
Untitled

a guest
Jul 10th, 2017
  1. --
  2. application.sb
  3. 485a486,488
  4. > (with-filter
  5. > (extension "com.apple.app-sandbox.read-write")
  6. > (allow file-link (home-subpath "/Library/Mobile Documents")))
  7. 562,563c565
  8. < "\\..*\\.plist$")))
  9. < (%protect-preference-symlink domain)))
  10. ---
  11. > "\\..*\\.plist$")))))
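Review bot: The call `(%protect-preference-symlink domain)` that followed the `"\\..*\\.plist$"` regex is absent on the new side here, and hunk 584,585c586 drops the same call after the `"\\..*\\.plist(\\..+)?$"` regex. The only `%protect-preference-symlink` additions visible on this page are the two fixed domains at 1022a (`com.apple.security_common` and `com.apple.security`). Unless the macro is now applied per domain somewhere outside these hunks, other preference domains would lose whatever symlink protection it provided. The enclosing definition starts and ends outside the hunk, so this needs confirming against the full file; a comment next to the regex such as `;; symlink protection for preference domains is applied in <location>` would record where it went.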
  12. 584,585c586
  13. < "\\..*\\.plist(\\..+)?$")))
  14. < (%protect-preference-symlink domain)))
  15. ---
  16. > "\\..*\\.plist(\\..+)?$")))))
  17. 638c639
  18. < (global-name "com.apple.blued"))
  19. ---
  20. > (global-name "com.apple.bluetoothd"))
  21. 840,843c841,845
  22. < (read-only-and-issue-extensions
  23. < (require-all
  24. < (extension "com.apple.librarian.ubiquity-revision")
  25. < (mount-relative-regex "^/\\.DocumentRevisions-V100(/|$)")))
  26. ---
  27. > (sandbox-array-entitlement
  28. > "com.apple.developer.icloud-container-identifiers"
  29. > (lambda (id)
  30. > (allow file-link (ubiquity-filter id))
  31. > (read-write-and-issue-extensions (ubiquity-filter id))))
  32. 927,929d928
  33. < (deny file-read*
  34. < file-write*
  35. < (group-container-subpath "/Library/Preferences"))
  36. 997a997
  37. > "com.apple.airplay"
  38. 1022a1023,1024
  39. > (%protect-preference-symlink "com.apple.security_common")
  40. > (%protect-preference-symlink "com.apple.security")
  41. 1085a1088
  42. > (literal "/private/etc/openldap/ldap.conf")
  43. 1090c1093
  44. < (literal "/private/etc/openldap/ldap.conf")
  45. ---
  46. > (literal "/private/etc/ssl/openssl.cnf")
  47. 1133a1137,1138
  48. > (global-name "com.apple.audio.AudioComponentPrefs")
  49. > (global-name "com.apple.audio.AudioComponentRegistrar")
  50. 1138a1144
  51. > (global-name "com.apple.cache_delete.public")
  52. 1139a1146
  53. > (global-name "com.apple.colorsync.useragent")
  54. 1144a1152,1154
  55. > (global-name "com.apple.coremedia.routediscoverer.xpc")
  56. > (global-name "com.apple.coremedia.routingcontext.xpc")
  57. > (global-name "com.apple.coremedia.volumecontroller.xpc")
  58. 1153d1162
  59. < (global-name "com.apple.decalog4.incoming")
  60. 1159a1169
  61. > (global-name "com.apple.FileProvider")
  62. 1177d1186
  63. < (global-name "com.apple.librariand")
  64. 1216a1226
  65. > (global-name "com.apple.tailspind")
  66. 1232a1243,1245
  67. > (with-filter
  68. > (iokit-registry-entry-class "IODisplayWrangler")
  69. > (allow iokit-set-properties (iokit-property "IORequestIdle")))
  70. 1245d1257
  71. < (allow mach-register (local-name "com.apple.ICA"))
  72. 1401a1414,1429
  73. > (define (select-sysctl-filter handle with-star without-star)
  74. > (if (end-with-star? handle)
  75. > (with-star (strip-last-char handle))
  76. > (without-star handle)))
  77. > (sandbox-array-entitlement
  78. > "com.apple.security.temporary-exception.sysctl.read-only"
  79. > (lambda (handle)
  80. > (let ((sysctl-filter
  81. > (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
  82. > (allow sysctl-read sysctl-filter))))
  83. > (sandbox-array-entitlement
  84. > "com.apple.security.temporary-exception.sysctl.read-write"
  85. > (lambda (handle)
  86. > (let ((sysctl-filter
  87. > (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
  88. > (allow sysctl-read sysctl-write sysctl-filter))))
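Review bot: `select-sysctl-filter` accepts a handle that is just `*`, in which case `(strip-last-char handle)` presumably yields an empty string and `(sysctl-name-prefix "")` would match every sysctl name. In the read-write entitlement loop that turns a single array entry into `sysctl-write` over the whole namespace. A guard on the handle length keeps the wildcard scoped, for example using `(if (and (end-with-star? handle) (> (string-length handle) 1))` as the condition so a bare `*` falls through to the exact-name branch. A comment above the definition stating the accepted handle syntax (exact name, or a non-empty prefix followed by `*`) would also help. `end-with-star?` and `strip-last-char` are defined outside this hunk, so their behaviour on short strings is inferred from their names.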
  89. --
  90. apsd.sb
  91. Files /System/Library/Sandbox/Profiles/apsd.sb and apsd.sb are identical
  92. --
  93. bsd.sb
  94. 25c25
  95. < #"^/usr/share/zoneinfo/"
  96. ---
  97. > #"^/var/db/timezone/zoneinfo/"
  98. --
  99. cloudpaird.sb
  100. 138c138
  101. < (global-name "com.apple.blued")
  102. ---
  103. > (global-name "com.apple.bluetoothd")
  104. --
  105. colorsyncd.sb
  106. 20,21c20,26
  107. < (allow file-read* file-write-data file-write-create file-write-unlink file-write-owner (subpath "/Library/ColorSync/Profiles"))
  108. < (deny file-write-data file-write-create file-write-unlink file-write-owner (literal "/Library/ColorSync/Profiles"))
  109. ---
  110. > (define (allow-create-directory . filters)
  111. > (allow file-read-metadata
  112. > (apply require-any filters))
  113. > (allow file-read-metadata file-write-create
  114. > (require-all
  115. > (vnode-type DIRECTORY)
  116. > (apply require-any filters))))
  117. 23,26c28,54
  118. < (allow file-write-create
  119. < (require-all
  120. < (vnode-type DIRECTORY)
  121. < (literal "/Library/ColorSync/Profiles" "/Library/ColorSync" "/Library")))
  122. ---
  123. > ;; Allow the creation of only a directory at these paths.
  124. > (allow-create-directory
  125. > (literal "/Library/Caches")
  126. > (literal "/Library/Caches/ColorSync"))
  127. > ;; Allow reading the contents of our directory
  128. > (allow file-read*
  129. > (literal "/Library/Caches/ColorSync"))
  130. > ;; Allow full access to anything below our directory.
  131. > (allow file-read* file-write*
  132. > (prefix "/Library/Caches/ColorSync/"))
  133. >
  134. > (allow-create-directory
  135. > (literal "/Library/ColorSync")
  136. > (literal "/Library/ColorSync/Profiles"))
  137. > (allow file-read*
  138. > (literal "/Library/ColorSync/Profiles"))
  139. > (allow file-read* file-write*
  140. > (prefix "/Library/ColorSync/Profiles/"))
  141. >
  142. > ;; deny the removal of these pre-installed profiles.
  143. > (deny file-write-unlink
  144. > (literal "/Library/ColorSync/Profiles/Black & White.icc")
  145. > (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
  146. > (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
  147. > (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
  148. > (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
  149. > (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
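Review bot: The closing `deny file-write-unlink` protects the six pre-installed profiles only against removal. The preceding `(allow file-read* file-write* (prefix "/Library/ColorSync/Profiles/"))` still permits writing to their contents, so a compromised colorsyncd could overwrite them in place. If the intent is that these files stay intact, the deny should cover data writes too, e.g. start the rule with `(deny file-write-unlink file-write-data` over the same literals and change the comment to `;; deny removal or modification of these pre-installed profiles.`. Whether other write operations (ownership, extended attributes) also matter cannot be judged from this hunk.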
  150. --
  151. com.apple.AirPlayXPCHelper.sb
  152. 66,69c66,74
  153. < (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  154. < (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  155. < (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  156. < (iokit-user-client-class "IOBluetoothDeviceUserClient")
  157. ---
  158. > (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  159. > (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  160. > (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  161. > (iokit-user-client-class "IOBluetoothDeviceUserClient")
  162. > (iokit-user-client-class "IOTimeSyncUserClient")
  163. > (iokit-user-client-class "IOTimeSyncClockManagerUserClient")
  164. > (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient")
  165. > (iokit-user-client-class "IOTimeSyncDomainUserClient")
  166. > (iokit-user-client-class "IOTimeSyncNetworkPortUserClient")
  167. 86a92
  168. > (global-name "com.apple.analyticsd")
  169. 88a95
  170. > (global-name "com.apple.audio.AudioComponentRegistrar")
  171. 105c112
  172. < (global-name "com.apple.blued")
  173. ---
  174. > (global-name "com.apple.bluetoothd")
  175. 108c115,118
  176. < (global-name "com.apple.airportd")
  177. ---
  178. > (global-name "com.apple.airportd")
  179. >
  180. > (global-name "com.apple.distributed_notifications@1v3")
  181. > (global-name "com.apple.distributed_notifications@Uv3")
  182. 118a129
  183. > (literal "/Library/Preferences/com.apple.alf.plist")
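Review bot: Nothing in this hunk or in 126a138 says why the AirPlay helper needs `/Library/Preferences/com.apple.alf.plist` and the `com.apple.alf` preference domain, which by their name hold application firewall settings. The operations these filters are attached to lie outside both hunks, so it cannot be confirmed from here that the grant is read-only. Check that the enclosing rules are limited to `file-read*` and `user-preference-read`, and add a trailing comment on each line in the form `; <reason the helper reads firewall settings>`.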
  184. 126a138
  185. > (preference-domain "com.apple.alf")
  186. --
  187. com.apple.AnnotationKit.MigratorService.sb
  188. Files /System/Library/Sandbox/Profiles/com.apple.AnnotationKit.MigratorService.sb and com.apple.AnnotationKit.MigratorService.sb are identical
  189. --
  190. com.apple.AssetCacheLocatorService.sb
  191. 20,21d19
  192. < (allow file-read-metadata
  193. < (literal "/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache"))
  194. 28d25
  195. < (global-name "com.apple.AssetCacheC")
  196. --
  197. com.apple.AssetCacheManagerService.sb
  198. 0a1,18
  199. > (version 1)
  200. > (deny default)
  201. > (import "bsd.sb")
  202. > (import "com.apple.corefoundation.sb")
  203. > (corefoundation)
  204. > (allow file-read* file-write*
  205. > (literal "/Library/Preferences/com.apple.AssetCache.plist")
  206. > (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)")
  207. > (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)")
  208. > (regex #"/Library/Application Support/Apple/AssetCache$")
  209. > (regex #"/Library/Application Support/Apple/AssetCache/Data$")
  210. > (literal "/Library/Application Support/Apple/AssetCache/.activated"))
  211. > (allow file-write-create
  212. > (regex #"/Library$")
  213. > (regex #"/Library/Application Support$")
  214. > (regex #"/Library/Application Support/Apple$"))
  215. > (allow mach-lookup
  216. > (global-name "com.apple.AssetCache.builtin"))
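Review bot: Five of the `regex` filters in this new profile have no leading `^`, so they match on suffix alone. `#"/Library/Application Support/Apple/AssetCache$"` grants `file-read* file-write*` on any path ending that way, and `#"/Library$"` grants `file-write-create` for an entry named `Library` under any directory or volume. The `/var/folders` patterns in the same rule are anchored, so the difference looks unintentional or at least undocumented. If only the system location is meant, literals are tighter, e.g. `(literal "/Library/Application Support/Apple/AssetCache")`; if a per-user location is also intended, anchor each alternative explicitly and say so in a comment.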
  217. --
  218. com.apple.AssetCacheTetheratorService.sb
  219. 12c12,14
  220. < (literal "/Library/Preferences/com.apple.MobileDevice.plist")) ; for reading MobileDevice prefs
  221. ---
  222. > (literal "/Library/Preferences/com.apple.MobileDevice.plist") ; for reading MobileDevice prefs
  223. > (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
  224. > (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
  225. 24c26,27
  226. < (global-name "com.apple.wifi.sharekit")) ; for using Internet Sharing
  227. ---
  228. > (global-name "com.apple.wifi.sharekit") ; for using Internet Sharing
  229. > (global-name "com.apple.PowerManagement.control")) ; for power assertions
  230. --
  231. com.apple.AudioComponentRegistrar.sb
  232. 0a1,68
  233. > ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  234. > ;;;
  235. > ;;; WARNING: The sandbox rules in this file currently constitute
  236. > ;;; Apple System Private Interface and are subject to change at any time and
  237. > ;;; without notice.
  238. > ;;;
  239. > (version 1)
  240. >
  241. > (deny default)
  242. > (deny file-map-executable iokit-get-properties process-info* nvram*)
  243. > (deny dynamic-code-generation)
  244. >
  245. > (import "system.sb")
  246. > (import "com.apple.corefoundation.sb")
  247. > (corefoundation)
  248. >
  249. > ;;; Homedir-relative path filters
  250. > (define (home-regex home-relative-regex)
  251. > (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
  252. >
  253. > (define (home-subpath home-relative-subpath)
  254. > (subpath (string-append (param "HOME") home-relative-subpath)))
  255. >
  256. > (define (home-prefix home-relative-prefix)
  257. > (prefix (string-append (param "HOME") home-relative-prefix)))
  258. >
  259. > (define (home-literal home-relative-literal)
  260. > (literal (string-append (param "HOME") home-relative-literal)))
  261. >
  262. >
  263. > (allow process-info* (target self))
  264. >
  265. > ;; For resolving symlinks, realpath(3), and equivalents.
  266. > (allow file-read-metadata)
  267. >
  268. > ;; For validating the entitlements of clients.
  269. > (allow process-info-codesignature)
  270. >
  271. > ;; preference domains.
  272. > (allow user-preference-read user-preference-write
  273. > (preference-domain "com.apple.coreaudio")
  274. > (preference-domain "com.apple.audio.ComponentRegistrationOverrides")
  275. > (preference-domain "com.apple.audio.UserComponentTags")
  276. > (preference-domain "com.apple.audio.ComponentTagHelper")
  277. > )
  278. >
  279. > ;; Read/write access to a temporary directory.
  280. > (allow file-read* file-write*
  281. > (subpath (param "TMPDIR"))
  282. > (subpath (param "DARWIN_CACHE_DIR")))
  283. >
  284. > ;; Above is from the template.
  285. > ;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")
  286. >
  287. > (allow file-map-executable
  288. > (subpath "/System/Library/PrivateFrameworks")
  289. > )
  290. >
  291. > (allow mach-lookup
  292. > (global-name "com.apple.pluginkit.pkd")
  293. > (global-name "com.apple.FSEvents")
  294. > (global-name "com.apple.DiskArbitration.diskarbitrationd")
  295. > )
  296. >
  297. > (allow file-read*
  298. > (subpath "/Library/Audio/Plug-Ins/Components")
  299. > (home-subpath "/Library/Audio/Plug-Ins/Components")
  300. > )
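Review bot: `home-regex`, `home-prefix` and `home-literal` are defined but never called in this profile; only `home-subpath` is used, in the final `file-read*` rule. Dropping the unused helpers keeps the set of reachable rules easy to audit. Separately, `(param "HOME")`, `(param "TMPDIR")` and `(param "DARWIN_CACHE_DIR")` are used without a presence check. A comment stating that the launcher always supplies them, or a guard of the form `(if (param "TMPDIR") ...)`, would make the behaviour with a missing parameter explicit.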
  301. --
  302. com.apple.CMValidateMovieDataReferenceService.sb
  303. Files /System/Library/Sandbox/Profiles/com.apple.CMValidateMovieDataReferenceService.sb and com.apple.CMValidateMovieDataReferenceService.sb are identical
  304. --
  305. com.apple.CodeSigningHelper.sb
  306. Files /System/Library/Sandbox/Profiles/com.apple.CodeSigningHelper.sb and com.apple.CodeSigningHelper.sb are identical
  307. --
  308. com.apple.CommerceKit.TransactionService.sb
  309. 94a95,96
  310. > (global-name "com.apple.adid")
  311. > (global-name "com.apple.fpsd")
  312. --
  313. com.apple.CryptoTokenKit.ctkahp.sb
  314. 0a1,69
  315. > ;;;
  316. > ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle
  317. > ;;;
  318. > ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  319. > ;;;
  320. > ;;; WARNING: The sandbox rules in this file currently constitute
  321. > ;;; Apple System Private Interface and are subject to change at any time and
  322. > ;;; without notice. The contents of this file are also auto-generated and
  323. > ;;; not user editable; it may be overwritten at any time.
  324. >
  325. > (version 1)
  326. >
  327. > (deny default)
  328. >
  329. > (import "system.sb")
  330. >
  331. > (allow file-read*
  332. > (literal "/private/etc/SmartcardLogin.plist")
  333. > (literal "/private/etc/cacloginconfig.plist")
  334. > (subpath (param "DARWIN_USER_TEMP_DIR"))
  335. > (subpath (param "DARWIN_USER_CACHE_DIR"))
  336. > (subpath "/private/var/db/mds")
  337. > (subpath "/private/var/db/"))
  338. >
  339. > (allow file-read-data
  340. > (literal "/")
  341. > (literal "/Library/Preferences/com.apple.security.plist"))
  342. >
  343. > (allow file-write*
  344. > (subpath (param "DARWIN_USER_CACHE_DIR"))
  345. > (subpath "/private/var/db/mds/system/"))
  346. >
  347. > (allow file-read-metadata)
  348. >
  349. > (allow process-fork)
  350. >
  351. > (allow process-exec
  352. > (literal "/System/Library/Frameworks/CryptoTokenKit.framework/UserSelector")
  353. > (subpath "/Library/CryptoTokenKit"))
  354. >
  355. > (allow mach-lookup
  356. > (global-name "com.apple.distributed_notifications@1v3")
  357. > (global-name "com.apple.distributed_notifications@Uv3")
  358. > (global-name "com.apple.ctkd.token-client")
  359. > (global-name "com.apple.ctkd.watcher-client")
  360. > (global-name "com.apple.SecurityServer")
  361. > (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider")
  362. > (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
  363. > (global-name "com.apple.system.opendirectoryd.api")
  364. > (global-name "com.apple.CoreServices.coreservicesd")
  365. > (global-name "com.apple.CoreAuthentication.agent.libxpc")
  366. > (global-name "com.apple.CoreAuthentication.agent")
  367. > (global-name "com.apple.ocspd"))
  368. >
  369. > (allow user-preference-read
  370. > (preference-domain "kCFPreferencesAnyApplication"))
  371. >
  372. > (allow user-preference-read user-preference-write
  373. > (preference-domain "com.apple.security")
  374. > (preference-domain "com.apple.security.smartcard"))
  375. >
  376. > (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  377. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  378. >
  379. > (allow authorization-right-obtain
  380. > (right-name "com.apple.ctk.pair"))
  381. >
  382. > (allow iokit-open
  383. > (iokit-user-client-class "AppleKeyStoreUserClient"))
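Review bot: In the first `file-read*` rule, `(subpath "/private/var/db/")` covers everything `(subpath "/private/var/db/mds")` does and appears to widen read access to the whole `/private/var/db` tree, far more than the mds databases the neighbouring entries point at. If only mds is needed, drop the broader line; if more is needed, list the specific subdirectories and add a comment naming what reads them. Also worth documenting: `process-fork` is unfiltered and `process-exec` allows anything under `(subpath "/Library/CryptoTokenKit")`. The permissions on that directory therefore become part of what this sandbox guarantees.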
  384. --
  385. com.apple.DumpGPURestart.sb
  386. Files /System/Library/Sandbox/Profiles/com.apple.DumpGPURestart.sb and com.apple.DumpGPURestart.sb are identical
  387. --
  388. com.apple.IOAccelMemoryInfoCollector.sb
  389. Files /System/Library/Sandbox/Profiles/com.apple.IOAccelMemoryInfoCollector.sb and com.apple.IOAccelMemoryInfoCollector.sb are identical
  390. --
  391. com.apple.ModernizerXPC.sb
  392. 0a1,230
  393. > ;;;;;; Sandbox Profile for ModernizerXPC derived from QTKitServer
  394. > ;;;;;;
  395. > ;;;;;; Copyright (c) 2011-2017 Apple Inc. All Rights reserved.
  396. > ;;;;;;
  397. > ;;;;;; WARNING: The sandbox rules in this file currently constitute
  398. > ;;;;;; Apple System Private Interface and are subject to change at any time and
  399. > ;;;;;; without notice. The contents of this file are also auto-generated and
  400. > ;;;;;; not user editable; it may be overwritten at any time.
  401. >
  402. > (version 1)
  403. > (deny default)
  404. >
  405. > (import "system.sb")
  406. > (import "com.apple.corefoundation.sb")
  407. >
  408. > (define (home-regex home-relative-regex)
  409. > (regex (string-append "^" (regex-quote (param "DARWIN_QTKITSERVER_HOME_DIR")) home-relative-regex)))
  410. > (define regex-home home-regex)
  411. >
  412. > (define (home-subpath home-relative-subpath)
  413. > (subpath (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-subpath)))
  414. >
  415. > (define (home-literal home-relative-literal)
  416. > (literal (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-literal)))
  417. >
  418. > (allow file-read-metadata system-audit)
  419. >
  420. > ;;; initialize CF sandbox actions
  421. > (corefoundation)
  422. >
  423. > (define (apply-read-and-issue-extension op path-filter)
  424. > (op file-read* path-filter)
  425. > (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
  426. >
  427. > (define (apply-write-and-issue-extension op path-filter)
  428. > (op file-write* path-filter)
  429. > (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
  430. >
  431. > (define (read-only-and-issue-extensions path-filter)
  432. > (apply-read-and-issue-extension allow path-filter))
  433. >
  434. > (define (read-write-and-issue-extensions path-filter)
  435. > (apply-read-and-issue-extension allow path-filter)
  436. > (apply-write-and-issue-extension allow path-filter))
  437. >
  438. > ;;; allow reading files for which we have a read-only app-sandbox extension
  439. > (allow file-read* (extension "com.apple.app-sandbox.read"))
  440. >
  441. > ;;; allow writing of files for which we have an extension
  442. > (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  443. >
  444. > ;;; allow issuing of extensions for paths we have an extension to
  445. > (allow file-issue-extension
  446. > (require-all
  447. > (extension-class "com.apple.app-sandbox.read")
  448. > (require-any
  449. > (extension "com.apple.app-sandbox.read")
  450. > (extension "com.apple.app-sandbox.read-write"))))
  451. >
  452. > (allow file-issue-extension
  453. > (require-all
  454. > (extension-class "com.apple.app-sandbox.read-write")
  455. > (extension "com.apple.app-sandbox.read-write")))
  456. >
  457. > (allow file-read*
  458. > (subpath "/Library/Audio/Plug-Ins")
  459. > (subpath "/Library/Audio/Sounds/Banks")
  460. > (subpath "/Library/Frameworks")
  461. > (subpath "/Library/Fonts")
  462. > (subpath "/Library/Application Support/ProApps")
  463. > (subpath "/Library/Preferences")
  464. > (subpath "/Library/QuickTime")
  465. > (subpath "/Library/Filesystems/NetFSPlugins"))
  466. >
  467. > (allow file-read-data
  468. > (subpath "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  469. > (subpath "/Users/Shared/SC Info")
  470. > (subpath "/private/var")
  471. > (subpath "/private/etc"))
  472. >
  473. > ;;; allow reading and issuing extensions to iTunes so it can opened
  474. > ;;; <rdar://problem/13568149>
  475. > (read-only-and-issue-extensions
  476. > (subpath "/Applications/iTunes.app"))
  477. >
  478. > (allow file-read-xattr
  479. > (subpath "/Applications/iTunes.app"))
  480. >
  481. > (allow file-read* file-write* (subpath "/Library/Caches"))
  482. >
  483. > (if (param "DARWIN_QTKITSERVER_HOME_DIR")
  484. > (begin
  485. > (allow file-read*
  486. > (home-subpath "/.CFUserTextEncoding")
  487. > (home-subpath "/Library/Audio/Plug-Ins/Components")
  488. > (home-subpath "/Library/Audio/Plug-Ins")
  489. > (home-subpath "/Library/QuickTime")
  490. > (home-subpath "/Library/Input Methods")
  491. > (home-subpath "/Library/Keyboard Layouts")
  492. > (home-subpath "/Library/Components"))
  493. > (allow file-read* file-write*
  494. > (home-subpath "/Library/Caches/QuickTime"))
  495. > (deny file-read* file-write*
  496. > (home-literal "/Library/Caches/com.nvidia.OpenGL") (with no-report))
  497. > ;; we have to allow 3rd party components to read and write their own prefs,-
  498. > ;; but we don't know their names.
  499. > ;; so allow r/w access to all of ~/Library/Prefs but deny access to prefs beginning with com.apple
  500. > (allow file-write* file-read*
  501. > (home-subpath "/Library/Preferences"))
  502. > (deny file-read* file-write* (with no-report)
  503. > (home-regex #"/Library/Preferences/com\.apple\..*")
  504. > (home-regex #"/Library/Preferences/\.GlobalPreferences\.plist")
  505. > (home-regex #"/Library/Preferences/pbs\.plist")
  506. > (home-regex #"/Library/Preferences/loginwindow\.plist")
  507. > (home-regex #"/Library/Preferences/ByHost/com\.apple\..*"))
  508. > (allow file-read*
  509. > (home-literal "/Library/Preferences/QuickTime Preferences"))))
  510. >
  511. > (if (param "DARWIN_QTKITSERVER_CACHE_DIR")
  512. > (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_CACHE_DIR"))))
  513. >
  514. > (if (param "DARWIN_QTKITSERVER_TEMP_DIR")
  515. > (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_TEMP_DIR"))))
  516. >
  517. > (system-graphics)
  518. >
  519. > (allow iokit-open
  520. > (iokit-user-client-class "IOAudioControlUserClient")
  521. > (iokit-user-client-class "IOAudioEngineUserClient")
  522. > (iokit-user-client-class "IOHIDParamUserClient"))
  523. >
  524. > ;; CoreVideo CVCGDisplayLink
  525. > (allow iokit-open
  526. > (iokit-user-client-class "IOFramebufferSharedUserClient"))
  527. >
  528. > ;; H.264 Acceleration; <rdar://problem/10348815>
  529. > (allow iokit-open
  530. > (iokit-user-client-class "AppleSNBFBUserClient"))
  531. >
  532. > ;; QuartzCore; <rdar://problem/9065114>
  533. > (allow iokit-open
  534. > (iokit-user-client-class "AppleGraphicsControlClient")
  535. > (iokit-user-client-class "AGPMClient"))
  536. >
  537. > (allow iokit-open
  538. > (iokit-user-client-class "AppleUpstreamUserClient")
  539. > (iokit-user-client-class "AudioAUUC"))
  540. >
  541. > ;; BlackMagic; <rdar://problem/11899349>
  542. > (allow iokit-open
  543. > (iokit-user-client-class "com_blackmagic_design_iokit_DaisyCutterUserClient"))
  544. >
  545. > (allow ipc-posix-shm
  546. > (ipc-posix-name-regex #"^AudioIO")
  547. > (ipc-posix-name-regex #"^ls\.")
  548. > (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
  549. > (ipc-posix-name "FNetwork.defaultStorageSession")
  550. > (ipc-posix-name "apple.shm.notification_center"))
  551. >
  552. > ;; ColorSync Profiles (<rdar://problem/13775802>)
  553. > (allow ipc-posix-shm*
  554. > (ipc-posix-name "com.apple.ColorSync.Gen.lock")
  555. > (ipc-posix-name "com.apple.ColorSync.Disp.lock")
  556. > (ipc-posix-name "com.apple.ColorSync.Gray2.2")
  557. > (ipc-posix-name "com.apple.ColorSync.sRGB")
  558. > (ipc-posix-name "com.apple.ColorSync.GenGray")
  559. > (ipc-posix-name "com.apple.ColorSync.GenRGB")
  560. > (ipc-posix-name-regex #"^com\.apple\.cs\."))
  561. > (allow file-read*
  562. > (subpath "/Library/ColorSync/Profiles")
  563. > (home-subpath "/Library/ColorSync"))
  564. >
  565. > (allow mach-lookup
  566. > (global-name "com.apple.coreservices.launchservicesd")
  567. > (global-name "com.apple.ls.boxd")
  568. > (global-name "com.apple.lsd.mapdb")
  569. > (global-name "com.apple.lsd.modifydb")
  570. > (global-name "com.apple.metadata.mds")
  571. > (global-name "com.apple.cookied")
  572. > (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  573. > (global-name "com.apple.cfnetwork.cfnetworkagent")
  574. > (global-name "com.apple.SystemConfiguration.configd")
  575. > (global-name "com.apple.CoreServices.coreservicesd")
  576. > (global-name "com.apple.coreservices.appleevents")
  577. > (global-name "com.apple.FontObjectsServer")
  578. > (global-name "com.apple.FontServer")
  579. > (global-name "com.apple.PowerManagement.control")
  580. > (global-name "com.apple.audio.audiohald")
  581. > (global-name "com.apple.audio.coreaudiod")
  582. > (global-name "com.apple.audio.AudioComponentRegistrar")
  583. > (global-name "com.apple.dock.server")
  584. > (global-name "com.apple.pasteboard.1")
  585. > (global-name "com.apple.pbs.fetch_services")
  586. > (global-name "com.apple.printtool.agent")
  587. > (global-name "com.apple.tsm.uiserver")
  588. > (global-name "com.apple.UNCUserNotification")
  589. > (global-name "com.apple.windowserver.active")
  590. > (global-name "com.apple.DiskArbitration.diskarbitrationd")
  591. > (global-name "com.apple.window_proxies"))
  592. >
  593. > ;; Security framework
  594. > (allow mach-lookup
  595. > (global-name "com.apple.SecurityServer")
  596. > (global-name "com.apple.securityd.xpc")
  597. > (global-name "com.apple.ocspd"))
  598. > (if (param "DARWIN_QTKITSERVER_HOME_DIR")
  599. > (begin
  600. > (allow file-read* file-write* (home-subpath "/Library/Keychains"))))
  601. > (allow file-read*
  602. > (subpath "/private/var/db/mds")
  603. > (literal "/private/var/db/DetachedSignatures"))
  604. > (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  605. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  606. >
  607. > (allow appleevent-send
  608. > (appleevent-destination "com.apple.iTunes"))
  609. >
  610. > (allow system-socket
  611. > (socket-domain AF_ROUTE))
  612. >
  613. > (allow system-socket
  614. > (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
  615. >
  616. > (allow system-audit)
  617. > (allow system-fsctl
  618. > (fsctl-command (_IO "h" 24)) ;; HFS_VOLUME_STATUS
  619. > (fsctl-command (_IO "z" 12)) ;; afpfsGetMountInfoFSCTL
  620. > (fsctl-command (_IO "z" 19)) ;; smbfsUniqueShareIDFSCTL
  621. > (fsctl-command (_IO "z" 23))) ;; afpfsByteRangeLock2FSCTL
  622. >
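Review bot: The Security framework section grants `file-read* file-write*` on `(home-subpath "/Library/Keychains")`, which looks inherited from the QTKitServer profile the header says this one derives from. Write access to the user's keychain directory should either be removed or carry a comment with the justification. The same applies to `(allow file-read-data (subpath "/private/var") (subpath "/private/etc"))`, which is much broader than the `/private/var/db/mds` read granted further down. Smaller cleanups: `system-audit` is allowed twice (once alongside `file-read-metadata`, once on its own), `(home-subpath "/Library/Audio/Plug-Ins/Components")` is subsumed by the `/Library/Audio/Plug-Ins` entry that follows it, and `(with no-report)` is placed after the filter in one deny and before the filters in the next.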
  623. --
  624. com.apple.PIPAgent.sb
  625. Files /System/Library/Sandbox/Profiles/com.apple.PIPAgent.sb and com.apple.PIPAgent.sb are identical
  626. --
  627. com.apple.ReportGPURestart.sb
  628. Files /System/Library/Sandbox/Profiles/com.apple.ReportGPURestart.sb and com.apple.ReportGPURestart.sb are identical
  629. --
  630. com.apple.ReportPanicService.sb
  631. 12,19d11
  632. < ;;; <rdar://problem/13449326>
  633. < (let allow-paths ((i 0))
  634. < (let ((path (param (string-append "HOME_" (number->string i)))))
  635. < (if path
  636. < (begin
  637. < (allow file-read* file-write-unlink (subpath path))
  638. < (allow-paths (+ i 1))))))
  639. <
  640. --
  641. com.apple.SpeechRecognitionCore.brokerd.sb
  642. Files /System/Library/Sandbox/Profiles/com.apple.SpeechRecognitionCore.brokerd.sb and com.apple.SpeechRecognitionCore.brokerd.sb are identical
  643. --
  644. com.apple.SpeechRecognitionCore.speechrecognitiond.sb
  645. 64c64,65
  646. < (global-name "com.apple.distributed_notifications@Uv3"))
  647. ---
  648. > (global-name "com.apple.distributed_notifications@Uv3")
  649. > (global-name "com.apple.audio.AudioComponentRegistrar"))
  650. --
  651. com.apple.XprotectFramework.AnalysisService.sb
  652. 45c45,46
  653. < (global-name "com.apple.CoreServices.coreservicesd"))
  654. ---
  655. > (global-name "com.apple.CoreServices.coreservicesd")
  656. > (global-name "com.apple.dz.dznd"))
  657. --
  658. com.apple.assistantd.sb
  659. 23a24,27
  660. > (allow process-fork)
  661. >
  662. > (allow process-exec (literal "/usr/bin/bsdtar"))
  663. >
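Review bot: No comment explains why assistantd now needs `process-fork` and `process-exec` of `/usr/bin/bsdtar`, and `process-fork` carries no filter. Archive extraction is a common source of path traversal and symlink problems, so the profile is the backstop here. The rules in 32c36,37 confine writes to `_TEMPDIR` and `_CACHEDIR` only if no rule outside these hunks grants a wider `file-write*`, which should be checked against the full file. Once confirmed, add a comment above the exec rule in the form `;; bsdtar unpacks <asset type> into _TEMPDIR` so the reason for the new process rights is recorded.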
  664. 32c36,37
  665. < (allow file* (subpath (param "_CACHEDIR")))
  666. ---
  667. > (allow file-read* file-write* (subpath (param "_TEMPDIR")))
  668. > (allow file-read* file-write* (subpath (param "_CACHEDIR")))
  669. 121a127
  670. > (global-name "com.apple.BluetoothDOServer")
  671. 138a145
  672. > (global-name "com.apple.audio.AudioComponentRegistrar")
  673. 177c184,192
  674. < (global-name "com.apple.networkserviceproxy"))
  675. ---
  676. > (global-name "com.apple.networkserviceproxy")
  677. > (global-name "com.apple.cloudd")
  678. > (global-name "com.apple.apsd")
  679. > (global-name "com.apple.analyticsd")
  680. > (global-name "com.apple.symptom_analytics")
  681. > (global-name "com.apple.symptom_diagnostics")
  682. > (global-name "com.apple.siri.invoke")
  683. > (global-name "com.apple.remoted")
  684. > (global-name "com.apple.PowerManagement.control"))
  685. --
  686. com.apple.audio.coreaudiod.sb
  687. 31a32,33
  688. > (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  689. > (literal "/private/var/db/timezone")
  690. 33,39d34
  691. < (literal "/Library/Keychains/System.keychain")
  692. < (literal "/private/var/db/mds/messages/se_SecurityMessages")
  693. < (literal "/private/var/db/mds/system/mdsDirectory.db")
  694. < (literal "/private/var/db/mds/system/mdsObject.db")
  695. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  696. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  697. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  698. 58a54
  699. > (literal "/usr")
  700. 61,63c57
  701. < (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  702. < (literal "/private/var/db/disableAppleInternal")
  703. <
  704. ---
  705. > (literal "/private/var/db/disableAppleInternal")
  706. 65,73c59,60
  707. < (literal "/Library/Keychains")
  708. < (literal "/private")
  709. < (literal "/private/var")
  710. < (literal "/private/var/folders")
  711. < (regex "^/private/var/folders/[^/]+")
  712. < (regex "^/private/var/folders/[^/]+/[^/]+")
  713. < (literal "/private/var/run/systemkeychaincheck.done")
  714. < (regex "^/private/var/folders/[^/]+/[^/]+/C$")
  715. < (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
  716. ---
  717. > (literal "/Library/Audio")
  718. > (literal "/Library/Audio/Plug-Ins")
  719. 79,91d65
  720. <
  721. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  722. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db_$")
  723. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  724. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db_$")
  725. < (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
  726. < (regex #"^/private/var/db/mds/[0-9]+(/|$)")
  727. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
  728. < (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")
  729. < )
  730. <
  731. < (allow file-write-data
  732. < (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  733. 108,109c82,83
  734. < (global-name "com.apple.SecurityServer")
  735. < (global-name "com.apple.ocspd")
  736. ---
  737. > (global-name "com.apple.audio.AudioComponentRegistrar")
  738. > (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
  739. --
  740. com.apple.audio.systemsoundserverd.sb
  741. 15c15,16
  742. < (subpath "/usr/share"))
  743. ---
  744. > (subpath "/usr/share")
  745. > (subpath "/private/var/db/timezone"))
  746. 39a41
  747. > (global-name "com.apple.audio.AudioComponentRegistrar")
  748. --
  749. com.apple.authd.sb
  750. 17a18,19
  751. > (global-name "com.apple.CoreAuthentication.agent.libxpc")
  752. > (global-name "com.apple.CoreAuthentication.daemon.libxpc")
  753. --
  754. com.apple.avconferenced.sb
  755. 38a39
  756. > (subpath "/private/tmp/vp/inject")
  757. 50c51,52
  758. < (subpath "/private/tmp/vp")
  759. ---
  760. > (subpath "/private/tmp/AudioCapture")
  761. > (subpath "/private/tmp/AudioCapture/VP")
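Review bot: The second added filter is redundant, because `(subpath "/private/tmp/AudioCapture")` already matches that directory and everything beneath it, including `/private/tmp/AudioCapture/VP`. The enclosing `(allow …)` form starts outside this hunk, so the operation being granted is not visible here. If it includes writes, note that both names sit in the shared `/private/tmp`, where any local process can create the directory first; a per-daemon temporary directory would be a safer location. I would drop the `/VP` line and add a one-line comment above the remaining filter saying which component creates the directory.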
  762. 56c58
  763. < (extension-class "com.apple.app-sandbox.read-write")
  764. ---
  765. > (extension-class "com.apple.rtcreporting.upload")
  766. 101c103,106
  767. < (global-name "com.apple.WirelessCoexManager"))
  768. ---
  769. > (global-name "com.apple.WirelessCoexManager")
  770. > (global-name "com.apple.audio.AudioComponentRegistrar")
  771. > (global-name "com.apple.distributed_notifications@1v3")
  772. > (global-name "com.apple.distributed_notifications@Uv3"))
  773. --
  774. com.apple.captiveagent.sb
  775. Files /System/Library/Sandbox/Profiles/com.apple.captiveagent.sb and com.apple.captiveagent.sb are identical
  776. --
  777. com.apple.cf.appsleepd.sb
  778. Files /System/Library/Sandbox/Profiles/com.apple.cf.appsleepd.sb and com.apple.cf.appsleepd.sb are identical
  779. --
  780. com.apple.cmio.AVCAssistant.sb
  781. 0a1,57
  782. > ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  783. > ;;
  784. > ;; WARNING: The sandbox rules in this file currently constitute
  785. > ;; Apple System Private Interface and are subject to change at any time and
  786. > ;; without notice.
  787. > ;;
  788. >
  789. > (version 1)
  790. > (deny default)
  791. >
  792. > (import "system.sb")
  793. >
  794. > (import "com.apple.corefoundation.sb")
  795. >
  796. > ;;; initialize CF sandbox actions
  797. > (corefoundation)
  798. >
  799. > ;; For resolving symlinks, realpath(3), and equivalents.
  800. > (allow file-read-metadata)
  801. >
  802. > (allow process-info* (target self))
  803. >
  804. > (allow mach-lookup
  805. > (global-name "com.apple.CoreServices.coreservicesd")
  806. > (global-name "com.apple.coreservices.launchservicesd")
  807. > (global-name "com.apple.windowserver.active")
  808. > (global-name "com.apple.analyticsd")
  809. > )
  810. >
  811. > (allow file-map-executable
  812. > (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  813. > (subpath "/System/Library/Extensions")
  814. > )
  815. >
  816. > ;; Preferences
  817. > (allow file-read*
  818. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  819. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  820. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  821. > (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  822. > )
  823. >
  824. > ;; Preference domain.
  825. > (allow user-preference-read
  826. > (preference-domain "com.apple.cmio")
  827. > (preference-domain "com.apple.coremedia")
  828. > )
  829. >
  830. > ;; Camera
  831. > (allow device-camera)
  832. > (allow iokit-open
  833. > (iokit-user-client-class "IOFireWireAVCUserClient")
  834. > (iokit-user-client-class "IOFireWireUserClient")
  835. > )
  836. >
  837. > ;;(allow iokit-get-properties)
  838. >
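Review bot: The profile ends with a disabled rule, `;;(allow iokit-get-properties)`, and nothing says whether it was dropped on purpose or is still pending. The IIDCVideoAssistant profile in this diff carries the same line, while the VDCAssistant and iOSScreenCaptureAssistant profiles enable the rule with no filter. Either delete the line or replace it with a statement of intent, for example `;; iokit-get-properties is not granted; add specific (iokit-property ...) filters if a property read is needed`.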
  839. --
  840. com.apple.cmio.IIDCVideoAssistant.sb
  841. 0a1,61
  842. > ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  843. > ;;
  844. > ;; WARNING: The sandbox rules in this file currently constitute
  845. > ;; Apple System Private Interface and are subject to change at any time and
  846. > ;; without notice.
  847. > ;;
  848. >
  849. > (version 1)
  850. > (deny default)
  851. >
  852. > (import "system.sb")
  853. >
  854. > (import "com.apple.corefoundation.sb")
  855. >
  856. > ;;; initialize CF sandbox actions
  857. > (corefoundation)
  858. >
  859. > ;; For resolving symlinks, realpath(3), and equivalents.
  860. > (allow file-read-metadata)
  861. >
  862. > (allow process-info* (target self))
  863. >
  864. > (allow mach-lookup
  865. > (global-name "com.apple.CoreServices.coreservicesd")
  866. > (global-name "com.apple.coreservices.launchservicesd")
  867. > (global-name "com.apple.windowserver.active")
  868. > (global-name "com.apple.analyticsd")
  869. > )
  870. >
  871. > (allow file-map-executable
  872. > (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  873. > (subpath "/System/Library/Extensions")
  874. > )
  875. >
  876. > ;; Preferences
  877. > (allow file-read*
  878. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  879. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  880. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  881. > (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  882. > )
  883. >
  884. > ;; Preference domain.
  885. > (allow user-preference-read
  886. > (preference-domain "com.apple.cmio")
  887. > (preference-domain "com.apple.coremedia")
  888. > )
  889. >
  890. > ;; Camera
  891. > (allow iokit-open
  892. > (iokit-user-client-class "IOFireWireUserClient")
  893. > (iokit-user-client-class "RootDomainUserClient")
  894. > )
  895. >
  896. > (allow iokit-open
  897. > (iokit-registry-entry-class "RootDomainUserClient")
  898. > )
  899. >
  900. > ;;(allow iokit-get-properties)
  901. >
  902. >
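Review bot: The `;; Camera` section grants only `iokit-open` and has no `(allow device-camera)`, unlike the AVCAssistant and VDCAssistant profiles in this diff; that may be intentional, but nothing in the file says so. `RootDomainUserClient` is also allowed twice, once under `iokit-user-client-class` and once in a separate rule under `iokit-registry-entry-class`. If only one of the two filters is needed, the other should be removed. A comment such as `;; FireWire IIDC cameras only; device-camera not required` would record the intent, assuming that is in fact the reason.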
  903. --
  904. com.apple.cmio.VDCAssistant.sb
  905. 0a1,74
  906. > ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  907. > ;;
  908. > ;; WARNING: The sandbox rules in this file currently constitute
  909. > ;; Apple System Private Interface and are subject to change at any time and
  910. > ;; without notice.
  911. > ;;
  912. >
  913. > (version 1)
  914. > (deny default)
  915. >
  916. > (import "system.sb")
  917. > (system-graphics)
  918. >
  919. > (import "com.apple.corefoundation.sb")
  920. >
  921. > ;;; initialize CF sandbox actions
  922. > (corefoundation)
  923. >
  924. > ;; For resolving symlinks, realpath(3), and equivalents.
  925. > (allow file-read-metadata)
  926. >
  927. > (allow process-info* (target self))
  928. >
  929. > ;; For validating the entitlements of clients.
  930. > (allow process-info-codesignature)
  931. >
  932. > (allow mach-lookup
  933. > (global-name "com.apple.CoreServices.coreservicesd")
  934. > (global-name "com.apple.coreservices.launchservicesd")
  935. > (global-name "com.apple.windowserver.active")
  936. > (global-name "com.apple.analyticsd")
  937. > (subpath "/Library/Video/Plug-Ins")
  938. > )
  939. >
  940. > (allow file-map-executable
  941. > (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  942. > (subpath "/System/Library/Extensions")
  943. > (subpath "/Library/Video/Plug-Ins")
  944. > )
  945. >
  946. > ;; Preferences
  947. > (allow file-read*
  948. > (subpath "/Library/Video/Plug-Ins")
  949. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  950. > (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  951. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  952. > (regex #"^/private/var/db/cmiodalassistant/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  953. > )
  954. >
  955. > ;; Preference domain.
  956. > (allow user-preference-read
  957. > (preference-domain "com.apple.cmio")
  958. > (preference-domain "com.apple.coremedia")
  959. > )
  960. >
  961. > ;; Camera
  962. > (allow device-camera)
  963. > (allow iokit-open
  964. > (iokit-user-client-class "IOUSBDeviceUserClientV2")
  965. > (iokit-user-client-class "IOUSBInterfaceUserClientV3")
  966. > (iokit-user-client-class "RootDomainUserClient")
  967. > )
  968. >
  969. > (allow iokit-open
  970. > (iokit-registry-entry-class "IGAccelDevice")
  971. > (iokit-registry-entry-class "IGAccelSharedUserClient")
  972. > (iokit-registry-entry-class "IGAccelVideoContextMain")
  973. > (iokit-registry-entry-class "IGAccelVideoContextMedia")
  974. > (iokit-registry-entry-class "IGAccelVideoContextVEBox")
  975. > (iokit-registry-entry-class "RootDomainUserClient")
  976. > )
  977. >
  978. > (allow iokit-get-properties)
  979. >
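Review bot: The ByHost regex in the `;; Preferences` block spells the directory `cmiodalassistant`, while the two literals directly above it use `/private/var/db/cmiodalassistants/…`, so the regex presumably never matches the real ByHost file. It should read `(regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")`, as in the AVCAssistant and IIDCVideoAssistant profiles in this diff. Separately, `(subpath "/Library/Video/Plug-Ins")` sits inside the `(allow mach-lookup …)` list, where a path filter has no service name to match and looks misplaced. The profile also maps executables from `/Library/Video/Plug-Ins` and grants `(allow iokit-get-properties)` unfiltered in a process that holds `device-camera`; a comment naming the plug-ins and properties that need this would make the grant reviewable.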
  980. --
  981. com.apple.cmio.iOSScreenCaptureAssistant.sb
  982. 0a1,161
  983. > ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  984. > ;;
  985. > ;; WARNING: The sandbox rules in this file currently constitute
  986. > ;; Apple System Private Interface and are subject to change at any time and
  987. > ;; without notice.
  988. > ;;
  989. >
  990. > (version 1)
  991. > (deny default)
  992. >
  993. > (import "system.sb")
  994. > (system-graphics)
  995. >
  996. > (import "com.apple.corefoundation.sb")
  997. >
  998. > ;;; initialize CF sandbox actions
  999. > (corefoundation)
  1000. >
  1001. > (system-network)
  1002. > (allow network-outbound
  1003. > (literal "/private/var/run/usbmuxd")
  1004. > (literal "/private/var/run/mDNSResponder")
  1005. > (control-name "com.apple.network.statistics")
  1006. > (control-name "com.apple.netsrc")
  1007. > (remote ip)
  1008. > )
  1009. >
  1010. > (allow network-inbound )
  1011. > (allow network-bind (remote ip))
  1012. >
  1013. > ;; For resolving symlinks, realpath(3), and equivalents.
  1014. > (allow file-read-metadata)
  1015. >
  1016. > (allow nvram-get (nvram-variable "BSD Name"))
  1017. > (allow process-info* (target self))
  1018. >
  1019. > ;; For validating the entitlements of clients.
  1020. > (allow process-info-codesignature)
  1021. >
  1022. > (allow file-read*
  1023. > (subpath "/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources")
  1024. > (subpath "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources")
  1025. > (subpath "/private/var/db/mds")
  1026. > (subpath "/Library/Audio/Plug-Ins/HAL")
  1027. > )
  1028. >
  1029. > (allow file-write*
  1030. > (literal "/private/var/db/mds/system/mds.lock")
  1031. > (subpath "/private/tmp")
  1032. > )
  1033. >
  1034. > ;; From com.apple.AirPlayXPCHelper
  1035. > (allow iokit-open
  1036. > (iokit-user-client-class "IOAudioControlUserClient")
  1037. > (iokit-user-client-class "IOAudioEngineUserClient")
  1038. > (iokit-user-client-class "IOAudio2DeviceUserClient")
  1039. > (iokit-user-client-class "RootDomainUserClient")
  1040. > (iokit-user-client-class "IOReportUserClient")
  1041. > (iokit-user-client-class "IOBluetoothHCIUserClient")
  1042. > (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  1043. > (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  1044. > (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  1045. > (iokit-user-client-class "IOBluetoothDeviceUserClient")
  1046. > )
  1047. >
  1048. > ;; From com.apple.AirPlayXPCHelper
  1049. > (allow mach-lookup
  1050. > (global-name "com.apple.SecurityServer")
  1051. > (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  1052. > (global-name "com.apple.SystemConfiguration.configd")
  1053. > (global-name "com.apple.metadata.mds")
  1054. > (global-name "com.apple.ocspd")
  1055. > (global-name "com.apple.pluginkit.pkd")
  1056. > (global-name "com.apple.spindump")
  1057. > (global-name "com.apple.PairingManager")
  1058. >
  1059. > (global-name "com.apple.audio.audiohald")
  1060. > (global-name "com.apple.audio.AudioComponentRegistrar")
  1061. > (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
  1062. >
  1063. > (global-name "com.apple.wirelessproxd")
  1064. > (global-name "com.apple.windowserver.active")
  1065. >
  1066. > (global-name "com.apple.AirPlayXPCHelper")
  1067. > (global-name "com.apple.coremedia.endpoint.xpc")
  1068. > (global-name "com.apple.coremedia.endpointstream.xpc")
  1069. > (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
  1070. > (global-name "com.apple.coremedia.endpointpicker.xpc")
  1071. > (global-name "com.apple.coremedia.endpointmanager.xpc")
  1072. > (global-name "com.apple.AirPlayAgent.xpc")
  1073. > (global-name "com.apple.AirPlayUIAgent.xpc")
  1074. >
  1075. > (global-name "com.apple.coresymbolicationd")
  1076. > (global-name "com.apple.awdd")
  1077. > (global-name "com.apple.SharingServices")
  1078. > (global-name "com.apple.bluetoothd")
  1079. > (global-name "com.apple.bluetoothaudiod")
  1080. > (global-name "com.apple.BluetoothDOServer")
  1081. > (global-name "com.apple.airportd")
  1082. >
  1083. > (global-name "com.apple.PowerManagement.control")
  1084. > (global-name "com.apple.audio.coreaudiod")
  1085. > (global-name "com.apple.securityd.xpc")
  1086. > (global-name "com.apple.lsd.mapdb")
  1087. > (global-name "com.apple.lsd.modifydb")
  1088. > (global-name "com.apple.coremedia.routediscoverer.xpc")
  1089. > (global-name "com.apple.coremedia.routingcontext.xpc")
  1090. > (global-name "com.apple.analyticsd")
  1091. > )
  1092. >
  1093. > ;; Preferences
  1094. > (allow file-read*
  1095. > (literal "/private/var/root/Library/Preferences/com.apple.cmio.plist")
  1096. > (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
  1097. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  1098. > (literal "/Library/Preferences/com.apple.security.plist")
  1099. > (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1100. > )
  1101. >
  1102. > ;; Preference domain.
  1103. > (allow user-preference-read
  1104. > (preference-domain "com.apple.airplay")
  1105. > (preference-domain "com.apple.coremedia")
  1106. > (preference-domain "com.apple.security")
  1107. > (preference-domain "com.apple.cmio")
  1108. > )
  1109. >
  1110. > (allow ipc-posix-shm-read-data
  1111. > (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$")
  1112. > (ipc-posix-name-regex #"^AudioIO")
  1113. > (ipc-posix-name "FNetwork.defaultStorageSession")
  1114. > (ipc-posix-name "com.apple.AppleDatabaseChanged")
  1115. > )
  1116. >
  1117. > (allow ipc-posix-shm-write-data
  1118. > (ipc-posix-name-regex #"^AudioIO")
  1119. > (ipc-posix-name "com.apple.AppleDatabaseChanged")
  1120. > )
  1121. >
  1122. > (allow ipc-posix-shm-read-metadata
  1123. > (ipc-posix-name-regex #"^AudioIO")
  1124. > )
  1125. >
  1126. > (allow file-map-executable
  1127. > (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  1128. > (subpath "/System/Library/Extensions")
  1129. > )
  1130. >
  1131. > ;; USB screen capture
  1132. > (allow iokit-open
  1133. > (iokit-user-client-class "IOUSBDeviceUserClientV2")
  1134. > (iokit-user-client-class "IOUSBInterfaceUserClientV3")
  1135. > )
  1136. >
  1137. > (allow iokit-open
  1138. > (iokit-registry-entry-class "RootDomainUserClient")
  1139. > )
  1140. >
  1141. > (allow iokit-get-properties)
  1142. >
  1143. >
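Review bot: `(allow network-inbound )` is granted with no filter, and `(allow file-write* … (subpath "/private/tmp"))` gives write access to the whole shared temporary directory rather than a directory owned by this assistant. I would scope the write rule to a dedicated subdirectory, e.g. `(subpath "/private/tmp/<assistant-specific-dir>")` (placeholder name), and add a comment above the network rules stating which listener needs inbound traffic. `(allow network-bind (remote ip))` uses a remote filter on a bind rule, which looks unintended since bind concerns the local address; confirm whether `(local ip)` was meant. The two lists marked `;; From com.apple.AirPlayXPCHelper` would also benefit from a note on which entries this process actually uses, so the copied grants can be pruned later.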
  1144. --
  1145. com.apple.colorsync.displayservices.sb
  1146. 0a1,40
  1147. > (version 1)
  1148. >
  1149. > (import "system.sb")
  1150. >
  1151. > (deny default iokit-get-properties process-info*)
  1152. >
  1153. > (deny process-info*)
  1154. > (allow process-info-pidinfo)
  1155. > (allow process-info-pidfdinfo (target self))
  1156. > (allow process-info-pidfileportinfo (target self))
  1157. > (allow process-info-setcontrol (target self))
  1158. > (allow process-info-dirtycontrol (target self))
  1159. > (allow process-info-rusage (target self))
  1160. >
  1161. > (allow file-read-metadata file-read-data (literal "/"))
  1162. > (allow file-read-metadata)
  1163. >
  1164. > (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
  1165. > (allow authorization-right-obtain (right-name "com.apple.private.AmbientDisplay.messaging"))
  1166. >
  1167. > (allow-create-directory
  1168. > (literal "/Library/ColorSync")
  1169. > (literal "/Library/ColorSync/Profiles"))
  1170. > (allow file-read*
  1171. > (literal "/Library/ColorSync/Profiles"))
  1172. > (allow file-read* file-write*
  1173. > (prefix "/Library/ColorSync/Profiles/"))
  1174. >
  1175. > ;; deny the removal of these pre-installed profiles.
  1176. > (deny file-write-unlink
  1177. > (literal "/Library/ColorSync/Profiles/Black & White.icc")
  1178. > (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
  1179. > (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
  1180. > (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
  1181. > (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
  1182. > (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
  1183. >
  1184. > (allow mach-lookup
  1185. > (global-name "com.apple.CoreServices.coreservicesd"))
  1186. >
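Review bot: The `(deny file-write-unlink …)` block only blocks removal of the six pre-installed profiles; the preceding `(allow file-read* file-write* (prefix "/Library/ColorSync/Profiles/"))` still appears to permit overwriting their contents in place. If the intent in the comment is to keep those files intact, deny the wider class on the same literals, e.g. `(deny file-write* (literal "/Library/ColorSync/Profiles/Black & White.icc") …)`, and say so in the comment. `(deny process-info*)` also repeats what `(deny default iokit-get-properties process-info*)` two lines earlier already states. Unlike its neighbours in this diff, the file has no header comment describing the service it confines.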
  1187. --
  1188. com.apple.colorsync.useragent.sb
  1189. 0a1,48
  1190. > ;;
  1191. > ;; ColorSync User Agent - sandbox profile
  1192. > ;; Copyright (c) 2016 Apple Inc. All Rights reserved.
  1193. > ;;
  1194. > ;; WARNING: The sandbox rules in this file currently constitute
  1195. > ;; Apple System Private Interface and are subject to change at any time and
  1196. > ;; without notice. The contents of this file are also auto-generated and not
  1197. > ;; user editable; it may be overwritten at any time.
  1198. > ;;
  1199. >
  1200. > (version 1)
  1201. > (deny default)
  1202. > (import "system.sb")
  1203. >
  1204. > ;;; Home Directory
  1205. > (define (home-subpath home-relative-subpath)
  1206. > (subpath (string-append (param "_HOME") home-relative-subpath)))
  1207. > (define (home-literal home-relative-literal)
  1208. > (literal (string-append (param "_HOME") home-relative-literal)))
  1209. > (define (home-regex home-relative-regex)
  1210. > (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
  1211. >
  1212. > (allow file-read-metadata)
  1213. >
  1214. > (allow file-read* file-write*
  1215. > (subpath (param "DARWIN_USER_DIR"))
  1216. > (subpath (param "DARWIN_USER_TEMP_DIR"))
  1217. > (subpath (param "DARWIN_USER_CACHE_DIR")))
  1218. >
  1219. > (allow file-read*
  1220. > (literal "/Volumes")
  1221. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  1222. > (subpath "/Library/Printers")
  1223. > (subpath "/Library/ImageCapture/Devices")
  1224. > (subpath "/Library/ColorSync/Profiles")
  1225. > (subpath "System/Library/ColorSync/Profiles"))
  1226. >
  1227. > (allow file-read*
  1228. > (home-literal ".CFUserTextEncoding")
  1229. > (home-subpath "/Library/Printers")
  1230. > (home-subpath "/Library/ImageCapture/Devices")
  1231. > (home-subpath "/Library/ColorSync/Profiles"))
  1232. >
  1233. >
  1234. >
  1235. > (allow mach-lookup
  1236. > (global-name "com.apple.CoreServices.coreservicesd"))
  1237. >
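Review bot: Two path filters are missing their leading slash. `(subpath "System/Library/ColorSync/Profiles")` is a relative path and will presumably not match the system profile directory. `(home-literal ".CFUserTextEncoding")` expands, through the `string-append` in `home-literal`, to the home path followed directly by `.CFUserTextEncoding` with no separator. They should read `(subpath "/System/Library/ColorSync/Profiles")` and `(home-literal "/.CFUserTextEncoding")`, matching the `(home-subpath "/Library/…")` calls in the same block. `home-regex` is defined but never used in this profile and could be dropped.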
  1238. --
  1239. com.apple.commerce.sb
  1240. 0a1,162
  1241. > (version 1)
  1242. > (deny default)
  1243. >
  1244. > (import "system.sb")
  1245. > (import "com.apple.corefoundation.sb")
  1246. > (corefoundation)
  1247. >
  1248. > (allow file-read-metadata)
  1249. >
  1250. > (allow file-issue-extension
  1251. > (subpath "/Library/Documentation/Help/MacHelp.help")
  1252. > (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1253. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1254. > (regex #"/Library/Caches/storeassetd")
  1255. > (regex #"[a-z0-9]+\.app(/|$)"))
  1256. >
  1257. > (allow file-read*
  1258. > (regex #"\.app(/|$)")
  1259. > (regex #"/CommerceKit\.framework")
  1260. > (literal "/private/etc/hosts")
  1261. > (literal "/private/var/db/mds/system/mdsDirectory.db")
  1262. > (literal "/private/var/db/mds/system/mdsObject.db")
  1263. > (literal "/Library/Preferences/com.apple.AECT.plist")
  1264. > (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
  1265. > (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  1266. > (literal "/Library/Preferences/com.apple.loginwindow.plist")
  1267. > (literal "/private/var/db/PreviousSystemVersion.plist")
  1268. > (subpath "/Applications")
  1269. > (subpath "/Library/Documentation/Help/MacHelp.help")
  1270. > (subpath "/Users/Shared")
  1271. > (regex "/Library/Bundles/[^/]+.bundle")
  1272. > (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  1273. > (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
  1274. > (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
  1275. > (regex #"/Library/Preferences/com.apple.security\.plist$")
  1276. > (regex #"/\.CFUserTextEncoding$")
  1277. > (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
  1278. >
  1279. > (allow file-read* file-write*
  1280. > (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  1281. > (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  1282. > (literal "/private/var/db/mds/system/mds.lock")
  1283. > (subpath "/private/var/root/Library/Caches/com.apple.commerce")
  1284. > (subpath "/private/var/tmp")
  1285. > (subpath "/private/var/folders")
  1286. > (subpath "/private/tmp")
  1287. > (subpath "/Users/Shared/adi")
  1288. > (subpath "/Users/Shared/SC Info")
  1289. > (regex #"/Library/Caches/com\.apple\.commerce")
  1290. > (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1291. > (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
  1292. > (regex #"/Library/Cookies/com\.apple\.(appstore|iBooksX|ibooks|iTunes|configurator(\.ui)?)\.(binary)?cookies")
  1293. > (regex #"/Library/Cookies/Cookies\.binarycookies")
  1294. >
  1295. > (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
  1296. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1297. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
  1298. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/|$)")
  1299. > (regex #"/\.TemporaryItems(/|$)")
  1300. > (regex #"/Library/Keychains/")
  1301. > (regex #"^/etilqs_"))
  1302. >
  1303. > (allow user-preference-read
  1304. > (preference-domain "kCFPreferencesAnyApplication"))
  1305. >
  1306. > (allow user-preference*
  1307. > (preference-domain "com.apple.bookstoreagent")
  1308. > (preference-domain "com.apple.storeagent")
  1309. > (preference-domain "com.apple.iTunes")
  1310. > (preference-domain "com.apple.appstore")
  1311. > (preference-domain "com.apple.ibooks")
  1312. > (preference-domain "com.apple.commerce")
  1313. > (preference-domain "com.apple.commerce.configurator")
  1314. > (preference-domain "com.apple.appstore.commerce")
  1315. > (preference-domain "com.apple.iBooksX.commerce")
  1316. > (preference-domain "com.apple.configurator.ui.commerce"))
  1317. >
  1318. > (allow ipc-posix-shm-read-data
  1319. > (ipc-posix-name "FNetwork.defaultStorageSession")
  1320. > (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  1321. > (ipc-posix-name "apple.shm.notification_center")
  1322. > (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  1323. >
  1324. > (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  1325. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  1326. >
  1327. > (allow mach-register (global-name "com.apple.commerce"))
  1328. >
  1329. > (allow mach-lookup
  1330. > (global-name "com.apple.apsd")
  1331. > (global-name "com.apple.adid")
  1332. > (global-name "com.apple.fpsd")
  1333. > (global-name "com.apple.askpermissiond")
  1334. > (global-name "com.apple.AssetCacheLocatorService")
  1335. > (global-name "com.apple.accountsd.accountmanager")
  1336. > (global-name "com.apple.backupd.sandbox.xpc")
  1337. > (global-name "com.apple.ctkd.token-client")
  1338. > (global-name "com.apple.CoreAuthentication.agent.libxpc")
  1339. > (global-name "com.apple.CoreAuthentication.agent")
  1340. > (global-name "com.apple.securityd.xpc")
  1341. > (global-name "com.apple.UNCUserNotification")
  1342. > (global-name "com.apple.coreservices.launcherror-handler")
  1343. > (global-name "com.apple.SystemConfiguration.configd")
  1344. > (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  1345. > (global-name "com.apple.networkd")
  1346. > (global-name "com.apple.storehelper")
  1347. > (global-name "com.apple.SecurityServer")
  1348. > (global-name "com.apple.PowerManagement.control")
  1349. > (global-name "com.apple.distributed_notifications@Uv3")
  1350. > (global-name "com.apple.usernoted.daemon_client")
  1351. > (global-name "com.apple.metadata.mds")
  1352. > (global-name "com.apple.CoreServices.coreservicesd")
  1353. > (global-name "com.apple.ls.boxd")
  1354. > (global-name "com.apple.FileCoordination")
  1355. > (global-name "com.apple.ocspd")
  1356. > (global-name "com.apple.installd")
  1357. > (global-name "com.apple.ProgressReporting")
  1358. > (global-name "com.apple.windowserver.active")
  1359. > (global-name "com.apple.lsd.mapdb")
  1360. > (global-name "com.apple.coreservices.launchservicesd")
  1361. > (global-name "com.apple.coreservices.appleevents")
  1362. > (global-name "com.apple.cookied")
  1363. > (global-name "com.apple.FontServer")
  1364. > (global-name "com.apple.fonts")
  1365. > (global-name "com.apple.FontObjectsServer")
  1366. > (global-name "com.apple.DiskArbitration.diskarbitrationd")
  1367. > (global-name "com.apple.cvmsServ")
  1368. > (global-name "com.apple.logind")
  1369. > (global-name "com.apple.coreservices.quarantine-resolver")
  1370. > (global-name "com.apple.familycontrols")
  1371. > (global-name "com.apple.pluginkit.pkd")
  1372. > (global-name "com.apple.nsurlstorage-cache")
  1373. > (global-name "com.apple.system.opendirectoryd.api")
  1374. > (global-name "com.apple.CrashReporterSupportHelper")
  1375. > (global-name "com.apple.cache_delete")
  1376. > (global-name "com.apple.ManagedClient.agent")
  1377. > (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  1378. > (global-name "com.apple.pasteboard.1"))
  1379. >
  1380. > (allow authorization-right-obtain
  1381. > (right-name "system.install.app-store-software")
  1382. > (right-name "system.install.apple-software")
  1383. > (right-name "system.install.app-store-software.standard-user")
  1384. > (right-name "system.install.apple-software.standard-user")
  1385. > (right-name "system.install.apple-config-data")
  1386. > (right-name "system.install.software")
  1387. > (right-name "system.install.software.iap")
  1388. > (right-name "system.install.software.mdm-provided")
  1389. > (right-name "com.apple.SoftwareUpdate.modify-settings"))
  1390. >
  1391. > (allow iokit-open
  1392. > (iokit-user-client-class "IOFramebufferSharedUserClient")
  1393. > (iokit-user-client-class "RootDomainUserClient")
  1394. > (iokit-user-client-class-regex #"AccelDevice$")
  1395. > (iokit-user-client-class-regex #"SharedUserClient$")
  1396. > (iokit-user-client-class-regex #"GLContext$"))
  1397. >
  1398. > (allow network-outbound)
  1399. > (allow system-socket)
  1400. > (allow distributed-notification-post)
  1401. > (allow appleevent-send)
  1402. > (allow lsopen)
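Review bot: Several regex filters in the `file-read*` and `file-read* file-write*` lists are unanchored or leave `.` unescaped, so they match more paths than their names suggest. `(regex #"/Library/Keychains/")` grants read-write on any path containing that component, `(regex #"\.app(/|$)")` grants read under any `.app` directory, and `#"/Library/Preferences/com.apple.LaunchServices.plist$"` and `"/Library/Bundles/[^/]+.bundle"` treat the dots as wildcards. I would escape the dots, e.g. `(regex #"/Library/Preferences/com\.apple\.LaunchServices\.plist$")`, and anchor the keychain, cache and cookie patterns to the home or system prefix they are meant for. The write list also includes all of `/private/var/folders`, `/private/var/tmp` and `/private/tmp`, which makes the narrower `^/private/var/folders/[^/]+/[^/]+/[A-Z]/…` entries below it redundant. The same lists recur in the com.apple.commerced.sb hunk that follows.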
  1403. --
  1404. com.apple.commerced.sb
  1405. 0a1,161
  1406. > (version 1)
  1407. > (deny default)
  1408. >
  1409. > (import "system.sb")
  1410. > (import "com.apple.corefoundation.sb")
  1411. > (corefoundation)
  1412. >
  1413. > (allow file-read-metadata)
  1414. >
  1415. > (allow file-issue-extension
  1416. > (subpath "/Library/Documentation/Help/MacHelp.help")
  1417. > (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1418. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1419. > (regex #"/Library/Caches/storeassetd")
  1420. > (regex #"[a-z0-9]+\.app(/|$)"))
  1421. >
  1422. > (allow file-read*
  1423. > (regex #"\.app(/|$)")
  1424. > (regex #"/CommerceKit\.framework")
  1425. > (literal "/private/etc/hosts")
  1426. > (literal "/private/var/db/mds/system/mdsDirectory.db")
  1427. > (literal "/private/var/db/mds/system/mdsObject.db")
  1428. > (literal "/Library/Preferences/com.apple.AECT.plist")
  1429. > (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
  1430. > (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  1431. > (literal "/Library/Preferences/com.apple.loginwindow.plist")
  1432. > (literal "/private/var/db/PreviousSystemVersion.plist")
  1433. > (subpath "/Applications")
  1434. > (subpath "/Library/Documentation/Help/MacHelp.help")
  1435. > (subpath "/Users/Shared")
  1436. > (regex "/Library/Bundles/[^/]+.bundle")
  1437. > (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  1438. > (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
  1439. > (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
  1440. > (regex #"/Library/Preferences/com.apple.security\.plist$")
  1441. > (regex #"/\.CFUserTextEncoding$")
  1442. > (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
  1443. >
  1444. > (allow file-read* file-write*
  1445. > (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  1446. > (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  1447. > (literal "/private/var/db/mds/system/mds.lock")
  1448. > (subpath "/private/var/root/Library/Caches/com.apple.commerce")
  1449. > (subpath "/private/var/tmp")
  1450. > (subpath "/private/var/folders")
  1451. > (subpath "/private/tmp")
  1452. > (subpath "/Users/Shared/adi")
  1453. > (subpath "/Users/Shared/SC Info")
  1454. > (regex #"/Library/Caches/com\.apple\.commerce")
  1455. > (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1456. > (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
  1457. > (regex #"/Library/Cookies/com\.apple\.(appstore|iBooksX|ibooks|iTunes|configurator(\.ui)?)\.(binary)?cookies")
  1458. > (regex #"/Library/Cookies/Cookies\.binarycookies")
  1459. >
  1460. > (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
  1461. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1462. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
  1463. > (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/|$)")
  1464. > (regex #"/\.TemporaryItems(/|$)")
  1465. > (regex #"/Library/Keychains/")
  1466. > (regex #"^/etilqs_"))
  1467. >
  1468. > (allow user-preference-read
  1469. > (preference-domain "kCFPreferencesAnyApplication"))
  1470. >
  1471. > (allow user-preference*
  1472. > (preference-domain "com.apple.bookstoreagent")
  1473. > (preference-domain "com.apple.storeagent")
  1474. > (preference-domain "com.apple.iTunes")
  1475. > (preference-domain "com.apple.appstore")
  1476. > (preference-domain "com.apple.commerce")
  1477. > (preference-domain "com.apple.commerce.configurator")
  1478. > (preference-domain "com.apple.appstore.commerce")
  1479. > (preference-domain "com.apple.iBooksX.commerce")
  1480. > (preference-domain "com.apple.configurator.ui.commerce"))
  1481. >
  1482. > (allow ipc-posix-shm-read-data
  1483. > (ipc-posix-name "FNetwork.defaultStorageSession")
  1484. > (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  1485. > (ipc-posix-name "apple.shm.notification_center")
  1486. > (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  1487. >
  1488. > (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  1489. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  1490. >
  1491. > (allow mach-register (global-name "com.apple.commerced"))
  1492. >
  1493. > (allow mach-lookup
  1494. > (global-name "com.apple.apsd")
  1495. > (global-name "com.apple.adid")
  1496. > (global-name "com.apple.fpsd")
  1497. > (global-name "com.apple.askpermissiond")
  1498. > (global-name "com.apple.AssetCacheLocatorService")
  1499. > (global-name "com.apple.accountsd.accountmanager")
  1500. > (global-name "com.apple.backupd.sandbox.xpc")
  1501. > (global-name "com.apple.ctkd.token-client")
  1502. > (global-name "com.apple.CoreAuthentication.agent.libxpc")
  1503. > (global-name "com.apple.CoreAuthentication.agent")
  1504. > (global-name "com.apple.securityd.xpc")
  1505. > (global-name "com.apple.UNCUserNotification")
  1506. > (global-name "com.apple.coreservices.launcherror-handler")
  1507. > (global-name "com.apple.SystemConfiguration.configd")
  1508. > (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  1509. > (global-name "com.apple.networkd")
  1510. > (global-name "com.apple.storehelper")
  1511. > (global-name "com.apple.SecurityServer")
  1512. > (global-name "com.apple.PowerManagement.control")
  1513. > (global-name "com.apple.distributed_notifications@Uv3")
  1514. > (global-name "com.apple.usernoted.daemon_client")
  1515. > (global-name "com.apple.metadata.mds")
  1516. > (global-name "com.apple.CoreServices.coreservicesd")
  1517. > (global-name "com.apple.ls.boxd")
  1518. > (global-name "com.apple.FileCoordination")
  1519. > (global-name "com.apple.ocspd")
  1520. > (global-name "com.apple.installd")
  1521. > (global-name "com.apple.ProgressReporting")
  1522. > (global-name "com.apple.windowserver.active")
  1523. > (global-name "com.apple.lsd.mapdb")
  1524. > (global-name "com.apple.coreservices.launchservicesd")
  1525. > (global-name "com.apple.coreservices.appleevents")
  1526. > (global-name "com.apple.cookied")
  1527. > (global-name "com.apple.FontServer")
  1528. > (global-name "com.apple.fonts")
  1529. > (global-name "com.apple.FontObjectsServer")
  1530. > (global-name "com.apple.DiskArbitration.diskarbitrationd")
  1531. > (global-name "com.apple.cvmsServ")
  1532. > (global-name "com.apple.logind")
  1533. > (global-name "com.apple.coreservices.quarantine-resolver")
  1534. > (global-name "com.apple.familycontrols")
  1535. > (global-name "com.apple.pluginkit.pkd")
  1536. > (global-name "com.apple.nsurlstorage-cache")
  1537. > (global-name "com.apple.system.opendirectoryd.api")
  1538. > (global-name "com.apple.CrashReporterSupportHelper")
  1539. > (global-name "com.apple.cache_delete")
  1540. > (global-name "com.apple.ManagedClient.agent")
  1541. > (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  1542. > (global-name "com.apple.pasteboard.1"))
  1543. >
  1544. > (allow authorization-right-obtain
  1545. > (right-name "system.install.app-store-software")
  1546. > (right-name "system.install.apple-software")
  1547. > (right-name "system.install.app-store-software.standard-user")
  1548. > (right-name "system.install.apple-software.standard-user")
  1549. > (right-name "system.install.apple-config-data")
  1550. > (right-name "system.install.software")
  1551. > (right-name "system.install.software.iap")
  1552. > (right-name "system.install.software.mdm-provided")
  1553. > (right-name "com.apple.SoftwareUpdate.modify-settings"))
  1554. >
  1555. > (allow iokit-open
  1556. > (iokit-user-client-class "IOFramebufferSharedUserClient")
  1557. > (iokit-user-client-class "RootDomainUserClient")
  1558. > (iokit-user-client-class-regex #"AccelDevice$")
  1559. > (iokit-user-client-class-regex #"SharedUserClient$")
  1560. > (iokit-user-client-class-regex #"GLContext$"))
  1561. >
  1562. > (allow network-outbound)
  1563. > (allow system-socket)
  1564. > (allow distributed-notification-post)
  1565. > (allow appleevent-send)
  1566. > (allow lsopen)
  1567. --
  1568. com.apple.controlstrip.sb
  1569. Files /System/Library/Sandbox/Profiles/com.apple.controlstrip.sb and com.apple.controlstrip.sb are identical
  1570. --
  1571. com.apple.corebrightnessd.sb
  1572. Files /System/Library/Sandbox/Profiles/com.apple.corebrightnessd.sb and com.apple.corebrightnessd.sb are identical
  1573. --
  1574. com.apple.coreduetd.sb
  1575. 5a6
  1576. > (import "bsd.sb")
  1577. 7a9
  1578. > (system-network)
  1579. 40a43
  1580. > (global-name "com.apple.cookied")
  1581. 44a48
  1582. > (global-name "com.apple.coreservices.quarantine-resolver")
  1583. 54c58,59
  1584. < (global-name "com.apple.locationd.desktop.synchronous"))
  1585. ---
  1586. > (global-name "com.apple.locationd.desktop.synchronous")
  1587. > (global-name "com.apple.SharingServices"))
  1588. 59a65,74
  1589. >
  1590. > (allow network-outbound
  1591. > (literal "/private/var/run/mDNSResponder")) ; to resolve host names
  1592. >
  1593. > (allow ipc-posix-shm-read-data
  1594. > (ipc-posix-name "FNetwork.defaultStorageSession"))
  1595. >
  1596. > (allow network-outbound
  1597. > (remote ip))
  1598. >
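Review bot: The second `network-outbound` rule added in this hunk, `(remote ip)`, has no host or port filter and no comment, so it permits outbound IP traffic to any destination. The mDNSResponder rule just above it at least states its purpose. If the daemon only needs one kind of connection, a filtered form such as `(remote tcp "*:443")`, which the old rtcreportingd profile in this same diff used, would keep the grant reviewable. Otherwise add a trailing comment naming the traffic the rule exists for, as knowledge-agent.sb does for the identical rule.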
  1599. --
  1600. com.apple.corefoundation.sb
  1601. Files /System/Library/Sandbox/Profiles/com.apple.corefoundation.sb and com.apple.corefoundation.sb are identical
  1602. --
  1603. com.apple.coreservices.appleevents.appleeventsd.sb
  1604. Files /System/Library/Sandbox/Profiles/com.apple.coreservices.appleevents.appleeventsd.sb and com.apple.coreservices.appleevents.appleeventsd.sb are identical
  1605. --
  1606. com.apple.coreservices.launchservices.launchservicesd.sb
  1607. Files /System/Library/Sandbox/Profiles/com.apple.coreservices.launchservices.launchservicesd.sb and com.apple.coreservices.launchservices.launchservicesd.sb are identical
  1608. --
  1609. com.apple.coreservicesd.sb
  1610. 0a1,63
  1611. > ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1612. > ;;;
  1613. > ;;; WARNING: The sandbox rules in this file currently constitute
  1614. > ;;; Apple System Private Interface and are subject to change at any time and
  1615. > ;;; without notice.
  1616. > ;;;
  1617. > (version 1)
  1618. >
  1619. > (deny default)
  1620. >
  1621. > (import "system.sb")
  1622. > (import "com.apple.corefoundation.sb")
  1623. > (corefoundation)
  1624. >
  1625. > (deny file-map-executable iokit-get-properties process-info* nvram*)
  1626. > (deny dynamic-code-generation)
  1627. >
  1628. > (allow process-info* (target self))
  1629. >
  1630. > (allow process-info-codesignature)
  1631. >
  1632. > (allow user-preference-read user-preference-write
  1633. > (preference-domain "com.apple.coreservicesd"))
  1634. >
  1635. > (allow file-read*)
  1636. > (allow file-read-metadata)
  1637. >
  1638. > (allow file-write*
  1639. > (subpath (param "DARWIN_USER_TEMP_DIR"))
  1640. > (subpath (param "DARWIN_USER_CACHE_DIR")))
  1641. >
  1642. > (allow file-ioctl
  1643. > (path "/dev/fsevents"))
  1644. >
  1645. > (allow ipc-posix-shm-write-create
  1646. > (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  1647. > (allow ipc-posix-shm-write-data
  1648. > (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  1649. >
  1650. > (allow mach-lookup
  1651. > (global-name "com.apple.DiskArbitration.diskarbitrationd"))
  1652. >
  1653. > (allow file-write*
  1654. > (path "/System/Library/Caches/com.apple.Components2.SystemCache.Components"))
  1655. > (allow file-write*
  1656. > (path "/System/Library/Caches/com.apple.Components2.SystemCache.QuickTimeComponents"))
  1657. > (allow file-write*
  1658. > (path "/System/Library/Caches/com.apple.Components2.SystemCache.AudioComponents"))
  1659. >
  1660. > (allow file-map-executable (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal"))
  1661. >
  1662. > (allow distributed-notification-post)
  1663. >
  1664. > (allow iokit-get-properties (iokit-property "Protocol Characteristics"))
  1665. > (allow iokit-get-properties (iokit-property "IOMediaIcon"))
  1666. > (allow iokit-get-properties (iokit-property "Ejectable"))
  1667. > (allow iokit-get-properties (iokit-property "Removable"))
  1668. > (allow iokit-get-properties (iokit-property "CoreStorage Encrypted"))
  1669. > (allow iokit-get-properties (iokit-property "IOClassNameOverride"))
  1670. > (allow iokit-get-properties (iokit-property "od-server-name"))
  1671. > (allow iokit-get-properties (iokit-property "image-path"))
  1672. > (allow iokit-get-properties (iokit-property "filevault-image"))
  1673. > (allow iokit-get-properties (iokit-property "Product Identification"))
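Review bot: Both shared-memory rules use `#"^/tmp/com.apple.csseed.[0-9]+$"`, where the unescaped dots match any character, so names other than the intended `com.apple.csseed.<n>` also pass; `#"^/tmp/com\.apple\.csseed\.[0-9]+$"` is the tighter form. `(allow file-read-metadata)` directly after the unfiltered `(allow file-read*)` adds nothing, because the wildcard already includes metadata reads; the same pair appears in com.apple.dyld.closured.sb further down. The unfiltered `(allow file-read*)` itself should carry a one-line comment saying why this daemon needs whole-filesystem read, the way dyld.closured.sb annotates its own with `;; For reading dylibs`.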
  1674. --
  1675. com.apple.ctkbind.sb
  1676. 0a1,100
  1677. > ;;;
  1678. > ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind
  1679. > ;;;
  1680. > ;;; Copyright (c) 2016 Apple Inc. All Rights reserved.
  1681. > ;;;
  1682. > ;;; WARNING: The sandbox rules in this file currently constitute
  1683. > ;;; Apple System Private Interface and are subject to change at any time and
  1684. > ;;; without notice. The contents of this file are also auto-generated and
  1685. > ;;; not user editable; it may be overwritten at any time.
  1686. >
  1687. > (version 1)
  1688. >
  1689. > (deny default)
  1690. >
  1691. > (import "system.sb")
  1692. >
  1693. > (define (home-subpath home-relative-subpath)
  1694. > (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
  1695. >
  1696. > (define (home-literal home-relative-literal)
  1697. > (literal (string-append (param "HOME_DIR") home-relative-literal)))
  1698. >
  1699. > (allow file-read-data)
  1700. >
  1701. > (allow file-read-metadata)
  1702. >
  1703. > (allow file-read*
  1704. > (subpath (param "DARWIN_USER_TEMP_DIR"))
  1705. > (subpath (param "DARWIN_USER_CACHE_DIR"))
  1706. > (subpath "/Library/Caches/com.apple.iconservices.store")
  1707. > (subpath "/Library/Keyboard Layouts")
  1708. > (subpath "/private/var/db")
  1709. > (home-subpath "/Library/Keyboard Layouts")
  1710. > (literal "/Library/Preferences/com.apple.security.plist")
  1711. > (home-literal "/Library/Keychains/login.keychain-db")
  1712. > (home-literal "/.CFUserTextEncoding"))
  1713. >
  1714. > (allow file-write*
  1715. > (subpath (param "DARWIN_USER_CACHE_DIR"))
  1716. > (subpath "/private/var/db/mds/system"))
  1717. >
  1718. > (allow mach-lookup
  1719. > (global-name "com.apple.audio.SystemSoundServer-OSX")
  1720. > (global-name "com.apple.coreservices.appleevents")
  1721. > (global-name "com.apple.coreservices.launchservicesd")
  1722. > (global-name "com.apple.CoreServices.coreservicesd")
  1723. > (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
  1724. > (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.daemon.libxpc")
  1725. > (global-name "com.apple.ctkd.token-client")
  1726. > (global-name "com.apple.ctkd.watcher-client")
  1727. > (global-name "com.apple.cvmsServ")
  1728. > (global-name "com.apple.decalog4.incoming")
  1729. > (global-name "com.apple.distributed_notifications@Uv3")
  1730. > (global-name "com.apple.dock.fullscreen")
  1731. > (global-name "com.apple.dock.server")
  1732. > (global-name "com.apple.fonts")
  1733. > (global-name "com.apple.FSEvents")
  1734. > (global-name "com.apple.iconservices")
  1735. > (global-name "com.apple.iconservices.store")
  1736. > (global-name "com.apple.inputmethodkit.getxpcendpoint")
  1737. > (global-name "com.apple.inputmethodkit.launchagent")
  1738. > (global-name "com.apple.inputmethodkit.launcher")
  1739. > (global-name "com.apple.lsd.mapdb")
  1740. > (global-name "com.apple.pasteboard.1")
  1741. > (global-name "com.apple.quicklook.ui.helper.active")
  1742. > (global-name "com.apple.SecurityServer")
  1743. > (global-name "com.apple.system.opendirectoryd.api")
  1744. > (global-name "com.apple.SystemConfiguration.configd")
  1745. > (global-name "com.apple.touchbar.agent")
  1746. > (global-name "com.apple.tsm.uiserver")
  1747. > (global-name "com.apple.window_proxies")
  1748. > (global-name "com.apple.tccd.system")
  1749. > (global-name "com.apple.ocspd")
  1750. > (global-name "com.apple.windowserver.active"))
  1751. >
  1752. > (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  1753. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  1754. >
  1755. > (allow authorization-right-obtain
  1756. > (right-name "com.apple.ctk.pair")
  1757. > (right-name "com.apple.ctkbind.admin"))
  1758. >
  1759. > (allow user-preference-read
  1760. > (preference-domain "com.apple.AppleMultitouchTrackpad")
  1761. > (preference-domain "com.apple.ctkbind")
  1762. > (preference-domain "com.apple.HIToolbox")
  1763. > (preference-domain "com.apple.universalaccess")
  1764. > (preference-domain "kCFPreferencesAnyApplication"))
  1765. >
  1766. > (allow user-preference-read user-preference-write
  1767. > (preference-domain "com.apple.ctkbind")
  1768. > (preference-domain "com.apple.security.smartcard")
  1769. > (preference-domain "com.apple.security.tokenlogin"))
  1770. >
  1771. > (allow iokit-open
  1772. > (iokit-registry-entry-class "IGAccelCommandQueue")
  1773. > (iokit-registry-entry-class "IGAccelDevice")
  1774. > (iokit-user-client-class "AppleKeyStoreUserClient")
  1775. > (iokit-user-client-class "IGAccelSharedUserClient")
  1776. > (iokit-user-client-class "IOSurfaceRootUserClient"))
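Review bot: `(allow file-read-data)` with no filter lets the process read the contents of any file that ordinary permission checks allow. That makes almost every entry in the `file-read*` list below it redundant for data reads, including `login.keychain-db` and `/private/var/db`. If the enumerated list is the intended read set, drop the unfiltered rule; if global read is required, record why, e.g. `;; global read needed for <reason, to be supplied by the owner>`. `com.apple.ctkbind` is also listed in both the `user-preference-read` block and the read/write block, so the first entry is redundant. The header says the file is auto-generated, so the change presumably belongs in the generator input rather than in this file.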
  1777. --
  1778. com.apple.ctkd.sb
  1779. Files /System/Library/Sandbox/Profiles/com.apple.ctkd.sb and com.apple.ctkd.sb are identical
  1780. --
  1781. com.apple.datadetectors.sourceaccess.sb
  1782. Files /System/Library/Sandbox/Profiles/com.apple.datadetectors.sourceaccess.sb and com.apple.datadetectors.sourceaccess.sb are identical
  1783. --
  1784. com.apple.deleted.sb
  1785. 38c38
  1786. < (regex "/private/var/folders/.*/mds/mds.lock"))
  1787. ---
  1788. > (regex #"/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$"))
  1789. 44,52c44,51
  1790. < (regex "/Users/.*/Library/Preferences/.GlobalPreferences.plist")
  1791. < (regex "/Users/.*/Library/Preferences/ByHost/.GlobalPreferences\..*\.plist")
  1792. < (regex "/AppleInternal/Library/CacheDelete")
  1793. < (regex "/AppleInternal/Library/CacheDelete/.*")
  1794. < (regex "/Applications/.*")
  1795. < (regex "/private/var/folders/.*/mds/mds.lock")
  1796. < (regex "/private/var/folders/.*/com.apple.LaunchServices-.*\.csstore")
  1797. < (regex "*\.appex")
  1798. < (subpath "/System/Library/CacheDelete"))
  1799. ---
  1800. > (regex "^/Users/[^/]+/Library/Preferences/\.GlobalPreferences\.plist$")
  1801. > (regex "^/Users/[^/]+/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1802. > (regex "^/Applications/.*$")
  1803. > (regex "^/private/var/folders/.*/mds/mds\.lock$")
  1804. > (regex "^/private/var/folders/.*/com.apple.LaunchServices-.*\.csstore$")
  1805. > (regex "^.*/[^/]*\.appex$")
  1806. > (subpath "/System/Library/CacheDelete")
  1807. > (subpath "/AppleInternal/Library/CacheDelete"))
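Review bot: The new `mds.lock` and `csstore` patterns still use `.*`, which spans `/`, so `^/private/var/folders/.*/mds/mds\.lock$` matches at any depth. The 38c38 hunk of this same file narrowed the identical path to `[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$`, and this list should use the same shape. These patterns are also plain strings rather than `#"..."` regex literals as in 38c38, so it is worth confirming that the `\.` escapes survive string parsing; `com.apple.LaunchServices-` has unescaped dots either way. `^.*/[^/]*\.appex$` matches a name ending in `.appex` anywhere on disk. The rule these filters belong to starts outside the hunk, so how much the breadth matters depends on whether it is a read or a write rule.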
  1808. 63a63,64
  1809. > (global-name "com.apple.DiskArbitration.diskarbitrationd")
  1810. > (global-name "com.apple.diskmanagementd")
  1811. 66a68,69
  1812. > (allow iokit-open (iokit-user-client-class "AppleAPFSUserClient"))
  1813. >
  1814. --
  1815. com.apple.diagnosticd.sb
  1816. Files /System/Library/Sandbox/Profiles/com.apple.diagnosticd.sb and com.apple.diagnosticd.sb are identical
  1817. --
  1818. com.apple.distnoted.sb
  1819. 0a1,11
  1820. > (version 1)
  1821. > (deny default)
  1822. >
  1823. > (import "system.sb")
  1824. > (allow mach-lookup
  1825. > (global-name "com.apple.distributed_notifications@1v3")
  1826. > (global-name "com.apple.distributed_notifications@Uv3")
  1827. > (global-name "com.apple.distributed_notifications@0v3")
  1828. > (local-name "com.apple.distributed_notifications@1v3")
  1829. > (local-name "com.apple.distributed_notifications@Uv3")
  1830. > (local-name "com.apple.distributed_notifications@0v3"))
  1831. --
  1832. com.apple.dprivacyd.sb
  1833. 28c28,29
  1834. < (subpath "/Library/Application\ Support"))
  1835. ---
  1836. > (subpath "/Library/Application\ Support")
  1837. > (subpath "/usr"))
  1838. --
  1839. com.apple.dyld.closured.sb
  1840. 0a1,22
  1841. > ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1842. > ;;;
  1843. > ;;; WARNING: The sandbox rules in this file currently constitute
  1844. > ;;; Apple System Private Interface and are subject to change at any time and
  1845. > ;;; without notice.
  1846. > ;;;
  1847. > (version 1)
  1848. >
  1849. > (deny default)
  1850. > (deny file-map-executable iokit-get-properties process-info* nvram*)
  1851. > (deny dynamic-code-generation)
  1852. >
  1853. > (import "system.sb")
  1854. >
  1855. > ;; For reading dylibs
  1856. > (allow file-read*)
  1857. >
  1858. > ;; For resolving symlinks, realpath(3), and equivalents.
  1859. > (allow file-read-metadata)
  1860. >
  1861. > ;; for logging name of client
  1862. > (allow process-info-pidinfo)
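Review bot: The explicit `(deny file-map-executable iokit-get-properties process-info* nvram*)` and `(deny dynamic-code-generation)` lines come before `(import "system.sb")` here, whereas com.apple.coreservicesd.sb in this same diff places the same two denies after its imports. If later rules take precedence over earlier ones, which the `(deny process-info*)` followed by `(allow process-info-pidinfo)` pattern in this profile suggests, allows pulled in by system.sb could undo part of the hardening. Confirm the intended precedence and, if order matters, move the two deny lines below the import so both profiles read the same way.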
  1863. --
  1864. com.apple.efilogin-helper.sb
  1865. Files /System/Library/Sandbox/Profiles/com.apple.efilogin-helper.sb and com.apple.efilogin-helper.sb are identical
  1866. --
  1867. com.apple.eosauthagent.sb
  1868. 11,12c11,12
  1869. < (subpath "/System/Library/PrivateFrameworks/SSOClient.framework")
  1870. < (subpath "/System/Library/Frameworks/SSOClient.framework")
  1871. ---
  1872. > (subpath "/System/Library/PrivateFrameworks")
  1873. > (subpath "/System/Library/Frameworks")
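Review bot: Both replaced filters widen from the single `SSOClient.framework` directory to the whole of `/System/Library/PrivateFrameworks` and `/System/Library/Frameworks`, with no comment recording which additional frameworks the agent needs. The operation these filters belong to starts outside the hunk; if it grants more than read access, the wider subpaths matter more. An enumerated set of `subpath` entries, or at least a comment such as `;; needs frameworks beyond SSOClient: <list>`, would keep the grant auditable. The next hunk (15a16) adds `/Library/Frameworks/SplunkKit.framework`, a path outside `/System`, and deserves the same explanation.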
  1874. 15a16
  1875. > (subpath "/Library/Frameworks/SplunkKit.framework")
  1876. --
  1877. com.apple.icloud.findmydeviced.findmydevice-user-agent.sb
  1878. Files /System/Library/Sandbox/Profiles/com.apple.icloud.findmydeviced.findmydevice-user-agent.sb and com.apple.icloud.findmydeviced.findmydevice-user-agent.sb are identical
  1879. --
  1880. com.apple.iconservicesagent.sb
  1881. Files /System/Library/Sandbox/Profiles/com.apple.iconservicesagent.sb and com.apple.iconservicesagent.sb are identical
  1882. --
  1883. com.apple.iconservicesd.sb
  1884. Files /System/Library/Sandbox/Profiles/com.apple.iconservicesd.sb and com.apple.iconservicesd.sb are identical
  1885. --
  1886. com.apple.knowledge-agent.sb
  1887. 0a1,61
  1888. > (version 1)
  1889. > (deny default)
  1890. >
  1891. > (import "system.sb")
  1892. > (import "com.apple.corefoundation.sb")
  1893. > (import "bsd.sb")
  1894. >
  1895. > (system-network)
  1896. > (corefoundation)
  1897. >
  1898. > (allow mach-lookup
  1899. > (global-name "com.apple.bird.token")
  1900. > (global-name "com.apple.cloudd")
  1901. > (global-name "com.apple.cookied")
  1902. > (global-name "com.apple.CoreServices.coreservicesd")
  1903. > (global-name "com.apple.coreservices.quarantine-resolver")
  1904. > (global-name "com.apple.coreduetd.knowledge.user")
  1905. > (global-name "com.apple.lsd.mapdb"))
  1906. >
  1907. > (allow file*
  1908. > (subpath (param "_USER_TEMP_DIR"))
  1909. > (subpath (string-append (param "_HOME") "/Library/Caches/knowledge-agent"))
  1910. > (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
  1911. > (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
  1912. > (subpath (string-append (param "_HOME") "/Library/Application Support/Knowledge")))
  1913. >
  1914. > (allow file-read* file-write*
  1915. > (subpath (string-append (param "_HOME") "/Library/Caches/CloudKit/com.apple.knowledge-agent")))
  1916. >
  1917. > (allow file-read-metadata
  1918. > (subpath (string-append (param "_HOME") "/Library"))
  1919. > (subpath "/usr"))
  1920. >
  1921. > (allow file-read-data
  1922. > (literal "/usr/libexec")
  1923. > (subpath "/usr/libexec/knowledge-agent")
  1924. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  1925. > (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
  1926. > (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
  1927. > (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
  1928. > (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]*\.plist$"))
  1929. > (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/knowledge-agent\.[^/]*\.plist$"))
  1930. > (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$")))
  1931. >
  1932. > (allow file-read-metadata
  1933. > (literal "/AppleInternal")
  1934. > (literal (param "_HOME")))
  1935. >
  1936. > (allow file-read*
  1937. > (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
  1938. > (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
  1939. >
  1940. > (allow network-outbound
  1941. > (literal "/private/var/run/mDNSResponder")) ; to resolve host names
  1942. >
  1943. > (allow ipc-posix-shm-read-data
  1944. > (ipc-posix-name "FNetwork.defaultStorageSession"))
  1945. >
  1946. > (allow network-outbound
  1947. > (remote ip)) ; to download policy updates
  1948. >
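Review bot: The last `file-read-data` regex, ending `/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$`, contains `.plist` twice and leaves the dots in `com.apple.CoreDuet` unescaped. It does not follow the `name\.[^/]*\.plist$` shape of the two ByHost patterns above it and looks like a copy-paste slip; `#"/Library/Preferences/ByHost/com\.apple\.CoreDuet\.[^/]*\.plist$"` is the likely intent. As written, it would not match a ByHost file named in the usual `com.apple.CoreDuet.<id>.plist` form. The two `literal` entries for `knowledge-agent.plist` and `com.apple.CoreDuet.plist` in the same block are already covered by the `(allow file* ...)` rule earlier in the profile and can be dropped.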
  1949. --
  1950. com.apple.logd.sb
  1951. 1c1
  1952. < ;; Copyright (c) 2015 Apple Inc. All Rights reserved.
  1953. ---
  1954. > ;; Copyright (c) 2015-2017 Apple Inc. All Rights reserved.
  1955. 17,19c17,19
  1956. < (regex #"^(/private)?/var/db/diagnostics(/|$)")
  1957. < (regex #"^(/private)?/var/db/uuidtext(/|$)")
  1958. < )
  1959. ---
  1960. > (regex #"^/private/var/db/diagnostics(/|$)")
  1961. > (regex #"^/private/var/db/timesync(/|$)")
  1962. > (regex #"^/private/var/db/uuidtext(/|$)"))
  1963. 22,24c22,24
  1964. < (regex #"^(/private)?/var/db/diagnostics(/|$)")
  1965. < (regex #"^/private/var/db/timezone(/|$)")
  1966. < )
  1967. ---
  1968. > (regex #"^/private/var/db/diagnostics(/|$)")
  1969. > (regex #"^/private/var/db/timesync(/|$)")
  1970. > (regex #"^/private/var/db/timezone(/|$)"))
  1971. 30a31
  1972. > (subpath "/private/var/db/timesync")
  1973. 35,36c36
  1974. < (remote unix-socket (path-literal "/private/var/run/syslog"))
  1975. < )
  1976. ---
  1977. > (remote unix-socket (path-literal "/private/var/run/syslog")))
  1978. --
  1979. com.apple.mtlcompilerservice.sb
  1980. 8,10c8
  1981. < (allow file-read-data)
  1982. < (allow file-read-metadata)
  1983. <
  1984. ---
  1985. > (allow file-read-metadata (path "/"))
  1986. --
  1987. com.apple.navd.sb
  1988. Files /System/Library/Sandbox/Profiles/com.apple.navd.sb and com.apple.navd.sb are identical
  1989. --
  1990. com.apple.neagent.sb
  1991. Files /System/Library/Sandbox/Profiles/com.apple.neagent.sb and com.apple.neagent.sb are identical
  1992. --
  1993. com.apple.nehelper.sb
  1994. 20,21c20,21
  1995. < (regex #"^/Library/Preferences/com\.apple\.networkextension(\.necp|\.control|\.cache)?\.plist")
  1996. < (regex #"^/Library/Preferences/com\.apple\.networkd(\.sysctl)?\.plist")
  1997. ---
  1998. > (regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist")
  1999. > (regex #"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist")
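Review bot: Neither new pattern ends in `$`, so with the broadened `(\.[_a-zA-Z0-9-]+)?` group any path that begins with the preference-file prefix and reaches `.plist` matches, whatever follows it. Unless trailing suffixes are wanted, anchor both, e.g. `#"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist$"`, and the same for `networkextension`. The change also replaces an enumerated suffix list (`necp`, `control`, `cache`, `sysctl`) with a wildcard, so a comment naming the new files that prompted it would help the next review. The rule these filters sit in starts outside the hunk.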
  2000. 26c26
  2001. < (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)"))
  2002. ---
  2003. > (subpath (param "TEMPDIR")))
  2004. 67a68,69
  2005. > (global-name "com.apple.mobileassetd")
  2006. > (global-name "com.apple.mobileassetd.v2")
  2007. 69a72,75
  2008. > ;;; MobileAsset
  2009. > (allow user-preference-read (preference-domain "com.apple.MobileAsset"))
  2010. > (allow user-preference-read (preference-domain "com.apple.SoftwareUpdate"))
  2011. >
  2012. --
  2013. com.apple.nesessionmanager.sb
  2014. 48d47
  2015. < (literal "/usr/libexec/discoveryd")
  2016. --
  2017. com.apple.networkserviceproxy.sb
  2018. 33,34c33
  2019. < (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log")
  2020. < (regex "/private/var/folders/.*"))
  2021. ---
  2022. > (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log"))
  2023. --
  2024. com.apple.nlcd.sb
  2025. Files /System/Library/Sandbox/Profiles/com.apple.nlcd.sb and com.apple.nlcd.sb are identical
  2026. --
  2027. com.apple.noticeboard.agent.sb
  2028. Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.agent.sb and com.apple.noticeboard.agent.sb are identical
  2029. --
  2030. com.apple.noticeboard.state.sb
  2031. Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.state.sb and com.apple.noticeboard.state.sb are identical
  2032. --
  2033. com.apple.notifyd.sb
  2034. Files /System/Library/Sandbox/Profiles/com.apple.notifyd.sb and com.apple.notifyd.sb are identical
  2035. --
  2036. com.apple.opendirectoryd.sb
  2037. Files /System/Library/Sandbox/Profiles/com.apple.opendirectoryd.sb and com.apple.opendirectoryd.sb are identical
  2038. --
  2039. com.apple.pboard.sb
  2040. 5c5,20
  2041. < (allow ipc-posix-shm (ipc-posix-name-regex #"^CFPBS:"))
  2042. ---
  2043. >
  2044. > ; Enable pboard to call realpath() and re-issue sandbox extensions for file promises.
  2045. > (allow file-read-metadata)
  2046. > (allow file-issue-extension
  2047. > (require-all
  2048. > (extension-class "com.apple.app-sandbox.read")
  2049. > (extension "com.apple.app-sandbox.read")))
  2050. > (allow file-issue-extension
  2051. > (require-all
  2052. > (extension-class "com.apple.app-sandbox.read")
  2053. > (extension "com.apple.app-sandbox.read-write")))
  2054. > (allow file-issue-extension
  2055. > (require-all
  2056. > (extension-class "com.apple.app-sandbox.read-write")
  2057. > (extension "com.apple.app-sandbox.read-write")))
  2058. >
  2059. 8,9c23
  2060. < (global-name "com.apple.lsd.mapdb")
  2061. < (local-name "com.apple.CFPasteboardClient"))
  2062. ---
  2063. > (global-name "com.apple.lsd.mapdb"))
  2064. --
  2065. com.apple.pictd.sb
  2066. Files /System/Library/Sandbox/Profiles/com.apple.pictd.sb and com.apple.pictd.sb are identical
  2067. --
  2068. com.apple.qtkitserver.sb
  2069. 189a190
  2070. > (global-name "com.apple.audio.AudioComponentRegistrar")
  2071. --
  2072. com.apple.qtkittrustedmoviesservice.sb
  2073. 144a145
  2074. > (global-name "com.apple.audio.AudioComponentRegistrar")
  2075. --
  2076. com.apple.rapportd.sb
  2077. 0a1,47
  2078. > ;
  2079. > ; Copyright (C) 2017 Apple Inc. All Rights Reserved.
  2080. > ;
  2081. > ; Sandbox profile for rapportd.
  2082. > ;
  2083. >
  2084. > (version 1)
  2085. > (deny default)
  2086. >
  2087. > (import "com.apple.corefoundation.sb")
  2088. > (import "system.sb")
  2089. >
  2090. > (allow distributed-notification-post)
  2091. > (allow file-read*
  2092. > (subpath "/"))
  2093. > (allow file-write*
  2094. > (subpath "/Library/Application Support/Rapport")
  2095. > (regex #"^/Library/Keychains/System.keychain")
  2096. > (literal "/private/var/db/mds/system/mds.lock")
  2097. > (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  2098. > (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)")
  2099. > (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)")
  2100. > )
  2101. > (allow mach-lookup
  2102. > (global-name "com.apple.analyticsd")
  2103. > (global-name "com.apple.AutoUnlock.AuthenticationHintsProvider")
  2104. > (global-name "com.apple.awdd")
  2105. > (global-name "com.apple.bluetoothd")
  2106. > (global-name "com.apple.cloudd")
  2107. > (global-name "com.apple.coreduetd.context")
  2108. > (global-name "com.apple.coreduetd.knowledgebase")
  2109. > (global-name "com.apple.coresymbolicationd")
  2110. > (global-name "com.apple.distributed_notifications@1v3")
  2111. > (global-name "com.apple.managedconfiguration.profiled")
  2112. > (global-name "com.apple.networkd")
  2113. > (global-name "com.apple.ocspd")
  2114. > (global-name "com.apple.PairingManager")
  2115. > (global-name "com.apple.securityd.xpc")
  2116. > (global-name "com.apple.SecurityServer")
  2117. > (global-name "com.apple.server.bluetooth")
  2118. > (global-name "com.apple.wifi.manager")
  2119. > (global-name "com.apple.wirelessproxd"))
  2120. > (allow network*)
  2121. > (allow system-socket)
  2122. > (allow user-preference-read user-preference-write
  2123. > (preference-domain "com.apple.rapport")
  2124. > )
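Review bot: `(regex #"^/Library/Keychains/System.keychain")` in the `file-write*` list has no end anchor and an unescaped dot, so it grants write access to every path that starts with that prefix, not just the system keychain file. If only that file is meant, use `(regex #"^/Library/Keychains/System\.keychain$")` and list any sibling names that are needed explicitly. The `mds\.lock` regex two lines below it is already covered by the `C($|/)` pattern that follows. `(allow file-read* (subpath "/"))` and `(allow network*)` are both unfiltered; each should at least carry a comment saying why rapportd cannot use a narrower grant.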
  2125. --
  2126. com.apple.reversetemplated.sb
  2127. 12a13
  2128. > (global-name "com.apple.parsecd") ;; to get flight information from Parsec (for flight template-less)
  2129. --
  2130. com.apple.revisiond.sb
  2131. Files /System/Library/Sandbox/Profiles/com.apple.revisiond.sb and com.apple.revisiond.sb are identical
  2132. --
  2133. com.apple.rtcreportingd.sb
  2134. 27a28
  2135. > (literal "/private/var/db/mds/system/mds.lock")
  2136. 31,36d31
  2137. < (allow file-issue-extension
  2138. < (home-literal "/Library/Caches/rtcreportingd")
  2139. < (require-all
  2140. < (extension-class "com.apple.rtcreporting.upload")
  2141. < (home-subpath "/Library/Containers/com.apple.FaceTime/Data/logs/mediaserverd")))
  2142. <
  2143. 53c48
  2144. < (subpath "/usr/libexec/rtcreportingd"))
  2145. ---
  2146. > (literal "/usr/libexec/rtcreportingd"))
  2147. 67a63
  2148. > (global-name "com.apple.awdd")
  2149. 68a65
  2150. > (global-name "com.apple.distributed_notifications@1v3")
  2151. 70a68,70
  2152. > (allow system-fsctl
  2153. > (fsctl-command (_IO "h" 47))) ; HFSIOC_SET_HOTFILE_STATE
  2154. >
  2155. 72,76c72,73
  2156. < (allow network-outbound
  2157. < (literal "/private/var/run/mDNSResponder")
  2158. < (remote tcp "*:443")
  2159. < (remote udp "*:16384")
  2160. < (remote udp "*:16387"))
  2161. \ No newline at end of file
  2162. ---
  2163. > (allow network-outbound)
  2164. > (allow network-inbound (local udp))
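Review bot: The replacement `(allow network-outbound)` drops every destination filter the old rule had (mDNSResponder, `tcp *:443`, `udp *:16384`, `udp *:16387`), and the new `(allow network-inbound (local udp))` accepts UDP on any local port, with no comment explaining either. If additional ports are needed, extending the filtered list with further `(remote udp "*:<port>")` entries keeps the profile auditable. Otherwise record next to the rule why the daemon needs unrestricted outbound access.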
  2165. --
  2166. com.apple.secd.sb
  2167. 0a1,46
  2168. > (version 1)
  2169. >
  2170. > (deny default)
  2171. >
  2172. > (import "system.sb")
  2173. >
  2174. > (allow file-read* file-write*
  2175. > (subpath "/private/var/db/mds")
  2176. > (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
  2177. > (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
  2178. >
  2179. >
  2180. > ;;;;;; will be fully fixed in 29465717
  2181. > (allow file-read* (subpath "/"))
  2182. >
  2183. > (allow user-preference-read
  2184. > (preference-domain ".GlobalPreferences"))
  2185. > (allow user-preference-read
  2186. > (preference-domain "com.apple.security"))
  2187. >
  2188. > (allow file-read*
  2189. > (literal "/usr/libexec/secd")
  2190. > (literal "/Library/Preferences/com.apple.security.plist")
  2191. > (literal "/Library/Preferences/.GlobalPreferences.plist")
  2192. > (literal "/AppleInternal")
  2193. > (literal "/usr/libexec"))
  2194. >
  2195. >
  2196. > (allow mach-lookup
  2197. > (global-name "com.apple.SystemConfiguration.configd")
  2198. > (global-name "com.apple.security.cloudkeychainproxy3")
  2199. > (global-name "com.apple.security.keychainsyncingoveridsproxy")
  2200. > (global-name "com.apple.cloudd")
  2201. > (global-name "com.apple.apsd")
  2202. > (global-name "com.apple.windowserver.active"))
  2203. >
  2204. > (allow iokit-open
  2205. > (iokit-user-client-class "AppleKeyStoreUserClient"))
  2206. >
  2207. > (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
  2208. >
  2209. > (allow ipc-posix-shm
  2210. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  2211. >
  2212. > (allow network-outbound)
  2213. > (allow system-socket)
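Review bot: `(allow file-read* (subpath "/"))` gives secd read access to the entire filesystem, which makes the later `file-read*` list of literals (`/usr/libexec/secd`, the two preference plists, `/AppleInternal`, `/usr/libexec`) redundant for as long as it stays. The only explanation is `;;;;;; will be fully fixed in 29465717`; the comment should say what the rule works around and what the intended read set is, e.g. `;; TEMPORARY: global read until the change tracked above lands; intended read set is the literal list below`. `(allow ipc-posix-shm ...)` also appears broader than the `ipc-posix-shm-read-data ipc-posix-shm-write-data` pair that ctkbind.sb uses for the same `com.apple.AppleDatabaseChanged` name; prefer the narrower pair if secd needs nothing more.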
  2214. --
  2215. com.apple.secinitd.sb
  2216. Files /System/Library/Sandbox/Profiles/com.apple.secinitd.sb and com.apple.secinitd.sb are identical
  2217. --
  2218. com.apple.securitydservice.sb
  2219. 22c22,23
  2220. < (global-name "com.apple.ocspd"))
  2221. ---
  2222. > (global-name "com.apple.ocspd")
  2223. > (global-name "com.apple.mobile.keybagd.xpc"))
  2224. --
  2225. com.apple.siri.ClientFlow.ClientScripter.sb
  2226. 27a28,30
  2227. > ;; For mapping process path to CFScripter instance
  2228. > (allow process-info-pidinfo)
  2229. >
  2230. --
  2231. com.apple.speech.speechsynthesisd.sb
  2232. 92c92
  2233. < ;;; rdar://problem/26620973 & rdar://problem/31070724
  2234. ---
  2235. > ;;; rdar://problem/26620973 & rdar://problem/31560540
  2236. 100a101
  2237. > (global-name "com.apple.audio.AudioComponentRegistrar")
  2238. 104a106
  2239. > (global-name "com.apple.mobileassetd")
  2240. --
  2241. com.apple.storeaccountd.sb
  2242. 105a106,107
  2243. > (global-name "com.apple.adid")
  2244. > (global-name "com.apple.fpsd")
  2245. 109a112,113
  2246. > (global-name "com.apple.commerce")
  2247. > (global-name "com.apple.commerced")
  2248. --
  2249. com.apple.storeassetd.sb
  2250. 95a96,97
  2251. > (global-name "com.apple.adid")
  2252. > (global-name "com.apple.fpsd")
  2253. --
  2254. com.apple.storedownloadd.sb
  2255. 39a40
  2256. > (regex #"/Library/Preferences/com\.apple\.seeding\.plist$")
  2257. 98a100,101
  2258. > (global-name "com.apple.adid")
  2259. > (global-name "com.apple.fpsd")
  2260. --
  2261. com.apple.storelegacy.sb
  2262. Files /System/Library/Sandbox/Profiles/com.apple.storelegacy.sb and com.apple.storelegacy.sb are identical
  2263. --
  2264. com.apple.storereceiptinstaller.sb
  2265. 11a12
  2266. > (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  2267. 42a44,45
  2268. > (global-name "com.apple.lsd.mapdb")
  2269. > (global-name "com.apple.lsd.modifydb")
  2270. --
  2271. com.apple.storeuid.sb
  2272. 87a88,94
  2273. > (allow user-preference-read
  2274. > (preference-domain "com.apple.AppleMultitouchTrackpad")
  2275. > (preference-domain "com.apple.ServicesMenu.Services"))
  2276. >
  2277. > (allow user-preference*
  2278. > (preference-domain "com.apple.storeuid"))
  2279. >
  2280. 98c105,106
  2281. < (global-name "com.apple.storeuid"))
  2282. ---
  2283. > (global-name "com.apple.storeuid")
  2284. > (global-name "com.apple.storeagent.storekit"))
  2285. 100a109,113
  2286. > (global-name "com.apple.iohideventsystem")
  2287. > (global-name "com.apple.tsm.uiserver")
  2288. > (global-name "com.apple.touchbarserver.mig")
  2289. > (global-name "com.apple.touchbar.agent")
  2290. > (global-name "com.apple.pbs.fetch_services")
  2291. 104a118
  2292. > (global-name "com.apple.commerce")
  2293. 168a183,185
  2294. > (iokit-user-client-class "IOSurfaceRootUserClient")
  2295. > (iokit-user-client-class "IGAccelCommandQueue")
  2296. > (iokit-user-client-class "AppleMultitouchDeviceUserClient")
  2297. --
  2298. com.apple.suggestd.sb
  2299. 18a19,20
  2300. > (home-subpath "/Library/Caches/com.apple.parsecd/CustomFeedback/") ;; Parsec feedback (Trystero uploads) <rdar://problem/33038387> Sandbox exception for Parsec feedback (macOS)
  2301. >
  2302. 33a36
  2303. > (home-subpath "/Library/Application Support/Knowledge") ;; _DKKnowledgeStore
  2304. 39a43,51
  2305. > ;; <rdar://problem/31989235> Lobo: SGOrigin app name unlocalized - need sandbox rule for InfoPlist.strings
  2306. > (allow file-read* (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist"))
  2307. > (allow file-read* (regex #"\.app$"))
  2308. > (allow file-read* (regex #"\.app/Contents$"))
  2309. > (allow file-read* (regex #"\.app/Contents/Resources$"))
  2310. > (allow file-read* (regex #"/InfoPlist\.strings$"))
  2311. > (allow file-read* (regex #"/Info.plist$"))
  2312. > (allow file-read* (regex #"\.lproj$"))
  2313. >
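Review bot: The six `file-read*` regex rules added at 39a43,51 are anchored only at the end, so they match any path with that suffix, including a directory anyone can create and name `Something.app` or `x.lproj`. The `#"/Info.plist$"` pattern also leaves its dot unescaped, unlike `#"/InfoPlist\.strings$"` on the line before it; `(regex #"/Info\.plist$")` would match only the intended file name. If the goal is just the localized app name the rdar comment describes, consider requiring the `\.app/Contents/` component in front of the `Info\.plist`, `InfoPlist\.strings` and `\.lproj` patterns, and state that scope in the comment.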
  2314. 41a54
  2315. > (global-name "com.apple.apsd") ;; SGDCloudKitSync (APNS)
  2316. 50a64
  2317. > (global-name "com.apple.cloudd") ;; SGDCloudKitSync (CloudKit)
  2318. 52c66,67
  2319. < (global-name "com.apple.coreduetd.people") ;; SGDuetBridge
  2320. ---
  2321. > (global-name "com.apple.coreduetd.knowledge.user") ;; PersonalizationPortrait
  2322. > (global-name "com.apple.coreduetd.context") ;; SGDPowerBudget
  2323. 54a70,71
  2324. > (global-name "com.apple.spotlight.SearchAgent")
  2325. > (global-name "com.apple.spotlight.IndexAgent")
  2326. 58a76
  2327. > (global-name "com.apple.metadata.mds") ;; <rdar://problem/28957199>
  2328. 66c84,87
  2329. < (global-name "com.apple.tccd"))
  2330. ---
  2331. > (global-name "com.apple.SystemConfiguration.configd") ;; SGDCloudKitSync (APNS)
  2332. > (global-name "com.apple.tccd")
  2333. > (global-name "com.apple.windowserver.active") ;; AGDCloudKitSync (APNS)
  2334. > (global-name "com.apple.FileCoordination")) ;; MailServices for reimport
  2335. --
  2336. com.apple.swcd.sb
  2337. Files /System/Library/Sandbox/Profiles/com.apple.swcd.sb and com.apple.swcd.sb are identical
  2338. --
  2339. com.apple.tccd.sb
  2340. Files /System/Library/Sandbox/Profiles/com.apple.tccd.sb and com.apple.tccd.sb are identical
  2341. --
  2342. com.apple.touristd.sb
  2343. 0a1,106
  2344. > ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  2345. > ;;;
  2346. > ;;; WARNING: The sandbox rules in this file currently constitute
  2347. > ;;; Apple System Private Interface and are subject to change at any time and
  2348. > ;;; without notice.
  2349. > ;;;
  2350. > (version 1)
  2351. >
  2352. > (deny default)
  2353. > (deny file-map-executable iokit-get-properties process-info* nvram*)
  2354. > (deny dynamic-code-generation)
  2355. >
  2356. > (import "system.sb")
  2357. > (import "com.apple.corefoundation.sb")
  2358. > (corefoundation)
  2359. >
  2360. > ;;; Homedir-relative path filters
  2361. > (define (home-regex home-relative-regex)
  2362. > (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
  2363. >
  2364. > (define (home-subpath home-relative-subpath)
  2365. > (subpath (string-append (param "HOME") home-relative-subpath)))
  2366. >
  2367. > (define (home-prefix home-relative-prefix)
  2368. > (prefix (string-append (param "HOME") home-relative-prefix)))
  2369. >
  2370. > (define (home-literal home-relative-literal)
  2371. > (literal (string-append (param "HOME") home-relative-literal)))
  2372. >
  2373. > (allow process-info* (target self))
  2374. >
  2375. > ;; For resolving symlinks, realpath(3), and equivalents.
  2376. > (allow file-read-metadata)
  2377. >
  2378. > ;; For validating the entitlements of clients.
  2379. > (allow process-info-codesignature)
  2380. >
  2381. > ;;allow safari to open the url
  2382. > (allow lsopen)
  2383. >
  2384. > ;; preference domain.
  2385. > (allow user-preference-read user-preference-write
  2386. > (preference-domain "com.apple.touristd"))
  2387. > (allow user-preference-read user-preference-write
  2388. > (preference-domain "NSGlobalDomain"))
  2389. > (allow file-read* file-write* (home-subpath "/Library/Preferences/"))
  2390. > (allow file-read* file-write* (literal "/Library/Preferences/.GlobalPreferences.plist"))
  2391. >
  2392. > ;; private frameworks.
  2393. > (allow file-map-executable (subpath "/System/Library/PrivateFrameworks/"))
  2394. > (allow file-map-executable (subpath "/System/Library/Frameworks/"))
  2395. >
  2396. > ;;allow outbound network connections.
  2397. > (system-network)
  2398. > (allow network-outbound)
  2399. > (allow ipc-posix-shm-read-data)
  2400. >
  2401. > ;;allow mach lookup.
  2402. > (allow mach-lookup
  2403. > (global-name "com.apple.cookied")
  2404. > (global-name "com.apple.coreservices.launchservicesd")
  2405. > (global-name "com.apple.dock.server")
  2406. > (global-name "com.apple.lsd.mapdb")
  2407. > (global-name "com.apple.lsd.modifydb")
  2408. > (global-name "com.apple.syncdefaultsd")
  2409. > (global-name "com.apple.usernoted.daemon_client")
  2410. > (global-name "com.apple.coreservices.quarantine-resolver")
  2411. > (global-name "com.apple.SecurityServer")
  2412. > (global-name "com.apple.windowserver.active"))
  2413. >
  2414. > ;;allow get properties.
  2415. > (allow iokit-get-properties
  2416. > (require-all
  2417. > (iokit-registry-entry-class "IOPlatformExpertDevice")
  2418. > (iokit-registry-entry-class "IORegisterForSystemPower")
  2419. > (iokit-registry-entry-class "IORegistryEntryCreateCFProperty")))
  2420. >
  2421. > (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
  2422. > (allow iokit-get-properties (iokit-property "board-id"))
  2423. > (allow iokit-get-properties)
  2424. >
  2425. > ;; Read/write access to a temporary directory.
  2426. > (allow file-read* file-write*
  2427. > (subpath (param "TMPDIR"))
  2428. > (subpath (param "DARWIN_CACHE_DIR"))
  2429. > (subpath "/Library/Application Support/CrashReporter/"))
  2430. >
  2431. >
  2432. > (allow file-read*
  2433. > (subpath "/Library/Application Support/CrashReporter/")
  2434. > (subpath "/private/var/db/mds/messages")
  2435. > (literal "/Library/Preferences/com.apple.security.plist"))
  2436. >
  2437. >
  2438. > ;; Read/write access to the previous system version.
  2439. > (allow file-read-data (literal "/private/var/db/PreviousSystemVersion.plist"))
  2440. > (allow file-read-data (home-literal "/.CFUserTextEncoding"))
  2441. >
  2442. > ;; Read/write access to com.apple.touristd’s cache.
  2443. > (let ((cache-path-filter (home-prefix "/Library/Caches/com.apple.touristd")))
  2444. > (allow file-read* file-write* cache-path-filter)
  2445. > (allow file-issue-extension
  2446. > (require-all
  2447. > (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
  2448. > cache-path-filter)))
  2449. >
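Review bot: The unfiltered `(allow iokit-get-properties)` at the end of the IOKit section makes the two filtered rules above it redundant and appears to undo the `(deny file-map-executable iokit-get-properties ...)` at the top of the profile. The `require-all` over three different `iokit-registry-entry-class` values looks like it can never match, since an entry has one class and two of the names read like function names; keeping `(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))` plus the `board-id` rule would be tighter if that covers what the daemon reads. Separately, `(allow file-read* file-write* (home-subpath "/Library/Preferences/"))` grants write access to every preference file of the user, well beyond the two `preference-domain` rules above it. `home-prefix` on the cache path would presumably also match sibling names that merely start with `com.apple.touristd`. The comment `Read/write access to the previous system version` sits over `file-read-data` rules and should say read-only.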
  2450. --
  2451. com.apple.trustd.sb
  2452. 0a1,70
  2453. > (version 1)
  2454. >
  2455. > (deny default)
  2456. > (deny file-map-executable iokit-get-properties process-info* nvram*)
  2457. > (deny dynamic-code-generation)
  2458. >
  2459. > (import "system.sb")
  2460. > (import "com.apple.corefoundation.sb")
  2461. > (corefoundation)
  2462. >
  2463. > (allow process-info* (target self))
  2464. >
  2465. > ;; For resolving symlinks, realpath(3), and equivalents.
  2466. > (allow file-read-metadata)
  2467. >
  2468. > ;; For validating the entitlements of clients (for keychain and trust settings)
  2469. > ;; see 31353815
  2470. > (allow process-info-codesignature)
  2471. > (allow process-info-pidinfo)
  2472. > (allow file-read*)
  2473. >
  2474. > ;; ${PRODUCT_NAME}’s preference domain.
  2475. > (allow user-preference-read user-preference-write
  2476. > (preference-domain "com.apple.trustd"))
  2477. >
  2478. > ;; Global and security preferences
  2479. > (allow user-preference-read
  2480. > (preference-domain "com.apple.security")
  2481. > (preference-domain "com.apple.Security")
  2482. > (preference-domain ".GlobalPreferences")
  2483. > (preference-domain "com.apple.MobileAsset"))
  2484. >
  2485. > ;; Read/write access to a temporary directory.
  2486. > (allow file-read* file-write*
  2487. > (subpath (param "_TMPDIR"))
  2488. > (subpath (param "_DARWIN_CACHE_DIR")))
  2489. >
  2490. > ;; Read/write access to keychains and caches
  2491. > (allow file-read* file-write*
  2492. > (subpath "/private/var/db/mds/")
  2493. > (subpath "/private/var/db/crls/")
  2494. > (subpath "/System/Library/Security/")
  2495. > (subpath "/Library/Keychains/")
  2496. > (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
  2497. >
  2498. > (allow file-read*
  2499. > (literal "/usr/libexec")
  2500. > (literal "/usr/libexec/trustd")
  2501. > (literal "/Library/Preferences/com.apple.security.plist")
  2502. > (regex #"/.GlobalPreferences[^/]*\.plist")
  2503. > (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
  2504. > (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
  2505. >
  2506. > (allow file-map-executable
  2507. > (regex #"/CoreServicesInternal")
  2508. > (regex #"/csparser"))
  2509. >
  2510. > (allow mach-lookup
  2511. > (global-name "com.apple.ocspd")
  2512. > (global-name "com.apple.SecurityServer")
  2513. > (global-name "com.apple.SystemConfiguration.configd")
  2514. > (global-name "com.apple.mobileassetd")
  2515. > (global-name "com.apple.securityd.xpc")
  2516. > (global-name "com.apple.nsurlsessiond"))
  2517. >
  2518. > (allow ipc-posix-shm
  2519. > (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  2520. >
  2521. > (allow network-outbound)
  2522. > (allow system-socket)
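Review bot: The bare `(allow file-read*)` under the `see 31353815` comment grants read access to the whole filesystem, which makes the later `(allow file-read* (literal ...))` list redundant and is far wider than the entitlement-validation purpose the comment gives. If it is a stopgap, it should carry a comment saying so and naming the paths actually needed. The two `file-map-executable` regexes, `#"/CoreServicesInternal"` and `#"/csparser"`, are unanchored at both ends, so they match any path containing that string, including paths under `_TMPDIR` and `_DARWIN_CACHE_DIR` where this profile also has `file-write*`. Anchoring them under the system library tree, as the touristd and iWorkXPC profiles in this diff do with `(subpath "/System/Library/Frameworks")`, would keep writable locations out of the executable-mapping set. `#"/.GlobalPreferences[^/]*\.plist"` likewise has an unescaped leading dot and no trailing `$`.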
  2523. --
  2524. com.apple.useractivityd.sb
  2525. 14a15,21
  2526. > ;;(allow file-issue-extension
  2527. > ;; (extension "com.apple.app-sandbox.read-write"))
  2528. >
  2529. > (if (param "TMP_DIR")
  2530. > (allow file-issue-extension
  2531. > (regex (string-append "^" (param "TMP_DIR") "/*"))))
  2532. >
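Review bot: `(regex (string-append "^" (param "TMP_DIR") "/*"))` at 14a15,21 interpolates the parameter into a regex without `regex-quote`, and the trailing `/*` means zero or more slashes, so the pattern is a bare prefix match. It therefore also covers sibling paths that merely start with the TMP_DIR string, and any regex metacharacter in the path changes what is matched. Another profile in this diff builds the same kind of filter as `(regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)"))`; here that would be `(regex (string-append "^" (regex-quote (param "TMP_DIR")) "(/|$)"))`, or simply `(subpath (param "TMP_DIR"))`. Because the rule governs `file-issue-extension`, the over-match widens the set of paths for which the daemon can issue extensions beyond its temp directory.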
  2533. 56a64,66
  2534. > (global-name "com.apple.BluetoothDOServer")
  2535. > (global-name "com.apple.FileCoordination")
  2536. > (global-name "com.apple.analyticsd")
  2537. --
  2538. com.apple.writeconfig.sb
  2539. Files /System/Library/Sandbox/Profiles/com.apple.writeconfig.sb and com.apple.writeconfig.sb are identical
  2540. --
  2541. com.apple.xpchelper.sb
  2542. Files /System/Library/Sandbox/Profiles/com.apple.xpchelper.sb and com.apple.xpchelper.sb are identical
  2543. --
  2544. com.openssh.sshd.sb
  2545. Files /System/Library/Sandbox/Profiles/com.openssh.sshd.sb and com.openssh.sshd.sb are identical
  2546. --
  2547. coresymbolicationd.sb
  2548. Files /System/Library/Sandbox/Profiles/coresymbolicationd.sb and coresymbolicationd.sb are identical
  2549. --
  2550. directoryserver.sb
  2551. Files /System/Library/Sandbox/Profiles/directoryserver.sb and directoryserver.sb are identical
  2552. --
  2553. fmfd.sb
  2554. Files /System/Library/Sandbox/Profiles/fmfd.sb and fmfd.sb are identical
  2555. --
  2556. iWorkXPC.sb
  2557. 0a1,28
  2558. > (version 1)
  2559. >
  2560. > (deny default)
  2561. > (deny dynamic-code-generation file-map-executable nvram* process-info*)
  2562. >
  2563. > (import "system.sb")
  2564. >
  2565. > ;;; <rdar://problem/32252235> MAC: XPC: Sandbox violations on export
  2566. > (define (home-subpath home-relative-subpath)
  2567. > (subpath (string-append (param "_HOME") home-relative-subpath)))
  2568. > (define (home-literal home-relative-literal)
  2569. > (literal (string-append (param "_HOME") home-relative-literal)))
  2570. > (define (home-regex home-relative-regex)
  2571. > (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
  2572. >
  2573. > (allow file-read* (home-literal "/Library/Preferences/.CFUserTextEncoding"))
  2574. >
  2575. > (allow file-read-metadata)
  2576. >
  2577. > (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
  2578. >
  2579. > (allow file-read* (extension "com.apple.app-sandbox.read"))
  2580. > (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  2581. >
  2582. > (allow process-info-dirtycontrol (target self))
  2583. >
  2584. > (allow file-map-executable (subpath "/System/Library/Frameworks")
  2585. > (subpath "/System/Library/PrivateFrameworks"))
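Review bot: `(home-literal "/Library/Preferences/.CFUserTextEncoding")` probably does not match the file it is meant for, because the touristd profile added in this same diff reads it as `(home-literal "/.CFUserTextEncoding")`, directly under the home directory. If that is the real location, the rule here never matches and the read is presumably still denied; `(allow file-read* (home-literal "/.CFUserTextEncoding"))` would fix it. `home-subpath` and `home-regex` are defined but not used anywhere in the 28 added lines and could be dropped until a rule needs them.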
  2586. --
  2587. opendirectory.sb
  2588. Files /System/Library/Sandbox/Profiles/opendirectory.sb and opendirectory.sb are identical
  2589. --
  2590. racoon.sb
  2591. Files /System/Library/Sandbox/Profiles/racoon.sb and racoon.sb are identical
  2592. --
  2593. system.sb
  2594. 13,14c13,16
  2595. < (allow mach-register
  2596. < (local-name-prefix ""))
  2597. ---
  2598. > (allow mach-register (local-name-prefix ""))
  2599. >
  2600. > ;;; Allow lookup of XPC services for backward-compatibility.
  2601. > (allow mach-lookup (xpc-service-name-prefix ""))
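Review bot: `(allow mach-lookup (xpc-service-name-prefix ""))` uses an empty prefix, so it allows lookup of every XPC service name. Because it lives in system.sb, it is inherited by every profile that does `(import "system.sb")`, including the `(deny default)` profiles for touristd, trustd and iWorkXPC added in this diff. The comment gives only backward-compatibility as the reason; it should say how wide the rule is and point to a tracking issue, for example `;;; NOTE: empty prefix matches all XPC service names; inherited by every importer unless it adds an explicit deny.` The rest of system.sb is outside the hunk, so a later rule that narrows this would not be visible here.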
  2602. 22a25
  2603. > (subpath "/private/var/db/timezone")
  2604. 78a82
  2605. > (global-name "com.apple.dyld.closured")
  2606. 121a126
  2607. > (iokit-registry-entry-class "AppleIntelMEUserClient")