
Untitled

a guest
Jul 10th, 2017
  1. --
  2. application.sb
  3. *** /System/Library/Sandbox/Profiles/application.sb 2017-01-31 18:23:47.000000000 -0800
  4. --- application.sb 2017-07-10 13:51:51.000000000 -0700
  5. ***************
  6. *** 483,488 ****
  7. --- 483,491 ----
  8. (deny nvram*)
  9. (allow nvram-get (nvram-variable "IOGVAEncoderRestricted"))
  10. (deny file-link (home-subpath "/Library"))
  11. + (with-filter
  12. + (extension "com.apple.app-sandbox.read-write")
  13. + (allow file-link (home-subpath "/Library/Mobile Documents")))
  14. (if (entitlement "com.apple.security.temporary-exception.yasb")
  15. (begin
  16. (read-write-and-issue-extensions (subpath "/"))
  17. ***************
  18. *** 559,566 ****
  19. (string-append
  20. "/Library/Preferences/ByHost/"
  21. (regex-quote domain)
  22. ! "\\..*\\.plist$")))
  23. ! (%protect-preference-symlink domain)))
  24. domains))
  25. (define (shared-preferences-read-write . domains)
  26. (for-each
  27. --- 562,568 ----
  28. (string-append
  29. "/Library/Preferences/ByHost/"
  30. (regex-quote domain)
  31. ! "\\..*\\.plist$")))))
  32. domains))
  33. (define (shared-preferences-read-write . domains)
  34. (for-each
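Review bot: Removing `(%protect-preference-symlink domain)` from this per-domain loop, and from the matching loop in the 581 hunk, means the symlink protection no longer follows every domain passed to the shared-preferences helpers. The 1020 hunk re-adds it for only `com.apple.security_common` and `com.apple.security`. The definition of `%protect-preference-symlink` is not visible on this page, so whether the remaining domains still need it cannot be judged from here. The narrowing deserves a comment at the new call site, for example `;; symlink protection is now applied only to the security domains`, plus the reason. Both helper bodies start outside their hunks.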
  35. ***************
  36. *** 581,588 ****
  37. (string-append
  38. "/Library/Preferences/ByHost/"
  39. (regex-quote domain)
  40. ! "\\..*\\.plist(\\..+)?$")))
  41. ! (%protect-preference-symlink domain)))
  42. domains))
  43. (allow file-read*
  44. file-ioctl
  45. --- 583,589 ----
  46. (string-append
  47. "/Library/Preferences/ByHost/"
  48. (regex-quote domain)
  49. ! "\\..*\\.plist(\\..+)?$")))))
  50. domains))
  51. (allow file-read*
  52. file-ioctl
  53. ***************
  54. *** 635,641 ****
  55. (literal "/Library/Preferences/com.apple.Bluetooth.plist"))
  56. (allow mach-lookup
  57. (global-name "com.apple.BluetoothDOServer")
  58. ! (global-name "com.apple.blued"))
  59. (allow iokit-open
  60. (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  61. (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  62. --- 636,642 ----
  63. (literal "/Library/Preferences/com.apple.Bluetooth.plist"))
  64. (allow mach-lookup
  65. (global-name "com.apple.BluetoothDOServer")
  66. ! (global-name "com.apple.bluetoothd"))
  67. (allow iokit-open
  68. (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  69. (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  70. ***************
  71. *** 837,846 ****
  72. (lambda (id)
  73. (allow file-link (ubiquity-filter id))
  74. (read-write-and-issue-extensions (ubiquity-filter id))))
  75. ! (read-only-and-issue-extensions
  76. ! (require-all
  77. ! (extension "com.apple.librarian.ubiquity-revision")
  78. ! (mount-relative-regex "^/\\.DocumentRevisions-V100(/|$)")))
  79. (with-filter
  80. (extension "com.apple.librarian.ubiquity-container")
  81. (allow file-link (home-subpath "/Library/Mobile Documents"))
  82. --- 838,848 ----
  83. (lambda (id)
  84. (allow file-link (ubiquity-filter id))
  85. (read-write-and-issue-extensions (ubiquity-filter id))))
  86. ! (sandbox-array-entitlement
  87. ! "com.apple.developer.icloud-container-identifiers"
  88. ! (lambda (id)
  89. ! (allow file-link (ubiquity-filter id))
  90. ! (read-write-and-issue-extensions (ubiquity-filter id))))
  91. (with-filter
  92. (extension "com.apple.librarian.ubiquity-container")
  93. (allow file-link (home-subpath "/Library/Mobile Documents"))
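Review bot: The new `sandbox-array-entitlement` block for `com.apple.developer.icloud-container-identifiers` repeats, token for token, the lambda shown in the context lines just above it. Binding that lambda once (for example as `(define (allow-ubiquity-container id) ...)`) and passing it to both calls would keep the two entitlements from drifting apart. The same edit removes the `read-only-and-issue-extensions` rule for `com.apple.librarian.ubiquity-revision` under `.DocumentRevisions-V100`; nothing visible says whether that access moved elsewhere, so a one-line comment recording where it went would help. The preceding entitlement block begins outside the hunk.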
  94. ***************
  95. *** 924,932 ****
  96. network-outbound
  97. (group-container-regex "/"))
  98. (read-write-and-issue-extensions (group-container-regex "/"))
  99. - (deny file-read*
  100. - file-write*
  101. - (group-container-subpath "/Library/Preferences"))
  102. (allow file-read*
  103. process-exec
  104. (subpath
  105. --- 926,931 ----
  106. ***************
  107. *** 995,1000 ****
  108. --- 994,1000 ----
  109. (shared-preferences-read
  110. ".GlobalPreferences"
  111. "com.apple.AppleMultitouchTrackpad"
  112. + "com.apple.airplay"
  113. "com.apple.avfoundation"
  114. "com.apple.cmio"
  115. "com.apple.coreanimation"
  116. ***************
  117. *** 1020,1025 ****
  118. --- 1020,1027 ----
  119. "com.apple.universalaccess"
  120. "pbs")
  121. (shared-preferences-read-write "com.apple.AppKit.TextFavorites")
  122. + (%protect-preference-symlink "com.apple.security_common")
  123. + (%protect-preference-symlink "com.apple.security")
  124. (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
  125. (shared-preferences-read "com.apple.mediaaccessibility")
  126. (shared-preferences-read-write
  127. ***************
  128. *** 1083,1093 ****
  129. (literal "/Volumes")
  130. (literal "/private/etc/group")
  131. (literal "/private/etc/hosts")
  132. (literal "/private/etc/passwd")
  133. (literal "/private/etc/protocols")
  134. (literal "/private/etc/resolv.conf")
  135. (literal "/private/etc/services")
  136. ! (literal "/private/etc/openldap/ldap.conf")
  137. (literal "/private/var/run/resolv.conf")
  138. (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  139. (literal "/Library/Preferences/.GlobalPreferences.plist")
  140. --- 1085,1096 ----
  141. (literal "/Volumes")
  142. (literal "/private/etc/group")
  143. (literal "/private/etc/hosts")
  144. + (literal "/private/etc/openldap/ldap.conf")
  145. (literal "/private/etc/passwd")
  146. (literal "/private/etc/protocols")
  147. (literal "/private/etc/resolv.conf")
  148. (literal "/private/etc/services")
  149. ! (literal "/private/etc/ssl/openssl.cnf")
  150. (literal "/private/var/run/resolv.conf")
  151. (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  152. (literal "/Library/Preferences/.GlobalPreferences.plist")
  153. ***************
  154. *** 1131,1147 ****
  155. --- 1134,1157 ----
  156. (local-name "com.apple.CFPasteboardClient")
  157. (local-name "com.apple.coredrag")
  158. (global-name "com.apple.apsd")
  159. + (global-name "com.apple.audio.AudioComponentPrefs")
  160. + (global-name "com.apple.audio.AudioComponentRegistrar")
  161. (global-name "com.apple.audio.audiohald")
  162. (global-name "com.apple.audio.coreaudiod")
  163. (global-name "com.apple.backupd.sandbox.xpc")
  164. (global-name "com.apple.bird")
  165. (global-name "com.apple.bird.token")
  166. + (global-name "com.apple.cache_delete.public")
  167. (global-name "com.apple.colorsyncd")
  168. + (global-name "com.apple.colorsync.useragent")
  169. (global-name "com.apple.controlcenter.toggle")
  170. (global-name "com.apple.coremedia.endpoint.xpc")
  171. (global-name "com.apple.coremedia.endpointpicker.xpc")
  172. (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
  173. (global-name "com.apple.coremedia.endpointstream.xpc")
  174. + (global-name "com.apple.coremedia.routediscoverer.xpc")
  175. + (global-name "com.apple.coremedia.routingcontext.xpc")
  176. + (global-name "com.apple.coremedia.volumecontroller.xpc")
  177. (global-name "com.apple.coreservices.appleevents")
  178. (global-name "com.apple.CoreServices.coreservicesd")
  179. (global-name "com.apple.coreservices.launcherror-handler")
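Review bot: The seven `global-name` entries added to this list carry no rationale, and because this is the shared application profile each one becomes reachable from every process that runs under it. A short trailing comment per entry, in the style the AssetCacheTetheratorService profile on this page uses (`; for using Internet Sharing`), would let a later audit tell which services are still needed. The same applies to `com.apple.FileProvider` in the 1150 hunk and `com.apple.tailspind` in the 1214 hunk. The enclosing allow form, presumably `mach-lookup`, opens and closes outside the hunk.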
  180. ***************
  181. *** 1150,1162 ****
  182. (global-name "com.apple.coreservices.sharedfilelistd.mig")
  183. (global-name "com.apple.coreservices.sharedfilelistd.xpc")
  184. (global-name "com.apple.cvmsServ")
  185. - (global-name "com.apple.decalog4.incoming")
  186. (global-name "com.apple.DiskArbitration.diskarbitrationd")
  187. (global-name "com.apple.distributed_notifications@1v3")
  188. (global-name "com.apple.distributed_notifications@Uv3")
  189. (global-name "com.apple.dock.fullscreen")
  190. (global-name "com.apple.dock.server")
  191. (global-name "com.apple.FileCoordination")
  192. (global-name "com.apple.FontObjectsServer")
  193. (global-name "com.apple.FontRegistry.FontRegistryUIAgent")
  194. (global-name "com.apple.fonts")
  195. --- 1160,1172 ----
  196. (global-name "com.apple.coreservices.sharedfilelistd.mig")
  197. (global-name "com.apple.coreservices.sharedfilelistd.xpc")
  198. (global-name "com.apple.cvmsServ")
  199. (global-name "com.apple.DiskArbitration.diskarbitrationd")
  200. (global-name "com.apple.distributed_notifications@1v3")
  201. (global-name "com.apple.distributed_notifications@Uv3")
  202. (global-name "com.apple.dock.fullscreen")
  203. (global-name "com.apple.dock.server")
  204. (global-name "com.apple.FileCoordination")
  205. + (global-name "com.apple.FileProvider")
  206. (global-name "com.apple.FontObjectsServer")
  207. (global-name "com.apple.FontRegistry.FontRegistryUIAgent")
  208. (global-name "com.apple.fonts")
  209. ***************
  210. *** 1174,1180 ****
  211. (global-name "com.apple.iohideventsystem")
  212. (global-name "com.apple.KerberosHelper.LKDCHelper")
  213. (global-name "com.apple.KeyboardServices.TextReplacementService")
  214. - (global-name "com.apple.librariand")
  215. (global-name "com.apple.lookupd")
  216. (global-name "com.apple.ls.boxd")
  217. (global-name "com.apple.lsd.mapdb")
  218. --- 1184,1189 ----
  219. ***************
  220. *** 1214,1219 ****
  221. --- 1223,1229 ----
  222. (global-name "com.apple.SystemConfiguration.configd")
  223. (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  224. (global-name "com.apple.SystemConfiguration.NetworkInformation")
  225. + (global-name "com.apple.tailspind")
  226. (global-name "com.apple.tccd")
  227. (global-name "com.apple.tccd.system")
  228. (global-name
  229. ***************
  230. *** 1230,1235 ****
  231. --- 1240,1248 ----
  232. (global-name-regex "_OpenStep$"))
  233. (allow mach-lookup (global-name "com.apple.PowerManagement.control"))
  234. (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
  235. + (with-filter
  236. + (iokit-registry-entry-class "IODisplayWrangler")
  237. + (allow iokit-set-properties (iokit-property "IORequestIdle")))
  238. (allow iokit-open (iokit-user-client-class "IOHIDParamUserClient"))
  239. (system-graphics)
  240. (with-filter
  241. ***************
  242. *** 1242,1248 ****
  243. (allow authorization-right-obtain (right-name "system.hdd.smart"))
  244. (allow appleevent-send
  245. (appleevent-destination "com.apple.imagecaptureextension2"))
  246. - (allow mach-register (local-name "com.apple.ICA"))
  247. (allow network-outbound (subpath "/private/var/run"))
  248. (deny network-outbound (literal "/private/var/run/usbmuxd"))
  249. (allow network-bind
  250. --- 1255,1260 ----
  251. ***************
  252. *** 1399,1404 ****
  253. --- 1411,1432 ----
  254. (sandbox-array-entitlement
  255. "com.apple.security.temporary-exception.mach-register.local-name"
  256. (lambda (name) (allow mach-register (local-name name))))
  257. + (define (select-sysctl-filter handle with-star without-star)
  258. + (if (end-with-star? handle)
  259. + (with-star (strip-last-char handle))
  260. + (without-star handle)))
  261. + (sandbox-array-entitlement
  262. + "com.apple.security.temporary-exception.sysctl.read-only"
  263. + (lambda (handle)
  264. + (let ((sysctl-filter
  265. + (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
  266. + (allow sysctl-read sysctl-filter))))
  267. + (sandbox-array-entitlement
  268. + "com.apple.security.temporary-exception.sysctl.read-write"
  269. + (lambda (handle)
  270. + (let ((sysctl-filter
  271. + (select-sysctl-filter handle sysctl-name-prefix sysctl-name)))
  272. + (allow sysctl-read sysctl-write sysctl-filter))))
  273. (define (safe-subpath path) (subpath (if (string=? path "") "/" path)))
  274. (define (select-filter path with-slash without-slash)
  275. (if (end-with-slash? path)
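Review bot: `select-sysctl-filter` strips a trailing star and passes the remainder to `sysctl-name-prefix` without checking that anything is left. An entitlement value of just `*` would presumably yield an empty prefix, and in the read-write block that filter is paired with `sysctl-write`. `end-with-star?` and `strip-last-char` are defined outside this hunk and may already reject that case; if they do not, take the prefix branch only for longer handles, `(if (and (end-with-star? handle) (> (string-length handle) 1))`. The two entitlement lambdas differ only in their operation list and could share one helper.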
  276. --
  277. apsd.sb
  278. Files /System/Library/Sandbox/Profiles/apsd.sb and apsd.sb are identical
  279. --
  280. bsd.sb
  281. *** /System/Library/Sandbox/Profiles/bsd.sb 2016-07-30 12:32:36.000000000 -0700
  282. --- bsd.sb 2017-07-10 13:51:51.000000000 -0700
  283. ***************
  284. *** 22,28 ****
  285. ; Allow files accessed by system dylibs and frameworks
  286. #"/\.CFUserTextEncoding$"
  287. #"^/usr/share/nls/"
  288. ! #"^/usr/share/zoneinfo/"
  289. ))
  290.  
  291. (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center")) ; Libnotify
  292. --- 22,28 ----
  293. ; Allow files accessed by system dylibs and frameworks
  294. #"/\.CFUserTextEncoding$"
  295. #"^/usr/share/nls/"
  296. ! #"^/var/db/timezone/zoneinfo/"
  297. ))
  298.  
  299. (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center")) ; Libnotify
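Review bot: The replacement regex `^/var/db/timezone/zoneinfo/` is anchored at `/var`, while other profiles on this page spell such paths `/private/var/...` or `^(/private)?/var/...`. If the sandbox matches against the resolved path (an assumption; nothing in the hunk shows it), this pattern would not match the files it is meant to allow. `#"^(/private)?/var/db/timezone/zoneinfo/"` would cover both spellings. The enclosing allow form starts outside the hunk.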
  300. --
  301. cloudpaird.sb
  302. *** /System/Library/Sandbox/Profiles/cloudpaird.sb 2016-09-09 20:24:50.000000000 -0700
  303. --- cloudpaird.sb 2017-07-10 13:51:50.000000000 -0700
  304. ***************
  305. *** 135,141 ****
  306. (global-name "com.apple.BluetoothDOServer")
  307. (global-name "com.apple.xpchelper")
  308. (global-name "com.apple.bluetoothUIServer")
  309. ! (global-name "com.apple.blued")
  310. (global-name "com.apple.cloudd")
  311. (global-name "com.apple.apsd")
  312. (global-name "com.apple.logind")
  313. --- 135,141 ----
  314. (global-name "com.apple.BluetoothDOServer")
  315. (global-name "com.apple.xpchelper")
  316. (global-name "com.apple.bluetoothUIServer")
  317. ! (global-name "com.apple.bluetoothd")
  318. (global-name "com.apple.cloudd")
  319. (global-name "com.apple.apsd")
  320. (global-name "com.apple.logind")
  321. --
  322. colorsyncd.sb
  323. *** /System/Library/Sandbox/Profiles/colorsyncd.sb 2016-07-30 15:38:53.000000000 -0700
  324. --- colorsyncd.sb 2017-07-10 13:51:50.000000000 -0700
  325. ***************
  326. *** 17,26 ****
  327.  
  328. (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
  329.  
  330. ! (allow file-read* file-write-data file-write-create file-write-unlink file-write-owner (subpath "/Library/ColorSync/Profiles"))
  331. ! (deny file-write-data file-write-create file-write-unlink file-write-owner (literal "/Library/ColorSync/Profiles"))
  332.  
  333. ! (allow file-write-create
  334. ! (require-all
  335. ! (vnode-type DIRECTORY)
  336. ! (literal "/Library/ColorSync/Profiles" "/Library/ColorSync" "/Library")))
  337. --- 17,54 ----
  338.  
  339. (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
  340.  
  341. ! (define (allow-create-directory . filters)
  342. ! (allow file-read-metadata
  343. ! (apply require-any filters))
  344. ! (allow file-read-metadata file-write-create
  345. ! (require-all
  346. ! (vnode-type DIRECTORY)
  347. ! (apply require-any filters))))
  348.  
  349. ! ;; Allow the creation of only a directory at these paths.
  350. ! (allow-create-directory
  351. ! (literal "/Library/Caches")
  352. ! (literal "/Library/Caches/ColorSync"))
  353. ! ;; Allow reading the contents of our directory
  354. ! (allow file-read*
  355. ! (literal "/Library/Caches/ColorSync"))
  356. ! ;; Allow full access to anything below our directory.
  357. ! (allow file-read* file-write*
  358. ! (prefix "/Library/Caches/ColorSync/"))
  359. !
  360. ! (allow-create-directory
  361. ! (literal "/Library/ColorSync")
  362. ! (literal "/Library/ColorSync/Profiles"))
  363. ! (allow file-read*
  364. ! (literal "/Library/ColorSync/Profiles"))
  365. ! (allow file-read* file-write*
  366. ! (prefix "/Library/ColorSync/Profiles/"))
  367. !
  368. ! ;; deny the removal of these pre-installed profiles.
  369. ! (deny file-write-unlink
  370. ! (literal "/Library/ColorSync/Profiles/Black & White.icc")
  371. ! (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
  372. ! (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
  373. ! (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
  374. ! (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
  375. ! (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
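Review bot: The closing `deny file-write-unlink` list protects the six pre-installed profiles only against removal; the `(allow file-read* file-write* (prefix "/Library/ColorSync/Profiles/"))` above it still lets their contents be overwritten in place. If the intent is that these files stay intact, the deny should name the data operation as well, `(deny file-write-unlink file-write-data`, and the comment should say which of the two is meant. Separately, the first form in `allow-create-directory` already grants `file-read-metadata` on every filter, so repeating that operation in the second form is redundant.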
  376. --
  377. com.apple.AirPlayXPCHelper.sb
  378. *** /System/Library/Sandbox/Profiles/com.apple.AirPlayXPCHelper.sb 2017-04-04 20:54:28.000000000 -0700
  379. --- com.apple.AirPlayXPCHelper.sb 2017-07-10 13:51:50.000000000 -0700
  380. ***************
  381. *** 63,72 ****
  382. (iokit-user-client-class "RootDomainUserClient")
  383. (iokit-user-client-class "IOReportUserClient")
  384. (iokit-user-client-class "IOBluetoothHCIUserClient")
  385. ! (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  386. ! (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  387. ! (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  388. ! (iokit-user-client-class "IOBluetoothDeviceUserClient")
  389. )
  390.  
  391. (allow iokit-set-properties
  392. --- 63,77 ----
  393. (iokit-user-client-class "RootDomainUserClient")
  394. (iokit-user-client-class "IOReportUserClient")
  395. (iokit-user-client-class "IOBluetoothHCIUserClient")
  396. ! (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  397. ! (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  398. ! (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  399. ! (iokit-user-client-class "IOBluetoothDeviceUserClient")
  400. ! (iokit-user-client-class "IOTimeSyncUserClient")
  401. ! (iokit-user-client-class "IOTimeSyncClockManagerUserClient")
  402. ! (iokit-user-client-class "IOTimeSyncgPTPManagerUserClient")
  403. ! (iokit-user-client-class "IOTimeSyncDomainUserClient")
  404. ! (iokit-user-client-class "IOTimeSyncNetworkPortUserClient")
  405. )
  406.  
  407. (allow iokit-set-properties
  408. ***************
  409. *** 84,91 ****
  410. --- 89,98 ----
  411. (global-name "com.apple.pluginkit.pkd")
  412. (global-name "com.apple.spindump")
  413. (global-name "com.apple.PairingManager")
  414. + (global-name "com.apple.analyticsd")
  415.  
  416. (global-name "com.apple.audio.audiohald")
  417. + (global-name "com.apple.audio.AudioComponentRegistrar")
  418.  
  419. (global-name "com.apple.wirelessproxd")
  420. (global-name "com.apple.windowserver.active")
  421. ***************
  422. *** 102,111 ****
  423. (global-name "com.apple.coresymbolicationd")
  424. (global-name "com.apple.awdd")
  425. (global-name "com.apple.SharingServices")
  426. ! (global-name "com.apple.blued")
  427. (global-name "com.apple.bluetoothaudiod")
  428. (global-name "com.apple.BluetoothDOServer")
  429. ! (global-name "com.apple.airportd")
  430. )
  431.  
  432. ;;
  433. --- 109,121 ----
  434. (global-name "com.apple.coresymbolicationd")
  435. (global-name "com.apple.awdd")
  436. (global-name "com.apple.SharingServices")
  437. ! (global-name "com.apple.bluetoothd")
  438. (global-name "com.apple.bluetoothaudiod")
  439. (global-name "com.apple.BluetoothDOServer")
  440. ! (global-name "com.apple.airportd")
  441. !
  442. ! (global-name "com.apple.distributed_notifications@1v3")
  443. ! (global-name "com.apple.distributed_notifications@Uv3")
  444. )
  445.  
  446. ;;
  447. ***************
  448. *** 116,121 ****
  449. --- 126,132 ----
  450. (literal "/Library/Preferences/.GlobalPreferences.plist")
  451. (literal "/Library/Preferences/com.apple.security.plist")
  452. (literal "/Library/Preferences/com.apple.Bluetooth.plist")
  453. + (literal "/Library/Preferences/com.apple.alf.plist")
  454. (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  455. )
  456.  
  457. ***************
  458. *** 124,129 ****
  459. --- 135,141 ----
  460. (preference-domain "com.apple.coremedia")
  461. (preference-domain "com.apple.security")
  462. (preference-domain "com.apple.Bluetooth")
  463. + (preference-domain "com.apple.alf")
  464. )
  465.  
  466. (allow user-preference-write
  467. --
  468. com.apple.AnnotationKit.MigratorService.sb
  469. Files /System/Library/Sandbox/Profiles/com.apple.AnnotationKit.MigratorService.sb and com.apple.AnnotationKit.MigratorService.sb are identical
  470. --
  471. com.apple.AssetCacheLocatorService.sb
  472. *** /System/Library/Sandbox/Profiles/com.apple.AssetCacheLocatorService.sb 2017-03-01 19:04:54.000000000 -0800
  473. --- com.apple.AssetCacheLocatorService.sb 2017-07-10 13:51:50.000000000 -0700
  474. ***************
  475. *** 17,31 ****
  476. (home-literal "/Library/Preferences/com.apple.security.plist")
  477. (home-literal "/Library/Preferences/com.apple.security.revocation.plist")
  478. (subpath "/private/var/db/mds"))
  479. - (allow file-read-metadata
  480. - (literal "/Applications/Server.app/Contents/ServerRoot/usr/libexec/AssetCache/AssetCache"))
  481. (allow file-read* file-write*
  482. (subpath (param "USER_CACHE_PATH"))
  483. (subpath (param "USER_TEMP_PATH")))
  484. (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  485. (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  486. (allow mach-lookup
  487. - (global-name "com.apple.AssetCacheC")
  488. (global-name "com.apple.AssetCacheC.builtin")
  489. (global-name "com.apple.DiskArbitration.diskarbitrationd")
  490. (global-name "com.apple.SecurityServer")
  491. --- 17,28 ----
  492. --
  493. com.apple.AssetCacheManagerService.sb
  494. *** /System/Library/Sandbox/Profiles/com.apple.AssetCacheManagerService.sb 1969-12-31 16:00:00.000000000 -0800
  495. --- com.apple.AssetCacheManagerService.sb 2017-07-10 13:51:50.000000000 -0700
  496. ***************
  497. *** 0 ****
  498. --- 1,18 ----
  499. + (version 1)
  500. + (deny default)
  501. + (import "bsd.sb")
  502. + (import "com.apple.corefoundation.sb")
  503. + (corefoundation)
  504. + (allow file-read* file-write*
  505. + (literal "/Library/Preferences/com.apple.AssetCache.plist")
  506. + (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)")
  507. + (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)")
  508. + (regex #"/Library/Application Support/Apple/AssetCache$")
  509. + (regex #"/Library/Application Support/Apple/AssetCache/Data$")
  510. + (literal "/Library/Application Support/Apple/AssetCache/.activated"))
  511. + (allow file-write-create
  512. + (regex #"/Library$")
  513. + (regex #"/Library/Application Support$")
  514. + (regex #"/Library/Application Support/Apple$"))
  515. + (allow mach-lookup
  516. + (global-name "com.apple.AssetCache.builtin"))
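Review bot: The regex filters in this new profile are anchored only at the end (`#"/Library/Application Support/Apple/AssetCache$"`, `#"/Library$"` and the others), so they match any path with that suffix, not only the one under the root volume. That may be deliberate, to reach cache data on other volumes, but then a comment should say so; otherwise `literal` filters or a leading `^` would pin them down. The `file-write-create` rule also lacks the `(vnode-type DIRECTORY)` restriction that the colorsyncd profile on this page applies when it only needs to create directories.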
  517. --
  518. com.apple.AssetCacheTetheratorService.sb
  519. *** /System/Library/Sandbox/Profiles/com.apple.AssetCacheTetheratorService.sb 2017-03-01 18:45:42.000000000 -0800
  520. --- com.apple.AssetCacheTetheratorService.sb 2017-07-10 13:51:50.000000000 -0700
  521. ***************
  522. *** 9,15 ****
  523. (literal "/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
  524. (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
  525. (literal "/Library/Preferences/com.apple.usbmuxd.plist") ; for reading usbmux prefs
  526. ! (literal "/Library/Preferences/com.apple.MobileDevice.plist")) ; for reading MobileDevice prefs
  527.  
  528. (allow file-write*
  529. (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") ; for writing Internet Sharing prefs
  530. --- 9,17 ----
  531. (literal "/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
  532. (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist") ; for reading NSUserDefaults
  533. (literal "/Library/Preferences/com.apple.usbmuxd.plist") ; for reading usbmux prefs
  534. ! (literal "/Library/Preferences/com.apple.MobileDevice.plist") ; for reading MobileDevice prefs
  535. ! (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
  536. ! (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
  537.  
  538. (allow file-write*
  539. (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") ; for writing Internet Sharing prefs
  540. ***************
  541. *** 21,27 ****
  542.  
  543. (allow mach-lookup
  544. (global-name "com.apple.SystemConfiguration.configd") ; for using Internet Sharing
  545. ! (global-name "com.apple.wifi.sharekit")) ; for using Internet Sharing
  546.  
  547. (allow network-outbound
  548. (literal "/private/var/run/usbmuxd")) ; for using usbmux
  549. --- 23,30 ----
  550.  
  551. (allow mach-lookup
  552. (global-name "com.apple.SystemConfiguration.configd") ; for using Internet Sharing
  553. ! (global-name "com.apple.wifi.sharekit") ; for using Internet Sharing
  554. ! (global-name "com.apple.PowerManagement.control")) ; for power assertions
  555.  
  556. (allow network-outbound
  557. (literal "/private/var/run/usbmuxd")) ; for using usbmux
  558. --
  559. com.apple.AudioComponentRegistrar.sb
  560. *** /System/Library/Sandbox/Profiles/com.apple.AudioComponentRegistrar.sb 1969-12-31 16:00:00.000000000 -0800
  561. --- com.apple.AudioComponentRegistrar.sb 2017-07-10 13:51:51.000000000 -0700
  562. ***************
  563. *** 0 ****
  564. --- 1,68 ----
  565. + ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  566. + ;;;
  567. + ;;; WARNING: The sandbox rules in this file currently constitute
  568. + ;;; Apple System Private Interface and are subject to change at any time and
  569. + ;;; without notice.
  570. + ;;;
  571. + (version 1)
  572. +
  573. + (deny default)
  574. + (deny file-map-executable iokit-get-properties process-info* nvram*)
  575. + (deny dynamic-code-generation)
  576. +
  577. + (import "system.sb")
  578. + (import "com.apple.corefoundation.sb")
  579. + (corefoundation)
  580. +
  581. + ;;; Homedir-relative path filters
  582. + (define (home-regex home-relative-regex)
  583. + (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
  584. +
  585. + (define (home-subpath home-relative-subpath)
  586. + (subpath (string-append (param "HOME") home-relative-subpath)))
  587. +
  588. + (define (home-prefix home-relative-prefix)
  589. + (prefix (string-append (param "HOME") home-relative-prefix)))
  590. +
  591. + (define (home-literal home-relative-literal)
  592. + (literal (string-append (param "HOME") home-relative-literal)))
  593. +
  594. +
  595. + (allow process-info* (target self))
  596. +
  597. + ;; For resolving symlinks, realpath(3), and equivalents.
  598. + (allow file-read-metadata)
  599. +
  600. + ;; For validating the entitlements of clients.
  601. + (allow process-info-codesignature)
  602. +
  603. + ;; preference domains.
  604. + (allow user-preference-read user-preference-write
  605. + (preference-domain "com.apple.coreaudio")
  606. + (preference-domain "com.apple.audio.ComponentRegistrationOverrides")
  607. + (preference-domain "com.apple.audio.UserComponentTags")
  608. + (preference-domain "com.apple.audio.ComponentTagHelper")
  609. + )
  610. +
  611. + ;; Read/write access to a temporary directory.
  612. + (allow file-read* file-write*
  613. + (subpath (param "TMPDIR"))
  614. + (subpath (param "DARWIN_CACHE_DIR")))
  615. +
  616. + ;; Above is from the template.
  617. + ;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")
  618. +
  619. + (allow file-map-executable
  620. + (subpath "/System/Library/PrivateFrameworks")
  621. + )
  622. +
  623. + (allow mach-lookup
  624. + (global-name "com.apple.pluginkit.pkd")
  625. + (global-name "com.apple.FSEvents")
  626. + (global-name "com.apple.DiskArbitration.diskarbitrationd")
  627. + )
  628. +
  629. + (allow file-read*
  630. + (subpath "/Library/Audio/Plug-Ins/Components")
  631. + (home-subpath "/Library/Audio/Plug-Ins/Components")
  632. + )
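Review bot: `home-regex`, `home-prefix` and `home-literal` are defined in this 68-line profile but never called; only `home-subpath` is used, in the final `file-read*` rule. Removing the three unused helpers leaves the profile with just the filters it relies on and makes it easier to audit. The leftover template line `;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")` could likewise be trimmed to the first sentence.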
  633. --
  634. com.apple.CMValidateMovieDataReferenceService.sb
  635. Files /System/Library/Sandbox/Profiles/com.apple.CMValidateMovieDataReferenceService.sb and com.apple.CMValidateMovieDataReferenceService.sb are identical
  636. --
  637. com.apple.CodeSigningHelper.sb
  638. Files /System/Library/Sandbox/Profiles/com.apple.CodeSigningHelper.sb and com.apple.CodeSigningHelper.sb are identical
  639. --
  640. com.apple.CommerceKit.TransactionService.sb
  641. *** /System/Library/Sandbox/Profiles/com.apple.CommerceKit.TransactionService.sb 2016-08-12 15:27:41.000000000 -0700
  642. --- com.apple.CommerceKit.TransactionService.sb 2017-07-10 13:51:50.000000000 -0700
  643. ***************
  644. *** 92,97 ****
  645. --- 92,99 ----
  646. (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  647.  
  648. (allow mach-lookup
  649. + (global-name "com.apple.adid")
  650. + (global-name "com.apple.fpsd")
  651. (global-name "com.apple.UNCUserNotification")
  652. (global-name "com.apple.coreservices.launcherror-handler")
  653. (global-name "com.apple.softwareupdated")
  654. --
  655. com.apple.CryptoTokenKit.ctkahp.sb
  656. *** /System/Library/Sandbox/Profiles/com.apple.CryptoTokenKit.ctkahp.sb 1969-12-31 16:00:00.000000000 -0800
  657. --- com.apple.CryptoTokenKit.ctkahp.sb 2017-07-10 13:51:50.000000000 -0700
  658. ***************
  659. *** 0 ****
  660. --- 1,69 ----
  661. + ;;;
  662. + ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle
  663. + ;;;
  664. + ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  665. + ;;;
  666. + ;;; WARNING: The sandbox rules in this file currently constitute
  667. + ;;; Apple System Private Interface and are subject to change at any time and
  668. + ;;; without notice. The contents of this file are also auto-generated and
  669. + ;;; not user editable; it may be overwritten at any time.
  670. +
  671. + (version 1)
  672. +
  673. + (deny default)
  674. +
  675. + (import "system.sb")
  676. +
  677. + (allow file-read*
  678. + (literal "/private/etc/SmartcardLogin.plist")
  679. + (literal "/private/etc/cacloginconfig.plist")
  680. + (subpath (param "DARWIN_USER_TEMP_DIR"))
  681. + (subpath (param "DARWIN_USER_CACHE_DIR"))
  682. + (subpath "/private/var/db/mds")
  683. + (subpath "/private/var/db/"))
  684. +
  685. + (allow file-read-data
  686. + (literal "/")
  687. + (literal "/Library/Preferences/com.apple.security.plist"))
  688. +
  689. + (allow file-write*
  690. + (subpath (param "DARWIN_USER_CACHE_DIR"))
  691. + (subpath "/private/var/db/mds/system/"))
  692. +
  693. + (allow file-read-metadata)
  694. +
  695. + (allow process-fork)
  696. +
  697. + (allow process-exec
  698. + (literal "/System/Library/Frameworks/CryptoTokenKit.framework/UserSelector")
  699. + (subpath "/Library/CryptoTokenKit"))
  700. +
  701. + (allow mach-lookup
  702. + (global-name "com.apple.distributed_notifications@1v3")
  703. + (global-name "com.apple.distributed_notifications@Uv3")
  704. + (global-name "com.apple.ctkd.token-client")
  705. + (global-name "com.apple.ctkd.watcher-client")
  706. + (global-name "com.apple.SecurityServer")
  707. + (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider")
  708. + (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
  709. + (global-name "com.apple.system.opendirectoryd.api")
  710. + (global-name "com.apple.CoreServices.coreservicesd")
  711. + (global-name "com.apple.CoreAuthentication.agent.libxpc")
  712. + (global-name "com.apple.CoreAuthentication.agent")
  713. + (global-name "com.apple.ocspd"))
  714. +
  715. + (allow user-preference-read
  716. + (preference-domain "kCFPreferencesAnyApplication"))
  717. +
  718. + (allow user-preference-read user-preference-write
  719. + (preference-domain "com.apple.security")
  720. + (preference-domain "com.apple.security.smartcard"))
  721. +
  722. + (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  723. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  724. +
  725. + (allow authorization-right-obtain
  726. + (right-name "com.apple.ctk.pair"))
  727. +
  728. + (allow iokit-open
  729. + (iokit-user-client-class "AppleKeyStoreUserClient"))
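Review bot: In the first `file-read*` rule, `(subpath "/private/var/db/")` grants read access to the whole of `/private/var/db` and makes the `(subpath "/private/var/db/mds")` entry just above it redundant. Nothing in the profile shows which files under that directory the bundle needs beyond `mds`, so the broad entry should either be replaced by the specific paths or carry a comment naming them. The `process-exec` rule on `(subpath "/Library/CryptoTokenKit")` likewise has no comment on what is expected to live there or who may write to it.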
  730. --
  731. com.apple.DumpGPURestart.sb
  732. Files /System/Library/Sandbox/Profiles/com.apple.DumpGPURestart.sb and com.apple.DumpGPURestart.sb are identical
  733. --
  734. com.apple.IOAccelMemoryInfoCollector.sb
  735. Files /System/Library/Sandbox/Profiles/com.apple.IOAccelMemoryInfoCollector.sb and com.apple.IOAccelMemoryInfoCollector.sb are identical
  736. --
  737. com.apple.ModernizerXPC.sb
  738. *** /System/Library/Sandbox/Profiles/com.apple.ModernizerXPC.sb 1969-12-31 16:00:00.000000000 -0800
  739. --- com.apple.ModernizerXPC.sb 2017-07-10 13:51:51.000000000 -0700
  740. ***************
  741. *** 0 ****
  742. --- 1,230 ----
  743. + ;;;;;; Sandbox Profile for ModernizerXPC derived from QTKitServer
  744. + ;;;;;;
  745. + ;;;;;; Copyright (c) 2011-2017 Apple Inc. All Rights reserved.
  746. + ;;;;;;
  747. + ;;;;;; WARNING: The sandbox rules in this file currently constitute
  748. + ;;;;;; Apple System Private Interface and are subject to change at any time and
  749. + ;;;;;; without notice. The contents of this file are also auto-generated and
  750. + ;;;;;; not user editable; it may be overwritten at any time.
  751. +
  752. + (version 1)
  753. + (deny default)
  754. +
  755. + (import "system.sb")
  756. + (import "com.apple.corefoundation.sb")
  757. +
  758. + (define (home-regex home-relative-regex)
  759. + (regex (string-append "^" (regex-quote (param "DARWIN_QTKITSERVER_HOME_DIR")) home-relative-regex)))
  760. + (define regex-home home-regex)
  761. +
  762. + (define (home-subpath home-relative-subpath)
  763. + (subpath (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-subpath)))
  764. +
  765. + (define (home-literal home-relative-literal)
  766. + (literal (string-append (param "DARWIN_QTKITSERVER_HOME_DIR") home-relative-literal)))
  767. +
  768. + (allow file-read-metadata system-audit)
  769. +
  770. + ;;; initialize CF sandbox actions
  771. + (corefoundation)
  772. +
  773. + (define (apply-read-and-issue-extension op path-filter)
  774. + (op file-read* path-filter)
  775. + (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
  776. +
  777. + (define (apply-write-and-issue-extension op path-filter)
  778. + (op file-write* path-filter)
  779. + (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
  780. +
  781. + (define (read-only-and-issue-extensions path-filter)
  782. + (apply-read-and-issue-extension allow path-filter))
  783. +
  784. + (define (read-write-and-issue-extensions path-filter)
  785. + (apply-read-and-issue-extension allow path-filter)
  786. + (apply-write-and-issue-extension allow path-filter))
  787. +
  788. + ;;; allow reading files for which we have a read-only app-sandbox extension
  789. + (allow file-read* (extension "com.apple.app-sandbox.read"))
  790. +
  791. + ;;; allow writing of files for which we have an extension
  792. + (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  793. +
  794. + ;;; allow issuing of extensions for paths we have an extension to
  795. + (allow file-issue-extension
  796. + (require-all
  797. + (extension-class "com.apple.app-sandbox.read")
  798. + (require-any
  799. + (extension "com.apple.app-sandbox.read")
  800. + (extension "com.apple.app-sandbox.read-write"))))
  801. +
  802. + (allow file-issue-extension
  803. + (require-all
  804. + (extension-class "com.apple.app-sandbox.read-write")
  805. + (extension "com.apple.app-sandbox.read-write")))
  806. +
  807. + (allow file-read*
  808. + (subpath "/Library/Audio/Plug-Ins")
  809. + (subpath "/Library/Audio/Sounds/Banks")
  810. + (subpath "/Library/Frameworks")
  811. + (subpath "/Library/Fonts")
  812. + (subpath "/Library/Application Support/ProApps")
  813. + (subpath "/Library/Preferences")
  814. + (subpath "/Library/QuickTime")
  815. + (subpath "/Library/Filesystems/NetFSPlugins"))
  816. +
  817. + (allow file-read-data
  818. + (subpath "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  819. + (subpath "/Users/Shared/SC Info")
  820. + (subpath "/private/var")
  821. + (subpath "/private/etc"))
  822. +
  823. + ;;; allow reading and issuing extensions to iTunes so it can opened
  824. + ;;; <rdar://problem/13568149>
  825. + (read-only-and-issue-extensions
  826. + (subpath "/Applications/iTunes.app"))
  827. +
  828. + (allow file-read-xattr
  829. + (subpath "/Applications/iTunes.app"))
  830. +
  831. + (allow file-read* file-write* (subpath "/Library/Caches"))
  832. +
  833. + (if (param "DARWIN_QTKITSERVER_HOME_DIR")
  834. + (begin
  835. + (allow file-read*
  836. + (home-subpath "/.CFUserTextEncoding")
  837. + (home-subpath "/Library/Audio/Plug-Ins/Components")
  838. + (home-subpath "/Library/Audio/Plug-Ins")
  839. + (home-subpath "/Library/QuickTime")
  840. + (home-subpath "/Library/Input Methods")
  841. + (home-subpath "/Library/Keyboard Layouts")
  842. + (home-subpath "/Library/Components"))
  843. + (allow file-read* file-write*
  844. + (home-subpath "/Library/Caches/QuickTime"))
  845. + (deny file-read* file-write*
  846. + (home-literal "/Library/Caches/com.nvidia.OpenGL") (with no-report))
  847. + ;; we have to allow 3rd party components to read and write their own prefs,-
  848. + ;; but we don't know their names.
  849. + ;; so allow r/w access to all of ~/Library/Prefs but deny access to prefs beginning with com.apple
  850. + (allow file-write* file-read*
  851. + (home-subpath "/Library/Preferences"))
  852. + (deny file-read* file-write* (with no-report)
  853. + (home-regex #"/Library/Preferences/com\.apple\..*")
  854. + (home-regex #"/Library/Preferences/\.GlobalPreferences\.plist")
  855. + (home-regex #"/Library/Preferences/pbs\.plist")
  856. + (home-regex #"/Library/Preferences/loginwindow\.plist")
  857. + (home-regex #"/Library/Preferences/ByHost/com\.apple\..*"))
  858. + (allow file-read*
  859. + (home-literal "/Library/Preferences/QuickTime Preferences"))))
  860. +
  861. + (if (param "DARWIN_QTKITSERVER_CACHE_DIR")
  862. + (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_CACHE_DIR"))))
  863. +
  864. + (if (param "DARWIN_QTKITSERVER_TEMP_DIR")
  865. + (allow file-write* file-read* (subpath (param "DARWIN_QTKITSERVER_TEMP_DIR"))))
  866. +
  867. + (system-graphics)
  868. +
  869. + (allow iokit-open
  870. + (iokit-user-client-class "IOAudioControlUserClient")
  871. + (iokit-user-client-class "IOAudioEngineUserClient")
  872. + (iokit-user-client-class "IOHIDParamUserClient"))
  873. +
  874. + ;; CoreVideo CVCGDisplayLink
  875. + (allow iokit-open
  876. + (iokit-user-client-class "IOFramebufferSharedUserClient"))
  877. +
  878. + ;; H.264 Acceleration; <rdar://problem/10348815>
  879. + (allow iokit-open
  880. + (iokit-user-client-class "AppleSNBFBUserClient"))
  881. +
  882. + ;; QuartzCore; <rdar://problem/9065114>
  883. + (allow iokit-open
  884. + (iokit-user-client-class "AppleGraphicsControlClient")
  885. + (iokit-user-client-class "AGPMClient"))
  886. +
  887. + (allow iokit-open
  888. + (iokit-user-client-class "AppleUpstreamUserClient")
  889. + (iokit-user-client-class "AudioAUUC"))
  890. +
  891. + ;; BlackMagic; <rdar://problem/11899349>
  892. + (allow iokit-open
  893. + (iokit-user-client-class "com_blackmagic_design_iokit_DaisyCutterUserClient"))
  894. +
  895. + (allow ipc-posix-shm
  896. + (ipc-posix-name-regex #"^AudioIO")
  897. + (ipc-posix-name-regex #"^ls\.")
  898. + (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
  899. + (ipc-posix-name "FNetwork.defaultStorageSession")
  900. + (ipc-posix-name "apple.shm.notification_center"))
  901. +
  902. + ;; ColorSync Profiles (<rdar://problem/13775802>)
  903. + (allow ipc-posix-shm*
  904. + (ipc-posix-name "com.apple.ColorSync.Gen.lock")
  905. + (ipc-posix-name "com.apple.ColorSync.Disp.lock")
  906. + (ipc-posix-name "com.apple.ColorSync.Gray2.2")
  907. + (ipc-posix-name "com.apple.ColorSync.sRGB")
  908. + (ipc-posix-name "com.apple.ColorSync.GenGray")
  909. + (ipc-posix-name "com.apple.ColorSync.GenRGB")
  910. + (ipc-posix-name-regex #"^com\.apple\.cs\."))
  911. + (allow file-read*
  912. + (subpath "/Library/ColorSync/Profiles")
  913. + (home-subpath "/Library/ColorSync"))
  914. +
  915. + (allow mach-lookup
  916. + (global-name "com.apple.coreservices.launchservicesd")
  917. + (global-name "com.apple.ls.boxd")
  918. + (global-name "com.apple.lsd.mapdb")
  919. + (global-name "com.apple.lsd.modifydb")
  920. + (global-name "com.apple.metadata.mds")
  921. + (global-name "com.apple.cookied")
  922. + (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  923. + (global-name "com.apple.cfnetwork.cfnetworkagent")
  924. + (global-name "com.apple.SystemConfiguration.configd")
  925. + (global-name "com.apple.CoreServices.coreservicesd")
  926. + (global-name "com.apple.coreservices.appleevents")
  927. + (global-name "com.apple.FontObjectsServer")
  928. + (global-name "com.apple.FontServer")
  929. + (global-name "com.apple.PowerManagement.control")
  930. + (global-name "com.apple.audio.audiohald")
  931. + (global-name "com.apple.audio.coreaudiod")
  932. + (global-name "com.apple.audio.AudioComponentRegistrar")
  933. + (global-name "com.apple.dock.server")
  934. + (global-name "com.apple.pasteboard.1")
  935. + (global-name "com.apple.pbs.fetch_services")
  936. + (global-name "com.apple.printtool.agent")
  937. + (global-name "com.apple.tsm.uiserver")
  938. + (global-name "com.apple.UNCUserNotification")
  939. + (global-name "com.apple.windowserver.active")
  940. + (global-name "com.apple.DiskArbitration.diskarbitrationd")
  941. + (global-name "com.apple.window_proxies"))
  942. +
  943. + ;; Security framework
  944. + (allow mach-lookup
  945. + (global-name "com.apple.SecurityServer")
  946. + (global-name "com.apple.securityd.xpc")
  947. + (global-name "com.apple.ocspd"))
  948. + (if (param "DARWIN_QTKITSERVER_HOME_DIR")
  949. + (begin
  950. + (allow file-read* file-write* (home-subpath "/Library/Keychains"))))
  951. + (allow file-read*
  952. + (subpath "/private/var/db/mds")
  953. + (literal "/private/var/db/DetachedSignatures"))
  954. + (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  955. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  956. +
  957. + (allow appleevent-send
  958. + (appleevent-destination "com.apple.iTunes"))
  959. +
  960. + (allow system-socket
  961. + (socket-domain AF_ROUTE))
  962. +
  963. + (allow system-socket
  964. + (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
  965. +
  966. + (allow system-audit)
  967. + (allow system-fsctl
  968. + (fsctl-command (_IO "h" 24)) ;; HFS_VOLUME_STATUS
  969. + (fsctl-command (_IO "z" 12)) ;; afpfsGetMountInfoFSCTL
  970. + (fsctl-command (_IO "z" 19)) ;; smbfsUniqueShareIDFSCTL
  971. + (fsctl-command (_IO "z" 23))) ;; afpfsByteRangeLock2FSCTL
  972. +
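Review bot: The ColorSync rule calls `(home-subpath "/Library/ColorSync")` outside any `(if (param "DARWIN_QTKITSERVER_HOME_DIR") …)` guard, while every other `home-*` use in this profile sits inside one. If the parameter can be absent, as those guards imply, `string-append` would receive a non-string there and the profile would presumably fail to compile; move that filter into its own guarded rule, e.g. `(if (param "DARWIN_QTKITSERVER_HOME_DIR") (allow file-read* (home-subpath "/Library/ColorSync")))`. Separately, the read-write grant on `(home-subpath "/Library/Keychains")` under the Security framework comment has no rationale or radar reference, unlike the neighbouring exceptions; a one-line comment stating why this service needs write access there would help a later audit.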
  973. --
  974. com.apple.PIPAgent.sb
  975. Files /System/Library/Sandbox/Profiles/com.apple.PIPAgent.sb and com.apple.PIPAgent.sb are identical
  976. --
  977. com.apple.ReportGPURestart.sb
  978. Files /System/Library/Sandbox/Profiles/com.apple.ReportGPURestart.sb and com.apple.ReportGPURestart.sb are identical
  979. --
  980. com.apple.ReportPanicService.sb
  981. *** /System/Library/Sandbox/Profiles/com.apple.ReportPanicService.sb 2017-04-14 19:00:59.000000000 -0700
  982. --- com.apple.ReportPanicService.sb 2017-07-10 13:51:50.000000000 -0700
  983. ***************
  984. *** 9,22 ****
  985. (literal "/Library/Preferences/.GlobalPreferences.plist")
  986. (with no-report))
  987.  
  988. - ;;; <rdar://problem/13449326>
  989. - (let allow-paths ((i 0))
  990. - (let ((path (param (string-append "HOME_" (number->string i)))))
  991. - (if path
  992. - (begin
  993. - (allow file-read* file-write-unlink (subpath path))
  994. - (allow-paths (+ i 1))))))
  995. -
  996. (allow authorization-right-obtain
  997. (right-name "com.apple.ReportPanic.fixRight"))
  998.  
  999. --- 9,14 ----
  1000. --
  1001. com.apple.SpeechRecognitionCore.brokerd.sb
  1002. Files /System/Library/Sandbox/Profiles/com.apple.SpeechRecognitionCore.brokerd.sb and com.apple.SpeechRecognitionCore.brokerd.sb are identical
  1003. --
  1004. com.apple.SpeechRecognitionCore.speechrecognitiond.sb
  1005. *** /System/Library/Sandbox/Profiles/com.apple.SpeechRecognitionCore.speechrecognitiond.sb 2016-10-28 21:26:05.000000000 -0700
  1006. --- com.apple.SpeechRecognitionCore.speechrecognitiond.sb 2017-07-10 13:51:50.000000000 -0700
  1007. ***************
  1008. *** 61,67 ****
  1009. (global-name "com.apple.CoreServices.coreservicesd")
  1010. (global-name "com.apple.coreservices.launchservicesd")
  1011. (global-name "com.apple.distributed_notifications@1v3")
  1012. ! (global-name "com.apple.distributed_notifications@Uv3"))
  1013.  
  1014. (allow iokit-open
  1015. (iokit-user-client-class "IOAudioControlUserClient")
  1016. --- 61,68 ----
  1017. (global-name "com.apple.CoreServices.coreservicesd")
  1018. (global-name "com.apple.coreservices.launchservicesd")
  1019. (global-name "com.apple.distributed_notifications@1v3")
  1020. ! (global-name "com.apple.distributed_notifications@Uv3")
  1021. ! (global-name "com.apple.audio.AudioComponentRegistrar"))
  1022.  
  1023. (allow iokit-open
  1024. (iokit-user-client-class "IOAudioControlUserClient")
  1025. --
  1026. com.apple.XprotectFramework.AnalysisService.sb
  1027. *** /System/Library/Sandbox/Profiles/com.apple.XprotectFramework.AnalysisService.sb 2016-07-30 18:59:46.000000000 -0700
  1028. --- com.apple.XprotectFramework.AnalysisService.sb 2017-07-10 13:51:50.000000000 -0700
  1029. ***************
  1030. *** 42,48 ****
  1031. (global-name "com.apple.SecurityServer")
  1032. (global-name "com.apple.ocspd")
  1033. (global-name "com.apple.nsurlstorage-cache")
  1034. ! (global-name "com.apple.CoreServices.coreservicesd"))
  1035.  
  1036.  
  1037. ;;This can probably leave once rdar://problem/21932990 lands
  1038. --- 42,49 ----
  1039. (global-name "com.apple.SecurityServer")
  1040. (global-name "com.apple.ocspd")
  1041. (global-name "com.apple.nsurlstorage-cache")
  1042. ! (global-name "com.apple.CoreServices.coreservicesd")
  1043. ! (global-name "com.apple.dz.dznd"))
  1044.  
  1045.  
  1046. ;;This can probably leave once rdar://problem/21932990 lands
  1047. --
  1048. com.apple.assistantd.sb
  1049. *** /System/Library/Sandbox/Profiles/com.apple.assistantd.sb 2016-09-06 19:43:03.000000000 -0700
  1050. --- com.apple.assistantd.sb 2017-07-10 13:51:51.000000000 -0700
  1051. ***************
  1052. *** 21,26 ****
  1053. --- 21,30 ----
  1054.  
  1055. (allow file-read*)
  1056.  
  1057. + (allow process-fork)
  1058. +
  1059. + (allow process-exec (literal "/usr/bin/bsdtar"))
  1060. +
  1061. (allow lsopen)
  1062.  
  1063. (allow device-microphone)
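Review bot: The new `(allow process-fork)` and `(allow process-exec (literal "/usr/bin/bsdtar"))` rules carry no comment saying what is unpacked or where, and `process-fork` is granted without any filter. The profile already has an unfiltered `(allow file-read*)` just above, and the child presumably inherits this profile, so the archive source and the extraction target are what a later audit will need to know. I would add a comment above the exec rule such as `;; bsdtar unpacks <asset archive, to be named> into _TEMPDIR/_CACHEDIR only`, with the placeholder filled in by the owner. The profile continues outside this hunk, so a rationale may exist elsewhere.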
  1064. ***************
  1065. *** 29,35 ****
  1066.  
  1067. (deny file-write-setugid)
  1068.  
  1069. ! (allow file* (subpath (param "_CACHEDIR")))
  1070.  
  1071. (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  1072. (allow file-read* (extension "com.apple.app-sandbox.read"))
  1073. --- 33,40 ----
  1074.  
  1075. (deny file-write-setugid)
  1076.  
  1077. ! (allow file-read* file-write* (subpath (param "_TEMPDIR")))
  1078. ! (allow file-read* file-write* (subpath (param "_CACHEDIR")))
  1079.  
  1080. (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  1081. (allow file-read* (extension "com.apple.app-sandbox.read"))
  1082. ***************
  1083. *** 119,124 ****
  1084. --- 124,130 ----
  1085. (global-name "com.apple.AddressBook.SourceSync")
  1086. (global-name "com.apple.AddressBook.AddressBookApplicationFrameworkIPC")
  1087. (global-name "com.apple.AddressBook.ContactsAccountsService")
  1088. + (global-name "com.apple.BluetoothDOServer")
  1089. (global-name "com.apple.ContactsAgent.addressbook")
  1090. (global-name "com.apple.accountsd.accountmanager")
  1091. (global-name "com.apple.accountsd.oauthsigner")
  1092. ***************
  1093. *** 136,141 ****
  1094. --- 142,148 ----
  1095. (global-name "com.apple.DiskArbitration.diskarbitrationd")
  1096. (global-name "com.apple.networkd")
  1097. (global-name "com.apple.cookied")
  1098. + (global-name "com.apple.audio.AudioComponentRegistrar")
  1099. (global-name "com.apple.audio.audiohald")
  1100. (global-name "com.apple.audio.coreaudiod")
  1101. (global-name "com.apple.ocspd")
  1102. ***************
  1103. *** 174,180 ****
  1104. (global-name "com.apple.metadata.mds.legacy")
  1105. (global-name "com.apple.spotlight.IndexAgent")
  1106. (global-name "com.apple.coreservices.appleevents")
  1107. ! (global-name "com.apple.networkserviceproxy"))
  1108.  
  1109. (allow ipc-posix-shm
  1110. (ipc-posix-name-regex #"^AudioIO")
  1111. --- 181,195 ----
  1112. (global-name "com.apple.metadata.mds.legacy")
  1113. (global-name "com.apple.spotlight.IndexAgent")
  1114. (global-name "com.apple.coreservices.appleevents")
  1115. ! (global-name "com.apple.networkserviceproxy")
  1116. ! (global-name "com.apple.cloudd")
  1117. ! (global-name "com.apple.apsd")
  1118. ! (global-name "com.apple.analyticsd")
  1119. ! (global-name "com.apple.symptom_analytics")
  1120. ! (global-name "com.apple.symptom_diagnostics")
  1121. ! (global-name "com.apple.siri.invoke")
  1122. ! (global-name "com.apple.remoted")
  1123. ! (global-name "com.apple.PowerManagement.control"))
  1124.  
  1125. (allow ipc-posix-shm
  1126. (ipc-posix-name-regex #"^AudioIO")
  1127. --
  1128. com.apple.audio.coreaudiod.sb
  1129. *** /System/Library/Sandbox/Profiles/com.apple.audio.coreaudiod.sb 2016-08-08 17:31:56.000000000 -0700
  1130. --- com.apple.audio.coreaudiod.sb 2017-07-10 13:51:51.000000000 -0700
  1131. ***************
  1132. *** 29,42 ****
  1133. (literal "/Library/Audio/Plug-Ins/Components")
  1134. (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
  1135. (literal "/Library/Audio/CoreAudioLib/libAudioDiagnostics.dylib")
  1136.  
  1137. - (literal "/Library/Keychains/System.keychain")
  1138. - (literal "/private/var/db/mds/messages/se_SecurityMessages")
  1139. - (literal "/private/var/db/mds/system/mdsDirectory.db")
  1140. - (literal "/private/var/db/mds/system/mdsObject.db")
  1141. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  1142. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  1143. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  1144. (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
  1145. (regex #"^/private/var/db/mds/[0-9]+(/|$)")
  1146. (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
  1147. --- 29,37 ----
  1148. (literal "/Library/Audio/Plug-Ins/Components")
  1149. (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
  1150. (literal "/Library/Audio/CoreAudioLib/libAudioDiagnostics.dylib")
  1151. + (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  1152. + (literal "/private/var/db/timezone")
  1153.  
  1154. (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
  1155. (regex #"^/private/var/db/mds/[0-9]+(/|$)")
  1156. (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
  1157. ***************
  1158. *** 56,94 ****
  1159. (literal "/private/etc")
  1160. (literal "/private/etc/localtime")
  1161. (literal "/private/var/empty")
  1162. (subpath "/usr/lib")
  1163. (literal "/var")
  1164. ! (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  1165. ! (literal "/private/var/db/disableAppleInternal")
  1166. !
  1167. (literal "/Library")
  1168. ! (literal "/Library/Keychains")
  1169. ! (literal "/private")
  1170. ! (literal "/private/var")
  1171. ! (literal "/private/var/folders")
  1172. ! (regex "^/private/var/folders/[^/]+")
  1173. ! (regex "^/private/var/folders/[^/]+/[^/]+")
  1174. ! (literal "/private/var/run/systemkeychaincheck.done")
  1175. ! (regex "^/private/var/folders/[^/]+/[^/]+/C$")
  1176. ! (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
  1177. )
  1178.  
  1179. (allow file-write*
  1180. (subpath "/Library/Preferences/Audio")
  1181. (literal "/dev/dtracehelper")
  1182. -
  1183. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  1184. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db_$")
  1185. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  1186. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db_$")
  1187. - (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
  1188. - (regex #"^/private/var/db/mds/[0-9]+(/|$)")
  1189. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
  1190. - (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")
  1191. - )
  1192. -
  1193. - (allow file-write-data
  1194. - (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  1195. )
  1196.  
  1197. (allow sysctl-write)
  1198. --- 51,68 ----
  1199. (literal "/private/etc")
  1200. (literal "/private/etc/localtime")
  1201. (literal "/private/var/empty")
  1202. + (literal "/usr")
  1203. (subpath "/usr/lib")
  1204. (literal "/var")
  1205. ! (literal "/private/var/db/disableAppleInternal")
  1206. (literal "/Library")
  1207. ! (literal "/Library/Audio")
  1208. ! (literal "/Library/Audio/Plug-Ins")
  1209. )
  1210.  
  1211. (allow file-write*
  1212. (subpath "/Library/Preferences/Audio")
  1213. (literal "/dev/dtracehelper")
  1214. )
  1215.  
  1216. (allow sysctl-write)
  1217. ***************
  1218. *** 105,112 ****
  1219. (global-name "com.apple.system.notification_center")
  1220. (global-name "com.apple.windowserver.active")
  1221. (global-name "com.apple.SystemConfiguration.configd")
  1222. ! (global-name "com.apple.SecurityServer")
  1223. ! (global-name "com.apple.ocspd")
  1224. )
  1225.  
  1226. (allow mach-register
  1227. --- 79,86 ----
  1228. (global-name "com.apple.system.notification_center")
  1229. (global-name "com.apple.windowserver.active")
  1230. (global-name "com.apple.SystemConfiguration.configd")
  1231. ! (global-name "com.apple.audio.AudioComponentRegistrar")
  1232. ! (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
  1233. )
  1234.  
  1235. (allow mach-register
  1236. --
  1237. com.apple.audio.systemsoundserverd.sb
  1238. *** /System/Library/Sandbox/Profiles/com.apple.audio.systemsoundserverd.sb 2016-08-15 18:57:25.000000000 -0700
  1239. --- com.apple.audio.systemsoundserverd.sb 2017-07-10 13:51:50.000000000 -0700
  1240. ***************
  1241. *** 12,18 ****
  1242. (literal "/private/etc/master.passwd")
  1243. (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
  1244. (subpath "/System")
  1245. ! (subpath "/usr/share"))
  1246.  
  1247. (allow file-read-metadata
  1248. (literal "/etc")
  1249. --- 12,19 ----
  1250. (literal "/private/etc/master.passwd")
  1251. (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
  1252. (subpath "/System")
  1253. ! (subpath "/usr/share")
  1254. ! (subpath "/private/var/db/timezone"))
  1255.  
  1256. (allow file-read-metadata
  1257. (literal "/etc")
  1258. ***************
  1259. *** 37,42 ****
  1260. --- 38,44 ----
  1261.  
  1262. (allow mach-lookup
  1263. (global-name "com.apple.CoreServices.coreservicesd")
  1264. + (global-name "com.apple.audio.AudioComponentRegistrar")
  1265. (global-name "com.apple.audio.audiohald")
  1266. (global-name "com.apple.cfprefsd.agent")
  1267. (global-name "com.apple.cfprefsd.daemon")
  1268. --
  1269. com.apple.authd.sb
  1270. *** /System/Library/Sandbox/Profiles/com.apple.authd.sb 2016-08-29 18:16:41.000000000 -0700
  1271. --- com.apple.authd.sb 2017-07-10 13:51:51.000000000 -0700
  1272. ***************
  1273. *** 15,20 ****
  1274. --- 15,22 ----
  1275. (subpath (param "TMP_DIR")))
  1276.  
  1277. (allow mach-lookup
  1278. + (global-name "com.apple.CoreAuthentication.agent.libxpc")
  1279. + (global-name "com.apple.CoreAuthentication.daemon.libxpc")
  1280. (global-name "com.apple.CoreServices.coreservicesd")
  1281. (global-name "com.apple.PowerManagement.control")
  1282. (global-name "com.apple.security.agent")
  1283. --
  1284. com.apple.avconferenced.sb
  1285. *** /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb 2016-11-04 17:36:02.000000000 -0700
  1286. --- com.apple.avconferenced.sb 2017-07-10 13:51:50.000000000 -0700
  1287. ***************
  1288. *** 36,41 ****
  1289. --- 36,42 ----
  1290. (subpath "/Library/Audio/Plug-Ins/HAL")
  1291. (subpath "/Library/CoreMediaIO/Plug-Ins/DAL")
  1292. (subpath "/Library/Audio/CoreAudioLib")
  1293. + (subpath "/private/tmp/vp/inject")
  1294. (subpath "/usr/libexec"))
  1295.  
  1296. (allow file-read-metadata
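Review bot: The added `(subpath "/private/tmp/vp/inject")` points at a fixed name under the shared `/private/tmp`, so files read from it may have been placed by any local account and should not be treated as trusted input. The operation this filter list belongs to starts before the hunk, so which access is granted is not visible here. If the directory is only meant for the daemon's own user, a per-user location would be safer, for example `(subpath (string-append (param "DARWIN_USER_TEMP_DIR") "/vp/inject"))`; otherwise a comment naming the producer of these files is worth adding.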
  1297. ***************
  1298. *** 47,59 ****
  1299. (subpath (param "DARWIN_USER_TEMP_DIR"))
  1300. (subpath (param "DARWIN_USER_CACHE_DIR"))
  1301. (subpath "/private/var/db/mds")
  1302. ! (subpath "/private/tmp/vp")
  1303. (subpath "/private/tmp/vcp")
  1304. (subpath "/Library/Keychains"))
  1305.  
  1306. (allow file-issue-extension
  1307. (require-all
  1308. ! (extension-class "com.apple.app-sandbox.read-write")
  1309. (home-subpath "/Library/Caches/com.apple.VideoConference/logs")))
  1310.  
  1311. (allow user-preference-read
  1312. --- 48,61 ----
  1313. (subpath (param "DARWIN_USER_TEMP_DIR"))
  1314. (subpath (param "DARWIN_USER_CACHE_DIR"))
  1315. (subpath "/private/var/db/mds")
  1316. ! (subpath "/private/tmp/AudioCapture")
  1317. ! (subpath "/private/tmp/AudioCapture/VP")
  1318. (subpath "/private/tmp/vcp")
  1319. (subpath "/Library/Keychains"))
  1320.  
  1321. (allow file-issue-extension
  1322. (require-all
  1323. ! (extension-class "com.apple.rtcreporting.upload")
  1324. (home-subpath "/Library/Caches/com.apple.VideoConference/logs")))
  1325.  
  1326. (allow user-preference-read
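Review bot: `(subpath "/private/tmp/AudioCapture/VP")` is redundant, since the line above it already allows `(subpath "/private/tmp/AudioCapture")` and a subpath filter covers everything beneath that directory. Either drop the second line or, if only the `VP` directory is needed, keep that one and remove the broader parent. The enclosing `allow` form begins before the hunk, so the operation being granted is not visible here.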
  1327. ***************
  1328. *** 98,104 ****
  1329. (global-name "com.apple.windowserver.active")
  1330. (global-name "com.apple.SecurityServer")
  1331. (global-name "com.apple.securityd.xpc")
  1332. ! (global-name "com.apple.WirelessCoexManager"))
  1333.  
  1334. (allow network-inbound
  1335. (local tcp "*:*")
  1336. --- 100,109 ----
  1337. (global-name "com.apple.windowserver.active")
  1338. (global-name "com.apple.SecurityServer")
  1339. (global-name "com.apple.securityd.xpc")
  1340. ! (global-name "com.apple.WirelessCoexManager")
  1341. ! (global-name "com.apple.audio.AudioComponentRegistrar")
  1342. ! (global-name "com.apple.distributed_notifications@1v3")
  1343. ! (global-name "com.apple.distributed_notifications@Uv3"))
  1344.  
  1345. (allow network-inbound
  1346. (local tcp "*:*")
  1347. --
  1348. com.apple.captiveagent.sb
  1349. Files /System/Library/Sandbox/Profiles/com.apple.captiveagent.sb and com.apple.captiveagent.sb are identical
  1350. --
  1351. com.apple.cf.appsleepd.sb
  1352. Files /System/Library/Sandbox/Profiles/com.apple.cf.appsleepd.sb and com.apple.cf.appsleepd.sb are identical
  1353. --
  1354. com.apple.cmio.AVCAssistant.sb
  1355. *** /System/Library/Sandbox/Profiles/com.apple.cmio.AVCAssistant.sb 1969-12-31 16:00:00.000000000 -0800
  1356. --- com.apple.cmio.AVCAssistant.sb 2017-07-10 13:51:50.000000000 -0700
  1357. ***************
  1358. *** 0 ****
  1359. --- 1,57 ----
  1360. + ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1361. + ;;
  1362. + ;; WARNING: The sandbox rules in this file currently constitute
  1363. + ;; Apple System Private Interface and are subject to change at any time and
  1364. + ;; without notice.
  1365. + ;;
  1366. +
  1367. + (version 1)
  1368. + (deny default)
  1369. +
  1370. + (import "system.sb")
  1371. +
  1372. + (import "com.apple.corefoundation.sb")
  1373. +
  1374. + ;;; initialize CF sandbox actions
  1375. + (corefoundation)
  1376. +
  1377. + ;; For resolving symlinks, realpath(3), and equivalents.
  1378. + (allow file-read-metadata)
  1379. +
  1380. + (allow process-info* (target self))
  1381. +
  1382. + (allow mach-lookup
  1383. + (global-name "com.apple.CoreServices.coreservicesd")
  1384. + (global-name "com.apple.coreservices.launchservicesd")
  1385. + (global-name "com.apple.windowserver.active")
  1386. + (global-name "com.apple.analyticsd")
  1387. + )
  1388. +
  1389. + (allow file-map-executable
  1390. + (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  1391. + (subpath "/System/Library/Extensions")
  1392. + )
  1393. +
  1394. + ;; Preferences
  1395. + (allow file-read*
  1396. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  1397. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  1398. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  1399. + (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1400. + )
  1401. +
  1402. + ;; Preference domain.
  1403. + (allow user-preference-read
  1404. + (preference-domain "com.apple.cmio")
  1405. + (preference-domain "com.apple.coremedia")
  1406. + )
  1407. +
  1408. + ;; Camera
  1409. + (allow device-camera)
  1410. + (allow iokit-open
  1411. + (iokit-user-client-class "IOFireWireAVCUserClient")
  1412. + (iokit-user-client-class "IOFireWireUserClient")
  1413. + )
  1414. +
  1415. + ;;(allow iokit-get-properties)
  1416. +
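Review bot: The profile ends with a commented-out rule, `;;(allow iokit-get-properties)`, with no explanation of why it is disabled; com.apple.cmio.IIDCVideoAssistant.sb ends the same way. Left as is, a maintainer cannot tell whether the permission was withheld deliberately or is a leftover from development. Either delete the line or state the intent, e.g. `;; iokit-get-properties intentionally not granted; enable only if <reason>`.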
  1417. --
  1418. com.apple.cmio.IIDCVideoAssistant.sb
  1419. *** /System/Library/Sandbox/Profiles/com.apple.cmio.IIDCVideoAssistant.sb 1969-12-31 16:00:00.000000000 -0800
  1420. --- com.apple.cmio.IIDCVideoAssistant.sb 2017-07-10 13:51:50.000000000 -0700
  1421. ***************
  1422. *** 0 ****
  1423. --- 1,61 ----
  1424. + ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1425. + ;;
  1426. + ;; WARNING: The sandbox rules in this file currently constitute
  1427. + ;; Apple System Private Interface and are subject to change at any time and
  1428. + ;; without notice.
  1429. + ;;
  1430. +
  1431. + (version 1)
  1432. + (deny default)
  1433. +
  1434. + (import "system.sb")
  1435. +
  1436. + (import "com.apple.corefoundation.sb")
  1437. +
  1438. + ;;; initialize CF sandbox actions
  1439. + (corefoundation)
  1440. +
  1441. + ;; For resolving symlinks, realpath(3), and equivalents.
  1442. + (allow file-read-metadata)
  1443. +
  1444. + (allow process-info* (target self))
  1445. +
  1446. + (allow mach-lookup
  1447. + (global-name "com.apple.CoreServices.coreservicesd")
  1448. + (global-name "com.apple.coreservices.launchservicesd")
  1449. + (global-name "com.apple.windowserver.active")
  1450. + (global-name "com.apple.analyticsd")
  1451. + )
  1452. +
  1453. + (allow file-map-executable
  1454. + (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  1455. + (subpath "/System/Library/Extensions")
  1456. + )
  1457. +
  1458. + ;; Preferences
  1459. + (allow file-read*
  1460. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  1461. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  1462. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  1463. + (regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1464. + )
  1465. +
  1466. + ;; Preference domain.
  1467. + (allow user-preference-read
  1468. + (preference-domain "com.apple.cmio")
  1469. + (preference-domain "com.apple.coremedia")
  1470. + )
  1471. +
  1472. + ;; Camera
  1473. + (allow iokit-open
  1474. + (iokit-user-client-class "IOFireWireUserClient")
  1475. + (iokit-user-client-class "RootDomainUserClient")
  1476. + )
  1477. +
  1478. + (allow iokit-open
  1479. + (iokit-registry-entry-class "RootDomainUserClient")
  1480. + )
  1481. +
  1482. + ;;(allow iokit-get-properties)
  1483. +
  1484. +
  1485. --
  1486. com.apple.cmio.VDCAssistant.sb
  1487. *** /System/Library/Sandbox/Profiles/com.apple.cmio.VDCAssistant.sb 1969-12-31 16:00:00.000000000 -0800
  1488. --- com.apple.cmio.VDCAssistant.sb 2017-07-10 13:51:51.000000000 -0700
  1489. ***************
  1490. *** 0 ****
  1491. --- 1,74 ----
  1492. + ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1493. + ;;
  1494. + ;; WARNING: The sandbox rules in this file currently constitute
  1495. + ;; Apple System Private Interface and are subject to change at any time and
  1496. + ;; without notice.
  1497. + ;;
  1498. +
  1499. + (version 1)
  1500. + (deny default)
  1501. +
  1502. + (import "system.sb")
  1503. + (system-graphics)
  1504. +
  1505. + (import "com.apple.corefoundation.sb")
  1506. +
  1507. + ;;; initialize CF sandbox actions
  1508. + (corefoundation)
  1509. +
  1510. + ;; For resolving symlinks, realpath(3), and equivalents.
  1511. + (allow file-read-metadata)
  1512. +
  1513. + (allow process-info* (target self))
  1514. +
  1515. + ;; For validating the entitlements of clients.
  1516. + (allow process-info-codesignature)
  1517. +
  1518. + (allow mach-lookup
  1519. + (global-name "com.apple.CoreServices.coreservicesd")
  1520. + (global-name "com.apple.coreservices.launchservicesd")
  1521. + (global-name "com.apple.windowserver.active")
  1522. + (global-name "com.apple.analyticsd")
  1523. + (subpath "/Library/Video/Plug-Ins")
  1524. + )
  1525. +
  1526. + (allow file-map-executable
  1527. + (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  1528. + (subpath "/System/Library/Extensions")
  1529. + (subpath "/Library/Video/Plug-Ins")
  1530. + )
  1531. +
  1532. + ;; Preferences
  1533. + (allow file-read*
  1534. + (subpath "/Library/Video/Plug-Ins")
  1535. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/com.apple.cmio.plist")
  1536. + (literal "/private/var/db/cmiodalassistants/Library/Preferences/.GlobalPreferences.plist")
  1537. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  1538. + (regex #"^/private/var/db/cmiodalassistant/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1539. + )
  1540. +
  1541. + ;; Preference domain.
  1542. + (allow user-preference-read
  1543. + (preference-domain "com.apple.cmio")
  1544. + (preference-domain "com.apple.coremedia")
  1545. + )
  1546. +
  1547. + ;; Camera
  1548. + (allow device-camera)
  1549. + (allow iokit-open
  1550. + (iokit-user-client-class "IOUSBDeviceUserClientV2")
  1551. + (iokit-user-client-class "IOUSBInterfaceUserClientV3")
  1552. + (iokit-user-client-class "RootDomainUserClient")
  1553. + )
  1554. +
  1555. + (allow iokit-open
  1556. + (iokit-registry-entry-class "IGAccelDevice")
  1557. + (iokit-registry-entry-class "IGAccelSharedUserClient")
  1558. + (iokit-registry-entry-class "IGAccelVideoContextMain")
  1559. + (iokit-registry-entry-class "IGAccelVideoContextMedia")
  1560. + (iokit-registry-entry-class "IGAccelVideoContextVEBox")
  1561. + (iokit-registry-entry-class "RootDomainUserClient")
  1562. + )
  1563. +
  1564. + (allow iokit-get-properties)
  1565. +
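Review bot: The ByHost regex in the `;; Preferences` block spells the directory `cmiodalassistant`, while the two `literal` rules directly above it use `cmiodalassistants`, so under `(deny default)` the ByHost global preferences file is probably never readable. The line should read `(regex #"^/private/var/db/cmiodalassistants/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")`. The `(subpath "/Library/Video/Plug-Ins")` entry inside `(allow mach-lookup ...)` is a path filter in a rule whose other entries all match by service name, so it looks like a stray paste and should be removed from that rule. Separately, `(allow iokit-get-properties)` is unfiltered in a process that also holds `device-camera`; a short comment stating why unrestricted property reads are needed would help the next reviewer.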
  1566. --
  1567. com.apple.cmio.iOSScreenCaptureAssistant.sb
  1568. *** /System/Library/Sandbox/Profiles/com.apple.cmio.iOSScreenCaptureAssistant.sb 1969-12-31 16:00:00.000000000 -0800
  1569. --- com.apple.cmio.iOSScreenCaptureAssistant.sb 2017-07-10 13:51:51.000000000 -0700
  1570. ***************
  1571. *** 0 ****
  1572. --- 1,161 ----
  1573. + ;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  1574. + ;;
  1575. + ;; WARNING: The sandbox rules in this file currently constitute
  1576. + ;; Apple System Private Interface and are subject to change at any time and
  1577. + ;; without notice.
  1578. + ;;
  1579. +
  1580. + (version 1)
  1581. + (deny default)
  1582. +
  1583. + (import "system.sb")
  1584. + (system-graphics)
  1585. +
  1586. + (import "com.apple.corefoundation.sb")
  1587. +
  1588. + ;;; initialize CF sandbox actions
  1589. + (corefoundation)
  1590. +
  1591. + (system-network)
  1592. + (allow network-outbound
  1593. + (literal "/private/var/run/usbmuxd")
  1594. + (literal "/private/var/run/mDNSResponder")
  1595. + (control-name "com.apple.network.statistics")
  1596. + (control-name "com.apple.netsrc")
  1597. + (remote ip)
  1598. + )
  1599. +
  1600. + (allow network-inbound )
  1601. + (allow network-bind (remote ip))
  1602. +
  1603. + ;; For resolving symlinks, realpath(3), and equivalents.
  1604. + (allow file-read-metadata)
  1605. +
  1606. + (allow nvram-get (nvram-variable "BSD Name"))
  1607. + (allow process-info* (target self))
  1608. +
  1609. + ;; For validating the entitlements of clients.
  1610. + (allow process-info-codesignature)
  1611. +
  1612. + (allow file-read*
  1613. + (subpath "/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/iOSScreenCapture.plugin/Contents/Resources")
  1614. + (subpath "/Library/CoreMediaIO/Plug-Ins/FCP-DAL/iOSScreenCapture.plugin/Contents/Resources")
  1615. + (subpath "/private/var/db/mds")
  1616. + (subpath "/Library/Audio/Plug-Ins/HAL")
  1617. + )
  1618. +
  1619. + (allow file-write*
  1620. + (literal "/private/var/db/mds/system/mds.lock")
  1621. + (subpath "/private/tmp")
  1622. + )
  1623. +
  1624. + ;; From com.apple.AirPlayXPCHelper
  1625. + (allow iokit-open
  1626. + (iokit-user-client-class "IOAudioControlUserClient")
  1627. + (iokit-user-client-class "IOAudioEngineUserClient")
  1628. + (iokit-user-client-class "IOAudio2DeviceUserClient")
  1629. + (iokit-user-client-class "RootDomainUserClient")
  1630. + (iokit-user-client-class "IOReportUserClient")
  1631. + (iokit-user-client-class "IOBluetoothHCIUserClient")
  1632. + (iokit-user-client-class "IOBluetoothRFCOMMConnectionUserClient")
  1633. + (iokit-user-client-class "IOBluetoothRFCOMMChannelUserClient")
  1634. + (iokit-user-client-class "IOBluetoothL2CAPChannelUserClient")
  1635. + (iokit-user-client-class "IOBluetoothDeviceUserClient")
  1636. + )
  1637. +
  1638. + ;; From com.apple.AirPlayXPCHelper
  1639. + (allow mach-lookup
  1640. + (global-name "com.apple.SecurityServer")
  1641. + (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  1642. + (global-name "com.apple.SystemConfiguration.configd")
  1643. + (global-name "com.apple.metadata.mds")
  1644. + (global-name "com.apple.ocspd")
  1645. + (global-name "com.apple.pluginkit.pkd")
  1646. + (global-name "com.apple.spindump")
  1647. + (global-name "com.apple.PairingManager")
  1648. +
  1649. + (global-name "com.apple.audio.audiohald")
  1650. + (global-name "com.apple.audio.AudioComponentRegistrar")
  1651. + (global-name "com.apple.audio.AudioComponentRegistrar.daemon")
  1652. +
  1653. + (global-name "com.apple.wirelessproxd")
  1654. + (global-name "com.apple.windowserver.active")
  1655. +
  1656. + (global-name "com.apple.AirPlayXPCHelper")
  1657. + (global-name "com.apple.coremedia.endpoint.xpc")
  1658. + (global-name "com.apple.coremedia.endpointstream.xpc")
  1659. + (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
  1660. + (global-name "com.apple.coremedia.endpointpicker.xpc")
  1661. + (global-name "com.apple.coremedia.endpointmanager.xpc")
  1662. + (global-name "com.apple.AirPlayAgent.xpc")
  1663. + (global-name "com.apple.AirPlayUIAgent.xpc")
  1664. +
  1665. + (global-name "com.apple.coresymbolicationd")
  1666. + (global-name "com.apple.awdd")
  1667. + (global-name "com.apple.SharingServices")
  1668. + (global-name "com.apple.bluetoothd")
  1669. + (global-name "com.apple.bluetoothaudiod")
  1670. + (global-name "com.apple.BluetoothDOServer")
  1671. + (global-name "com.apple.airportd")
  1672. +
  1673. + (global-name "com.apple.PowerManagement.control")
  1674. + (global-name "com.apple.audio.coreaudiod")
  1675. + (global-name "com.apple.securityd.xpc")
  1676. + (global-name "com.apple.lsd.mapdb")
  1677. + (global-name "com.apple.lsd.modifydb")
  1678. + (global-name "com.apple.coremedia.routediscoverer.xpc")
  1679. + (global-name "com.apple.coremedia.routingcontext.xpc")
  1680. + (global-name "com.apple.analyticsd")
  1681. + )
  1682. +
  1683. + ;; Preferences
  1684. + (allow file-read*
  1685. + (literal "/private/var/root/Library/Preferences/com.apple.cmio.plist")
  1686. + (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
  1687. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  1688. + (literal "/Library/Preferences/com.apple.security.plist")
  1689. + (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  1690. + )
  1691. +
  1692. + ;; Preference domain.
  1693. + (allow user-preference-read
  1694. + (preference-domain "com.apple.airplay")
  1695. + (preference-domain "com.apple.coremedia")
  1696. + (preference-domain "com.apple.security")
  1697. + (preference-domain "com.apple.cmio")
  1698. + )
  1699. +
  1700. + (allow ipc-posix-shm-read-data
  1701. + (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$")
  1702. + (ipc-posix-name-regex #"^AudioIO")
  1703. + (ipc-posix-name "FNetwork.defaultStorageSession")
  1704. + (ipc-posix-name "com.apple.AppleDatabaseChanged")
  1705. + )
  1706. +
  1707. + (allow ipc-posix-shm-write-data
  1708. + (ipc-posix-name-regex #"^AudioIO")
  1709. + (ipc-posix-name "com.apple.AppleDatabaseChanged")
  1710. + )
  1711. +
  1712. + (allow ipc-posix-shm-read-metadata
  1713. + (ipc-posix-name-regex #"^AudioIO")
  1714. + )
  1715. +
  1716. + (allow file-map-executable
  1717. + (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal")
  1718. + (subpath "/System/Library/Extensions")
  1719. + )
  1720. +
  1721. + ;; USB screen capture
  1722. + (allow iokit-open
  1723. + (iokit-user-client-class "IOUSBDeviceUserClientV2")
  1724. + (iokit-user-client-class "IOUSBInterfaceUserClientV3")
  1725. + )
  1726. +
  1727. + (allow iokit-open
  1728. + (iokit-registry-entry-class "RootDomainUserClient")
  1729. + )
  1730. +
  1731. + (allow iokit-get-properties)
  1732. +
  1733. +
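Review bot: `(allow network-inbound )` carries no filter and `(allow network-bind (remote ip))` filters a bind on the remote side, so as written the helper can likely listen and accept on any local address and port. A bind is normally constrained with a `local` filter, e.g. `(allow network-bind (local ip "localhost:*"))` if only loopback listeners are needed. The `(remote ip)` entry under `network-outbound` likewise allows any IP destination, which leaves the usbmuxd and mDNSResponder socket literals as the only part of that rule that documents intent. The `iokit-open` and `mach-lookup` lists are marked `;; From com.apple.AirPlayXPCHelper`; it is worth confirming which of those services (for example `com.apple.spindump` or `com.apple.lsd.modifydb`) this assistant actually calls and trimming the rest.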
  1734. --
  1735. com.apple.colorsync.displayservices.sb
  1736. *** /System/Library/Sandbox/Profiles/com.apple.colorsync.displayservices.sb 1969-12-31 16:00:00.000000000 -0800
  1737. --- com.apple.colorsync.displayservices.sb 2017-07-10 13:51:51.000000000 -0700
  1738. ***************
  1739. *** 0 ****
  1740. --- 1,40 ----
  1741. + (version 1)
  1742. +
  1743. + (import "system.sb")
  1744. +
  1745. + (deny default iokit-get-properties process-info*)
  1746. +
  1747. + (deny process-info*)
  1748. + (allow process-info-pidinfo)
  1749. + (allow process-info-pidfdinfo (target self))
  1750. + (allow process-info-pidfileportinfo (target self))
  1751. + (allow process-info-setcontrol (target self))
  1752. + (allow process-info-dirtycontrol (target self))
  1753. + (allow process-info-rusage (target self))
  1754. +
  1755. + (allow file-read-metadata file-read-data (literal "/"))
  1756. + (allow file-read-metadata)
  1757. +
  1758. + (allow authorization-right-obtain (right-name "system.colorsync.install.profile"))
  1759. + (allow authorization-right-obtain (right-name "com.apple.private.AmbientDisplay.messaging"))
  1760. +
  1761. + (allow-create-directory
  1762. + (literal "/Library/ColorSync")
  1763. + (literal "/Library/ColorSync/Profiles"))
  1764. + (allow file-read*
  1765. + (literal "/Library/ColorSync/Profiles"))
  1766. + (allow file-read* file-write*
  1767. + (prefix "/Library/ColorSync/Profiles/"))
  1768. +
  1769. + ;; deny the removal of these pre-installed profiles.
  1770. + (deny file-write-unlink
  1771. + (literal "/Library/ColorSync/Profiles/Black & White.icc")
  1772. + (literal "/Library/ColorSync/Profiles/Blue Tone.icc")
  1773. + (literal "/Library/ColorSync/Profiles/Lightness Decrease.icc")
  1774. + (literal "/Library/ColorSync/Profiles/Lightness Increase.icc")
  1775. + (literal "/Library/ColorSync/Profiles/Sepia Tone.icc")
  1776. + (literal "/Library/ColorSync/Profiles/WebSafeColors.icc"))
  1777. +
  1778. + (allow mach-lookup
  1779. + (global-name "com.apple.CoreServices.coreservicesd"))
  1780. +
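Review bot: The `deny file-write-unlink` list only blocks deletion of the six pre-installed profiles, while `(allow file-read* file-write* (prefix "/Library/ColorSync/Profiles/"))` just above it still permits writing to them in place, so their contents do not appear to be protected. If integrity of those files is the goal, the deny should cover the write operations as well, e.g. `(deny file-write* (literal "/Library/ColorSync/Profiles/Sepia Tone.icc") ...)` with one literal per name. Two smaller points: `(deny process-info*)` repeats what `(deny default iokit-get-properties process-info*)` already states, and `(allow process-info-pidinfo)` is the only process-info rule without `(target self)`, which deserves a comment if it is intentional.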
  1781. --
  1782. com.apple.colorsync.useragent.sb
  1783. *** /System/Library/Sandbox/Profiles/com.apple.colorsync.useragent.sb 1969-12-31 16:00:00.000000000 -0800
  1784. --- com.apple.colorsync.useragent.sb 2017-07-10 13:51:50.000000000 -0700
  1785. ***************
  1786. *** 0 ****
  1787. --- 1,48 ----
  1788. + ;;
  1789. + ;; ColorSync User Agent - sandbox profile
  1790. + ;; Copyright (c) 2016 Apple Inc. All Rights reserved.
  1791. + ;;
  1792. + ;; WARNING: The sandbox rules in this file currently constitute
  1793. + ;; Apple System Private Interface and are subject to change at any time and
  1794. + ;; without notice. The contents of this file are also auto-generated and not
  1795. + ;; user editable; it may be overwritten at any time.
  1796. + ;;
  1797. +
  1798. + (version 1)
  1799. + (deny default)
  1800. + (import "system.sb")
  1801. +
  1802. + ;;; Home Directory
  1803. + (define (home-subpath home-relative-subpath)
  1804. + (subpath (string-append (param "_HOME") home-relative-subpath)))
  1805. + (define (home-literal home-relative-literal)
  1806. + (literal (string-append (param "_HOME") home-relative-literal)))
  1807. + (define (home-regex home-relative-regex)
  1808. + (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
  1809. +
  1810. + (allow file-read-metadata)
  1811. +
  1812. + (allow file-read* file-write*
  1813. + (subpath (param "DARWIN_USER_DIR"))
  1814. + (subpath (param "DARWIN_USER_TEMP_DIR"))
  1815. + (subpath (param "DARWIN_USER_CACHE_DIR")))
  1816. +
  1817. + (allow file-read*
  1818. + (literal "/Volumes")
  1819. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  1820. + (subpath "/Library/Printers")
  1821. + (subpath "/Library/ImageCapture/Devices")
  1822. + (subpath "/Library/ColorSync/Profiles")
  1823. + (subpath "System/Library/ColorSync/Profiles"))
  1824. +
  1825. + (allow file-read*
  1826. + (home-literal ".CFUserTextEncoding")
  1827. + (home-subpath "/Library/Printers")
  1828. + (home-subpath "/Library/ImageCapture/Devices")
  1829. + (home-subpath "/Library/ColorSync/Profiles"))
  1830. +
  1831. +
  1832. +
  1833. + (allow mach-lookup
  1834. + (global-name "com.apple.CoreServices.coreservicesd"))
  1835. +
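Review bot: Two path arguments are missing their leading slash. `(subpath "System/Library/ColorSync/Profiles")` is a relative string that cannot match an absolute path, and `(home-literal ".CFUserTextEncoding")` concatenates to `<_HOME>.CFUserTextEncoding` because `home-literal` is a plain `string-append`; they should be `(subpath "/System/Library/ColorSync/Profiles")` and `(home-literal "/.CFUserTextEncoding")`. Both mistakes fail closed under `(deny default)`, so the effect is a missing read rather than extra access, unless `system.sb` already grants it. `home-regex` is defined but never used in this profile and could be dropped.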
  1836. --
  1837. com.apple.commerce.sb
  1838. *** /System/Library/Sandbox/Profiles/com.apple.commerce.sb 1969-12-31 16:00:00.000000000 -0800
  1839. --- com.apple.commerce.sb 2017-07-10 13:51:50.000000000 -0700
  1840. ***************
  1841. *** 0 ****
  1842. --- 1,162 ----
  1843. + (version 1)
  1844. + (deny default)
  1845. +
  1846. + (import "system.sb")
  1847. + (import "com.apple.corefoundation.sb")
  1848. + (corefoundation)
  1849. +
  1850. + (allow file-read-metadata)
  1851. +
  1852. + (allow file-issue-extension
  1853. + (subpath "/Library/Documentation/Help/MacHelp.help")
  1854. + (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1855. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1856. + (regex #"/Library/Caches/storeassetd")
  1857. + (regex #"[a-z0-9]+\.app(/|$)"))
  1858. +
  1859. + (allow file-read*
  1860. + (regex #"\.app(/|$)")
  1861. + (regex #"/CommerceKit\.framework")
  1862. + (literal "/private/etc/hosts")
  1863. + (literal "/private/var/db/mds/system/mdsDirectory.db")
  1864. + (literal "/private/var/db/mds/system/mdsObject.db")
  1865. + (literal "/Library/Preferences/com.apple.AECT.plist")
  1866. + (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
  1867. + (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  1868. + (literal "/Library/Preferences/com.apple.loginwindow.plist")
  1869. + (literal "/private/var/db/PreviousSystemVersion.plist")
  1870. + (subpath "/Applications")
  1871. + (subpath "/Library/Documentation/Help/MacHelp.help")
  1872. + (subpath "/Users/Shared")
  1873. + (regex "/Library/Bundles/[^/]+.bundle")
  1874. + (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  1875. + (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
  1876. + (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
  1877. + (regex #"/Library/Preferences/com.apple.security\.plist$")
  1878. + (regex #"/\.CFUserTextEncoding$")
  1879. + (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
  1880. +
  1881. + (allow file-read* file-write*
  1882. + (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  1883. + (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  1884. + (literal "/private/var/db/mds/system/mds.lock")
  1885. + (subpath "/private/var/root/Library/Caches/com.apple.commerce")
  1886. + (subpath "/private/var/tmp")
  1887. + (subpath "/private/var/folders")
  1888. + (subpath "/private/tmp")
  1889. + (subpath "/Users/Shared/adi")
  1890. + (subpath "/Users/Shared/SC Info")
  1891. + (regex #"/Library/Caches/com\.apple\.commerce")
  1892. + (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  1893. + (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
  1894. + (regex #"/Library/Cookies/com\.apple\.(appstore|iBooksX|ibooks|iTunes|configurator(\.ui)?)\.(binary)?cookies")
  1895. + (regex #"/Library/Cookies/Cookies\.binarycookies")
  1896. +
  1897. + (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
  1898. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  1899. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
  1900. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/|$)")
  1901. + (regex #"/\.TemporaryItems(/|$)")
  1902. + (regex #"/Library/Keychains/")
  1903. + (regex #"^/etilqs_"))
  1904. +
  1905. + (allow user-preference-read
  1906. + (preference-domain "kCFPreferencesAnyApplication"))
  1907. +
  1908. + (allow user-preference*
  1909. + (preference-domain "com.apple.bookstoreagent")
  1910. + (preference-domain "com.apple.storeagent")
  1911. + (preference-domain "com.apple.iTunes")
  1912. + (preference-domain "com.apple.appstore")
  1913. + (preference-domain "com.apple.ibooks")
  1914. + (preference-domain "com.apple.commerce")
  1915. + (preference-domain "com.apple.commerce.configurator")
  1916. + (preference-domain "com.apple.appstore.commerce")
  1917. + (preference-domain "com.apple.iBooksX.commerce")
  1918. + (preference-domain "com.apple.configurator.ui.commerce"))
  1919. +
  1920. + (allow ipc-posix-shm-read-data
  1921. + (ipc-posix-name "FNetwork.defaultStorageSession")
  1922. + (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  1923. + (ipc-posix-name "apple.shm.notification_center")
  1924. + (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  1925. +
  1926. + (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  1927. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  1928. +
  1929. + (allow mach-register (global-name "com.apple.commerce"))
  1930. +
  1931. + (allow mach-lookup
  1932. + (global-name "com.apple.apsd")
  1933. + (global-name "com.apple.adid")
  1934. + (global-name "com.apple.fpsd")
  1935. + (global-name "com.apple.askpermissiond")
  1936. + (global-name "com.apple.AssetCacheLocatorService")
  1937. + (global-name "com.apple.accountsd.accountmanager")
  1938. + (global-name "com.apple.backupd.sandbox.xpc")
  1939. + (global-name "com.apple.ctkd.token-client")
  1940. + (global-name "com.apple.CoreAuthentication.agent.libxpc")
  1941. + (global-name "com.apple.CoreAuthentication.agent")
  1942. + (global-name "com.apple.securityd.xpc")
  1943. + (global-name "com.apple.UNCUserNotification")
  1944. + (global-name "com.apple.coreservices.launcherror-handler")
  1945. + (global-name "com.apple.SystemConfiguration.configd")
  1946. + (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  1947. + (global-name "com.apple.networkd")
  1948. + (global-name "com.apple.storehelper")
  1949. + (global-name "com.apple.SecurityServer")
  1950. + (global-name "com.apple.PowerManagement.control")
  1951. + (global-name "com.apple.distributed_notifications@Uv3")
  1952. + (global-name "com.apple.usernoted.daemon_client")
  1953. + (global-name "com.apple.metadata.mds")
  1954. + (global-name "com.apple.CoreServices.coreservicesd")
  1955. + (global-name "com.apple.ls.boxd")
  1956. + (global-name "com.apple.FileCoordination")
  1957. + (global-name "com.apple.ocspd")
  1958. + (global-name "com.apple.installd")
  1959. + (global-name "com.apple.ProgressReporting")
  1960. + (global-name "com.apple.windowserver.active")
  1961. + (global-name "com.apple.lsd.mapdb")
  1962. + (global-name "com.apple.coreservices.launchservicesd")
  1963. + (global-name "com.apple.coreservices.appleevents")
  1964. + (global-name "com.apple.cookied")
  1965. + (global-name "com.apple.FontServer")
  1966. + (global-name "com.apple.fonts")
  1967. + (global-name "com.apple.FontObjectsServer")
  1968. + (global-name "com.apple.DiskArbitration.diskarbitrationd")
  1969. + (global-name "com.apple.cvmsServ")
  1970. + (global-name "com.apple.logind")
  1971. + (global-name "com.apple.coreservices.quarantine-resolver")
  1972. + (global-name "com.apple.familycontrols")
  1973. + (global-name "com.apple.pluginkit.pkd")
  1974. + (global-name "com.apple.nsurlstorage-cache")
  1975. + (global-name "com.apple.system.opendirectoryd.api")
  1976. + (global-name "com.apple.CrashReporterSupportHelper")
  1977. + (global-name "com.apple.cache_delete")
  1978. + (global-name "com.apple.ManagedClient.agent")
  1979. + (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  1980. + (global-name "com.apple.pasteboard.1"))
  1981. +
  1982. + (allow authorization-right-obtain
  1983. + (right-name "system.install.app-store-software")
  1984. + (right-name "system.install.apple-software")
  1985. + (right-name "system.install.app-store-software.standard-user")
  1986. + (right-name "system.install.apple-software.standard-user")
  1987. + (right-name "system.install.apple-config-data")
  1988. + (right-name "system.install.software")
  1989. + (right-name "system.install.software.iap")
  1990. + (right-name "system.install.software.mdm-provided")
  1991. + (right-name "com.apple.SoftwareUpdate.modify-settings"))
  1992. +
  1993. + (allow iokit-open
  1994. + (iokit-user-client-class "IOFramebufferSharedUserClient")
  1995. + (iokit-user-client-class "RootDomainUserClient")
  1996. + (iokit-user-client-class-regex #"AccelDevice$")
  1997. + (iokit-user-client-class-regex #"SharedUserClient$")
  1998. + (iokit-user-client-class-regex #"GLContext$"))
  1999. +
  2000. + (allow network-outbound)
  2001. + (allow system-socket)
  2002. + (allow distributed-notification-post)
  2003. + (allow appleevent-send)
  2004. + (allow lsopen)
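Review bot: Several `regex` filters in the `file-read* file-write*` rule are unanchored, so they match a substring anywhere in the path: `#"/Library/Keychains/"`, `#"/Library/Caches/com\.apple\.commerce"` and `#"/\.TemporaryItems(/|$)"`, and likewise `#"\.app(/|$)"` and `#"[a-z0-9]+\.app(/|$)"` in the read and extension rules. Any directory whose name contains the pattern, wherever it sits in the filesystem, falls inside the rule, which is much wider than the service's own caches and the keychain directories. Anchor each pattern with `^` and a fixed prefix (or use `subpath`), and escape the dots that currently act as wildcards, e.g. `#"/Library/Preferences/com\.apple\.LaunchServices\.plist$"`. `(subpath "/private/var/folders")` in the same rule already covers the three narrower `^/private/var/folders/...` regexes below it, so one of the two is probably unintended. The same rules appear in com.apple.commerced.sb further down the page.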
  2005. --
  2006. com.apple.commerced.sb
  2007. *** /System/Library/Sandbox/Profiles/com.apple.commerced.sb 1969-12-31 16:00:00.000000000 -0800
  2008. --- com.apple.commerced.sb 2017-07-10 13:51:50.000000000 -0700
  2009. ***************
  2010. *** 0 ****
  2011. --- 1,161 ----
  2012. + (version 1)
  2013. + (deny default)
  2014. +
  2015. + (import "system.sb")
  2016. + (import "com.apple.corefoundation.sb")
  2017. + (corefoundation)
  2018. +
  2019. + (allow file-read-metadata)
  2020. +
  2021. + (allow file-issue-extension
  2022. + (subpath "/Library/Documentation/Help/MacHelp.help")
  2023. + (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  2024. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  2025. + (regex #"/Library/Caches/storeassetd")
  2026. + (regex #"[a-z0-9]+\.app(/|$)"))
  2027. +
  2028. + (allow file-read*
  2029. + (regex #"\.app(/|$)")
  2030. + (regex #"/CommerceKit\.framework")
  2031. + (literal "/private/etc/hosts")
  2032. + (literal "/private/var/db/mds/system/mdsDirectory.db")
  2033. + (literal "/private/var/db/mds/system/mdsObject.db")
  2034. + (literal "/Library/Preferences/com.apple.AECT.plist")
  2035. + (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
  2036. + (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  2037. + (literal "/Library/Preferences/com.apple.loginwindow.plist")
  2038. + (literal "/private/var/db/PreviousSystemVersion.plist")
  2039. + (subpath "/Applications")
  2040. + (subpath "/Library/Documentation/Help/MacHelp.help")
  2041. + (subpath "/Users/Shared")
  2042. + (regex "/Library/Bundles/[^/]+.bundle")
  2043. + (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  2044. + (regex #"/Library/Preferences/com.apple.LaunchServices.plist$")
  2045. + (regex #"/Library/Preferences/(ByHost/)?\.GlobalPreferences\.plist$")
  2046. + (regex #"/Library/Preferences/com.apple.security\.plist$")
  2047. + (regex #"/\.CFUserTextEncoding$")
  2048. + (regex "/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages"))
  2049. +
  2050. + (allow file-read* file-write*
  2051. + (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  2052. + (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  2053. + (literal "/private/var/db/mds/system/mds.lock")
  2054. + (subpath "/private/var/root/Library/Caches/com.apple.commerce")
  2055. + (subpath "/private/var/tmp")
  2056. + (subpath "/private/var/folders")
  2057. + (subpath "/private/tmp")
  2058. + (subpath "/Users/Shared/adi")
  2059. + (subpath "/Users/Shared/SC Info")
  2060. + (regex #"/Library/Caches/com\.apple\.commerce")
  2061. + (regex #"/Library/Caches/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)(/CommerceRequestCache/?)?")
  2062. + (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
  2063. + (regex #"/Library/Cookies/com\.apple\.(appstore|iBooksX|ibooks|iTunes|configurator(\.ui)?)\.(binary)?cookies")
  2064. + (regex #"/Library/Cookies/Cookies\.binarycookies")
  2065. +
  2066. + (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
  2067. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.(appstore|iBooksX|iTunes|configurator\.ui)")
  2068. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
  2069. + (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/|$)")
  2070. + (regex #"/\.TemporaryItems(/|$)")
  2071. + (regex #"/Library/Keychains/")
  2072. + (regex #"^/etilqs_"))
  2073. +
  2074. + (allow user-preference-read
  2075. + (preference-domain "kCFPreferencesAnyApplication"))
  2076. +
  2077. + (allow user-preference*
  2078. + (preference-domain "com.apple.bookstoreagent")
  2079. + (preference-domain "com.apple.storeagent")
  2080. + (preference-domain "com.apple.iTunes")
  2081. + (preference-domain "com.apple.appstore")
  2082. + (preference-domain "com.apple.commerce")
  2083. + (preference-domain "com.apple.commerce.configurator")
  2084. + (preference-domain "com.apple.appstore.commerce")
  2085. + (preference-domain "com.apple.iBooksX.commerce")
  2086. + (preference-domain "com.apple.configurator.ui.commerce"))
  2087. +
  2088. + (allow ipc-posix-shm-read-data
  2089. + (ipc-posix-name "FNetwork.defaultStorageSession")
  2090. + (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  2091. + (ipc-posix-name "apple.shm.notification_center")
  2092. + (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  2093. +
  2094. + (allow ipc-posix-shm-read* ipc-posix-shm-write-data
  2095. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  2096. +
  2097. + (allow mach-register (global-name "com.apple.commerced"))
  2098. +
  2099. + (allow mach-lookup
  2100. + (global-name "com.apple.apsd")
  2101. + (global-name "com.apple.adid")
  2102. + (global-name "com.apple.fpsd")
  2103. + (global-name "com.apple.askpermissiond")
  2104. + (global-name "com.apple.AssetCacheLocatorService")
  2105. + (global-name "com.apple.accountsd.accountmanager")
  2106. + (global-name "com.apple.backupd.sandbox.xpc")
  2107. + (global-name "com.apple.ctkd.token-client")
  2108. + (global-name "com.apple.CoreAuthentication.agent.libxpc")
  2109. + (global-name "com.apple.CoreAuthentication.agent")
  2110. + (global-name "com.apple.securityd.xpc")
  2111. + (global-name "com.apple.UNCUserNotification")
  2112. + (global-name "com.apple.coreservices.launcherror-handler")
  2113. + (global-name "com.apple.SystemConfiguration.configd")
  2114. + (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  2115. + (global-name "com.apple.networkd")
  2116. + (global-name "com.apple.storehelper")
  2117. + (global-name "com.apple.SecurityServer")
  2118. + (global-name "com.apple.PowerManagement.control")
  2119. + (global-name "com.apple.distributed_notifications@Uv3")
  2120. + (global-name "com.apple.usernoted.daemon_client")
  2121. + (global-name "com.apple.metadata.mds")
  2122. + (global-name "com.apple.CoreServices.coreservicesd")
  2123. + (global-name "com.apple.ls.boxd")
  2124. + (global-name "com.apple.FileCoordination")
  2125. + (global-name "com.apple.ocspd")
  2126. + (global-name "com.apple.installd")
  2127. + (global-name "com.apple.ProgressReporting")
  2128. + (global-name "com.apple.windowserver.active")
  2129. + (global-name "com.apple.lsd.mapdb")
  2130. + (global-name "com.apple.coreservices.launchservicesd")
  2131. + (global-name "com.apple.coreservices.appleevents")
  2132. + (global-name "com.apple.cookied")
  2133. + (global-name "com.apple.FontServer")
  2134. + (global-name "com.apple.fonts")
  2135. + (global-name "com.apple.FontObjectsServer")
  2136. + (global-name "com.apple.DiskArbitration.diskarbitrationd")
  2137. + (global-name "com.apple.cvmsServ")
  2138. + (global-name "com.apple.logind")
  2139. + (global-name "com.apple.coreservices.quarantine-resolver")
  2140. + (global-name "com.apple.familycontrols")
  2141. + (global-name "com.apple.pluginkit.pkd")
  2142. + (global-name "com.apple.nsurlstorage-cache")
  2143. + (global-name "com.apple.system.opendirectoryd.api")
  2144. + (global-name "com.apple.CrashReporterSupportHelper")
  2145. + (global-name "com.apple.cache_delete")
  2146. + (global-name "com.apple.ManagedClient.agent")
  2147. + (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  2148. + (global-name "com.apple.pasteboard.1"))
  2149. +
  2150. + (allow authorization-right-obtain
  2151. + (right-name "system.install.app-store-software")
  2152. + (right-name "system.install.apple-software")
  2153. + (right-name "system.install.app-store-software.standard-user")
  2154. + (right-name "system.install.apple-software.standard-user")
  2155. + (right-name "system.install.apple-config-data")
  2156. + (right-name "system.install.software")
  2157. + (right-name "system.install.software.iap")
  2158. + (right-name "system.install.software.mdm-provided")
  2159. + (right-name "com.apple.SoftwareUpdate.modify-settings"))
  2160. +
  2161. + (allow iokit-open
  2162. + (iokit-user-client-class "IOFramebufferSharedUserClient")
  2163. + (iokit-user-client-class "RootDomainUserClient")
  2164. + (iokit-user-client-class-regex #"AccelDevice$")
  2165. + (iokit-user-client-class-regex #"SharedUserClient$")
  2166. + (iokit-user-client-class-regex #"GLContext$"))
  2167. +
  2168. + (allow network-outbound)
  2169. + (allow system-socket)
  2170. + (allow distributed-notification-post)
  2171. + (allow appleevent-send)
  2172. + (allow lsopen)
  2173. --
  2174. com.apple.controlstrip.sb
  2175. Files /System/Library/Sandbox/Profiles/com.apple.controlstrip.sb and com.apple.controlstrip.sb are identical
  2176. --
  2177. com.apple.corebrightnessd.sb
  2178. Files /System/Library/Sandbox/Profiles/com.apple.corebrightnessd.sb and com.apple.corebrightnessd.sb are identical
  2179. --
  2180. com.apple.coreduetd.sb
  2181. *** /System/Library/Sandbox/Profiles/com.apple.coreduetd.sb 2017-02-16 21:44:09.000000000 -0800
  2182. --- com.apple.coreduetd.sb 2017-07-10 13:51:51.000000000 -0700
  2183. ***************
  2184. *** 3,10 ****
  2185. --- 3,12 ----
  2186. ;;(allow default (with report))
  2187.  
  2188. (import "system.sb")
  2189. + (import "bsd.sb")
  2190. (import "com.apple.corefoundation.sb")
  2191.  
  2192. + (system-network)
  2193. ;;; initialize CF sandbox actions
  2194. (corefoundation)
  2195.  
  2196. ***************
  2197. *** 38,47 ****
  2198. --- 40,51 ----
  2199. (global-name "com.apple.coreservices.launchservicesd")
  2200. (global-name "com.apple.lsd.mapdb")
  2201. (global-name "com.apple.metadata.mds")
  2202. + (global-name "com.apple.cookied")
  2203. (global-name "com.apple.coreduetd.knowledge")
  2204. (global-name "com.apple.coreduetd.people")
  2205. (global-name "com.apple.coreduetd.knowledgebase")
  2206. (global-name "com.apple.coreduetd.batterysaver")
  2207. + (global-name "com.apple.coreservices.quarantine-resolver")
  2208. (global-name "com.apple.iokit.powerdxpc")
  2209. (global-name "com.apple.coreduetd.context")
  2210. (global-name "com.apple.SystemConfiguration.configd")
  2211. ***************
  2212. *** 51,59 ****
  2213. (global-name "com.apple.mediaremoted.xpc")
  2214. (global-name "com.apple.CoreLocation.agent")
  2215. (global-name "com.apple.locationd.desktop.registration")
  2216. ! (global-name "com.apple.locationd.desktop.synchronous"))
  2217.  
  2218. (allow ipc-posix-shm*
  2219. (ipc-posix-name "coreduetd")
  2220. (ipc-posix-name "/CDCSS")
  2221. (ipc-posix-name "com.apple.coreduetd"))
  2222. --- 55,74 ----
  2223. (global-name "com.apple.mediaremoted.xpc")
  2224. (global-name "com.apple.CoreLocation.agent")
  2225. (global-name "com.apple.locationd.desktop.registration")
  2226. ! (global-name "com.apple.locationd.desktop.synchronous")
  2227. ! (global-name "com.apple.SharingServices"))
  2228.  
  2229. (allow ipc-posix-shm*
  2230. (ipc-posix-name "coreduetd")
  2231. (ipc-posix-name "/CDCSS")
  2232. (ipc-posix-name "com.apple.coreduetd"))
  2233. +
  2234. + (allow network-outbound
  2235. + (literal "/private/var/run/mDNSResponder")) ; to resolve host names
  2236. +
  2237. + (allow ipc-posix-shm-read-data
  2238. + (ipc-posix-name "FNetwork.defaultStorageSession"))
  2239. +
  2240. + (allow network-outbound
  2241. + (remote ip))
  2242. +
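Review bot: The added `(allow network-outbound (remote ip))` at the end of this hunk has no host or port filter and, unlike the mDNSResponder rule a few lines above it, no comment saying what it is for. If coreduetd only needs HTTPS, a narrower form such as `(allow network-outbound (remote tcp "*:443"))` would stop the daemon from opening arbitrary outbound connections; otherwise add a trailing comment so the breadth is a recorded decision. The same unscoped rule appears in com.apple.knowledge-agent.sb later in this paste, where it at least carries `; to download policy updates`.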
  2243. --
  2244. com.apple.corefoundation.sb
  2245. Files /System/Library/Sandbox/Profiles/com.apple.corefoundation.sb and com.apple.corefoundation.sb are identical
  2246. --
  2247. com.apple.coreservices.appleevents.appleeventsd.sb
  2248. Files /System/Library/Sandbox/Profiles/com.apple.coreservices.appleevents.appleeventsd.sb and com.apple.coreservices.appleevents.appleeventsd.sb are identical
  2249. --
  2250. com.apple.coreservices.launchservices.launchservicesd.sb
  2251. Files /System/Library/Sandbox/Profiles/com.apple.coreservices.launchservices.launchservicesd.sb and com.apple.coreservices.launchservices.launchservicesd.sb are identical
  2252. --
  2253. com.apple.coreservicesd.sb
  2254. *** /System/Library/Sandbox/Profiles/com.apple.coreservicesd.sb 1969-12-31 16:00:00.000000000 -0800
  2255. --- com.apple.coreservicesd.sb 2017-07-10 13:51:50.000000000 -0700
  2256. ***************
  2257. *** 0 ****
  2258. --- 1,63 ----
  2259. + ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  2260. + ;;;
  2261. + ;;; WARNING: The sandbox rules in this file currently constitute
  2262. + ;;; Apple System Private Interface and are subject to change at any time and
  2263. + ;;; without notice.
  2264. + ;;;
  2265. + (version 1)
  2266. +
  2267. + (deny default)
  2268. +
  2269. + (import "system.sb")
  2270. + (import "com.apple.corefoundation.sb")
  2271. + (corefoundation)
  2272. +
  2273. + (deny file-map-executable iokit-get-properties process-info* nvram*)
  2274. + (deny dynamic-code-generation)
  2275. +
  2276. + (allow process-info* (target self))
  2277. +
  2278. + (allow process-info-codesignature)
  2279. +
  2280. + (allow user-preference-read user-preference-write
  2281. + (preference-domain "com.apple.coreservicesd"))
  2282. +
  2283. + (allow file-read*)
  2284. + (allow file-read-metadata)
  2285. +
  2286. + (allow file-write*
  2287. + (subpath (param "DARWIN_USER_TEMP_DIR"))
  2288. + (subpath (param "DARWIN_USER_CACHE_DIR")))
  2289. +
  2290. + (allow file-ioctl
  2291. + (path "/dev/fsevents"))
  2292. +
  2293. + (allow ipc-posix-shm-write-create
  2294. + (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  2295. + (allow ipc-posix-shm-write-data
  2296. + (ipc-posix-name-regex #"^/tmp/com.apple.csseed.[0-9]+$"))
  2297. +
  2298. + (allow mach-lookup
  2299. + (global-name "com.apple.DiskArbitration.diskarbitrationd"))
  2300. +
  2301. + (allow file-write*
  2302. + (path "/System/Library/Caches/com.apple.Components2.SystemCache.Components"))
  2303. + (allow file-write*
  2304. + (path "/System/Library/Caches/com.apple.Components2.SystemCache.QuickTimeComponents"))
  2305. + (allow file-write*
  2306. + (path "/System/Library/Caches/com.apple.Components2.SystemCache.AudioComponents"))
  2307. +
  2308. + (allow file-map-executable (path "/System/Library/PrivateFrameworks/CoreServicesInternal.framework/Versions/A/CoreServicesInternal"))
  2309. +
  2310. + (allow distributed-notification-post)
  2311. +
  2312. + (allow iokit-get-properties (iokit-property "Protocol Characteristics"))
  2313. + (allow iokit-get-properties (iokit-property "IOMediaIcon"))
  2314. + (allow iokit-get-properties (iokit-property "Ejectable"))
  2315. + (allow iokit-get-properties (iokit-property "Removable"))
  2316. + (allow iokit-get-properties (iokit-property "CoreStorage Encrypted"))
  2317. + (allow iokit-get-properties (iokit-property "IOClassNameOverride"))
  2318. + (allow iokit-get-properties (iokit-property "od-server-name"))
  2319. + (allow iokit-get-properties (iokit-property "image-path"))
  2320. + (allow iokit-get-properties (iokit-property "filevault-image"))
  2321. + (allow iokit-get-properties (iokit-property "Product Identification"))
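Review bot: `(allow file-read*)` is granted with no path filter and no rationale, and it makes the `(allow file-read-metadata)` on the next line redundant, since `file-read*` already covers metadata reads. In a `(deny default)` profile a global read grant deserves a `;;` comment above it stating why it cannot be narrowed to specific subpaths. The two `ipc-posix-name-regex` patterns also leave the dots in `com.apple.csseed.` unescaped; `#"^/tmp/com\.apple\.csseed\.[0-9]+$"` matches only the intended names.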
  2322. --
  2323. com.apple.ctkbind.sb
  2324. *** /System/Library/Sandbox/Profiles/com.apple.ctkbind.sb 1969-12-31 16:00:00.000000000 -0800
  2325. --- com.apple.ctkbind.sb 2017-07-10 13:51:51.000000000 -0700
  2326. ***************
  2327. *** 0 ****
  2328. --- 1,100 ----
  2329. + ;;;
  2330. + ;;; Sandbox profile for /System/Library/Frameworks/CryptoTokenKit.framework/ctkbind.bundle/Contents/MacOS/ctkbind
  2331. + ;;;
  2332. + ;;; Copyright (c) 2016 Apple Inc. All Rights reserved.
  2333. + ;;;
  2334. + ;;; WARNING: The sandbox rules in this file currently constitute
  2335. + ;;; Apple System Private Interface and are subject to change at any time and
  2336. + ;;; without notice. The contents of this file are also auto-generated and
  2337. + ;;; not user editable; it may be overwritten at any time.
  2338. +
  2339. + (version 1)
  2340. +
  2341. + (deny default)
  2342. +
  2343. + (import "system.sb")
  2344. +
  2345. + (define (home-subpath home-relative-subpath)
  2346. + (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
  2347. +
  2348. + (define (home-literal home-relative-literal)
  2349. + (literal (string-append (param "HOME_DIR") home-relative-literal)))
  2350. +
  2351. + (allow file-read-data)
  2352. +
  2353. + (allow file-read-metadata)
  2354. +
  2355. + (allow file-read*
  2356. + (subpath (param "DARWIN_USER_TEMP_DIR"))
  2357. + (subpath (param "DARWIN_USER_CACHE_DIR"))
  2358. + (subpath "/Library/Caches/com.apple.iconservices.store")
  2359. + (subpath "/Library/Keyboard Layouts")
  2360. + (subpath "/private/var/db")
  2361. + (home-subpath "/Library/Keyboard Layouts")
  2362. + (literal "/Library/Preferences/com.apple.security.plist")
  2363. + (home-literal "/Library/Keychains/login.keychain-db")
  2364. + (home-literal "/.CFUserTextEncoding"))
  2365. +
  2366. + (allow file-write*
  2367. + (subpath (param "DARWIN_USER_CACHE_DIR"))
  2368. + (subpath "/private/var/db/mds/system"))
  2369. +
  2370. + (allow mach-lookup
  2371. + (global-name "com.apple.audio.SystemSoundServer-OSX")
  2372. + (global-name "com.apple.coreservices.appleevents")
  2373. + (global-name "com.apple.coreservices.launchservicesd")
  2374. + (global-name "com.apple.CoreServices.coreservicesd")
  2375. + (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.agent.libxpc")
  2376. + (global-name "com.apple.CryptoTokenKit.AuthenticationHintsProvider.daemon.libxpc")
  2377. + (global-name "com.apple.ctkd.token-client")
  2378. + (global-name "com.apple.ctkd.watcher-client")
  2379. + (global-name "com.apple.cvmsServ")
  2380. + (global-name "com.apple.decalog4.incoming")
  2381. + (global-name "com.apple.distributed_notifications@Uv3")
  2382. + (global-name "com.apple.dock.fullscreen")
  2383. + (global-name "com.apple.dock.server")
  2384. + (global-name "com.apple.fonts")
  2385. + (global-name "com.apple.FSEvents")
  2386. + (global-name "com.apple.iconservices")
  2387. + (global-name "com.apple.iconservices.store")
  2388. + (global-name "com.apple.inputmethodkit.getxpcendpoint")
  2389. + (global-name "com.apple.inputmethodkit.launchagent")
  2390. + (global-name "com.apple.inputmethodkit.launcher")
  2391. + (global-name "com.apple.lsd.mapdb")
  2392. + (global-name "com.apple.pasteboard.1")
  2393. + (global-name "com.apple.quicklook.ui.helper.active")
  2394. + (global-name "com.apple.SecurityServer")
  2395. + (global-name "com.apple.system.opendirectoryd.api")
  2396. + (global-name "com.apple.SystemConfiguration.configd")
  2397. + (global-name "com.apple.touchbar.agent")
  2398. + (global-name "com.apple.tsm.uiserver")
  2399. + (global-name "com.apple.window_proxies")
  2400. + (global-name "com.apple.tccd.system")
  2401. + (global-name "com.apple.ocspd")
  2402. + (global-name "com.apple.windowserver.active"))
  2403. +
  2404. + (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
  2405. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  2406. +
  2407. + (allow authorization-right-obtain
  2408. + (right-name "com.apple.ctk.pair")
  2409. + (right-name "com.apple.ctkbind.admin"))
  2410. +
  2411. + (allow user-preference-read
  2412. + (preference-domain "com.apple.AppleMultitouchTrackpad")
  2413. + (preference-domain "com.apple.ctkbind")
  2414. + (preference-domain "com.apple.HIToolbox")
  2415. + (preference-domain "com.apple.universalaccess")
  2416. + (preference-domain "kCFPreferencesAnyApplication"))
  2417. +
  2418. + (allow user-preference-read user-preference-write
  2419. + (preference-domain "com.apple.ctkbind")
  2420. + (preference-domain "com.apple.security.smartcard")
  2421. + (preference-domain "com.apple.security.tokenlogin"))
  2422. +
  2423. + (allow iokit-open
  2424. + (iokit-registry-entry-class "IGAccelCommandQueue")
  2425. + (iokit-registry-entry-class "IGAccelDevice")
  2426. + (iokit-user-client-class "AppleKeyStoreUserClient")
  2427. + (iokit-user-client-class "IGAccelSharedUserClient")
  2428. + (iokit-user-client-class "IOSurfaceRootUserClient"))
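Review bot: The unfiltered `(allow file-read-data)` near the top grants data reads on every path, so the `file-read*` list below it (which names `login.keychain-db` and `/private/var/db`) no longer bounds what ctkbind can read; it only adds the remaining `file-read*` sub-operations for those paths. Someone auditing the list would reasonably conclude that reads are confined to it. Since the header says the file is auto-generated, the fix belongs in the generator: drop the global rule if the list is complete, or emit a comment above it explaining why it is required. `com.apple.ctkbind` is also listed under both the read-only and the read/write preference rules, and the read-only entry is redundant.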
  2429. --
  2430. com.apple.ctkd.sb
  2431. Files /System/Library/Sandbox/Profiles/com.apple.ctkd.sb and com.apple.ctkd.sb are identical
  2432. --
  2433. com.apple.datadetectors.sourceaccess.sb
  2434. Files /System/Library/Sandbox/Profiles/com.apple.datadetectors.sourceaccess.sb and com.apple.datadetectors.sourceaccess.sb are identical
  2435. --
  2436. com.apple.deleted.sb
  2437. *** /System/Library/Sandbox/Profiles/com.apple.deleted.sb 2017-02-02 19:49:20.000000000 -0800
  2438. --- com.apple.deleted.sb 2017-07-10 13:51:51.000000000 -0700
  2439. ***************
  2440. *** 35,55 ****
  2441. (home-subpath "/Library/Caches/com.apple.CacheDelete"))))
  2442.  
  2443. (allow file-write*
  2444. ! (regex "/private/var/folders/.*/mds/mds.lock"))
  2445.  
  2446.  
  2447. (allow file-read*
  2448. (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  2449. (literal "/Library/Preferences/.GlobalPreferences.plist")
  2450. ! (regex "/Users/.*/Library/Preferences/.GlobalPreferences.plist")
  2451. ! (regex "/Users/.*/Library/Preferences/ByHost/.GlobalPreferences\..*\.plist")
  2452. ! (regex "/AppleInternal/Library/CacheDelete")
  2453. ! (regex "/AppleInternal/Library/CacheDelete/.*")
  2454. ! (regex "/Applications/.*")
  2455. ! (regex "/private/var/folders/.*/mds/mds.lock")
  2456. ! (regex "/private/var/folders/.*/com.apple.LaunchServices-.*\.csstore")
  2457. ! (regex "*\.appex")
  2458. ! (subpath "/System/Library/CacheDelete"))
  2459.  
  2460. ;;; Various patterns used by cache-delete services.
  2461. (allow mach-lookup
  2462. --- 35,54 ----
  2463. (home-subpath "/Library/Caches/com.apple.CacheDelete"))))
  2464.  
  2465. (allow file-write*
  2466. ! (regex #"/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$"))
  2467.  
  2468.  
  2469. (allow file-read*
  2470. (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  2471. (literal "/Library/Preferences/.GlobalPreferences.plist")
  2472. ! (regex "^/Users/[^/]+/Library/Preferences/\.GlobalPreferences\.plist$")
  2473. ! (regex "^/Users/[^/]+/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  2474. ! (regex "^/Applications/.*$")
  2475. ! (regex "^/private/var/folders/.*/mds/mds\.lock$")
  2476. ! (regex "^/private/var/folders/.*/com.apple.LaunchServices-.*\.csstore$")
  2477. ! (regex "^.*/[^/]*\.appex$")
  2478. ! (subpath "/System/Library/CacheDelete")
  2479. ! (subpath "/AppleInternal/Library/CacheDelete"))
  2480.  
  2481. ;;; Various patterns used by cache-delete services.
  2482. (allow mach-lookup
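Review bot: The rewritten `file-write*` pattern is anchored at the end but not at the start, so it matches any path that merely ends in the `…/C/…/mds/mds.lock` suffix; every read pattern in this hunk gained a leading `^`, and this one should too: `(regex #"^/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$")`. The read patterns are still plain `"…"` strings rather than `#"…"` literals, so whether `\.` reaches the regex engine as an escaped dot depends on string escape handling; using `#"…"` throughout, as the write rule does, removes the doubt. The read rule for `mds.lock` also keeps `.*` where the write rule now uses `[^/]+` components, and `^.*/[^/]*\.appex$` accepts a `.appex` name anywhere on disk.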
  2483. ***************
  2484. *** 61,69 ****
  2485. --- 60,72 ----
  2486. (global-name "com.apple.lsd.modifydb")
  2487. (global-name "com.apple.lsd.mapdb")
  2488. (global-name "com.apple.diskspaced")
  2489. + (global-name "com.apple.DiskArbitration.diskarbitrationd")
  2490. + (global-name "com.apple.diskmanagementd")
  2491. (global-name "com.apple.windowserver.active")
  2492. (global-name "com.apple.cookied"))
  2493.  
  2494. + (allow iokit-open (iokit-user-client-class "AppleAPFSUserClient"))
  2495. +
  2496. (allow file-read-metadata)
  2497.  
  2498. (allow user-preference*
  2499. --
  2500. com.apple.diagnosticd.sb
  2501. Files /System/Library/Sandbox/Profiles/com.apple.diagnosticd.sb and com.apple.diagnosticd.sb are identical
  2502. --
  2503. com.apple.distnoted.sb
  2504. *** /System/Library/Sandbox/Profiles/com.apple.distnoted.sb 1969-12-31 16:00:00.000000000 -0800
  2505. --- com.apple.distnoted.sb 2017-07-10 13:51:51.000000000 -0700
  2506. ***************
  2507. *** 0 ****
  2508. --- 1,11 ----
  2509. + (version 1)
  2510. + (deny default)
  2511. +
  2512. + (import "system.sb")
  2513. + (allow mach-lookup
  2514. + (global-name "com.apple.distributed_notifications@1v3")
  2515. + (global-name "com.apple.distributed_notifications@Uv3")
  2516. + (global-name "com.apple.distributed_notifications@0v3")
  2517. + (local-name "com.apple.distributed_notifications@1v3")
  2518. + (local-name "com.apple.distributed_notifications@Uv3")
  2519. + (local-name "com.apple.distributed_notifications@0v3"))
  2520. --
  2521. com.apple.dprivacyd.sb
  2522. *** /System/Library/Sandbox/Profiles/com.apple.dprivacyd.sb 2016-08-03 14:00:02.000000000 -0700
  2523. --- com.apple.dprivacyd.sb 2017-07-10 13:51:50.000000000 -0700
  2524. ***************
  2525. *** 25,31 ****
  2526. (subpath "/private/var/root")
  2527. (subpath "/Library/Preferences")
  2528. (subpath "/Library")
  2529. ! (subpath "/Library/Application\ Support"))
  2530.  
  2531. (allow file-write*
  2532. (subpath "/Library/Logs/DiagnosticReports"))
  2533. --- 25,32 ----
  2534. (subpath "/private/var/root")
  2535. (subpath "/Library/Preferences")
  2536. (subpath "/Library")
  2537. ! (subpath "/Library/Application\ Support")
  2538. ! (subpath "/usr"))
  2539.  
  2540. (allow file-write*
  2541. (subpath "/Library/Logs/DiagnosticReports"))
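Review bot: The new `(subpath "/usr")` entry opens the whole `/usr` tree with no comment saying which file dprivacyd needs there; if it is a single binary or directory, list that path instead, or add a `;;` comment recording the reason. The list already contains `(subpath "/Library")`, which subsumes the `/Library/Preferences` and `/Library/Application\ Support` entries next to it, so the list reads narrower than it is. The enclosing `allow` form starts above this hunk, so the operation being granted is not visible here.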
  2542. --
  2543. com.apple.dyld.closured.sb
  2544. *** /System/Library/Sandbox/Profiles/com.apple.dyld.closured.sb 1969-12-31 16:00:00.000000000 -0800
  2545. --- com.apple.dyld.closured.sb 2017-07-10 13:51:51.000000000 -0700
  2546. ***************
  2547. *** 0 ****
  2548. --- 1,22 ----
  2549. + ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  2550. + ;;;
  2551. + ;;; WARNING: The sandbox rules in this file currently constitute
  2552. + ;;; Apple System Private Interface and are subject to change at any time and
  2553. + ;;; without notice.
  2554. + ;;;
  2555. + (version 1)
  2556. +
  2557. + (deny default)
  2558. + (deny file-map-executable iokit-get-properties process-info* nvram*)
  2559. + (deny dynamic-code-generation)
  2560. +
  2561. + (import "system.sb")
  2562. +
  2563. + ;; For reading dylibs
  2564. + (allow file-read*)
  2565. +
  2566. + ;; For resolving symlinks, realpath(3), and equivalents.
  2567. + (allow file-read-metadata)
  2568. +
  2569. + ;; for logging name of client
  2570. + (allow process-info-pidinfo)
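Review bot: The two `deny` lines come before `(import "system.sb")` here, whereas com.apple.coreservicesd.sb in the same paste places the identical lines after its imports. If later rules take precedence over earlier ones, as the deny-then-allow pairs in these profiles suggest, any allow for `file-map-executable`, `iokit-get-properties`, `process-info*` or `nvram*` inside system.sb would survive the deny; moving the import above the deny lines makes the hardening independent of what system.sb contains. `(allow file-read-metadata)` is also redundant after the unfiltered `(allow file-read*)`, though its symlink/realpath comment is worth keeping.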
  2571. --
  2572. com.apple.efilogin-helper.sb
  2573. Files /System/Library/Sandbox/Profiles/com.apple.efilogin-helper.sb and com.apple.efilogin-helper.sb are identical
  2574. --
  2575. com.apple.eosauthagent.sb
  2576. *** /System/Library/Sandbox/Profiles/com.apple.eosauthagent.sb 2016-12-01 22:50:32.000000000 -0800
  2577. --- com.apple.eosauthagent.sb 2017-07-10 13:51:50.000000000 -0700
  2578. ***************
  2579. *** 8,18 ****
  2580. (allow file-read-metadata)
  2581.  
  2582. (allow file-read*
  2583. ! (subpath "/System/Library/PrivateFrameworks/SSOClient.framework")
  2584. ! (subpath "/System/Library/Frameworks/SSOClient.framework")
  2585. (subpath "/AppleInternal/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
  2586. (subpath "/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
  2587. (subpath "/Library/Frameworks/AppleConnect.framework")
  2588. (subpath "/private/var/root/Library/Preferences/")
  2589. (subpath "/Library/KerberosPlugins/")
  2590. (subpath "/private/var/db/")
  2591. --- 8,19 ----
  2592. (allow file-read-metadata)
  2593.  
  2594. (allow file-read*
  2595. ! (subpath "/System/Library/PrivateFrameworks")
  2596. ! (subpath "/System/Library/Frameworks")
  2597. (subpath "/AppleInternal/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
  2598. (subpath "/Applications/AppleConnect.app/Contents/Frameworks/SSOClient.framework")
  2599. (subpath "/Library/Frameworks/AppleConnect.framework")
  2600. + (subpath "/Library/Frameworks/SplunkKit.framework")
  2601. (subpath "/private/var/root/Library/Preferences/")
  2602. (subpath "/Library/KerberosPlugins/")
  2603. (subpath "/private/var/db/")
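Review bot: Read access widens from the two `SSOClient.framework` directories to all of `/System/Library/PrivateFrameworks` and `/System/Library/Frameworks`, and nothing in the profile records why. A one-line `;;` comment above the two changed entries, naming the dependency that makes the narrower paths insufficient, would tell the next auditor the breadth is intended. The added `/Library/Frameworks/SplunkKit.framework` entry sits outside `/System`, so it is worth confirming that location is not writable by less-privileged users on the machines where this agent runs. The `allow file-read*` form continues past the end of the hunk.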
  2604. --
  2605. com.apple.icloud.findmydeviced.findmydevice-user-agent.sb
  2606. Files /System/Library/Sandbox/Profiles/com.apple.icloud.findmydeviced.findmydevice-user-agent.sb and com.apple.icloud.findmydeviced.findmydevice-user-agent.sb are identical
  2607. --
  2608. com.apple.iconservicesagent.sb
  2609. Files /System/Library/Sandbox/Profiles/com.apple.iconservicesagent.sb and com.apple.iconservicesagent.sb are identical
  2610. --
  2611. com.apple.iconservicesd.sb
  2612. Files /System/Library/Sandbox/Profiles/com.apple.iconservicesd.sb and com.apple.iconservicesd.sb are identical
  2613. --
  2614. com.apple.knowledge-agent.sb
  2615. *** /System/Library/Sandbox/Profiles/com.apple.knowledge-agent.sb 1969-12-31 16:00:00.000000000 -0800
  2616. --- com.apple.knowledge-agent.sb 2017-07-10 13:51:51.000000000 -0700
  2617. ***************
  2618. *** 0 ****
  2619. --- 1,61 ----
  2620. + (version 1)
  2621. + (deny default)
  2622. +
  2623. + (import "system.sb")
  2624. + (import "com.apple.corefoundation.sb")
  2625. + (import "bsd.sb")
  2626. +
  2627. + (system-network)
  2628. + (corefoundation)
  2629. +
  2630. + (allow mach-lookup
  2631. + (global-name "com.apple.bird.token")
  2632. + (global-name "com.apple.cloudd")
  2633. + (global-name "com.apple.cookied")
  2634. + (global-name "com.apple.CoreServices.coreservicesd")
  2635. + (global-name "com.apple.coreservices.quarantine-resolver")
  2636. + (global-name "com.apple.coreduetd.knowledge.user")
  2637. + (global-name "com.apple.lsd.mapdb"))
  2638. +
  2639. + (allow file*
  2640. + (subpath (param "_USER_TEMP_DIR"))
  2641. + (subpath (string-append (param "_HOME") "/Library/Caches/knowledge-agent"))
  2642. + (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
  2643. + (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
  2644. + (subpath (string-append (param "_HOME") "/Library/Application Support/Knowledge")))
  2645. +
  2646. + (allow file-read* file-write*
  2647. + (subpath (string-append (param "_HOME") "/Library/Caches/CloudKit/com.apple.knowledge-agent")))
  2648. +
  2649. + (allow file-read-metadata
  2650. + (subpath (string-append (param "_HOME") "/Library"))
  2651. + (subpath "/usr"))
  2652. +
  2653. + (allow file-read-data
  2654. + (literal "/usr/libexec")
  2655. + (subpath "/usr/libexec/knowledge-agent")
  2656. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  2657. + (literal (string-append (param "_HOME") "/Library/Preferences/.GlobalPreferences.plist"))
  2658. + (literal (string-append (param "_HOME") "/Library/Preferences/knowledge-agent.plist"))
  2659. + (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.CoreDuet.plist"))
  2660. + (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]*\.plist$"))
  2661. + (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/knowledge-agent\.[^/]*\.plist$"))
  2662. + (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Preferences/ByHost/com.apple.CoreDuet.plist\.[^/]*\.plist$")))
  2663. +
  2664. + (allow file-read-metadata
  2665. + (literal "/AppleInternal")
  2666. + (literal (param "_HOME")))
  2667. +
  2668. + (allow file-read*
  2669. + (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ; for CrashReporter
  2670. + (literal "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")) ; for MessageTracer
  2671. +
  2672. + (allow network-outbound
  2673. + (literal "/private/var/run/mDNSResponder")) ; to resolve host names
  2674. +
  2675. + (allow ipc-posix-shm-read-data
  2676. + (ipc-posix-name "FNetwork.defaultStorageSession"))
  2677. +
  2678. + (allow network-outbound
  2679. + (remote ip)) ; to download policy updates
  2680. +
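Review bot: The last ByHost pattern, `com.apple.CoreDuet.plist\.[^/]*\.plist$`, requires the text `plist` twice, so it will not match a file shaped like `com.apple.CoreDuet.<host-id>.plist`, which is the shape the two patterns above it accept for the other domains. It most likely should read `#"/Library/Preferences/ByHost/com\.apple\.CoreDuet\.[^/]*\.plist$"`, which also escapes the dots that currently act as wildcards. Separately, the `knowledge-agent.plist` and `com.apple.CoreDuet.plist` literals are granted under `file*` and then again under `file-read-data`; the second listing is redundant.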
  2681. --
  2682. com.apple.logd.sb
  2683. *** /System/Library/Sandbox/Profiles/com.apple.logd.sb 2017-04-14 16:25:45.000000000 -0700
  2684. --- com.apple.logd.sb 2017-07-10 13:51:51.000000000 -0700
  2685. ***************
  2686. *** 1,4 ****
  2687. ! ;; Copyright (c) 2015 Apple Inc. All Rights reserved.
  2688. ;;
  2689. ;; WARNING: The sandbox rules in this file currently constitute
  2690. ;; Apple System Private Interface and are subject to change at any time and
  2691. --- 1,4 ----
  2692. ! ;; Copyright (c) 2015-2017 Apple Inc. All Rights reserved.
  2693. ;;
  2694. ;; WARNING: The sandbox rules in this file currently constitute
  2695. ;; Apple System Private Interface and are subject to change at any time and
  2696. ***************
  2697. *** 14,36 ****
  2698.  
  2699. ;; Allow files to be written/deleted, and attributes to be read
  2700. (allow file-write*
  2701. ! (regex #"^(/private)?/var/db/diagnostics(/|$)")
  2702. ! (regex #"^(/private)?/var/db/uuidtext(/|$)")
  2703. ! )
  2704.  
  2705. (allow file-read*
  2706. ! (regex #"^(/private)?/var/db/diagnostics(/|$)")
  2707. ! (regex #"^/private/var/db/timezone(/|$)")
  2708. ! )
  2709.  
  2710. (allow file-issue-extension
  2711. (require-all
  2712. (extension-class "com.apple.logd.read-only")
  2713. (require-any
  2714. (subpath "/private/var/db/diagnostics")
  2715. (subpath "/private/var/db/uuidtext"))))
  2716.  
  2717. ;; Allow writes to syslogd
  2718. (allow network-outbound
  2719. ! (remote unix-socket (path-literal "/private/var/run/syslog"))
  2720. ! )
  2721. --- 14,36 ----
  2722.  
  2723. ;; Allow files to be written/deleted, and attributes to be read
  2724. (allow file-write*
  2725. ! (regex #"^/private/var/db/diagnostics(/|$)")
  2726. ! (regex #"^/private/var/db/timesync(/|$)")
  2727. ! (regex #"^/private/var/db/uuidtext(/|$)"))
  2728.  
  2729. (allow file-read*
  2730. ! (regex #"^/private/var/db/diagnostics(/|$)")
  2731. ! (regex #"^/private/var/db/timesync(/|$)")
  2732. ! (regex #"^/private/var/db/timezone(/|$)"))
  2733.  
  2734. (allow file-issue-extension
  2735. (require-all
  2736. (extension-class "com.apple.logd.read-only")
  2737. (require-any
  2738. (subpath "/private/var/db/diagnostics")
  2739. + (subpath "/private/var/db/timesync")
  2740. (subpath "/private/var/db/uuidtext"))))
  2741.  
  2742. ;; Allow writes to syslogd
  2743. (allow network-outbound
  2744. ! (remote unix-socket (path-literal "/private/var/run/syslog")))
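Review bot: Each rewritten pattern has the form `^<dir>(/|$)`, which appears to be exactly what `subpath` expresses, and the `file-issue-extension` rule in this same hunk already uses `(subpath "/private/var/db/timesync")` for the same directories. Writing the `file-write*` and `file-read*` entries as `subpath` filters too, e.g. `(subpath "/private/var/db/diagnostics")`, would keep the three rules visibly in step and remove regex escaping as a source of error. The change also drops the optional `(/private)?` prefix, which is only safe if paths are always matched in resolved form; a short comment saying so would help.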
  2745. --
  2746. com.apple.mtlcompilerservice.sb
  2747. *** /System/Library/Sandbox/Profiles/com.apple.mtlcompilerservice.sb 2016-08-01 20:13:26.000000000 -0700
  2748. --- com.apple.mtlcompilerservice.sb 2017-07-10 13:51:50.000000000 -0700
  2749. ***************
  2750. *** 5,10 ****
  2751.  
  2752. (import "system.sb")
  2753.  
  2754. ! (allow file-read-data)
  2755. ! (allow file-read-metadata)
  2756. !
  2757. --- 5,8 ----
  2758.  
  2759. (import "system.sb")
  2760.  
  2761. ! (allow file-read-metadata (path "/"))
  2762. --
  2763. com.apple.navd.sb
  2764. Files /System/Library/Sandbox/Profiles/com.apple.navd.sb and com.apple.navd.sb are identical
  2765. --
  2766. com.apple.neagent.sb
  2767. Files /System/Library/Sandbox/Profiles/com.apple.neagent.sb and com.apple.neagent.sb are identical
  2768. --
  2769. com.apple.nehelper.sb
  2770. *** /System/Library/Sandbox/Profiles/com.apple.nehelper.sb 2016-08-01 20:26:18.000000000 -0700
  2771. --- com.apple.nehelper.sb 2017-07-10 13:51:51.000000000 -0700
  2772. ***************
  2773. *** 17,29 ****
  2774. #"^/Library/Keychains/\."
  2775. #"^(/private)?/var/db/mds/system/mds.lock$"
  2776. )
  2777. ! (regex #"^/Library/Preferences/com\.apple\.networkextension(\.necp|\.control|\.cache)?\.plist")
  2778. ! (regex #"^/Library/Preferences/com\.apple\.networkd(\.sysctl)?\.plist")
  2779. (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.network\.plist")
  2780. (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.networkextension\.plist")
  2781. (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist")
  2782. (regex #"^/Library/Preferences/SystemConfiguration/VPN-[^/]+\.plist")
  2783. ! (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)"))
  2784.  
  2785. (allow mach-register
  2786. (global-name "com.apple.nehelper")
  2787. --- 17,29 ----
  2788. #"^/Library/Keychains/\."
  2789. #"^(/private)?/var/db/mds/system/mds.lock$"
  2790. )
  2791. ! (regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist")
  2792. ! (regex #"^/Library/Preferences/com\.apple\.networkd(\.[_a-zA-Z0-9-]+)?\.plist")
  2793. (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.network\.plist")
  2794. (regex #"^/Library/Preferences/Logging/Subsystems/com\.apple\.networkextension\.plist")
  2795. (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist")
  2796. (regex #"^/Library/Preferences/SystemConfiguration/VPN-[^/]+\.plist")
  2797. ! (subpath (param "TEMPDIR")))
  2798.  
  2799. (allow mach-register
  2800. (global-name "com.apple.nehelper")
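Review bot: The two rewritten preference patterns now accept any `[_a-zA-Z0-9-]+` component before `.plist` but still have no `$` at the end, so they also match longer names that merely begin with `….plist`. If trailing suffixes are not needed, close them: `(regex #"^/Library/Preferences/com\.apple\.networkextension(\.[_a-zA-Z0-9-]+)?\.plist$")`, and likewise for `networkd`; if they are needed (for example for temporary files written next to the plist), say so in a comment. The enclosing `allow` form begins above this hunk, so the operation these filters apply to is not visible here.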
  2801. ***************
  2802. *** 65,72 ****
  2803. --- 65,78 ----
  2804. (global-name "com.apple.lsd.modifydb")
  2805. (global-name "com.apple.logd.admin")
  2806. (global-name "com.apple.lsd.mapdb")
  2807. + (global-name "com.apple.mobileassetd")
  2808. + (global-name "com.apple.mobileassetd.v2")
  2809. (global-name "com.apple.securityd.xpc"))
  2810.  
  2811. + ;;; MobileAsset
  2812. + (allow user-preference-read (preference-domain "com.apple.MobileAsset"))
  2813. + (allow user-preference-read (preference-domain "com.apple.SoftwareUpdate"))
  2814. +
  2815. (allow sysctl-read)
  2816.  
  2817. (allow sysctl*
  2818. --
  2819. com.apple.nesessionmanager.sb
  2820. *** /System/Library/Sandbox/Profiles/com.apple.nesessionmanager.sb 2016-08-01 20:26:33.000000000 -0700
  2821. --- com.apple.nesessionmanager.sb 2017-07-10 13:51:50.000000000 -0700
  2822. ***************
  2823. *** 45,51 ****
  2824. (allow file-read*
  2825. (literal "/usr/libexec")
  2826. (literal "/usr/libexec/neagent")
  2827. - (literal "/usr/libexec/discoveryd")
  2828. (literal "/usr/libexec/nesessionmanager")
  2829. (literal "/usr/sbin/mDNSResponder"))
  2830.  
  2831. --- 45,50 ----
  2832. --
  2833. com.apple.networkserviceproxy.sb
  2834. *** /System/Library/Sandbox/Profiles/com.apple.networkserviceproxy.sb 2016-08-06 17:26:48.000000000 -0700
  2835. --- com.apple.networkserviceproxy.sb 2017-07-10 13:51:51.000000000 -0700
  2836. ***************
  2837. *** 30,34 ****
  2838. (allow file-read* file-write*
  2839. (literal (string-append (param "_HOME") "/Library/Preferences/networkserviceproxy.plist"))
  2840. (literal "/private/var/mobile/Library/Logs/awd")
  2841. ! (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log")
  2842. ! (regex "/private/var/folders/.*"))
  2843. --- 30,33 ----
  2844. (allow file-read* file-write*
  2845. (literal (string-append (param "_HOME") "/Library/Preferences/networkserviceproxy.plist"))
  2846. (literal "/private/var/mobile/Library/Logs/awd")
  2847. ! (literal "/private/var/mobile/Library/Logs/awd/awd-NetworkServiceProxy.log"))
  2848. --
  2849. com.apple.nlcd.sb
  2850. Files /System/Library/Sandbox/Profiles/com.apple.nlcd.sb and com.apple.nlcd.sb are identical
  2851. --
  2852. com.apple.noticeboard.agent.sb
  2853. Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.agent.sb and com.apple.noticeboard.agent.sb are identical
  2854. --
  2855. com.apple.noticeboard.state.sb
  2856. Files /System/Library/Sandbox/Profiles/com.apple.noticeboard.state.sb and com.apple.noticeboard.state.sb are identical
  2857. --
  2858. com.apple.notifyd.sb
  2859. Files /System/Library/Sandbox/Profiles/com.apple.notifyd.sb and com.apple.notifyd.sb are identical
  2860. --
  2861. com.apple.opendirectoryd.sb
  2862. Files /System/Library/Sandbox/Profiles/com.apple.opendirectoryd.sb and com.apple.opendirectoryd.sb are identical
  2863. --
  2864. com.apple.pboard.sb
  2865. *** /System/Library/Sandbox/Profiles/com.apple.pboard.sb 2016-08-19 16:16:37.000000000 -0700
  2866. --- com.apple.pboard.sb 2017-07-10 13:51:50.000000000 -0700
  2867. ***************
  2868. *** 2,11 ****
  2869. (deny default)
  2870.  
  2871. (import "system.sb")
  2872. ! (allow ipc-posix-shm (ipc-posix-name-regex #"^CFPBS:"))
  2873. (allow mach-lookup
  2874. (global-name "com.apple.coreservices.uasharedpasteboardmanager.xpc")
  2875. ! (global-name "com.apple.lsd.mapdb")
  2876. ! (local-name "com.apple.CFPasteboardClient"))
  2877.  
  2878. (allow file-read* (literal "/usr/libexec/pboard"))
  2879. --- 2,25 ----
  2880. (deny default)
  2881.  
  2882. (import "system.sb")
  2883. !
  2884. ! ; Enable pboard to call realpath() and re-issue sandbox extensions for file promises.
  2885. ! (allow file-read-metadata)
  2886. ! (allow file-issue-extension
  2887. ! (require-all
  2888. ! (extension-class "com.apple.app-sandbox.read")
  2889. ! (extension "com.apple.app-sandbox.read")))
  2890. ! (allow file-issue-extension
  2891. ! (require-all
  2892. ! (extension-class "com.apple.app-sandbox.read")
  2893. ! (extension "com.apple.app-sandbox.read-write")))
  2894. ! (allow file-issue-extension
  2895. ! (require-all
  2896. ! (extension-class "com.apple.app-sandbox.read-write")
  2897. ! (extension "com.apple.app-sandbox.read-write")))
  2898. !
  2899. (allow mach-lookup
  2900. (global-name "com.apple.coreservices.uasharedpasteboardmanager.xpc")
  2901. ! (global-name "com.apple.lsd.mapdb"))
  2902.  
  2903. (allow file-read* (literal "/usr/libexec/pboard"))
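Review bot: The three new `file-issue-extension` rules leave out the pair (class `com.apple.app-sandbox.read-write`, held extension `com.apple.app-sandbox.read`), and nothing in the comment says this is on purpose. That omission is what stops pboard from re-issuing a read-only grant as read-write, so it should be recorded before someone folds the three rules into one. I would add `; Never re-issue read-write for a path held only as read; that class/extension pair is deliberately absent.` above the first rule. `(allow file-read-metadata)` is also unfiltered, which realpath() plausibly needs, but the comment should state that the system-wide breadth is intended.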
  2904. --
  2905. com.apple.pictd.sb
  2906. Files /System/Library/Sandbox/Profiles/com.apple.pictd.sb and com.apple.pictd.sb are identical
  2907. --
  2908. com.apple.qtkitserver.sb
  2909. *** /System/Library/Sandbox/Profiles/com.apple.qtkitserver.sb 2017-02-04 16:59:32.000000000 -0800
  2910. --- com.apple.qtkitserver.sb 2017-07-10 13:51:51.000000000 -0700
  2911. ***************
  2912. *** 187,192 ****
  2913. --- 187,193 ----
  2914. (global-name "com.apple.PowerManagement.control")
  2915. (global-name "com.apple.audio.audiohald")
  2916. (global-name "com.apple.audio.coreaudiod")
  2917. + (global-name "com.apple.audio.AudioComponentRegistrar")
  2918. (global-name "com.apple.dock.server")
  2919. (global-name "com.apple.pasteboard.1")
  2920. (global-name "com.apple.pbs.fetch_services")
  2921. --
  2922. com.apple.qtkittrustedmoviesservice.sb
  2923. *** /System/Library/Sandbox/Profiles/com.apple.qtkittrustedmoviesservice.sb 2017-02-04 16:59:32.000000000 -0800
  2924. --- com.apple.qtkittrustedmoviesservice.sb 2017-07-10 13:51:51.000000000 -0700
  2925. ***************
  2926. *** 142,147 ****
  2927. --- 142,148 ----
  2928. (global-name "com.apple.PowerManagement.control")
  2929. (global-name "com.apple.audio.audiohald")
  2930. (global-name "com.apple.audio.coreaudiod")
  2931. + (global-name "com.apple.audio.AudioComponentRegistrar")
  2932. (global-name "com.apple.dock.server")
  2933. (global-name "com.apple.pasteboard.1")
  2934. (global-name "com.apple.pbs.fetch_services")
  2935. --
  2936. com.apple.rapportd.sb
  2937. *** /System/Library/Sandbox/Profiles/com.apple.rapportd.sb 1969-12-31 16:00:00.000000000 -0800
  2938. --- com.apple.rapportd.sb 2017-07-10 13:51:50.000000000 -0700
  2939. ***************
  2940. *** 0 ****
  2941. --- 1,47 ----
  2942. + ;
  2943. + ; Copyright (C) 2017 Apple Inc. All Rights Reserved.
  2944. + ;
  2945. + ; Sandbox profile for rapportd.
  2946. + ;
  2947. +
  2948. + (version 1)
  2949. + (deny default)
  2950. +
  2951. + (import "com.apple.corefoundation.sb")
  2952. + (import "system.sb")
  2953. +
  2954. + (allow distributed-notification-post)
  2955. + (allow file-read*
  2956. + (subpath "/"))
  2957. + (allow file-write*
  2958. + (subpath "/Library/Application Support/Rapport")
  2959. + (regex #"^/Library/Keychains/System.keychain")
  2960. + (literal "/private/var/db/mds/system/mds.lock")
  2961. + (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  2962. + (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)")
  2963. + (regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)")
  2964. + )
  2965. + (allow mach-lookup
  2966. + (global-name "com.apple.analyticsd")
  2967. + (global-name "com.apple.AutoUnlock.AuthenticationHintsProvider")
  2968. + (global-name "com.apple.awdd")
  2969. + (global-name "com.apple.bluetoothd")
  2970. + (global-name "com.apple.cloudd")
  2971. + (global-name "com.apple.coreduetd.context")
  2972. + (global-name "com.apple.coreduetd.knowledgebase")
  2973. + (global-name "com.apple.coresymbolicationd")
  2974. + (global-name "com.apple.distributed_notifications@1v3")
  2975. + (global-name "com.apple.managedconfiguration.profiled")
  2976. + (global-name "com.apple.networkd")
  2977. + (global-name "com.apple.ocspd")
  2978. + (global-name "com.apple.PairingManager")
  2979. + (global-name "com.apple.securityd.xpc")
  2980. + (global-name "com.apple.SecurityServer")
  2981. + (global-name "com.apple.server.bluetooth")
  2982. + (global-name "com.apple.wifi.manager")
  2983. + (global-name "com.apple.wirelessproxd"))
  2984. + (allow network*)
  2985. + (allow system-socket)
  2986. + (allow user-preference-read user-preference-write
  2987. + (preference-domain "com.apple.rapport")
  2988. + )
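Review bot: The write rule `(regex #"^/Library/Keychains/System.keychain")` has unescaped dots and no end anchor, so it grants `file-write*` on every path that begins with that string rather than on the System keychain file alone. If sibling lock or temporary files are the reason (not visible here), list them explicitly next to `(literal "/Library/Keychains/System.keychain")` instead of relying on a prefix match. `(allow file-read* (subpath "/"))` and `(allow network*)` are also unfiltered in a `(deny default)` profile and carry no comment; each should either be narrowed or get a line explaining why the daemon needs the full scope.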
  2989. --
  2990. com.apple.reversetemplated.sb
  2991. *** /System/Library/Sandbox/Profiles/com.apple.reversetemplated.sb 2016-08-03 17:40:10.000000000 -0700
  2992. --- com.apple.reversetemplated.sb 2017-07-10 13:51:51.000000000 -0700
  2993. ***************
  2994. *** 10,15 ****
  2995. --- 10,16 ----
  2996. (global-name "com.apple.tccd") ;; DataDetectorsCore
  2997. (global-name "com.apple.CoreServices.coreservicesd") ;; -[NSURL getResourceValue:forKey:error:]
  2998. (global-name "com.apple.mobileassetd") ;; to get access to the reverse templates
  2999. + (global-name "com.apple.parsecd") ;; to get flight information from Parsec (for flight template-less)
  3000. )
  3001.  
  3002. ;; SGAsset
  3003. --
  3004. com.apple.revisiond.sb
  3005. Files /System/Library/Sandbox/Profiles/com.apple.revisiond.sb and com.apple.revisiond.sb are identical
  3006. --
  3007. com.apple.rtcreportingd.sb
  3008. *** /System/Library/Sandbox/Profiles/com.apple.rtcreportingd.sb 2016-07-30 15:14:36.000000000 -0700
  3009. --- com.apple.rtcreportingd.sb 2017-07-10 13:51:51.000000000 -0700
  3010. ***************
  3011. *** 25,39 ****
  3012. (home-subpath "/Library/Logs/RTCReports")
  3013. (home-subpath "/logs/mediaserverd")
  3014. (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
  3015. (darwin-user-temp-subpath #"/TemporaryItems")
  3016. (mount-relative-regex #"^/\.TemporaryItems(/|$)")) ;; NSData atomic write
  3017.  
  3018. - (allow file-issue-extension
  3019. - (home-literal "/Library/Caches/rtcreportingd")
  3020. - (require-all
  3021. - (extension-class "com.apple.rtcreporting.upload")
  3022. - (home-subpath "/Library/Containers/com.apple.FaceTime/Data/logs/mediaserverd")))
  3023. -
  3024. (allow file-read*
  3025. (literal "/Library/Keychains/System.keychain")
  3026. (home-literal "/Library/Keychains/login.keychain")
  3027. --- 25,34 ----
  3028. (home-subpath "/Library/Logs/RTCReports")
  3029. (home-subpath "/logs/mediaserverd")
  3030. (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
  3031. + (literal "/private/var/db/mds/system/mds.lock")
  3032. (darwin-user-temp-subpath #"/TemporaryItems")
  3033. (mount-relative-regex #"^/\.TemporaryItems(/|$)")) ;; NSData atomic write
  3034.  
  3035. (allow file-read*
  3036. (literal "/Library/Keychains/System.keychain")
  3037. (home-literal "/Library/Keychains/login.keychain")
  3038. ***************
  3039. *** 50,56 ****
  3040. (literal "/private/var/db/mds/system/mdsDirectory.db")
  3041. (literal "/private/var/db/mds/system/mdsObject.db")
  3042. (literal "/usr/libexec")
  3043. ! (subpath "/usr/libexec/rtcreportingd"))
  3044.  
  3045. (allow user-preference-read (preference-domain "com.apple.rtcreportingd"))
  3046.  
  3047. --- 45,51 ----
  3048. (literal "/private/var/db/mds/system/mdsDirectory.db")
  3049. (literal "/private/var/db/mds/system/mdsObject.db")
  3050. (literal "/usr/libexec")
  3051. ! (literal "/usr/libexec/rtcreportingd"))
  3052.  
  3053. (allow user-preference-read (preference-domain "com.apple.rtcreportingd"))
  3054.  
  3055. ***************
  3056. *** 65,76 ****
  3057. (global-name "com.apple.CoreServices.coreservicesd")
  3058. (global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
  3059. (global-name "com.apple.SecurityServer")
  3060. (global-name "com.apple.cookied")
  3061. (global-name "com.apple.ocspd"))
  3062.  
  3063. (system-network)
  3064. ! (allow network-outbound
  3065. ! (literal "/private/var/run/mDNSResponder")
  3066. ! (remote tcp "*:443")
  3067. ! (remote udp "*:16384")
  3068. ! (remote udp "*:16387"))
  3069. \ No newline at end of file
  3070. --- 60,73 ----
  3071. (global-name "com.apple.CoreServices.coreservicesd")
  3072. (global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
  3073. (global-name "com.apple.SecurityServer")
  3074. + (global-name "com.apple.awdd")
  3075. (global-name "com.apple.cookied")
  3076. + (global-name "com.apple.distributed_notifications@1v3")
  3077. (global-name "com.apple.ocspd"))
  3078.  
  3079. + (allow system-fsctl
  3080. + (fsctl-command (_IO "h" 47))) ; HFSIOC_SET_HOTFILE_STATE
  3081. +
  3082. (system-network)
  3083. ! (allow network-outbound)
  3084. ! (allow network-inbound (local udp))
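Review bot: The new `(allow network-outbound)` drops every filter the old rule had (the mDNSResponder socket, `(remote tcp "*:443")` and the two UDP ports), so the daemon may now connect to any host and port, and the hunk gives no reason for it. If only additional endpoints were needed, extend the filtered list instead, keeping the old entries and adding the specific new `(remote ...)` filters. `(allow network-inbound (local udp))` likewise has no port restriction. The added `system-fsctl` rule is scoped to one command and commented, which is the pattern the network rules should follow.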
  3085. --
  3086. com.apple.secd.sb
  3087. *** /System/Library/Sandbox/Profiles/com.apple.secd.sb 1969-12-31 16:00:00.000000000 -0800
  3088. --- com.apple.secd.sb 2017-07-10 13:51:51.000000000 -0700
  3089. ***************
  3090. *** 0 ****
  3091. --- 1,46 ----
  3092. + (version 1)
  3093. +
  3094. + (deny default)
  3095. +
  3096. + (import "system.sb")
  3097. +
  3098. + (allow file-read* file-write*
  3099. + (subpath "/private/var/db/mds")
  3100. + (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
  3101. + (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
  3102. +
  3103. +
  3104. + ;;;;;; will be fully fixed in 29465717
  3105. + (allow file-read* (subpath "/"))
  3106. +
  3107. + (allow user-preference-read
  3108. + (preference-domain ".GlobalPreferences"))
  3109. + (allow user-preference-read
  3110. + (preference-domain "com.apple.security"))
  3111. +
  3112. + (allow file-read*
  3113. + (literal "/usr/libexec/secd")
  3114. + (literal "/Library/Preferences/com.apple.security.plist")
  3115. + (literal "/Library/Preferences/.GlobalPreferences.plist")
  3116. + (literal "/AppleInternal")
  3117. + (literal "/usr/libexec"))
  3118. +
  3119. +
  3120. + (allow mach-lookup
  3121. + (global-name "com.apple.SystemConfiguration.configd")
  3122. + (global-name "com.apple.security.cloudkeychainproxy3")
  3123. + (global-name "com.apple.security.keychainsyncingoveridsproxy")
  3124. + (global-name "com.apple.cloudd")
  3125. + (global-name "com.apple.apsd")
  3126. + (global-name "com.apple.windowserver.active"))
  3127. +
  3128. + (allow iokit-open
  3129. + (iokit-user-client-class "AppleKeyStoreUserClient"))
  3130. +
  3131. + (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
  3132. +
  3133. + (allow ipc-posix-shm
  3134. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  3135. +
  3136. + (allow network-outbound)
  3137. + (allow system-socket)
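Review bot: `(allow file-read* (subpath "/"))` gives this daemon read access to the whole filesystem, and its only explanation is `;;;;;; will be fully fixed in 29465717`, which says neither what is broken nor what the final rule should be. While it is present the later `(allow file-read* (literal "/usr/libexec/secd") ...)` list has no effect, so a reader cannot tell which reads are actually required. I would reword the comment to something like `;; TEMPORARY: whole-filesystem read; replace with the literal list below once 29465717 lands`. `(allow network-outbound)` is also unfiltered and uncommented.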
  3138. --
  3139. com.apple.secinitd.sb
  3140. Files /System/Library/Sandbox/Profiles/com.apple.secinitd.sb and com.apple.secinitd.sb are identical
  3141. --
  3142. com.apple.securitydservice.sb
  3143. *** /System/Library/Sandbox/Profiles/com.apple.securitydservice.sb 2016-08-29 18:15:20.000000000 -0700
  3144. --- com.apple.securitydservice.sb 2017-07-10 13:51:50.000000000 -0700
  3145. ***************
  3146. *** 19,25 ****
  3147.  
  3148. (allow mach-lookup
  3149. (global-name "com.apple.SecurityServer")
  3150. ! (global-name "com.apple.ocspd"))
  3151.  
  3152. (allow iokit-open
  3153. (iokit-user-client-class "AppleFDEKeyStoreUserClient")
  3154. --- 19,26 ----
  3155.  
  3156. (allow mach-lookup
  3157. (global-name "com.apple.SecurityServer")
  3158. ! (global-name "com.apple.ocspd")
  3159. ! (global-name "com.apple.mobile.keybagd.xpc"))
  3160.  
  3161. (allow iokit-open
  3162. (iokit-user-client-class "AppleFDEKeyStoreUserClient")
  3163. --
  3164. com.apple.siri.ClientFlow.ClientScripter.sb
  3165. *** /System/Library/Sandbox/Profiles/com.apple.siri.ClientFlow.ClientScripter.sb 2017-02-16 22:33:31.000000000 -0800
  3166. --- com.apple.siri.ClientFlow.ClientScripter.sb 2017-07-10 13:51:50.000000000 -0700
  3167. ***************
  3168. *** 25,30 ****
  3169. --- 25,33 ----
  3170. ;; For validating the entitlements of clients.
  3171. (allow process-info-codesignature)
  3172.  
  3173. + ;; For mapping process path to CFScripter instance
  3174. + (allow process-info-pidinfo)
  3175. +
  3176. (allow mach-lookup (global-name "com.apple.webinspector"))
  3177.  
  3178. (trace "/tmp/ClientScripter.trace")
  3179. --
  3180. com.apple.speech.speechsynthesisd.sb
  3181. *** /System/Library/Sandbox/Profiles/com.apple.speech.speechsynthesisd.sb 2017-03-26 12:45:27.000000000 -0700
  3182. --- com.apple.speech.speechsynthesisd.sb 2017-07-10 13:51:50.000000000 -0700
  3183. ***************
  3184. *** 89,95 ****
  3185. (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db$")
  3186. (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db_$"))
  3187.  
  3188. ! ;;; rdar://problem/26620973 & rdar://problem/31070724
  3189. (allow file-read* file-write* (regex #"^(/private)?/var/folders/[^/]+/[^/]+/[^/]+/com\.apple\.speech\.speechsynthesisd.*"))
  3190.  
  3191. ;;; rdar://problem/26439889 No speech at login window for Polyglot voices
  3192. --- 89,95 ----
  3193. (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db$")
  3194. (regex #"^(/private)?/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mdsObject\.db_$"))
  3195.  
  3196. ! ;;; rdar://problem/26620973 & rdar://problem/31560540
  3197. (allow file-read* file-write* (regex #"^(/private)?/var/folders/[^/]+/[^/]+/[^/]+/com\.apple\.speech\.speechsynthesisd.*"))
  3198.  
  3199. ;;; rdar://problem/26439889 No speech at login window for Polyglot voices
  3200. ***************
  3201. *** 98,107 ****
  3202. --- 98,109 ----
  3203. (allow mach-lookup
  3204. (global-name "com.apple.audio.audiohald")
  3205. (global-name "com.apple.audio.coreaudiod")
  3206. + (global-name "com.apple.audio.AudioComponentRegistrar")
  3207. (global-name "com.apple.CoreServices.coreservicesd")
  3208. (global-name "com.apple.coreservices.launchservicesd")
  3209. (global-name "com.apple.distributed_notifications@1v3")
  3210. (global-name "com.apple.distributed_notifications@Uv3")
  3211. + (global-name "com.apple.mobileassetd")
  3212. (global-name "com.apple.ocspd")
  3213. (global-name "com.apple.speechArbitrationServer")
  3214. (global-name "com.apple.speech.speechdatainstallerd")
  3215. --
  3216. com.apple.storeaccountd.sb
  3217. *** /System/Library/Sandbox/Profiles/com.apple.storeaccountd.sb 2016-08-12 15:28:37.000000000 -0700
  3218. --- com.apple.storeaccountd.sb 2017-07-10 13:51:50.000000000 -0700
  3219. ***************
  3220. *** 103,112 ****
  3221. --- 103,116 ----
  3222. (global-name "com.apple.storeaccountd"))
  3223.  
  3224. (allow mach-lookup
  3225. + (global-name "com.apple.adid")
  3226. + (global-name "com.apple.fpsd")
  3227. (global-name "com.apple.UNCUserNotification")
  3228. (global-name "com.apple.coreservices.launcherror-handler")
  3229. (global-name "com.apple.softwareupdated")
  3230. (global-name "com.apple.SystemConfiguration.configd")
  3231. + (global-name "com.apple.commerce")
  3232. + (global-name "com.apple.commerced")
  3233. (global-name "com.apple.storeassetd")
  3234. (global-name "com.apple.storeassetd.daemon")
  3235. (global-name "com.apple.storeaccountd")
  3236. --
  3237. com.apple.storeassetd.sb
  3238. *** /System/Library/Sandbox/Profiles/com.apple.storeassetd.sb 2017-04-13 21:11:22.000000000 -0700
  3239. --- com.apple.storeassetd.sb 2017-07-10 13:51:50.000000000 -0700
  3240. ***************
  3241. *** 93,98 ****
  3242. --- 93,100 ----
  3243. (global-name "com.apple.storeassetd"))
  3244.  
  3245. (allow mach-lookup
  3246. + (global-name "com.apple.adid")
  3247. + (global-name "com.apple.fpsd")
  3248. (global-name "com.apple.UNCUserNotification")
  3249. (global-name "com.apple.coreservices.launcherror-handler")
  3250. (global-name "com.apple.softwareupdated")
  3251. --
  3252. com.apple.storedownloadd.sb
  3253. *** /System/Library/Sandbox/Profiles/com.apple.storedownloadd.sb 2016-08-12 15:28:32.000000000 -0700
  3254. --- com.apple.storedownloadd.sb 2017-07-10 13:51:50.000000000 -0700
  3255. ***************
  3256. *** 37,42 ****
  3257. --- 37,43 ----
  3258. (regex #"/Library/Preferences/\.GlobalPreferences\.plist$")
  3259. (regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
  3260. (regex #"/Library/Preferences/com.apple.security\.plist$")
  3261. + (regex #"/Library/Preferences/com\.apple\.seeding\.plist$")
  3262. (regex #"/\.CFUserTextEncoding$")
  3263. (regex #"/Library/Caches/com\.apple\.commerce/updates-com\.apple\.appstore\.updateQueue\.plist$"))
  3264.  
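Review bot: The added `(regex #"/Library/Preferences/com\.apple\.seeding\.plist$")` has no `^` anchor, so it matches that suffix under any directory prefix, not only the system or home Library. It follows the style of the neighbouring context lines, so this may be deliberate to cover both locations with one entry. The enclosing rule starts above the hunk and its operation is not visible here; if it grants more than read, I would replace the entry with `(literal "/Library/Preferences/com.apple.seeding.plist")` plus an anchored home-relative filter.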
  3265. ***************
  3266. *** 96,101 ****
  3267. --- 97,104 ----
  3268. (global-name "com.apple.storedownloadd"))
  3269.  
  3270. (allow mach-lookup
  3271. + (global-name "com.apple.adid")
  3272. + (global-name "com.apple.fpsd")
  3273. (global-name "com.apple.UNCUserNotification")
  3274. (global-name "com.apple.coreservices.launcherror-handler")
  3275. (global-name "com.apple.softwareupdated")
  3276. --
  3277. com.apple.storelegacy.sb
  3278. Files /System/Library/Sandbox/Profiles/com.apple.storelegacy.sb and com.apple.storelegacy.sb are identical
  3279. --
  3280. com.apple.storereceiptinstaller.sb
  3281. *** /System/Library/Sandbox/Profiles/com.apple.storereceiptinstaller.sb 2017-04-13 21:12:19.000000000 -0700
  3282. --- com.apple.storereceiptinstaller.sb 2017-07-10 13:51:51.000000000 -0700
  3283. ***************
  3284. *** 9,14 ****
  3285. --- 9,15 ----
  3286. (literal "/private/var/root/Library/Preferences")
  3287. (literal "/Library/Preferences/.GlobalPreferences.plist")
  3288. (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
  3289. + (regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
  3290. (literal "/Library/Preferences/"))
  3291.  
  3292. (allow file-read* file-write*
  3293. ***************
  3294. *** 40,45 ****
  3295. --- 41,48 ----
  3296. (allow distributed-notification-post)
  3297.  
  3298. (allow mach-lookup
  3299. + (global-name "com.apple.lsd.mapdb")
  3300. + (global-name "com.apple.lsd.modifydb")
  3301. (global-name "com.apple.CoreServices.coreservicesd")
  3302. (global-name "com.apple.DiskArbitration.diskarbitrationd")) ;used by [[NSWorkspace sharedWorkspace] setIcon:forFile:options:];
  3303.  
  3304. --
  3305. com.apple.storeuid.sb
  3306. *** /System/Library/Sandbox/Profiles/com.apple.storeuid.sb 2016-08-12 15:29:02.000000000 -0700
  3307. --- com.apple.storeuid.sb 2017-07-10 13:51:50.000000000 -0700
  3308. ***************
  3309. *** 85,90 ****
  3310. --- 85,97 ----
  3311. (literal "/Library/Preferences/com.apple.HIToolbox.plist")
  3312. (regex #"/Library/Preferences/com\.apple\.LaunchServices/com\.apple\.launchservices\.secure\.plist$"))
  3313.  
  3314. + (allow user-preference-read
  3315. + (preference-domain "com.apple.AppleMultitouchTrackpad")
  3316. + (preference-domain "com.apple.ServicesMenu.Services"))
  3317. +
  3318. + (allow user-preference*
  3319. + (preference-domain "com.apple.storeuid"))
  3320. +
  3321. (allow ipc-posix-shm-read-data
  3322. (ipc-posix-name "FNetwork.defaultStorageSession")
  3323. (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  3324. ***************
  3325. *** 95,107 ****
  3326. (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  3327.  
  3328. (allow mach-register
  3329. ! (global-name "com.apple.storeuid"))
  3330.  
  3331. (allow mach-lookup
  3332. (global-name "com.apple.UNCUserNotification")
  3333. (global-name "com.apple.coreservices.launcherror-handler")
  3334. (global-name "com.apple.softwareupdated")
  3335. (global-name "com.apple.SystemConfiguration.configd")
  3336. (global-name "com.apple.storeassetd")
  3337. (global-name "com.apple.storeaccountd")
  3338. (global-name "com.apple.storedownloadd")
  3339. --- 102,121 ----
  3340. (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  3341.  
  3342. (allow mach-register
  3343. ! (global-name "com.apple.storeuid")
  3344. ! (global-name "com.apple.storeagent.storekit"))
  3345.  
  3346. (allow mach-lookup
  3347. + (global-name "com.apple.iohideventsystem")
  3348. + (global-name "com.apple.tsm.uiserver")
  3349. + (global-name "com.apple.touchbarserver.mig")
  3350. + (global-name "com.apple.touchbar.agent")
  3351. + (global-name "com.apple.pbs.fetch_services")
  3352. (global-name "com.apple.UNCUserNotification")
  3353. (global-name "com.apple.coreservices.launcherror-handler")
  3354. (global-name "com.apple.softwareupdated")
  3355. (global-name "com.apple.SystemConfiguration.configd")
  3356. + (global-name "com.apple.commerce")
  3357. (global-name "com.apple.storeassetd")
  3358. (global-name "com.apple.storeaccountd")
  3359. (global-name "com.apple.storedownloadd")
  3360. ***************
  3361. *** 166,171 ****
  3362. --- 180,188 ----
  3363. (right-name "com.apple.SoftwareUpdate.modify-settings"))
  3364.  
  3365. (allow iokit-open
  3366. + (iokit-user-client-class "IOSurfaceRootUserClient")
  3367. + (iokit-user-client-class "IGAccelCommandQueue")
  3368. + (iokit-user-client-class "AppleMultitouchDeviceUserClient")
  3369. (iokit-user-client-class "IOFramebufferSharedUserClient")
  3370. (iokit-user-client-class "RootDomainUserClient")
  3371. (iokit-user-client-class-regex #"AccelDevice$")
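Review bot: The three new `iokit-open` entries have no comment, and each user-client class opened this way is kernel driver code reachable from the process, so the reason for each belongs next to it as a trailing `;;` note. `IGAccelCommandQueue` is a vendor-specific class name, whereas the existing context line uses `(iokit-user-client-class-regex #"AccelDevice$")` to stay vendor-neutral. If the command-queue client is needed on other GPUs too, this literal would presumably not cover them, which is worth confirming. The `(allow iokit-open` rule continues past the end of the hunk.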
  3372. --
  3373. com.apple.suggestd.sb
  3374. *** /System/Library/Sandbox/Profiles/com.apple.suggestd.sb 2016-11-08 18:31:19.000000000 -0800
  3375. --- com.apple.suggestd.sb 2017-07-10 13:51:50.000000000 -0700
  3376. ***************
  3377. *** 16,21 ****
  3378. --- 16,23 ----
  3379. (mount-relative-regex "^/\\.TemporaryItems(/|$)") ;; NSData atomic write
  3380. (home-subpath "/Library/Calendars") ;; EventKit
  3381. (home-subpath "/Library/Application Support/AddressBook") ;; this needs to be r/w even if we only read: <rdar://problem/20454859>
  3382. + (home-subpath "/Library/Caches/com.apple.parsecd/CustomFeedback/") ;; Parsec feedback (Trystero uploads) <rdar://problem/33038387> Sandbox exception for Parsec feedback (macOS)
  3383. +
  3384. )
  3385.  
  3386. (allow file-write-create
  3387. ***************
  3388. *** 31,44 ****
  3389. --- 33,57 ----
  3390. (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") ;; MessageTracer
  3391. (home-subpath "/Library/Mail") ;; Mail attachments
  3392. (subpath "/private/var/db/datadetectors/sys") ;; Data Detectors sources
  3393. + (home-subpath "/Library/Application Support/Knowledge") ;; _DKKnowledgeStore
  3394. )
  3395.  
  3396. (allow file-read* file-write*
  3397. (literal "/private/var/db/mds/system/mds.lock") ;; Security.framework
  3398. )
  3399.  
  3400. + ;; <rdar://problem/31989235> Lobo: SGOrigin app name unlocalized - need sandbox rule for InfoPlist.strings
  3401. + (allow file-read* (home-literal "/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist"))
  3402. + (allow file-read* (regex #"\.app$"))
  3403. + (allow file-read* (regex #"\.app/Contents$"))
  3404. + (allow file-read* (regex #"\.app/Contents/Resources$"))
  3405. + (allow file-read* (regex #"/InfoPlist\.strings$"))
  3406. + (allow file-read* (regex #"/Info.plist$"))
  3407. + (allow file-read* (regex #"\.lproj$"))
  3408. +
  3409. (allow mach-lookup
  3410. (global-name "com.apple.accountsd.accountmanager") ;; EventKit
  3411. + (global-name "com.apple.apsd") ;; SGDCloudKitSync (APNS)
  3412. (global-name "com.apple.AddressBook.abd")
  3413. (global-name "com.apple.AddressBook.AddressBookApplicationFrameworkIPC")
  3414. (global-name "com.apple.AddressBook.ContactsAccountsService") ;; [ABAddressBook sharedAddressBook]
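Review bot: The six new `file-read*` regexes have no start anchor, so `(regex #"/InfoPlist\.strings$")` and `(regex #"/Info.plist$")` allow reading any file with those names anywhere on the filesystem, not only inside `.app` bundles as the rdar comment implies. `/Info.plist$` also leaves its dot unescaped, unlike `InfoPlist\.strings` on the line above it. Tying the file names to the bundle layout would match the stated purpose, for example `(regex #"\.app/Contents/Info\.plist$")` and `(regex #"\.app/Contents/Resources/[^/]+\.lproj/InfoPlist\.strings$")`. The `(allow mach-lookup` rule at the end of the hunk continues outside it.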
  3415. ***************
  3416. *** 48,61 ****
  3417. (global-name "com.apple.CalendarAgent.proxy")
  3418. (global-name "com.apple.ContactsAgent.general")
  3419. (global-name "com.apple.ContactsAgent.addressbook")
  3420. (global-name "com.apple.coreduetd") ;; SGDPowerBudget
  3421. ! (global-name "com.apple.coreduetd.people") ;; SGDuetBridge
  3422. (global-name "com.apple.corerecents.recentsd") ;; for significant pseudo-contacts
  3423. (global-name "com.apple.CoreServices.coreservicesd") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
  3424. (global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
  3425. (global-name "com.apple.distributed_notifications@Uv3")
  3426. (global-name "com.apple.lsd.mapdb") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
  3427. (global-name "com.apple.lsd.modifydb") ;; same, see <rdar://problem/21302822>
  3428. (global-name "com.apple.mobileassetd") ;; SGAsset
  3429. (global-name "com.apple.reversetemplated")
  3430. (global-name "com.apple.rtcreportingd")
  3431. --- 61,79 ----
  3432. (global-name "com.apple.CalendarAgent.proxy")
  3433. (global-name "com.apple.ContactsAgent.general")
  3434. (global-name "com.apple.ContactsAgent.addressbook")
  3435. + (global-name "com.apple.cloudd") ;; SGDCloudKitSync (CloudKit)
  3436. (global-name "com.apple.coreduetd") ;; SGDPowerBudget
  3437. ! (global-name "com.apple.coreduetd.knowledge.user") ;; PersonalizationPortrait
  3438. ! (global-name "com.apple.coreduetd.context") ;; SGDPowerBudget
  3439. (global-name "com.apple.corerecents.recentsd") ;; for significant pseudo-contacts
  3440. (global-name "com.apple.CoreServices.coreservicesd") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
  3441. + (global-name "com.apple.spotlight.SearchAgent")
  3442. + (global-name "com.apple.spotlight.IndexAgent")
  3443. (global-name "com.apple.DiskArbitration.diskarbitrationd") ;; NSData atomic write
  3444. (global-name "com.apple.distributed_notifications@Uv3")
  3445. (global-name "com.apple.lsd.mapdb") ;; apparently needed by -[NSURL getResourceValue:forKey:error:]
  3446. (global-name "com.apple.lsd.modifydb") ;; same, see <rdar://problem/21302822>
  3447. + (global-name "com.apple.metadata.mds") ;; <rdar://problem/28957199>
  3448. (global-name "com.apple.mobileassetd") ;; SGAsset
  3449. (global-name "com.apple.reversetemplated")
  3450. (global-name "com.apple.rtcreportingd")
  3451. ***************
  3452. *** 63,69 ****
  3453. (global-name "com.apple.SecurityServer") ;; Security.framework
  3454. (global-name "com.apple.syncdefaultsd")
  3455. (global-name "com.apple.system.opendirectoryd.api") ;; AddressBook.framework
  3456. ! (global-name "com.apple.tccd"))
  3457.  
  3458. (allow file-read-metadata
  3459. (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal"))
  3460. --- 81,90 ----
  3461. (global-name "com.apple.SecurityServer") ;; Security.framework
  3462. (global-name "com.apple.syncdefaultsd")
  3463. (global-name "com.apple.system.opendirectoryd.api") ;; AddressBook.framework
  3464. ! (global-name "com.apple.SystemConfiguration.configd") ;; SGDCloudKitSync (APNS)
  3465. ! (global-name "com.apple.tccd")
  3466. ! (global-name "com.apple.windowserver.active") ;; AGDCloudKitSync (APNS)
  3467. ! (global-name "com.apple.FileCoordination")) ;; MailServices for reimport
  3468.  
  3469. (allow file-read-metadata
  3470. (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal"))
  3471. --
  3472. com.apple.swcd.sb
  3473. Files /System/Library/Sandbox/Profiles/com.apple.swcd.sb and com.apple.swcd.sb are identical
  3474. --
  3475. com.apple.tccd.sb
  3476. Files /System/Library/Sandbox/Profiles/com.apple.tccd.sb and com.apple.tccd.sb are identical
  3477. --
  3478. com.apple.touristd.sb
  3479. *** /System/Library/Sandbox/Profiles/com.apple.touristd.sb 1969-12-31 16:00:00.000000000 -0800
  3480. --- com.apple.touristd.sb 2017-07-10 13:51:50.000000000 -0700
  3481. ***************
  3482. *** 0 ****
  3483. --- 1,106 ----
  3484. + ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
  3485. + ;;;
  3486. + ;;; WARNING: The sandbox rules in this file currently constitute
  3487. + ;;; Apple System Private Interface and are subject to change at any time and
  3488. + ;;; without notice.
  3489. + ;;;
  3490. + (version 1)
  3491. +
  3492. + (deny default)
  3493. + (deny file-map-executable iokit-get-properties process-info* nvram*)
  3494. + (deny dynamic-code-generation)
  3495. +
  3496. + (import "system.sb")
  3497. + (import "com.apple.corefoundation.sb")
  3498. + (corefoundation)
  3499. +
  3500. + ;;; Homedir-relative path filters
  3501. + (define (home-regex home-relative-regex)
  3502. + (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
  3503. +
  3504. + (define (home-subpath home-relative-subpath)
  3505. + (subpath (string-append (param "HOME") home-relative-subpath)))
  3506. +
  3507. + (define (home-prefix home-relative-prefix)
  3508. + (prefix (string-append (param "HOME") home-relative-prefix)))
  3509. +
  3510. + (define (home-literal home-relative-literal)
  3511. + (literal (string-append (param "HOME") home-relative-literal)))
  3512. +
  3513. + (allow process-info* (target self))
  3514. +
  3515. + ;; For resolving symlinks, realpath(3), and equivalents.
  3516. + (allow file-read-metadata)
  3517. +
  3518. + ;; For validating the entitlements of clients.
  3519. + (allow process-info-codesignature)
  3520. +
  3521. + ;;allow safari to open the url
  3522. + (allow lsopen)
  3523. +
  3524. + ;; preference domain.
  3525. + (allow user-preference-read user-preference-write
  3526. + (preference-domain "com.apple.touristd"))
  3527. + (allow user-preference-read user-preference-write
  3528. + (preference-domain "NSGlobalDomain"))
  3529. + (allow file-read* file-write* (home-subpath "/Library/Preferences/"))
  3530. + (allow file-read* file-write* (literal "/Library/Preferences/.GlobalPreferences.plist"))
  3531. +
  3532. + ;; private frameworks.
  3533. + (allow file-map-executable (subpath "/System/Library/PrivateFrameworks/"))
  3534. + (allow file-map-executable (subpath "/System/Library/Frameworks/"))
  3535. +
  3536. + ;;allow outbound network connections.
  3537. + (system-network)
  3538. + (allow network-outbound)
  3539. + (allow ipc-posix-shm-read-data)
  3540. +
  3541. + ;;allow mach lookup.
  3542. + (allow mach-lookup
  3543. + (global-name "com.apple.cookied")
  3544. + (global-name "com.apple.coreservices.launchservicesd")
  3545. + (global-name "com.apple.dock.server")
  3546. + (global-name "com.apple.lsd.mapdb")
  3547. + (global-name "com.apple.lsd.modifydb")
  3548. + (global-name "com.apple.syncdefaultsd")
  3549. + (global-name "com.apple.usernoted.daemon_client")
  3550. + (global-name "com.apple.coreservices.quarantine-resolver")
  3551. + (global-name "com.apple.SecurityServer")
  3552. + (global-name "com.apple.windowserver.active"))
  3553. +
  3554. + ;;allow get properties.
  3555. + (allow iokit-get-properties
  3556. + (require-all
  3557. + (iokit-registry-entry-class "IOPlatformExpertDevice")
  3558. + (iokit-registry-entry-class "IORegisterForSystemPower")
  3559. + (iokit-registry-entry-class "IORegistryEntryCreateCFProperty")))
  3560. +
  3561. + (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
  3562. + (allow iokit-get-properties (iokit-property "board-id"))
  3563. + (allow iokit-get-properties)
  3564. +
  3565. + ;; Read/write access to a temporary directory.
  3566. + (allow file-read* file-write*
  3567. + (subpath (param "TMPDIR"))
  3568. + (subpath (param "DARWIN_CACHE_DIR"))
  3569. + (subpath "/Library/Application Support/CrashReporter/"))
  3570. +
  3571. +
  3572. + (allow file-read*
  3573. + (subpath "/Library/Application Support/CrashReporter/")
  3574. + (subpath "/private/var/db/mds/messages")
  3575. + (literal "/Library/Preferences/com.apple.security.plist"))
  3576. +
  3577. +
  3578. + ;; Read/write access to the previous system version.
  3579. + (allow file-read-data (literal "/private/var/db/PreviousSystemVersion.plist"))
  3580. + (allow file-read-data (home-literal "/.CFUserTextEncoding"))
  3581. +
  3582. + ;; Read/write access to com.apple.touristd’s cache.
  3583. + (let ((cache-path-filter (home-prefix "/Library/Caches/com.apple.touristd")))
  3584. + (allow file-read* file-write* cache-path-filter)
  3585. + (allow file-issue-extension
  3586. + (require-all
  3587. + (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
  3588. + cache-path-filter)))
  3589. +
  3590. --
  3591. com.apple.trustd.sb
  3592. *** /System/Library/Sandbox/Profiles/com.apple.trustd.sb 1969-12-31 16:00:00.000000000 -0800
  3593. --- com.apple.trustd.sb 2017-07-10 13:51:51.000000000 -0700
  3594. ***************
  3595. *** 0 ****
  3596. --- 1,70 ----
  3597. + (version 1)
  3598. +
  3599. + (deny default)
  3600. + (deny file-map-executable iokit-get-properties process-info* nvram*)
  3601. + (deny dynamic-code-generation)
  3602. +
  3603. + (import "system.sb")
  3604. + (import "com.apple.corefoundation.sb")
  3605. + (corefoundation)
  3606. +
  3607. + (allow process-info* (target self))
  3608. +
  3609. + ;; For resolving symlinks, realpath(3), and equivalents.
  3610. + (allow file-read-metadata)
  3611. +
  3612. + ;; For validating the entitlements of clients (for keychain and trust settings)
  3613. + ;; see 31353815
  3614. + (allow process-info-codesignature)
  3615. + (allow process-info-pidinfo)
  3616. + (allow file-read*)
  3617. +
  3618. + ;; ${PRODUCT_NAME}’s preference domain.
  3619. + (allow user-preference-read user-preference-write
  3620. + (preference-domain "com.apple.trustd"))
  3621. +
  3622. + ;; Global and security preferences
  3623. + (allow user-preference-read
  3624. + (preference-domain "com.apple.security")
  3625. + (preference-domain "com.apple.Security")
  3626. + (preference-domain ".GlobalPreferences")
  3627. + (preference-domain "com.apple.MobileAsset"))
  3628. +
  3629. + ;; Read/write access to a temporary directory.
  3630. + (allow file-read* file-write*
  3631. + (subpath (param "_TMPDIR"))
  3632. + (subpath (param "_DARWIN_CACHE_DIR")))
  3633. +
  3634. + ;; Read/write access to keychains and caches
  3635. + (allow file-read* file-write*
  3636. + (subpath "/private/var/db/mds/")
  3637. + (subpath "/private/var/db/crls/")
  3638. + (subpath "/System/Library/Security/")
  3639. + (subpath "/Library/Keychains/")
  3640. + (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
  3641. +
  3642. + (allow file-read*
  3643. + (literal "/usr/libexec")
  3644. + (literal "/usr/libexec/trustd")
  3645. + (literal "/Library/Preferences/com.apple.security.plist")
  3646. + (regex #"/.GlobalPreferences[^/]*\.plist")
  3647. + (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
  3648. + (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
  3649. +
  3650. + (allow file-map-executable
  3651. + (regex #"/CoreServicesInternal")
  3652. + (regex #"/csparser"))
  3653. +
  3654. + (allow mach-lookup
  3655. + (global-name "com.apple.ocspd")
  3656. + (global-name "com.apple.SecurityServer")
  3657. + (global-name "com.apple.SystemConfiguration.configd")
  3658. + (global-name "com.apple.mobileassetd")
  3659. + (global-name "com.apple.securityd.xpc")
  3660. + (global-name "com.apple.nsurlsessiond"))
  3661. +
  3662. + (allow ipc-posix-shm
  3663. + (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  3664. +
  3665. + (allow network-outbound)
  3666. + (allow system-socket)
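Review bot: The unqualified `(allow file-read*)` under the `see 31353815` comment grants read access to every path, so the later `(allow file-read* (literal "/usr/libexec") …)` list and the separate `(allow file-read-metadata)` add nothing, and as far as the visible rules go `(deny default)` no longer constrains reads. If the broad read is really needed for validating client entitlements, say so in a comment and drop the shadowed list; otherwise scope the rule to the paths that list already names. In that list, `(regex #"/.GlobalPreferences[^/]*\.plist")` leaves the first dot unescaped and has no end anchor; `(regex #"/\.GlobalPreferences[^/]*\.plist$")` matches what the name suggests. The header `;; ${PRODUCT_NAME}’s preference domain.` is an unexpanded template and should read `;; trustd’s preference domain.`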
  3667. --
  3668. com.apple.useractivityd.sb
  3669. *** /System/Library/Sandbox/Profiles/com.apple.useractivityd.sb 2016-08-02 19:58:42.000000000 -0700
  3670. --- com.apple.useractivityd.sb 2017-07-10 13:51:50.000000000 -0700
  3671. ***************
  3672. *** 12,17 ****
  3673. --- 12,24 ----
  3674. (allow file-write*
  3675. (subpath (param "LOG_DIR")))
  3676.  
  3677. + ;;(allow file-issue-extension
  3678. + ;; (extension "com.apple.app-sandbox.read-write"))
  3679. +
  3680. + (if (param "TMP_DIR")
  3681. + (allow file-issue-extension
  3682. + (regex (string-append "^" (param "TMP_DIR") "/*"))))
  3683. +
  3684. (if (param "TMP_DIR")
  3685. (allow file-write*
  3686. (regex (string-append "^" (param "TMP_DIR") "/*"))))
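Review bot: The new `file-issue-extension` rule builds its filter as `(regex (string-append "^" (param "TMP_DIR") "/*"))`, where `TMP_DIR` is not passed through `regex-quote` and the trailing `/*` means "zero or more slashes", so the pattern is a bare prefix match that also covers sibling paths such as `<TMP_DIR>-other`. It also puts no limit on the extension class, unlike the touristd cache rule earlier in this paste, which wraps its filter in `require-all` with `extension-class`. I would write it as `(allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath (param "TMP_DIR"))))`, assuming read-write is the class the daemon hands out (the commented-out rule just above suggests so), and delete that commented-out rule rather than ship it. The existing `file-write*` rule at the end of the hunk uses the same regex and has the same prefix problem.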
  3687. ***************
  3688. *** 54,59 ****
  3689. --- 61,69 ----
  3690. (global-name "com.apple.ProgressReporting")
  3691. (global-name "com.apple.iokit.powerdxpc")
  3692. (global-name "com.apple.PowerManagement.control")
  3693. + (global-name "com.apple.BluetoothDOServer")
  3694. + (global-name "com.apple.FileCoordination")
  3695. + (global-name "com.apple.analyticsd")
  3696. )
  3697.  
  3698. ;; Things needed for debugging, only if it's a debug server
  3699. --
  3700. com.apple.writeconfig.sb
  3701. Files /System/Library/Sandbox/Profiles/com.apple.writeconfig.sb and com.apple.writeconfig.sb are identical
  3702. --
  3703. com.apple.xpchelper.sb
  3704. Files /System/Library/Sandbox/Profiles/com.apple.xpchelper.sb and com.apple.xpchelper.sb are identical
  3705. --
  3706. com.openssh.sshd.sb
  3707. Files /System/Library/Sandbox/Profiles/com.openssh.sshd.sb and com.openssh.sshd.sb are identical
  3708. --
  3709. coresymbolicationd.sb
  3710. Files /System/Library/Sandbox/Profiles/coresymbolicationd.sb and coresymbolicationd.sb are identical
  3711. --
  3712. directoryserver.sb
  3713. Files /System/Library/Sandbox/Profiles/directoryserver.sb and directoryserver.sb are identical
  3714. --
  3715. fmfd.sb
  3716. Files /System/Library/Sandbox/Profiles/fmfd.sb and fmfd.sb are identical
  3717. --
  3718. iWorkXPC.sb
  3719. *** /System/Library/Sandbox/Profiles/iWorkXPC.sb 1969-12-31 16:00:00.000000000 -0800
  3720. --- iWorkXPC.sb 2017-07-10 13:51:51.000000000 -0700
  3721. ***************
  3722. *** 0 ****
  3723. --- 1,28 ----
  3724. + (version 1)
  3725. +
  3726. + (deny default)
  3727. + (deny dynamic-code-generation file-map-executable nvram* process-info*)
  3728. +
  3729. + (import "system.sb")
  3730. +
  3731. + ;;; <rdar://problem/32252235> MAC: XPC: Sandbox violations on export
  3732. + (define (home-subpath home-relative-subpath)
  3733. + (subpath (string-append (param "_HOME") home-relative-subpath)))
  3734. + (define (home-literal home-relative-literal)
  3735. + (literal (string-append (param "_HOME") home-relative-literal)))
  3736. + (define (home-regex home-relative-regex)
  3737. + (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
  3738. +
  3739. + (allow file-read* (home-literal "/Library/Preferences/.CFUserTextEncoding"))
  3740. +
  3741. + (allow file-read-metadata)
  3742. +
  3743. + (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
  3744. +
  3745. + (allow file-read* (extension "com.apple.app-sandbox.read"))
  3746. + (allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))
  3747. +
  3748. + (allow process-info-dirtycontrol (target self))
  3749. +
  3750. + (allow file-map-executable (subpath "/System/Library/Frameworks")
  3751. + (subpath "/System/Library/PrivateFrameworks"))
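Review bot: `home-subpath` and `home-regex` are defined but never used in this profile; only `home-literal` is called, for `.CFUserTextEncoding`. Dropping the two unused helpers keeps a 28-line deny-default profile easy to audit and avoids implying home-directory rules that are not there. The bare `(allow file-read-metadata)` also carries no rationale; if it is there for the same reason as in com.apple.trustd.sb, carry that comment over: `;; For resolving symlinks, realpath(3), and equivalents.`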
  3752. --
  3753. opendirectory.sb
  3754. Files /System/Library/Sandbox/Profiles/opendirectory.sb and opendirectory.sb are identical
  3755. --
  3756. racoon.sb
  3757. Files /System/Library/Sandbox/Profiles/racoon.sb and racoon.sb are identical
  3758. --
  3759. system.sb
  3760. *** /System/Library/Sandbox/Profiles/system.sb 2016-08-29 17:54:29.000000000 -0700
  3761. --- system.sb 2017-07-10 13:51:50.000000000 -0700
  3762. ***************
  3763. *** 10,17 ****
  3764. (version 1)
  3765.  
  3766. ;;; Allow registration of per-pid services.
  3767. ! (allow mach-register
  3768. ! (local-name-prefix ""))
  3769.  
  3770. ;;; Allow read access to standard system paths.
  3771. (allow file-read*
  3772. --- 10,19 ----
  3773. (version 1)
  3774.  
  3775. ;;; Allow registration of per-pid services.
  3776. ! (allow mach-register (local-name-prefix ""))
  3777. !
  3778. ! ;;; Allow lookup of XPC services for backward-compatibility.
  3779. ! (allow mach-lookup (xpc-service-name-prefix ""))
  3780.  
  3781. ;;; Allow read access to standard system paths.
  3782. (allow file-read*
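Review bot: `(allow mach-lookup (xpc-service-name-prefix ""))` uses an empty prefix, which matches every XPC service name, and the comment above it does not say so. Because system.sb is imported by other profiles (com.apple.trustd.sb and iWorkXPC.sb in this paste both import it), the rule presumably applies to each of them on top of their own `mach-lookup` lists, so their `(deny default)` would no longer limit XPC service lookups. I would at least extend the comment, e.g. `;;; NOTE: the empty prefix matches all XPC service names; every profile that imports system.sb inherits this.`, and name the clients that still need the compatibility rule so it can be narrowed later.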
  3783. ***************
  3784. *** 20,25 ****
  3785. --- 22,28 ----
  3786. (subpath "/Library/Preferences/Logging") ; Logging Rethink
  3787. (subpath "/System")
  3788. (subpath "/private/var/db/dyld")
  3789. + (subpath "/private/var/db/timezone")
  3790. (subpath "/usr/lib")
  3791. (subpath "/usr/share"))))
  3792.  
  3793. ***************
  3794. *** 76,81 ****
  3795. --- 79,85 ----
  3796. (global-name "com.apple.cfprefsd.agent")
  3797. (global-name "com.apple.cfprefsd.daemon")
  3798. (global-name "com.apple.diagnosticd")
  3799. + (global-name "com.apple.dyld.closured")
  3800. (global-name "com.apple.espd")
  3801. (global-name "com.apple.logd")
  3802. (global-name "com.apple.logd.events")
  3803. ***************
  3804. *** 119,124 ****
  3805. --- 123,129 ----
  3806. (iokit-registry-entry-class "IOFramebufferSharedUserClient"))
  3807. ;; H.264 Acceleration
  3808. (allow iokit-open
  3809. + (iokit-registry-entry-class "AppleIntelMEUserClient")
  3810. (iokit-registry-entry-class "AppleSNBFBUserClient"))
  3811. ;; QuartzCore
  3812. (allow iokit-open