View difference between Paste ID: <a href="/mAU7YZd2">mAU7YZd2</a> and <a href="/7H4fcijA">7H4fcijA</a> - Pastebin.com

View difference between Paste ID: mAU7YZd2 and 7H4fcijA

SHOW: | | - or go back to the newest paste.

1		--
2		application.sb
3	-	485a486,488
3	+	*** /System/Library/Sandbox/Profiles/application.sb 2017-01-31 18:23:47.000000000 -0800
4	-	> (with-filter
4	+	--- application.sb 2017-07-10 13:51:51.000000000 -0700
5	-	> (extension "com.apple.app-sandbox.read-write")
5	+	***************
6	-	> (allow file-link (home-subpath "/Library/Mobile Documents")))
6	+	* 483,488 **
7	-	562,563c565
7	+	--- 483,491 ----
8	-	< "\\..*\\.plist$")))
8	+	(deny nvram*)
9	-	< (%protect-preference-symlink domain)))
9	+	(allow nvram-get (nvram-variable "IOGVAEncoderRestricted"))
10	-	---
10	+	(deny file-link (home-subpath "/Library"))
11	-	> "\\..*\\.plist$")))))
11	+	+ (with-filter
12	-	584,585c586
12	+	+ (extension "com.apple.app-sandbox.read-write")
13	-	< "\\..*\\.plist(\\..+)?$")))
13	+	+ (allow file-link (home-subpath "/Library/Mobile Documents")))
14	-	< (%protect-preference-symlink domain)))
14	+	(if (entitlement "com.apple.security.temporary-exception.yasb")
15	-	---
15	+	(begin
16	-	> "\\..*\\.plist(\\..+)?$")))))
16	+	(read-write-and-issue-extensions (subpath "/"))
17	-	638c639
17	+	***************
18	-	< (global-name "com.apple.blued"))
18	+	* 559,566 **
19	-	---
19	+	(string-append
20	-	> (global-name "com.apple.bluetoothd"))
20	+	"/Library/Preferences/ByHost/"
21	-	840,843c841,845
21	+	(regex-quote domain)
22	-	< (read-only-and-issue-extensions
22	+	! "\\..*\\.plist$")))
23	-	< (require-all
23	+	! (%protect-preference-symlink domain)))
24	-	< (extension "com.apple.librarian.ubiquity-revision")
24	+	domains))
25	-	< (mount-relative-regex "^/\\.DocumentRevisions-V100(/\|$)")))
25	+	(define (shared-preferences-read-write . domains)
26	-	---
26	+	(for-each
27	-	> (sandbox-array-entitlement
27	+	--- 562,568 ----
28	-	> "com.apple.developer.icloud-container-identifiers"
28	+	(string-append
29	-	> (lambda (id)
29	+	"/Library/Preferences/ByHost/"
30	-	> (allow file-link (ubiquity-filter id))
30	+	(regex-quote domain)
31	-	> (read-write-and-issue-extensions (ubiquity-filter id))))
31	+	! "\\..*\\.plist$")))))
32	-	927,929d928
32	+	domains))
33	-	< (deny file-read*
33	+	(define (shared-preferences-read-write . domains)
34	-	< file-write*
34	+	(for-each
35	-	< (group-container-subpath "/Library/Preferences"))
35	+	***************
36	-	997a997
36	+	* 581,588 **
37	-	> "com.apple.airplay"
37	+	(string-append
38	-	1022a1023,1024
38	+	"/Library/Preferences/ByHost/"
39	-	> (%protect-preference-symlink "com.apple.security_common")
39	+	(regex-quote domain)
40	-	> (%protect-preference-symlink "com.apple.security")
40	+	! "\\..*\\.plist(\\..+)?$")))
41	-	1085a1088
41	+	! (%protect-preference-symlink domain)))
42	-	> (literal "/private/etc/openldap/ldap.conf")
42	+	domains))
43	-	1090c1093
43	+	(allow file-read*
44	-	< (literal "/private/etc/openldap/ldap.conf")
44	+	file-ioctl
45	-	---
45	+	--- 583,589 ----
46	-	> (literal "/private/etc/ssl/openssl.cnf")
46	+	(string-append
47	-	1133a1137,1138
47	+	"/Library/Preferences/ByHost/"
48	-	> (global-name "com.apple.audio.AudioComponentPrefs")
48	+	(regex-quote domain)
49	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
49	+	! "\\..*\\.plist(\\..+)?$")))))
50	-	1138a1144
50	+	domains))
51	-	> (global-name "com.apple.cache_delete.public")
51	+	(allow file-read*
52	-	1139a1146
52	+	file-ioctl
53	-	> (global-name "com.apple.colorsync.useragent")
53	+	***************
54	-	1144a1152,1154
54	+	* 635,641 **
55	-	> (global-name "com.apple.coremedia.routediscoverer.xpc")
55	+	(literal "/Library/Preferences/com.apple.Bluetooth.plist"))
56	-	> (global-name "com.apple.coremedia.routingcontext.xpc")
56	+	(allow mach-lookup
57	-	> (global-name "com.apple.coremedia.volumecontroller.xpc")
57	+	(global-name "com.apple.BluetoothDOServer")
58	-	1153d1162
58	+	! (global-name "com.apple.blued"))
59	-	< (global-name "com.apple.decalog4.incoming")
59	+	(allow iokit-open
60	-	1159a1169
60	+	(iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
61	-	> (global-name "com.apple.FileProvider")
61	+	(iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
62	-	1177d1186
62	+	--- 636,642 ----
63	-	< (global-name "com.apple.librariand")
63	+	(literal "/Library/Preferences/com.apple.Bluetooth.plist"))
64	-	1216a1226
64	+	(allow mach-lookup
65	-	> (global-name "com.apple.tailspind")
65	+	(global-name "com.apple.BluetoothDOServer")
66	-	1232a1243,1245
66	+	! (global-name "com.apple.bluetoothd"))
67	-	> (with-filter
67	+	(allow iokit-open
68	-	> (iokit-registry-entry-class "IODisplayWrangler")
68	+	(iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
69	-	> (allow iokit-set-properties (iokit-property "IORequestIdle")))
69	+	(iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
70	-	1245d1257
70	+	***************
71	-	< (allow mach-register (local-name "com.apple.ICA"))
71	+	* 837,846 **
72	-	1401a1414,1429
72	+	(lambda (id)
73	-	> (define (select-sysctl-filter handle with-star without-star)
73	+	(allow file-link (ubiquity-filter id))
74	-	> (if (end-with-star? handle)
74	+	(read-write-and-issue-extensions (ubiquity-filter id))))
75	-	> (with-star (strip-last-char handle))
75	+	! (read-only-and-issue-extensions
76	-	> (without-star handle)))
76	+	! (require-all
77	-	> (sandbox-array-entitlement
77	+	! (extension "com.apple.librarian.ubiquity-revision")
78	-	> "com.apple.security.temporary-exception.sysctl.read-only"
78	+	! (mount-relative-regex "^/\\.DocumentRevisions-V100(/\|$)")))
79	-	> (lambda (handle)
79	+	(with-filter
80	-	> (let ((sysctl-filter
80	+	(extension "com.apple.librarian.ubiquity-container")
81	-	> (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
81	+	(allow file-link (home-subpath "/Library/Mobile Documents"))
82	-	> (allow sysctl-read sysctl-filter))))
82	+	--- 838,848 ----
83	-	> (sandbox-array-entitlement
83	+	(lambda (id)
84	-	> "com.apple.security.temporary-exception.sysctl.read-write"
84	+	(allow file-link (ubiquity-filter id))
85	-	> (lambda (handle)
85	+	(read-write-and-issue-extensions (ubiquity-filter id))))
86	-	> (let ((sysctl-filter
86	+	! (sandbox-array-entitlement
87	-	> (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
87	+	! "com.apple.developer.icloud-container-identifiers"
88	-	> (allow sysctl-read sysctl-write sysctl-filter))))
88	+	! (lambda (id)
89		! (allow file-link (ubiquity-filter id))
90		! (read-write-and-issue-extensions (ubiquity-filter id))))
91		(with-filter
92		(extension "com.apple.librarian.ubiquity-container")
93		(allow file-link (home-subpath "/Library/Mobile Documents"))
94	-	25c25
94	+	***************
95	-	< #"^/usr/share/zoneinfo/"
95	+	* 924,932 **
96	-	---
96	+	network-outbound
97	-	> #"^/var/db/timezone/zoneinfo/"
97	+	(group-container-regex "/"))
98		(read-write-and-issue-extensions (group-container-regex "/"))
99		- (deny file-read*
100	-	138c138
100	+	- file-write*
101	-	< (global-name "com.apple.blued")
101	+	- (group-container-subpath "/Library/Preferences"))
102	-	---
102	+	(allow file-read*
103	-	> (global-name "com.apple.bluetoothd")
103	+	process-exec
104		(subpath
105		--- 926,931 ----
106	-	20,21c20,26
106	+	***************
107	-	< (allow file-read* file-write-data file-write-create file-write-unlink file-write-owner (subpath "/Library/ColorSync/Profiles"))
107	+	* 995,1000 **
108	-	< (deny file-write-data file-write-create file-write-unlink file-write-owner (literal "/Library/ColorSync/Profiles"))
108	+	--- 994,1000 ----
109	-	---
109	+	(shared-preferences-read
110	-	> (define (allow-create-directory . filters)
110	+	".GlobalPreferences"
111	-	> (allow file-read-metadata
111	+	"com.apple.AppleMultitouchTrackpad"
112	-	> (apply require-any filters))
112	+	+ "com.apple.airplay"
113	-	> (allow file-read-metadata file-write-create
113	+	"com.apple.avfoundation"
114	-	> (require-all
114	+	"com.apple.cmio"
115	-	> (vnode-type DIRECTORY)
115	+	"com.apple.coreanimation"
116	-	> (apply require-any filters))))
116	+	***************
117	-	23,26c28,54
117	+	* 1020,1025 **
118	-	< (allow file-write-create
118	+	--- 1020,1027 ----
119	-	< (require-all
119	+	"com.apple.universalaccess"
120	-	< (vnode-type DIRECTORY)
120	+	"pbs")
121	-	< (literal "/Library/ColorSync/Profiles" "/Library/ColorSync" "/Library")))
121	+	(shared-preferences-read-write "com.apple.AppKit.TextFavorites")
122	-	---
122	+	+ (%protect-preference-symlink "com.apple.security_common")
123	-	> ;; Allow the creation of only a directory at these paths.
123	+	+ (%protect-preference-symlink "com.apple.security")
124	-	> (allow-create-directory
124	+	(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
125	-	> (literal "/Library/Caches")
125	+	(shared-preferences-read "com.apple.mediaaccessibility")
126	-	> (literal "/Library/Caches/ColorSync"))
126	+	(shared-preferences-read-write
127	-	> ;; Allow reading the contents of our directory
127	+	***************
128	-	> (allow file-read*
128	+	* 1083,1093 **
129	-	> (literal "/Library/Caches/ColorSync"))
129	+	(literal "/Volumes")
130	-	> ;; Allow full access to anything below our directory.
130	+	(literal "/private/etc/group")
131	-	> (allow file-read* file-write*
131	+	(literal "/private/etc/hosts")
132	-	> (prefix "/Library/Caches/ColorSync/"))
132	+	(literal "/private/etc/passwd")
133	-	>
133	+	(literal "/private/etc/protocols")
134	-	> (allow-create-directory
134	+	(literal "/private/etc/resolv.conf")
135	-	> (literal "/Library/ColorSync")
135	+	(literal "/private/etc/services")
136	-	> (literal "/Library/ColorSync/Profiles"))
136	+	! (literal "/private/etc/openldap/ldap.conf")
137	-	> (allow file-read*
137	+	(literal "/private/var/run/resolv.conf")
138	-	> (literal "/Library/ColorSync/Profiles"))
138	+	(literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
139	-	> (allow file-read* file-write*
139	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
140	-	> (prefix "/Library/ColorSync/Profiles/"))
140	+	--- 1085,1096 ----
141	-	>
141	+	(literal "/Volumes")
142	-	> ;; deny the removal of these pre-installed profiles.
142	+	(literal "/private/etc/group")
143	-	> (deny file-write-unlink
143	+	(literal "/private/etc/hosts")
144	-	> (literal "/Library/ColorSync/Profiles/Black & White.icc")
144	+	+ (literal "/private/etc/openldap/ldap.conf")
145	-	> (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
145	+	(literal "/private/etc/passwd")
146	-	> (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
146	+	(literal "/private/etc/protocols")
147	-	> (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
147	+	(literal "/private/etc/resolv.conf")
148	-	> (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
148	+	(literal "/private/etc/services")
149	-	> (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
149	+	! (literal "/private/etc/ssl/openssl.cnf")
150		(literal "/private/var/run/resolv.conf")
151		(literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
152	-	66,69c66,74
152	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
153	-	< (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
153	+	***************
154	-	< (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
154	+	* 1131,1147 **
155	-	< (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
155	+	--- 1134,1157 ----
156	-	< (iokit-user-client-class "IOBluetoothDeviceUserClient")
156	+	(local-name "com.apple.CFPasteboardClient")
157	-	---
157	+	(local-name "com.apple.coredrag")
158	-	> (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
158	+	(global-name "com.apple.apsd")
159	-	> (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
159	+	+ (global-name "com.apple.audio.AudioComponentPrefs")
160	-	> (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
160	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
161	-	> (iokit-user-client-class "IOBluetoothDeviceUserClient")
161	+	(global-name "com.apple.audio.audiohald")
162	-	> (iokit-user-client-class "IOTimeSyncUserClient")
162	+	(global-name "com.apple.audio.coreaudiod")
163	-	> (iokit-user-client-class "IOTimeSyncClockManagerUserClient")
163	+	(global-name "com.apple.backupd.sandbox.xpc")
164	-	> (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient")
164	+	(global-name "com.apple.bird")
165	-	> (iokit-user-client-class "IOTimeSyncDomainUserClient")
165	+	(global-name "com.apple.bird.token")
166	-	> (iokit-user-client-class "IOTimeSyncNetworkPortUserClient")
166	+	+ (global-name "com.apple.cache_delete.public")
167	-	86a92
167	+	(global-name "com.apple.colorsyncd")
168	-	> (global-name "com.apple.analyticsd")
168	+	+ (global-name "com.apple.colorsync.useragent")
169	-	88a95
169	+	(global-name "com.apple.controlcenter.toggle")
170	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
170	+	(global-name "com.apple.coremedia.endpoint.xpc")
171	-	105c112
171	+	(global-name "com.apple.coremedia.endpointpicker.xpc")
172	-	< (global-name "com.apple.blued")
172	+	(global-name "com.apple.coremedia.endpointplaybacksession.xpc")
173	-	---
173	+	(global-name "com.apple.coremedia.endpointstream.xpc")
174	-	> (global-name "com.apple.bluetoothd")
174	+	+ (global-name "com.apple.coremedia.routediscoverer.xpc")
175	-	108c115,118
175	+	+ (global-name "com.apple.coremedia.routingcontext.xpc")
176	-	< (global-name "com.apple.airportd")
176	+	+ (global-name "com.apple.coremedia.volumecontroller.xpc")
177	-	---
177	+	(global-name "com.apple.coreservices.appleevents")
178	-	> (global-name "com.apple.airportd")
178	+	(global-name "com.apple.CoreServices.coreservicesd")
179	-	>
179	+	(global-name "com.apple.coreservices.launcherror-handler")
180	-	> (global-name "com.apple.distributed_notifications@1v3")
180	+	***************
181	-	> (global-name "com.apple.distributed_notifications@Uv3")
181	+	* 1150,1162 **
182	-	118a129
182	+	(global-name "com.apple.coreservices.sharedfilelistd.mig")
183	-	> (literal "/Library/Preferences/com.apple.alf.plist")
183	+	(global-name "com.apple.coreservices.sharedfilelistd.xpc")
184	-	126a138
184	+	(global-name "com.apple.cvmsServ")
185	-	> (preference-domain "com.apple.alf")
185	+	- (global-name "com.apple.decalog4.incoming")
186		(global-name "com.apple.DiskArbitration.diskarbitrationd")
187		(global-name "com.apple.distributed_notifications@1v3")
188		(global-name "com.apple.distributed_notifications@Uv3")
189		(global-name "com.apple.dock.fullscreen")
190		(global-name "com.apple.dock.server")
191	-	20,21d19
191	+	(global-name "com.apple.FileCoordination")
192	-	< (allow file-read-metadata
192	+	(global-name "com.apple.FontObjectsServer")
193	-	< (literal "/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache"))
193	+	(global-name "com.apple.FontRegistry.FontRegistryUIAgent")
194	-	28d25
194	+	(global-name "com.apple.fonts")
195	-	< (global-name "com.apple.AssetCacheC")
195	+	--- 1160,1172 ----
196		(global-name "com.apple.coreservices.sharedfilelistd.mig")
197		(global-name "com.apple.coreservices.sharedfilelistd.xpc")
198	-	0a1,18
198	+	(global-name "com.apple.cvmsServ")
199	-	> (version 1)
199	+	(global-name "com.apple.DiskArbitration.diskarbitrationd")
200	-	> (deny default)
200	+	(global-name "com.apple.distributed_notifications@1v3")
201	-	> (import "bsd.sb")
201	+	(global-name "com.apple.distributed_notifications@Uv3")
202	-	> (import "com.apple.corefoundation.sb")
202	+	(global-name "com.apple.dock.fullscreen")
203	-	> (corefoundation)
203	+	(global-name "com.apple.dock.server")
204	-	> (allow file-read* file-write*
204	+	(global-name "com.apple.FileCoordination")
205	-	> (literal "/Library/Preferences/com.apple.AssetCache.plist")
205	+	+ (global-name "com.apple.FileProvider")
206	-	> (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($\|/)")
206	+	(global-name "com.apple.FontObjectsServer")
207	-	> (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($\|/)")
207	+	(global-name "com.apple.FontRegistry.FontRegistryUIAgent")
208	-	> (regex #"/Library/Application Support/Apple/AssetCache$")
208	+	(global-name "com.apple.fonts")
209	-	> (regex #"/Library/Application Support/Apple/AssetCache/Data$")
209	+	***************
210	-	> (literal "/Library/Application Support/Apple/AssetCache/.activated"))
210	+	* 1174,1180 **
211	-	> (allow file-write-create
211	+	(global-name "com.apple.iohideventsystem")
212	-	> (regex #"/Library$")
212	+	(global-name "com.apple.KerberosHelper.LKDCHelper")
213	-	> (regex #"/Library/Application Support$")
213	+	(global-name "com.apple.KeyboardServices.TextReplacementService")
214	-	> (regex #"/Library/Application Support/Apple$"))
214	+	- (global-name "com.apple.librariand")
215	-	> (allow mach-lookup
215	+	(global-name "com.apple.lookupd")
216	-	> (global-name "com.apple.AssetCache.builtin"))
216	+	(global-name "com.apple.ls.boxd")
217		(global-name "com.apple.lsd.mapdb")
218		--- 1184,1189 ----
219	-	12c12,14
219	+	***************
220	-	< (literal "/Library/Preferences/com.apple.MobileDevice.plist")) ; for reading MobileDevice prefs
220	+	* 1214,1219 **
221	-	---
221	+	--- 1223,1229 ----
222	-	> (literal "/Library/Preferences/com.apple.MobileDevice.plist") ; for reading MobileDevice prefs
222	+	(global-name "com.apple.SystemConfiguration.configd")
223	-	> (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
223	+	(global-name "com.apple.SystemConfiguration.DNSConfiguration")
224	-	> (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
224	+	(global-name "com.apple.SystemConfiguration.NetworkInformation")
225	-	24c26,27
225	+	+ (global-name "com.apple.tailspind")
226	-	< (global-name "com.apple.wifi.sharekit")) ; for using Internet Sharing
226	+	(global-name "com.apple.tccd")
227	-	---
227	+	(global-name "com.apple.tccd.system")
228	-	> (global-name "com.apple.wifi.sharekit") ; for using Internet Sharing
228	+	(global-name
229	-	> (global-name "com.apple.PowerManagement.control")) ; for power assertions
229	+	***************
230		* 1230,1235 **
231		--- 1240,1248 ----
232	-	0a1,68
232	+	(global-name-regex "_OpenStep$"))
233	-	> ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
233	+	(allow mach-lookup (global-name "com.apple.PowerManagement.control"))
234	-	> ;;;
234	+	(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
235	-	> ;;; WARNING: The sandbox rules in this file currently constitute
235	+	+ (with-filter
236	-	> ;;; Apple System Private Interface and are subject to change at any time and
236	+	+ (iokit-registry-entry-class "IODisplayWrangler")
237	-	> ;;; without notice.
237	+	+ (allow iokit-set-properties (iokit-property "IORequestIdle")))
238	-	> ;;;
238	+	(allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
239	-	> (version 1)
239	+	(system-graphics)
240	-	>
240	+	(with-filter
241	-	> (deny default)
241	+	***************
242	-	> (deny file-map-executable iokit-get-properties process-info* nvram*)
242	+	* 1242,1248 **
243	-	> (deny dynamic-code-generation)
243	+	(allow authorization-right-obtain (right-name "system.hdd.smart"))
244	-	>
244	+	(allow appleevent-send
245	-	> (import "system.sb")
245	+	(appleevent-destination "com.apple.imagecaptureextension2"))
246	-	> (import "com.apple.corefoundation.sb")
246	+	- (allow mach-register (local-name "com.apple.ICA"))
247	-	> (corefoundation)
247	+	(allow network-outbound (subpath "/private/var/run"))
248	-	>
248	+	(deny network-outbound (literal "/private/var/run/usbmuxd"))
249	-	> ;;; Homedir-relative path filters
249	+	(allow network-bind
250	-	> (define (home-regex home-relative-regex)
250	+	--- 1255,1260 ----
251	-	> (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
251	+	***************
252	-	>
252	+	* 1399,1404 **
253	-	> (define (home-subpath home-relative-subpath)
253	+	--- 1411,1432 ----
254	-	> (subpath (string-append (param "HOME") home-relative-subpath)))
254	+	(sandbox-array-entitlement
255	-	>
255	+	"com.apple.security.temporary-exception.mach-register.local-name"
256	-	> (define (home-prefix home-relative-prefix)
256	+	(lambda (name) (allow mach-register (local-name name))))
257	-	> (prefix (string-append (param "HOME") home-relative-prefix)))
257	+	+ (define (select-sysctl-filter handle with-star without-star)
258	-	>
258	+	+ (if (end-with-star? handle)
259	-	> (define (home-literal home-relative-literal)
259	+	+ (with-star (strip-last-char handle))
260	-	> (literal (string-append (param "HOME") home-relative-literal)))
260	+	+ (without-star handle)))
261	-	>
261	+	+ (sandbox-array-entitlement
262	-	>
262	+	+ "com.apple.security.temporary-exception.sysctl.read-only"
263	-	> (allow process-info* (target self))
263	+	+ (lambda (handle)
264	-	>
264	+	+ (let ((sysctl-filter
265	-	> ;; For resolving symlinks, realpath(3), and equivalents.
265	+	+ (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
266	-	> (allow file-read-metadata)
266	+	+ (allow sysctl-read sysctl-filter))))
267	-	>
267	+	+ (sandbox-array-entitlement
268	-	> ;; For validating the entitlements of clients.
268	+	+ "com.apple.security.temporary-exception.sysctl.read-write"
269	-	> (allow process-info-codesignature)
269	+	+ (lambda (handle)
270	-	>
270	+	+ (let ((sysctl-filter
271	-	> ;; preference domains.
271	+	+ (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
272	-	> (allow user-preference-read user-preference-write
272	+	+ (allow sysctl-read sysctl-write sysctl-filter))))
273	-	> (preference-domain "com.apple.coreaudio")
273	+	(define (safe-subpath path) (subpath (if (string=? path "") "/" path)))
274	-	> (preference-domain "com.apple.audio.ComponentRegistrationOverrides")
274	+	(define (select-filter path with-slash without-slash)
275	-	> (preference-domain "com.apple.audio.UserComponentTags")
275	+	(if (end-with-slash? path)
276	-	> (preference-domain "com.apple.audio.ComponentTagHelper")
276	+
277	-	> )
277	+
278	-	>
278	+
279	-	> ;; Read/write access to a temporary directory.
279	+
280	-	> (allow file-read* file-write*
280	+
281	-	> (subpath (param "TMPDIR"))
281	+	*** /System/Library/Sandbox/Profiles/bsd.sb 2016-07-30 12:32:36.000000000 -0700
282	-	> (subpath (param "DARWIN_CACHE_DIR")))
282	+	--- bsd.sb 2017-07-10 13:51:51.000000000 -0700
283	-	>
283	+	***************
284	-	> ;; Above is from the template.
284	+	* 22,28 **
285	-	> ;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")
285	+	; Allow files accessed by system dylibs and frameworks
286	-	>
286	+	#"/\.CFUserTextEncoding$"
287	-	> (allow file-map-executable
287	+	#"^/usr/share/nls/"
288	-	> (subpath "/System/Library/PrivateFrameworks")
288	+	! #"^/usr/share/zoneinfo/"
289	-	> )
289	+	))
290	-	>
290	+
291	-	> (allow mach-lookup
291	+	(allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center")) ; Libnotify
292	-	> (global-name "com.apple.pluginkit.pkd")
292	+	--- 22,28 ----
293	-	> (global-name "com.apple.FSEvents")
293	+	; Allow files accessed by system dylibs and frameworks
294	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd")
294	+	#"/\.CFUserTextEncoding$"
295	-	> )
295	+	#"^/usr/share/nls/"
296	-	>
296	+	! #"^/var/db/timezone/zoneinfo/"
297	-	> (allow file-read*
297	+	))
298	-	> (subpath "/Library/Audio/Plug-Ins/Components")
298	+
299	-	> (home-subpath "/Library/Audio/Plug-Ins/Components")
299	+	(allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center")) ; Libnotify
300	-	> )
300	+
301		cloudpaird.sb
302		*** /System/Library/Sandbox/Profiles/cloudpaird.sb 2016-09-09 20:24:50.000000000 -0700
303		--- cloudpaird.sb 2017-07-10 13:51:50.000000000 -0700
304		***************
305		* 135,141 **
306		(global-name "com.apple.BluetoothDOServer")
307		(global-name "com.apple.xpchelper")
308		(global-name "com.apple.bluetoothUIServer")
309	-	94a95,96
309	+	! (global-name "com.apple.blued")
310	-	> (global-name "com.apple.adid")
310	+	(global-name "com.apple.cloudd")
311	-	> (global-name "com.apple.fpsd")
311	+	(global-name "com.apple.apsd")
312		(global-name "com.apple.logind")
313		--- 135,141 ----
314	-	0a1,69
314	+	(global-name "com.apple.BluetoothDOServer")
315	-	> ;;;
315	+	(global-name "com.apple.xpchelper")
316	-	> ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle
316	+	(global-name "com.apple.bluetoothUIServer")
317	-	> ;;;
317	+	! (global-name "com.apple.bluetoothd")
318	-	> ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
318	+	(global-name "com.apple.cloudd")
319	-	> ;;;
319	+	(global-name "com.apple.apsd")
320	-	> ;;; WARNING: The sandbox rules in this file currently constitute
320	+	(global-name "com.apple.logind")
321	-	> ;;; Apple System Private Interface and are subject to change at any time and
321	+
322	-	> ;;; without notice. The contents of this file are also auto-generated and
322	+
323	-	> ;;; not user editable; it may be overwritten at any time.
323	+	*** /System/Library/Sandbox/Profiles/colorsyncd.sb 2016-07-30 15:38:53.000000000 -0700
324	-	>
324	+	--- colorsyncd.sb 2017-07-10 13:51:50.000000000 -0700
325	-	> (version 1)
325	+	***************
326	-	>
326	+	* 17,26 **
327	-	> (deny default)
327	+
328	-	>
328	+	(allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
329	-	> (import "system.sb")
329	+
330	-	>
330	+	! (allow file-read* file-write-data file-write-create file-write-unlink file-write-owner (subpath "/Library/ColorSync/Profiles"))
331	-	> (allow file-read*
331	+	! (deny file-write-data file-write-create file-write-unlink file-write-owner (literal "/Library/ColorSync/Profiles"))
332	-	> (literal "/private/etc/SmartcardLogin.plist")
332	+
333	-	> (literal "/private/etc/cacloginconfig.plist")
333	+	! (allow file-write-create
334	-	> (subpath (param "DARWIN_USER_TEMP_DIR"))
334	+	! (require-all
335	-	> (subpath (param "DARWIN_USER_CACHE_DIR"))
335	+	! (vnode-type DIRECTORY)
336	-	> (subpath "/private/var/db/mds")
336	+	! (literal "/Library/ColorSync/Profiles" "/Library/ColorSync" "/Library")))
337	-	> (subpath "/private/var/db/"))
337	+	--- 17,54 ----
338	-	>
338	+
339	-	> (allow file-read-data
339	+	(allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
340	-	> (literal "/")
340	+
341	-	> (literal "/Library/Preferences/com.apple.security.plist"))
341	+	! (define (allow-create-directory . filters)
342	-	>
342	+	! (allow file-read-metadata
343	-	> (allow file-write*
343	+	! (apply require-any filters))
344	-	> (subpath (param "DARWIN_USER_CACHE_DIR"))
344	+	! (allow file-read-metadata file-write-create
345	-	> (subpath "/private/var/db/mds/system/"))
345	+	! (require-all
346	-	>
346	+	! (vnode-type DIRECTORY)
347	-	> (allow file-read-metadata)
347	+	! (apply require-any filters))))
348	-	>
348	+
349	-	> (allow process-fork)
349	+	! ;; Allow the creation of only a directory at these paths.
350	-	>
350	+	! (allow-create-directory
351	-	> (allow process-exec
351	+	! (literal "/Library/Caches")
352	-	> (literal "/System/Library/Frameworks/CryptoTokenKit.framework/UserSelector")
352	+	! (literal "/Library/Caches/ColorSync"))
353	-	> (subpath "/Library/CryptoTokenKit"))
353	+	! ;; Allow reading the contents of our directory
354	-	>
354	+	! (allow file-read*
355	-	> (allow mach-lookup
355	+	! (literal "/Library/Caches/ColorSync"))
356	-	> (global-name "com.apple.distributed_notifications@1v3")
356	+	! ;; Allow full access to anything below our directory.
357	-	> (global-name "com.apple.distributed_notifications@Uv3")
357	+	! (allow file-read* file-write*
358	-	> (global-name "com.apple.ctkd.token-client")
358	+	! (prefix "/Library/Caches/ColorSync/"))
359	-	> (global-name "com.apple.ctkd.watcher-client")
359	+	!
360	-	> (global-name "com.apple.SecurityServer")
360	+	! (allow-create-directory
361	-	> (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider")
361	+	! (literal "/Library/ColorSync")
362	-	> (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
362	+	! (literal "/Library/ColorSync/Profiles"))
363	-	> (global-name "com.apple.system.opendirectoryd.api")
363	+	! (allow file-read*
364	-	> (global-name "com.apple.CoreServices.coreservicesd")
364	+	! (literal "/Library/ColorSync/Profiles"))
365	-	> (global-name "com.apple.CoreAuthentication.agent.libxpc")
365	+	! (allow file-read* file-write*
366	-	> (global-name "com.apple.CoreAuthentication.agent")
366	+	! (prefix "/Library/ColorSync/Profiles/"))
367	-	> (global-name "com.apple.ocspd"))
367	+	!
368	-	>
368	+	! ;; deny the removal of these pre-installed profiles.
369	-	> (allow user-preference-read
369	+	! (deny file-write-unlink
370	-	> (preference-domain "kCFPreferencesAnyApplication"))
370	+	! (literal "/Library/ColorSync/Profiles/Black & White.icc")
371	-	>
371	+	! (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
372	-	> (allow user-preference-read user-preference-write
372	+	! (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
373	-	> (preference-domain "com.apple.security")
373	+	! (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
374	-	> (preference-domain "com.apple.security.smartcard"))
374	+	! (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
375	-	>
375	+	! (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
376	-	> (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
376	+
377	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
377	+
378	-	>
378	+	*** /System/Library/Sandbox/Profiles/com.apple.AirPlayXPCHelper.sb 2017-04-04 20:54:28.000000000 -0700
379	-	> (allow authorization-right-obtain
379	+	--- com.apple.AirPlayXPCHelper.sb 2017-07-10 13:51:50.000000000 -0700
380	-	> (right-name "com.apple.ctk.pair"))
380	+	***************
381	-	>
381	+	* 63,72 **
382	-	> (allow iokit-open
382	+	(iokit-user-client-class "RootDomainUserClient")
383	-	> (iokit-user-client-class "AppleKeyStoreUserClient"))
383	+	(iokit-user-client-class "IOReportUserClient")
384		(iokit-user-client-class "IOBluetoothHCIUserClient")
385		! (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
386		! (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
387		! (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
388		! (iokit-user-client-class "IOBluetoothDeviceUserClient")
389		)
390
391		(allow iokit-set-properties
392	-	0a1,230
392	+	--- 63,77 ----
393	-	> ;;;;;; Sandbox Profile for ModernizerXPC derived from QTKitServer
393	+	(iokit-user-client-class "RootDomainUserClient")
394	-	> ;;;;;;
394	+	(iokit-user-client-class "IOReportUserClient")
395	-	> ;;;;;; Copyright (c) 2011-2017 Apple Inc. All Rights reserved.
395	+	(iokit-user-client-class "IOBluetoothHCIUserClient")
396	-	> ;;;;;;
396	+	! (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
397	-	> ;;;;;; WARNING: The sandbox rules in this file currently constitute
397	+	! (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
398	-	> ;;;;;; Apple System Private Interface and are subject to change at any time and
398	+	! (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
399	-	> ;;;;;; without notice. The contents of this file are also auto-generated and
399	+	! (iokit-user-client-class "IOBluetoothDeviceUserClient")
400	-	> ;;;;;; not user editable; it may be overwritten at any time.
400	+	! (iokit-user-client-class "IOTimeSyncUserClient")
401	-	>
401	+	! (iokit-user-client-class "IOTimeSyncClockManagerUserClient")
402	-	> (version 1)
402	+	! (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient")
403	-	> (deny default)
403	+	! (iokit-user-client-class "IOTimeSyncDomainUserClient")
404	-	>
404	+	! (iokit-user-client-class "IOTimeSyncNetworkPortUserClient")
405	-	> (import "system.sb")
405	+	)
406	-	> (import "com.apple.corefoundation.sb")
406	+
407	-	>
407	+	(allow iokit-set-properties
408	-	> (define (home-regex home-relative-regex)
408	+	***************
409	-	> (regex (string-append "^" (regex-quote (param "DARWIN_QTKITSERVER_HOME_DIR")) home-relative-regex)))
409	+	* 84,91 **
410	-	> (define regex-home home-regex)
410	+	--- 89,98 ----
411	-	>
411	+	(global-name "com.apple.pluginkit.pkd")
412	-	> (define (home-subpath home-relative-subpath)
412	+	(global-name "com.apple.spindump")
413	-	> (subpath (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-subpath)))
413	+	(global-name "com.apple.PairingManager")
414	-	>
414	+	+ (global-name "com.apple.analyticsd")
415	-	> (define (home-literal home-relative-literal)
415	+
416	-	> (literal (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-literal)))
416	+	(global-name "com.apple.audio.audiohald")
417	-	>
417	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
418	-	> (allow file-read-metadata system-audit)
418	+
419	-	>
419	+	(global-name "com.apple.wirelessproxd")
420	-	> ;;; initialize CF sandbox actions
420	+	(global-name "com.apple.windowserver.active")
421	-	> (corefoundation)
421	+	***************
422	-	>
422	+	* 102,111 **
423	-	> (define (apply-read-and-issue-extension op path-filter)
423	+	(global-name "com.apple.coresymbolicationd")
424	-	> (op file-read* path-filter)
424	+	(global-name "com.apple.awdd")
425	-	> (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
425	+	(global-name "com.apple.SharingServices")
426	-	>
426	+	! (global-name "com.apple.blued")
427	-	> (define (apply-write-and-issue-extension op path-filter)
427	+	(global-name "com.apple.bluetoothaudiod")
428	-	> (op file-write* path-filter)
428	+	(global-name "com.apple.BluetoothDOServer")
429	-	> (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
429	+	! (global-name "com.apple.airportd")
430	-	>
430	+	)
431	-	> (define (read-only-and-issue-extensions path-filter)
431	+
432	-	> (apply-read-and-issue-extension allow path-filter))
432	+	;;
433	-	>
433	+	--- 109,121 ----
434	-	> (define (read-write-and-issue-extensions path-filter)
434	+	(global-name "com.apple.coresymbolicationd")
435	-	> (apply-read-and-issue-extension allow path-filter)
435	+	(global-name "com.apple.awdd")
436	-	> (apply-write-and-issue-extension allow path-filter))
436	+	(global-name "com.apple.SharingServices")
437	-	>
437	+	! (global-name "com.apple.bluetoothd")
438	-	> ;;; allow reading files for which we have a read-only app-sandbox extension
438	+	(global-name "com.apple.bluetoothaudiod")
439	-	> (allow file-read* (extension "com.apple.app-sandbox.read"))
439	+	(global-name "com.apple.BluetoothDOServer")
440	-	>
440	+	! (global-name "com.apple.airportd")
441	-	> ;;; allow writing of files for which we have an extension
441	+	!
442	-	> (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
442	+	! (global-name "com.apple.distributed_notifications@1v3")
443	-	>
443	+	! (global-name "com.apple.distributed_notifications@Uv3")
444	-	> ;;; allow issuing of extensions for paths we have an extension to
444	+	)
445	-	> (allow file-issue-extension
445	+
446	-	> (require-all
446	+	;;
447	-	> (extension-class "com.apple.app-sandbox.read")
447	+	***************
448	-	> (require-any
448	+	* 116,121 **
449	-	> (extension "com.apple.app-sandbox.read")
449	+	--- 126,132 ----
450	-	> (extension "com.apple.app-sandbox.read-write"))))
450	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
451	-	>
451	+	(literal "/Library/Preferences/com.apple.security.plist")
452	-	> (allow file-issue-extension
452	+	(literal "/Library/Preferences/com.apple.Bluetooth.plist")
453	-	> (require-all
453	+	+ (literal "/Library/Preferences/com.apple.alf.plist")
454	-	> (extension-class "com.apple.app-sandbox.read-write")
454	+	(regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
455	-	> (extension "com.apple.app-sandbox.read-write")))
455	+	)
456	-	>
456	+
457	-	> (allow file-read*
457	+	***************
458	-	> (subpath "/Library/Audio/Plug-Ins")
458	+	* 124,129 **
459	-	> (subpath "/Library/Audio/Sounds/Banks")
459	+	--- 135,141 ----
460	-	> (subpath "/Library/Frameworks")
460	+	(preference-domain "com.apple.coremedia")
461	-	> (subpath "/Library/Fonts")
461	+	(preference-domain "com.apple.security")
462	-	> (subpath "/Library/Application Support/ProApps")
462	+	(preference-domain "com.apple.Bluetooth")
463	-	> (subpath "/Library/Preferences")
463	+	+ (preference-domain "com.apple.alf")
464	-	> (subpath "/Library/QuickTime")
464	+	)
465	-	> (subpath "/Library/Filesystems/NetFSPlugins"))
465	+
466	-	>
466	+	(allow user-preference-write
467	-	> (allow file-read-data
467	+
468	-	> (subpath "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
468	+
469	-	> (subpath "/Users/Shared/SC Info")
469	+
470	-	> (subpath "/private/var")
470	+
471	-	> (subpath "/private/etc"))
471	+
472	-	>
472	+	*** /System/Library/Sandbox/Profiles/com.apple.AssetCacheLocatorService.sb 2017-03-01 19:04:54.000000000 -0800
473	-	> ;;; allow reading and issuing extensions to iTunes so it can opened
473	+	--- com.apple.AssetCacheLocatorService.sb 2017-07-10 13:51:50.000000000 -0700
474	-	> ;;; <rdar://problem/13568149>
474	+	***************
475	-	> (read-only-and-issue-extensions
475	+	* 17,31 **
476	-	> (subpath "/Applications/iTunes.app"))
476	+	(home-literal "/Library/Preferences/com.apple.security.plist")
477	-	>
477	+	(home-literal "/Library/Preferences/com.apple.security.revocation.plist")
478	-	> (allow file-read-xattr
478	+	(subpath "/private/var/db/mds"))
479	-	> (subpath "/Applications/iTunes.app"))
479	+	- (allow file-read-metadata
480	-	>
480	+	- (literal "/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache"))
481	-	> (allow file-read* file-write* (subpath "/Library/Caches"))
481	+	(allow file-read* file-write*
482	-	>
482	+	(subpath (param "USER_CACHE_PATH"))
483	-	> (if (param "DARWIN_QTKITSERVER_HOME_DIR")
483	+	(subpath (param "USER_TEMP_PATH")))
484	-	> (begin
484	+	(allow ipc-posix-shm-read-data ipc-posix-shm-write-data
485	-	> (allow file-read*
485	+	(ipc-posix-name "com.apple.AppleDatabaseChanged"))
486	-	> (home-subpath "/.CFUserTextEncoding")
486	+	(allow mach-lookup
487	-	> (home-subpath "/Library/Audio/Plug-Ins/Components")
487	+	- (global-name "com.apple.AssetCacheC")
488	-	> (home-subpath "/Library/Audio/Plug-Ins")
488	+	(global-name "com.apple.AssetCacheC.builtin")
489	-	> (home-subpath "/Library/QuickTime")
489	+	(global-name "com.apple.DiskArbitration.diskarbitrationd")
490	-	> (home-subpath "/Library/Input Methods")
490	+	(global-name "com.apple.SecurityServer")
491	-	> (home-subpath "/Library/Keyboard Layouts")
491	+	--- 17,28 ----
492	-	> (home-subpath "/Library/Components"))
492	+
493	-	> (allow file-read* file-write*
493	+
494	-	> (home-subpath "/Library/Caches/QuickTime"))
494	+	*** /System/Library/Sandbox/Profiles/com.apple.AssetCacheManagerService.sb 1969-12-31 16:00:00.000000000 -0800
495	-	> (deny file-read* file-write*
495	+	--- com.apple.AssetCacheManagerService.sb 2017-07-10 13:51:50.000000000 -0700
496	-	> (home-literal "/Library/Caches/com.nvidia.OpenGL") (with no-report))
496	+	***************
497	-	> ;; we have to allow 3rd party components to read and write their own prefs,-
497	+	* 0 **
498	-	> ;; but we don't know their names.
498	+	--- 1,18 ----
499	-	> ;; so allow r/w access to all of ~/Library/Prefs but deny access to prefs beginning with com.apple
499	+	+ (version 1)
500	-	> (allow file-write* file-read*
500	+	+ (deny default)
501	-	> (home-subpath "/Library/Preferences"))
501	+	+ (import "bsd.sb")
502	-	> (deny file-read* file-write* (with no-report)
502	+	+ (import "com.apple.corefoundation.sb")
503	-	> (home-regex #"/Library/Preferences/com\.apple\..*")
503	+	+ (corefoundation)
504	-	> (home-regex #"/Library/Preferences/\.GlobalPreferences\.plist")
504	+	+ (allow file-read* file-write*
505	-	> (home-regex #"/Library/Preferences/pbs\.plist")
505	+	+ (literal "/Library/Preferences/com.apple.AssetCache.plist")
506	-	> (home-regex #"/Library/Preferences/loginwindow\.plist")
506	+	+ (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($\|/)")
507	-	> (home-regex #"/Library/Preferences/ByHost/com\.apple\..*"))
507	+	+ (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($\|/)")
508	-	> (allow file-read*
508	+	+ (regex #"/Library/Application Support/Apple/AssetCache$")
509	-	> (home-literal "/Library/Preferences/QuickTime Preferences"))))
509	+	+ (regex #"/Library/Application Support/Apple/AssetCache/Data$")
510	-	>
510	+	+ (literal "/Library/Application Support/Apple/AssetCache/.activated"))
511	-	> (if (param "DARWIN_QTKITSERVER_CACHE_DIR")
511	+	+ (allow file-write-create
512	-	> (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_CACHE_DIR"))))
512	+	+ (regex #"/Library$")
513	-	>
513	+	+ (regex #"/Library/Application Support$")
514	-	> (if (param "DARWIN_QTKITSERVER_TEMP_DIR")
514	+	+ (regex #"/Library/Application Support/Apple$"))
515	-	> (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_TEMP_DIR"))))
515	+	+ (allow mach-lookup
516	-	>
516	+	+ (global-name "com.apple.AssetCache.builtin"))
517	-	> (system-graphics)
517	+
518	-	>
518	+
519	-	> (allow iokit-open
519	+	*** /System/Library/Sandbox/Profiles/com.apple.AssetCacheTetheratorService.sb 2017-03-01 18:45:42.000000000 -0800
520	-	> (iokit-user-client-class "IOAudioControlUserClient")
520	+	--- com.apple.AssetCacheTetheratorService.sb 2017-07-10 13:51:50.000000000 -0700
521	-	> (iokit-user-client-class "IOAudioEngineUserClient")
521	+	***************
522	-	> (iokit-user-client-class "IOHIDParamUserClient"))
522	+	* 9,15 **
523	-	>
523	+	(literal "/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
524	-	> ;; CoreVideo CVCGDisplayLink
524	+	(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
525	-	> (allow iokit-open
525	+	(literal "/Library/Preferences/com.apple.usbmuxd.plist") ; for reading usbmux prefs
526	-	> (iokit-user-client-class "IOFramebufferSharedUserClient"))
526	+	! (literal "/Library/Preferences/com.apple.MobileDevice.plist")) ; for reading MobileDevice prefs
527	-	>
527	+
528	-	> ;; H.264 Acceleration; <rdar://problem/10348815>
528	+	(allow file-write*
529	-	> (allow iokit-open
529	+	(literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") ; for writing Internet Sharing prefs
530	-	> (iokit-user-client-class "AppleSNBFBUserClient"))
530	+	--- 9,17 ----
531	-	>
531	+	(literal "/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
532	-	> ;; QuartzCore; <rdar://problem/9065114>
532	+	(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
533	-	> (allow iokit-open
533	+	(literal "/Library/Preferences/com.apple.usbmuxd.plist") ; for reading usbmux prefs
534	-	> (iokit-user-client-class "AppleGraphicsControlClient")
534	+	! (literal "/Library/Preferences/com.apple.MobileDevice.plist") ; for reading MobileDevice prefs
535	-	> (iokit-user-client-class "AGPMClient"))
535	+	! (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
536	-	>
536	+	! (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
537	-	> (allow iokit-open
537	+
538	-	> (iokit-user-client-class "AppleUpstreamUserClient")
538	+	(allow file-write*
539	-	> (iokit-user-client-class "AudioAUUC"))
539	+	(literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") ; for writing Internet Sharing prefs
540	-	>
540	+	***************
541	-	> ;; BlackMagic; <rdar://problem/11899349>
541	+	* 21,27 **
542	-	> (allow iokit-open
542	+
543	-	> (iokit-user-client-class "com_blackmagic_design_iokit_DaisyCutterUserClient"))
543	+	(allow mach-lookup
544	-	>
544	+	(global-name "com.apple.SystemConfiguration.configd") ; for using Internet Sharing
545	-	> (allow ipc-posix-shm
545	+	! (global-name "com.apple.wifi.sharekit")) ; for using Internet Sharing
546	-	> (ipc-posix-name-regex #"^AudioIO")
546	+
547	-	> (ipc-posix-name-regex #"^ls\.")
547	+	(allow network-outbound
548	-	> (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
548	+	(literal "/private/var/run/usbmuxd")) ; for using usbmux
549	-	> (ipc-posix-name "FNetwork.defaultStorageSession")
549	+	--- 23,30 ----
550	-	> (ipc-posix-name "apple.shm.notification_center"))
550	+
551	-	>
551	+	(allow mach-lookup
552	-	> ;; ColorSync Profiles (<rdar://problem/13775802>)
552	+	(global-name "com.apple.SystemConfiguration.configd") ; for using Internet Sharing
553	-	> (allow ipc-posix-shm*
553	+	! (global-name "com.apple.wifi.sharekit") ; for using Internet Sharing
554	-	> (ipc-posix-name "com.apple.ColorSync.Gen.lock")
554	+	! (global-name "com.apple.PowerManagement.control")) ; for power assertions
555	-	> (ipc-posix-name "com.apple.ColorSync.Disp.lock")
555	+
556	-	> (ipc-posix-name "com.apple.ColorSync.Gray2.2")
556	+	(allow network-outbound
557	-	> (ipc-posix-name "com.apple.ColorSync.sRGB")
557	+	(literal "/private/var/run/usbmuxd")) ; for using usbmux
558	-	> (ipc-posix-name "com.apple.ColorSync.GenGray")
558	+
559	-	> (ipc-posix-name "com.apple.ColorSync.GenRGB")
559	+
560	-	> (ipc-posix-name-regex #"^com\.apple\.cs\."))
560	+	*** /System/Library/Sandbox/Profiles/com.apple.AudioComponentRegistrar.sb 1969-12-31 16:00:00.000000000 -0800
561	-	> (allow file-read*
561	+	--- com.apple.AudioComponentRegistrar.sb 2017-07-10 13:51:51.000000000 -0700
562	-	> (subpath "/Library/ColorSync/Profiles")
562	+	***************
563	-	> (home-subpath "/Library/ColorSync"))
563	+	* 0 **
564	-	>
564	+	--- 1,68 ----
565	-	> (allow mach-lookup
565	+	+ ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
566	-	> (global-name "com.apple.coreservices.launchservicesd")
566	+	+ ;;;
567	-	> (global-name "com.apple.ls.boxd")
567	+	+ ;;; WARNING: The sandbox rules in this file currently constitute
568	-	> (global-name "com.apple.lsd.mapdb")
568	+	+ ;;; Apple System Private Interface and are subject to change at any time and
569	-	> (global-name "com.apple.lsd.modifydb")
569	+	+ ;;; without notice.
570	-	> (global-name "com.apple.metadata.mds")
570	+	+ ;;;
571	-	> (global-name "com.apple.cookied")
571	+	+ (version 1)
572	-	> (global-name "com.apple.cfnetwork.AuthBrokerAgent")
572	+	+
573	-	> (global-name "com.apple.cfnetwork.cfnetworkagent")
573	+	+ (deny default)
574	-	> (global-name "com.apple.SystemConfiguration.configd")
574	+	+ (deny file-map-executable iokit-get-properties process-info* nvram*)
575	-	> (global-name "com.apple.CoreServices.coreservicesd")
575	+	+ (deny dynamic-code-generation)
576	-	> (global-name "com.apple.coreservices.appleevents")
576	+	+
577	-	> (global-name "com.apple.FontObjectsServer")
577	+	+ (import "system.sb")
578	-	> (global-name "com.apple.FontServer")
578	+	+ (import "com.apple.corefoundation.sb")
579	-	> (global-name "com.apple.PowerManagement.control")
579	+	+ (corefoundation)
580	-	> (global-name "com.apple.audio.audiohald")
580	+	+
581	-	> (global-name "com.apple.audio.coreaudiod")
581	+	+ ;;; Homedir-relative path filters
582	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
582	+	+ (define (home-regex home-relative-regex)
583	-	> (global-name "com.apple.dock.server")
583	+	+ (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
584	-	> (global-name "com.apple.pasteboard.1")
584	+	+
585	-	> (global-name "com.apple.pbs.fetch_services")
585	+	+ (define (home-subpath home-relative-subpath)
586	-	> (global-name "com.apple.printtool.agent")
586	+	+ (subpath (string-append (param "HOME") home-relative-subpath)))
587	-	> (global-name "com.apple.tsm.uiserver")
587	+	+
588	-	> (global-name "com.apple.UNCUserNotification")
588	+	+ (define (home-prefix home-relative-prefix)
589	-	> (global-name "com.apple.windowserver.active")
589	+	+ (prefix (string-append (param "HOME") home-relative-prefix)))
590	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd")
590	+	+
591	-	> (global-name "com.apple.window_proxies"))
591	+	+ (define (home-literal home-relative-literal)
592	-	>
592	+	+ (literal (string-append (param "HOME") home-relative-literal)))
593	-	> ;; Security framework
593	+	+
594	-	> (allow mach-lookup
594	+	+
595	-	> (global-name "com.apple.SecurityServer")
595	+	+ (allow process-info* (target self))
596	-	> (global-name "com.apple.securityd.xpc")
596	+	+
597	-	> (global-name "com.apple.ocspd"))
597	+	+ ;; For resolving symlinks, realpath(3), and equivalents.
598	-	> (if (param "DARWIN_QTKITSERVER_HOME_DIR")
598	+	+ (allow file-read-metadata)
599	-	> (begin
599	+	+
600	-	> (allow file-read* file-write* (home-subpath "/Library/Keychains"))))
600	+	+ ;; For validating the entitlements of clients.
601	-	> (allow file-read*
601	+	+ (allow process-info-codesignature)
602	-	> (subpath "/private/var/db/mds")
602	+	+
603	-	> (literal "/private/var/db/DetachedSignatures"))
603	+	+ ;; preference domains.
604	-	> (allow ipc-posix-shm-read* ipc-posix-shm-write-data
604	+	+ (allow user-preference-read user-preference-write
605	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
605	+	+ (preference-domain "com.apple.coreaudio")
606	-	>
606	+	+ (preference-domain "com.apple.audio.ComponentRegistrationOverrides")
607	-	> (allow appleevent-send
607	+	+ (preference-domain "com.apple.audio.UserComponentTags")
608	-	> (appleevent-destination "com.apple.iTunes"))
608	+	+ (preference-domain "com.apple.audio.ComponentTagHelper")
609	-	>
609	+	+ )
610	-	> (allow system-socket
610	+	+
611	-	> (socket-domain AF_ROUTE))
611	+	+ ;; Read/write access to a temporary directory.
612	-	>
612	+	+ (allow file-read* file-write*
613	-	> (allow system-socket
613	+	+ (subpath (param "TMPDIR"))
614	-	> (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
614	+	+ (subpath (param "DARWIN_CACHE_DIR")))
615	-	>
615	+	+
616	-	> (allow system-audit)
616	+	+ ;; Above is from the template.
617	-	> (allow system-fsctl
617	+	+ ;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")
618	-	> (fsctl-command (_IO "h" 24)) ;; HFS_VOLUME_STATUS
618	+	+
619	-	> (fsctl-command (_IO "z" 12)) ;; afpfsGetMountInfoFSCTL
619	+	+ (allow file-map-executable
620	-	> (fsctl-command (_IO "z" 19)) ;; smbfsUniqueShareIDFSCTL
620	+	+ (subpath "/System/Library/PrivateFrameworks")
621	-	> (fsctl-command (_IO "z" 23))) ;; afpfsByteRangeLock2FSCTL
621	+	+ )
622	-	>
622	+	+
623		+ (allow mach-lookup
624		+ (global-name "com.apple.pluginkit.pkd")
625		+ (global-name "com.apple.FSEvents")
626		+ (global-name "com.apple.DiskArbitration.diskarbitrationd")
627		+ )
628		+
629		+ (allow file-read*
630		+ (subpath "/Library/Audio/Plug-Ins/Components")
631	-	12,19d11
631	+	+ (home-subpath "/Library/Audio/Plug-Ins/Components")
632	-	< ;;; <rdar://problem/13449326>
632	+	+ )
633	-	< (let allow-paths ((i 0))
633	+
634	-	< (let ((path (param (string-append "HOME_" (number->string i)))))
634	+
635	-	< (if path
635	+
636	-	< (begin
636	+
637	-	< (allow file-read* file-write-unlink (subpath path))
637	+
638	-	< (allow-paths (+ i 1))))))
638	+
639	-	<
639	+
640		com.apple.CommerceKit.TransactionService.sb
641		*** /System/Library/Sandbox/Profiles/com.apple.CommerceKit.TransactionService.sb 2016-08-12 15:27:41.000000000 -0700
642		--- com.apple.CommerceKit.TransactionService.sb 2017-07-10 13:51:50.000000000 -0700
643		***************
644		* 92,97 **
645	-	64c64,65
645	+	--- 92,99 ----
646	-	< (global-name "com.apple.distributed_notifications@Uv3"))
646	+	(ipc-posix-name "com.apple.AppleDatabaseChanged"))
647	-	---
647	+
648	-	> (global-name "com.apple.distributed_notifications@Uv3")
648	+	(allow mach-lookup
649	-	> (global-name "com.apple.audio.AudioComponentRegistrar"))
649	+	+ (global-name "com.apple.adid")
650		+ (global-name "com.apple.fpsd")
651		(global-name "com.apple.UNCUserNotification")
652	-	45c45,46
652	+	(global-name "com.apple.coreservices.launcherror-handler")
653	-	< (global-name "com.apple.CoreServices.coreservicesd"))
653	+	(global-name "com.apple.softwareupdated")
654	-	---
654	+
655	-	> (global-name "com.apple.CoreServices.coreservicesd")
655	+
656	-	> (global-name "com.apple.dz.dznd"))
656	+	*** /System/Library/Sandbox/Profiles/com.apple.CryptoTokenKit.ctkahp.sb 1969-12-31 16:00:00.000000000 -0800
657		--- com.apple.CryptoTokenKit.ctkahp.sb 2017-07-10 13:51:50.000000000 -0700
658		***************
659	-	23a24,27
659	+	* 0 **
660	-	> (allow process-fork)
660	+	--- 1,69 ----
661	-	>
661	+	+ ;;;
662	-	> (allow process-exec (literal "/usr/bin/bsdtar"))
662	+	+ ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle
663	-	>
663	+	+ ;;;
664	-	32c36,37
664	+	+ ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
665	-	< (allow file* (subpath (param "_CACHEDIR")))
665	+	+ ;;;
666	-	---
666	+	+ ;;; WARNING: The sandbox rules in this file currently constitute
667	-	> (allow file-read* file-write* (subpath (param "_TEMPDIR")))
667	+	+ ;;; Apple System Private Interface and are subject to change at any time and
668	-	> (allow file-read* file-write* (subpath (param "_CACHEDIR")))
668	+	+ ;;; without notice. The contents of this file are also auto-generated and
669	-	121a127
669	+	+ ;;; not user editable; it may be overwritten at any time.
670	-	> (global-name "com.apple.BluetoothDOServer")
670	+	+
671	-	138a145
671	+	+ (version 1)
672	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
672	+	+
673	-	177c184,192
673	+	+ (deny default)
674	-	< (global-name "com.apple.networkserviceproxy"))
674	+	+
675	-	---
675	+	+ (import "system.sb")
676	-	> (global-name "com.apple.networkserviceproxy")
676	+	+
677	-	> (global-name "com.apple.cloudd")
677	+	+ (allow file-read*
678	-	> (global-name "com.apple.apsd")
678	+	+ (literal "/private/etc/SmartcardLogin.plist")
679	-	> (global-name "com.apple.analyticsd")
679	+	+ (literal "/private/etc/cacloginconfig.plist")
680	-	> (global-name "com.apple.symptom_analytics")
680	+	+ (subpath (param "DARWIN_USER_TEMP_DIR"))
681	-	> (global-name "com.apple.symptom_diagnostics")
681	+	+ (subpath (param "DARWIN_USER_CACHE_DIR"))
682	-	> (global-name "com.apple.siri.invoke")
682	+	+ (subpath "/private/var/db/mds")
683	-	> (global-name "com.apple.remoted")
683	+	+ (subpath "/private/var/db/"))
684	-	> (global-name "com.apple.PowerManagement.control"))
684	+	+
685		+ (allow file-read-data
686		+ (literal "/")
687	-	31a32,33
687	+	+ (literal "/Library/Preferences/com.apple.security.plist"))
688	-	> (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
688	+	+
689	-	> (literal "/private/var/db/timezone")
689	+	+ (allow file-write*
690	-	33,39d34
690	+	+ (subpath (param "DARWIN_USER_CACHE_DIR"))
691	-	< (literal "/Library/Keychains/System.keychain")
691	+	+ (subpath "/private/var/db/mds/system/"))
692	-	< (literal "/private/var/db/mds/messages/se_SecurityMessages")
692	+	+
693	-	< (literal "/private/var/db/mds/system/mdsDirectory.db")
693	+	+ (allow file-read-metadata)
694	-	< (literal "/private/var/db/mds/system/mdsObject.db")
694	+	+
695	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
695	+	+ (allow process-fork)
696	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
696	+	+
697	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
697	+	+ (allow process-exec
698	-	58a54
698	+	+ (literal "/System/Library/Frameworks/CryptoTokenKit.framework/UserSelector")
699	-	> (literal "/usr")
699	+	+ (subpath "/Library/CryptoTokenKit"))
700	-	61,63c57
700	+	+
701	-	< (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
701	+	+ (allow mach-lookup
702	-	< (literal "/private/var/db/disableAppleInternal")
702	+	+ (global-name "com.apple.distributed_notifications@1v3")
703	-	<
703	+	+ (global-name "com.apple.distributed_notifications@Uv3")
704	-	---
704	+	+ (global-name "com.apple.ctkd.token-client")
705	-	> (literal "/private/var/db/disableAppleInternal")
705	+	+ (global-name "com.apple.ctkd.watcher-client")
706	-	65,73c59,60
706	+	+ (global-name "com.apple.SecurityServer")
707	-	< (literal "/Library/Keychains")
707	+	+ (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider")
708	-	< (literal "/private")
708	+	+ (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
709	-	< (literal "/private/var")
709	+	+ (global-name "com.apple.system.opendirectoryd.api")
710	-	< (literal "/private/var/folders")
710	+	+ (global-name "com.apple.CoreServices.coreservicesd")
711	-	< (regex "^/private/var/folders/[^/]+")
711	+	+ (global-name "com.apple.CoreAuthentication.agent.libxpc")
712	-	< (regex "^/private/var/folders/[^/]+/[^/]+")
712	+	+ (global-name "com.apple.CoreAuthentication.agent")
713	-	< (literal "/private/var/run/systemkeychaincheck.done")
713	+	+ (global-name "com.apple.ocspd"))
714	-	< (regex "^/private/var/folders/[^/]+/[^/]+/C$")
714	+	+
715	-	< (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
715	+	+ (allow user-preference-read
716	-	---
716	+	+ (preference-domain "kCFPreferencesAnyApplication"))
717	-	> (literal "/Library/Audio")
717	+	+
718	-	> (literal "/Library/Audio/Plug-Ins")
718	+	+ (allow user-preference-read user-preference-write
719	-	79,91d65
719	+	+ (preference-domain "com.apple.security")
720	-	<
720	+	+ (preference-domain "com.apple.security.smartcard"))
721	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
721	+	+
722	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db_$")
722	+	+ (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
723	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
723	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
724	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db_$")
724	+	+
725	-	< (regex #"^/private/var/tmp/mds/[0-9]+(/\|$)")
725	+	+ (allow authorization-right-obtain
726	-	< (regex #"^/private/var/db/mds/[0-9]+(/\|$)")
726	+	+ (right-name "com.apple.ctk.pair"))
727	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")
727	+	+
728	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/\|$)")
728	+	+ (allow iokit-open
729	-	< )
729	+	+ (iokit-user-client-class "AppleKeyStoreUserClient"))
730	-	<
730	+
731	-	< (allow file-write-data
731	+
732	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
732	+
733	-	108,109c82,83
733	+
734	-	< (global-name "com.apple.SecurityServer")
734	+
735	-	< (global-name "com.apple.ocspd")
735	+
736	-	---
736	+
737	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
737	+
738	-	> (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
738	+	*** /System/Library/Sandbox/Profiles/com.apple.ModernizerXPC.sb 1969-12-31 16:00:00.000000000 -0800
739		--- com.apple.ModernizerXPC.sb 2017-07-10 13:51:51.000000000 -0700
740		***************
741	-	15c15,16
741	+	* 0 **
742	-	< (subpath "/usr/share"))
742	+	--- 1,230 ----
743	-	---
743	+	+ ;;;;;; Sandbox Profile for ModernizerXPC derived from QTKitServer
744	-	> (subpath "/usr/share")
744	+	+ ;;;;;;
745	-	> (subpath "/private/var/db/timezone"))
745	+	+ ;;;;;; Copyright (c) 2011-2017 Apple Inc. All Rights reserved.
746	-	39a41
746	+	+ ;;;;;;
747	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
747	+	+ ;;;;;; WARNING: The sandbox rules in this file currently constitute
748		+ ;;;;;; Apple System Private Interface and are subject to change at any time and
749		+ ;;;;;; without notice. The contents of this file are also auto-generated and
750	-	17a18,19
750	+	+ ;;;;;; not user editable; it may be overwritten at any time.
751	-	> (global-name "com.apple.CoreAuthentication.agent.libxpc")
751	+	+
752	-	> (global-name "com.apple.CoreAuthentication.daemon.libxpc")
752	+	+ (version 1)
753		+ (deny default)
754		+
755	-	38a39
755	+	+ (import "system.sb")
756	-	> (subpath "/private/tmp/vp/inject")
756	+	+ (import "com.apple.corefoundation.sb")
757	-	50c51,52
757	+	+
758	-	< (subpath "/private/tmp/vp")
758	+	+ (define (home-regex home-relative-regex)
759	-	---
759	+	+ (regex (string-append "^" (regex-quote (param "DARWIN_QTKITSERVER_HOME_DIR")) home-relative-regex)))
760	-	> (subpath "/private/tmp/AudioCapture")
760	+	+ (define regex-home home-regex)
761	-	> (subpath "/private/tmp/AudioCapture/VP")
761	+	+
762	-	56c58
762	+	+ (define (home-subpath home-relative-subpath)
763	-	< (extension-class "com.apple.app-sandbox.read-write")
763	+	+ (subpath (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-subpath)))
764	-	---
764	+	+
765	-	> (extension-class "com.apple.rtcreporting.upload")
765	+	+ (define (home-literal home-relative-literal)
766	-	101c103,106
766	+	+ (literal (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-literal)))
767	-	< (global-name "com.apple.WirelessCoexManager"))
767	+	+
768	-	---
768	+	+ (allow file-read-metadata system-audit)
769	-	> (global-name "com.apple.WirelessCoexManager")
769	+	+
770	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
770	+	+ ;;; initialize CF sandbox actions
771	-	> (global-name "com.apple.distributed_notifications@1v3")
771	+	+ (corefoundation)
772	-	> (global-name "com.apple.distributed_notifications@Uv3"))
772	+	+
773		+ (define (apply-read-and-issue-extension op path-filter)
774		+ (op file-read* path-filter)
775		+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
776		+
777		+ (define (apply-write-and-issue-extension op path-filter)
778		+ (op file-write* path-filter)
779		+ (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
780		+
781	-	0a1,57
781	+	+ (define (read-only-and-issue-extensions path-filter)
782	-	> ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
782	+	+ (apply-read-and-issue-extension allow path-filter))
783	-	> ;;
783	+	+
784	-	> ;; WARNING: The sandbox rules in this file currently constitute
784	+	+ (define (read-write-and-issue-extensions path-filter)
785	-	> ;; Apple System Private Interface and are subject to change at any time and
785	+	+ (apply-read-and-issue-extension allow path-filter)
786	-	> ;; without notice.
786	+	+ (apply-write-and-issue-extension allow path-filter))
787	-	> ;;
787	+	+
788	-	>
788	+	+ ;;; allow reading files for which we have a read-only app-sandbox extension
789	-	> (version 1)
789	+	+ (allow file-read* (extension "com.apple.app-sandbox.read"))
790	-	> (deny default)
790	+	+
791	-	>
791	+	+ ;;; allow writing of files for which we have an extension
792	-	> (import "system.sb")
792	+	+ (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
793	-	>
793	+	+
794	-	> (import "com.apple.corefoundation.sb")
794	+	+ ;;; allow issuing of extensions for paths we have an extension to
795	-	>
795	+	+ (allow file-issue-extension
796	-	> ;;; initialize CF sandbox actions
796	+	+ (require-all
797	-	> (corefoundation)
797	+	+ (extension-class "com.apple.app-sandbox.read")
798	-	>
798	+	+ (require-any
799	-	> ;; For resolving symlinks, realpath(3), and equivalents.
799	+	+ (extension "com.apple.app-sandbox.read")
800	-	> (allow file-read-metadata)
800	+	+ (extension "com.apple.app-sandbox.read-write"))))
801	-	>
801	+	+
802	-	> (allow process-info* (target self))
802	+	+ (allow file-issue-extension
803	-	>
803	+	+ (require-all
804	-	> (allow mach-lookup
804	+	+ (extension-class "com.apple.app-sandbox.read-write")
805	-	> (global-name "com.apple.CoreServices.coreservicesd")
805	+	+ (extension "com.apple.app-sandbox.read-write")))
806	-	> (global-name "com.apple.coreservices.launchservicesd")
806	+	+
807	-	> (global-name "com.apple.windowserver.active")
807	+	+ (allow file-read*
808	-	> (global-name "com.apple.analyticsd")
808	+	+ (subpath "/Library/Audio/Plug-Ins")
809	-	> )
809	+	+ (subpath "/Library/Audio/Sounds/Banks")
810	-	>
810	+	+ (subpath "/Library/Frameworks")
811	-	> (allow file-map-executable
811	+	+ (subpath "/Library/Fonts")
812	-	> (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
812	+	+ (subpath "/Library/Application Support/ProApps")
813	-	> (subpath "/System/Library/Extensions")
813	+	+ (subpath "/Library/Preferences")
814	-	> )
814	+	+ (subpath "/Library/QuickTime")
815	-	>
815	+	+ (subpath "/Library/Filesystems/NetFSPlugins"))
816	-	> ;; Preferences
816	+	+
817	-	> (allow file-read*
817	+	+ (allow file-read-data
818	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
818	+	+ (subpath "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
819	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
819	+	+ (subpath "/Users/Shared/SC Info")
820	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
820	+	+ (subpath "/private/var")
821	-	> (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
821	+	+ (subpath "/private/etc"))
822	-	> )
822	+	+
823	-	>
823	+	+ ;;; allow reading and issuing extensions to iTunes so it can opened
824	-	> ;; Preference domain.
824	+	+ ;;; <rdar://problem/13568149>
825	-	> (allow user-preference-read
825	+	+ (read-only-and-issue-extensions
826	-	> (preference-domain "com.apple.cmio")
826	+	+ (subpath "/Applications/iTunes.app"))
827	-	> (preference-domain "com.apple.coremedia")
827	+	+
828	-	> )
828	+	+ (allow file-read-xattr
829	-	>
829	+	+ (subpath "/Applications/iTunes.app"))
830	-	> ;; Camera
830	+	+
831	-	> (allow device-camera)
831	+	+ (allow file-read* file-write* (subpath "/Library/Caches"))
832	-	> (allow iokit-open
832	+	+
833	-	> (iokit-user-client-class "IOFireWireAVCUserClient")
833	+	+ (if (param "DARWIN_QTKITSERVER_HOME_DIR")
834	-	> (iokit-user-client-class "IOFireWireUserClient")
834	+	+ (begin
835	-	> )
835	+	+ (allow file-read*
836	-	>
836	+	+ (home-subpath "/.CFUserTextEncoding")
837	-	> ;;(allow iokit-get-properties)
837	+	+ (home-subpath "/Library/Audio/Plug-Ins/Components")
838	-	>
838	+	+ (home-subpath "/Library/Audio/Plug-Ins")
839		+ (home-subpath "/Library/QuickTime")
840		+ (home-subpath "/Library/Input Methods")
841	-	0a1,61
841	+	+ (home-subpath "/Library/Keyboard Layouts")
842	-	> ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
842	+	+ (home-subpath "/Library/Components"))
843	-	> ;;
843	+	+ (allow file-read* file-write*
844	-	> ;; WARNING: The sandbox rules in this file currently constitute
844	+	+ (home-subpath "/Library/Caches/QuickTime"))
845	-	> ;; Apple System Private Interface and are subject to change at any time and
845	+	+ (deny file-read* file-write*
846	-	> ;; without notice.
846	+	+ (home-literal "/Library/Caches/com.nvidia.OpenGL") (with no-report))
847	-	> ;;
847	+	+ ;; we have to allow 3rd party components to read and write their own prefs,-
848	-	>
848	+	+ ;; but we don't know their names.
849	-	> (version 1)
849	+	+ ;; so allow r/w access to all of ~/Library/Prefs but deny access to prefs beginning with com.apple
850	-	> (deny default)
850	+	+ (allow file-write* file-read*
851	-	>
851	+	+ (home-subpath "/Library/Preferences"))
852	-	> (import "system.sb")
852	+	+ (deny file-read* file-write* (with no-report)
853	-	>
853	+	+ (home-regex #"/Library/Preferences/com\.apple\..*")
854	-	> (import "com.apple.corefoundation.sb")
854	+	+ (home-regex #"/Library/Preferences/\.GlobalPreferences\.plist")
855	-	>
855	+	+ (home-regex #"/Library/Preferences/pbs\.plist")
856	-	> ;;; initialize CF sandbox actions
856	+	+ (home-regex #"/Library/Preferences/loginwindow\.plist")
857	-	> (corefoundation)
857	+	+ (home-regex #"/Library/Preferences/ByHost/com\.apple\..*"))
858	-	>
858	+	+ (allow file-read*
859	-	> ;; For resolving symlinks, realpath(3), and equivalents.
859	+	+ (home-literal "/Library/Preferences/QuickTime Preferences"))))
860	-	> (allow file-read-metadata)
860	+	+
861	-	>
861	+	+ (if (param "DARWIN_QTKITSERVER_CACHE_DIR")
862	-	> (allow process-info* (target self))
862	+	+ (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_CACHE_DIR"))))
863	-	>
863	+	+
864	-	> (allow mach-lookup
864	+	+ (if (param "DARWIN_QTKITSERVER_TEMP_DIR")
865	-	> (global-name "com.apple.CoreServices.coreservicesd")
865	+	+ (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_TEMP_DIR"))))
866	-	> (global-name "com.apple.coreservices.launchservicesd")
866	+	+
867	-	> (global-name "com.apple.windowserver.active")
867	+	+ (system-graphics)
868	-	> (global-name "com.apple.analyticsd")
868	+	+
869	-	> )
869	+	+ (allow iokit-open
870	-	>
870	+	+ (iokit-user-client-class "IOAudioControlUserClient")
871	-	> (allow file-map-executable
871	+	+ (iokit-user-client-class "IOAudioEngineUserClient")
872	-	> (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
872	+	+ (iokit-user-client-class "IOHIDParamUserClient"))
873	-	> (subpath "/System/Library/Extensions")
873	+	+
874	-	> )
874	+	+ ;; CoreVideo CVCGDisplayLink
875	-	>
875	+	+ (allow iokit-open
876	-	> ;; Preferences
876	+	+ (iokit-user-client-class "IOFramebufferSharedUserClient"))
877	-	> (allow file-read*
877	+	+
878	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
878	+	+ ;; H.264 Acceleration; <rdar://problem/10348815>
879	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
879	+	+ (allow iokit-open
880	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
880	+	+ (iokit-user-client-class "AppleSNBFBUserClient"))
881	-	> (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
881	+	+
882	-	> )
882	+	+ ;; QuartzCore; <rdar://problem/9065114>
883	-	>
883	+	+ (allow iokit-open
884	-	> ;; Preference domain.
884	+	+ (iokit-user-client-class "AppleGraphicsControlClient")
885	-	> (allow user-preference-read
885	+	+ (iokit-user-client-class "AGPMClient"))
886	-	> (preference-domain "com.apple.cmio")
886	+	+
887	-	> (preference-domain "com.apple.coremedia")
887	+	+ (allow iokit-open
888	-	> )
888	+	+ (iokit-user-client-class "AppleUpstreamUserClient")
889	-	>
889	+	+ (iokit-user-client-class "AudioAUUC"))
890	-	> ;; Camera
890	+	+
891	-	> (allow iokit-open
891	+	+ ;; BlackMagic; <rdar://problem/11899349>
892	-	> (iokit-user-client-class "IOFireWireUserClient")
892	+	+ (allow iokit-open
893	-	> (iokit-user-client-class "RootDomainUserClient")
893	+	+ (iokit-user-client-class "com_blackmagic_design_iokit_DaisyCutterUserClient"))
894	-	> )
894	+	+
895	-	>
895	+	+ (allow ipc-posix-shm
896	-	> (allow iokit-open
896	+	+ (ipc-posix-name-regex #"^AudioIO")
897	-	> (iokit-registry-entry-class "RootDomainUserClient")
897	+	+ (ipc-posix-name-regex #"^ls\.")
898	-	> )
898	+	+ (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
899	-	>
899	+	+ (ipc-posix-name "FNetwork.defaultStorageSession")
900	-	> ;;(allow iokit-get-properties)
900	+	+ (ipc-posix-name "apple.shm.notification_center"))
901	-	>
901	+	+
902	-	>
902	+	+ ;; ColorSync Profiles (<rdar://problem/13775802>)
903		+ (allow ipc-posix-shm*
904		+ (ipc-posix-name "com.apple.ColorSync.Gen.lock")
905	-	0a1,74
905	+	+ (ipc-posix-name "com.apple.ColorSync.Disp.lock")
906	-	> ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
906	+	+ (ipc-posix-name "com.apple.ColorSync.Gray2.2")
907	-	> ;;
907	+	+ (ipc-posix-name "com.apple.ColorSync.sRGB")
908	-	> ;; WARNING: The sandbox rules in this file currently constitute
908	+	+ (ipc-posix-name "com.apple.ColorSync.GenGray")
909	-	> ;; Apple System Private Interface and are subject to change at any time and
909	+	+ (ipc-posix-name "com.apple.ColorSync.GenRGB")
910	-	> ;; without notice.
910	+	+ (ipc-posix-name-regex #"^com\.apple\.cs\."))
911	-	> ;;
911	+	+ (allow file-read*
912	-	>
912	+	+ (subpath "/Library/ColorSync/Profiles")
913	-	> (version 1)
913	+	+ (home-subpath "/Library/ColorSync"))
914	-	> (deny default)
914	+	+
915	-	>
915	+	+ (allow mach-lookup
916	-	> (import "system.sb")
916	+	+ (global-name "com.apple.coreservices.launchservicesd")
917	-	> (system-graphics)
917	+	+ (global-name "com.apple.ls.boxd")
918	-	>
918	+	+ (global-name "com.apple.lsd.mapdb")
919	-	> (import "com.apple.corefoundation.sb")
919	+	+ (global-name "com.apple.lsd.modifydb")
920	-	>
920	+	+ (global-name "com.apple.metadata.mds")
921	-	> ;;; initialize CF sandbox actions
921	+	+ (global-name "com.apple.cookied")
922	-	> (corefoundation)
922	+	+ (global-name "com.apple.cfnetwork.AuthBrokerAgent")
923	-	>
923	+	+ (global-name "com.apple.cfnetwork.cfnetworkagent")
924	-	> ;; For resolving symlinks, realpath(3), and equivalents.
924	+	+ (global-name "com.apple.SystemConfiguration.configd")
925	-	> (allow file-read-metadata)
925	+	+ (global-name "com.apple.CoreServices.coreservicesd")
926	-	>
926	+	+ (global-name "com.apple.coreservices.appleevents")
927	-	> (allow process-info* (target self))
927	+	+ (global-name "com.apple.FontObjectsServer")
928	-	>
928	+	+ (global-name "com.apple.FontServer")
929	-	> ;; For validating the entitlements of clients.
929	+	+ (global-name "com.apple.PowerManagement.control")
930	-	> (allow process-info-codesignature)
930	+	+ (global-name "com.apple.audio.audiohald")
931	-	>
931	+	+ (global-name "com.apple.audio.coreaudiod")
932	-	> (allow mach-lookup
932	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
933	-	> (global-name "com.apple.CoreServices.coreservicesd")
933	+	+ (global-name "com.apple.dock.server")
934	-	> (global-name "com.apple.coreservices.launchservicesd")
934	+	+ (global-name "com.apple.pasteboard.1")
935	-	> (global-name "com.apple.windowserver.active")
935	+	+ (global-name "com.apple.pbs.fetch_services")
936	-	> (global-name "com.apple.analyticsd")
936	+	+ (global-name "com.apple.printtool.agent")
937	-	> (subpath "/Library/Video/Plug-Ins")
937	+	+ (global-name "com.apple.tsm.uiserver")
938	-	> )
938	+	+ (global-name "com.apple.UNCUserNotification")
939	-	>
939	+	+ (global-name "com.apple.windowserver.active")
940	-	> (allow file-map-executable
940	+	+ (global-name "com.apple.DiskArbitration.diskarbitrationd")
941	-	> (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
941	+	+ (global-name "com.apple.window_proxies"))
942	-	> (subpath "/System/Library/Extensions")
942	+	+
943	-	> (subpath "/Library/Video/Plug-Ins")
943	+	+ ;; Security framework
944	-	> )
944	+	+ (allow mach-lookup
945	-	>
945	+	+ (global-name "com.apple.SecurityServer")
946	-	> ;; Preferences
946	+	+ (global-name "com.apple.securityd.xpc")
947	-	> (allow file-read*
947	+	+ (global-name "com.apple.ocspd"))
948	-	> (subpath "/Library/Video/Plug-Ins")
948	+	+ (if (param "DARWIN_QTKITSERVER_HOME_DIR")
949	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
949	+	+ (begin
950	-	> (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
950	+	+ (allow file-read* file-write* (home-subpath "/Library/Keychains"))))
951	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
951	+	+ (allow file-read*
952	-	> (regex #"^/private/var/db/cmiodalassistant/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
952	+	+ (subpath "/private/var/db/mds")
953	-	> )
953	+	+ (literal "/private/var/db/DetachedSignatures"))
954	-	>
954	+	+ (allow ipc-posix-shm-read* ipc-posix-shm-write-data
955	-	> ;; Preference domain.
955	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
956	-	> (allow user-preference-read
956	+	+
957	-	> (preference-domain "com.apple.cmio")
957	+	+ (allow appleevent-send
958	-	> (preference-domain "com.apple.coremedia")
958	+	+ (appleevent-destination "com.apple.iTunes"))
959	-	> )
959	+	+
960	-	>
960	+	+ (allow system-socket
961	-	> ;; Camera
961	+	+ (socket-domain AF_ROUTE))
962	-	> (allow device-camera)
962	+	+
963	-	> (allow iokit-open
963	+	+ (allow system-socket
964	-	> (iokit-user-client-class "IOUSBDeviceUserClientV2")
964	+	+ (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
965	-	> (iokit-user-client-class "IOUSBInterfaceUserClientV3")
965	+	+
966	-	> (iokit-user-client-class "RootDomainUserClient")
966	+	+ (allow system-audit)
967	-	> )
967	+	+ (allow system-fsctl
968	-	>
968	+	+ (fsctl-command (_IO "h" 24)) ;; HFS_VOLUME_STATUS
969	-	> (allow iokit-open
969	+	+ (fsctl-command (_IO "z" 12)) ;; afpfsGetMountInfoFSCTL
970	-	> (iokit-registry-entry-class "IGAccelDevice")
970	+	+ (fsctl-command (_IO "z" 19)) ;; smbfsUniqueShareIDFSCTL
971	-	> (iokit-registry-entry-class "IGAccelSharedUserClient")
971	+	+ (fsctl-command (_IO "z" 23))) ;; afpfsByteRangeLock2FSCTL
972	-	> (iokit-registry-entry-class "IGAccelVideoContextMain")
972	+	+
973	-	> (iokit-registry-entry-class "IGAccelVideoContextMedia")
973	+
974	-	> (iokit-registry-entry-class "IGAccelVideoContextVEBox")
974	+
975	-	> (iokit-registry-entry-class "RootDomainUserClient")
975	+
976	-	> )
976	+
977	-	>
977	+
978	-	> (allow iokit-get-properties)
978	+
979	-	>
979	+
980		com.apple.ReportPanicService.sb
981		*** /System/Library/Sandbox/Profiles/com.apple.ReportPanicService.sb 2017-04-14 19:00:59.000000000 -0700
982	-	0a1,161
982	+	--- com.apple.ReportPanicService.sb 2017-07-10 13:51:50.000000000 -0700
983	-	> ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
983	+	***************
984	-	> ;;
984	+	* 9,22 **
985	-	> ;; WARNING: The sandbox rules in this file currently constitute
985	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
986	-	> ;; Apple System Private Interface and are subject to change at any time and
986	+	(with no-report))
987	-	> ;; without notice.
987	+
988	-	> ;;
988	+	- ;;; <rdar://problem/13449326>
989	-	>
989	+	- (let allow-paths ((i 0))
990	-	> (version 1)
990	+	- (let ((path (param (string-append "HOME_" (number->string i)))))
991	-	> (deny default)
991	+	- (if path
992	-	>
992	+	- (begin
993	-	> (import "system.sb")
993	+	- (allow file-read* file-write-unlink (subpath path))
994	-	> (system-graphics)
994	+	- (allow-paths (+ i 1))))))
995	-	>
995	+	-
996	-	> (import "com.apple.corefoundation.sb")
996	+	(allow authorization-right-obtain
997	-	>
997	+	(right-name "com.apple.ReportPanic.fixRight"))
998	-	> ;;; initialize CF sandbox actions
998	+
999	-	> (corefoundation)
999	+	--- 9,14 ----
1000	-	>
1000	+
1001	-	> (system-network)
1001	+
1002	-	> (allow network-outbound
1002	+
1003	-	> (literal "/private/var/run/usbmuxd")
1003	+
1004	-	> (literal "/private/var/run/mDNSResponder")
1004	+
1005	-	> (control-name "com.apple.network.statistics")
1005	+	*** /System/Library/Sandbox/Profiles/com.apple.SpeechRecognitionCore.speechrecognitiond.sb 2016-10-28 21:26:05.000000000 -0700
1006	-	> (control-name "com.apple.netsrc")
1006	+	--- com.apple.SpeechRecognitionCore.speechrecognitiond.sb 2017-07-10 13:51:50.000000000 -0700
1007	-	> (remote ip)
1007	+	***************
1008	-	> )
1008	+	* 61,67 **
1009	-	>
1009	+	(global-name "com.apple.CoreServices.coreservicesd")
1010	-	> (allow network-inbound )
1010	+	(global-name "com.apple.coreservices.launchservicesd")
1011	-	> (allow network-bind (remote ip))
1011	+	(global-name "com.apple.distributed_notifications@1v3")
1012	-	>
1012	+	! (global-name "com.apple.distributed_notifications@Uv3"))
1013	-	> ;; For resolving symlinks, realpath(3), and equivalents.
1013	+
1014	-	> (allow file-read-metadata)
1014	+	(allow iokit-open
1015	-	>
1015	+	(iokit-user-client-class "IOAudioControlUserClient")
1016	-	> (allow nvram-get (nvram-variable "BSD Name"))
1016	+	--- 61,68 ----
1017	-	> (allow process-info* (target self))
1017	+	(global-name "com.apple.CoreServices.coreservicesd")
1018	-	>
1018	+	(global-name "com.apple.coreservices.launchservicesd")
1019	-	> ;; For validating the entitlements of clients.
1019	+	(global-name "com.apple.distributed_notifications@1v3")
1020	-	> (allow process-info-codesignature)
1020	+	! (global-name "com.apple.distributed_notifications@Uv3")
1021	-	>
1021	+	! (global-name "com.apple.audio.AudioComponentRegistrar"))
1022	-	> (allow file-read*
1022	+
1023	-	> (subpath "/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources")
1023	+	(allow iokit-open
1024	-	> (subpath "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources")
1024	+	(iokit-user-client-class "IOAudioControlUserClient")
1025	-	> (subpath "/private/var/db/mds")
1025	+
1026	-	> (subpath "/Library/Audio/Plug-Ins/HAL")
1026	+
1027	-	> )
1027	+	*** /System/Library/Sandbox/Profiles/com.apple.XprotectFramework.AnalysisService.sb 2016-07-30 18:59:46.000000000 -0700
1028	-	>
1028	+	--- com.apple.XprotectFramework.AnalysisService.sb 2017-07-10 13:51:50.000000000 -0700
1029	-	> (allow file-write*
1029	+	***************
1030	-	> (literal "/private/var/db/mds/system/mds.lock")
1030	+	* 42,48 **
1031	-	> (subpath "/private/tmp")
1031	+	(global-name "com.apple.SecurityServer")
1032	-	> )
1032	+	(global-name "com.apple.ocspd")
1033	-	>
1033	+	(global-name "com.apple.nsurlstorage-cache")
1034	-	> ;; From com.apple.AirPlayXPCHelper
1034	+	! (global-name "com.apple.CoreServices.coreservicesd"))
1035	-	> (allow iokit-open
1035	+
1036	-	> (iokit-user-client-class "IOAudioControlUserClient")
1036	+
1037	-	> (iokit-user-client-class "IOAudioEngineUserClient")
1037	+	;;This can probably leave once rdar://problem/21932990 lands
1038	-	> (iokit-user-client-class "IOAudio2DeviceUserClient")
1038	+	--- 42,49 ----
1039	-	> (iokit-user-client-class "RootDomainUserClient")
1039	+	(global-name "com.apple.SecurityServer")
1040	-	> (iokit-user-client-class "IOReportUserClient")
1040	+	(global-name "com.apple.ocspd")
1041	-	> (iokit-user-client-class "IOBluetoothHCIUserClient")
1041	+	(global-name "com.apple.nsurlstorage-cache")
1042	-	> (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
1042	+	! (global-name "com.apple.CoreServices.coreservicesd")
1043	-	> (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
1043	+	! (global-name "com.apple.dz.dznd"))
1044	-	> (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
1044	+
1045	-	> (iokit-user-client-class "IOBluetoothDeviceUserClient")
1045	+
1046	-	> )
1046	+	;;This can probably leave once rdar://problem/21932990 lands
1047	-	>
1047	+
1048	-	> ;; From com.apple.AirPlayXPCHelper
1048	+
1049	-	> (allow mach-lookup
1049	+	*** /System/Library/Sandbox/Profiles/com.apple.assistantd.sb 2016-09-06 19:43:03.000000000 -0700
1050	-	> (global-name "com.apple.SecurityServer")
1050	+	--- com.apple.assistantd.sb 2017-07-10 13:51:51.000000000 -0700
1051	-	> (global-name "com.apple.SystemConfiguration.DNSConfiguration")
1051	+	***************
1052	-	> (global-name "com.apple.SystemConfiguration.configd")
1052	+	* 21,26 **
1053	-	> (global-name "com.apple.metadata.mds")
1053	+	--- 21,30 ----
1054	-	> (global-name "com.apple.ocspd")
1054	+
1055	-	> (global-name "com.apple.pluginkit.pkd")
1055	+	(allow file-read*)
1056	-	> (global-name "com.apple.spindump")
1056	+
1057	-	> (global-name "com.apple.PairingManager")
1057	+	+ (allow process-fork)
1058	-	>
1058	+	+
1059	-	> (global-name "com.apple.audio.audiohald")
1059	+	+ (allow process-exec (literal "/usr/bin/bsdtar"))
1060	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
1060	+	+
1061	-	> (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
1061	+	(allow lsopen)
1062	-	>
1062	+
1063	-	> (global-name "com.apple.wirelessproxd")
1063	+	(allow device-microphone)
1064	-	> (global-name "com.apple.windowserver.active")
1064	+	***************
1065	-	>
1065	+	* 29,35 **
1066	-	> (global-name "com.apple.AirPlayXPCHelper")
1066	+
1067	-	> (global-name "com.apple.coremedia.endpoint.xpc")
1067	+	(deny file-write-setugid)
1068	-	> (global-name "com.apple.coremedia.endpointstream.xpc")
1068	+
1069	-	> (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
1069	+	! (allow file* (subpath (param "_CACHEDIR")))
1070	-	> (global-name "com.apple.coremedia.endpointpicker.xpc")
1070	+
1071	-	> (global-name "com.apple.coremedia.endpointmanager.xpc")
1071	+	(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
1072	-	> (global-name "com.apple.AirPlayAgent.xpc")
1072	+	(allow file-read* (extension "com.apple.app-sandbox.read"))
1073	-	> (global-name "com.apple.AirPlayUIAgent.xpc")
1073	+	--- 33,40 ----
1074	-	>
1074	+
1075	-	> (global-name "com.apple.coresymbolicationd")
1075	+	(deny file-write-setugid)
1076	-	> (global-name "com.apple.awdd")
1076	+
1077	-	> (global-name "com.apple.SharingServices")
1077	+	! (allow file-read* file-write* (subpath (param "_TEMPDIR")))
1078	-	> (global-name "com.apple.bluetoothd")
1078	+	! (allow file-read* file-write* (subpath (param "_CACHEDIR")))
1079	-	> (global-name "com.apple.bluetoothaudiod")
1079	+
1080	-	> (global-name "com.apple.BluetoothDOServer")
1080	+	(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
1081	-	> (global-name "com.apple.airportd")
1081	+	(allow file-read* (extension "com.apple.app-sandbox.read"))
1082	-	>
1082	+	***************
1083	-	> (global-name "com.apple.PowerManagement.control")
1083	+	* 119,124 **
1084	-	> (global-name "com.apple.audio.coreaudiod")
1084	+	--- 124,130 ----
1085	-	> (global-name "com.apple.securityd.xpc")
1085	+	(global-name "com.apple.AddressBook.SourceSync")
1086	-	> (global-name "com.apple.lsd.mapdb")
1086	+	(global-name "com.apple.AddressBook.AddressBookApplicationFrameworkIPC")
1087	-	> (global-name "com.apple.lsd.modifydb")
1087	+	(global-name "com.apple.AddressBook.ContactsAccountsService")
1088	-	> (global-name "com.apple.coremedia.routediscoverer.xpc")
1088	+	+ (global-name "com.apple.BluetoothDOServer")
1089	-	> (global-name "com.apple.coremedia.routingcontext.xpc")
1089	+	(global-name "com.apple.ContactsAgent.addressbook")
1090	-	> (global-name "com.apple.analyticsd")
1090	+	(global-name "com.apple.accountsd.accountmanager")
1091	-	> )
1091	+	(global-name "com.apple.accountsd.oauthsigner")
1092	-	>
1092	+	***************
1093	-	> ;; Preferences
1093	+	* 136,141 **
1094	-	> (allow file-read*
1094	+	--- 142,148 ----
1095	-	> (literal "/private/var/root/Library/Preferences/com.apple.cmio.plist")
1095	+	(global-name "com.apple.DiskArbitration.diskarbitrationd")
1096	-	> (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
1096	+	(global-name "com.apple.networkd")
1097	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
1097	+	(global-name "com.apple.cookied")
1098	-	> (literal "/Library/Preferences/com.apple.security.plist")
1098	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
1099	-	> (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1099	+	(global-name "com.apple.audio.audiohald")
1100	-	> )
1100	+	(global-name "com.apple.audio.coreaudiod")
1101	-	>
1101	+	(global-name "com.apple.ocspd")
1102	-	> ;; Preference domain.
1102	+	***************
1103	-	> (allow user-preference-read
1103	+	* 174,180 **
1104	-	> (preference-domain "com.apple.airplay")
1104	+	(global-name "com.apple.metadata.mds.legacy")
1105	-	> (preference-domain "com.apple.coremedia")
1105	+	(global-name "com.apple.spotlight.IndexAgent")
1106	-	> (preference-domain "com.apple.security")
1106	+	(global-name "com.apple.coreservices.appleevents")
1107	-	> (preference-domain "com.apple.cmio")
1107	+	! (global-name "com.apple.networkserviceproxy"))
1108	-	> )
1108	+
1109	-	>
1109	+	(allow ipc-posix-shm
1110	-	> (allow ipc-posix-shm-read-data
1110	+	(ipc-posix-name-regex #"^AudioIO")
1111	-	> (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$")
1111	+	--- 181,195 ----
1112	-	> (ipc-posix-name-regex #"^AudioIO")
1112	+	(global-name "com.apple.metadata.mds.legacy")
1113	-	> (ipc-posix-name "FNetwork.defaultStorageSession")
1113	+	(global-name "com.apple.spotlight.IndexAgent")
1114	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged")
1114	+	(global-name "com.apple.coreservices.appleevents")
1115	-	> )
1115	+	! (global-name "com.apple.networkserviceproxy")
1116	-	>
1116	+	! (global-name "com.apple.cloudd")
1117	-	> (allow ipc-posix-shm-write-data
1117	+	! (global-name "com.apple.apsd")
1118	-	> (ipc-posix-name-regex #"^AudioIO")
1118	+	! (global-name "com.apple.analyticsd")
1119	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged")
1119	+	! (global-name "com.apple.symptom_analytics")
1120	-	> )
1120	+	! (global-name "com.apple.symptom_diagnostics")
1121	-	>
1121	+	! (global-name "com.apple.siri.invoke")
1122	-	> (allow ipc-posix-shm-read-metadata
1122	+	! (global-name "com.apple.remoted")
1123	-	> (ipc-posix-name-regex #"^AudioIO")
1123	+	! (global-name "com.apple.PowerManagement.control"))
1124	-	> )
1124	+
1125	-	>
1125	+	(allow ipc-posix-shm
1126	-	> (allow file-map-executable
1126	+	(ipc-posix-name-regex #"^AudioIO")
1127	-	> (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
1127	+
1128	-	> (subpath "/System/Library/Extensions")
1128	+
1129	-	> )
1129	+	*** /System/Library/Sandbox/Profiles/com.apple.audio.coreaudiod.sb 2016-08-08 17:31:56.000000000 -0700
1130	-	>
1130	+	--- com.apple.audio.coreaudiod.sb 2017-07-10 13:51:51.000000000 -0700
1131	-	> ;; USB screen capture
1131	+	***************
1132	-	> (allow iokit-open
1132	+	* 29,42 **
1133	-	> (iokit-user-client-class "IOUSBDeviceUserClientV2")
1133	+	(literal "/Library/Audio/Plug-Ins/Components")
1134	-	> (iokit-user-client-class "IOUSBInterfaceUserClientV3")
1134	+	(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
1135	-	> )
1135	+	(literal "/Library/Audio/CoreAudioLib/libAudioDiagnostics.dylib")
1136	-	>
1136	+
1137	-	> (allow iokit-open
1137	+	- (literal "/Library/Keychains/System.keychain")
1138	-	> (iokit-registry-entry-class "RootDomainUserClient")
1138	+	- (literal "/private/var/db/mds/messages/se_SecurityMessages")
1139	-	> )
1139	+	- (literal "/private/var/db/mds/system/mdsDirectory.db")
1140	-	>
1140	+	- (literal "/private/var/db/mds/system/mdsObject.db")
1141	-	> (allow iokit-get-properties)
1141	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
1142	-	>
1142	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
1143	-	>
1143	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
1144		(regex #"^/private/var/tmp/mds/[0-9]+(/\|$)")
1145		(regex #"^/private/var/db/mds/[0-9]+(/\|$)")
1146	-	0a1,40
1146	+	(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")
1147	-	> (version 1)
1147	+	--- 29,37 ----
1148	-	>
1148	+	(literal "/Library/Audio/Plug-Ins/Components")
1149	-	> (import "system.sb")
1149	+	(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
1150	-	>
1150	+	(literal "/Library/Audio/CoreAudioLib/libAudioDiagnostics.dylib")
1151	-	> (deny default iokit-get-properties process-info*)
1151	+	+ (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
1152	-	>
1152	+	+ (literal "/private/var/db/timezone")
1153	-	> (deny process-info*)
1153	+
1154	-	> (allow process-info-pidinfo)
1154	+	(regex #"^/private/var/tmp/mds/[0-9]+(/\|$)")
1155	-	> (allow process-info-pidfdinfo (target self))
1155	+	(regex #"^/private/var/db/mds/[0-9]+(/\|$)")
1156	-	> (allow process-info-pidfileportinfo (target self))
1156	+	(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")
1157	-	> (allow process-info-setcontrol (target self))
1157	+	***************
1158	-	> (allow process-info-dirtycontrol (target self))
1158	+	* 56,94 **
1159	-	> (allow process-info-rusage (target self))
1159	+	(literal "/private/etc")
1160	-	>
1160	+	(literal "/private/etc/localtime")
1161	-	> (allow file-read-metadata file-read-data (literal "/"))
1161	+	(literal "/private/var/empty")
1162	-	> (allow file-read-metadata)
1162	+	(subpath "/usr/lib")
1163	-	>
1163	+	(literal "/var")
1164	-	> (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
1164	+	! (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
1165	-	> (allow authorization-right-obtain (right-name "com.apple.private.AmbientDisplay.messaging"))
1165	+	! (literal "/private/var/db/disableAppleInternal")
1166	-	>
1166	+	!
1167	-	> (allow-create-directory
1167	+	(literal "/Library")
1168	-	> (literal "/Library/ColorSync")
1168	+	! (literal "/Library/Keychains")
1169	-	> (literal "/Library/ColorSync/Profiles"))
1169	+	! (literal "/private")
1170	-	> (allow file-read*
1170	+	! (literal "/private/var")
1171	-	> (literal "/Library/ColorSync/Profiles"))
1171	+	! (literal "/private/var/folders")
1172	-	> (allow file-read* file-write*
1172	+	! (regex "^/private/var/folders/[^/]+")
1173	-	> (prefix "/Library/ColorSync/Profiles/"))
1173	+	! (regex "^/private/var/folders/[^/]+/[^/]+")
1174	-	>
1174	+	! (literal "/private/var/run/systemkeychaincheck.done")
1175	-	> ;; deny the removal of these pre-installed profiles.
1175	+	! (regex "^/private/var/folders/[^/]+/[^/]+/C$")
1176	-	> (deny file-write-unlink
1176	+	! (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
1177	-	> (literal "/Library/ColorSync/Profiles/Black & White.icc")
1177	+	)
1178	-	> (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
1178	+
1179	-	> (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
1179	+	(allow file-write*
1180	-	> (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
1180	+	(subpath "/Library/Preferences/Audio")
1181	-	> (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
1181	+	(literal "/dev/dtracehelper")
1182	-	> (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
1182	+	-
1183	-	>
1183	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
1184	-	> (allow mach-lookup
1184	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db_$")
1185	-	> (global-name "com.apple.CoreServices.coreservicesd"))
1185	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
1186	-	>
1186	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db_$")
1187		- (regex #"^/private/var/tmp/mds/[0-9]+(/\|$)")
1188		- (regex #"^/private/var/db/mds/[0-9]+(/\|$)")
1189	-	0a1,48
1189	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")
1190	-	> ;;
1190	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/\|$)")
1191	-	> ;; ColorSync User Agent - sandbox profile
1191	+	- )
1192	-	> ;; Copyright (c) 2016 Apple Inc. All Rights reserved.
1192	+	-
1193	-	> ;;
1193	+	- (allow file-write-data
1194	-	> ;; WARNING: The sandbox rules in this file currently constitute
1194	+	- (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
1195	-	> ;; Apple System Private Interface and are subject to change at any time and
1195	+	)
1196	-	> ;; without notice. The contents of this file are also auto-generated and not
1196	+
1197	-	> ;; user editable; it may be overwritten at any time.
1197	+	(allow sysctl-write)
1198	-	> ;;
1198	+	--- 51,68 ----
1199	-	>
1199	+	(literal "/private/etc")
1200	-	> (version 1)
1200	+	(literal "/private/etc/localtime")
1201	-	> (deny default)
1201	+	(literal "/private/var/empty")
1202	-	> (import "system.sb")
1202	+	+ (literal "/usr")
1203	-	>
1203	+	(subpath "/usr/lib")
1204	-	> ;;; Home Directory
1204	+	(literal "/var")
1205	-	> (define (home-subpath home-relative-subpath)
1205	+	! (literal "/private/var/db/disableAppleInternal")
1206	-	> (subpath (string-append (param "_HOME") home-relative-subpath)))
1206	+	(literal "/Library")
1207	-	> (define (home-literal home-relative-literal)
1207	+	! (literal "/Library/Audio")
1208	-	> (literal (string-append (param "_HOME") home-relative-literal)))
1208	+	! (literal "/Library/Audio/Plug-Ins")
1209	-	> (define (home-regex home-relative-regex)
1209	+	)
1210	-	> (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
1210	+
1211	-	>
1211	+	(allow file-write*
1212	-	> (allow file-read-metadata)
1212	+	(subpath "/Library/Preferences/Audio")
1213	-	>
1213	+	(literal "/dev/dtracehelper")
1214	-	> (allow file-read* file-write*
1214	+	)
1215	-	> (subpath (param "DARWIN_USER_DIR"))
1215	+
1216	-	> (subpath (param "DARWIN_USER_TEMP_DIR"))
1216	+	(allow sysctl-write)
1217	-	> (subpath (param "DARWIN_USER_CACHE_DIR")))
1217	+	***************
1218	-	>
1218	+	* 105,112 **
1219	-	> (allow file-read*
1219	+	(global-name "com.apple.system.notification_center")
1220	-	> (literal "/Volumes")
1220	+	(global-name "com.apple.windowserver.active")
1221	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
1221	+	(global-name "com.apple.SystemConfiguration.configd")
1222	-	> (subpath "/Library/Printers")
1222	+	! (global-name "com.apple.SecurityServer")
1223	-	> (subpath "/Library/ImageCapture/Devices")
1223	+	! (global-name "com.apple.ocspd")
1224	-	> (subpath "/Library/ColorSync/Profiles")
1224	+	)
1225	-	> (subpath "System/Library/ColorSync/Profiles"))
1225	+
1226	-	>
1226	+	(allow mach-register
1227	-	> (allow file-read*
1227	+	--- 79,86 ----
1228	-	> (home-literal ".CFUserTextEncoding")
1228	+	(global-name "com.apple.system.notification_center")
1229	-	> (home-subpath "/Library/Printers")
1229	+	(global-name "com.apple.windowserver.active")
1230	-	> (home-subpath "/Library/ImageCapture/Devices")
1230	+	(global-name "com.apple.SystemConfiguration.configd")
1231	-	> (home-subpath "/Library/ColorSync/Profiles"))
1231	+	! (global-name "com.apple.audio.AudioComponentRegistrar")
1232	-	>
1232	+	! (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
1233	-	>
1233	+	)
1234	-	>
1234	+
1235	-	> (allow mach-lookup
1235	+	(allow mach-register
1236	-	> (global-name "com.apple.CoreServices.coreservicesd"))
1236	+
1237	-	>
1237	+
1238		*** /System/Library/Sandbox/Profiles/com.apple.audio.systemsoundserverd.sb 2016-08-15 18:57:25.000000000 -0700
1239		--- com.apple.audio.systemsoundserverd.sb 2017-07-10 13:51:50.000000000 -0700
1240	-	0a1,162
1240	+	***************
1241	-	> (version 1)
1241	+	* 12,18 **
1242	-	> (deny default)
1242	+	(literal "/private/etc/master.passwd")
1243	-	>
1243	+	(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
1244	-	> (import "system.sb")
1244	+	(subpath "/System")
1245	-	> (import "com.apple.corefoundation.sb")
1245	+	! (subpath "/usr/share"))
1246	-	> (corefoundation)
1246	+
1247	-	>
1247	+	(allow file-read-metadata
1248	-	> (allow file-read-metadata)
1248	+	(literal "/etc")
1249	-	>
1249	+	--- 12,19 ----
1250	-	> (allow file-issue-extension
1250	+	(literal "/private/etc/master.passwd")
1251	-	> (subpath "/Library/Documentation/Help/MacHelp.help")
1251	+	(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
1252	-	> (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1252	+	(subpath "/System")
1253	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1253	+	! (subpath "/usr/share")
1254	-	> (regex #"/Library/Caches/storeassetd")
1254	+	! (subpath "/private/var/db/timezone"))
1255	-	> (regex #"[a-z0-9]+\.app(/\|$)"))
1255	+
1256	-	>
1256	+	(allow file-read-metadata
1257	-	> (allow file-read*
1257	+	(literal "/etc")
1258	-	> (regex #"\.app(/\|$)")
1258	+	***************
1259	-	> (regex #"/CommerceKit\.framework")
1259	+	* 37,42 **
1260	-	> (literal "/private/etc/hosts")
1260	+	--- 38,44 ----
1261	-	> (literal "/private/var/db/mds/system/mdsDirectory.db")
1261	+
1262	-	> (literal "/private/var/db/mds/system/mdsObject.db")
1262	+	(allow mach-lookup
1263	-	> (literal "/Library/Preferences/com.apple.AECT.plist")
1263	+	(global-name "com.apple.CoreServices.coreservicesd")
1264	-	> (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
1264	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
1265	-	> (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
1265	+	(global-name "com.apple.audio.audiohald")
1266	-	> (literal "/Library/Preferences/com.apple.loginwindow.plist")
1266	+	(global-name "com.apple.cfprefsd.agent")
1267	-	> (literal "/private/var/db/PreviousSystemVersion.plist")
1267	+	(global-name "com.apple.cfprefsd.daemon")
1268	-	> (subpath "/Applications")
1268	+
1269	-	> (subpath "/Library/Documentation/Help/MacHelp.help")
1269	+
1270	-	> (subpath "/Users/Shared")
1270	+	*** /System/Library/Sandbox/Profiles/com.apple.authd.sb 2016-08-29 18:16:41.000000000 -0700
1271	-	> (regex "/Library/Bundles/[^/]+.bundle")
1271	+	--- com.apple.authd.sb 2017-07-10 13:51:51.000000000 -0700
1272	-	> (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
1272	+	***************
1273	-	> (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
1273	+	* 15,20 **
1274	-	> (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
1274	+	--- 15,22 ----
1275	-	> (regex #"/Library/Preferences/com.apple.security\.plist$")
1275	+	(subpath (param "TMP_DIR")))
1276	-	> (regex #"/\.CFUserTextEncoding$")
1276	+
1277	-	> (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
1277	+	(allow mach-lookup
1278	-	>
1278	+	+ (global-name "com.apple.CoreAuthentication.agent.libxpc")
1279	-	> (allow file-read* file-write*
1279	+	+ (global-name "com.apple.CoreAuthentication.daemon.libxpc")
1280	-	> (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
1280	+	(global-name "com.apple.CoreServices.coreservicesd")
1281	-	> (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
1281	+	(global-name "com.apple.PowerManagement.control")
1282	-	> (literal "/private/var/db/mds/system/mds.lock")
1282	+	(global-name "com.apple.security.agent")
1283	-	> (subpath "/private/var/root/Library/Caches/com.apple.commerce")
1283	+
1284	-	> (subpath "/private/var/tmp")
1284	+
1285	-	> (subpath "/private/var/folders")
1285	+	*** /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb 2016-11-04 17:36:02.000000000 -0700
1286	-	> (subpath "/private/tmp")
1286	+	--- com.apple.avconferenced.sb 2017-07-10 13:51:50.000000000 -0700
1287	-	> (subpath "/Users/Shared/adi")
1287	+	***************
1288	-	> (subpath "/Users/Shared/SC Info")
1288	+	* 36,41 **
1289	-	> (regex #"/Library/Caches/com\.apple\.commerce")
1289	+	--- 36,42 ----
1290	-	> (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1290	+	(subpath "/Library/Audio/Plug-Ins/HAL")
1291	-	> (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
1291	+	(subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
1292	-	> (regex #"/Library/Cookies/com\.apple\.(appstore\|iBooksX\|ibooks\|iTunes\|configurator(\.ui)?)\.(binary)?cookies")
1292	+	(subpath "/Library/Audio/CoreAudioLib")
1293	-	> (regex #"/Library/Cookies/Cookies\.binarycookies")
1293	+	+ (subpath "/private/tmp/vp/inject")
1294	-	>
1294	+	(subpath "/usr/libexec"))
1295	-	> (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
1295	+
1296	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1296	+	(allow file-read-metadata
1297	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)")
1297	+	***************
1298	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/\|$)")
1298	+	* 47,59 **
1299	-	> (regex #"/\.TemporaryItems(/\|$)")
1299	+	(subpath (param "DARWIN_USER_TEMP_DIR"))
1300	-	> (regex #"/Library/Keychains/")
1300	+	(subpath (param "DARWIN_USER_CACHE_DIR"))
1301	-	> (regex #"^/etilqs_"))
1301	+	(subpath "/private/var/db/mds")
1302	-	>
1302	+	! (subpath "/private/tmp/vp")
1303	-	> (allow user-preference-read
1303	+	(subpath "/private/tmp/vcp")
1304	-	> (preference-domain "kCFPreferencesAnyApplication"))
1304	+	(subpath "/Library/Keychains"))
1305	-	>
1305	+
1306	-	> (allow user-preference*
1306	+	(allow file-issue-extension
1307	-	> (preference-domain "com.apple.bookstoreagent")
1307	+	(require-all
1308	-	> (preference-domain "com.apple.storeagent")
1308	+	! (extension-class "com.apple.app-sandbox.read-write")
1309	-	> (preference-domain "com.apple.iTunes")
1309	+	(home-subpath "/Library/Caches/com.apple.VideoConference/logs")))
1310	-	> (preference-domain "com.apple.appstore")
1310	+
1311	-	> (preference-domain "com.apple.ibooks")
1311	+	(allow user-preference-read
1312	-	> (preference-domain "com.apple.commerce")
1312	+	--- 48,61 ----
1313	-	> (preference-domain "com.apple.commerce.configurator")
1313	+	(subpath (param "DARWIN_USER_TEMP_DIR"))
1314	-	> (preference-domain "com.apple.appstore.commerce")
1314	+	(subpath (param "DARWIN_USER_CACHE_DIR"))
1315	-	> (preference-domain "com.apple.iBooksX.commerce")
1315	+	(subpath "/private/var/db/mds")
1316	-	> (preference-domain "com.apple.configurator.ui.commerce"))
1316	+	! (subpath "/private/tmp/AudioCapture")
1317	-	>
1317	+	! (subpath "/private/tmp/AudioCapture/VP")
1318	-	> (allow ipc-posix-shm-read-data
1318	+	(subpath "/private/tmp/vcp")
1319	-	> (ipc-posix-name "FNetwork.defaultStorageSession")
1319	+	(subpath "/Library/Keychains"))
1320	-	> (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
1320	+
1321	-	> (ipc-posix-name "apple.shm.notification_center")
1321	+	(allow file-issue-extension
1322	-	> (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
1322	+	(require-all
1323	-	>
1323	+	! (extension-class "com.apple.rtcreporting.upload")
1324	-	> (allow ipc-posix-shm-read* ipc-posix-shm-write-data
1324	+	(home-subpath "/Library/Caches/com.apple.VideoConference/logs")))
1325	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
1325	+
1326	-	>
1326	+	(allow user-preference-read
1327	-	> (allow mach-register (global-name "com.apple.commerce"))
1327	+	***************
1328	-	>
1328	+	* 98,104 **
1329	-	> (allow mach-lookup
1329	+	(global-name "com.apple.windowserver.active")
1330	-	> (global-name "com.apple.apsd")
1330	+	(global-name "com.apple.SecurityServer")
1331	-	> (global-name "com.apple.adid")
1331	+	(global-name "com.apple.securityd.xpc")
1332	-	> (global-name "com.apple.fpsd")
1332	+	! (global-name "com.apple.WirelessCoexManager"))
1333	-	> (global-name "com.apple.askpermissiond")
1333	+
1334	-	> (global-name "com.apple.AssetCacheLocatorService")
1334	+	(allow network-inbound
1335	-	> (global-name "com.apple.accountsd.accountmanager")
1335	+	(local tcp ":")
1336	-	> (global-name "com.apple.backupd.sandbox.xpc")
1336	+	--- 100,109 ----
1337	-	> (global-name "com.apple.ctkd.token-client")
1337	+	(global-name "com.apple.windowserver.active")
1338	-	> (global-name "com.apple.CoreAuthentication.agent.libxpc")
1338	+	(global-name "com.apple.SecurityServer")
1339	-	> (global-name "com.apple.CoreAuthentication.agent")
1339	+	(global-name "com.apple.securityd.xpc")
1340	-	> (global-name "com.apple.securityd.xpc")
1340	+	! (global-name "com.apple.WirelessCoexManager")
1341	-	> (global-name "com.apple.UNCUserNotification")
1341	+	! (global-name "com.apple.audio.AudioComponentRegistrar")
1342	-	> (global-name "com.apple.coreservices.launcherror-handler")
1342	+	! (global-name "com.apple.distributed_notifications@1v3")
1343	-	> (global-name "com.apple.SystemConfiguration.configd")
1343	+	! (global-name "com.apple.distributed_notifications@Uv3"))
1344	-	> (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
1344	+
1345	-	> (global-name "com.apple.networkd")
1345	+	(allow network-inbound
1346	-	> (global-name "com.apple.storehelper")
1346	+	(local tcp ":")
1347	-	> (global-name "com.apple.SecurityServer")
1347	+
1348	-	> (global-name "com.apple.PowerManagement.control")
1348	+
1349	-	> (global-name "com.apple.distributed_notifications@Uv3")
1349	+
1350	-	> (global-name "com.apple.usernoted.daemon_client")
1350	+
1351	-	> (global-name "com.apple.metadata.mds")
1351	+
1352	-	> (global-name "com.apple.CoreServices.coreservicesd")
1352	+
1353	-	> (global-name "com.apple.ls.boxd")
1353	+
1354	-	> (global-name "com.apple.FileCoordination")
1354	+
1355	-	> (global-name "com.apple.ocspd")
1355	+	*** /System/Library/Sandbox/Profiles/com.apple.cmio.AVCAssistant.sb 1969-12-31 16:00:00.000000000 -0800
1356	-	> (global-name "com.apple.installd")
1356	+	--- com.apple.cmio.AVCAssistant.sb 2017-07-10 13:51:50.000000000 -0700
1357	-	> (global-name "com.apple.ProgressReporting")
1357	+	***************
1358	-	> (global-name "com.apple.windowserver.active")
1358	+	* 0 **
1359	-	> (global-name "com.apple.lsd.mapdb")
1359	+	--- 1,57 ----
1360	-	> (global-name "com.apple.coreservices.launchservicesd")
1360	+	+ ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1361	-	> (global-name "com.apple.coreservices.appleevents")
1361	+	+ ;;
1362	-	> (global-name "com.apple.cookied")
1362	+	+ ;; WARNING: The sandbox rules in this file currently constitute
1363	-	> (global-name "com.apple.FontServer")
1363	+	+ ;; Apple System Private Interface and are subject to change at any time and
1364	-	> (global-name "com.apple.fonts")
1364	+	+ ;; without notice.
1365	-	> (global-name "com.apple.FontObjectsServer")
1365	+	+ ;;
1366	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd")
1366	+	+
1367	-	> (global-name "com.apple.cvmsServ")
1367	+	+ (version 1)
1368	-	> (global-name "com.apple.logind")
1368	+	+ (deny default)
1369	-	> (global-name "com.apple.coreservices.quarantine-resolver")
1369	+	+
1370	-	> (global-name "com.apple.familycontrols")
1370	+	+ (import "system.sb")
1371	-	> (global-name "com.apple.pluginkit.pkd")
1371	+	+
1372	-	> (global-name "com.apple.nsurlstorage-cache")
1372	+	+ (import "com.apple.corefoundation.sb")
1373	-	> (global-name "com.apple.system.opendirectoryd.api")
1373	+	+
1374	-	> (global-name "com.apple.CrashReporterSupportHelper")
1374	+	+ ;;; initialize CF sandbox actions
1375	-	> (global-name "com.apple.cache_delete")
1375	+	+ (corefoundation)
1376	-	> (global-name "com.apple.ManagedClient.agent")
1376	+	+
1377	-	> (global-name "com.apple.cfnetwork.AuthBrokerAgent")
1377	+	+ ;; For resolving symlinks, realpath(3), and equivalents.
1378	-	> (global-name "com.apple.pasteboard.1"))
1378	+	+ (allow file-read-metadata)
1379	-	>
1379	+	+
1380	-	> (allow authorization-right-obtain
1380	+	+ (allow process-info* (target self))
1381	-	> (right-name "system.install.app-store-software")
1381	+	+
1382	-	> (right-name "system.install.apple-software")
1382	+	+ (allow mach-lookup
1383	-	> (right-name "system.install.app-store-software.standard-user")
1383	+	+ (global-name "com.apple.CoreServices.coreservicesd")
1384	-	> (right-name "system.install.apple-software.standard-user")
1384	+	+ (global-name "com.apple.coreservices.launchservicesd")
1385	-	> (right-name "system.install.apple-config-data")
1385	+	+ (global-name "com.apple.windowserver.active")
1386	-	> (right-name "system.install.software")
1386	+	+ (global-name "com.apple.analyticsd")
1387	-	> (right-name "system.install.software.iap")
1387	+	+ )
1388	-	> (right-name "system.install.software.mdm-provided")
1388	+	+
1389	-	> (right-name "com.apple.SoftwareUpdate.modify-settings"))
1389	+	+ (allow file-map-executable
1390	-	>
1390	+	+ (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
1391	-	> (allow iokit-open
1391	+	+ (subpath "/System/Library/Extensions")
1392	-	> (iokit-user-client-class "IOFramebufferSharedUserClient")
1392	+	+ )
1393	-	> (iokit-user-client-class "RootDomainUserClient")
1393	+	+
1394	-	> (iokit-user-client-class-regex #"AccelDevice$")
1394	+	+ ;; Preferences
1395	-	> (iokit-user-client-class-regex #"SharedUserClient$")
1395	+	+ (allow file-read*
1396	-	> (iokit-user-client-class-regex #"GLContext$"))
1396	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
1397	-	>
1397	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
1398	-	> (allow network-outbound)
1398	+	+ (literal "/Library/Preferences/.GlobalPreferences.plist")
1399	-	> (allow system-socket)
1399	+	+ (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1400	-	> (allow distributed-notification-post)
1400	+	+ )
1401	-	> (allow appleevent-send)
1401	+	+
1402	-	> (allow lsopen)
1402	+	+ ;; Preference domain.
1403		+ (allow user-preference-read
1404		+ (preference-domain "com.apple.cmio")
1405	-	0a1,161
1405	+	+ (preference-domain "com.apple.coremedia")
1406	-	> (version 1)
1406	+	+ )
1407	-	> (deny default)
1407	+	+
1408	-	>
1408	+	+ ;; Camera
1409	-	> (import "system.sb")
1409	+	+ (allow device-camera)
1410	-	> (import "com.apple.corefoundation.sb")
1410	+	+ (allow iokit-open
1411	-	> (corefoundation)
1411	+	+ (iokit-user-client-class "IOFireWireAVCUserClient")
1412	-	>
1412	+	+ (iokit-user-client-class "IOFireWireUserClient")
1413	-	> (allow file-read-metadata)
1413	+	+ )
1414	-	>
1414	+	+
1415	-	> (allow file-issue-extension
1415	+	+ ;;(allow iokit-get-properties)
1416	-	> (subpath "/Library/Documentation/Help/MacHelp.help")
1416	+	+
1417	-	> (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1417	+
1418	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1418	+
1419	-	> (regex #"/Library/Caches/storeassetd")
1419	+	*** /System/Library/Sandbox/Profiles/com.apple.cmio.IIDCVideoAssistant.sb 1969-12-31 16:00:00.000000000 -0800
1420	-	> (regex #"[a-z0-9]+\.app(/\|$)"))
1420	+	--- com.apple.cmio.IIDCVideoAssistant.sb 2017-07-10 13:51:50.000000000 -0700
1421	-	>
1421	+	***************
1422	-	> (allow file-read*
1422	+	* 0 **
1423	-	> (regex #"\.app(/\|$)")
1423	+	--- 1,61 ----
1424	-	> (regex #"/CommerceKit\.framework")
1424	+	+ ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1425	-	> (literal "/private/etc/hosts")
1425	+	+ ;;
1426	-	> (literal "/private/var/db/mds/system/mdsDirectory.db")
1426	+	+ ;; WARNING: The sandbox rules in this file currently constitute
1427	-	> (literal "/private/var/db/mds/system/mdsObject.db")
1427	+	+ ;; Apple System Private Interface and are subject to change at any time and
1428	-	> (literal "/Library/Preferences/com.apple.AECT.plist")
1428	+	+ ;; without notice.
1429	-	> (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
1429	+	+ ;;
1430	-	> (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
1430	+	+
1431	-	> (literal "/Library/Preferences/com.apple.loginwindow.plist")
1431	+	+ (version 1)
1432	-	> (literal "/private/var/db/PreviousSystemVersion.plist")
1432	+	+ (deny default)
1433	-	> (subpath "/Applications")
1433	+	+
1434	-	> (subpath "/Library/Documentation/Help/MacHelp.help")
1434	+	+ (import "system.sb")
1435	-	> (subpath "/Users/Shared")
1435	+	+
1436	-	> (regex "/Library/Bundles/[^/]+.bundle")
1436	+	+ (import "com.apple.corefoundation.sb")
1437	-	> (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
1437	+	+
1438	-	> (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
1438	+	+ ;;; initialize CF sandbox actions
1439	-	> (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
1439	+	+ (corefoundation)
1440	-	> (regex #"/Library/Preferences/com.apple.security\.plist$")
1440	+	+
1441	-	> (regex #"/\.CFUserTextEncoding$")
1441	+	+ ;; For resolving symlinks, realpath(3), and equivalents.
1442	-	> (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
1442	+	+ (allow file-read-metadata)
1443	-	>
1443	+	+
1444	-	> (allow file-read* file-write*
1444	+	+ (allow process-info* (target self))
1445	-	> (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
1445	+	+
1446	-	> (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
1446	+	+ (allow mach-lookup
1447	-	> (literal "/private/var/db/mds/system/mds.lock")
1447	+	+ (global-name "com.apple.CoreServices.coreservicesd")
1448	-	> (subpath "/private/var/root/Library/Caches/com.apple.commerce")
1448	+	+ (global-name "com.apple.coreservices.launchservicesd")
1449	-	> (subpath "/private/var/tmp")
1449	+	+ (global-name "com.apple.windowserver.active")
1450	-	> (subpath "/private/var/folders")
1450	+	+ (global-name "com.apple.analyticsd")
1451	-	> (subpath "/private/tmp")
1451	+	+ )
1452	-	> (subpath "/Users/Shared/adi")
1452	+	+
1453	-	> (subpath "/Users/Shared/SC Info")
1453	+	+ (allow file-map-executable
1454	-	> (regex #"/Library/Caches/com\.apple\.commerce")
1454	+	+ (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
1455	-	> (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1455	+	+ (subpath "/System/Library/Extensions")
1456	-	> (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
1456	+	+ )
1457	-	> (regex #"/Library/Cookies/com\.apple\.(appstore\|iBooksX\|ibooks\|iTunes\|configurator(\.ui)?)\.(binary)?cookies")
1457	+	+
1458	-	> (regex #"/Library/Cookies/Cookies\.binarycookies")
1458	+	+ ;; Preferences
1459	-	>
1459	+	+ (allow file-read*
1460	-	> (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
1460	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
1461	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1461	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
1462	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)")
1462	+	+ (literal "/Library/Preferences/.GlobalPreferences.plist")
1463	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/\|$)")
1463	+	+ (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1464	-	> (regex #"/\.TemporaryItems(/\|$)")
1464	+	+ )
1465	-	> (regex #"/Library/Keychains/")
1465	+	+
1466	-	> (regex #"^/etilqs_"))
1466	+	+ ;; Preference domain.
1467	-	>
1467	+	+ (allow user-preference-read
1468	-	> (allow user-preference-read
1468	+	+ (preference-domain "com.apple.cmio")
1469	-	> (preference-domain "kCFPreferencesAnyApplication"))
1469	+	+ (preference-domain "com.apple.coremedia")
1470	-	>
1470	+	+ )
1471	-	> (allow user-preference*
1471	+	+
1472	-	> (preference-domain "com.apple.bookstoreagent")
1472	+	+ ;; Camera
1473	-	> (preference-domain "com.apple.storeagent")
1473	+	+ (allow iokit-open
1474	-	> (preference-domain "com.apple.iTunes")
1474	+	+ (iokit-user-client-class "IOFireWireUserClient")
1475	-	> (preference-domain "com.apple.appstore")
1475	+	+ (iokit-user-client-class "RootDomainUserClient")
1476	-	> (preference-domain "com.apple.commerce")
1476	+	+ )
1477	-	> (preference-domain "com.apple.commerce.configurator")
1477	+	+
1478	-	> (preference-domain "com.apple.appstore.commerce")
1478	+	+ (allow iokit-open
1479	-	> (preference-domain "com.apple.iBooksX.commerce")
1479	+	+ (iokit-registry-entry-class "RootDomainUserClient")
1480	-	> (preference-domain "com.apple.configurator.ui.commerce"))
1480	+	+ )
1481	-	>
1481	+	+
1482	-	> (allow ipc-posix-shm-read-data
1482	+	+ ;;(allow iokit-get-properties)
1483	-	> (ipc-posix-name "FNetwork.defaultStorageSession")
1483	+	+
1484	-	> (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
1484	+	+
1485	-	> (ipc-posix-name "apple.shm.notification_center")
1485	+
1486	-	> (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
1486	+
1487	-	>
1487	+	*** /System/Library/Sandbox/Profiles/com.apple.cmio.VDCAssistant.sb 1969-12-31 16:00:00.000000000 -0800
1488	-	> (allow ipc-posix-shm-read* ipc-posix-shm-write-data
1488	+	--- com.apple.cmio.VDCAssistant.sb 2017-07-10 13:51:51.000000000 -0700
1489	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
1489	+	***************
1490	-	>
1490	+	* 0 **
1491	-	> (allow mach-register (global-name "com.apple.commerced"))
1491	+	--- 1,74 ----
1492	-	>
1492	+	+ ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1493	-	> (allow mach-lookup
1493	+	+ ;;
1494	-	> (global-name "com.apple.apsd")
1494	+	+ ;; WARNING: The sandbox rules in this file currently constitute
1495	-	> (global-name "com.apple.adid")
1495	+	+ ;; Apple System Private Interface and are subject to change at any time and
1496	-	> (global-name "com.apple.fpsd")
1496	+	+ ;; without notice.
1497	-	> (global-name "com.apple.askpermissiond")
1497	+	+ ;;
1498	-	> (global-name "com.apple.AssetCacheLocatorService")
1498	+	+
1499	-	> (global-name "com.apple.accountsd.accountmanager")
1499	+	+ (version 1)
1500	-	> (global-name "com.apple.backupd.sandbox.xpc")
1500	+	+ (deny default)
1501	-	> (global-name "com.apple.ctkd.token-client")
1501	+	+
1502	-	> (global-name "com.apple.CoreAuthentication.agent.libxpc")
1502	+	+ (import "system.sb")
1503	-	> (global-name "com.apple.CoreAuthentication.agent")
1503	+	+ (system-graphics)
1504	-	> (global-name "com.apple.securityd.xpc")
1504	+	+
1505	-	> (global-name "com.apple.UNCUserNotification")
1505	+	+ (import "com.apple.corefoundation.sb")
1506	-	> (global-name "com.apple.coreservices.launcherror-handler")
1506	+	+
1507	-	> (global-name "com.apple.SystemConfiguration.configd")
1507	+	+ ;;; initialize CF sandbox actions
1508	-	> (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
1508	+	+ (corefoundation)
1509	-	> (global-name "com.apple.networkd")
1509	+	+
1510	-	> (global-name "com.apple.storehelper")
1510	+	+ ;; For resolving symlinks, realpath(3), and equivalents.
1511	-	> (global-name "com.apple.SecurityServer")
1511	+	+ (allow file-read-metadata)
1512	-	> (global-name "com.apple.PowerManagement.control")
1512	+	+
1513	-	> (global-name "com.apple.distributed_notifications@Uv3")
1513	+	+ (allow process-info* (target self))
1514	-	> (global-name "com.apple.usernoted.daemon_client")
1514	+	+
1515	-	> (global-name "com.apple.metadata.mds")
1515	+	+ ;; For validating the entitlements of clients.
1516	-	> (global-name "com.apple.CoreServices.coreservicesd")
1516	+	+ (allow process-info-codesignature)
1517	-	> (global-name "com.apple.ls.boxd")
1517	+	+
1518	-	> (global-name "com.apple.FileCoordination")
1518	+	+ (allow mach-lookup
1519	-	> (global-name "com.apple.ocspd")
1519	+	+ (global-name "com.apple.CoreServices.coreservicesd")
1520	-	> (global-name "com.apple.installd")
1520	+	+ (global-name "com.apple.coreservices.launchservicesd")
1521	-	> (global-name "com.apple.ProgressReporting")
1521	+	+ (global-name "com.apple.windowserver.active")
1522	-	> (global-name "com.apple.windowserver.active")
1522	+	+ (global-name "com.apple.analyticsd")
1523	-	> (global-name "com.apple.lsd.mapdb")
1523	+	+ (subpath "/Library/Video/Plug-Ins")
1524	-	> (global-name "com.apple.coreservices.launchservicesd")
1524	+	+ )
1525	-	> (global-name "com.apple.coreservices.appleevents")
1525	+	+
1526	-	> (global-name "com.apple.cookied")
1526	+	+ (allow file-map-executable
1527	-	> (global-name "com.apple.FontServer")
1527	+	+ (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
1528	-	> (global-name "com.apple.fonts")
1528	+	+ (subpath "/System/Library/Extensions")
1529	-	> (global-name "com.apple.FontObjectsServer")
1529	+	+ (subpath "/Library/Video/Plug-Ins")
1530	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd")
1530	+	+ )
1531	-	> (global-name "com.apple.cvmsServ")
1531	+	+
1532	-	> (global-name "com.apple.logind")
1532	+	+ ;; Preferences
1533	-	> (global-name "com.apple.coreservices.quarantine-resolver")
1533	+	+ (allow file-read*
1534	-	> (global-name "com.apple.familycontrols")
1534	+	+ (subpath "/Library/Video/Plug-Ins")
1535	-	> (global-name "com.apple.pluginkit.pkd")
1535	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
1536	-	> (global-name "com.apple.nsurlstorage-cache")
1536	+	+ (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
1537	-	> (global-name "com.apple.system.opendirectoryd.api")
1537	+	+ (literal "/Library/Preferences/.GlobalPreferences.plist")
1538	-	> (global-name "com.apple.CrashReporterSupportHelper")
1538	+	+ (regex #"^/private/var/db/cmiodalassistant/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1539	-	> (global-name "com.apple.cache_delete")
1539	+	+ )
1540	-	> (global-name "com.apple.ManagedClient.agent")
1540	+	+
1541	-	> (global-name "com.apple.cfnetwork.AuthBrokerAgent")
1541	+	+ ;; Preference domain.
1542	-	> (global-name "com.apple.pasteboard.1"))
1542	+	+ (allow user-preference-read
1543	-	>
1543	+	+ (preference-domain "com.apple.cmio")
1544	-	> (allow authorization-right-obtain
1544	+	+ (preference-domain "com.apple.coremedia")
1545	-	> (right-name "system.install.app-store-software")
1545	+	+ )
1546	-	> (right-name "system.install.apple-software")
1546	+	+
1547	-	> (right-name "system.install.app-store-software.standard-user")
1547	+	+ ;; Camera
1548	-	> (right-name "system.install.apple-software.standard-user")
1548	+	+ (allow device-camera)
1549	-	> (right-name "system.install.apple-config-data")
1549	+	+ (allow iokit-open
1550	-	> (right-name "system.install.software")
1550	+	+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
1551	-	> (right-name "system.install.software.iap")
1551	+	+ (iokit-user-client-class "IOUSBInterfaceUserClientV3")
1552	-	> (right-name "system.install.software.mdm-provided")
1552	+	+ (iokit-user-client-class "RootDomainUserClient")
1553	-	> (right-name "com.apple.SoftwareUpdate.modify-settings"))
1553	+	+ )
1554	-	>
1554	+	+
1555	-	> (allow iokit-open
1555	+	+ (allow iokit-open
1556	-	> (iokit-user-client-class "IOFramebufferSharedUserClient")
1556	+	+ (iokit-registry-entry-class "IGAccelDevice")
1557	-	> (iokit-user-client-class "RootDomainUserClient")
1557	+	+ (iokit-registry-entry-class "IGAccelSharedUserClient")
1558	-	> (iokit-user-client-class-regex #"AccelDevice$")
1558	+	+ (iokit-registry-entry-class "IGAccelVideoContextMain")
1559	-	> (iokit-user-client-class-regex #"SharedUserClient$")
1559	+	+ (iokit-registry-entry-class "IGAccelVideoContextMedia")
1560	-	> (iokit-user-client-class-regex #"GLContext$"))
1560	+	+ (iokit-registry-entry-class "IGAccelVideoContextVEBox")
1561	-	>
1561	+	+ (iokit-registry-entry-class "RootDomainUserClient")
1562	-	> (allow network-outbound)
1562	+	+ )
1563	-	> (allow system-socket)
1563	+	+
1564	-	> (allow distributed-notification-post)
1564	+	+ (allow iokit-get-properties)
1565	-	> (allow appleevent-send)
1565	+	+
1566	-	> (allow lsopen)
1566	+
1567		com.apple.cmio.iOSScreenCaptureAssistant.sb
1568		*** /System/Library/Sandbox/Profiles/com.apple.cmio.iOSScreenCaptureAssistant.sb 1969-12-31 16:00:00.000000000 -0800
1569		--- com.apple.cmio.iOSScreenCaptureAssistant.sb 2017-07-10 13:51:51.000000000 -0700
1570		***************
1571		* 0 **
1572		--- 1,161 ----
1573		+ ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1574		+ ;;
1575	-	5a6
1575	+	+ ;; WARNING: The sandbox rules in this file currently constitute
1576	-	> (import "bsd.sb")
1576	+	+ ;; Apple System Private Interface and are subject to change at any time and
1577	-	7a9
1577	+	+ ;; without notice.
1578	-	> (system-network)
1578	+	+ ;;
1579	-	40a43
1579	+	+
1580	-	> (global-name "com.apple.cookied")
1580	+	+ (version 1)
1581	-	44a48
1581	+	+ (deny default)
1582	-	> (global-name "com.apple.coreservices.quarantine-resolver")
1582	+	+
1583	-	54c58,59
1583	+	+ (import "system.sb")
1584	-	< (global-name "com.apple.locationd.desktop.synchronous"))
1584	+	+ (system-graphics)
1585	-	---
1585	+	+
1586	-	> (global-name "com.apple.locationd.desktop.synchronous")
1586	+	+ (import "com.apple.corefoundation.sb")
1587	-	> (global-name "com.apple.SharingServices"))
1587	+	+
1588	-	59a65,74
1588	+	+ ;;; initialize CF sandbox actions
1589	-	>
1589	+	+ (corefoundation)
1590	-	> (allow network-outbound
1590	+	+
1591	-	> (literal "/private/var/run/mDNSResponder")) ; to resolve host names
1591	+	+ (system-network)
1592	-	>
1592	+	+ (allow network-outbound
1593	-	> (allow ipc-posix-shm-read-data
1593	+	+ (literal "/private/var/run/usbmuxd")
1594	-	> (ipc-posix-name "FNetwork.defaultStorageSession"))
1594	+	+ (literal "/private/var/run/mDNSResponder")
1595	-	>
1595	+	+ (control-name "com.apple.network.statistics")
1596	-	> (allow network-outbound
1596	+	+ (control-name "com.apple.netsrc")
1597	-	> (remote ip))
1597	+	+ (remote ip)
1598	-	>
1598	+	+ )
1599		+
1600		+ (allow network-inbound )
1601		+ (allow network-bind (remote ip))
1602		+
1603		+ ;; For resolving symlinks, realpath(3), and equivalents.
1604		+ (allow file-read-metadata)
1605		+
1606		+ (allow nvram-get (nvram-variable "BSD Name"))
1607		+ (allow process-info* (target self))
1608		+
1609		+ ;; For validating the entitlements of clients.
1610	-	0a1,63
1610	+	+ (allow process-info-codesignature)
1611	-	> ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1611	+	+
1612	-	> ;;;
1612	+	+ (allow file-read*
1613	-	> ;;; WARNING: The sandbox rules in this file currently constitute
1613	+	+ (subpath "/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources")
1614	-	> ;;; Apple System Private Interface and are subject to change at any time and
1614	+	+ (subpath "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources")
1615	-	> ;;; without notice.
1615	+	+ (subpath "/private/var/db/mds")
1616	-	> ;;;
1616	+	+ (subpath "/Library/Audio/Plug-Ins/HAL")
1617	-	> (version 1)
1617	+	+ )
1618	-	>
1618	+	+
1619	-	> (deny default)
1619	+	+ (allow file-write*
1620	-	>
1620	+	+ (literal "/private/var/db/mds/system/mds.lock")
1621	-	> (import "system.sb")
1621	+	+ (subpath "/private/tmp")
1622	-	> (import "com.apple.corefoundation.sb")
1622	+	+ )
1623	-	> (corefoundation)
1623	+	+
1624	-	>
1624	+	+ ;; From com.apple.AirPlayXPCHelper
1625	-	> (deny file-map-executable iokit-get-properties process-info* nvram*)
1625	+	+ (allow iokit-open
1626	-	> (deny dynamic-code-generation)
1626	+	+ (iokit-user-client-class "IOAudioControlUserClient")
1627	-	>
1627	+	+ (iokit-user-client-class "IOAudioEngineUserClient")
1628	-	> (allow process-info* (target self))
1628	+	+ (iokit-user-client-class "IOAudio2DeviceUserClient")
1629	-	>
1629	+	+ (iokit-user-client-class "RootDomainUserClient")
1630	-	> (allow process-info-codesignature)
1630	+	+ (iokit-user-client-class "IOReportUserClient")
1631	-	>
1631	+	+ (iokit-user-client-class "IOBluetoothHCIUserClient")
1632	-	> (allow user-preference-read user-preference-write
1632	+	+ (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
1633	-	> (preference-domain "com.apple.coreservicesd"))
1633	+	+ (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
1634	-	>
1634	+	+ (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
1635	-	> (allow file-read*)
1635	+	+ (iokit-user-client-class "IOBluetoothDeviceUserClient")
1636	-	> (allow file-read-metadata)
1636	+	+ )
1637	-	>
1637	+	+
1638	-	> (allow file-write*
1638	+	+ ;; From com.apple.AirPlayXPCHelper
1639	-	> (subpath (param "DARWIN_USER_TEMP_DIR"))
1639	+	+ (allow mach-lookup
1640	-	> (subpath (param "DARWIN_USER_CACHE_DIR")))
1640	+	+ (global-name "com.apple.SecurityServer")
1641	-	>
1641	+	+ (global-name "com.apple.SystemConfiguration.DNSConfiguration")
1642	-	> (allow file-ioctl
1642	+	+ (global-name "com.apple.SystemConfiguration.configd")
1643	-	> (path "/dev/fsevents"))
1643	+	+ (global-name "com.apple.metadata.mds")
1644	-	>
1644	+	+ (global-name "com.apple.ocspd")
1645	-	> (allow ipc-posix-shm-write-create
1645	+	+ (global-name "com.apple.pluginkit.pkd")
1646	-	> (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
1646	+	+ (global-name "com.apple.spindump")
1647	-	> (allow ipc-posix-shm-write-data
1647	+	+ (global-name "com.apple.PairingManager")
1648	-	> (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
1648	+	+
1649	-	>
1649	+	+ (global-name "com.apple.audio.audiohald")
1650	-	> (allow mach-lookup
1650	+	+ (global-name "com.apple.audio.AudioComponentRegistrar")
1651	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd"))
1651	+	+ (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
1652	-	>
1652	+	+
1653	-	> (allow file-write*
1653	+	+ (global-name "com.apple.wirelessproxd")
1654	-	> (path "/System/Library/Caches/com.apple.Components2.SystemCache.Components"))
1654	+	+ (global-name "com.apple.windowserver.active")
1655	-	> (allow file-write*
1655	+	+
1656	-	> (path "/System/Library/Caches/com.apple.Components2.SystemCache.QuickTimeComponents"))
1656	+	+ (global-name "com.apple.AirPlayXPCHelper")
1657	-	> (allow file-write*
1657	+	+ (global-name "com.apple.coremedia.endpoint.xpc")
1658	-	> (path "/System/Library/Caches/com.apple.Components2.SystemCache.AudioComponents"))
1658	+	+ (global-name "com.apple.coremedia.endpointstream.xpc")
1659	-	>
1659	+	+ (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
1660	-	> (allow file-map-executable (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal"))
1660	+	+ (global-name "com.apple.coremedia.endpointpicker.xpc")
1661	-	>
1661	+	+ (global-name "com.apple.coremedia.endpointmanager.xpc")
1662	-	> (allow distributed-notification-post)
1662	+	+ (global-name "com.apple.AirPlayAgent.xpc")
1663	-	>
1663	+	+ (global-name "com.apple.AirPlayUIAgent.xpc")
1664	-	> (allow iokit-get-properties (iokit-property "Protocol Characteristics"))
1664	+	+
1665	-	> (allow iokit-get-properties (iokit-property "IOMediaIcon"))
1665	+	+ (global-name "com.apple.coresymbolicationd")
1666	-	> (allow iokit-get-properties (iokit-property "Ejectable"))
1666	+	+ (global-name "com.apple.awdd")
1667	-	> (allow iokit-get-properties (iokit-property "Removable"))
1667	+	+ (global-name "com.apple.SharingServices")
1668	-	> (allow iokit-get-properties (iokit-property "CoreStorage Encrypted"))
1668	+	+ (global-name "com.apple.bluetoothd")
1669	-	> (allow iokit-get-properties (iokit-property "IOClassNameOverride"))
1669	+	+ (global-name "com.apple.bluetoothaudiod")
1670	-	> (allow iokit-get-properties (iokit-property "od-server-name"))
1670	+	+ (global-name "com.apple.BluetoothDOServer")
1671	-	> (allow iokit-get-properties (iokit-property "image-path"))
1671	+	+ (global-name "com.apple.airportd")
1672	-	> (allow iokit-get-properties (iokit-property "filevault-image"))
1672	+	+
1673	-	> (allow iokit-get-properties (iokit-property "Product Identification"))
1673	+	+ (global-name "com.apple.PowerManagement.control")
1674		+ (global-name "com.apple.audio.coreaudiod")
1675		+ (global-name "com.apple.securityd.xpc")
1676	-	0a1,100
1676	+	+ (global-name "com.apple.lsd.mapdb")
1677	-	> ;;;
1677	+	+ (global-name "com.apple.lsd.modifydb")
1678	-	> ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind
1678	+	+ (global-name "com.apple.coremedia.routediscoverer.xpc")
1679	-	> ;;;
1679	+	+ (global-name "com.apple.coremedia.routingcontext.xpc")
1680	-	> ;;; Copyright (c) 2016 Apple Inc. All Rights reserved.
1680	+	+ (global-name "com.apple.analyticsd")
1681	-	> ;;;
1681	+	+ )
1682	-	> ;;; WARNING: The sandbox rules in this file currently constitute
1682	+	+
1683	-	> ;;; Apple System Private Interface and are subject to change at any time and
1683	+	+ ;; Preferences
1684	-	> ;;; without notice. The contents of this file are also auto-generated and
1684	+	+ (allow file-read*
1685	-	> ;;; not user editable; it may be overwritten at any time.
1685	+	+ (literal "/private/var/root/Library/Preferences/com.apple.cmio.plist")
1686	-	>
1686	+	+ (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
1687	-	> (version 1)
1687	+	+ (literal "/Library/Preferences/.GlobalPreferences.plist")
1688	-	>
1688	+	+ (literal "/Library/Preferences/com.apple.security.plist")
1689	-	> (deny default)
1689	+	+ (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1690	-	>
1690	+	+ )
1691	-	> (import "system.sb")
1691	+	+
1692	-	>
1692	+	+ ;; Preference domain.
1693	-	> (define (home-subpath home-relative-subpath)
1693	+	+ (allow user-preference-read
1694	-	> (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
1694	+	+ (preference-domain "com.apple.airplay")
1695	-	>
1695	+	+ (preference-domain "com.apple.coremedia")
1696	-	> (define (home-literal home-relative-literal)
1696	+	+ (preference-domain "com.apple.security")
1697	-	> (literal (string-append (param "HOME_DIR") home-relative-literal)))
1697	+	+ (preference-domain "com.apple.cmio")
1698	-	>
1698	+	+ )
1699	-	> (allow file-read-data)
1699	+	+
1700	-	>
1700	+	+ (allow ipc-posix-shm-read-data
1701	-	> (allow file-read-metadata)
1701	+	+ (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$")
1702	-	>
1702	+	+ (ipc-posix-name-regex #"^AudioIO")
1703	-	> (allow file-read*
1703	+	+ (ipc-posix-name "FNetwork.defaultStorageSession")
1704	-	> (subpath (param "DARWIN_USER_TEMP_DIR"))
1704	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged")
1705	-	> (subpath (param "DARWIN_USER_CACHE_DIR"))
1705	+	+ )
1706	-	> (subpath "/Library/Caches/com.apple.iconservices.store")
1706	+	+
1707	-	> (subpath "/Library/Keyboard Layouts")
1707	+	+ (allow ipc-posix-shm-write-data
1708	-	> (subpath "/private/var/db")
1708	+	+ (ipc-posix-name-regex #"^AudioIO")
1709	-	> (home-subpath "/Library/Keyboard Layouts")
1709	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged")
1710	-	> (literal "/Library/Preferences/com.apple.security.plist")
1710	+	+ )
1711	-	> (home-literal "/Library/Keychains/login.keychain-db")
1711	+	+
1712	-	> (home-literal "/.CFUserTextEncoding"))
1712	+	+ (allow ipc-posix-shm-read-metadata
1713	-	>
1713	+	+ (ipc-posix-name-regex #"^AudioIO")
1714	-	> (allow file-write*
1714	+	+ )
1715	-	> (subpath (param "DARWIN_USER_CACHE_DIR"))
1715	+	+
1716	-	> (subpath "/private/var/db/mds/system"))
1716	+	+ (allow file-map-executable
1717	-	>
1717	+	+ (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
1718	-	> (allow mach-lookup
1718	+	+ (subpath "/System/Library/Extensions")
1719	-	> (global-name "com.apple.audio.SystemSoundServer-OSX")
1719	+	+ )
1720	-	> (global-name "com.apple.coreservices.appleevents")
1720	+	+
1721	-	> (global-name "com.apple.coreservices.launchservicesd")
1721	+	+ ;; USB screen capture
1722	-	> (global-name "com.apple.CoreServices.coreservicesd")
1722	+	+ (allow iokit-open
1723	-	> (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
1723	+	+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
1724	-	> (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.daemon.libxpc")
1724	+	+ (iokit-user-client-class "IOUSBInterfaceUserClientV3")
1725	-	> (global-name "com.apple.ctkd.token-client")
1725	+	+ )
1726	-	> (global-name "com.apple.ctkd.watcher-client")
1726	+	+
1727	-	> (global-name "com.apple.cvmsServ")
1727	+	+ (allow iokit-open
1728	-	> (global-name "com.apple.decalog4.incoming")
1728	+	+ (iokit-registry-entry-class "RootDomainUserClient")
1729	-	> (global-name "com.apple.distributed_notifications@Uv3")
1729	+	+ )
1730	-	> (global-name "com.apple.dock.fullscreen")
1730	+	+
1731	-	> (global-name "com.apple.dock.server")
1731	+	+ (allow iokit-get-properties)
1732	-	> (global-name "com.apple.fonts")
1732	+	+
1733	-	> (global-name "com.apple.FSEvents")
1733	+	+
1734	-	> (global-name "com.apple.iconservices")
1734	+
1735	-	> (global-name "com.apple.iconservices.store")
1735	+
1736	-	> (global-name "com.apple.inputmethodkit.getxpcendpoint")
1736	+	*** /System/Library/Sandbox/Profiles/com.apple.colorsync.displayservices.sb 1969-12-31 16:00:00.000000000 -0800
1737	-	> (global-name "com.apple.inputmethodkit.launchagent")
1737	+	--- com.apple.colorsync.displayservices.sb 2017-07-10 13:51:51.000000000 -0700
1738	-	> (global-name "com.apple.inputmethodkit.launcher")
1738	+	***************
1739	-	> (global-name "com.apple.lsd.mapdb")
1739	+	* 0 **
1740	-	> (global-name "com.apple.pasteboard.1")
1740	+	--- 1,40 ----
1741	-	> (global-name "com.apple.quicklook.ui.helper.active")
1741	+	+ (version 1)
1742	-	> (global-name "com.apple.SecurityServer")
1742	+	+
1743	-	> (global-name "com.apple.system.opendirectoryd.api")
1743	+	+ (import "system.sb")
1744	-	> (global-name "com.apple.SystemConfiguration.configd")
1744	+	+
1745	-	> (global-name "com.apple.touchbar.agent")
1745	+	+ (deny default iokit-get-properties process-info*)
1746	-	> (global-name "com.apple.tsm.uiserver")
1746	+	+
1747	-	> (global-name "com.apple.window_proxies")
1747	+	+ (deny process-info*)
1748	-	> (global-name "com.apple.tccd.system")
1748	+	+ (allow process-info-pidinfo)
1749	-	> (global-name "com.apple.ocspd")
1749	+	+ (allow process-info-pidfdinfo (target self))
1750	-	> (global-name "com.apple.windowserver.active"))
1750	+	+ (allow process-info-pidfileportinfo (target self))
1751	-	>
1751	+	+ (allow process-info-setcontrol (target self))
1752	-	> (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
1752	+	+ (allow process-info-dirtycontrol (target self))
1753	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
1753	+	+ (allow process-info-rusage (target self))
1754	-	>
1754	+	+
1755	-	> (allow authorization-right-obtain
1755	+	+ (allow file-read-metadata file-read-data (literal "/"))
1756	-	> (right-name "com.apple.ctk.pair")
1756	+	+ (allow file-read-metadata)
1757	-	> (right-name "com.apple.ctkbind.admin"))
1757	+	+
1758	-	>
1758	+	+ (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
1759	-	> (allow user-preference-read
1759	+	+ (allow authorization-right-obtain (right-name "com.apple.private.AmbientDisplay.messaging"))
1760	-	> (preference-domain "com.apple.AppleMultitouchTrackpad")
1760	+	+
1761	-	> (preference-domain "com.apple.ctkbind")
1761	+	+ (allow-create-directory
1762	-	> (preference-domain "com.apple.HIToolbox")
1762	+	+ (literal "/Library/ColorSync")
1763	-	> (preference-domain "com.apple.universalaccess")
1763	+	+ (literal "/Library/ColorSync/Profiles"))
1764	-	> (preference-domain "kCFPreferencesAnyApplication"))
1764	+	+ (allow file-read*
1765	-	>
1765	+	+ (literal "/Library/ColorSync/Profiles"))
1766	-	> (allow user-preference-read user-preference-write
1766	+	+ (allow file-read* file-write*
1767	-	> (preference-domain "com.apple.ctkbind")
1767	+	+ (prefix "/Library/ColorSync/Profiles/"))
1768	-	> (preference-domain "com.apple.security.smartcard")
1768	+	+
1769	-	> (preference-domain "com.apple.security.tokenlogin"))
1769	+	+ ;; deny the removal of these pre-installed profiles.
1770	-	>
1770	+	+ (deny file-write-unlink
1771	-	> (allow iokit-open
1771	+	+ (literal "/Library/ColorSync/Profiles/Black & White.icc")
1772	-	> (iokit-registry-entry-class "IGAccelCommandQueue")
1772	+	+ (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
1773	-	> (iokit-registry-entry-class "IGAccelDevice")
1773	+	+ (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
1774	-	> (iokit-user-client-class "AppleKeyStoreUserClient")
1774	+	+ (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
1775	-	> (iokit-user-client-class "IGAccelSharedUserClient")
1775	+	+ (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
1776	-	> (iokit-user-client-class "IOSurfaceRootUserClient"))
1776	+	+ (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
1777		+
1778		+ (allow mach-lookup
1779		+ (global-name "com.apple.CoreServices.coreservicesd"))
1780		+
1781		--
1782		com.apple.colorsync.useragent.sb
1783		*** /System/Library/Sandbox/Profiles/com.apple.colorsync.useragent.sb 1969-12-31 16:00:00.000000000 -0800
1784		--- com.apple.colorsync.useragent.sb 2017-07-10 13:51:50.000000000 -0700
1785	-	38c38
1785	+	***************
1786	-	< (regex "/private/var/folders/.*/mds/mds.lock"))
1786	+	* 0 **
1787	-	---
1787	+	--- 1,48 ----
1788	-	> (regex #"/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$"))
1788	+	+ ;;
1789	-	44,52c44,51
1789	+	+ ;; ColorSync User Agent - sandbox profile
1790	-	< (regex "/Users/.*/Library/Preferences/.GlobalPreferences.plist")
1790	+	+ ;; Copyright (c) 2016 Apple Inc. All Rights reserved.
1791	-	< (regex "/Users/./Library/Preferences/ByHost/.GlobalPreferences\..\.plist")
1791	+	+ ;;
1792	-	< (regex "/AppleInternal/Library/CacheDelete")
1792	+	+ ;; WARNING: The sandbox rules in this file currently constitute
1793	-	< (regex "/AppleInternal/Library/CacheDelete/.*")
1793	+	+ ;; Apple System Private Interface and are subject to change at any time and
1794	-	< (regex "/Applications/.*")
1794	+	+ ;; without notice. The contents of this file are also auto-generated and not
1795	-	< (regex "/private/var/folders/.*/mds/mds.lock")
1795	+	+ ;; user editable; it may be overwritten at any time.
1796	-	< (regex "/private/var/folders/./com.apple.LaunchServices-.\.csstore")
1796	+	+ ;;
1797	-	< (regex "*\.appex")
1797	+	+
1798	-	< (subpath "/System/Library/CacheDelete"))
1798	+	+ (version 1)
1799	-	---
1799	+	+ (deny default)
1800	-	> (regex "^/Users/[^/]+/Library/Preferences/\.GlobalPreferences\.plist$")
1800	+	+ (import "system.sb")
1801	-	> (regex "^/Users/[^/]+/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
1801	+	+
1802	-	> (regex "^/Applications/.*$")
1802	+	+ ;;; Home Directory
1803	-	> (regex "^/private/var/folders/.*/mds/mds\.lock$")
1803	+	+ (define (home-subpath home-relative-subpath)
1804	-	> (regex "^/private/var/folders/./com.apple.LaunchServices-.\.csstore$")
1804	+	+ (subpath (string-append (param "_HOME") home-relative-subpath)))
1805	-	> (regex "^./[^/]\.appex$")
1805	+	+ (define (home-literal home-relative-literal)
1806	-	> (subpath "/System/Library/CacheDelete")
1806	+	+ (literal (string-append (param "_HOME") home-relative-literal)))
1807	-	> (subpath "/AppleInternal/Library/CacheDelete"))
1807	+	+ (define (home-regex home-relative-regex)
1808	-	63a63,64
1808	+	+ (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
1809	-	> (global-name "com.apple.DiskArbitration.diskarbitrationd")
1809	+	+
1810	-	> (global-name "com.apple.diskmanagementd")
1810	+	+ (allow file-read-metadata)
1811	-	66a68,69
1811	+	+
1812	-	> (allow iokit-open (iokit-user-client-class "AppleAPFSUserClient"))
1812	+	+ (allow file-read* file-write*
1813	-	>
1813	+	+ (subpath (param "DARWIN_USER_DIR"))
1814		+ (subpath (param "DARWIN_USER_TEMP_DIR"))
1815		+ (subpath (param "DARWIN_USER_CACHE_DIR")))
1816		+
1817		+ (allow file-read*
1818		+ (literal "/Volumes")
1819	-	0a1,11
1819	+	+ (literal "/Library/Preferences/.GlobalPreferences.plist")
1820	-	> (version 1)
1820	+	+ (subpath "/Library/Printers")
1821	-	> (deny default)
1821	+	+ (subpath "/Library/ImageCapture/Devices")
1822	-	>
1822	+	+ (subpath "/Library/ColorSync/Profiles")
1823	-	> (import "system.sb")
1823	+	+ (subpath "System/Library/ColorSync/Profiles"))
1824	-	> (allow mach-lookup
1824	+	+
1825	-	> (global-name "com.apple.distributed_notifications@1v3")
1825	+	+ (allow file-read*
1826	-	> (global-name "com.apple.distributed_notifications@Uv3")
1826	+	+ (home-literal ".CFUserTextEncoding")
1827	-	> (global-name "com.apple.distributed_notifications@0v3")
1827	+	+ (home-subpath "/Library/Printers")
1828	-	> (local-name "com.apple.distributed_notifications@1v3")
1828	+	+ (home-subpath "/Library/ImageCapture/Devices")
1829	-	> (local-name "com.apple.distributed_notifications@Uv3")
1829	+	+ (home-subpath "/Library/ColorSync/Profiles"))
1830	-	> (local-name "com.apple.distributed_notifications@0v3"))
1830	+	+
1831		+
1832		+
1833	-	28c28,29
1833	+	+ (allow mach-lookup
1834	-	< (subpath "/Library/Application\ Support"))
1834	+	+ (global-name "com.apple.CoreServices.coreservicesd"))
1835	-	---
1835	+	+
1836	-	> (subpath "/Library/Application\ Support")
1836	+
1837	-	> (subpath "/usr"))
1837	+
1838		*** /System/Library/Sandbox/Profiles/com.apple.commerce.sb 1969-12-31 16:00:00.000000000 -0800
1839		--- com.apple.commerce.sb 2017-07-10 13:51:50.000000000 -0700
1840	-	0a1,22
1840	+	***************
1841	-	> ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
1841	+	* 0 **
1842	-	> ;;;
1842	+	--- 1,162 ----
1843	-	> ;;; WARNING: The sandbox rules in this file currently constitute
1843	+	+ (version 1)
1844	-	> ;;; Apple System Private Interface and are subject to change at any time and
1844	+	+ (deny default)
1845	-	> ;;; without notice.
1845	+	+
1846	-	> ;;;
1846	+	+ (import "system.sb")
1847	-	> (version 1)
1847	+	+ (import "com.apple.corefoundation.sb")
1848	-	>
1848	+	+ (corefoundation)
1849	-	> (deny default)
1849	+	+
1850	-	> (deny file-map-executable iokit-get-properties process-info* nvram*)
1850	+	+ (allow file-read-metadata)
1851	-	> (deny dynamic-code-generation)
1851	+	+
1852	-	>
1852	+	+ (allow file-issue-extension
1853	-	> (import "system.sb")
1853	+	+ (subpath "/Library/Documentation/Help/MacHelp.help")
1854	-	>
1854	+	+ (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1855	-	> ;; For reading dylibs
1855	+	+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1856	-	> (allow file-read*)
1856	+	+ (regex #"/Library/Caches/storeassetd")
1857	-	>
1857	+	+ (regex #"[a-z0-9]+\.app(/\|$)"))
1858	-	> ;; For resolving symlinks, realpath(3), and equivalents.
1858	+	+
1859	-	> (allow file-read-metadata)
1859	+	+ (allow file-read*
1860	-	>
1860	+	+ (regex #"\.app(/\|$)")
1861	-	> ;; for logging name of client
1861	+	+ (regex #"/CommerceKit\.framework")
1862	-	> (allow process-info-pidinfo)
1862	+	+ (literal "/private/etc/hosts")
1863		+ (literal "/private/var/db/mds/system/mdsDirectory.db")
1864		+ (literal "/private/var/db/mds/system/mdsObject.db")
1865		+ (literal "/Library/Preferences/com.apple.AECT.plist")
1866		+ (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
1867		+ (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
1868	-	11,12c11,12
1868	+	+ (literal "/Library/Preferences/com.apple.loginwindow.plist")
1869	-	< (subpath "/System/Library/PrivateFrameworks/SSOClient.framework")
1869	+	+ (literal "/private/var/db/PreviousSystemVersion.plist")
1870	-	< (subpath "/System/Library/Frameworks/SSOClient.framework")
1870	+	+ (subpath "/Applications")
1871	-	---
1871	+	+ (subpath "/Library/Documentation/Help/MacHelp.help")
1872	-	> (subpath "/System/Library/PrivateFrameworks")
1872	+	+ (subpath "/Users/Shared")
1873	-	> (subpath "/System/Library/Frameworks")
1873	+	+ (regex "/Library/Bundles/[^/]+.bundle")
1874	-	15a16
1874	+	+ (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
1875	-	> (subpath "/Library/Frameworks/SplunkKit.framework")
1875	+	+ (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
1876		+ (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
1877		+ (regex #"/Library/Preferences/com.apple.security\.plist$")
1878		+ (regex #"/\.CFUserTextEncoding$")
1879		+ (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
1880		+
1881		+ (allow file-read* file-write*
1882		+ (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
1883		+ (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
1884		+ (literal "/private/var/db/mds/system/mds.lock")
1885		+ (subpath "/private/var/root/Library/Caches/com.apple.commerce")
1886		+ (subpath "/private/var/tmp")
1887	-	0a1,61
1887	+	+ (subpath "/private/var/folders")
1888	-	> (version 1)
1888	+	+ (subpath "/private/tmp")
1889	-	> (deny default)
1889	+	+ (subpath "/Users/Shared/adi")
1890	-	>
1890	+	+ (subpath "/Users/Shared/SC Info")
1891	-	> (import "system.sb")
1891	+	+ (regex #"/Library/Caches/com\.apple\.commerce")
1892	-	> (import "com.apple.corefoundation.sb")
1892	+	+ (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
1893	-	> (import "bsd.sb")
1893	+	+ (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
1894	-	>
1894	+	+ (regex #"/Library/Cookies/com\.apple\.(appstore\|iBooksX\|ibooks\|iTunes\|configurator(\.ui)?)\.(binary)?cookies")
1895	-	> (system-network)
1895	+	+ (regex #"/Library/Cookies/Cookies\.binarycookies")
1896	-	> (corefoundation)
1896	+	+
1897	-	>
1897	+	+ (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
1898	-	> (allow mach-lookup
1898	+	+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
1899	-	> (global-name "com.apple.bird.token")
1899	+	+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)")
1900	-	> (global-name "com.apple.cloudd")
1900	+	+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/\|$)")
1901	-	> (global-name "com.apple.cookied")
1901	+	+ (regex #"/\.TemporaryItems(/\|$)")
1902	-	> (global-name "com.apple.CoreServices.coreservicesd")
1902	+	+ (regex #"/Library/Keychains/")
1903	-	> (global-name "com.apple.coreservices.quarantine-resolver")
1903	+	+ (regex #"^/etilqs_"))
1904	-	> (global-name "com.apple.coreduetd.knowledge.user")
1904	+	+
1905	-	> (global-name "com.apple.lsd.mapdb"))
1905	+	+ (allow user-preference-read
1906	-	>
1906	+	+ (preference-domain "kCFPreferencesAnyApplication"))
1907	-	> (allow file*
1907	+	+
1908	-	> (subpath (param "_USER_TEMP_DIR"))
1908	+	+ (allow user-preference*
1909	-	> (subpath (string-append (param "_HOME") "/Library/Caches/knowledge-agent"))
1909	+	+ (preference-domain "com.apple.bookstoreagent")
1910	-	> (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
1910	+	+ (preference-domain "com.apple.storeagent")
1911	-	> (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
1911	+	+ (preference-domain "com.apple.iTunes")
1912	-	> (subpath (string-append (param "_HOME") "/Library/Application Support/Knowledge")))
1912	+	+ (preference-domain "com.apple.appstore")
1913	-	>
1913	+	+ (preference-domain "com.apple.ibooks")
1914	-	> (allow file-read* file-write*
1914	+	+ (preference-domain "com.apple.commerce")
1915	-	> (subpath (string-append (param "_HOME") "/Library/Caches/CloudKit/com.apple.knowledge-agent")))
1915	+	+ (preference-domain "com.apple.commerce.configurator")
1916	-	>
1916	+	+ (preference-domain "com.apple.appstore.commerce")
1917	-	> (allow file-read-metadata
1917	+	+ (preference-domain "com.apple.iBooksX.commerce")
1918	-	> (subpath (string-append (param "_HOME") "/Library"))
1918	+	+ (preference-domain "com.apple.configurator.ui.commerce"))
1919	-	> (subpath "/usr"))
1919	+	+
1920	-	>
1920	+	+ (allow ipc-posix-shm-read-data
1921	-	> (allow file-read-data
1921	+	+ (ipc-posix-name "FNetwork.defaultStorageSession")
1922	-	> (literal "/usr/libexec")
1922	+	+ (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
1923	-	> (subpath "/usr/libexec/knowledge-agent")
1923	+	+ (ipc-posix-name "apple.shm.notification_center")
1924	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
1924	+	+ (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
1925	-	> (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
1925	+	+
1926	-	> (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
1926	+	+ (allow ipc-posix-shm-read* ipc-posix-shm-write-data
1927	-	> (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
1927	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
1928	-	> (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]*\.plist$"))
1928	+	+
1929	-	> (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/knowledge-agent\.[^/]*\.plist$"))
1929	+	+ (allow mach-register (global-name "com.apple.commerce"))
1930	-	> (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$")))
1930	+	+
1931	-	>
1931	+	+ (allow mach-lookup
1932	-	> (allow file-read-metadata
1932	+	+ (global-name "com.apple.apsd")
1933	-	> (literal "/AppleInternal")
1933	+	+ (global-name "com.apple.adid")
1934	-	> (literal (param "_HOME")))
1934	+	+ (global-name "com.apple.fpsd")
1935	-	>
1935	+	+ (global-name "com.apple.askpermissiond")
1936	-	> (allow file-read*
1936	+	+ (global-name "com.apple.AssetCacheLocatorService")
1937	-	> (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
1937	+	+ (global-name "com.apple.accountsd.accountmanager")
1938	-	> (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
1938	+	+ (global-name "com.apple.backupd.sandbox.xpc")
1939	-	>
1939	+	+ (global-name "com.apple.ctkd.token-client")
1940	-	> (allow network-outbound
1940	+	+ (global-name "com.apple.CoreAuthentication.agent.libxpc")
1941	-	> (literal "/private/var/run/mDNSResponder")) ; to resolve host names
1941	+	+ (global-name "com.apple.CoreAuthentication.agent")
1942	-	>
1942	+	+ (global-name "com.apple.securityd.xpc")
1943	-	> (allow ipc-posix-shm-read-data
1943	+	+ (global-name "com.apple.UNCUserNotification")
1944	-	> (ipc-posix-name "FNetwork.defaultStorageSession"))
1944	+	+ (global-name "com.apple.coreservices.launcherror-handler")
1945	-	>
1945	+	+ (global-name "com.apple.SystemConfiguration.configd")
1946	-	> (allow network-outbound
1946	+	+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
1947	-	> (remote ip)) ; to download policy updates
1947	+	+ (global-name "com.apple.networkd")
1948	-	>
1948	+	+ (global-name "com.apple.storehelper")
1949		+ (global-name "com.apple.SecurityServer")
1950		+ (global-name "com.apple.PowerManagement.control")
1951	-	1c1
1951	+	+ (global-name "com.apple.distributed_notifications@Uv3")
1952	-	< ;; Copyright (c) 2015 Apple Inc. All Rights reserved.
1952	+	+ (global-name "com.apple.usernoted.daemon_client")
1953	-	---
1953	+	+ (global-name "com.apple.metadata.mds")
1954	-	> ;; Copyright (c) 2015-2017 Apple Inc. All Rights reserved.
1954	+	+ (global-name "com.apple.CoreServices.coreservicesd")
1955	-	17,19c17,19
1955	+	+ (global-name "com.apple.ls.boxd")
1956	-	< (regex #"^(/private)?/var/db/diagnostics(/\|$)")
1956	+	+ (global-name "com.apple.FileCoordination")
1957	-	< (regex #"^(/private)?/var/db/uuidtext(/\|$)")
1957	+	+ (global-name "com.apple.ocspd")
1958	-	< )
1958	+	+ (global-name "com.apple.installd")
1959	-	---
1959	+	+ (global-name "com.apple.ProgressReporting")
1960	-	> (regex #"^/private/var/db/diagnostics(/\|$)")
1960	+	+ (global-name "com.apple.windowserver.active")
1961	-	> (regex #"^/private/var/db/timesync(/\|$)")
1961	+	+ (global-name "com.apple.lsd.mapdb")
1962	-	> (regex #"^/private/var/db/uuidtext(/\|$)"))
1962	+	+ (global-name "com.apple.coreservices.launchservicesd")
1963	-	22,24c22,24
1963	+	+ (global-name "com.apple.coreservices.appleevents")
1964	-	< (regex #"^(/private)?/var/db/diagnostics(/\|$)")
1964	+	+ (global-name "com.apple.cookied")
1965	-	< (regex #"^/private/var/db/timezone(/\|$)")
1965	+	+ (global-name "com.apple.FontServer")
1966	-	< )
1966	+	+ (global-name "com.apple.fonts")
1967	-	---
1967	+	+ (global-name "com.apple.FontObjectsServer")
1968	-	> (regex #"^/private/var/db/diagnostics(/\|$)")
1968	+	+ (global-name "com.apple.DiskArbitration.diskarbitrationd")
1969	-	> (regex #"^/private/var/db/timesync(/\|$)")
1969	+	+ (global-name "com.apple.cvmsServ")
1970	-	> (regex #"^/private/var/db/timezone(/\|$)"))
1970	+	+ (global-name "com.apple.logind")
1971	-	30a31
1971	+	+ (global-name "com.apple.coreservices.quarantine-resolver")
1972	-	> (subpath "/private/var/db/timesync")
1972	+	+ (global-name "com.apple.familycontrols")
1973	-	35,36c36
1973	+	+ (global-name "com.apple.pluginkit.pkd")
1974	-	< (remote unix-socket (path-literal "/private/var/run/syslog"))
1974	+	+ (global-name "com.apple.nsurlstorage-cache")
1975	-	< )
1975	+	+ (global-name "com.apple.system.opendirectoryd.api")
1976	-	---
1976	+	+ (global-name "com.apple.CrashReporterSupportHelper")
1977	-	> (remote unix-socket (path-literal "/private/var/run/syslog")))
1977	+	+ (global-name "com.apple.cache_delete")
1978		+ (global-name "com.apple.ManagedClient.agent")
1979		+ (global-name "com.apple.cfnetwork.AuthBrokerAgent")
1980	-	8,10c8
1980	+	+ (global-name "com.apple.pasteboard.1"))
1981	-	< (allow file-read-data)
1981	+	+
1982	-	< (allow file-read-metadata)
1982	+	+ (allow authorization-right-obtain
1983	-	<
1983	+	+ (right-name "system.install.app-store-software")
1984	-	---
1984	+	+ (right-name "system.install.apple-software")
1985	-	> (allow file-read-metadata (path "/"))
1985	+	+ (right-name "system.install.app-store-software.standard-user")
1986		+ (right-name "system.install.apple-software.standard-user")
1987		+ (right-name "system.install.apple-config-data")
1988		+ (right-name "system.install.software")
1989		+ (right-name "system.install.software.iap")
1990		+ (right-name "system.install.software.mdm-provided")
1991		+ (right-name "com.apple.SoftwareUpdate.modify-settings"))
1992		+
1993		+ (allow iokit-open
1994	-	20,21c20,21
1994	+	+ (iokit-user-client-class "IOFramebufferSharedUserClient")
1995	-	< (regex #"^/Library/Preferences/com\.apple\.networkextension(\.necp\|\.control\|\.cache)?\.plist")
1995	+	+ (iokit-user-client-class "RootDomainUserClient")
1996	-	< (regex #"^/Library/Preferences/com\.apple\.networkd(\.sysctl)?\.plist")
1996	+	+ (iokit-user-client-class-regex #"AccelDevice$")
1997	-	---
1997	+	+ (iokit-user-client-class-regex #"SharedUserClient$")
1998	-	> (regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist")
1998	+	+ (iokit-user-client-class-regex #"GLContext$"))
1999	-	> (regex #"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist")
1999	+	+
2000	-	26c26
2000	+	+ (allow network-outbound)
2001	-	< (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)"))
2001	+	+ (allow system-socket)
2002	-	---
2002	+	+ (allow distributed-notification-post)
2003	-	> (subpath (param "TEMPDIR")))
2003	+	+ (allow appleevent-send)
2004	-	67a68,69
2004	+	+ (allow lsopen)
2005	-	> (global-name "com.apple.mobileassetd")
2005	+
2006	-	> (global-name "com.apple.mobileassetd.v2")
2006	+
2007	-	69a72,75
2007	+	*** /System/Library/Sandbox/Profiles/com.apple.commerced.sb 1969-12-31 16:00:00.000000000 -0800
2008	-	> ;;; MobileAsset
2008	+	--- com.apple.commerced.sb 2017-07-10 13:51:50.000000000 -0700
2009	-	> (allow user-preference-read (preference-domain "com.apple.MobileAsset"))
2009	+	***************
2010	-	> (allow user-preference-read (preference-domain "com.apple.SoftwareUpdate"))
2010	+	* 0 **
2011	-	>
2011	+	--- 1,161 ----
2012		+ (version 1)
2013		+ (deny default)
2014	-	48d47
2014	+	+
2015	-	< (literal "/usr/libexec/discoveryd")
2015	+	+ (import "system.sb")
2016		+ (import "com.apple.corefoundation.sb")
2017		+ (corefoundation)
2018	-	33,34c33
2018	+	+
2019	-	< (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log")
2019	+	+ (allow file-read-metadata)
2020	-	< (regex "/private/var/folders/.*"))
2020	+	+
2021	-	---
2021	+	+ (allow file-issue-extension
2022	-	> (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log"))
2022	+	+ (subpath "/Library/Documentation/Help/MacHelp.help")
2023		+ (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
2024		+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
2025		+ (regex #"/Library/Caches/storeassetd")
2026		+ (regex #"[a-z0-9]+\.app(/\|$)"))
2027		+
2028		+ (allow file-read*
2029		+ (regex #"\.app(/\|$)")
2030		+ (regex #"/CommerceKit\.framework")
2031		+ (literal "/private/etc/hosts")
2032		+ (literal "/private/var/db/mds/system/mdsDirectory.db")
2033		+ (literal "/private/var/db/mds/system/mdsObject.db")
2034		+ (literal "/Library/Preferences/com.apple.AECT.plist")
2035		+ (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
2036		+ (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
2037		+ (literal "/Library/Preferences/com.apple.loginwindow.plist")
2038		+ (literal "/private/var/db/PreviousSystemVersion.plist")
2039		+ (subpath "/Applications")
2040	-	5c5,20
2040	+	+ (subpath "/Library/Documentation/Help/MacHelp.help")
2041	-	< (allow ipc-posix-shm (ipc-posix-name-regex #"^CFPBS:"))
2041	+	+ (subpath "/Users/Shared")
2042	-	---
2042	+	+ (regex "/Library/Bundles/[^/]+.bundle")
2043	-	>
2043	+	+ (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
2044	-	> ; Enable pboard to call realpath() and re-issue sandbox extensions for file promises.
2044	+	+ (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
2045	-	> (allow file-read-metadata)
2045	+	+ (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
2046	-	> (allow file-issue-extension
2046	+	+ (regex #"/Library/Preferences/com.apple.security\.plist$")
2047	-	> (require-all
2047	+	+ (regex #"/\.CFUserTextEncoding$")
2048	-	> (extension-class "com.apple.app-sandbox.read")
2048	+	+ (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
2049	-	> (extension "com.apple.app-sandbox.read")))
2049	+	+
2050	-	> (allow file-issue-extension
2050	+	+ (allow file-read* file-write*
2051	-	> (require-all
2051	+	+ (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
2052	-	> (extension-class "com.apple.app-sandbox.read")
2052	+	+ (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
2053	-	> (extension "com.apple.app-sandbox.read-write")))
2053	+	+ (literal "/private/var/db/mds/system/mds.lock")
2054	-	> (allow file-issue-extension
2054	+	+ (subpath "/private/var/root/Library/Caches/com.apple.commerce")
2055	-	> (require-all
2055	+	+ (subpath "/private/var/tmp")
2056	-	> (extension-class "com.apple.app-sandbox.read-write")
2056	+	+ (subpath "/private/var/folders")
2057	-	> (extension "com.apple.app-sandbox.read-write")))
2057	+	+ (subpath "/private/tmp")
2058	-	>
2058	+	+ (subpath "/Users/Shared/adi")
2059	-	8,9c23
2059	+	+ (subpath "/Users/Shared/SC Info")
2060	-	< (global-name "com.apple.lsd.mapdb")
2060	+	+ (regex #"/Library/Caches/com\.apple\.commerce")
2061	-	< (local-name "com.apple.CFPasteboardClient"))
2061	+	+ (regex #"/Library/Caches/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)(/CommerceRequestCache/?)?")
2062	-	---
2062	+	+ (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
2063	-	> (global-name "com.apple.lsd.mapdb"))
2063	+	+ (regex #"/Library/Cookies/com\.apple\.(appstore\|iBooksX\|ibooks\|iTunes\|configurator(\.ui)?)\.(binary)?cookies")
2064		+ (regex #"/Library/Cookies/Cookies\.binarycookies")
2065		+
2066		+ (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
2067		+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore\|iBooksX\|iTunes\|configurator\.ui)")
2068		+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)")
2069	-	189a190
2069	+	+ (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/\|$)")
2070	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
2070	+	+ (regex #"/\.TemporaryItems(/\|$)")
2071		+ (regex #"/Library/Keychains/")
2072		+ (regex #"^/etilqs_"))
2073	-	144a145
2073	+	+
2074	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
2074	+	+ (allow user-preference-read
2075		+ (preference-domain "kCFPreferencesAnyApplication"))
2076		+
2077	-	0a1,47
2077	+	+ (allow user-preference*
2078	-	> ;
2078	+	+ (preference-domain "com.apple.bookstoreagent")
2079	-	> ; Copyright (C) 2017 Apple Inc. All Rights Reserved.
2079	+	+ (preference-domain "com.apple.storeagent")
2080	-	> ;
2080	+	+ (preference-domain "com.apple.iTunes")
2081	-	> ; Sandbox profile for rapportd.
2081	+	+ (preference-domain "com.apple.appstore")
2082	-	> ;
2082	+	+ (preference-domain "com.apple.commerce")
2083	-	>
2083	+	+ (preference-domain "com.apple.commerce.configurator")
2084	-	> (version 1)
2084	+	+ (preference-domain "com.apple.appstore.commerce")
2085	-	> (deny default)
2085	+	+ (preference-domain "com.apple.iBooksX.commerce")
2086	-	>
2086	+	+ (preference-domain "com.apple.configurator.ui.commerce"))
2087	-	> (import "com.apple.corefoundation.sb")
2087	+	+
2088	-	> (import "system.sb")
2088	+	+ (allow ipc-posix-shm-read-data
2089	-	>
2089	+	+ (ipc-posix-name "FNetwork.defaultStorageSession")
2090	-	> (allow distributed-notification-post)
2090	+	+ (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
2091	-	> (allow file-read*
2091	+	+ (ipc-posix-name "apple.shm.notification_center")
2092	-	> (subpath "/"))
2092	+	+ (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
2093	-	> (allow file-write*
2093	+	+
2094	-	> (subpath "/Library/Application Support/Rapport")
2094	+	+ (allow ipc-posix-shm-read* ipc-posix-shm-write-data
2095	-	> (regex #"^/Library/Keychains/System.keychain")
2095	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
2096	-	> (literal "/private/var/db/mds/system/mds.lock")
2096	+	+
2097	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
2097	+	+ (allow mach-register (global-name "com.apple.commerced"))
2098	-	> (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($\|/)")
2098	+	+
2099	-	> (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($\|/)")
2099	+	+ (allow mach-lookup
2100	-	> )
2100	+	+ (global-name "com.apple.apsd")
2101	-	> (allow mach-lookup
2101	+	+ (global-name "com.apple.adid")
2102	-	> (global-name "com.apple.analyticsd")
2102	+	+ (global-name "com.apple.fpsd")
2103	-	> (global-name "com.apple.AutoUnlock.AuthenticationHintsProvider")
2103	+	+ (global-name "com.apple.askpermissiond")
2104	-	> (global-name "com.apple.awdd")
2104	+	+ (global-name "com.apple.AssetCacheLocatorService")
2105	-	> (global-name "com.apple.bluetoothd")
2105	+	+ (global-name "com.apple.accountsd.accountmanager")
2106	-	> (global-name "com.apple.cloudd")
2106	+	+ (global-name "com.apple.backupd.sandbox.xpc")
2107	-	> (global-name "com.apple.coreduetd.context")
2107	+	+ (global-name "com.apple.ctkd.token-client")
2108	-	> (global-name "com.apple.coreduetd.knowledgebase")
2108	+	+ (global-name "com.apple.CoreAuthentication.agent.libxpc")
2109	-	> (global-name "com.apple.coresymbolicationd")
2109	+	+ (global-name "com.apple.CoreAuthentication.agent")
2110	-	> (global-name "com.apple.distributed_notifications@1v3")
2110	+	+ (global-name "com.apple.securityd.xpc")
2111	-	> (global-name "com.apple.managedconfiguration.profiled")
2111	+	+ (global-name "com.apple.UNCUserNotification")
2112	-	> (global-name "com.apple.networkd")
2112	+	+ (global-name "com.apple.coreservices.launcherror-handler")
2113	-	> (global-name "com.apple.ocspd")
2113	+	+ (global-name "com.apple.SystemConfiguration.configd")
2114	-	> (global-name "com.apple.PairingManager")
2114	+	+ (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
2115	-	> (global-name "com.apple.securityd.xpc")
2115	+	+ (global-name "com.apple.networkd")
2116	-	> (global-name "com.apple.SecurityServer")
2116	+	+ (global-name "com.apple.storehelper")
2117	-	> (global-name "com.apple.server.bluetooth")
2117	+	+ (global-name "com.apple.SecurityServer")
2118	-	> (global-name "com.apple.wifi.manager")
2118	+	+ (global-name "com.apple.PowerManagement.control")
2119	-	> (global-name "com.apple.wirelessproxd"))
2119	+	+ (global-name "com.apple.distributed_notifications@Uv3")
2120	-	> (allow network*)
2120	+	+ (global-name "com.apple.usernoted.daemon_client")
2121	-	> (allow system-socket)
2121	+	+ (global-name "com.apple.metadata.mds")
2122	-	> (allow user-preference-read user-preference-write
2122	+	+ (global-name "com.apple.CoreServices.coreservicesd")
2123	-	> (preference-domain "com.apple.rapport")
2123	+	+ (global-name "com.apple.ls.boxd")
2124	-	> )
2124	+	+ (global-name "com.apple.FileCoordination")
2125		+ (global-name "com.apple.ocspd")
2126		+ (global-name "com.apple.installd")
2127	-	12a13
2127	+	+ (global-name "com.apple.ProgressReporting")
2128	-	> (global-name "com.apple.parsecd") ;; to get flight information from Parsec (for flight template-less)
2128	+	+ (global-name "com.apple.windowserver.active")
2129		+ (global-name "com.apple.lsd.mapdb")
2130		+ (global-name "com.apple.coreservices.launchservicesd")
2131		+ (global-name "com.apple.coreservices.appleevents")
2132		+ (global-name "com.apple.cookied")
2133		+ (global-name "com.apple.FontServer")
2134	-	27a28
2134	+	+ (global-name "com.apple.fonts")
2135	-	> (literal "/private/var/db/mds/system/mds.lock")
2135	+	+ (global-name "com.apple.FontObjectsServer")
2136	-	31,36d31
2136	+	+ (global-name "com.apple.DiskArbitration.diskarbitrationd")
2137	-	< (allow file-issue-extension
2137	+	+ (global-name "com.apple.cvmsServ")
2138	-	< (home-literal "/Library/Caches/rtcreportingd")
2138	+	+ (global-name "com.apple.logind")
2139	-	< (require-all
2139	+	+ (global-name "com.apple.coreservices.quarantine-resolver")
2140	-	< (extension-class "com.apple.rtcreporting.upload")
2140	+	+ (global-name "com.apple.familycontrols")
2141	-	< (home-subpath "/Library/Containers/com.apple.FaceTime/Data/logs/mediaserverd")))
2141	+	+ (global-name "com.apple.pluginkit.pkd")
2142	-	<
2142	+	+ (global-name "com.apple.nsurlstorage-cache")
2143	-	53c48
2143	+	+ (global-name "com.apple.system.opendirectoryd.api")
2144	-	< (subpath "/usr/libexec/rtcreportingd"))
2144	+	+ (global-name "com.apple.CrashReporterSupportHelper")
2145	-	---
2145	+	+ (global-name "com.apple.cache_delete")
2146	-	> (literal "/usr/libexec/rtcreportingd"))
2146	+	+ (global-name "com.apple.ManagedClient.agent")
2147	-	67a63
2147	+	+ (global-name "com.apple.cfnetwork.AuthBrokerAgent")
2148	-	> (global-name "com.apple.awdd")
2148	+	+ (global-name "com.apple.pasteboard.1"))
2149	-	68a65
2149	+	+
2150	-	> (global-name "com.apple.distributed_notifications@1v3")
2150	+	+ (allow authorization-right-obtain
2151	-	70a68,70
2151	+	+ (right-name "system.install.app-store-software")
2152	-	> (allow system-fsctl
2152	+	+ (right-name "system.install.apple-software")
2153	-	> (fsctl-command (_IO "h" 47))) ; HFSIOC_SET_HOTFILE_STATE
2153	+	+ (right-name "system.install.app-store-software.standard-user")
2154	-	>
2154	+	+ (right-name "system.install.apple-software.standard-user")
2155	-	72,76c72,73
2155	+	+ (right-name "system.install.apple-config-data")
2156	-	< (allow network-outbound
2156	+	+ (right-name "system.install.software")
2157	-	< (literal "/private/var/run/mDNSResponder")
2157	+	+ (right-name "system.install.software.iap")
2158	-	< (remote tcp "*:443")
2158	+	+ (right-name "system.install.software.mdm-provided")
2159	-	< (remote udp "*:16384")
2159	+	+ (right-name "com.apple.SoftwareUpdate.modify-settings"))
2160	-	< (remote udp "*:16387"))
2160	+	+
2161		+ (allow iokit-open
2162	-	---
2162	+	+ (iokit-user-client-class "IOFramebufferSharedUserClient")
2163	-	> (allow network-outbound)
2163	+	+ (iokit-user-client-class "RootDomainUserClient")
2164	-	> (allow network-inbound (local udp))
2164	+	+ (iokit-user-client-class-regex #"AccelDevice$")
2165		+ (iokit-user-client-class-regex #"SharedUserClient$")
2166		+ (iokit-user-client-class-regex #"GLContext$"))
2167	-	0a1,46
2167	+	+
2168	-	> (version 1)
2168	+	+ (allow network-outbound)
2169	-	>
2169	+	+ (allow system-socket)
2170	-	> (deny default)
2170	+	+ (allow distributed-notification-post)
2171	-	>
2171	+	+ (allow appleevent-send)
2172	-	> (import "system.sb")
2172	+	+ (allow lsopen)
2173	-	>
2173	+
2174	-	> (allow file-read* file-write*
2174	+
2175	-	> (subpath "/private/var/db/mds")
2175	+
2176	-	> (regex #"^/private/var/folders/[^/]+/[^/]+/T(/\|$)")
2176	+
2177	-	> (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/\|$)")))
2177	+
2178	-	>
2178	+
2179	-	>
2179	+
2180	-	> ;;;;;; will be fully fixed in 29465717
2180	+
2181	-	> (allow file-read* (subpath "/"))
2181	+	*** /System/Library/Sandbox/Profiles/com.apple.coreduetd.sb 2017-02-16 21:44:09.000000000 -0800
2182	-	>
2182	+	--- com.apple.coreduetd.sb 2017-07-10 13:51:51.000000000 -0700
2183	-	> (allow user-preference-read
2183	+	***************
2184	-	> (preference-domain ".GlobalPreferences"))
2184	+	* 3,10 **
2185	-	> (allow user-preference-read
2185	+	--- 3,12 ----
2186	-	> (preference-domain "com.apple.security"))
2186	+	;;(allow default (with report))
2187	-	>
2187	+
2188	-	> (allow file-read*
2188	+	(import "system.sb")
2189	-	> (literal "/usr/libexec/secd")
2189	+	+ (import "bsd.sb")
2190	-	> (literal "/Library/Preferences/com.apple.security.plist")
2190	+	(import "com.apple.corefoundation.sb")
2191	-	> (literal "/Library/Preferences/.GlobalPreferences.plist")
2191	+
2192	-	> (literal "/AppleInternal")
2192	+	+ (system-network)
2193	-	> (literal "/usr/libexec"))
2193	+	;;; initialize CF sandbox actions
2194	-	>
2194	+	(corefoundation)
2195	-	>
2195	+
2196	-	> (allow mach-lookup
2196	+	***************
2197	-	> (global-name "com.apple.SystemConfiguration.configd")
2197	+	* 38,47 **
2198	-	> (global-name "com.apple.security.cloudkeychainproxy3")
2198	+	--- 40,51 ----
2199	-	> (global-name "com.apple.security.keychainsyncingoveridsproxy")
2199	+	(global-name "com.apple.coreservices.launchservicesd")
2200	-	> (global-name "com.apple.cloudd")
2200	+	(global-name "com.apple.lsd.mapdb")
2201	-	> (global-name "com.apple.apsd")
2201	+	(global-name "com.apple.metadata.mds")
2202	-	> (global-name "com.apple.windowserver.active"))
2202	+	+ (global-name "com.apple.cookied")
2203	-	>
2203	+	(global-name "com.apple.coreduetd.knowledge")
2204	-	> (allow iokit-open
2204	+	(global-name "com.apple.coreduetd.people")
2205	-	> (iokit-user-client-class "AppleKeyStoreUserClient"))
2205	+	(global-name "com.apple.coreduetd.knowledgebase")
2206	-	>
2206	+	(global-name "com.apple.coreduetd.batterysaver")
2207	-	> (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
2207	+	+ (global-name "com.apple.coreservices.quarantine-resolver")
2208	-	>
2208	+	(global-name "com.apple.iokit.powerdxpc")
2209	-	> (allow ipc-posix-shm
2209	+	(global-name "com.apple.coreduetd.context")
2210	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
2210	+	(global-name "com.apple.SystemConfiguration.configd")
2211	-	>
2211	+	***************
2212	-	> (allow network-outbound)
2212	+	* 51,59 **
2213	-	> (allow system-socket)
2213	+	(global-name "com.apple.mediaremoted.xpc")
2214		(global-name "com.apple.CoreLocation.agent")
2215		(global-name "com.apple.locationd.desktop.registration")
2216		! (global-name "com.apple.locationd.desktop.synchronous"))
2217
2218		(allow ipc-posix-shm*
2219	-	22c22,23
2219	+	(ipc-posix-name "coreduetd")
2220	-	< (global-name "com.apple.ocspd"))
2220	+	(ipc-posix-name "/CDCSS")
2221	-	---
2221	+	(ipc-posix-name "com.apple.coreduetd"))
2222	-	> (global-name "com.apple.ocspd")
2222	+	--- 55,74 ----
2223	-	> (global-name "com.apple.mobile.keybagd.xpc"))
2223	+	(global-name "com.apple.mediaremoted.xpc")
2224		(global-name "com.apple.CoreLocation.agent")
2225		(global-name "com.apple.locationd.desktop.registration")
2226	-	27a28,30
2226	+	! (global-name "com.apple.locationd.desktop.synchronous")
2227	-	> ;; For mapping process path to CFScripter instance
2227	+	! (global-name "com.apple.SharingServices"))
2228	-	> (allow process-info-pidinfo)
2228	+
2229	-	>
2229	+	(allow ipc-posix-shm*
2230		(ipc-posix-name "coreduetd")
2231		(ipc-posix-name "/CDCSS")
2232	-	92c92
2232	+	(ipc-posix-name "com.apple.coreduetd"))
2233	-	< ;;; rdar://problem/26620973 & rdar://problem/31070724
2233	+	+
2234	-	---
2234	+	+ (allow network-outbound
2235	-	> ;;; rdar://problem/26620973 & rdar://problem/31560540
2235	+	+ (literal "/private/var/run/mDNSResponder")) ; to resolve host names
2236	-	100a101
2236	+	+
2237	-	> (global-name "com.apple.audio.AudioComponentRegistrar")
2237	+	+ (allow ipc-posix-shm-read-data
2238	-	104a106
2238	+	+ (ipc-posix-name "FNetwork.defaultStorageSession"))
2239	-	> (global-name "com.apple.mobileassetd")
2239	+	+
2240		+ (allow network-outbound
2241		+ (remote ip))
2242	-	105a106,107
2242	+	+
2243	-	> (global-name "com.apple.adid")
2243	+
2244	-	> (global-name "com.apple.fpsd")
2244	+
2245	-	109a112,113
2245	+
2246	-	> (global-name "com.apple.commerce")
2246	+
2247	-	> (global-name "com.apple.commerced")
2247	+
2248		Files /System/Library/Sandbox/Profiles/com.apple.coreservices.appleevents.appleeventsd.sb and com.apple.coreservices.appleevents.appleeventsd.sb are identical
2249		--
2250	-	95a96,97
2250	+
2251	-	> (global-name "com.apple.adid")
2251	+
2252	-	> (global-name "com.apple.fpsd")
2252	+
2253		com.apple.coreservicesd.sb
2254		*** /System/Library/Sandbox/Profiles/com.apple.coreservicesd.sb 1969-12-31 16:00:00.000000000 -0800
2255	-	39a40
2255	+	--- com.apple.coreservicesd.sb 2017-07-10 13:51:50.000000000 -0700
2256	-	> (regex #"/Library/Preferences/com\.apple\.seeding\.plist$")
2256	+	***************
2257	-	98a100,101
2257	+	* 0 **
2258	-	> (global-name "com.apple.adid")
2258	+	--- 1,63 ----
2259	-	> (global-name "com.apple.fpsd")
2259	+	+ ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
2260		+ ;;;
2261		+ ;;; WARNING: The sandbox rules in this file currently constitute
2262		+ ;;; Apple System Private Interface and are subject to change at any time and
2263		+ ;;; without notice.
2264		+ ;;;
2265	-	11a12
2265	+	+ (version 1)
2266	-	> (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
2266	+	+
2267	-	42a44,45
2267	+	+ (deny default)
2268	-	> (global-name "com.apple.lsd.mapdb")
2268	+	+
2269	-	> (global-name "com.apple.lsd.modifydb")
2269	+	+ (import "system.sb")
2270		+ (import "com.apple.corefoundation.sb")
2271		+ (corefoundation)
2272	-	87a88,94
2272	+	+
2273	-	> (allow user-preference-read
2273	+	+ (deny file-map-executable iokit-get-properties process-info* nvram*)
2274	-	> (preference-domain "com.apple.AppleMultitouchTrackpad")
2274	+	+ (deny dynamic-code-generation)
2275	-	> (preference-domain "com.apple.ServicesMenu.Services"))
2275	+	+
2276	-	>
2276	+	+ (allow process-info* (target self))
2277	-	> (allow user-preference*
2277	+	+
2278	-	> (preference-domain "com.apple.storeuid"))
2278	+	+ (allow process-info-codesignature)
2279	-	>
2279	+	+
2280	-	98c105,106
2280	+	+ (allow user-preference-read user-preference-write
2281	-	< (global-name "com.apple.storeuid"))
2281	+	+ (preference-domain "com.apple.coreservicesd"))
2282	-	---
2282	+	+
2283	-	> (global-name "com.apple.storeuid")
2283	+	+ (allow file-read*)
2284	-	> (global-name "com.apple.storeagent.storekit"))
2284	+	+ (allow file-read-metadata)
2285	-	100a109,113
2285	+	+
2286	-	> (global-name "com.apple.iohideventsystem")
2286	+	+ (allow file-write*
2287	-	> (global-name "com.apple.tsm.uiserver")
2287	+	+ (subpath (param "DARWIN_USER_TEMP_DIR"))
2288	-	> (global-name "com.apple.touchbarserver.mig")
2288	+	+ (subpath (param "DARWIN_USER_CACHE_DIR")))
2289	-	> (global-name "com.apple.touchbar.agent")
2289	+	+
2290	-	> (global-name "com.apple.pbs.fetch_services")
2290	+	+ (allow file-ioctl
2291	-	104a118
2291	+	+ (path "/dev/fsevents"))
2292	-	> (global-name "com.apple.commerce")
2292	+	+
2293	-	168a183,185
2293	+	+ (allow ipc-posix-shm-write-create
2294	-	> (iokit-user-client-class "IOSurfaceRootUserClient")
2294	+	+ (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
2295	-	> (iokit-user-client-class "IGAccelCommandQueue")
2295	+	+ (allow ipc-posix-shm-write-data
2296	-	> (iokit-user-client-class "AppleMultitouchDeviceUserClient")
2296	+	+ (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
2297		+
2298		+ (allow mach-lookup
2299	-	18a19,20
2299	+	+ (global-name "com.apple.DiskArbitration.diskarbitrationd"))
2300	-	> (home-subpath "/Library/Caches/com.apple.parsecd/CustomFeedback/") ;; Parsec feedback (Trystero uploads) <rdar://problem/33038387> Sandbox exception for Parsec feedback (macOS)
2300	+	+
2301	-	>
2301	+	+ (allow file-write*
2302	-	33a36
2302	+	+ (path "/System/Library/Caches/com.apple.Components2.SystemCache.Components"))
2303	-	> (home-subpath "/Library/Application Support/Knowledge") ;; _DKKnowledgeStore
2303	+	+ (allow file-write*
2304	-	39a43,51
2304	+	+ (path "/System/Library/Caches/com.apple.Components2.SystemCache.QuickTimeComponents"))
2305	-	> ;; <rdar://problem/31989235> Lobo: SGOrigin app name unlocalized - need sandbox rule for InfoPlist.strings
2305	+	+ (allow file-write*
2306	-	> (allow file-read* (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist"))
2306	+	+ (path "/System/Library/Caches/com.apple.Components2.SystemCache.AudioComponents"))
2307	-	> (allow file-read* (regex #"\.app$"))
2307	+	+
2308	-	> (allow file-read* (regex #"\.app/Contents$"))
2308	+	+ (allow file-map-executable (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal"))
2309	-	> (allow file-read* (regex #"\.app/Contents/Resources$"))
2309	+	+
2310	-	> (allow file-read* (regex #"/InfoPlist\.strings$"))
2310	+	+ (allow distributed-notification-post)
2311	-	> (allow file-read* (regex #"/Info.plist$"))
2311	+	+
2312	-	> (allow file-read* (regex #"\.lproj$"))
2312	+	+ (allow iokit-get-properties (iokit-property "Protocol Characteristics"))
2313	-	>
2313	+	+ (allow iokit-get-properties (iokit-property "IOMediaIcon"))
2314	-	41a54
2314	+	+ (allow iokit-get-properties (iokit-property "Ejectable"))
2315	-	> (global-name "com.apple.apsd") ;; SGDCloudKitSync (APNS)
2315	+	+ (allow iokit-get-properties (iokit-property "Removable"))
2316	-	50a64
2316	+	+ (allow iokit-get-properties (iokit-property "CoreStorage Encrypted"))
2317	-	> (global-name "com.apple.cloudd") ;; SGDCloudKitSync (CloudKit)
2317	+	+ (allow iokit-get-properties (iokit-property "IOClassNameOverride"))
2318	-	52c66,67
2318	+	+ (allow iokit-get-properties (iokit-property "od-server-name"))
2319	-	< (global-name "com.apple.coreduetd.people") ;; SGDuetBridge
2319	+	+ (allow iokit-get-properties (iokit-property "image-path"))
2320	-	---
2320	+	+ (allow iokit-get-properties (iokit-property "filevault-image"))
2321	-	> (global-name "com.apple.coreduetd.knowledge.user") ;; PersonalizationPortrait
2321	+	+ (allow iokit-get-properties (iokit-property "Product Identification"))
2322	-	> (global-name "com.apple.coreduetd.context") ;; SGDPowerBudget
2322	+
2323	-	54a70,71
2323	+
2324	-	> (global-name "com.apple.spotlight.SearchAgent")
2324	+	*** /System/Library/Sandbox/Profiles/com.apple.ctkbind.sb 1969-12-31 16:00:00.000000000 -0800
2325	-	> (global-name "com.apple.spotlight.IndexAgent")
2325	+	--- com.apple.ctkbind.sb 2017-07-10 13:51:51.000000000 -0700
2326	-	58a76
2326	+	***************
2327	-	> (global-name "com.apple.metadata.mds") ;; <rdar://problem/28957199>
2327	+	* 0 **
2328	-	66c84,87
2328	+	--- 1,100 ----
2329	-	< (global-name "com.apple.tccd"))
2329	+	+ ;;;
2330	-	---
2330	+	+ ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind
2331	-	> (global-name "com.apple.SystemConfiguration.configd") ;; SGDCloudKitSync (APNS)
2331	+	+ ;;;
2332	-	> (global-name "com.apple.tccd")
2332	+	+ ;;; Copyright (c) 2016 Apple Inc. All Rights reserved.
2333	-	> (global-name "com.apple.windowserver.active") ;; AGDCloudKitSync (APNS)
2333	+	+ ;;;
2334	-	> (global-name "com.apple.FileCoordination")) ;; MailServices for reimport
2334	+	+ ;;; WARNING: The sandbox rules in this file currently constitute
2335		+ ;;; Apple System Private Interface and are subject to change at any time and
2336		+ ;;; without notice. The contents of this file are also auto-generated and
2337		+ ;;; not user editable; it may be overwritten at any time.
2338		+
2339		+ (version 1)
2340		+
2341		+ (deny default)
2342		+
2343	-	0a1,106
2343	+	+ (import "system.sb")
2344	-	> ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
2344	+	+
2345	-	> ;;;
2345	+	+ (define (home-subpath home-relative-subpath)
2346	-	> ;;; WARNING: The sandbox rules in this file currently constitute
2346	+	+ (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
2347	-	> ;;; Apple System Private Interface and are subject to change at any time and
2347	+	+
2348	-	> ;;; without notice.
2348	+	+ (define (home-literal home-relative-literal)
2349	-	> ;;;
2349	+	+ (literal (string-append (param "HOME_DIR") home-relative-literal)))
2350	-	> (version 1)
2350	+	+
2351	-	>
2351	+	+ (allow file-read-data)
2352	-	> (deny default)
2352	+	+
2353	-	> (deny file-map-executable iokit-get-properties process-info* nvram*)
2353	+	+ (allow file-read-metadata)
2354	-	> (deny dynamic-code-generation)
2354	+	+
2355	-	>
2355	+	+ (allow file-read*
2356	-	> (import "system.sb")
2356	+	+ (subpath (param "DARWIN_USER_TEMP_DIR"))
2357	-	> (import "com.apple.corefoundation.sb")
2357	+	+ (subpath (param "DARWIN_USER_CACHE_DIR"))
2358	-	> (corefoundation)
2358	+	+ (subpath "/Library/Caches/com.apple.iconservices.store")
2359	-	>
2359	+	+ (subpath "/Library/Keyboard Layouts")
2360	-	> ;;; Homedir-relative path filters
2360	+	+ (subpath "/private/var/db")
2361	-	> (define (home-regex home-relative-regex)
2361	+	+ (home-subpath "/Library/Keyboard Layouts")
2362	-	> (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
2362	+	+ (literal "/Library/Preferences/com.apple.security.plist")
2363	-	>
2363	+	+ (home-literal "/Library/Keychains/login.keychain-db")
2364	-	> (define (home-subpath home-relative-subpath)
2364	+	+ (home-literal "/.CFUserTextEncoding"))
2365	-	> (subpath (string-append (param "HOME") home-relative-subpath)))
2365	+	+
2366	-	>
2366	+	+ (allow file-write*
2367	-	> (define (home-prefix home-relative-prefix)
2367	+	+ (subpath (param "DARWIN_USER_CACHE_DIR"))
2368	-	> (prefix (string-append (param "HOME") home-relative-prefix)))
2368	+	+ (subpath "/private/var/db/mds/system"))
2369	-	>
2369	+	+
2370	-	> (define (home-literal home-relative-literal)
2370	+	+ (allow mach-lookup
2371	-	> (literal (string-append (param "HOME") home-relative-literal)))
2371	+	+ (global-name "com.apple.audio.SystemSoundServer-OSX")
2372	-	>
2372	+	+ (global-name "com.apple.coreservices.appleevents")
2373	-	> (allow process-info* (target self))
2373	+	+ (global-name "com.apple.coreservices.launchservicesd")
2374	-	>
2374	+	+ (global-name "com.apple.CoreServices.coreservicesd")
2375	-	> ;; For resolving symlinks, realpath(3), and equivalents.
2375	+	+ (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
2376	-	> (allow file-read-metadata)
2376	+	+ (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.daemon.libxpc")
2377	-	>
2377	+	+ (global-name "com.apple.ctkd.token-client")
2378	-	> ;; For validating the entitlements of clients.
2378	+	+ (global-name "com.apple.ctkd.watcher-client")
2379	-	> (allow process-info-codesignature)
2379	+	+ (global-name "com.apple.cvmsServ")
2380	-	>
2380	+	+ (global-name "com.apple.decalog4.incoming")
2381	-	> ;;allow safari to open the url
2381	+	+ (global-name "com.apple.distributed_notifications@Uv3")
2382	-	> (allow lsopen)
2382	+	+ (global-name "com.apple.dock.fullscreen")
2383	-	>
2383	+	+ (global-name "com.apple.dock.server")
2384	-	> ;; preference domain.
2384	+	+ (global-name "com.apple.fonts")
2385	-	> (allow user-preference-read user-preference-write
2385	+	+ (global-name "com.apple.FSEvents")
2386	-	> (preference-domain "com.apple.touristd"))
2386	+	+ (global-name "com.apple.iconservices")
2387	-	> (allow user-preference-read user-preference-write
2387	+	+ (global-name "com.apple.iconservices.store")
2388	-	> (preference-domain "NSGlobalDomain"))
2388	+	+ (global-name "com.apple.inputmethodkit.getxpcendpoint")
2389	-	> (allow file-read* file-write* (home-subpath "/Library/Preferences/"))
2389	+	+ (global-name "com.apple.inputmethodkit.launchagent")
2390	-	> (allow file-read* file-write* (literal "/Library/Preferences/.GlobalPreferences.plist"))
2390	+	+ (global-name "com.apple.inputmethodkit.launcher")
2391	-	>
2391	+	+ (global-name "com.apple.lsd.mapdb")
2392	-	> ;; private frameworks.
2392	+	+ (global-name "com.apple.pasteboard.1")
2393	-	> (allow file-map-executable (subpath "/System/Library/PrivateFrameworks/"))
2393	+	+ (global-name "com.apple.quicklook.ui.helper.active")
2394	-	> (allow file-map-executable (subpath "/System/Library/Frameworks/"))
2394	+	+ (global-name "com.apple.SecurityServer")
2395	-	>
2395	+	+ (global-name "com.apple.system.opendirectoryd.api")
2396	-	> ;;allow outbound network connections.
2396	+	+ (global-name "com.apple.SystemConfiguration.configd")
2397	-	> (system-network)
2397	+	+ (global-name "com.apple.touchbar.agent")
2398	-	> (allow network-outbound)
2398	+	+ (global-name "com.apple.tsm.uiserver")
2399	-	> (allow ipc-posix-shm-read-data)
2399	+	+ (global-name "com.apple.window_proxies")
2400	-	>
2400	+	+ (global-name "com.apple.tccd.system")
2401	-	> ;;allow mach lookup.
2401	+	+ (global-name "com.apple.ocspd")
2402	-	> (allow mach-lookup
2402	+	+ (global-name "com.apple.windowserver.active"))
2403	-	> (global-name "com.apple.cookied")
2403	+	+
2404	-	> (global-name "com.apple.coreservices.launchservicesd")
2404	+	+ (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
2405	-	> (global-name "com.apple.dock.server")
2405	+	+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
2406	-	> (global-name "com.apple.lsd.mapdb")
2406	+	+
2407	-	> (global-name "com.apple.lsd.modifydb")
2407	+	+ (allow authorization-right-obtain
2408	-	> (global-name "com.apple.syncdefaultsd")
2408	+	+ (right-name "com.apple.ctk.pair")
2409	-	> (global-name "com.apple.usernoted.daemon_client")
2409	+	+ (right-name "com.apple.ctkbind.admin"))
2410	-	> (global-name "com.apple.coreservices.quarantine-resolver")
2410	+	+
2411	-	> (global-name "com.apple.SecurityServer")
2411	+	+ (allow user-preference-read
2412	-	> (global-name "com.apple.windowserver.active"))
2412	+	+ (preference-domain "com.apple.AppleMultitouchTrackpad")
2413	-	>
2413	+	+ (preference-domain "com.apple.ctkbind")
2414	-	> ;;allow get properties.
2414	+	+ (preference-domain "com.apple.HIToolbox")
2415	-	> (allow iokit-get-properties
2415	+	+ (preference-domain "com.apple.universalaccess")
2416	-	> (require-all
2416	+	+ (preference-domain "kCFPreferencesAnyApplication"))
2417	-	> (iokit-registry-entry-class "IOPlatformExpertDevice")
2417	+	+
2418	-	> (iokit-registry-entry-class "IORegisterForSystemPower")
2418	+	+ (allow user-preference-read user-preference-write
2419	-	> (iokit-registry-entry-class "IORegistryEntryCreateCFProperty")))
2419	+	+ (preference-domain "com.apple.ctkbind")
2420	-	>
2420	+	+ (preference-domain "com.apple.security.smartcard")
2421	-	> (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
2421	+	+ (preference-domain "com.apple.security.tokenlogin"))
2422	-	> (allow iokit-get-properties (iokit-property "board-id"))
2422	+	+
2423	-	> (allow iokit-get-properties)
2423	+	+ (allow iokit-open
2424	-	>
2424	+	+ (iokit-registry-entry-class "IGAccelCommandQueue")
2425	-	> ;; Read/write access to a temporary directory.
2425	+	+ (iokit-registry-entry-class "IGAccelDevice")
2426	-	> (allow file-read* file-write*
2426	+	+ (iokit-user-client-class "AppleKeyStoreUserClient")
2427	-	> (subpath (param "TMPDIR"))
2427	+	+ (iokit-user-client-class "IGAccelSharedUserClient")
2428	-	> (subpath (param "DARWIN_CACHE_DIR"))
2428	+	+ (iokit-user-client-class "IOSurfaceRootUserClient"))
2429	-	> (subpath "/Library/Application Support/CrashReporter/"))
2429	+
2430	-	>
2430	+
2431	-	>
2431	+
2432	-	> (allow file-read*
2432	+
2433	-	> (subpath "/Library/Application Support/CrashReporter/")
2433	+
2434	-	> (subpath "/private/var/db/mds/messages")
2434	+
2435	-	> (literal "/Library/Preferences/com.apple.security.plist"))
2435	+
2436	-	>
2436	+
2437	-	>
2437	+	*** /System/Library/Sandbox/Profiles/com.apple.deleted.sb 2017-02-02 19:49:20.000000000 -0800
2438	-	> ;; Read/write access to the previous system version.
2438	+	--- com.apple.deleted.sb 2017-07-10 13:51:51.000000000 -0700
2439	-	> (allow file-read-data (literal "/private/var/db/PreviousSystemVersion.plist"))
2439	+	***************
2440	-	> (allow file-read-data (home-literal "/.CFUserTextEncoding"))
2440	+	* 35,55 **
2441	-	>
2441	+	(home-subpath "/Library/Caches/com.apple.CacheDelete"))))
2442	-	> ;; Read/write access to com.apple.touristd’s cache.
2442	+
2443	-	> (let ((cache-path-filter (home-prefix "/Library/Caches/com.apple.touristd")))
2443	+	(allow file-write*
2444	-	> (allow file-read* file-write* cache-path-filter)
2444	+	! (regex "/private/var/folders/.*/mds/mds.lock"))
2445	-	> (allow file-issue-extension
2445	+
2446	-	> (require-all
2446	+
2447	-	> (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
2447	+	(allow file-read*
2448	-	> cache-path-filter)))
2448	+	(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
2449	-	>
2449	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
2450		! (regex "/Users/.*/Library/Preferences/.GlobalPreferences.plist")
2451		! (regex "/Users/./Library/Preferences/ByHost/.GlobalPreferences\..\.plist")
2452	-	0a1,70
2452	+	! (regex "/AppleInternal/Library/CacheDelete")
2453	-	> (version 1)
2453	+	! (regex "/AppleInternal/Library/CacheDelete/.*")
2454	-	>
2454	+	! (regex "/Applications/.*")
2455	-	> (deny default)
2455	+	! (regex "/private/var/folders/.*/mds/mds.lock")
2456	-	> (deny file-map-executable iokit-get-properties process-info* nvram*)
2456	+	! (regex "/private/var/folders/./com.apple.LaunchServices-.\.csstore")
2457	-	> (deny dynamic-code-generation)
2457	+	! (regex "*\.appex")
2458	-	>
2458	+	! (subpath "/System/Library/CacheDelete"))
2459	-	> (import "system.sb")
2459	+
2460	-	> (import "com.apple.corefoundation.sb")
2460	+	;;; Various patterns used by cache-delete services.
2461	-	> (corefoundation)
2461	+	(allow mach-lookup
2462	-	>
2462	+	--- 35,54 ----
2463	-	> (allow process-info* (target self))
2463	+	(home-subpath "/Library/Caches/com.apple.CacheDelete"))))
2464	-	>
2464	+
2465	-	> ;; For resolving symlinks, realpath(3), and equivalents.
2465	+	(allow file-write*
2466	-	> (allow file-read-metadata)
2466	+	! (regex #"/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$"))
2467	-	>
2467	+
2468	-	> ;; For validating the entitlements of clients (for keychain and trust settings)
2468	+
2469	-	> ;; see 31353815
2469	+	(allow file-read*
2470	-	> (allow process-info-codesignature)
2470	+	(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
2471	-	> (allow process-info-pidinfo)
2471	+	(literal "/Library/Preferences/.GlobalPreferences.plist")
2472	-	> (allow file-read*)
2472	+	! (regex "^/Users/[^/]+/Library/Preferences/\.GlobalPreferences\.plist$")
2473	-	>
2473	+	! (regex "^/Users/[^/]+/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
2474	-	> ;; ${PRODUCT_NAME}’s preference domain.
2474	+	! (regex "^/Applications/.*$")
2475	-	> (allow user-preference-read user-preference-write
2475	+	! (regex "^/private/var/folders/.*/mds/mds\.lock$")
2476	-	> (preference-domain "com.apple.trustd"))
2476	+	! (regex "^/private/var/folders/./com.apple.LaunchServices-.\.csstore$")
2477	-	>
2477	+	! (regex "^./[^/]\.appex$")
2478	-	> ;; Global and security preferences
2478	+	! (subpath "/System/Library/CacheDelete")
2479	-	> (allow user-preference-read
2479	+	! (subpath "/AppleInternal/Library/CacheDelete"))
2480	-	> (preference-domain "com.apple.security")
2480	+
2481	-	> (preference-domain "com.apple.Security")
2481	+	;;; Various patterns used by cache-delete services.
2482	-	> (preference-domain ".GlobalPreferences")
2482	+	(allow mach-lookup
2483	-	> (preference-domain "com.apple.MobileAsset"))
2483	+	***************
2484	-	>
2484	+	* 61,69 **
2485	-	> ;; Read/write access to a temporary directory.
2485	+	--- 60,72 ----
2486	-	> (allow file-read* file-write*
2486	+	(global-name "com.apple.lsd.modifydb")
2487	-	> (subpath (param "_TMPDIR"))
2487	+	(global-name "com.apple.lsd.mapdb")
2488	-	> (subpath (param "_DARWIN_CACHE_DIR")))
2488	+	(global-name "com.apple.diskspaced")
2489	-	>
2489	+	+ (global-name "com.apple.DiskArbitration.diskarbitrationd")
2490	-	> ;; Read/write access to keychains and caches
2490	+	+ (global-name "com.apple.diskmanagementd")
2491	-	> (allow file-read* file-write*
2491	+	(global-name "com.apple.windowserver.active")
2492	-	> (subpath "/private/var/db/mds/")
2492	+	(global-name "com.apple.cookied"))
2493	-	> (subpath "/private/var/db/crls/")
2493	+
2494	-	> (subpath "/System/Library/Security/")
2494	+	+ (allow iokit-open (iokit-user-client-class "AppleAPFSUserClient"))
2495	-	> (subpath "/Library/Keychains/")
2495	+	+
2496	-	> (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
2496	+	(allow file-read-metadata)
2497	-	>
2497	+
2498	-	> (allow file-read*
2498	+	(allow user-preference*
2499	-	> (literal "/usr/libexec")
2499	+
2500	-	> (literal "/usr/libexec/trustd")
2500	+
2501	-	> (literal "/Library/Preferences/com.apple.security.plist")
2501	+
2502	-	> (regex #"/.GlobalPreferences[^/]*\.plist")
2502	+
2503	-	> (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
2503	+
2504	-	> (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
2504	+	*** /System/Library/Sandbox/Profiles/com.apple.distnoted.sb 1969-12-31 16:00:00.000000000 -0800
2505	-	>
2505	+	--- com.apple.distnoted.sb 2017-07-10 13:51:51.000000000 -0700
2506	-	> (allow file-map-executable
2506	+	***************
2507	-	> (regex #"/CoreServicesInternal")
2507	+	* 0 **
2508	-	> (regex #"/csparser"))
2508	+	--- 1,11 ----
2509	-	>
2509	+	+ (version 1)
2510	-	> (allow mach-lookup
2510	+	+ (deny default)
2511	-	> (global-name "com.apple.ocspd")
2511	+	+
2512	-	> (global-name "com.apple.SecurityServer")
2512	+	+ (import "system.sb")
2513	-	> (global-name "com.apple.SystemConfiguration.configd")
2513	+	+ (allow mach-lookup
2514	-	> (global-name "com.apple.mobileassetd")
2514	+	+ (global-name "com.apple.distributed_notifications@1v3")
2515	-	> (global-name "com.apple.securityd.xpc")
2515	+	+ (global-name "com.apple.distributed_notifications@Uv3")
2516	-	> (global-name "com.apple.nsurlsessiond"))
2516	+	+ (global-name "com.apple.distributed_notifications@0v3")
2517	-	>
2517	+	+ (local-name "com.apple.distributed_notifications@1v3")
2518	-	> (allow ipc-posix-shm
2518	+	+ (local-name "com.apple.distributed_notifications@Uv3")
2519	-	> (ipc-posix-name "com.apple.AppleDatabaseChanged"))
2519	+	+ (local-name "com.apple.distributed_notifications@0v3"))
2520	-	>
2520	+
2521	-	> (allow network-outbound)
2521	+
2522	-	> (allow system-socket)
2522	+	*** /System/Library/Sandbox/Profiles/com.apple.dprivacyd.sb 2016-08-03 14:00:02.000000000 -0700
2523		--- com.apple.dprivacyd.sb 2017-07-10 13:51:50.000000000 -0700
2524		***************
2525	-	14a15,21
2525	+	* 25,31 **
2526	-	> ;;(allow file-issue-extension
2526	+	(subpath "/private/var/root")
2527	-	> ;; (extension "com.apple.app-sandbox.read-write"))
2527	+	(subpath "/Library/Preferences")
2528	-	>
2528	+	(subpath "/Library")
2529	-	> (if (param "TMP_DIR")
2529	+	! (subpath "/Library/Application\ Support"))
2530	-	> (allow file-issue-extension
2530	+
2531	-	> (regex (string-append "^" (param "TMP_DIR") "/*"))))
2531	+	(allow file-write*
2532	-	>
2532	+	(subpath "/Library/Logs/DiagnosticReports"))
2533	-	56a64,66
2533	+	--- 25,32 ----
2534	-	> (global-name "com.apple.BluetoothDOServer")
2534	+	(subpath "/private/var/root")
2535	-	> (global-name "com.apple.FileCoordination")
2535	+	(subpath "/Library/Preferences")
2536	-	> (global-name "com.apple.analyticsd")
2536	+	(subpath "/Library")
2537		! (subpath "/Library/Application\ Support")
2538		! (subpath "/usr"))
2539
2540		(allow file-write*
2541		(subpath "/Library/Logs/DiagnosticReports"))
2542		--
2543		com.apple.dyld.closured.sb
2544		*** /System/Library/Sandbox/Profiles/com.apple.dyld.closured.sb 1969-12-31 16:00:00.000000000 -0800
2545		--- com.apple.dyld.closured.sb 2017-07-10 13:51:51.000000000 -0700
2546		***************
2547		* 0 **
2548		--- 1,22 ----
2549		+ ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
2550		+ ;;;
2551		+ ;;; WARNING: The sandbox rules in this file currently constitute
2552		+ ;;; Apple System Private Interface and are subject to change at any time and
2553		+ ;;; without notice.
2554		+ ;;;
2555		+ (version 1)
2556		+
2557	-	0a1,28
2557	+	+ (deny default)
2558	-	> (version 1)
2558	+	+ (deny file-map-executable iokit-get-properties process-info* nvram*)
2559	-	>
2559	+	+ (deny dynamic-code-generation)
2560	-	> (deny default)
2560	+	+
2561	-	> (deny dynamic-code-generation file-map-executable nvram* process-info*)
2561	+	+ (import "system.sb")
2562	-	>
2562	+	+
2563	-	> (import "system.sb")
2563	+	+ ;; For reading dylibs
2564	-	>
2564	+	+ (allow file-read*)
2565	-	> ;;; <rdar://problem/32252235> MAC: XPC: Sandbox violations on export
2565	+	+
2566	-	> (define (home-subpath home-relative-subpath)
2566	+	+ ;; For resolving symlinks, realpath(3), and equivalents.
2567	-	> (subpath (string-append (param "_HOME") home-relative-subpath)))
2567	+	+ (allow file-read-metadata)
2568	-	> (define (home-literal home-relative-literal)
2568	+	+
2569	-	> (literal (string-append (param "_HOME") home-relative-literal)))
2569	+	+ ;; for logging name of client
2570	-	> (define (home-regex home-relative-regex)
2570	+	+ (allow process-info-pidinfo)
2571	-	> (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
2571	+
2572	-	>
2572	+
2573	-	> (allow file-read* (home-literal "/Library/Preferences/.CFUserTextEncoding"))
2573	+
2574	-	>
2574	+
2575	-	> (allow file-read-metadata)
2575	+
2576	-	>
2576	+	*** /System/Library/Sandbox/Profiles/com.apple.eosauthagent.sb 2016-12-01 22:50:32.000000000 -0800
2577	-	> (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
2577	+	--- com.apple.eosauthagent.sb 2017-07-10 13:51:50.000000000 -0700
2578	-	>
2578	+	***************
2579	-	> (allow file-read* (extension "com.apple.app-sandbox.read"))
2579	+	* 8,18 **
2580	-	> (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
2580	+	(allow file-read-metadata)
2581	-	>
2581	+
2582	-	> (allow process-info-dirtycontrol (target self))
2582	+	(allow file-read*
2583	-	>
2583	+	! (subpath "/System/Library/PrivateFrameworks/SSOClient.framework")
2584	-	> (allow file-map-executable (subpath "/System/Library/Frameworks")
2584	+	! (subpath "/System/Library/Frameworks/SSOClient.framework")
2585	-	> (subpath "/System/Library/PrivateFrameworks"))
2585	+	(subpath "/AppleInternal/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
2586		(subpath "/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
2587		(subpath "/Library/Frameworks/AppleConnect.framework")
2588		(subpath "/private/var/root/Library/Preferences/")
2589		(subpath "/Library/KerberosPlugins/")
2590		(subpath "/private/var/db/")
2591		--- 8,19 ----
2592		(allow file-read-metadata)
2593
2594	-	13,14c13,16
2594	+	(allow file-read*
2595	-	< (allow mach-register
2595	+	! (subpath "/System/Library/PrivateFrameworks")
2596	-	< (local-name-prefix ""))
2596	+	! (subpath "/System/Library/Frameworks")
2597	-	---
2597	+	(subpath "/AppleInternal/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
2598	-	> (allow mach-register (local-name-prefix ""))
2598	+	(subpath "/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
2599	-	>
2599	+	(subpath "/Library/Frameworks/AppleConnect.framework")
2600	-	> ;;; Allow lookup of XPC services for backward-compatibility.
2600	+	+ (subpath "/Library/Frameworks/SplunkKit.framework")
2601	-	> (allow mach-lookup (xpc-service-name-prefix ""))
2601	+	(subpath "/private/var/root/Library/Preferences/")
2602	-	22a25
2602	+	(subpath "/Library/KerberosPlugins/")
2603	-	> (subpath "/private/var/db/timezone")
2603	+	(subpath "/private/var/db/")
2604	-	78a82
2604	+
2605	-	> (global-name "com.apple.dyld.closured")
2605	+
2606	-	121a126
2606	+
2607	-	> (iokit-registry-entry-class "AppleIntelMEUserClient")
2607	+
2608		com.apple.iconservicesagent.sb
2609		Files /System/Library/Sandbox/Profiles/com.apple.iconservicesagent.sb and com.apple.iconservicesagent.sb are identical
2610		--
2611		com.apple.iconservicesd.sb
2612		Files /System/Library/Sandbox/Profiles/com.apple.iconservicesd.sb and com.apple.iconservicesd.sb are identical
2613		--
2614		com.apple.knowledge-agent.sb
2615		*** /System/Library/Sandbox/Profiles/com.apple.knowledge-agent.sb 1969-12-31 16:00:00.000000000 -0800
2616		--- com.apple.knowledge-agent.sb 2017-07-10 13:51:51.000000000 -0700
2617		***************
2618		* 0 **
2619		--- 1,61 ----
2620		+ (version 1)
2621		+ (deny default)
2622		+
2623		+ (import "system.sb")
2624		+ (import "com.apple.corefoundation.sb")
2625		+ (import "bsd.sb")
2626		+
2627		+ (system-network)
2628		+ (corefoundation)
2629		+
2630		+ (allow mach-lookup
2631		+ (global-name "com.apple.bird.token")
2632		+ (global-name "com.apple.cloudd")
2633		+ (global-name "com.apple.cookied")
2634		+ (global-name "com.apple.CoreServices.coreservicesd")
2635		+ (global-name "com.apple.coreservices.quarantine-resolver")
2636		+ (global-name "com.apple.coreduetd.knowledge.user")
2637		+ (global-name "com.apple.lsd.mapdb"))
2638		+
2639		+ (allow file*
2640		+ (subpath (param "_USER_TEMP_DIR"))
2641		+ (subpath (string-append (param "_HOME") "/Library/Caches/knowledge-agent"))
2642		+ (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
2643		+ (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
2644		+ (subpath (string-append (param "_HOME") "/Library/Application Support/Knowledge")))
2645		+
2646		+ (allow file-read* file-write*
2647		+ (subpath (string-append (param "_HOME") "/Library/Caches/CloudKit/com.apple.knowledge-agent")))
2648		+
2649		+ (allow file-read-metadata
2650		+ (subpath (string-append (param "_HOME") "/Library"))
2651		+ (subpath "/usr"))
2652		+
2653		+ (allow file-read-data
2654		+ (literal "/usr/libexec")
2655		+ (subpath "/usr/libexec/knowledge-agent")
2656		+ (literal "/Library/Preferences/.GlobalPreferences.plist")
2657		+ (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
2658		+ (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
2659		+ (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
2660		+ (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]*\.plist$"))
2661		+ (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/knowledge-agent\.[^/]*\.plist$"))
2662		+ (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$")))
2663		+
2664		+ (allow file-read-metadata
2665		+ (literal "/AppleInternal")
2666		+ (literal (param "_HOME")))
2667		+
2668		+ (allow file-read*
2669		+ (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
2670		+ (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
2671		+
2672		+ (allow network-outbound
2673		+ (literal "/private/var/run/mDNSResponder")) ; to resolve host names
2674		+
2675		+ (allow ipc-posix-shm-read-data
2676		+ (ipc-posix-name "FNetwork.defaultStorageSession"))
2677		+
2678		+ (allow network-outbound
2679		+ (remote ip)) ; to download policy updates
2680		+
2681		--
2682		com.apple.logd.sb
2683		*** /System/Library/Sandbox/Profiles/com.apple.logd.sb 2017-04-14 16:25:45.000000000 -0700
2684		--- com.apple.logd.sb 2017-07-10 13:51:51.000000000 -0700
2685		***************
2686		* 1,4 **
2687		! ;; Copyright (c) 2015 Apple Inc. All Rights reserved.
2688		;;
2689		;; WARNING: The sandbox rules in this file currently constitute
2690		;; Apple System Private Interface and are subject to change at any time and
2691		--- 1,4 ----
2692		! ;; Copyright (c) 2015-2017 Apple Inc. All Rights reserved.
2693		;;
2694		;; WARNING: The sandbox rules in this file currently constitute
2695		;; Apple System Private Interface and are subject to change at any time and
2696		***************
2697		* 14,36 **
2698
2699		;; Allow files to be written/deleted, and attributes to be read
2700		(allow file-write*
2701		! (regex #"^(/private)?/var/db/diagnostics(/\|$)")
2702		! (regex #"^(/private)?/var/db/uuidtext(/\|$)")
2703		! )
2704
2705		(allow file-read*
2706		! (regex #"^(/private)?/var/db/diagnostics(/\|$)")
2707		! (regex #"^/private/var/db/timezone(/\|$)")
2708		! )
2709
2710		(allow file-issue-extension
2711		(require-all
2712		(extension-class "com.apple.logd.read-only")
2713		(require-any
2714		(subpath "/private/var/db/diagnostics")
2715		(subpath "/private/var/db/uuidtext"))))
2716
2717		;; Allow writes to syslogd
2718		(allow network-outbound
2719		! (remote unix-socket (path-literal "/private/var/run/syslog"))
2720		! )
2721		--- 14,36 ----
2722
2723		;; Allow files to be written/deleted, and attributes to be read
2724		(allow file-write*
2725		! (regex #"^/private/var/db/diagnostics(/\|$)")
2726		! (regex #"^/private/var/db/timesync(/\|$)")
2727		! (regex #"^/private/var/db/uuidtext(/\|$)"))
2728
2729		(allow file-read*
2730		! (regex #"^/private/var/db/diagnostics(/\|$)")
2731		! (regex #"^/private/var/db/timesync(/\|$)")
2732		! (regex #"^/private/var/db/timezone(/\|$)"))
2733
2734		(allow file-issue-extension
2735		(require-all
2736		(extension-class "com.apple.logd.read-only")
2737		(require-any
2738		(subpath "/private/var/db/diagnostics")
2739		+ (subpath "/private/var/db/timesync")
2740		(subpath "/private/var/db/uuidtext"))))
2741
2742		;; Allow writes to syslogd
2743		(allow network-outbound
2744		! (remote unix-socket (path-literal "/private/var/run/syslog")))
2745		--
2746		com.apple.mtlcompilerservice.sb
2747		*** /System/Library/Sandbox/Profiles/com.apple.mtlcompilerservice.sb 2016-08-01 20:13:26.000000000 -0700
2748		--- com.apple.mtlcompilerservice.sb 2017-07-10 13:51:50.000000000 -0700
2749		***************
2750		* 5,10 **
2751
2752		(import "system.sb")
2753
2754		! (allow file-read-data)
2755		! (allow file-read-metadata)
2756		!
2757		--- 5,8 ----
2758
2759		(import "system.sb")
2760
2761		! (allow file-read-metadata (path "/"))
2762		--
2763		com.apple.navd.sb
2764		Files /System/Library/Sandbox/Profiles/com.apple.navd.sb and com.apple.navd.sb are identical
2765		--
2766		com.apple.neagent.sb
2767		Files /System/Library/Sandbox/Profiles/com.apple.neagent.sb and com.apple.neagent.sb are identical
2768		--
2769		com.apple.nehelper.sb
2770		*** /System/Library/Sandbox/Profiles/com.apple.nehelper.sb 2016-08-01 20:26:18.000000000 -0700
2771		--- com.apple.nehelper.sb 2017-07-10 13:51:51.000000000 -0700
2772		***************
2773		* 17,29 **
2774		#"^/Library/Keychains/\."
2775		#"^(/private)?/var/db/mds/system/mds.lock$"
2776		)
2777		! (regex #"^/Library/Preferences/com\.apple\.networkextension(\.necp\|\.control\|\.cache)?\.plist")
2778		! (regex #"^/Library/Preferences/com\.apple\.networkd(\.sysctl)?\.plist")
2779		(regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.network\.plist")
2780		(regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.networkextension\.plist")
2781		(regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist")
2782		(regex #"^/Library/Preferences/SystemConfiguration/VPN-[^/]+\.plist")
2783		! (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)"))
2784
2785		(allow mach-register
2786		(global-name "com.apple.nehelper")
2787		--- 17,29 ----
2788		#"^/Library/Keychains/\."
2789		#"^(/private)?/var/db/mds/system/mds.lock$"
2790		)
2791		! (regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist")
2792		! (regex #"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist")
2793		(regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.network\.plist")
2794		(regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.networkextension\.plist")
2795		(regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist")
2796		(regex #"^/Library/Preferences/SystemConfiguration/VPN-[^/]+\.plist")
2797		! (subpath (param "TEMPDIR")))
2798
2799		(allow mach-register
2800		(global-name "com.apple.nehelper")
2801		***************
2802		* 65,72 **
2803		--- 65,78 ----
2804		(global-name "com.apple.lsd.modifydb")
2805		(global-name "com.apple.logd.admin")
2806		(global-name "com.apple.lsd.mapdb")
2807		+ (global-name "com.apple.mobileassetd")
2808		+ (global-name "com.apple.mobileassetd.v2")
2809		(global-name "com.apple.securityd.xpc"))
2810
2811		+ ;;; MobileAsset
2812		+ (allow user-preference-read (preference-domain "com.apple.MobileAsset"))
2813		+ (allow user-preference-read (preference-domain "com.apple.SoftwareUpdate"))
2814		+
2815		(allow sysctl-read)
2816
2817		(allow sysctl*
2818		--
2819		com.apple.nesessionmanager.sb
2820		*** /System/Library/Sandbox/Profiles/com.apple.nesessionmanager.sb 2016-08-01 20:26:33.000000000 -0700
2821		--- com.apple.nesessionmanager.sb 2017-07-10 13:51:50.000000000 -0700
2822		***************
2823		* 45,51 **
2824		(allow file-read*
2825		(literal "/usr/libexec")
2826		(literal "/usr/libexec/neagent")
2827		- (literal "/usr/libexec/discoveryd")
2828		(literal "/usr/libexec/nesessionmanager")
2829		(literal "/usr/sbin/mDNSResponder"))
2830
2831		--- 45,50 ----
2832		--
2833		com.apple.networkserviceproxy.sb
2834		*** /System/Library/Sandbox/Profiles/com.apple.networkserviceproxy.sb 2016-08-06 17:26:48.000000000 -0700
2835		--- com.apple.networkserviceproxy.sb 2017-07-10 13:51:51.000000000 -0700
2836		***************
2837		* 30,34 **
2838		(allow file-read* file-write*
2839		(literal (string-append (param "_HOME") "/Library/Preferences/networkserviceproxy.plist"))
2840		(literal "/private/var/mobile/Library/Logs/awd")
2841		! (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log")
2842		! (regex "/private/var/folders/.*"))
2843		--- 30,33 ----
2844		(allow file-read* file-write*
2845		(literal (string-append (param "_HOME") "/Library/Preferences/networkserviceproxy.plist"))
2846		(literal "/private/var/mobile/Library/Logs/awd")
2847		! (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log"))
2848		--
2849		com.apple.nlcd.sb
2850		Files /System/Library/Sandbox/Profiles/com.apple.nlcd.sb and com.apple.nlcd.sb are identical
2851		--
2852		com.apple.noticeboard.agent.sb
2853		Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.agent.sb and com.apple.noticeboard.agent.sb are identical
2854		--
2855		com.apple.noticeboard.state.sb
2856		Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.state.sb and com.apple.noticeboard.state.sb are identical
2857		--
2858		com.apple.notifyd.sb
2859		Files /System/Library/Sandbox/Profiles/com.apple.notifyd.sb and com.apple.notifyd.sb are identical
2860		--
2861		com.apple.opendirectoryd.sb
2862		Files /System/Library/Sandbox/Profiles/com.apple.opendirectoryd.sb and com.apple.opendirectoryd.sb are identical
2863		--
2864		com.apple.pboard.sb
2865		*** /System/Library/Sandbox/Profiles/com.apple.pboard.sb 2016-08-19 16:16:37.000000000 -0700
2866		--- com.apple.pboard.sb 2017-07-10 13:51:50.000000000 -0700
2867		***************
2868		* 2,11 **
2869		(deny default)
2870
2871		(import "system.sb")
2872		! (allow ipc-posix-shm (ipc-posix-name-regex #"^CFPBS:"))
2873		(allow mach-lookup
2874		(global-name "com.apple.coreservices.uasharedpasteboardmanager.xpc")
2875		! (global-name "com.apple.lsd.mapdb")
2876		! (local-name "com.apple.CFPasteboardClient"))
2877
2878		(allow file-read* (literal "/usr/libexec/pboard"))
2879		--- 2,25 ----
2880		(deny default)
2881
2882		(import "system.sb")
2883		!
2884		! ; Enable pboard to call realpath() and re-issue sandbox extensions for file promises.
2885		! (allow file-read-metadata)
2886		! (allow file-issue-extension
2887		! (require-all
2888		! (extension-class "com.apple.app-sandbox.read")
2889		! (extension "com.apple.app-sandbox.read")))
2890		! (allow file-issue-extension
2891		! (require-all
2892		! (extension-class "com.apple.app-sandbox.read")
2893		! (extension "com.apple.app-sandbox.read-write")))
2894		! (allow file-issue-extension
2895		! (require-all
2896		! (extension-class "com.apple.app-sandbox.read-write")
2897		! (extension "com.apple.app-sandbox.read-write")))
2898		!
2899		(allow mach-lookup
2900		(global-name "com.apple.coreservices.uasharedpasteboardmanager.xpc")
2901		! (global-name "com.apple.lsd.mapdb"))
2902
2903		(allow file-read* (literal "/usr/libexec/pboard"))
2904		--
2905		com.apple.pictd.sb
2906		Files /System/Library/Sandbox/Profiles/com.apple.pictd.sb and com.apple.pictd.sb are identical
2907		--
2908		com.apple.qtkitserver.sb
2909		*** /System/Library/Sandbox/Profiles/com.apple.qtkitserver.sb 2017-02-04 16:59:32.000000000 -0800
2910		--- com.apple.qtkitserver.sb 2017-07-10 13:51:51.000000000 -0700
2911		***************
2912		* 187,192 **
2913		--- 187,193 ----
2914		(global-name "com.apple.PowerManagement.control")
2915		(global-name "com.apple.audio.audiohald")
2916		(global-name "com.apple.audio.coreaudiod")
2917		+ (global-name "com.apple.audio.AudioComponentRegistrar")
2918		(global-name "com.apple.dock.server")
2919		(global-name "com.apple.pasteboard.1")
2920		(global-name "com.apple.pbs.fetch_services")
2921		--
2922		com.apple.qtkittrustedmoviesservice.sb
2923		*** /System/Library/Sandbox/Profiles/com.apple.qtkittrustedmoviesservice.sb 2017-02-04 16:59:32.000000000 -0800
2924		--- com.apple.qtkittrustedmoviesservice.sb 2017-07-10 13:51:51.000000000 -0700
2925		***************
2926		* 142,147 **
2927		--- 142,148 ----
2928		(global-name "com.apple.PowerManagement.control")
2929		(global-name "com.apple.audio.audiohald")
2930		(global-name "com.apple.audio.coreaudiod")
2931		+ (global-name "com.apple.audio.AudioComponentRegistrar")
2932		(global-name "com.apple.dock.server")
2933		(global-name "com.apple.pasteboard.1")
2934		(global-name "com.apple.pbs.fetch_services")
2935		--
2936		com.apple.rapportd.sb
2937		*** /System/Library/Sandbox/Profiles/com.apple.rapportd.sb 1969-12-31 16:00:00.000000000 -0800
2938		--- com.apple.rapportd.sb 2017-07-10 13:51:50.000000000 -0700
2939		***************
2940		* 0 **
2941		--- 1,47 ----
2942		+ ;
2943		+ ; Copyright (C) 2017 Apple Inc. All Rights Reserved.
2944		+ ;
2945		+ ; Sandbox profile for rapportd.
2946		+ ;
2947		+
2948		+ (version 1)
2949		+ (deny default)
2950		+
2951		+ (import "com.apple.corefoundation.sb")
2952		+ (import "system.sb")
2953		+
2954		+ (allow distributed-notification-post)
2955		+ (allow file-read*
2956		+ (subpath "/"))
2957		+ (allow file-write*
2958		+ (subpath "/Library/Application Support/Rapport")
2959		+ (regex #"^/Library/Keychains/System.keychain")
2960		+ (literal "/private/var/db/mds/system/mds.lock")
2961		+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
2962		+ (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($\|/)")
2963		+ (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($\|/)")
2964		+ )
2965		+ (allow mach-lookup
2966		+ (global-name "com.apple.analyticsd")
2967		+ (global-name "com.apple.AutoUnlock.AuthenticationHintsProvider")
2968		+ (global-name "com.apple.awdd")
2969		+ (global-name "com.apple.bluetoothd")
2970		+ (global-name "com.apple.cloudd")
2971		+ (global-name "com.apple.coreduetd.context")
2972		+ (global-name "com.apple.coreduetd.knowledgebase")
2973		+ (global-name "com.apple.coresymbolicationd")
2974		+ (global-name "com.apple.distributed_notifications@1v3")
2975		+ (global-name "com.apple.managedconfiguration.profiled")
2976		+ (global-name "com.apple.networkd")
2977		+ (global-name "com.apple.ocspd")
2978		+ (global-name "com.apple.PairingManager")
2979		+ (global-name "com.apple.securityd.xpc")
2980		+ (global-name "com.apple.SecurityServer")
2981		+ (global-name "com.apple.server.bluetooth")
2982		+ (global-name "com.apple.wifi.manager")
2983		+ (global-name "com.apple.wirelessproxd"))
2984		+ (allow network*)
2985		+ (allow system-socket)
2986		+ (allow user-preference-read user-preference-write
2987		+ (preference-domain "com.apple.rapport")
2988		+ )
2989		--
2990		com.apple.reversetemplated.sb
2991		*** /System/Library/Sandbox/Profiles/com.apple.reversetemplated.sb 2016-08-03 17:40:10.000000000 -0700
2992		--- com.apple.reversetemplated.sb 2017-07-10 13:51:51.000000000 -0700
2993		***************
2994		* 10,15 **
2995		--- 10,16 ----
2996		(global-name "com.apple.tccd") ;; DataDetectorsCore
2997		(global-name "com.apple.CoreServices.coreservicesd") ;; -[NSURL getResourceValue:forKey:error:]
2998		(global-name "com.apple.mobileassetd") ;; to get access to the reverse templates
2999		+ (global-name "com.apple.parsecd") ;; to get flight information from Parsec (for flight template-less)
3000		)
3001
3002		;; SGAsset
3003		--
3004		com.apple.revisiond.sb
3005		Files /System/Library/Sandbox/Profiles/com.apple.revisiond.sb and com.apple.revisiond.sb are identical
3006		--
3007		com.apple.rtcreportingd.sb
3008		*** /System/Library/Sandbox/Profiles/com.apple.rtcreportingd.sb 2016-07-30 15:14:36.000000000 -0700
3009		--- com.apple.rtcreportingd.sb 2017-07-10 13:51:51.000000000 -0700
3010		***************
3011		* 25,39 **
3012		(home-subpath "/Library/Logs/RTCReports")
3013		(home-subpath "/logs/mediaserverd")
3014		(literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
3015		(darwin-user-temp-subpath #"/TemporaryItems")
3016		(mount-relative-regex #"^/\.TemporaryItems(/\|$)")) ;; NSData atomic write
3017
3018		- (allow file-issue-extension
3019		- (home-literal "/Library/Caches/rtcreportingd")
3020		- (require-all
3021		- (extension-class "com.apple.rtcreporting.upload")
3022		- (home-subpath "/Library/Containers/com.apple.FaceTime/Data/logs/mediaserverd")))
3023		-
3024		(allow file-read*
3025		(literal "/Library/Keychains/System.keychain")
3026		(home-literal "/Library/Keychains/login.keychain")
3027		--- 25,34 ----
3028		(home-subpath "/Library/Logs/RTCReports")
3029		(home-subpath "/logs/mediaserverd")
3030		(literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
3031		+ (literal "/private/var/db/mds/system/mds.lock")
3032		(darwin-user-temp-subpath #"/TemporaryItems")
3033		(mount-relative-regex #"^/\.TemporaryItems(/\|$)")) ;; NSData atomic write
3034
3035		(allow file-read*
3036		(literal "/Library/Keychains/System.keychain")
3037		(home-literal "/Library/Keychains/login.keychain")
3038		***************
3039		* 50,56 **
3040		(literal "/private/var/db/mds/system/mdsDirectory.db")
3041		(literal "/private/var/db/mds/system/mdsObject.db")
3042		(literal "/usr/libexec")
3043		! (subpath "/usr/libexec/rtcreportingd"))
3044
3045		(allow user-preference-read (preference-domain "com.apple.rtcreportingd"))
3046
3047		--- 45,51 ----
3048		(literal "/private/var/db/mds/system/mdsDirectory.db")
3049		(literal "/private/var/db/mds/system/mdsObject.db")
3050		(literal "/usr/libexec")
3051		! (literal "/usr/libexec/rtcreportingd"))
3052
3053		(allow user-preference-read (preference-domain "com.apple.rtcreportingd"))
3054
3055		***************
3056		* 65,76 **
3057		(global-name "com.apple.CoreServices.coreservicesd")
3058		(global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
3059		(global-name "com.apple.SecurityServer")
3060		(global-name "com.apple.cookied")
3061		(global-name "com.apple.ocspd"))
3062
3063		(system-network)
3064		! (allow network-outbound
3065		! (literal "/private/var/run/mDNSResponder")
3066		! (remote tcp "*:443")
3067		! (remote udp "*:16384")
3068		! (remote udp "*:16387"))
3069		\ No newline at end of file
3070		--- 60,73 ----
3071		(global-name "com.apple.CoreServices.coreservicesd")
3072		(global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
3073		(global-name "com.apple.SecurityServer")
3074		+ (global-name "com.apple.awdd")
3075		(global-name "com.apple.cookied")
3076		+ (global-name "com.apple.distributed_notifications@1v3")
3077		(global-name "com.apple.ocspd"))
3078
3079		+ (allow system-fsctl
3080		+ (fsctl-command (_IO "h" 47))) ; HFSIOC_SET_HOTFILE_STATE
3081		+
3082		(system-network)
3083		! (allow network-outbound)
3084		! (allow network-inbound (local udp))
3085		--
3086		com.apple.secd.sb
3087		*** /System/Library/Sandbox/Profiles/com.apple.secd.sb 1969-12-31 16:00:00.000000000 -0800
3088		--- com.apple.secd.sb 2017-07-10 13:51:51.000000000 -0700
3089		***************
3090		* 0 **
3091		--- 1,46 ----
3092		+ (version 1)
3093		+
3094		+ (deny default)
3095		+
3096		+ (import "system.sb")
3097		+
3098		+ (allow file-read* file-write*
3099		+ (subpath "/private/var/db/mds")
3100		+ (regex #"^/private/var/folders/[^/]+/[^/]+/T(/\|$)")
3101		+ (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/\|$)")))
3102		+
3103		+
3104		+ ;;;;;; will be fully fixed in 29465717
3105		+ (allow file-read* (subpath "/"))
3106		+
3107		+ (allow user-preference-read
3108		+ (preference-domain ".GlobalPreferences"))
3109		+ (allow user-preference-read
3110		+ (preference-domain "com.apple.security"))
3111		+
3112		+ (allow file-read*
3113		+ (literal "/usr/libexec/secd")
3114		+ (literal "/Library/Preferences/com.apple.security.plist")
3115		+ (literal "/Library/Preferences/.GlobalPreferences.plist")
3116		+ (literal "/AppleInternal")
3117		+ (literal "/usr/libexec"))
3118		+
3119		+
3120		+ (allow mach-lookup
3121		+ (global-name "com.apple.SystemConfiguration.configd")
3122		+ (global-name "com.apple.security.cloudkeychainproxy3")
3123		+ (global-name "com.apple.security.keychainsyncingoveridsproxy")
3124		+ (global-name "com.apple.cloudd")
3125		+ (global-name "com.apple.apsd")
3126		+ (global-name "com.apple.windowserver.active"))
3127		+
3128		+ (allow iokit-open
3129		+ (iokit-user-client-class "AppleKeyStoreUserClient"))
3130		+
3131		+ (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
3132		+
3133		+ (allow ipc-posix-shm
3134		+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
3135		+
3136		+ (allow network-outbound)
3137		+ (allow system-socket)
3138		--
3139		com.apple.secinitd.sb
3140		Files /System/Library/Sandbox/Profiles/com.apple.secinitd.sb and com.apple.secinitd.sb are identical
3141		--
3142		com.apple.securitydservice.sb
3143		*** /System/Library/Sandbox/Profiles/com.apple.securitydservice.sb 2016-08-29 18:15:20.000000000 -0700
3144		--- com.apple.securitydservice.sb 2017-07-10 13:51:50.000000000 -0700
3145		***************
3146		* 19,25 **
3147
3148		(allow mach-lookup
3149		(global-name "com.apple.SecurityServer")
3150		! (global-name "com.apple.ocspd"))
3151
3152		(allow iokit-open
3153		(iokit-user-client-class "AppleFDEKeyStoreUserClient")
3154		--- 19,26 ----
3155
3156		(allow mach-lookup
3157		(global-name "com.apple.SecurityServer")
3158		! (global-name "com.apple.ocspd")
3159		! (global-name "com.apple.mobile.keybagd.xpc"))
3160
3161		(allow iokit-open
3162		(iokit-user-client-class "AppleFDEKeyStoreUserClient")
3163		--
3164		com.apple.siri.ClientFlow.ClientScripter.sb
3165		*** /System/Library/Sandbox/Profiles/com.apple.siri.ClientFlow.ClientScripter.sb 2017-02-16 22:33:31.000000000 -0800
3166		--- com.apple.siri.ClientFlow.ClientScripter.sb 2017-07-10 13:51:50.000000000 -0700
3167		***************
3168		* 25,30 **
3169		--- 25,33 ----
3170		;; For validating the entitlements of clients.
3171		(allow process-info-codesignature)
3172
3173		+ ;; For mapping process path to CFScripter instance
3174		+ (allow process-info-pidinfo)
3175		+
3176		(allow mach-lookup (global-name "com.apple.webinspector"))
3177
3178		(trace "/tmp/ClientScripter.trace")
3179		--
3180		com.apple.speech.speechsynthesisd.sb
3181		*** /System/Library/Sandbox/Profiles/com.apple.speech.speechsynthesisd.sb 2017-03-26 12:45:27.000000000 -0700
3182		--- com.apple.speech.speechsynthesisd.sb 2017-07-10 13:51:50.000000000 -0700
3183		***************
3184		* 89,95 **
3185		(regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db$")
3186		(regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db_$"))
3187
3188		! ;;; rdar://problem/26620973 & rdar://problem/31070724
3189		(allow file-read* file-write* (regex #"^(/private)?/var/folders/[^/]+/[^/]+/[^/]+/com\.apple\.speech\.speechsynthesisd.*"))
3190
3191		;;; rdar://problem/26439889 No speech at login window for Polyglot voices
3192		--- 89,95 ----
3193		(regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db$")
3194		(regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db_$"))
3195
3196		! ;;; rdar://problem/26620973 & rdar://problem/31560540
3197		(allow file-read* file-write* (regex #"^(/private)?/var/folders/[^/]+/[^/]+/[^/]+/com\.apple\.speech\.speechsynthesisd.*"))
3198
3199		;;; rdar://problem/26439889 No speech at login window for Polyglot voices
3200		***************
3201		* 98,107 **
3202		--- 98,109 ----
3203		(allow mach-lookup
3204		(global-name "com.apple.audio.audiohald")
3205		(global-name "com.apple.audio.coreaudiod")
3206		+ (global-name "com.apple.audio.AudioComponentRegistrar")
3207		(global-name "com.apple.CoreServices.coreservicesd")
3208		(global-name "com.apple.coreservices.launchservicesd")
3209		(global-name "com.apple.distributed_notifications@1v3")
3210		(global-name "com.apple.distributed_notifications@Uv3")
3211		+ (global-name "com.apple.mobileassetd")
3212		(global-name "com.apple.ocspd")
3213		(global-name "com.apple.speechArbitrationServer")
3214		(global-name "com.apple.speech.speechdatainstallerd")
3215		--
3216		com.apple.storeaccountd.sb
3217		*** /System/Library/Sandbox/Profiles/com.apple.storeaccountd.sb 2016-08-12 15:28:37.000000000 -0700
3218		--- com.apple.storeaccountd.sb 2017-07-10 13:51:50.000000000 -0700
3219		***************
3220		* 103,112 **
3221		--- 103,116 ----
3222		(global-name "com.apple.storeaccountd"))
3223
3224		(allow mach-lookup
3225		+ (global-name "com.apple.adid")
3226		+ (global-name "com.apple.fpsd")
3227		(global-name "com.apple.UNCUserNotification")
3228		(global-name "com.apple.coreservices.launcherror-handler")
3229		(global-name "com.apple.softwareupdated")
3230		(global-name "com.apple.SystemConfiguration.configd")
3231		+ (global-name "com.apple.commerce")
3232		+ (global-name "com.apple.commerced")
3233		(global-name "com.apple.storeassetd")
3234		(global-name "com.apple.storeassetd.daemon")
3235		(global-name "com.apple.storeaccountd")
3236		--
3237		com.apple.storeassetd.sb
3238		*** /System/Library/Sandbox/Profiles/com.apple.storeassetd.sb 2017-04-13 21:11:22.000000000 -0700
3239		--- com.apple.storeassetd.sb 2017-07-10 13:51:50.000000000 -0700
3240		***************
3241		* 93,98 **
3242		--- 93,100 ----
3243		(global-name "com.apple.storeassetd"))
3244
3245		(allow mach-lookup
3246		+ (global-name "com.apple.adid")
3247		+ (global-name "com.apple.fpsd")
3248		(global-name "com.apple.UNCUserNotification")
3249		(global-name "com.apple.coreservices.launcherror-handler")
3250		(global-name "com.apple.softwareupdated")
3251		--
3252		com.apple.storedownloadd.sb
3253		*** /System/Library/Sandbox/Profiles/com.apple.storedownloadd.sb 2016-08-12 15:28:32.000000000 -0700
3254		--- com.apple.storedownloadd.sb 2017-07-10 13:51:50.000000000 -0700
3255		***************
3256		* 37,42 **
3257		--- 37,43 ----
3258		(regex #"/Library/Preferences/\.GlobalPreferences\.plist$")
3259		(regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
3260		(regex #"/Library/Preferences/com.apple.security\.plist$")
3261		+ (regex #"/Library/Preferences/com\.apple\.seeding\.plist$")
3262		(regex #"/\.CFUserTextEncoding$")
3263		(regex #"/Library/Caches/com\.apple\.commerce/updates-com\.apple\.appstore\.updateQueue\.plist$"))
3264
3265		***************
3266		* 96,101 **
3267		--- 97,104 ----
3268		(global-name "com.apple.storedownloadd"))
3269
3270		(allow mach-lookup
3271		+ (global-name "com.apple.adid")
3272		+ (global-name "com.apple.fpsd")
3273		(global-name "com.apple.UNCUserNotification")
3274		(global-name "com.apple.coreservices.launcherror-handler")
3275		(global-name "com.apple.softwareupdated")
3276		--
3277		com.apple.storelegacy.sb
3278		Files /System/Library/Sandbox/Profiles/com.apple.storelegacy.sb and com.apple.storelegacy.sb are identical
3279		--
3280		com.apple.storereceiptinstaller.sb
3281		*** /System/Library/Sandbox/Profiles/com.apple.storereceiptinstaller.sb 2017-04-13 21:12:19.000000000 -0700
3282		--- com.apple.storereceiptinstaller.sb 2017-07-10 13:51:51.000000000 -0700
3283		***************
3284		* 9,14 **
3285		--- 9,15 ----
3286		(literal "/private/var/root/Library/Preferences")
3287		(literal "/Library/Preferences/.GlobalPreferences.plist")
3288		(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
3289		+ (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
3290		(literal "/Library/Preferences/"))
3291
3292		(allow file-read* file-write*
3293		***************
3294		* 40,45 **
3295		--- 41,48 ----
3296		(allow distributed-notification-post)
3297
3298		(allow mach-lookup
3299		+ (global-name "com.apple.lsd.mapdb")
3300		+ (global-name "com.apple.lsd.modifydb")
3301		(global-name "com.apple.CoreServices.coreservicesd")
3302		(global-name "com.apple.DiskArbitration.diskarbitrationd")) ;used by [[NSWorkspace sharedWorkspace] setIcon:forFile:options:];
3303
3304		--
3305		com.apple.storeuid.sb
3306		*** /System/Library/Sandbox/Profiles/com.apple.storeuid.sb 2016-08-12 15:29:02.000000000 -0700
3307		--- com.apple.storeuid.sb 2017-07-10 13:51:50.000000000 -0700
3308		***************
3309		* 85,90 **
3310		--- 85,97 ----
3311		(literal "/Library/Preferences/com.apple.HIToolbox.plist")
3312		(regex #"/Library/Preferences/com\.apple\.LaunchServices/com\.apple\.launchservices\.secure\.plist$"))
3313
3314		+ (allow user-preference-read
3315		+ (preference-domain "com.apple.AppleMultitouchTrackpad")
3316		+ (preference-domain "com.apple.ServicesMenu.Services"))
3317		+
3318		+ (allow user-preference*
3319		+ (preference-domain "com.apple.storeuid"))
3320		+
3321		(allow ipc-posix-shm-read-data
3322		(ipc-posix-name "FNetwork.defaultStorageSession")
3323		(ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
3324		***************
3325		* 95,107 **
3326		(ipc-posix-name "com.apple.AppleDatabaseChanged"))
3327
3328		(allow mach-register
3329		! (global-name "com.apple.storeuid"))
3330
3331		(allow mach-lookup
3332		(global-name "com.apple.UNCUserNotification")
3333		(global-name "com.apple.coreservices.launcherror-handler")
3334		(global-name "com.apple.softwareupdated")
3335		(global-name "com.apple.SystemConfiguration.configd")
3336		(global-name "com.apple.storeassetd")
3337		(global-name "com.apple.storeaccountd")
3338		(global-name "com.apple.storedownloadd")
3339		--- 102,121 ----
3340		(ipc-posix-name "com.apple.AppleDatabaseChanged"))
3341
3342		(allow mach-register
3343		! (global-name "com.apple.storeuid")
3344		! (global-name "com.apple.storeagent.storekit"))
3345
3346		(allow mach-lookup
3347		+ (global-name "com.apple.iohideventsystem")
3348		+ (global-name "com.apple.tsm.uiserver")
3349		+ (global-name "com.apple.touchbarserver.mig")
3350		+ (global-name "com.apple.touchbar.agent")
3351		+ (global-name "com.apple.pbs.fetch_services")
3352		(global-name "com.apple.UNCUserNotification")
3353		(global-name "com.apple.coreservices.launcherror-handler")
3354		(global-name "com.apple.softwareupdated")
3355		(global-name "com.apple.SystemConfiguration.configd")
3356		+ (global-name "com.apple.commerce")
3357		(global-name "com.apple.storeassetd")
3358		(global-name "com.apple.storeaccountd")
3359		(global-name "com.apple.storedownloadd")
3360		***************
3361		* 166,171 **
3362		--- 180,188 ----
3363		(right-name "com.apple.SoftwareUpdate.modify-settings"))
3364
3365		(allow iokit-open
3366		+ (iokit-user-client-class "IOSurfaceRootUserClient")
3367		+ (iokit-user-client-class "IGAccelCommandQueue")
3368		+ (iokit-user-client-class "AppleMultitouchDeviceUserClient")
3369		(iokit-user-client-class "IOFramebufferSharedUserClient")
3370		(iokit-user-client-class "RootDomainUserClient")
3371		(iokit-user-client-class-regex #"AccelDevice$")
3372		--
3373		com.apple.suggestd.sb
3374		*** /System/Library/Sandbox/Profiles/com.apple.suggestd.sb 2016-11-08 18:31:19.000000000 -0800
3375		--- com.apple.suggestd.sb 2017-07-10 13:51:50.000000000 -0700
3376		***************
3377		* 16,21 **
3378		--- 16,23 ----
3379		(mount-relative-regex "^/\\.TemporaryItems(/\|$)") ;; NSData atomic write
3380		(home-subpath "/Library/Calendars") ;; EventKit
3381		(home-subpath "/Library/Application Support/AddressBook") ;; this needs to be r/w even if we only read: <rdar://problem/20454859>
3382		+ (home-subpath "/Library/Caches/com.apple.parsecd/CustomFeedback/") ;; Parsec feedback (Trystero uploads) <rdar://problem/33038387> Sandbox exception for Parsec feedback (macOS)
3383		+
3384		)
3385
3386		(allow file-write-create
3387		***************
3388		* 31,44 **
3389		--- 33,57 ----
3390		(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ;; MessageTracer
3391		(home-subpath "/Library/Mail") ;; Mail attachments
3392		(subpath "/private/var/db/datadetectors/sys") ;; Data Detectors sources
3393		+ (home-subpath "/Library/Application Support/Knowledge") ;; _DKKnowledgeStore
3394		)
3395
3396		(allow file-read* file-write*
3397		(literal "/private/var/db/mds/system/mds.lock") ;; Security.framework
3398		)
3399
3400		+ ;; <rdar://problem/31989235> Lobo: SGOrigin app name unlocalized - need sandbox rule for InfoPlist.strings
3401		+ (allow file-read* (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist"))
3402		+ (allow file-read* (regex #"\.app$"))
3403		+ (allow file-read* (regex #"\.app/Contents$"))
3404		+ (allow file-read* (regex #"\.app/Contents/Resources$"))
3405		+ (allow file-read* (regex #"/InfoPlist\.strings$"))
3406		+ (allow file-read* (regex #"/Info.plist$"))
3407		+ (allow file-read* (regex #"\.lproj$"))
3408		+
3409		(allow mach-lookup
3410		(global-name "com.apple.accountsd.accountmanager") ;; EventKit
3411		+ (global-name "com.apple.apsd") ;; SGDCloudKitSync (APNS)
3412		(global-name "com.apple.AddressBook.abd")
3413		(global-name "com.apple.AddressBook.AddressBookApplicationFrameworkIPC")
3414		(global-name "com.apple.AddressBook.ContactsAccountsService") ;; [ABAddressBook sharedAddressBook]
3415		***************
3416		* 48,61 **
3417		(global-name "com.apple.CalendarAgent.proxy")
3418		(global-name "com.apple.ContactsAgent.general")
3419		(global-name "com.apple.ContactsAgent.addressbook")
3420		(global-name "com.apple.coreduetd") ;; SGDPowerBudget
3421		! (global-name "com.apple.coreduetd.people") ;; SGDuetBridge
3422		(global-name "com.apple.corerecents.recentsd") ;; for significant pseudo-contacts
3423		(global-name "com.apple.CoreServices.coreservicesd") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
3424		(global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
3425		(global-name "com.apple.distributed_notifications@Uv3")
3426		(global-name "com.apple.lsd.mapdb") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
3427		(global-name "com.apple.lsd.modifydb") ;; same, see <rdar://problem/21302822>
3428		(global-name "com.apple.mobileassetd") ;; SGAsset
3429		(global-name "com.apple.reversetemplated")
3430		(global-name "com.apple.rtcreportingd")
3431		--- 61,79 ----
3432		(global-name "com.apple.CalendarAgent.proxy")
3433		(global-name "com.apple.ContactsAgent.general")
3434		(global-name "com.apple.ContactsAgent.addressbook")
3435		+ (global-name "com.apple.cloudd") ;; SGDCloudKitSync (CloudKit)
3436		(global-name "com.apple.coreduetd") ;; SGDPowerBudget
3437		! (global-name "com.apple.coreduetd.knowledge.user") ;; PersonalizationPortrait
3438		! (global-name "com.apple.coreduetd.context") ;; SGDPowerBudget
3439		(global-name "com.apple.corerecents.recentsd") ;; for significant pseudo-contacts
3440		(global-name "com.apple.CoreServices.coreservicesd") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
3441		+ (global-name "com.apple.spotlight.SearchAgent")
3442		+ (global-name "com.apple.spotlight.IndexAgent")
3443		(global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
3444		(global-name "com.apple.distributed_notifications@Uv3")
3445		(global-name "com.apple.lsd.mapdb") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
3446		(global-name "com.apple.lsd.modifydb") ;; same, see <rdar://problem/21302822>
3447		+ (global-name "com.apple.metadata.mds") ;; <rdar://problem/28957199>
3448		(global-name "com.apple.mobileassetd") ;; SGAsset
3449		(global-name "com.apple.reversetemplated")
3450		(global-name "com.apple.rtcreportingd")
3451		***************
3452		* 63,69 **
3453		(global-name "com.apple.SecurityServer") ;; Security.framework
3454		(global-name "com.apple.syncdefaultsd")
3455		(global-name "com.apple.system.opendirectoryd.api") ;; AddressBook.framework
3456		! (global-name "com.apple.tccd"))
3457
3458		(allow file-read-metadata
3459		(literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal"))
3460		--- 81,90 ----
3461		(global-name "com.apple.SecurityServer") ;; Security.framework
3462		(global-name "com.apple.syncdefaultsd")
3463		(global-name "com.apple.system.opendirectoryd.api") ;; AddressBook.framework
3464		! (global-name "com.apple.SystemConfiguration.configd") ;; SGDCloudKitSync (APNS)
3465		! (global-name "com.apple.tccd")
3466		! (global-name "com.apple.windowserver.active") ;; AGDCloudKitSync (APNS)
3467		! (global-name "com.apple.FileCoordination")) ;; MailServices for reimport
3468
3469		(allow file-read-metadata
3470		(literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal"))
3471		--
3472		com.apple.swcd.sb
3473		Files /System/Library/Sandbox/Profiles/com.apple.swcd.sb and com.apple.swcd.sb are identical
3474		--
3475		com.apple.tccd.sb
3476		Files /System/Library/Sandbox/Profiles/com.apple.tccd.sb and com.apple.tccd.sb are identical
3477		--
3478		com.apple.touristd.sb
3479		*** /System/Library/Sandbox/Profiles/com.apple.touristd.sb 1969-12-31 16:00:00.000000000 -0800
3480		--- com.apple.touristd.sb 2017-07-10 13:51:50.000000000 -0700
3481		***************
3482		* 0 **
3483		--- 1,106 ----
3484		+ ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
3485		+ ;;;
3486		+ ;;; WARNING: The sandbox rules in this file currently constitute
3487		+ ;;; Apple System Private Interface and are subject to change at any time and
3488		+ ;;; without notice.
3489		+ ;;;
3490		+ (version 1)
3491		+
3492		+ (deny default)
3493		+ (deny file-map-executable iokit-get-properties process-info* nvram*)
3494		+ (deny dynamic-code-generation)
3495		+
3496		+ (import "system.sb")
3497		+ (import "com.apple.corefoundation.sb")
3498		+ (corefoundation)
3499		+
3500		+ ;;; Homedir-relative path filters
3501		+ (define (home-regex home-relative-regex)
3502		+ (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
3503		+
3504		+ (define (home-subpath home-relative-subpath)
3505		+ (subpath (string-append (param "HOME") home-relative-subpath)))
3506		+
3507		+ (define (home-prefix home-relative-prefix)
3508		+ (prefix (string-append (param "HOME") home-relative-prefix)))
3509		+
3510		+ (define (home-literal home-relative-literal)
3511		+ (literal (string-append (param "HOME") home-relative-literal)))
3512		+
3513		+ (allow process-info* (target self))
3514		+
3515		+ ;; For resolving symlinks, realpath(3), and equivalents.
3516		+ (allow file-read-metadata)
3517		+
3518		+ ;; For validating the entitlements of clients.
3519		+ (allow process-info-codesignature)
3520		+
3521		+ ;;allow safari to open the url
3522		+ (allow lsopen)
3523		+
3524		+ ;; preference domain.
3525		+ (allow user-preference-read user-preference-write
3526		+ (preference-domain "com.apple.touristd"))
3527		+ (allow user-preference-read user-preference-write
3528		+ (preference-domain "NSGlobalDomain"))
3529		+ (allow file-read* file-write* (home-subpath "/Library/Preferences/"))
3530		+ (allow file-read* file-write* (literal "/Library/Preferences/.GlobalPreferences.plist"))
3531		+
3532		+ ;; private frameworks.
3533		+ (allow file-map-executable (subpath "/System/Library/PrivateFrameworks/"))
3534		+ (allow file-map-executable (subpath "/System/Library/Frameworks/"))
3535		+
3536		+ ;;allow outbound network connections.
3537		+ (system-network)
3538		+ (allow network-outbound)
3539		+ (allow ipc-posix-shm-read-data)
3540		+
3541		+ ;;allow mach lookup.
3542		+ (allow mach-lookup
3543		+ (global-name "com.apple.cookied")
3544		+ (global-name "com.apple.coreservices.launchservicesd")
3545		+ (global-name "com.apple.dock.server")
3546		+ (global-name "com.apple.lsd.mapdb")
3547		+ (global-name "com.apple.lsd.modifydb")
3548		+ (global-name "com.apple.syncdefaultsd")
3549		+ (global-name "com.apple.usernoted.daemon_client")
3550		+ (global-name "com.apple.coreservices.quarantine-resolver")
3551		+ (global-name "com.apple.SecurityServer")
3552		+ (global-name "com.apple.windowserver.active"))
3553		+
3554		+ ;;allow get properties.
3555		+ (allow iokit-get-properties
3556		+ (require-all
3557		+ (iokit-registry-entry-class "IOPlatformExpertDevice")
3558		+ (iokit-registry-entry-class "IORegisterForSystemPower")
3559		+ (iokit-registry-entry-class "IORegistryEntryCreateCFProperty")))
3560		+
3561		+ (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
3562		+ (allow iokit-get-properties (iokit-property "board-id"))
3563		+ (allow iokit-get-properties)
3564		+
3565		+ ;; Read/write access to a temporary directory.
3566		+ (allow file-read* file-write*
3567		+ (subpath (param "TMPDIR"))
3568		+ (subpath (param "DARWIN_CACHE_DIR"))
3569		+ (subpath "/Library/Application Support/CrashReporter/"))
3570		+
3571		+
3572		+ (allow file-read*
3573		+ (subpath "/Library/Application Support/CrashReporter/")
3574		+ (subpath "/private/var/db/mds/messages")
3575		+ (literal "/Library/Preferences/com.apple.security.plist"))
3576		+
3577		+
3578		+ ;; Read/write access to the previous system version.
3579		+ (allow file-read-data (literal "/private/var/db/PreviousSystemVersion.plist"))
3580		+ (allow file-read-data (home-literal "/.CFUserTextEncoding"))
3581		+
3582		+ ;; Read/write access to com.apple.touristd’s cache.
3583		+ (let ((cache-path-filter (home-prefix "/Library/Caches/com.apple.touristd")))
3584		+ (allow file-read* file-write* cache-path-filter)
3585		+ (allow file-issue-extension
3586		+ (require-all
3587		+ (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
3588		+ cache-path-filter)))
3589		+
3590		--
3591		com.apple.trustd.sb
3592		*** /System/Library/Sandbox/Profiles/com.apple.trustd.sb 1969-12-31 16:00:00.000000000 -0800
3593		--- com.apple.trustd.sb 2017-07-10 13:51:51.000000000 -0700
3594		***************
3595		* 0 **
3596		--- 1,70 ----
3597		+ (version 1)
3598		+
3599		+ (deny default)
3600		+ (deny file-map-executable iokit-get-properties process-info* nvram*)
3601		+ (deny dynamic-code-generation)
3602		+
3603		+ (import "system.sb")
3604		+ (import "com.apple.corefoundation.sb")
3605		+ (corefoundation)
3606		+
3607		+ (allow process-info* (target self))
3608		+
3609		+ ;; For resolving symlinks, realpath(3), and equivalents.
3610		+ (allow file-read-metadata)
3611		+
3612		+ ;; For validating the entitlements of clients (for keychain and trust settings)
3613		+ ;; see 31353815
3614		+ (allow process-info-codesignature)
3615		+ (allow process-info-pidinfo)
3616		+ (allow file-read*)
3617		+
3618		+ ;; ${PRODUCT_NAME}’s preference domain.
3619		+ (allow user-preference-read user-preference-write
3620		+ (preference-domain "com.apple.trustd"))
3621		+
3622		+ ;; Global and security preferences
3623		+ (allow user-preference-read
3624		+ (preference-domain "com.apple.security")
3625		+ (preference-domain "com.apple.Security")
3626		+ (preference-domain ".GlobalPreferences")
3627		+ (preference-domain "com.apple.MobileAsset"))
3628		+
3629		+ ;; Read/write access to a temporary directory.
3630		+ (allow file-read* file-write*
3631		+ (subpath (param "_TMPDIR"))
3632		+ (subpath (param "_DARWIN_CACHE_DIR")))
3633		+
3634		+ ;; Read/write access to keychains and caches
3635		+ (allow file-read* file-write*
3636		+ (subpath "/private/var/db/mds/")
3637		+ (subpath "/private/var/db/crls/")
3638		+ (subpath "/System/Library/Security/")
3639		+ (subpath "/Library/Keychains/")
3640		+ (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
3641		+
3642		+ (allow file-read*
3643		+ (literal "/usr/libexec")
3644		+ (literal "/usr/libexec/trustd")
3645		+ (literal "/Library/Preferences/com.apple.security.plist")
3646		+ (regex #"/.GlobalPreferences[^/]*\.plist")
3647		+ (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
3648		+ (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
3649		+
3650		+ (allow file-map-executable
3651		+ (regex #"/CoreServicesInternal")
3652		+ (regex #"/csparser"))
3653		+
3654		+ (allow mach-lookup
3655		+ (global-name "com.apple.ocspd")
3656		+ (global-name "com.apple.SecurityServer")
3657		+ (global-name "com.apple.SystemConfiguration.configd")
3658		+ (global-name "com.apple.mobileassetd")
3659		+ (global-name "com.apple.securityd.xpc")
3660		+ (global-name "com.apple.nsurlsessiond"))
3661		+
3662		+ (allow ipc-posix-shm
3663		+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
3664		+
3665		+ (allow network-outbound)
3666		+ (allow system-socket)
3667		--
3668		com.apple.useractivityd.sb
3669		*** /System/Library/Sandbox/Profiles/com.apple.useractivityd.sb 2016-08-02 19:58:42.000000000 -0700
3670		--- com.apple.useractivityd.sb 2017-07-10 13:51:50.000000000 -0700
3671		***************
3672		* 12,17 **
3673		--- 12,24 ----
3674		(allow file-write*
3675		(subpath (param "LOG_DIR")))
3676
3677		+ ;;(allow file-issue-extension
3678		+ ;; (extension "com.apple.app-sandbox.read-write"))
3679		+
3680		+ (if (param "TMP_DIR")
3681		+ (allow file-issue-extension
3682		+ (regex (string-append "^" (param "TMP_DIR") "/*"))))
3683		+
3684		(if (param "TMP_DIR")
3685		(allow file-write*
3686		(regex (string-append "^" (param "TMP_DIR") "/*"))))
3687		***************
3688		* 54,59 **
3689		--- 61,69 ----
3690		(global-name "com.apple.ProgressReporting")
3691		(global-name "com.apple.iokit.powerdxpc")
3692		(global-name "com.apple.PowerManagement.control")
3693		+ (global-name "com.apple.BluetoothDOServer")
3694		+ (global-name "com.apple.FileCoordination")
3695		+ (global-name "com.apple.analyticsd")
3696		)
3697
3698		;; Things needed for debugging, only if it's a debug server
3699		--
3700		com.apple.writeconfig.sb
3701		Files /System/Library/Sandbox/Profiles/com.apple.writeconfig.sb and com.apple.writeconfig.sb are identical
3702		--
3703		com.apple.xpchelper.sb
3704		Files /System/Library/Sandbox/Profiles/com.apple.xpchelper.sb and com.apple.xpchelper.sb are identical
3705		--
3706		com.openssh.sshd.sb
3707		Files /System/Library/Sandbox/Profiles/com.openssh.sshd.sb and com.openssh.sshd.sb are identical
3708		--
3709		coresymbolicationd.sb
3710		Files /System/Library/Sandbox/Profiles/coresymbolicationd.sb and coresymbolicationd.sb are identical
3711		--
3712		directoryserver.sb
3713		Files /System/Library/Sandbox/Profiles/directoryserver.sb and directoryserver.sb are identical
3714		--
3715		fmfd.sb
3716		Files /System/Library/Sandbox/Profiles/fmfd.sb and fmfd.sb are identical
3717		--
3718		iWorkXPC.sb
3719		*** /System/Library/Sandbox/Profiles/iWorkXPC.sb 1969-12-31 16:00:00.000000000 -0800
3720		--- iWorkXPC.sb 2017-07-10 13:51:51.000000000 -0700
3721		***************
3722		* 0 **
3723		--- 1,28 ----
3724		+ (version 1)
3725		+
3726		+ (deny default)
3727		+ (deny dynamic-code-generation file-map-executable nvram* process-info*)
3728		+
3729		+ (import "system.sb")
3730		+
3731		+ ;;; <rdar://problem/32252235> MAC: XPC: Sandbox violations on export
3732		+ (define (home-subpath home-relative-subpath)
3733		+ (subpath (string-append (param "_HOME") home-relative-subpath)))
3734		+ (define (home-literal home-relative-literal)
3735		+ (literal (string-append (param "_HOME") home-relative-literal)))
3736		+ (define (home-regex home-relative-regex)
3737		+ (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
3738		+
3739		+ (allow file-read* (home-literal "/Library/Preferences/.CFUserTextEncoding"))
3740		+
3741		+ (allow file-read-metadata)
3742		+
3743		+ (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
3744		+
3745		+ (allow file-read* (extension "com.apple.app-sandbox.read"))
3746		+ (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
3747		+
3748		+ (allow process-info-dirtycontrol (target self))
3749		+
3750		+ (allow file-map-executable (subpath "/System/Library/Frameworks")
3751		+ (subpath "/System/Library/PrivateFrameworks"))
3752		--
3753		opendirectory.sb
3754		Files /System/Library/Sandbox/Profiles/opendirectory.sb and opendirectory.sb are identical
3755		--
3756		racoon.sb
3757		Files /System/Library/Sandbox/Profiles/racoon.sb and racoon.sb are identical
3758		--
3759		system.sb
3760		*** /System/Library/Sandbox/Profiles/system.sb 2016-08-29 17:54:29.000000000 -0700
3761		--- system.sb 2017-07-10 13:51:50.000000000 -0700
3762		***************
3763		* 10,17 **
3764		(version 1)
3765
3766		;;; Allow registration of per-pid services.
3767		! (allow mach-register
3768		! (local-name-prefix ""))
3769
3770		;;; Allow read access to standard system paths.
3771		(allow file-read*
3772		--- 10,19 ----
3773		(version 1)
3774
3775		;;; Allow registration of per-pid services.
3776		! (allow mach-register (local-name-prefix ""))
3777		!
3778		! ;;; Allow lookup of XPC services for backward-compatibility.
3779		! (allow mach-lookup (xpc-service-name-prefix ""))
3780
3781		;;; Allow read access to standard system paths.
3782		(allow file-read*
3783		***************
3784		* 20,25 **
3785		--- 22,28 ----
3786		(subpath "/Library/Preferences/Logging") ; Logging Rethink
3787		(subpath "/System")
3788		(subpath "/private/var/db/dyld")
3789		+ (subpath "/private/var/db/timezone")
3790		(subpath "/usr/lib")
3791		(subpath "/usr/share"))))
3792
3793		***************
3794		* 76,81 **
3795		--- 79,85 ----
3796		(global-name "com.apple.cfprefsd.agent")
3797		(global-name "com.apple.cfprefsd.daemon")
3798		(global-name "com.apple.diagnosticd")
3799		+ (global-name "com.apple.dyld.closured")
3800		(global-name "com.apple.espd")
3801		(global-name "com.apple.logd")
3802		(global-name "com.apple.logd.events")
3803		***************
3804		* 119,124 **
3805		--- 123,129 ----
3806		(iokit-registry-entry-class "IOFramebufferSharedUserClient"))
3807		;; H.264 Acceleration
3808		(allow iokit-open
3809		+ (iokit-registry-entry-class "AppleIntelMEUserClient")
3810		(iokit-registry-entry-class "AppleSNBFBUserClient"))
3811		;; QuartzCore
3812		(allow iokit-open

Public Pastes

FE KJ Movements Exploit Limb Reanim
Lua | 27 min ago | 3.99 KB
Script
Lua | 34 min ago | 0.15 KB
Script
Lua | 34 min ago | 0.15 KB
Script
Lua | 51 min ago | 0.18 KB
LocalScript
Lua | 1 hour ago | 0.15 KB
dataNone
JSON | 1 hour ago | 0.64 KB
Add Parent ID column to WooCommerce products...
PHP | 2 hours ago | 0.64 KB
RefuelLoop
Lua | 2 hours ago | 0.53 KB