Changeset 254209 in webkit
- Timestamp:
- Jan 8, 2020 11:36:34 AM (4 years ago)
- Location:
- trunk/Source/WebKit
- Files:
-
- 3 edited
trunk/Source/WebKit/ChangeLog
r254208 r254209 1 2020-01-08 Brent Fulgham <bfulgham@apple.com> 2 3 Network process sandboxes should not include 'common.sb' or 'system.sb' 4 https://bugs.webkit.org/show_bug.cgi?id=205521 5 <rdar://problem/58095870> 6 7 Reviewed by Per Arne Vollan. 8 9 This patch replaces the 'include' with a copy/paste of the contents of the relevant 10 sandbox include file. I removed definitions that were not referenced in the existing 11 Network sandbox, but did not otherwise edit the contents. There are duplicates and 12 redundancies after this patch, which I will remove as a follow-up step once we confirm 13 that this has no regressions. 14 15 I also updated the sandbox to generate telemetry for some mach connections that we think 16 are unneeded, or that should be targeted for removal. 17 18 No new tests. There should be no change in behavior. 19 20 * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in: 21 * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb: 22 1 23 2020-01-08 David Kilzer <ddkilzer@apple.com> 2 24 -
trunk/Source/WebKit/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in
r254204 r254209 26 26 (allow system-audit file-read-metadata) 27 27 28 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 29 ;;; 30 ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can 31 ;;; remove unneeded sandbox extensions. 32 ;;; 33 34 (allow mach-register (local-name-prefix "")) 35 36 (allow mach-lookup (xpc-service-name-prefix "")) 37 38 (allow system-automount 39 (process-attribute is-platform-binary)) 40 41 (allow file-map-executable 42 (subpath "/Library/Apple/System/Library/Frameworks") 43 (subpath "/Library/Apple/System/Library/PrivateFrameworks") 44 (subpath "/System/Library/Frameworks") 45 (subpath "/System/Library/PrivateFrameworks") 46 (subpath "/usr/lib") 47 (literal "/usr/local/lib/sanitizers")) 48 49 (allow file-read-metadata 50 (literal "/etc") 51 (literal "/tmp") 52 (literal "/var") 53 (literal "/private/etc/localtime")) 54 55 (allow file-read-metadata (path-ancestors "/System/Volumes/Data/private")) 56 57 (allow file-read* (literal "/")) 58 59 (allow file-read* 60 (subpath "/Library/Apple/System") 61 (subpath "/Library/Filesystems/NetFSPlugins") 62 (subpath "/Library/Preferences/Logging") ; Logging Rethink 63 (subpath "/System") 64 (subpath "/private/var/db/dyld") 65 (subpath "/private/var/db/timezone") 66 (subpath "/usr/lib") 67 (subpath "/usr/share")) 68 69 (allow file-read* 70 (literal "/dev/autofs_nowait") 71 (literal "/dev/random") 72 (literal "/dev/urandom") 73 (literal "/private/etc/master.passwd") 74 (literal "/private/etc/passwd") 75 (literal "/private/etc/protocols") 76 (literal "/private/etc/services")) 77 78 (allow file-read* 79 file-write-data 80 (literal "/dev/null") 81 (literal "/dev/zero")) 82 83 (allow file-read* 84 file-write-data 85 file-ioctl 86 (literal "/dev/dtracehelper")) 87 88 (allow file-read* 89 (literal "/usr/local/lib/sanitizers")) 90 91 (allow file-write-create 92 (require-all (prefix "/cores/") 93 (vnode-type REGULAR-FILE))) 94 95 (allow file-read* 96 (require-all 
(subpath "/AppleInternal/Library/Preferences/Logging") 97 (system-attribute apple-internal))) 98 99 (allow file-read* file-map-executable 100 (require-all (subpath "/usr/local/lib/log") 101 (system-attribute apple-internal))) 102 103 (allow network-outbound 104 (literal "/private/var/run/syslog")) 105 106 (allow ipc-posix-shm-read* 107 (ipc-posix-name "apple.shm.notification_center") 108 (ipc-posix-name-prefix "apple.cfprefs.")) 109 110 (allow mach-lookup (with report) (with telemetry) 111 (global-name "com.apple.analyticsd") 112 (global-name "com.apple.analyticsd.messagetracer") 113 (global-name "com.apple.appsleep") 114 (global-name "com.apple.bsd.dirhelper") 115 (global-name "com.apple.cfprefsd.agent") 116 (global-name "com.apple.cfprefsd.daemon") 117 (global-name "com.apple.diagnosticd") 118 (global-name "com.apple.espd") 119 (global-name "com.apple.logd") 120 (global-name "com.apple.logd.events") 121 (global-name "com.apple.secinitd") 122 (global-name "com.apple.system.DirectoryService.libinfo_v1") 123 (global-name "com.apple.system.logger") 124 (global-name "com.apple.system.notification_center") 125 (global-name "com.apple.system.opendirectoryd.libinfo") 126 (global-name "com.apple.system.opendirectoryd.membership") 127 (global-name "com.apple.trustd") 128 (global-name "com.apple.trustd.agent") 129 (global-name "com.apple.xpc.activity.unmanaged") 130 (local-name "com.apple.cfprefsd.agent")) 131 132 (with-filter (system-attribute apple-internal) 133 (allow mach-lookup (global-name "com.apple.internal.objc_trace"))) 134 135 (define (system-network) 136 (allow file-read* 137 (literal "/Library/Preferences/com.apple.networkd.plist") 138 (literal "/private/var/db/nsurlstoraged/dafsaData.bin")) 139 (allow mach-lookup 140 (global-name "com.apple.SystemConfiguration.PPPController") 141 (global-name "com.apple.SystemConfiguration.SCNetworkReachability") 142 (global-name "com.apple.nehelper") 143 (global-name "com.apple.nesessionmanager") 144 (global-name 
"com.apple.networkd") 145 (global-name "com.apple.nsurlstorage-cache") 146 (global-name "com.apple.symptomsd") 147 (global-name "com.apple.usymptomsd")) 148 (allow network-outbound 149 (control-name "com.apple.netsrc") 150 (control-name "com.apple.network.statistics")) 151 (allow system-socket 152 (require-all (socket-domain AF_SYSTEM) 153 (socket-protocol 2)) ; SYSPROTO_CONTROL 154 (socket-domain AF_ROUTE)) 155 (allow mach-lookup 156 (global-name "com.apple.AppSSO.service-xpc")) 157 (allow ipc-posix-shm-read-data 158 (ipc-posix-name "/com.apple.AppSSO.version"))) 159 160 ;;; 161 ;;; End rules originally copied from 'system.sb' 162 ;;; 163 #else 28 164 (import "system.sb") 165 #endif 29 166 30 167 ;;; process-info* defaults to allow; deny it and then allow operations we actually need. … … 39 176 "hw.ncpu" 40 177 "hw.model" 178 "kern.maxfilesperproc" 41 179 "kern.memorystatus_level" 42 "vm.footprint_suspend")) 180 "vm.footprint_suspend") 181 (sysctl-name-regex #"^net.routetable") 182 ) 43 183 44 184 (deny iokit-get-properties) … … 134 274 ;; IOKit user clients 135 275 (allow iokit-open 136 #if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500 137 (with report) (with telemetry) 138 #endif 139 (iokit-user-client-class "RootDomainUserClient")) 276 (iokit-user-client-class "RootDomainUserClient") ; Used by PowerObserver 277 ) 140 278 141 279 ;; cookied. -
trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb
r254204 r254209 26 26 (allow system-audit file-read-metadata) 27 27 28 (import "common.sb") 28 ;;; 29 ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can 30 ;;; remove unneeded sandbox extensions. 31 ;;; 32 33 (import "util.sb") 34 35 (define-once (allow-read-and-issue-generic-extensions . filters) 36 (allow file-read* 37 (apply require-any filters)) 38 (allow file-issue-extension 39 (require-all 40 ;; APP_SANDBOX_READ - default for sandbox_issue_extension() & sandbox_issue_fs_extension(). 41 (extension-class "com.apple.app-sandbox.read") 42 (apply require-any filters)))) 43 44 (define-once (allow-read-write-and-issue-generic-extensions . filters) 45 (allow file-read* file-write* 46 (apply require-any filters)) 47 (allow file-read-metadata 48 (apply require-any filters)) 49 (allow file-issue-extension 50 (require-all 51 (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read") 52 (apply require-any filters)))) 53 54 (define-once (allow-network-common) 55 ;; <rdar://problem/8645367> 56 (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) 57 (allow network-outbound 58 (control-name "com.apple.network.statistics") 59 (control-name "com.apple.netsrc")) 60 61 (allow sysctl-read 62 (sysctl-name "kern.ipc.maxsockbuf") 63 (sysctl-name "kern.nisdomainname") 64 (sysctl-name-prefix "net.routetable.") 65 (sysctl-name "net.statistics")) 66 67 ;; <rdar://problem/10642881> 68 (allow file-read* 69 (literal "/private/var/preferences/com.apple.networkd.plist")) 70 71 ;; <rdar://problem/27580907> 72 (allow file-read* 73 (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist")) 74 75 ;; <rdar://problem/13679154> 76 (allow file-read* 77 (literal "/private/var/preferences/com.apple.NetworkStatistics.plist")) 78 79 ;; <rdar://problem/15711661> 80 (allow mach-lookup 81 (global-name "com.apple.nesessionmanager")) 82 83 ;; <rdar://problem/7693463> 84 
(allow system-socket (socket-domain AF_ROUTE)) 85 86 (if gizmo? 87 (with-filter 88 (require-any 89 (require-entitlement "com.apple.security.network.client") 90 (require-entitlement "com.apple.security.network.server")) 91 (allow network-outbound (literal "/private/var/run/mDNSResponder"))) 92 (allow network-outbound (literal "/private/var/run/mDNSResponder"))) 93 94 ;; <rdar://problem/10962803> 95 ;; <rdar://problem/13238730> 96 (allow mach-lookup 97 (global-name "com.apple.SystemConfiguration.configd") 98 (global-name "com.apple.SystemConfiguration.helper") 99 (global-name "com.apple.SystemConfiguration.SCNetworkReachability") 100 (global-name "com.apple.SystemConfiguration.DNSConfiguration") 101 (global-name "com.apple.SystemConfiguration.PPPController") 102 (global-name "com.apple.SystemConfiguration.NetworkInformation")) 103 104 ;; <rdar://problem/11792470> 105 ;; <rdar://problem/13305819> 106 (allow mach-lookup 107 (global-name "com.apple.commcenter.xpc") 108 (global-name "com.apple.commcenter.cupolicy.xpc")) 109 110 (allow mach-lookup 111 (global-name "com.apple.securityd") 112 (global-name "com.apple.trustd")) 113 (allow file-read* 114 (literal "/private/var/preferences/com.apple.security.plist")) 115 116 ;; <rdar://problem/13301795> 117 (allow mach-lookup 118 (global-name "com.apple.usymptomsd") 119 (global-name "com.apple.symptomsd") 120 (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772> 121 122 (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration") 123 (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.plist"))) 124 125 (with-filter (apple-signed-executable?) 
126 (allow file-read* (literal "/private/var/preferences/com.apple.networkextension.uuidcache.plist"))) 127 128 (allow mach-lookup 129 (global-name "com.apple.AppSSO.service-xpc")) 130 (allow ipc-posix-shm-read-data 131 (ipc-posix-name "/com.apple.AppSSO.version")) 132 133 ;; <rdar://problem/30452093> 134 (multipath-tcp)) 135 136 (define-once (network-client . filters) 137 (allow-network-common) 138 139 ;; <rdar://problem/9193431> 140 (allow mach-lookup 141 (global-name "com.apple.networkd")) 142 143 ;; <rdar://problem/20094008> 144 ;; <rdar://problem/24689958> 145 (with-filter (require-any 146 (require-entitlement "com.apple.networkd.advisory_socket") 147 (require-entitlement "com.apple.networkd.disable_opportunistic") 148 (require-entitlement "com.apple.networkd.modify_settings") 149 (require-entitlement "com.apple.networkd.persistent_interface") 150 (require-entitlement "com.apple.networkd_privileged")) 151 (allow mach-lookup 152 (global-name "com.apple.networkd_privileged"))) 153 154 ;; <rdar://problem/20201593> 155 (with-filter (require-any 156 (apple-signed-executable?) 157 (require-entitlement "com.apple.authkit.client") 158 (require-entitlement "com.apple.authkit.client.private") 159 (require-entitlement "com.apple.authkit.client.internal")) 160 (allow mach-lookup 161 (global-name "com.apple.ak.anisette.xpc") 162 (global-name "com.apple.ak.auth.xpc"))) 163 164 ;; <rdar://problem/15897781> 165 (allow mach-lookup 166 (global-name "com.apple.nsurlsessiond")) 167 (allow file-issue-extension 168 (require-all 169 (executable-bundle) 170 (extension-class "com.apple.nsurlsessiond.readonly"))) 171 172 ;; <rdar://problem/20617514> 173 (when gizmo? 
174 (allow mach-lookup 175 (global-name "com.apple.nsurlsessiond.NSURLSessionProxyService") 176 (global-name "com.apple.sharingd.NSURLSessionProxyService"))) 177 178 ;; <rdar://problem/15608009> 179 (allow mach-lookup 180 (global-name "com.apple.nsurlstorage-cache")) 181 182 ;; <rdar://problem/10423007> 183 (allow mach-lookup 184 (global-name "com.apple.cfnetwork.AuthBrokerAgent") 185 (global-name "com.apple.cfnetwork.cfnetworkagent")) 186 187 ;; <rdar://problem/12620714> 188 (deny file-write-create (with no-report) 189 (home-prefix "/Library/Logs/CrashReporter/CFNetwork_")) 190 191 (allow mach-lookup 192 (global-name "com.apple.cookied")) 193 194 ;; <rdar://problem/17910466> 195 (allow mach-lookup 196 (global-name "com.apple.accountsd.accountmanager")) 197 198 ;; GSS-API 199 (allow mach-lookup 200 (global-name "com.apple.GSSCred")) 201 202 ;; <rdar://problem/17853959> 203 (mobile-keybag-access) 204 205 (allow mach-lookup 206 (global-name "com.apple.nehelper")) 207 208 (allow-well-known-system-group-container-literal-read 209 "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin") 210 211 ;; <rdar://problem/33277999> 212 (mobile-preferences-read "com.apple.CFNetwork") 213 214 (if (null? 
filters) 215 (allow network-outbound) 216 ; else 217 (allow network-outbound (apply require-any filters)))) 218 219 (define-once (multipath-tcp) 220 (allow system-socket (socket-domain 39))) 221 222 (define-once (managed-configuration-read-public) 223 (allow file-read* 224 (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") 225 (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo") 226 (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")) 227 (allow mach-lookup 228 (global-name "com.apple.managedconfiguration.profiled.public"))) 229 230 (define-once (allow-preferences-common) 231 (allow file-read-metadata 232 (home-literal "") 233 (home-literal "/Library/Preferences"))) 234 235 (define-once (mobile-preferences-read . domains) 236 (allow-preferences-common) 237 (allow user-preference-read (apply preference-domain domains))) 238 239 (define-once (mobile-keybag-access) 240 (allow iokit-open (with report) (with telemetry) 241 (iokit-user-client-class "AppleKeyStoreUserClient"))) 242 243 (define-once (debugging-support) 244 ;; <rdar://problem/8379706> 245 ;; <rdar://problem/12868101> 246 ;; <rdar://problem/22766887> 247 ;; <rdar://problem/22880365> 248 (allow file-read* file-map-executable 249 (subpath "/Developer")) 250 251 ;; <rdar://problem/7674121> 252 ;; <rdar://problem/9151290> 253 (allow ipc-posix-shm 254 (ipc-posix-name-regex #"^stack-logs") 255 (ipc-posix-name-regex #"^OA-") 256 (ipc-posix-name-regex #"^/FSM-")) 257 258 (with-filter (system-attribute apple-internal) 259 ;; <rdar://problem/8565035> 260 ;; <rdar://problem/23857452> 261 (allow file-read* file-map-executable 262 (subpath "/AppleInternal") 263 (subpath "/usr/local/lib"))) 264 (with-elevated-precedence 265 (allow file-read* file-map-executable file-issue-extension 266 (front-user-home-subpath "/XcodeBuiltProducts"))) 267 268 ;; <rdar://problem/8107758> 269 (allow file-read* 
file-map-executable 270 (subpath "/System/Library/Frameworks") 271 (subpath "/System/Library/PrivateFrameworks")) 272 273 ;; <rdar://problem/11455762> 274 (allow mach-lookup 275 (global-name "com.apple.hangtracerd")) 276 ;; <rdar://problem/32544921> 277 (mobile-preferences-read "com.apple.hangtracer") 278 279 ;; <rdar://problem/9090627> 280 (with-filter (apple-signed-executable?) 281 (allow mach-lookup 282 (global-name "com.apple.ReportCrash.SimulateCrash")))) 283 284 (define-once (logd-diagnostic-paths) 285 (require-any 286 (subpath "/private/var/db/diagnostics") 287 (subpath "/private/var/db/timesync") 288 (subpath "/private/var/db/uuidtext") 289 (subpath "/private/var/userdata/diagnostics"))) 290 (define-once (logd-diagnostic-client) 291 (with-filter 292 (require-all 293 (require-any 294 (require-entitlement "com.apple.private.logging.diagnostic") 295 (require-entitlement "com.apple.diagnosticd.diagnostic")) 296 (extension "com.apple.logd.read-only")) 297 (allow file-read* 298 (logd-diagnostic-paths)))) 299 300 (define required-etc-files 301 (literal "/private/etc/fstab" 302 "/private/etc/hosts" 303 "/private/etc/group" 304 "/private/etc/passwd" 305 "/private/etc/protocols" 306 "/private/etc/services")) 307 308 (define-once (allow-multi-instance-xpc-services) 309 ;; <rdar://problem/46716068> 310 (allow mach-lookup 311 (with telemetry) 312 (with message "Create a radar and set it as a blocker to rdar://problem/48527566") 313 (xpc-service-name "com.apple.WebKit.Networking" 314 "com.apple.WebKit.WebContent") 315 )) 316 317 (allow sysctl-read 318 (sysctl-name "kern.bootsessionuuid")) 319 320 (deny file-map-executable) 321 (deny file-write-mount file-write-unmount) 322 (allow file-read-metadata 323 (vnode-type DIRECTORY)) 324 325 (mobile-preferences-read "com.apple.security") 326 327 (with-elevated-precedence 328 ;; System files. 
329 (allow file-read* 330 (subpath "/usr/lib" 331 "/usr/share" 332 "/private/var/db/timezone")) 333 (allow-read-and-issue-generic-extensions 334 (subpath "/Library/RegionFeatures" 335 "/System/Library")) 336 337 (allow file-map-executable 338 (subpath "/System/Library") 339 (subpath "/usr/lib")) 340 341 (allow file-read-metadata 342 (vnode-type SYMLINK)) 343 344 (allow file-read* 345 (subpath "/private/var/preferences/Logging")) 346 347 (mobile-preferences-read "kCFPreferencesAnyApplication") 348 (allow file-read* 349 (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist")) 350 351 (allow file-read* 352 (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")) 353 (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication")) 354 355 (allow file-read-metadata 356 (home-literal "/Library/Caches/powerlog.launchd")) 357 358 (allow-read-and-issue-generic-extensions (executable-bundle)) 359 (allow file-map-executable (executable-bundle)) 360 361 (deny file-read-data file-issue-extension file-map-executable 362 (require-all 363 (executable-bundle) 364 (regex #"/[^/]+/SC_Info/"))) 365 366 (with-filter (global-name-prefix "") 367 (allow mach-lookup 368 (extension "com.apple.security.exception.mach-lookup.global-name")) 369 (allow mach-register 370 (extension "com.apple.security.exception.mach-register.global-name"))) 371 (with-filter (local-name-prefix "") 372 (allow mach-lookup 373 (extension "com.apple.security.exception.mach-lookup.local-name")) 374 (allow mach-register 375 (extension "com.apple.security.exception.mach-register.local-name"))) 376 (allow-read-and-issue-generic-extensions 377 (extension "com.apple.security.exception.files.absolute-path.read-only") 378 (extension "com.apple.security.exception.files.home-relative-path.read-only")) 379 (allow-read-write-and-issue-generic-extensions 380 (extension "com.apple.security.exception.files.absolute-path.read-write") 381 (extension 
"com.apple.security.exception.files.home-relative-path.read-write")) 382 (allow iokit-open 383 (extension "com.apple.security.exception.iokit-user-client-class")) 384 (allow managed-preference-read 385 (extension "com.apple.security.exception.managed-preference.read-only")) 386 (allow user-preference-read 387 (extension "com.apple.security.exception.shared-preference.read-only")) 388 (allow user-preference-read user-preference-write 389 (extension "com.apple.security.exception.shared-preference.read-write")) 390 (allow sysctl-read 391 (extension "com.apple.security.exception.sysctl.read-only")) 392 (allow sysctl-read sysctl-write 393 (extension "com.apple.security.exception.sysctl.read-write")) 394 395 (allow file-issue-extension 396 (require-all 397 (extension-class "com.apple.nsurlstorage.extension-cache") 398 (extension "com.apple.security.exception.files.home-relative-path.read-write") 399 (require-any 400 (prefix "/private/var/root/Library/Caches/") 401 (front-user-home-prefix "/Library/Caches/")))) 402 403 (with-filter (require-entitlement "com.apple.security.exception.process-info") 404 (allow process-info-pidinfo process-info-pidfdinfo process-info-pidfileportinfo process-info-rusage process-info-codesignature) 405 (allow sysctl-read 406 (sysctl-name-prefix "kern.proc.") 407 (sysctl-name-prefix "kern.procargs2.")))) 408 409 (debugging-support) 410 411 (allow file-read* 412 required-etc-files 413 (literal "/")) 414 415 (allow mach-lookup (with report) (with telemetry) 416 (global-name "com.apple.logd") 417 (global-name "com.apple.logd.events")) 418 419 (allow mach-lookup (with report) (with telemetry) 420 (global-name "com.apple.cfprefsd.daemon") 421 (global-name "com.apple.cfprefsd.agent") 422 (local-name "com.apple.cfprefsd.agent")) 423 (allow ipc-posix-shm-read* 424 (ipc-posix-name-prefix "apple.cfprefs.")) 425 426 (allow mach-lookup (with report) (with telemetry) 427 (global-name "com.apple.runningboard")) 428 429 (allow-multi-instance-xpc-services) 430 
431 (allow system-sched 432 (require-entitlement "com.apple.private.kernel.override-cpumon")) 433 434 (allow sysctl-read (with report) (with telemetry) 435 (sysctl-name "hw.activecpu") 436 (sysctl-name "hw.busfrequency") 437 (sysctl-name "hw.busfrequency_compat") 438 (sysctl-name "hw.byteorder") 439 (sysctl-name "hw.cachelinesize") 440 (sysctl-name "hw.cachelinesize_compat") 441 (sysctl-name "hw.cpu64bit_capable") 442 (sysctl-name "hw.cpufamily") 443 (sysctl-name "hw.cpufrequency") 444 (sysctl-name "hw.cpufrequency_compat") 445 (sysctl-name "hw.cpufrequency_max") 446 (sysctl-name "hw.cpusubtype") 447 (sysctl-name "hw.cputype") 448 (sysctl-name "hw.l1dcachesize") 449 (sysctl-name "hw.l1dcachesize_compat") 450 (sysctl-name "hw.l1icachesize") 451 (sysctl-name "hw.l1icachesize_compat") 452 (sysctl-name "hw.l2cachesize") 453 (sysctl-name "hw.l2cachesize_compat") 454 (sysctl-name "hw.l2settings") 455 (sysctl-name "hw.l3cachesize") 456 (sysctl-name "hw.l3cachesize_compat") 457 (sysctl-name "hw.l3settings") 458 (sysctl-name "hw.logicalcpu") 459 (sysctl-name "hw.logicalcpu_max") 460 (sysctl-name "hw.machine") 461 (sysctl-name "hw.memsize") 462 (sysctl-name "hw.pagesize") 463 (sysctl-name "hw.pagesize_compat") 464 (sysctl-name "hw.physicalcpu") 465 (sysctl-name "hw.physicalcpu_max") 466 (sysctl-name "hw.physmem") 467 (sysctl-name "hw.tbfrequency") 468 (sysctl-name "hw.tbfrequency_compat") 469 (sysctl-name "hw.usermem") 470 (sysctl-name "hw.vectorunit") 471 (sysctl-name "kern.bootargs") 472 (sysctl-name "kern.boottime") 473 (sysctl-name "kern.clockrate") 474 (sysctl-name "kern.development") 475 (sysctl-name "kern.hostid") 476 (sysctl-name "kern.hostname") 477 (sysctl-name "kern.maxproc") 478 (sysctl-name "kern.maxvnodes") 479 (sysctl-name-prefix "kern.monotonicclock") 480 (sysctl-name "kern.monotoniclock_offset_usecs") 481 (sysctl-name "kern.ngroups") 482 (sysctl-name "kern.osproductversion") 483 (sysctl-name "kern.osrelease") 484 (sysctl-name "kern.ostype") 485 (sysctl-name 
"kern.osvariant_status") 486 (sysctl-name "kern.osversion") 487 (sysctl-name "kern.saved_ids") 488 (sysctl-name "kern.secure_kernel") 489 (sysctl-name "kern.usrstack") 490 (sysctl-name "kern.usrstack64") 491 (sysctl-name "kern.version") 492 (sysctl-name "kern.waketime") 493 (sysctl-name "security.mac.sandbox.sentinel") 494 (sysctl-name "sysctl.name2oid") 495 (sysctl-name "vm.loadavg") 496 (sysctl-name-prefix "kern.argmax") 497 (sysctl-name-prefix "kern.proc.pid.") 498 ) 499 500 (with-filter (system-attribute apple-internal) 501 (allow sysctl-read 502 (sysctl-name "kern.dtrace.dof_mode")) 503 (allow sysctl-read sysctl-write 504 (sysctl-name "vm.footprint_suspend"))) 505 506 (allow mach-lookup (with report) (with telemetry) 507 (global-name "com.apple.system.logger")) 508 (allow file-read-metadata network-outbound (with report) (with telemetry) 509 (literal "/private/var/run/syslog")) 510 511 (allow mach-lookup (with report) (with telemetry) 512 (global-name "com.apple.system.notification_center")) 513 (allow ipc-posix-shm-read* (with report) (with telemetry) 514 (ipc-posix-name "apple.shm.notification_center")) 515 516 (allow mach-lookup (with report) (with telemetry) 517 (global-name "com.apple.distributed_notifications@1v3")) 518 519 (allow mach-lookup (with report) (with telemetry) 520 (global-name "com.apple.diagnosticd")) 521 522 (logd-diagnostic-client) 523 524 (managed-configuration-read-public) 525 526 (allow mach-lookup (with report) (with telemetry) 527 (global-name "com.apple.ctkd.token-client")) 528 529 (deny system-info (with no-report) 530 (info-type "net.link.addr")) 531 532 (allow mach-lookup (with report) (with telemetry) 533 (global-name "com.apple.system.libinfo.muser")) 534 535 (allow mach-task-name (target self)) 536 537 (allow process-info-pidinfo (target self)) 538 (allow process-info-pidfdinfo (target self)) 539 (allow process-info-pidfileportinfo (target self)) 540 (allow process-info-setcontrol (target self)) 541 (allow 
process-info-dirtycontrol (target self)) 542 (allow process-info-rusage (target self)) 543 (allow process-info-codesignature (target self)) 544 545 (allow mach-lookup (with report) (with telemetry) 546 (global-name "com.apple.analyticsd")) 547 548 ;;; 549 ;;; End rules originally copied from 'common.sb' 550 ;;; 29 551 30 552 (deny mach-lookup (xpc-service-name-prefix "")) … … 38 560 "hw.ncpu" 39 561 "hw.model" 562 "kern.maxfilesperproc" 40 563 "kern.memorystatus_level" 41 564 "vm.footprint_suspend")) … … 56 579 57 580 ;; IOKit user clients 58 (allow iokit-open (with report) (with telemetry) 59 (iokit-user-client-class "RootDomainUserClient")) 581 (allow iokit-open 582 (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver 583 ) 60 584 61 585 ;; Various services required by CFNetwork and other frameworks 62 (allow mach-lookup 586 (allow mach-lookup (with report) (with telemetry) 63 587 (global-name "com.apple.PowerManagement.control")) 64 588 … … 74 598 75 599 ;; Security framework 76 (allow mach-lookup 600 (allow mach-lookup (with report) (with telemetry) 77 601 (global-name "com.apple.ocspd") 78 602 (global-name "com.apple.securityd")) 79 603 80 604 ;; PassKit framework 81 (allow mach-lookup 605 (allow mach-lookup (with report) (with telemetry) 82 606 (global-name "com.apple.passd.in-app-payment") 83 607 (global-name "com.apple.passd.library")) 84 608 85 (allow mach-lookup 609 (allow mach-lookup (with report) (with telemetry) 86 610 (global-name "com.apple.FileCoordination") 87 611 (global-name "com.apple.dmd.policy") … … 90 614 91 615 (deny file-write-create 92 616 (vnode-type SYMLINK)) 93 617 94 618 ;; FIXME should be removed when <rdar://problem/30498072> is fixed. 
… … 100 624 101 625 ;; Various services required by system frameworks 102 (allow mach-lookup 626 (allow mach-lookup (with report) (with telemetry) 103 627 (global-name "com.apple.lsd.mapdb") 104 628 (global-name "com.apple.analyticsd") … … 106 630 107 631 ;; For reporting progress for active downloads <rdar://problem/44405661> 108 (allow mach-lookup 632 (allow mach-lookup (with report) (with telemetry) 109 633 (global-name "com.apple.ProgressReporting")) 110 634 111 635 ;; <rdar://problem/47598758> 112 (allow mach-lookup 636 (allow mach-lookup (with report) (with telemetry) 113 637 (global-name "com.apple.nesessionmanager.content-filter")) 114 638
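Review bot: Inlining 'common.sb' makes the unconditional `(debugging-support)` call part of the Networking profile, and inside that definition the `(with-elevated-precedence (allow file-read* file-map-executable file-issue-extension (front-user-home-subpath "/XcodeBuiltProducts")))` rule sits outside the `(system-attribute apple-internal)` filter that guards the neighbouring `/AppleInternal` rule. As written it appears to take precedence over the profile's `(deny file-map-executable)` for a path under the user's home on all builds; whether the Networking process can write there is not visible from this page. The changelog defers pruning to a follow-up, so it would help to mark the call site now, for example `;; FIXME: inherited from common.sb; confirm the Networking process needs debugging-support outside apple-internal builds.` The same follow-up should cover the `com.apple.security.exception.*` extension rules (mach-lookup, mach-register, sysctl-write, read-write files) that are copied in the same block.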