1; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
2;
3; Redistribution and use in source and binary forms, with or without
4; modification, are permitted provided that the following conditions
5; are met:
6; 1. Redistributions of source code must retain the above copyright
7;    notice, this list of conditions and the following disclaimer.
8; 2. Redistributions in binary form must reproduce the above copyright
9;    notice, this list of conditions and the following disclaimer in the
10;    documentation and/or other materials provided with the distribution.
11;
12; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22; THE POSSIBILITY OF SUCH DAMAGE.
23
24(version 1)
25(deny default (with partial-symbolication))
26(allow system-audit file-read-metadata)
27
28(import "system.sb")
29
30;; Utility functions for home directory relative path filters
31(define (home-regex home-relative-regex)
32  (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))
33
34(define (home-subpath home-relative-subpath)
35    (subpath (string-append (param "HOME_DIR") home-relative-subpath)))
36
37(define (home-literal home-relative-literal)
38    (literal (string-append (param "HOME_DIR") home-relative-literal)))
39
40;; Read-only preferences and data
41(allow file-read*
42    ;; Basic system paths
43    (subpath "/Library/Frameworks")
44    (subpath "/Library/Managed Preferences")
45
46    ;; System and user preferences
47    (literal "/Library/Preferences/.GlobalPreferences.plist")
48    (regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
49    (home-literal "/Library/Preferences/.GlobalPreferences.plist")
50    (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
51    (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
52    (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
53    (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
54
55    ;; On-disk WebKit2 framework location, to account for debug installations
56    ;; outside of /System/Library/Frameworks
57    (subpath (param "WEBKIT2_FRAMEWORK_DIR")))
58
59;; Sandbox extensions
60(define (apply-read-and-issue-extension op path-filter)
61    (op file-read* path-filter)
62    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
63(define (apply-write-and-issue-extension op path-filter)
64    (op file-write* path-filter)
65    (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
66(define (read-only-and-issue-extensions path-filter)
67    (apply-read-and-issue-extension allow path-filter))
68(define (read-write-and-issue-extensions path-filter)
69    (apply-read-and-issue-extension allow path-filter)
70    (apply-write-and-issue-extension allow path-filter))
71(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
72(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
73
74#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
75(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))
76#else
77(allow file-read* file-write* (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/mds")))
78#endif
79
80(allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")))
81
82;; IOKit user clients
83(allow iokit-open
84    (iokit-user-client-class "RootDomainUserClient"))
85
86;; cookied.
87;; FIXME: Update for <rdar://problem/13642852>.
88(allow ipc-posix-shm-read-data
89    (ipc-posix-name "FNetwork.defaultStorageSession")
90    (ipc-posix-name-regex #"\.PrivateBrowsing-")
91    (ipc-posix-name-regex #"^Private WebKit Session-"))
92
93;; Various services required by CFNetwork and other frameworks
94(allow mach-lookup
95    (global-name "com.apple.FileCoordination")
96    (global-name "com.apple.PowerManagement.control")
97    (global-name "com.apple.SystemConfiguration.configd")
98    (global-name "com.apple.cookied")
99    (global-name "com.apple.cfnetwork.AuthBrokerAgent"))
100
101;; Security framework
102(allow mach-lookup
103       (global-name "com.apple.ocspd")
104       (global-name "com.apple.SecurityServer"))
105(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
106(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
107(allow file-read*
108       (subpath "/Library/Keychains")
109       (subpath "/private/var/db/mds")
110       (literal "/private/var/db/DetachedSignatures")
111       (literal "/Library/Preferences/com.apple.crypto.plist")
112       (literal "/Library/Preferences/com.apple.security.plist")
113       (literal "/Library/Preferences/com.apple.security.common.plist")
114       (literal "/Library/Preferences/com.apple.security.revocation.plist")
115       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
116       (home-literal "/Library/Preferences/com.apple.security.plist")
117       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
118(allow ipc-posix-shm-read* ipc-posix-shm-write-data
119       (ipc-posix-name "com.apple.AppleDatabaseChanged"))
120
121(system-network)
122(allow network-outbound
123    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
124    (literal "/private/var/run/mDNSResponder")
125    (remote tcp))
126
127;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
128(allow mach-lookup
129    (global-name "org.h5l.kcm")
130    (global-name "com.apple.GSSCred")
131    (global-name "com.apple.system.logger")
132    (global-name "com.apple.system.notification_center"))
133(allow network-outbound
134    (remote udp))
135(allow file-read*
136    (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
137    (home-subpath "/Library/Preferences/com.apple.GSS.plist")
138    (home-subpath "/Library/Preferences/edu.mit.Kerberos")
139    (literal "/Library/Preferences/com.apple.Kerberos.plist")
140    (literal "/Library/Preferences/com.apple.GSS.plist")
141    (literal "/Library/Preferences/edu.mit.Kerberos")
142    (literal "/private/etc/krb5.conf")
143    (literal "/private/etc/services")
144    (literal "/private/etc/host"))
145
146(if (defined? 'vnode-type)
147    (deny file-write-create (vnode-type SYMLINK)))
148
149;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
150(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))
151
152;; Reserve a namespace for additional protected extended attributes.
153#if __MAC_OS_X_VERSION_MIN_REQUIRED > 1090
154(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
155#else
156(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
157#endif
158
159(deny file-read* file-write* (with no-log)
160#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
161    (home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
162#endif
163    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
164    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
165    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
166