145.          (control-name "com.apple.network.statistics"))
146.   (allow system-socket
147.          (require-all (socket-domain AF_SYSTEM)
148.                       (socket-protocol 2)) ; SYSPROTO_CONTROL
149.          (socket-domain AF_ROUTE)))