; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
(version 1)
;; Default-deny; everything below is an explicit carve-out. Later rules take
;; precedence over earlier ones, so the deny rules at the end of the profile
;; must stay after the allow rules.
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)

(import "system.sb")

;; Filters rooted at the sandboxed user's home directory. HOME_DIR is a
;; profile parameter handed in by the process that applies this profile.
(define (home-regex rel-regex)
  ;; Anchor at the start of the path and escape HOME_DIR so that regex
  ;; metacharacters in the home directory name cannot widen the match.
  (regex (string-append "^" (regex-quote (param "HOME_DIR")) rel-regex)))

(define (home-subpath rel-subpath)
  (subpath (string-append (param "HOME_DIR") rel-subpath)))

(define (home-literal rel-literal)
  (literal (string-append (param "HOME_DIR") rel-literal)))

;; Read-only preferences and data.
(allow file-read*
  ;; Basic system paths.
  (subpath "/Library/Frameworks")
  (subpath "/Library/Managed Preferences")

  ;; System-wide and per-user preferences.
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
  (home-literal "/Library/Preferences/.GlobalPreferences.plist")
  (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
  (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
  ;; ByHost preferences are matched by prefix only (no trailing anchor).
  (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
  (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")

  ;; Where the WebKit2 framework actually lives; covers debug builds installed
  ;; outside /System/Library/Frameworks.
  (subpath (param "WEBKIT2_FRAMEWORK_DIR")))

;; Sandbox extensions. Each helper grants the file operation itself together
;; with the right to issue an extension of the matching class for the same
;; paths; the `op` argument is the rule keyword (allow) to apply.
(define (apply-read-and-issue-extension op path-filter)
  (op file-read* path-filter)
  (op file-issue-extension
    (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))

(define (apply-write-and-issue-extension op path-filter)
  (op file-write* path-filter)
  (op file-issue-extension
    (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))

(define (read-only-and-issue-extensions path-filter)
  (apply-read-and-issue-extension allow path-filter))

(define (read-write-and-issue-extensions path-filter)
  ;; Read-write implies read: reuse the read-only rule, then add the write half.
  (read-only-and-issue-extensions path-filter)
  (apply-write-and-issue-extension allow path-filter))

;; Paths covered by an app-sandbox extension this process has accepted.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Per-user cache directory. Deployment targets before 10.8 get only the mds
;; subdirectory.
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))
#else
(allow file-read* file-write* (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/mds")))
#endif

;; Per-user temporary directory.
(allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")))

;; IOKit user clients.
(allow iokit-open
  (iokit-user-client-class "RootDomainUserClient"))

;; cookied shared memory segments.
;; FIXME: Update for <rdar://problem/13642852>.
(allow ipc-posix-shm-read-data
  (ipc-posix-name "FNetwork.defaultStorageSession")
  (ipc-posix-name-regex #"\.PrivateBrowsing-")
  (ipc-posix-name-regex #"^Private WebKit Session-"))

;; Mach services required by CFNetwork, other frameworks and the Security
;; framework.
(allow mach-lookup
  (global-name "com.apple.FileCoordination")
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.cookied")
  (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  ;; Security framework.
  (global-name "com.apple.ocspd")
  (global-name "com.apple.SecurityServer"))

;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
(allow file-read* file-write* (home-subpath "/Library/Keychains"))
;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
(allow file-read* file-write* (subpath "/private/var/db/mds/system"))
;; Security framework data: keychains, the mds database and security
;; preferences, read-only.
(allow file-read*
  (literal "/private/var/db/DetachedSignatures")
  (literal "/Library/Preferences/com.apple.crypto.plist")
  (literal "/Library/Preferences/com.apple.security.plist")
  (literal "/Library/Preferences/com.apple.security.common.plist")
  (literal "/Library/Preferences/com.apple.security.revocation.plist")
  (subpath "/Library/Keychains")
  (subpath "/private/var/db/mds")
  (home-literal "/Library/Preferences/com.apple.security.plist")
  (home-literal "/Library/Preferences/com.apple.security.revocation.plist")
  (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain"))
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
  (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Networking. This is the network process, so outbound TCP and UDP to any
;; remote host are permitted; DNS goes through the local mDNSResponder socket.
(system-network)
(allow network-outbound
  (literal "/private/var/run/mDNSResponder")
  (remote tcp))
(allow network-outbound
  (remote udp))

;; Kerberos / GSS.
;; FIXME: should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
(allow mach-lookup
  (global-name "org.h5l.kcm")
  (global-name "com.apple.GSSCred")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center"))
(allow file-read*
  (literal "/Library/Preferences/com.apple.Kerberos.plist")
  (literal "/Library/Preferences/com.apple.GSS.plist")
  (literal "/Library/Preferences/edu.mit.Kerberos")
  (literal "/private/etc/krb5.conf")
  (literal "/private/etc/services")
  ;; NOTE(review): "/private/etc/host" (singular) may be a typo for
  ;; "/private/etc/hosts" — confirm before changing it.
  (literal "/private/etc/host")
  ;; NOTE(review): these per-user entries use home-subpath (prefix match) on
  ;; plain file names; home-literal would pin each to the exact file.
  (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
  (home-subpath "/Library/Preferences/com.apple.GSS.plist")
  (home-subpath "/Library/Preferences/edu.mit.Kerberos"))

;; Refuse symlink creation wherever the sandbox offers the vnode-type filter.
(if (defined? 'vnode-type)
  (deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
;; Silently refuse to set the quarantine attribute.
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
;; NOTE(review): only the first branch uses xattr-regex; the fallback hands the
;; same pattern to the plain xattr filter — confirm it matches as intended there.
#if __MAC_OS_X_VERSION_MIN_REQUIRED > 1090
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
#else
(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))
#endif

;; Per-user files this process must not touch, denied without logging.
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
;; <rdar://problem/9422957>
(deny file-read* file-write* (with no-log)
  (home-literal "/Library/Caches/Cache.db"))
#endif

;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
(deny file-read* file-write* (with no-log)
  (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
  (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))