; Copyright (C) 2010, 2011, 2012, 2013, 2014 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS "AS IS"
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
;; Sandbox profile in SBPL (Scheme-like syntax). Everything is denied unless a rule below allows it.
;; The #if/#else/#endif lines are C-preprocessor conditionals keyed on __MAC_OS_X_VERSION_MIN_REQUIRED,
;; so the effective rule set differs per minimum OS version. Per-process values (HOME_DIR,
;; WEBKIT2_FRAMEWORK_DIR, DARWIN_USER_CACHE_DIR, DARWIN_USER_TEMP_DIR) are read with (param ...)
;; rather than hard-coded.
;; NOTE(review): the DARWIN_USER_CACHE_DIR/com.apple.WebProcess path and the WEBKIT2_FRAMEWORK_DIR
;; parameter suggest this is the WebKit2 WebProcess profile — confirm against the owning project.
;; NOTE(review): comments below assume the SBPL rule that a later matching rule overrides an earlier
;; one, which is why the deny rules sit after the broad allows — confirm for the target OS versions.

(version 1)
;; Default-deny: any operation without an explicit allow below is refused.
;; (partial-symbolication is presumably a reporting/logging modifier on denials — semantics not shown here.)
(deny default (with partial-symbolication))
;; Unfiltered: audit operations and metadata (stat-style) reads are allowed on any path.
(allow system-audit file-read-metadata)
#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
;; 10.7 only: unfiltered POSIX shared memory. Newer versions get the narrower ipc-posix-shm* rules further down.
(allow ipc-posix-shm)
#endif

(import "system.sb")

;; Utility functions for home directory relative path filters

;; Anchored regex filter for a path under the user's home directory. HOME_DIR is passed through
;; regex-quote so any regex metacharacters in the directory name are matched literally; only the
;; caller-supplied suffix is interpreted as a regex.
(define (home-regex home-relative-regex)
  (regex (string-append "^" (regex-quote (param "HOME_DIR")) home-relative-regex)))

;; Subpath filter (the directory and everything beneath it) rooted at HOME_DIR.
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME_DIR") home-relative-subpath)))

;; Exact-path filter rooted at HOME_DIR.
(define (home-literal home-relative-literal)
  (literal (string-append (param "HOME_DIR") home-relative-literal)))

;; Allow reads anywhere under `path` and allow the process to hand out read sandbox extensions for
;; that subtree. Does nothing when `path` is false (presumably the case when the parameter passed by
;; the caller is unset — confirm what (param ...) returns for a missing key).
(define (allow-read-directory-and-issue-read-extensions path)
  (if path
    (begin
      (allow file-read* (subpath path))
      (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))

#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
;; Low level networking. Defined in system.sb on newer OS versions.
;; (This file therefore only defines the function for the 10.7 build; the call site below is unconditional.)
(define (system-network)
  (allow file-read*
       (literal "/Library/Preferences/com.apple.networkd.plist"))
  (allow mach-lookup
       (global-name "com.apple.SystemConfiguration.PPPController")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
       (global-name "com.apple.networkd"))
  (allow network-outbound
       (control-name "com.apple.netsrc")
       (control-name "com.apple.network.statistics"))
  (allow system-socket
       (require-all (socket-domain AF_SYSTEM)
                    (socket-protocol 2)) ; SYSPROTO_CONTROL
       (socket-domain AF_ROUTE)))

;; Low level graphics. Defined in system.sb on newer OS versions.
(define (system-graphics)
  (allow mach-lookup (global-name "com.apple.cvmsServ"))
  (allow iokit-open
       (iokit-connection "IOAccelerator")
       (iokit-user-client-class "IOAccelerationUserClient")
       (iokit-user-client-class "IOSurfaceRootUserClient")
       (iokit-user-client-class "IOSurfaceSendRight")
       (iokit-user-client-class "IOFramebufferSharedUserClient")
       (iokit-user-client-class "AppleSNBFBUserClient")
       (iokit-user-client-class "AGPMClient")
       (iokit-user-client-class "AppleGraphicsControlClient")))
#endif

;; Read-only preferences and data
;; Read access (file-read* covers data and metadata reads) to fixed system locations and a
;; closed list of per-user preference files. Note that directory entries use subpath (whole tree)
;; while individual plists use literal/regex, so the per-user Preferences directory itself is not
;; opened up wholesale.
(allow file-read*
       ;; Basic system paths
       (subpath "/Library/Dictionaries")
       (subpath "/Library/Fonts")
       (subpath "/Library/Frameworks")
       (subpath "/Library/Managed Preferences")
       (subpath "/Library/Speech/Synthesizers")
       ;; Only these three /etc files, not the directory.
       (regex #"^/private/etc/(hosts|group|passwd)$")

       ;; System and user preferences
       (literal "/Library/Preferences/.GlobalPreferences.plist")
       (home-literal "/Library/Preferences/.GlobalPreferences.plist")
       (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
       (home-regex #"/Library/Preferences/ByHost/com\.apple\.HIToolbox\.")
       (home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")
       (home-literal "/Library/Preferences/com.apple.ATS.plist")
       (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")
       (home-literal "/Library/Preferences/com.apple.HIToolbox.plist")
       (home-literal "/Library/Preferences/com.apple.LaunchServices.plist")
       (home-literal "/Library/Preferences/com.apple.MultitouchSupport.plist") ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
       (home-literal "/Library/Preferences/com.apple.QTKit.plist")
       (home-literal "/Library/Preferences/com.apple.WebFoundation.plist")
       (home-literal "/Library/Preferences/com.apple.avfoundation.plist")
       (home-literal "/Library/Preferences/com.apple.coremedia.plist")
       (home-literal "/Library/Preferences/com.apple.speech.voice.prefs.plist")
       (home-regex #"/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$")
       (home-literal "/.CFUserTextEncoding")

       ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
       (home-subpath "/Library/Fonts")

       ;; FIXME: These should be removed when <rdar://problem/9217757> is fixed.
       (home-subpath "/Library/Audio/Plug-Ins/Components")
       (home-subpath "/Library/Preferences/QuickTime Preferences")
       (home-literal "/Library/Caches/com.apple.coreaudio.components.plist")
       (subpath "/Library/Audio/Plug-Ins/Components")
       (subpath "/Library/Audio/Plug-Ins/HAL")
       (subpath "/Library/Video/Plug-Ins")
       (subpath "/Library/QuickTime")

       (home-subpath "/Library/Dictionaries"))

;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
;; and to allow issuing extensions.
(allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))

;; Sandbox extensions
;; Helpers parameterised on the rule verb (`op` is allow or deny) so the same shape can be reused.
;; "read" extensions grant file-read* plus the right to re-issue read extensions for the same filter;
;; "read-write" extensions add file-write* plus the right to issue read-write extensions.
(define (apply-read-and-issue-extension op path-filter)
  (op file-read* path-filter)
  (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
(define (apply-write-and-issue-extension op path-filter)
  (op file-write* path-filter)
  (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
(define (read-only-and-issue-extensions path-filter)
  (apply-read-and-issue-extension allow path-filter))
(define (read-write-and-issue-extensions path-filter)
  (apply-read-and-issue-extension allow path-filter)
  (apply-write-and-issue-extension allow path-filter))
;; Paths reached through a granted extension of the matching class become readable / read-writable
;; and may be re-issued as extensions of the same class.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
(allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.

;; MediaAccessibility
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090
(allow file-read* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.plist"))
;; The "public" plist is the only preference file this profile lets the process write.
(allow file-read* file-write* (home-literal "/Library/Preferences/com.apple.mediaaccessibility.public.plist"))
#endif

;; Per-user cache directory: file* grants every file operation under it. The string-length guard
;; skips the rule when the parameter is empty, so an empty value cannot turn into an over-broad
;; subpath. On 10.7 only the "/mds" subdirectory is opened.
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
    (allow file* (subpath (param "DARWIN_USER_CACHE_DIR"))))
#else
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
    (allow file* (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/mds"))))
#endif

;; Per-user temp directory, same guard and same unrestricted file* grant.
(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
    (allow file* (subpath (param "DARWIN_USER_TEMP_DIR"))))

;; IOKit user clients
;; Closed list of IOKit user-client classes the process may open (graphics ones come from system-graphics).
(allow iokit-open
       (iokit-user-client-class "AppleUpstreamUserClient")
       (iokit-user-client-class "IOHIDParamUserClient")
       (iokit-user-client-class "RootDomainUserClient")
       (iokit-user-client-class "IOAudioControlUserClient")
       (iokit-user-client-class "IOAudioEngineUserClient"))

#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080

;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
;; Read-only access to the named shared-memory segments; the two regexes cover private-browsing sessions.
(allow ipc-posix-shm-read-data
       (ipc-posix-name "FNetwork.defaultStorageSession")
       (ipc-posix-name-regex #"\.PrivateBrowsing-")
       (ipc-posix-name-regex #"^Private WebKit Session-"))

;; ColorSync
;; FIXME: Remove names with underscores when possible (see <rdar://problem/13072721>).
;; ipc-posix-shm* is the full operation family (read and write) on exactly these names.
(allow ipc-posix-shm*
       (ipc-posix-name "_CS_GSHMEMLOCK")
       (ipc-posix-name "_CS_DSHMEMLOCK")
       (ipc-posix-name "_CSGRAYPROFILE")
       (ipc-posix-name "_CSRGBPROFILE")
       (ipc-posix-name "_CSGENGPROFILE")
       (ipc-posix-name "_CSGENRPROFILE")
       (ipc-posix-name "com.apple.ColorSync.Gen.lock")
       (ipc-posix-name "com.apple.ColorSync.Disp.lock")
       (ipc-posix-name "com.apple.ColorSync.Gray2.2")
       (ipc-posix-name "com.apple.ColorSync.sRGB")
       (ipc-posix-name "com.apple.ColorSync.GenGray")
       (ipc-posix-name "com.apple.ColorSync.GenRGB"))

;; Audio
;; Reads plus data writes (but not the rest of the write family) on AudioIO* segments.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name-regex #"^AudioIO"))

#endif

;; Various services required by AppKit and other frameworks
;; Closed list of Mach services the process may look up. Note that the closing paren is on its own
;; line so the 10.9-only entry can sit inside a preprocessor block.
(allow mach-lookup
       (global-name "com.apple.DiskArbitration.diskarbitrationd")
       (global-name "com.apple.FileCoordination")
       (global-name "com.apple.FontObjectsServer")
       (global-name "com.apple.FontServer")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.PPPController")
       (global-name "com.apple.audio.VDCAssistant")
       (global-name "com.apple.audio.audiohald")
       (global-name "com.apple.audio.coreaudiod")
       (global-name "com.apple.cookied")
       (global-name "com.apple.dock.server")
       (global-name "com.apple.system.opendirectoryd.api")
       (global-name "com.apple.tccd")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.window_proxies")
       (global-name "com.apple.windowserver.active")
       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.speech.speechsynthesisd")
       (global-name "com.apple.speech.synthesis.console")

#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090
       (global-name "com.apple.coreservices.launchservicesd")
#endif
)

;; Security framework
(allow mach-lookup
       (global-name "com.apple.ocspd")
       (global-name "com.apple.SecurityServer"))
;; NOTE(review): these two grant read AND write to the whole per-user Keychains tree and the system
;; mds directory; both are already tagged as temporary, so track the radars rather than letting them age.
(allow file-read* file-write* (home-subpath "/Library/Keychains")) ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
(allow file-read*
       (subpath "/Library/Keychains")
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures")
       (literal "/Library/Preferences/com.apple.crypto.plist")
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Preferences/com.apple.security.common.plist")
       (literal "/Library/Preferences/com.apple.security.revocation.plist")
       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
       (home-literal "/Library/Preferences/com.apple.security.plist")
       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))
#endif

;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
;; NOTE(review): the dots in the distributed_notifications regex are unescaped, so it matches slightly
;; more than the literal prefix (any character in those positions) — harmless as far as this file shows, but
;; the other regexes in this profile escape them.
(allow mach-lookup
       (global-name-regex #"^com.apple.distributed_notifications")
       (global-name "com.apple.CoreServices.coreservicesd"))
(allow file-read-data
       (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
(allow ipc-posix-shm
       (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>

;; Graphics
;; On 10.7 this is the local definition above; on newer versions it comes from system.sb.
(system-graphics)

;; Networking
;; Same split as system-graphics: local definition on 10.7, system.sb otherwise.
(system-network)
(allow network-outbound
       ;; Local mDNSResponder for DNS, arbitrary outbound TCP
       (literal "/private/var/run/mDNSResponder")
       (remote tcp))

;; Needed for NSAttributedString, <rdar://problem/10844321>.
(allow file-read*
       (home-literal "/Library/Preferences/pbs.plist")
       (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist"))
(allow mach-lookup
       (global-name "com.apple.pbs.fetch_services"))

;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
;; Kerberos/GSS support. Everything in this group is covered by the FIXME above.
(allow mach-lookup
       (global-name "org.h5l.kcm")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))
;; NOTE(review): (remote udp) carries no host or port filter, so together with (remote tcp) above the
;; process can reach any remote address over either protocol; the Kerberos rationale from the FIXME does
;; not narrow it. Worth revisiting when the radar is resolved.
(allow network-outbound
       (remote udp))
;; NOTE(review): the per-user Kerberos entries use home-subpath where the system-wide ones use literal;
;; for a plain file the two match the same path, but confirm subpath was intended.
;; NOTE(review): "/private/etc/host" (no trailing "s") — /private/etc/hosts is already readable through
;; the regex in the "Read-only preferences and data" rule; confirm whether this entry is a typo or a
;; deliberately separate path.
(allow file-read*
       (home-subpath "/Library/Preferences/com.apple.Kerberos.plist")
       (home-subpath "/Library/Preferences/com.apple.GSS.plist")
       (home-subpath "/Library/Preferences/edu.mit.Kerberos")
       (literal "/Library/Preferences/com.apple.Kerberos.plist")
       (literal "/Library/Preferences/com.apple.GSS.plist")
       (literal "/Library/Preferences/edu.mit.Kerberos")
       (literal "/private/etc/krb5.conf")
       (literal "/private/etc/services")
       (literal "/private/etc/host"))

;; Forbid creating symlinks wherever the vnode-type filter exists (older sandbox versions may lack it,
;; hence the defined? guard). Presumably so the process cannot plant links that redirect the path-based
;; rules above — confirm.
(if (defined? 'vnode-type)
    (deny file-write-create (vnode-type SYMLINK)))

;; FIXME: Should be removed once <rdar://problem/16329087> is fixed.
;; The process may not set or change the quarantine xattr on any file (denials are not logged).
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr #"^com\.apple\.security\.private\."))

;; Explicit, unlogged denials for paths that frameworks probe but the process does not need. Some of
;; these fall under directories allowed above, which is why they are stated as deny rules here.
(deny file-read* file-write* (with no-log)
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 1080
    (home-literal "/Library/Caches/Cache.db") ;; <rdar://problem/9422957>
#endif
#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1080
    (home-subpath "/Library/Caches/com.apple.WebProcess") ;; <rdar://problem/12656814>
#endif

#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
    (subpath (string-append (param "DARWIN_USER_CACHE_DIR") "/com.nvidia.OpenGL")) ;; <rdar://problem/13402976>
#endif

    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))

;; Deny access needed for unnecessary NSApplication initialization.
;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
(deny file-read* (with no-log)
    (home-literal "/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist")
    (subpath "/Library/InputManagers")
    (home-subpath "/Library/InputManagers")
#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
    (literal (string-append (param "DARWIN_USER_CACHE_DIR") "/com.apple.IntlDataCache.le"))
    (literal (string-append (param "DARWIN_USER_CACHE_DIR") "/com.apple.IntlDataCache.le.kbdx"))
#endif
)
;; Apple Events, the pasteboard and speech recognition are explicitly off limits.
(deny mach-lookup (with no-log)
    (global-name "com.apple.coreservices.appleevents")
    (global-name "com.apple.pasteboard.1")
    (global-name "com.apple.speech.recognitionserver"))
;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
(allow file-read*
    (subpath "/Library/Components")
    (subpath "/Library/Keyboard Layouts")
    (subpath "/Library/Input Methods")
    (home-subpath "/Library/Components")
    (home-subpath "/Library/Keyboard Layouts")
    (home-subpath "/Library/Input Methods"))

#if __MAC_OS_X_VERSION_MIN_REQUIRED == 1070
(deny mach-lookup (with no-log) (global-name "com.apple.tsm.uiserver")) ;; <rdar://problem/13902706>
#endif