Changeset 254209 in webkit


Timestamp:
Jan 8, 2020 11:36:34 AM (4 years ago)
Author:
Brent Fulgham
Message:

Network process sandboxes should not include 'common.sb' or 'system.sb'
https://bugs.webkit.org/show_bug.cgi?id=205521
<rdar://problem/58095870>

Reviewed by Per Arne Vollan.

This patch replaces the 'include' with a copy/paste of the contents of the relevant
sandbox include file. I removed definitions that were not referenced in the existing
Network sandbox, but did not otherwise edit the contents. There are duplicates and
redundancies after this patch, which I will remove as a follow-up step once we confirm
that this has no regressions.

I also updated the sandbox to generate telemetry for some mach connections that we think
are unneeded, or that should be targeted for removal.

No new tests. There should be no change in behavior.

  • NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
  • Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
Location:
trunk/Source/WebKit
Files:
3 edited

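--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,24 @@
+2020-01-08  Brent Fulgham  <bfulgham@apple.com>
+
+        Network process sandboxes should not include 'common.sb' or 'system.sb'
+        https://bugs.webkit.org/show_bug.cgi?id=205521
+        <rdar://problem/58095870>
+
+        Reviewed by Per Arne Vollan.
+
+        This patch replaces the 'include' with a copy/paste of the contents of the relevant
+        sandbox include file. I removed definitions that were not referenced in the existing
+        Network sandbox, but did not otherwise edit the contents. There are duplicates and
+        redundancies after this patch, which I will remove as a follow-up step once we confirm
+        that this has no regressions.
+
+        I also updated the sandbox to generate telemetry for some mach connections that we think
+        are unneeded, or that should be targeted for removal.
+
+        No new tests. There should be no change in behavior.
+
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
 2020-01-08  David Kilzer  <ddkilzer@apple.com>
 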
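--- a/trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
+++ b/trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
@@ -26,5 +26,142 @@
 (allow system-audit file-read-metadata)
 
+#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+
+(allow mach-register (local-name-prefix ""))
+
+(allow mach-lookup (xpc-service-name-prefix ""))
+
+(allow system-automount
+       (process-attribute is-platform-binary))
+
+(allow file-map-executable
+       (subpath "/Library/Apple/System/Library/Frameworks")
+       (subpath "/Library/Apple/System/Library/PrivateFrameworks")
+       (subpath "/System/Library/Frameworks")
+       (subpath "/System/Library/PrivateFrameworks")
+       (subpath "/usr/lib")
+       (literal "/usr/local/lib/sanitizers"))
+
+(allow file-read-metadata
+       (literal "/etc")
+       (literal "/tmp")
+       (literal "/var")
+       (literal "/private/etc/localtime"))
+
+(allow file-read-metadata (path-ancestors "/System/Volumes/Data/private"))
+
+(allow file-read* (literal "/"))
+
+(allow file-read*
+       (subpath "/Library/Apple/System")
+       (subpath "/Library/Filesystems/NetFSPlugins")
+       (subpath "/Library/Preferences/Logging")      ; Logging Rethink
+       (subpath "/System")
+       (subpath "/private/var/db/dyld")
+       (subpath "/private/var/db/timezone")
+       (subpath "/usr/lib")
+       (subpath "/usr/share"))
+
+(allow file-read*
+       (literal "/dev/autofs_nowait")
+       (literal "/dev/random")
+       (literal "/dev/urandom")
+       (literal "/private/etc/master.passwd")
+       (literal "/private/etc/passwd")
+       (literal "/private/etc/protocols")
+       (literal "/private/etc/services"))
+
+(allow file-read*
+       file-write-data
+       (literal "/dev/null")
+       (literal "/dev/zero"))
+
+(allow file-read*
+       file-write-data
+       file-ioctl
+       (literal "/dev/dtracehelper"))
+
+(allow file-read*
+       (literal "/usr/local/lib/sanitizers"))
+
+(allow file-write-create
+       (require-all (prefix "/cores/")
+                    (vnode-type REGULAR-FILE)))
+
+(allow file-read*
+       (require-all (subpath "/AppleInternal/Library/Preferences/Logging")
+                    (system-attribute apple-internal)))
+
+(allow file-read* file-map-executable
+       (require-all (subpath "/usr/local/lib/log")
+                    (system-attribute apple-internal)))
+
+(allow network-outbound
+       (literal "/private/var/run/syslog"))
+
+(allow ipc-posix-shm-read*
+       (ipc-posix-name "apple.shm.notification_center")
+       (ipc-posix-name-prefix "apple.cfprefs."))
+
+(allow mach-lookup (with report) (with telemetry)
+       (global-name "com.apple.analyticsd")
+       (global-name "com.apple.analyticsd.messagetracer")
+       (global-name "com.apple.appsleep")
+       (global-name "com.apple.bsd.dirhelper")
+       (global-name "com.apple.cfprefsd.agent")
+       (global-name "com.apple.cfprefsd.daemon")
+       (global-name "com.apple.diagnosticd")
+       (global-name "com.apple.espd")
+       (global-name "com.apple.logd")
+       (global-name "com.apple.logd.events")
+       (global-name "com.apple.secinitd")
+       (global-name "com.apple.system.DirectoryService.libinfo_v1")
+       (global-name "com.apple.system.logger")
+       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.system.opendirectoryd.libinfo")
+       (global-name "com.apple.system.opendirectoryd.membership")
+       (global-name "com.apple.trustd")
+       (global-name "com.apple.trustd.agent")
+       (global-name "com.apple.xpc.activity.unmanaged")
+       (local-name "com.apple.cfprefsd.agent"))
+
+(with-filter (system-attribute apple-internal)
+    (allow mach-lookup (global-name "com.apple.internal.objc_trace")))
+
+(define (system-network)
+    (allow file-read*
+         (literal "/Library/Preferences/com.apple.networkd.plist")
+         (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
+    (allow mach-lookup
+         (global-name "com.apple.SystemConfiguration.PPPController")
+         (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+         (global-name "com.apple.nehelper")
+         (global-name "com.apple.nesessionmanager")
+         (global-name "com.apple.networkd")
+         (global-name "com.apple.nsurlstorage-cache")
+         (global-name "com.apple.symptomsd")
+         (global-name "com.apple.usymptomsd"))
+    (allow network-outbound
+         (control-name "com.apple.netsrc")
+         (control-name "com.apple.network.statistics"))
+    (allow system-socket
+         (require-all (socket-domain AF_SYSTEM)
+                      (socket-protocol 2)) ; SYSPROTO_CONTROL
+         (socket-domain AF_ROUTE))
+    (allow mach-lookup
+         (global-name "com.apple.AppSSO.service-xpc"))
+    (allow ipc-posix-shm-read-data
+         (ipc-posix-name "/com.apple.AppSSO.version")))
+
+;;;
+;;; End rules originally copied from 'system.sb'
+;;;
+#else
 (import "system.sb")
+#endif
 
 ;;; process-info* defaults to allow; deny it and then allow operations we actually need.
@@ -39,6 +176,9 @@
         "hw.ncpu"
         "hw.model"
+        "kern.maxfilesperproc"
         "kern.memorystatus_level"
-        "vm.footprint_suspend"))
+        "vm.footprint_suspend")
+    (sysctl-name-regex #"^net.routetable")
+)
 
 (deny iokit-get-properties)
@@ -134,8 +274,6 @@
 ;; IOKit user clients
 (allow iokit-open
-#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500
-    (with report) (with telemetry)
-#endif
-    (iokit-user-client-class "RootDomainUserClient"))
+    (iokit-user-client-class "RootDomainUserClient") ; Used by PowerObserver
+)
 
 ;; cookied.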
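Review bot: The banner at new lines 30–31 of the first hunk says the duplicated rules came from 'common.sb', but in this macOS profile they stand in for `(import "system.sb")` (now kept only in the `#else` branch) and the closing banner at new line 161 says 'system.sb'; the opening line should read `;;; The following rules were originally contained in 'system.sb'. We are duplicating them here so we can`. The `(sysctl-name-regex #"^net.routetable")` added by the second hunk (new line 181) has an unescaped `.` and no end anchor, so it admits more than the net.routetable subtree; the iOS profile already expresses the same rule as `(sysctl-name-prefix "net.routetable.")`, which is tighter and needs no regex. That sysctl-read form begins above the hunk, so the rest of its name list is not visible here. The last hunk drops `(with report) (with telemetry)` from the RootDomainUserClient iokit-open rule, a reporting change the ChangeLog's "no change in behavior" does not mention and that deserves a sentence there.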
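--- a/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
+++ b/trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
@@ -26,5 +26,527 @@
 (allow system-audit file-read-metadata)
 
-(import "common.sb")
+;;;
+;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
+;;; remove unneeded sandbox extensions.
+;;;
+
+(import "util.sb")
+
+(define-once (allow-read-and-issue-generic-extensions . filters)
+    (allow file-read*
+           (apply require-any filters))
+    (allow file-issue-extension
+        (require-all
+            ;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension().
+            (extension-class "com.apple.app-sandbox.read")
+            (apply require-any filters))))
+
+(define-once (allow-read-write-and-issue-generic-extensions . filters)
+    (allow file-read* file-write*
+           (apply require-any filters))
+    (allow file-read-metadata
+           (apply require-any filters))
+    (allow file-issue-extension
+        (require-all
+            (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
+            (apply require-any filters))))
+
+(define-once (allow-network-common)
+    ;; <rdar://problem/8645367>
+    (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
+    (allow network-outbound
+           (control-name "com.apple.network.statistics")
+           (control-name "com.apple.netsrc"))
+
+    (allow sysctl-read
+           (sysctl-name "kern.ipc.maxsockbuf")
+           (sysctl-name "kern.nisdomainname")
+           (sysctl-name-prefix "net.routetable.")
+           (sysctl-name "net.statistics"))
+
+    ;; <rdar://problem/10642881>
+    (allow file-read*
+           (literal "/private/var/preferences/com.apple.networkd.plist"))
+
+    ;; <rdar://problem/27580907>
+    (allow file-read*
+           (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
+
+    ;; <rdar://problem/13679154>
+    (allow file-read*
+           (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
+
+    ;; <rdar://problem/15711661>
+    (allow mach-lookup
+           (global-name "com.apple.nesessionmanager"))
+
+    ;; <rdar://problem/7693463>
+    (allow system-socket (socket-domain AF_ROUTE))
+
+    (if gizmo?
+        (with-filter
+            (require-any
+                (require-entitlement "com.apple.security.network.client")
+                (require-entitlement "com.apple.security.network.server"))
+            (allow network-outbound (literal "/private/var/run/mDNSResponder")))
+        (allow network-outbound (literal "/private/var/run/mDNSResponder")))
+
+    ;; <rdar://problem/10962803>
+    ;; <rdar://problem/13238730>
+    (allow mach-lookup
+           (global-name "com.apple.SystemConfiguration.configd")
+           (global-name "com.apple.SystemConfiguration.helper")
+           (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+           (global-name "com.apple.SystemConfiguration.DNSConfiguration")
+           (global-name "com.apple.SystemConfiguration.PPPController")
+           (global-name "com.apple.SystemConfiguration.NetworkInformation"))
+
+    ;; <rdar://problem/11792470>
+    ;; <rdar://problem/13305819>
+    (allow mach-lookup
+           (global-name "com.apple.commcenter.xpc")
+           (global-name "com.apple.commcenter.cupolicy.xpc"))
+
+    (allow mach-lookup
+           (global-name "com.apple.securityd")
+           (global-name "com.apple.trustd"))
+    (allow file-read*
+           (literal "/private/var/preferences/com.apple.security.plist"))
+
+    ;; <rdar://problem/13301795>
+    (allow mach-lookup
+           (global-name "com.apple.usymptomsd")
+           (global-name "com.apple.symptomsd")
+           (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
+
+    (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
+           (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist")))
+
+    (with-filter (apple-signed-executable?)
+        (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist")))
+
+    (allow mach-lookup
+           (global-name "com.apple.AppSSO.service-xpc"))
+    (allow ipc-posix-shm-read-data
+           (ipc-posix-name "/com.apple.AppSSO.version"))
+
+    ;; <rdar://problem/30452093>
+    (multipath-tcp))
+
+(define-once (network-client . filters)
+    (allow-network-common)
+
+    ;; <rdar://problem/9193431>
+    (allow mach-lookup
+           (global-name "com.apple.networkd"))
+
+    ;; <rdar://problem/20094008>
+    ;; <rdar://problem/24689958>
+    (with-filter (require-any
+                   (require-entitlement "com.apple.networkd.advisory_socket")
+                   (require-entitlement "com.apple.networkd.disable_opportunistic")
+                   (require-entitlement "com.apple.networkd.modify_settings")
+                   (require-entitlement "com.apple.networkd.persistent_interface")
+                   (require-entitlement "com.apple.networkd_privileged"))
+        (allow mach-lookup
+               (global-name "com.apple.networkd_privileged")))
+
+    ;; <rdar://problem/20201593>
+    (with-filter (require-any
+                   (apple-signed-executable?)
+                   (require-entitlement "com.apple.authkit.client")
+                   (require-entitlement "com.apple.authkit.client.private")
+                   (require-entitlement "com.apple.authkit.client.internal"))
+        (allow mach-lookup
+               (global-name "com.apple.ak.anisette.xpc")
+               (global-name "com.apple.ak.auth.xpc")))
+
+    ;; <rdar://problem/15897781>
+    (allow mach-lookup
+           (global-name "com.apple.nsurlsessiond"))
+    (allow file-issue-extension
+        (require-all
+            (executable-bundle)
+            (extension-class "com.apple.nsurlsessiond.readonly")))
+
+    ;; <rdar://problem/20617514>
+    (when gizmo?
+        (allow mach-lookup
+            (global-name "com.apple.nsurlsessiond.NSURLSessionProxyService")
+            (global-name "com.apple.sharingd.NSURLSessionProxyService")))
+
+    ;; <rdar://problem/15608009>
+    (allow mach-lookup
+           (global-name "com.apple.nsurlstorage-cache"))
+
+    ;; <rdar://problem/10423007>
+    (allow mach-lookup
+           (global-name "com.apple.cfnetwork.AuthBrokerAgent")
+           (global-name "com.apple.cfnetwork.cfnetworkagent"))
+
+    ;; <rdar://problem/12620714>
+    (deny file-write-create (with no-report)
+          (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
+
+    (allow mach-lookup
+           (global-name "com.apple.cookied"))
+
+    ;; <rdar://problem/17910466>
+    (allow mach-lookup
+           (global-name "com.apple.accountsd.accountmanager"))
+
+    ;; GSS-API
+    (allow mach-lookup
+           (global-name "com.apple.GSSCred"))
+
+    ;; <rdar://problem/17853959>
+    (mobile-keybag-access)
+
+    (allow mach-lookup
+           (global-name "com.apple.nehelper"))
+
+    (allow-well-known-system-group-container-literal-read
+           "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
+
+    ;; <rdar://problem/33277999>
+    (mobile-preferences-read "com.apple.CFNetwork")
+
+    (if (null? filters)
+        (allow network-outbound)
+    ; else
+        (allow network-outbound (apply require-any filters))))
+
+(define-once (multipath-tcp)
+    (allow system-socket (socket-domain 39)))
+
+(define-once (managed-configuration-read-public)
+    (allow file-read*
+           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
+           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
+    (allow mach-lookup
+           (global-name "com.apple.managedconfiguration.profiled.public")))
+
+(define-once (allow-preferences-common)
+    (allow file-read-metadata
+           (home-literal "")
+           (home-literal "/Library/Preferences")))
+
+(define-once (mobile-preferences-read . domains)
+    (allow-preferences-common)
+    (allow user-preference-read (apply preference-domain domains)))
+
+(define-once (mobile-keybag-access)
+     (allow iokit-open (with report) (with telemetry)
+            (iokit-user-client-class "AppleKeyStoreUserClient")))
+
+(define-once (debugging-support)
+        ;; <rdar://problem/8379706>
+        ;; <rdar://problem/12868101>
+        ;; <rdar://problem/22766887>
+        ;; <rdar://problem/22880365>
+        (allow file-read* file-map-executable
+               (subpath "/Developer"))
+
+        ;; <rdar://problem/7674121>
+        ;; <rdar://problem/9151290>
+        (allow ipc-posix-shm
+               (ipc-posix-name-regex #"^stack-logs")
+               (ipc-posix-name-regex #"^OA-")
+               (ipc-posix-name-regex #"^/FSM-"))
+
+        (with-filter (system-attribute apple-internal)
+            ;; <rdar://problem/8565035>
+            ;; <rdar://problem/23857452>
+            (allow file-read* file-map-executable
+                   (subpath "/AppleInternal")
+                   (subpath "/usr/local/lib")))
+            (with-elevated-precedence
+                (allow file-read* file-map-executable file-issue-extension
+                   (front-user-home-subpath "/XcodeBuiltProducts")))
+
+        ;; <rdar://problem/8107758>
+        (allow file-read* file-map-executable
+               (subpath "/System/Library/Frameworks")
+               (subpath "/System/Library/PrivateFrameworks"))
+
+        ;; <rdar://problem/11455762>
+        (allow mach-lookup
+               (global-name "com.apple.hangtracerd"))
+        ;; <rdar://problem/32544921>
+        (mobile-preferences-read "com.apple.hangtracer")
+
+        ;; <rdar://problem/9090627>
+        (with-filter (apple-signed-executable?)
+          (allow mach-lookup
+                 (global-name "com.apple.ReportCrash.SimulateCrash"))))
+
+(define-once (logd-diagnostic-paths)
+    (require-any
+        (subpath "/private/var/db/diagnostics")
+        (subpath "/private/var/db/timesync")
+        (subpath "/private/var/db/uuidtext")
+        (subpath "/private/var/userdata/diagnostics")))
+(define-once (logd-diagnostic-client)
+    (with-filter
+        (require-all
+            (require-any
+                (require-entitlement "com.apple.private.logging.diagnostic")
+                (require-entitlement "com.apple.diagnosticd.diagnostic"))
+            (extension "com.apple.logd.read-only"))
+        (allow file-read*
+               (logd-diagnostic-paths))))
+
+(define required-etc-files
+  (literal "/private/etc/fstab"
+           "/private/etc/hosts"
+           "/private/etc/group"
+           "/private/etc/passwd"
+           "/private/etc/protocols"
+           "/private/etc/services"))
+
+(define-once (allow-multi-instance-xpc-services)
+    ;; <rdar://problem/46716068>
+    (allow mach-lookup
+           (with telemetry)
+           (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
+           (xpc-service-name "com.apple.WebKit.Networking"
+                             "com.apple.WebKit.WebContent")
+))
+
+(allow sysctl-read
+   (sysctl-name "kern.bootsessionuuid"))
+
+(deny file-map-executable)
+(deny file-write-mount file-write-unmount)
+(allow file-read-metadata
+    (vnode-type DIRECTORY))
+
+(mobile-preferences-read "com.apple.security")
+
+(with-elevated-precedence
+    ;; System files.
+    (allow file-read*
+        (subpath "/usr/lib"
+                 "/usr/share"
+                 "/private/var/db/timezone"))
+    (allow-read-and-issue-generic-extensions
+         (subpath "/Library/RegionFeatures"
+                  "/System/Library"))
+   
+    (allow file-map-executable
+        (subpath "/System/Library")
+        (subpath "/usr/lib"))
+
+    (allow file-read-metadata
+        (vnode-type SYMLINK))
+
+    (allow file-read*
+        (subpath "/private/var/preferences/Logging"))
+
+    (mobile-preferences-read "kCFPreferencesAnyApplication")
+    (allow file-read*
+        (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
+
+    (allow file-read*
+           (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
+    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
+
+    (allow file-read-metadata
+        (home-literal "/Library/Caches/powerlog.launchd"))
+
+    (allow-read-and-issue-generic-extensions (executable-bundle))
+    (allow file-map-executable (executable-bundle))
+
+    (deny file-read-data file-issue-extension file-map-executable
+        (require-all
+            (executable-bundle)
+            (regex #"/[^/]+/SC_Info/")))
+
+    (with-filter (global-name-prefix "")
+        (allow mach-lookup
+               (extension "com.apple.security.exception.mach-lookup.global-name"))
+        (allow mach-register
+               (extension "com.apple.security.exception.mach-register.global-name")))
+    (with-filter (local-name-prefix "")
+        (allow mach-lookup
+               (extension "com.apple.security.exception.mach-lookup.local-name"))
+        (allow mach-register
+               (extension "com.apple.security.exception.mach-register.local-name")))
+    (allow-read-and-issue-generic-extensions
+           (extension "com.apple.security.exception.files.absolute-path.read-only")
+           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
+    (allow-read-write-and-issue-generic-extensions
+           (extension "com.apple.security.exception.files.absolute-path.read-write")
+           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
+    (allow iokit-open
+           (extension "com.apple.security.exception.iokit-user-client-class"))
+    (allow managed-preference-read
+           (extension "com.apple.security.exception.managed-preference.read-only"))
+    (allow user-preference-read
+           (extension "com.apple.security.exception.shared-preference.read-only"))
+    (allow user-preference-read user-preference-write
+           (extension "com.apple.security.exception.shared-preference.read-write"))
+    (allow sysctl-read
+           (extension "com.apple.security.exception.sysctl.read-only"))
+    (allow sysctl-read sysctl-write
+           (extension "com.apple.security.exception.sysctl.read-write"))
+
+    (allow file-issue-extension
+          (require-all
+              (extension-class "com.apple.nsurlstorage.extension-cache")
+              (extension "com.apple.security.exception.files.home-relative-path.read-write")
+              (require-any
+                  (prefix "/private/var/root/Library/Caches/")
+                  (front-user-home-prefix "/Library/Caches/"))))
+
+    (with-filter (require-entitlement "com.apple.security.exception.process-info")
+        (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature)
+        (allow sysctl-read
+               (sysctl-name-prefix "kern.proc.")
+               (sysctl-name-prefix "kern.procargs2."))))
+
+(debugging-support)
+
+(allow file-read*
+    required-etc-files
+    (literal "/"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.logd")
+    (global-name "com.apple.logd.events"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.cfprefsd.daemon")
+    (global-name "com.apple.cfprefsd.agent")
+    (local-name "com.apple.cfprefsd.agent"))
+(allow ipc-posix-shm-read*
+    (ipc-posix-name-prefix "apple.cfprefs."))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.runningboard"))
+
+(allow-multi-instance-xpc-services)
+
+(allow system-sched
+    (require-entitlement "com.apple.private.kernel.override-cpumon"))
+
+(allow sysctl-read (with report) (with telemetry)
+    (sysctl-name "hw.activecpu")
+    (sysctl-name "hw.busfrequency")
+    (sysctl-name "hw.busfrequency_compat")
+    (sysctl-name "hw.byteorder")
+    (sysctl-name "hw.cachelinesize")
+    (sysctl-name "hw.cachelinesize_compat")
+    (sysctl-name "hw.cpu64bit_capable")
+    (sysctl-name "hw.cpufamily")
+    (sysctl-name "hw.cpufrequency")
+    (sysctl-name "hw.cpufrequency_compat")
+    (sysctl-name "hw.cpufrequency_max")
+    (sysctl-name "hw.cpusubtype")
+    (sysctl-name "hw.cputype")
+    (sysctl-name "hw.l1dcachesize")
+    (sysctl-name "hw.l1dcachesize_compat")
+    (sysctl-name "hw.l1icachesize")
+    (sysctl-name "hw.l1icachesize_compat")
+    (sysctl-name "hw.l2cachesize")
+    (sysctl-name "hw.l2cachesize_compat")
+    (sysctl-name "hw.l2settings")
+    (sysctl-name "hw.l3cachesize")
+    (sysctl-name "hw.l3cachesize_compat")
+    (sysctl-name "hw.l3settings")
+    (sysctl-name "hw.logicalcpu")
+    (sysctl-name "hw.logicalcpu_max")
+    (sysctl-name "hw.machine")
+    (sysctl-name "hw.memsize")
+    (sysctl-name "hw.pagesize")
+    (sysctl-name "hw.pagesize_compat")
+    (sysctl-name "hw.physicalcpu")
+    (sysctl-name "hw.physicalcpu_max")
+    (sysctl-name "hw.physmem")
+    (sysctl-name "hw.tbfrequency")
+    (sysctl-name "hw.tbfrequency_compat")
+    (sysctl-name "hw.usermem")
+    (sysctl-name "hw.vectorunit")
+    (sysctl-name "kern.bootargs")
+    (sysctl-name "kern.boottime")
+    (sysctl-name "kern.clockrate")
+    (sysctl-name "kern.development")
+    (sysctl-name "kern.hostid")
+    (sysctl-name "kern.hostname")
+    (sysctl-name "kern.maxproc")
+    (sysctl-name "kern.maxvnodes")
+    (sysctl-name-prefix "kern.monotonicclock")
+    (sysctl-name "kern.monotoniclock_offset_usecs")
+    (sysctl-name "kern.ngroups")
+    (sysctl-name "kern.osproductversion")
+    (sysctl-name "kern.osrelease")
+    (sysctl-name "kern.ostype")
+    (sysctl-name "kern.osvariant_status")
+    (sysctl-name "kern.osversion")
+    (sysctl-name "kern.saved_ids")
+    (sysctl-name "kern.secure_kernel")
+    (sysctl-name "kern.usrstack")
+    (sysctl-name "kern.usrstack64")
+    (sysctl-name "kern.version")
+    (sysctl-name "kern.waketime")
+    (sysctl-name "security.mac.sandbox.sentinel")
+    (sysctl-name "sysctl.name2oid")
+    (sysctl-name "vm.loadavg")
+    (sysctl-name-prefix "kern.argmax")
+    (sysctl-name-prefix "kern.proc.pid.")
+)
+
+(with-filter (system-attribute apple-internal)
+    (allow sysctl-read
+           (sysctl-name "kern.dtrace.dof_mode"))
+    (allow sysctl-read sysctl-write
+           (sysctl-name "vm.footprint_suspend")))
+
+(allow mach-lookup (with report) (with telemetry)
+       (global-name "com.apple.system.logger"))
+(allow file-read-metadata network-outbound  (with report) (with telemetry)
+       (literal "/private/var/run/syslog"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.system.notification_center"))
+(allow ipc-posix-shm-read*  (with report) (with telemetry)
+    (ipc-posix-name "apple.shm.notification_center"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.distributed_notifications@1v3"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.diagnosticd"))
+
+(logd-diagnostic-client)
+
+(managed-configuration-read-public)
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.ctkd.token-client"))
+
+(deny system-info (with no-report)
+    (info-type "net.link.addr"))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.system.libinfo.muser"))
+
+(allow mach-task-name (target self))
+
+(allow process-info-pidinfo (target self))
+(allow process-info-pidfdinfo (target self))
+(allow process-info-pidfileportinfo (target self))
+(allow process-info-setcontrol (target self))
+(allow process-info-dirtycontrol (target self))
+(allow process-info-rusage (target self))
+(allow process-info-codesignature (target self))
+
+(allow mach-lookup (with report) (with telemetry)
+    (global-name "com.apple.analyticsd"))
+
+;;;
+;;; End rules originally copied from 'common.sb'
+;;;
 
 (deny mach-lookup (xpc-service-name-prefix ""))
@@ -38,4 +560,5 @@
         "hw.ncpu"
         "hw.model"
+        "kern.maxfilesperproc"
         "kern.memorystatus_level"
         "vm.footprint_suspend"))
@@ -56,9 +579,10 @@
 
 ;; IOKit user clients
-(allow iokit-open (with report) (with telemetry)
-       (iokit-user-client-class "RootDomainUserClient"))
+(allow iokit-open
+       (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
+)
 
 ;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.PowerManagement.control"))
 
@@ -74,14 +598,14 @@
 
 ;; Security framework
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.ocspd")
     (global-name "com.apple.securityd"))
 
 ;; PassKit framework
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.passd.in-app-payment")
     (global-name "com.apple.passd.library"))
 
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.FileCoordination")
     (global-name "com.apple.dmd.policy")
@@ -90,5 +614,5 @@
 
 (deny file-write-create
-       (vnode-type SYMLINK))
+      (vnode-type SYMLINK))
 
 ;; FIXME should be removed when <rdar://problem/30498072> is fixed.
@@ -100,5 +624,5 @@
 
 ;; Various services required by system frameworks
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.lsd.mapdb")
     (global-name "com.apple.analyticsd")
@@ -106,9 +630,9 @@
 
 ;; For reporting progress for active downloads <rdar://problem/44405661>
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.ProgressReporting"))
 
  ;; <rdar://problem/47598758>
-(allow mach-lookup
+(allow mach-lookup (with report) (with telemetry)
     (global-name "com.apple.nesessionmanager.content-filter"))
 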
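Review bot: In the copied `debugging-support` definition (first hunk, new lines 258–266) the `(with-elevated-precedence ...)` form that allows `file-read* file-map-executable file-issue-extension` on `(front-user-home-subpath "/XcodeBuiltProducts")` is indented as though it sat inside `(with-filter (system-attribute apple-internal) ...)`, but the `)))` on the `(subpath "/usr/local/lib")` line closes that filter first, so the form is a sibling and is not gated by apple-internal; `(debugging-support)` is then called unconditionally at new line 409. If the ungated scope is intended, dedent the form to the definition's own indent so the text matches the structure; if it is not, move the filter's closing paren after the form. Now that this profile owns the text instead of importing it, this is the place to make that readable, and it is worth a line in the ChangeLog either way. The RootDomainUserClient hunk also removes `(with report) (with telemetry)` from an iokit-open rule, a reporting change the "no change in behavior" line in the ChangeLog does not cover.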