; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS "AS IS"
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

;; Profile header. Everything that is not explicitly allowed by a later rule
;; is denied; the partial-symbolication modifier is attached to that default
;; deny (presumably it controls how violation reports are symbolicated).
(version 1)
(deny default (with partial-symbolication))
;; No path filter on this rule: metadata reads (attribute lookups) are
;; permitted on every path, so the existence and attributes of files the
;; process cannot read are still observable to it.
(allow system-audit file-read-metadata)

;; Shared base rules. On newer OS versions this also provides the
;; system-network definition that the #if block below supplies for 10.7.
(import "system.sb")

;; Helpers that build path filters relative to the user's home directory,
;; taken from the HOME_DIR parameter handed to this profile.
(define (home-regex home-relative-regex)
  ;; The home path is regex-quoted so its characters match literally, and the
  ;; combined pattern is anchored at the start of the path only; the caller's
  ;; suffix decides whether the end is anchored.
  (let ((quoted-home (regex-quote (param "HOME_DIR"))))
    (regex (string-append "^" quoted-home home-relative-regex))))

(define (home-subpath home-relative-subpath)
    ;; Directory-tree filter rooted inside the home directory. Unlike
    ;; home-regex no quoting is applied: the argument is joined verbatim.
    (let ((absolute-subpath (string-append (param "HOME_DIR") home-relative-subpath)))
        (subpath absolute-subpath)))

;; Exact-path filter for a single file or directory entry inside the home
;; directory; the argument is appended verbatim to HOME_DIR.
(define home-literal
    (lambda (home-relative-literal)
        (literal (string-append (param "HOME_DIR") home-relative-literal))))

#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
;; Low level networking. Defined in system.sb on newer OS versions, so this
;; local copy is only compiled for a 10.7 minimum deployment target. It is a
;; no-op until the (system-network) call further down invokes it.
(define (system-network)
  (allow file-read*
         (literal "/Library/Preferences/com.apple.networkd.plist"))
  (allow mach-lookup
         (global-name "com.apple.SystemConfiguration.PPPController")
         (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
         (global-name "com.apple.networkd"))
  ;; Kernel control sockets, selected by control name rather than by
  ;; destination (network source selection and statistics, judging by the names).
  (allow network-outbound
         (control-name "com.apple.netsrc")
         (control-name "com.apple.network.statistics"))
  ;; AF_SYSTEM sockets only with protocol 2 (SYSPROTO_CONTROL); routing
  ;; sockets (AF_ROUTE) with any protocol.
  (allow system-socket
         (require-all (socket-domain AF_SYSTEM)
                      (socket-protocol 2)) ; SYSPROTO_CONTROL
         (socket-domain AF_ROUTE)))
#endif

;; Read-only preferences and data
(allow file-read*
    ;; Basic system paths
    (subpath "/Library/Frameworks")
    (subpath "/Library/Managed Preferences")

    ;; System and user preferences
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    ;; Anchored at both ends, so only the networkConnect plist exactly one
    ;; directory level below Managed Preferences matches. NOTE(review): the
    ;; (subpath "/Library/Managed Preferences") entry above already covers this
    ;; whole tree, so this pattern adds nothing on its own.
    (regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")
    (home-literal "/Library/Preferences/.GlobalPreferences.plist")
    ;; home-regex anchors only at the start; these patterns end after the
    ;; trailing dot so that any suffix (presumably a per-host identifier) matches.
    (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
    (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
    (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
    (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")

    ;; On-disk WebKit2 framework location, to account for debug installations
    ;; outside of /System/Library/Frameworks
    ;; NOTE(review): the entire directory named by WEBKIT2_FRAMEWORK_DIR becomes
    ;; readable, so the launching side is responsible for what it passes here.
    (subpath (param "WEBKIT2_FRAMEWORK_DIR")))

;; Sandbox extensions
;; Applies `op` (allow or deny) to two operations on path-filter: plain reads,
;; and issuing extensions of the read class restricted to the same paths.
(define (apply-read-and-issue-extension op path-filter)
    (let ((issue-read-filter (require-all (extension-class "com.apple.app-sandbox.read")
                                          path-filter)))
        (op file-read* path-filter)
        (op file-issue-extension issue-read-filter)))
;; Write-side counterpart of apply-read-and-issue-extension: `op` is applied
;; to writes under path-filter and to issuing read-write class extensions for it.
(define (apply-write-and-issue-extension op path-filter)
    (let ((issue-write-filter (require-all (extension-class "com.apple.app-sandbox.read-write")
                                           path-filter)))
        (op file-write* path-filter)
        (op file-issue-extension issue-write-filter)))
;; Allow reads of, and issuing of read extensions for, the paths in path-filter.
(define read-only-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)))
;; Allow reads and writes of, and issuing of both extension classes for, the
;; paths in path-filter; a strict superset of read-only-and-issue-extensions.
(define (read-write-and-issue-extensions path-filter)
    (let ((rule allow))
        (apply-read-and-issue-extension rule path-filter)
        (apply-write-and-issue-extension rule path-filter)))
;; Paths covered by a consumed read extension become readable; paths covered
;; by a consumed read-write extension become readable and writable. In both
;; cases the process may also re-issue extensions of that class for the same paths.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Per-user cache directory: the whole tree is read/write on a 10.8+ target,
;; only its mds subdirectory on older targets.
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))
#else
(allow file-read* file-write* (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/mds")))
#endif

;; Per-user temporary directory, read/write in full.
(allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")))

;; IOKit user clients
;; Beyond whatever system.sb grants, RootDomainUserClient is the only user
;; client class this profile opens (power-management related, by name).
(allow iokit-open
    (iokit-user-client-class "RootDomainUserClient"))

;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
;; Read-only access to POSIX shared memory segments (presumably cookie storage
;; shared with cookied) selected by name.
(allow ipc-posix-shm-read-data
    (ipc-posix-name "FNetwork.defaultStorageSession")
    ;; NOTE(review): this pattern is unanchored, so any segment whose name
    ;; contains ".PrivateBrowsing-" matches, whereas the next entry is anchored
    ;; at the start; confirm the substring match is intended.
    (ipc-posix-name-regex #"\.PrivateBrowsing-")
    (ipc-posix-name-regex #"^Private WebKit Session-"))

;; Various services required by CFNetwork and other frameworks
;; (power management, configd, the cookie daemon and the HTTP auth broker,
;; going by the service names).
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.cookied")
    (global-name "com.apple.cfnetwork.AuthBrokerAgent"))

;; Security framework
;; Mach services used by Security.framework (the OCSP daemon and the security
;; server, by name).
(allow mach-lookup
       (global-name "com.apple.ocspd")
       (global-name "com.apple.SecurityServer"))
;; NOTE(review): the two rules below grant *write* access to the user's
;; keychain directory and to the system MDS database from the network
;; process; both are tracked as temporary by the radars cited.
(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
;; Read-only: system keychains, the MDS directory, detached signatures and the
;; system/user security preference files.
(allow file-read*
       (subpath "/Library/Keychains")
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures")
       (literal "/Library/Preferences/com.apple.crypto.plist")
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Preferences/com.apple.security.common.plist")
       (literal "/Library/Preferences/com.apple.security.revocation.plist")
       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
       (home-literal "/Library/Preferences/com.apple.security.plist")
       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
;; Shared-memory segment for database-change notifications (presumably MDS);
;; reads of all kinds plus data writes, but not segment creation.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Low-level networking rules: the local definition above on a 10.7 target,
;; the one from system.sb otherwise.
(system-network)
(allow network-outbound
    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
    ;; (remote tcp) carries no host or port restriction, as expected for the
    ;; process that performs all network I/O.
    (literal "/private/var/run/mDNSResponder")
    (remote tcp))

;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
;; Kerberos/GSS support (judging by the names): credential cache daemon,
;; system logger and notification center, unrestricted UDP, and the Kerberos
;; configuration files.
(allow mach-lookup
    (global-name "org.h5l.kcm")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.system.notification_center"))
;; NOTE(review): (remote udp) has no destination filter; together with the
;; (remote tcp) rule above the process may reach any host on any port.
(allow network-outbound
    (remote udp))
(allow file-read*
    ;; home-subpath is used for these three per-user files where home-literal
    ;; would be the narrower filter.
    (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
    (home-subpath "/Library/Preferences/com.apple.GSS.plist")
    (home-subpath "/Library/Preferences/edu.mit.Kerberos")
    (literal "/Library/Preferences/com.apple.Kerberos.plist")
    (literal "/Library/Preferences/com.apple.GSS.plist")
    (literal "/Library/Preferences/edu.mit.Kerberos")
    (literal "/private/etc/krb5.conf")
    (literal "/private/etc/services")
    ;; NOTE(review): "/private/etc/host" (no trailing "s") is not the usual
    ;; hosts file path; confirm it is intended and not a typo for /private/etc/hosts.
    (literal "/private/etc/host"))

;; Symlink creation is denied wherever the vnode-type filter exists; the
;; defined? guard presumably keeps the profile compiling on older sandbox
;; compilers that lack it, at the cost of not having this restriction there.
(if (defined? 'vnode-type)
    (deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
;; Writes to the quarantine extended attribute are denied without generating
;; a violation report (no-log).
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
;; Neither reads nor writes of any xattr under this prefix are permitted;
;; the pattern is anchored at the start only, so every name below it matches.
(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))

;; Per-user files this process must not touch; denials are not reported
;; (no-log). Being later in the profile, these override the earlier allows.
(deny file-read* file-write* (with no-log)
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
    (home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
#endif
    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
    ;; LaunchServices quarantine-event database and (presumably) its journal file.
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))
