video.currentTime is not being updated in iOS 13.4 Beta
1 ; Copyright (C) 2010-2019 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ; notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ; notice, this list of conditions and the following disclaimer in the
10 ; documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
;; Sandbox profile for the iOS WebKit GPU process (SBPL, Scheme syntax).
;; Start from deny-everything; every capability below is an explicit grant.
(version 1)
(deny default (with partial-symbolication))
;; Audit operations and file metadata reads are allowed unconditionally;
;; reading file *data* is still governed by the path rules that follow.
(allow system-audit file-read-metadata)
27
28 ;;;
29 ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
30 ;;; remove unneeded sandbox extensions.
31 ;;;
32
33 (import "util.sb")
34
;; Grant read access to every path matched by any of PATH-FILTERS and allow
;; the process to hand out read-only ("com.apple.app-sandbox.read") sandbox
;; extensions for those same paths. The filters are OR-ed (require-any), so a
;; single match is enough; the issued extension class is always read-only.
(define-once (allow-read-and-issue-generic-extensions . path-filters)
    (let ((matches-any (apply require-any path-filters)))
        (allow file-issue-extension
            (require-all
                (extension-class "com.apple.app-sandbox.read")
                matches-any))
        (allow file-read* matches-any)))
42
;; Read-write counterpart of allow-read-and-issue-generic-extensions: grants
;; read, write and metadata access to every path matched by any of
;; PATH-FILTERS, and lets the process issue both read-write and read-only
;; app-sandbox extensions for those paths.
(define-once (allow-read-write-and-issue-generic-extensions . path-filters)
    (let ((matches-any (apply require-any path-filters)))
        ;; Metadata is granted separately so stat-style queries are covered
        ;; explicitly alongside the data operations.
        (allow file-read-metadata matches-any)
        (allow file-read* file-write* matches-any)
        (allow file-issue-extension
            (require-all
                (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
                matches-any))))
52
;; Read-only access to the "PublicInfo" portion of installed configuration
;; profiles: the system group container plus both per-user locations.
(define-once (managed-configuration-read-public)
    (allow file-read*
           (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
           (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
58
;; Read access to managed-configuration profile data.
;; Called with no FILES, the whole ConfigurationProfiles directories become
;; readable (subpath). Called with file names, only those exact files are
;; granted (literal), which is the narrower form this profile actually uses
;; (see the apple-signed-executable? block below).
(define-once (managed-configuration-read . files)
    (if (null? files)
        (allow file-read*
               (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/ConfigurationProfiles")
               (front-user-home-subpath "/Library/UserConfigurationProfiles"))
        (for-each
            (lambda (file)
                (allow file-read*
                    (well-known-system-group-container-literal
                        (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
                    ;; front-user-home-literal accepts several paths at once.
                    (front-user-home-literal
                        (string-append "/Library/ConfigurationProfiles/" file)
                        (string-append "/Library/UserConfigurationProfiles/" file))))
            files)))
74
;; Metadata-only access to the home directory itself and ~/Library/Preferences.
;; Shared by the preference helpers below; presumably needed so preference
;; path lookups succeed -- the preference data itself is still gated by
;; user-preference-read on a per-domain basis.
(define-once (allow-preferences-common)
    (allow file-read-metadata
           (home-literal "")
           (home-literal "/Library/Preferences")))
79
;; Read-only access to the given preference DOMAINS (plus the common metadata
;; grants). Every domain string is passed through to preference-domain as-is.
(define-once (mobile-preferences-read . domains)
    (allow-preferences-common)
    (allow user-preference-read (apply preference-domain domains)))
83
;; Read AND write access to the given preference DOMAINS. Use sparingly: a
;; writable preference domain is shared state visible to other processes.
(define-once (mobile-preferences-read-write . domains)
    (allow-preferences-common)
    (allow user-preference-read user-preference-write (apply preference-domain domains)))
87
;; Direct access to the mobile framebuffer IOKit user client plus its
;; preference domain. Opening a kernel user client is attack surface; this
;; helper is invoked unconditionally further down in the profile.
(define-once (framebuffer-access)
    (allow iokit-open
           (iokit-user-client-class "IOMobileFramebufferUserClient"))
    (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily"))
92
;; MobileAsset access. Reads are allowed only when BOTH the path is an asset
;; location AND the process holds a "com.apple.assets.read" extension, so
;; holding the extension alone does not open arbitrary paths.
;; With 'with-media-playback in OPTIONS the same combined filter is also
;; handed to play-media so mediaserverd extensions can be issued for assets.
(define-once (asset-access . options)
    (let ((asset-access-filter
            (require-all
              (require-any
                (home-subpath "/Library/Assets")
                (subpath "/private/var/MobileAsset"))
              (extension "com.apple.assets.read"))))
        ;; <rdar://problem/10710883>
        ;; <rdar://problem/11569106>
        (allow file-read* asset-access-filter)
        (if (memq 'with-media-playback options)
            (play-media asset-access-filter))
        ;; Lookups flagged (with report) (with telemetry) are tracked separately
        ;; from the plain ones; the grant itself is the same.
        (allow mach-lookup (with report) (with telemetry)
               (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2"))
        (mobile-preferences-read "com.apple.MobileAsset")))
108
;; Opens the AppleKeyStore IOKit user client (the name suggests keybag /
;; data-protection queries).
;; NOTE(review): this is invoked unconditionally below (<rdar://problem/7822790>,
;; inherited from the UIKit app profile). Confirm the GPU process still needs
;; a keystore user client -- it is kernel attack surface that a media/GPU
;; process would not obviously require.
(define-once (mobile-keybag-access)
     (allow iokit-open
            (iokit-user-client-class "AppleKeyStoreUserClient")))
112
;; Audio output: the remote IO audio server plus the AudioToolbox reporting
;; XPC service (the latter tracked with report/telemetry).
(define-once (play-audio)
    (allow mach-lookup
           (global-name "com.apple.audio.AURemoteIOServer"))
    (allow mach-lookup (with report) (with telemetry)
           (xpc-service-name "com.apple.audio.toolbox.reporting.service")))
118
;; Media playback support: CoreMedia/AVFoundation services, their preference
;; domains, and the ability to hand media files to mediaserverd by issuing
;; "com.apple.mediaserverd.read" extensions.
;; Optional FILTERS extend the set of paths for which such extensions may be
;; issued (asset-access passes its asset filter here).
(define-once (play-media . filters)
    (if (not (null? filters))
        ;; <rdar://problem/9875794>
        (allow file-issue-extension
            (require-all
                (apply require-any filters)
                (extension-class "com.apple.mediaserverd.read"))))
    ;; Any file this process can reach through one of the generic path-exception
    ;; extensions may be re-issued to mediaserverd as a read-only extension ...
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read")
            (extension "com.apple.security.exception.files.absolute-path.read-only"
                       "com.apple.security.exception.files.absolute-path.read-write"
                       "com.apple.security.exception.files.home-relative-path.read-only"
                       "com.apple.security.exception.files.home-relative-path.read-write")))
    ;; ... and read-write exceptions may be re-issued as read-write extensions.
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read-write")
            (extension "com.apple.security.exception.files.absolute-path.read-write"
                       "com.apple.security.exception.files.home-relative-path.read-write")))
    ;; CoreMedia framework.
    (allow mach-lookup
           (global-name "com.apple.coremedia.admin")
           (global-name "com.apple.coremedia.asset.xpc")
           (global-name "com.apple.coremedia.assetimagegenerator.xpc")
           (global-name "com.apple.coremedia.audiodeviceclock.xpc") ; Needed for CMTimeBase
           (global-name "com.apple.coremedia.audioprocessingtap.xpc")
           (global-name "com.apple.coremedia.capturesession")      ; Actually for video capture
           (global-name "com.apple.coremedia.capturesource")       ; Also for video capture (<rdar://problem/15794291>).
           (global-name "com.apple.coremedia.cpe.xpc") ; Needed for HDR playback.
           (global-name "com.apple.coremedia.customurlloader.xpc") ; Needed for custom media loading
           (global-name "com.apple.coremedia.formatreader.xpc")
           (global-name "com.apple.coremedia.player.xpc")
           (global-name "com.apple.coremedia.remaker")
           (global-name "com.apple.coremedia.remotequeue")
           (global-name "com.apple.coremedia.routediscoverer.xpc")
           (global-name "com.apple.coremedia.routingcontext.xpc")
           (global-name "com.apple.coremedia.samplebufferaudiorenderer.xpc")
           (global-name "com.apple.coremedia.samplebufferrendersynchronizer.xpc")
           (global-name "com.apple.coremedia.sandboxserver.xpc")
           (global-name "com.apple.coremedia.systemcontroller.xpc")
           (global-name "com.apple.coremedia.volumecontroller.xpc"))

    ;; Services whose use is being measured (report + telemetry); same grant
    ;; as above otherwise.
    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.coremedia.cpeprotector.xpc")
        (global-name "com.apple.coremedia.endpoint.xpc")
        (global-name "com.apple.coremedia.figcontentkeysession.xpc")
        (global-name "com.apple.coremedia.figcpecryptor")
        (global-name "com.apple.coremedia.routingsessionmanager.xpc")
        (global-name "com.apple.coremedia.sts"))

    (mobile-preferences-read
        "com.apple.avfoundation"
        "com.apple.coreaudio"
        "com.apple.coremedia"
        "com.apple.corevideo"
        "com.apple.itunesstored" ; Needed by MediaPlayer framework
        "com.apple.mobileipod" ; Ditto
        "com.apple.audio.virtualaudio" ; <rdar://problem/57170333>
    )

    ;; AVF needs to see these network preferences:
    (allow file-read*
        (literal "/private/var/preferences/com.apple.networkd.plist"))

    ;; Required by the MediaPlayer framework.
    (allow mach-lookup
        (global-name "com.apple.audio.AudioSession"))

    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.airplay.apsynccontroller.xpc"))

    ;; Let this process re-issue any file it holds a generic read-only
    ;; app-sandbox extension for as a mediaserverd.read extension, so that
    ;; mediaserverd can read the media on its behalf. (The extension is issued
    ;; by this process, not by mediaserverd.)
    (allow file-issue-extension (require-all
        (extension "com.apple.app-sandbox.read")
        (extension-class "com.apple.mediaserverd.read")))
)
195
;; Media remote-control support: mediaremoted plus the MediaPlayer remote
;; player XPC service, and the preference domains they read.
(define-once (media-remote)
    (mobile-preferences-read
        "com.apple.mediaremote"
        "com.apple.mobileipod")
    (allow mach-lookup
           (global-name "com.apple.mediaremoted.xpc"))
    (allow mach-lookup (with report) (with telemetry)
        (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService"))
)
205
;; Microphone/camera capture. Each device is only reachable while the process
;; holds the matching WebKit-issued extension, so the capability is
;; dynamically granted rather than always-on.
;; Not invoked anywhere in the visible part of this profile.
(define-once (media-capture-support)
    ;; Media capture, microphone access
    (with-filter (extension "com.apple.webkit.microphone")
        (allow device-microphone))

    ;; Media capture, camera access
    (with-filter (extension "com.apple.webkit.camera")
        (allow user-preference-read
            (preference-domain "com.apple.coremedia"))
        (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
        ;; While the camera extension is held, any mach service covered by a
        ;; held "com.apple.app-sandbox.mach" extension may be looked up.
        (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
        (allow device-camera))

    ;; Support incoming video connections
    (allow mach-lookup
        (global-name "com.apple.coremedia.compressionsession")
        (global-name "com.apple.coremedia.decompressionsession")
        (global-name "com.apple.coremedia.videoqueue"))
)
225
;; Accessibility: registers the per-process AX server port and reads the
;; Accessibility preference domain. Creation of the preference plist is
;; denied silently (no-report) rather than logged as a violation.
;; Not invoked anywhere in the visible part of this profile.
(define-once (accessibility-support)
    (allow mach-register
        (local-name "com.apple.iphone.axserver"))
    (mobile-preferences-read "com.apple.Accessibility")
    
    ;; <rdar://problem/10809394>
    (deny file-write-create
        (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
        (with no-report))
)
236
;; Media accessibility (captions etc.): the mediaaccessibilityd service, a
;; read-only domain and one read-WRITE domain ("...public").
;; Not invoked anywhere in the visible part of this profile.
(define-once (media-accessibility-support)
    ;; <rdar://problem/12801477>
    (allow mach-lookup
        (global-name "com.apple.accessibility.mediaaccessibilityd"))

    ;; <rdar://problem/12250145>
    (mobile-preferences-read "com.apple.mediaaccessibility")
    (mobile-preferences-read-write "com.apple.mediaaccessibility.public")
)
246
;; Read-only access to the iTunes Store URL-resolution cache, a single file.
(define-once (url-translation)
    ;; For translating http:// & https:// URLs referencing itms:// URLs.
    ;; <rdar://problem/11587338>
    (allow file-read*
           (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
252
253 ;;;
254 ;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
255 ;;;
;; GPU access: the IOGPU connection and the AGX/IOAccel user client classes,
;; the IOKit properties the graphics stack reads, and the shader compiler
;; services. This is the core capability of the GPU process, and also its
;; largest kernel attack surface.
(define-once (opengl)
    (allow iokit-open
           (iokit-connection "IOGPU")
           (iokit-user-client-class
                "AGXCommandQueue"
                "AGXDevice"
                "AGXDeviceUserClient"
                "AGXSharedUserClient"
                "IOAccelContext"
                "IOAccelDevice"
                "IOAccelSharedUserClient"
                "IOAccelSubmitter2"
                "IOAccelContext2"
                "IOAccelDevice2"
                "IOAccelSharedUserClient2"))

    (allow iokit-get-properties
        (iokit-property "IOGLBundleName")
        (iokit-property "IOGLESBundleName")
        (iokit-property "IOGLESDefaultUseMetal")
        (iokit-property "IOGLESMetalBundleName")
        (iokit-property "MetalPluginClassName")
        (iokit-property "MetalPluginName")
    )

    ;; NOTE(review): (opengl) is invoked before the blanket (deny sysctl*) at
    ;; the end of this profile. If later rules take precedence, this grant is
    ;; only effective if "kern.bootsessionuuid" also appears in the final
    ;; sysctl-read allow-list -- verify.
    (allow sysctl-read
           (sysctl-name #"kern.bootsessionuuid"))

    (allow mach-lookup (with report) (with telemetry)
        (xpc-service-name-prefix "com.apple.AGXCompilerService"))

    (allow mach-lookup
       ;; <rdar://problem/47268166>
       (xpc-service-name "com.apple.MTLCompilerService"))
    
    (mobile-preferences-read
        "com.apple.Metal" ;; <rdar://problem/25535471>
        "com.apple.opengl" ;; <rdar://problem/23321675>
    )
)
296
;; Developer/debugging affordances. Invoked unconditionally below, i.e. on
;; every device, not only Apple-internal ones; the apple-internal parts are
;; gated individually with (system-attribute apple-internal).
(define-once (debugging-support)
        (allow file-read* file-map-executable
               (subpath "/Developer"))

        (allow ipc-posix-shm
               (ipc-posix-name-regex #"^stack-logs")
               (ipc-posix-name-regex #"^OA-")
               (ipc-posix-name-regex #"^/FSM-"))

        (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
               (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))

        ;; NOTE(review): the parentheses close the apple-internal filter at the
        ;; end of the (allow ...) form below, so the following
        ;; (with-elevated-precedence ...) block is a sibling, NOT nested under
        ;; (system-attribute apple-internal) as its indentation suggests. As
        ;; written, file-read*, file-map-executable and file-issue-extension on
        ;; ~/XcodeBuiltProducts are granted with elevated precedence on all
        ;; devices. Confirm whether that is intended; if not, the closing
        ;; parenthesis should move after the with-elevated-precedence form.
        (with-filter (system-attribute apple-internal)
            ;; <rdar://problem/8565035>
            ;; <rdar://problem/23857452>
            (allow file-read* file-map-executable
                   (subpath "/AppleInternal")
                   (subpath "/usr/local/lib")))
            (with-elevated-precedence
                (allow file-read* file-map-executable file-issue-extension
                   (front-user-home-subpath "/XcodeBuiltProducts")))

        ;; <rdar://problem/8107758>
        (allow file-read* file-map-executable
               (subpath "/System/Library/Frameworks")
               (subpath "/System/Library/PrivateFrameworks"))

        ;; <rdar://problem/32544921>
        (mobile-preferences-read "com.apple.hangtracer"))
326
;; Device-node policy: start by denying all block/character devices, then
;; re-allow a short explicit list. The allows below are written after the
;; deny and rely on the later, more specific rule taking effect.
(define-once (device-access)
    (deny file-read* file-write*
          (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))

    (allow file-read* file-write-data
           (literal "/dev/null")
           (literal "/dev/zero"))

    ;; dtrace helper, including ioctl (debug/instrumentation use).
    (allow file-read* file-write-data file-ioctl
           (literal "/dev/dtracehelper"))

    ;; Randomness is read-only; attempts to write are silently dropped.
    (allow file-read*
           (literal "/dev/random")
           (literal "/dev/urandom"))
    ;; <rdar://problem/14215718>
    (deny file-write-data (with no-report)
          (literal "/dev/random")
          (literal "/dev/urandom"))

    ;; NOTE(review): read/write/ioctl on the hardware AES device is inherited
    ;; from common.sb; confirm the GPU process actually uses it, otherwise it
    ;; is an unnecessary kernel driver surface.
    (allow file-read* file-write-data file-ioctl
           (literal "/dev/aes_0")))
348
;; Filter (not a rule) matching the on-disk logd/diagnostics stores; used by
;; logd-diagnostic-client below.
(define-once (logd-diagnostic-paths)
    (require-any
        (subpath "/private/var/db/diagnostics")
        (subpath "/private/var/db/timesync")
        (subpath "/private/var/db/uuidtext")
        (subpath "/private/var/userdata/diagnostics")))
;; Read access to the logd diagnostic stores, granted only when the process
;; BOTH carries one of the two diagnostic entitlements AND holds a
;; "com.apple.logd.read-only" extension. Either condition alone is not enough.
(define-once (logd-diagnostic-client)
    (with-filter
        (require-all
            (require-any
                (require-entitlement "com.apple.private.logging.diagnostic")
                (require-entitlement "com.apple.diagnosticd.diagnostic"))
            (extension "com.apple.logd.read-only"))
        (allow file-read*
               (logd-diagnostic-paths))))
364
;; Filter for the handful of /etc files basic libc/network lookups need;
;; consumed by the top-level file-read* grant further down.
(define required-etc-files
  (literal "/private/etc/fstab"
           "/private/etc/hosts"
           "/private/etc/group"
           "/private/etc/passwd"
           "/private/etc/protocols"
           "/private/etc/services"))
372
;; Speech synthesis (WebSpeech) and VoiceOver: preference domains plus
;; read-only access to the downloaded voice assets under the home directory.
(define-once (speech-synthesis-and-voiceover)
    ;; Speak Selection & VoiceOver
    ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
    ;; and <rdar://problem/13071747>
    (mobile-preferences-read
        "com.apple.SpeakSelection" ; Needed for WebSpeech
        "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
        "com.apple.voiceservices") ; Ditto

    ;; <rdar://problem/14555119> Access to high quality speech voices
    ;; Needed for WebSpeech
    (allow file-read*
        (home-subpath "/Library/VoiceServices/Assets")
        (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
)
388
389 ;; Things required by UIKit
;; Everything UIKit needs at process start: preference domains, the render
;; server and view-service lookups, and the IOSurface/JPEG IOKit clients.
(define-once (uikit-requirements)
    (mobile-preferences-read
        "com.apple.UIKit"
        "com.apple.WebUI"
        "com.apple.airplay"
        "com.apple.avkit"
        "com.apple.coreanimation"
        "com.apple.mt"
        "com.apple.preferences.sounds")

    (allow mach-lookup (with report) (with telemetry)
        (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
    )

    (allow mach-lookup
        (global-name "com.apple.CARenderServer"))

    ;; Regex-based lookups: any UIKit view service, plus any XPC service whose
    ;; name ends in the two suffixes below. These are broader than the literal
    ;; names elsewhere in this file, hence the report/telemetry tracking.
    (allow mach-lookup (with report) (with telemetry)
        (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")
        (xpc-service-name-regex #"\.apple-extension-service$") ;; <rdar://problem/19525887>
        (xpc-service-name-regex #"\.viewservice$") ;; <rdar://problem/31252371>
    )

    ; UIKit-required IOKit nodes.
    (allow iokit-open
        (iokit-user-client-class "AppleJPEGDriverUserClient")
        (iokit-user-client-class "IOSurfaceAcceleratorClient")
        (iokit-user-client-class "IOSurfaceSendRight")
        ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
        (iokit-user-client-class "IOSurfaceRootUserClient"))

    ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
    ;; <rdar://problem/13796537>
    (deny file-write-create
        (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
        (with no-report))
)
427
;; Dictionary Services: may create its cache directory and read the system
;; and per-user dictionary data (read-only).
(define-once (dictionary-support)
    ; Dictionary Services used by UITextFields.
    ; <rdar://problem/9386926>
    (allow-create-directory
        (home-literal "/Library/Caches/com.apple.DictionaryServices"))

    ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
    (allow file-read*
        ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
        (subpath "/Library/Dictionaries")
        (home-subpath "/Library/Dictionaries"))
)
440
;; No executable mappings by default; the with-elevated-precedence block below
;; and the later (debugging-support) call add the permitted exceptions.
(deny file-map-executable)

(deny file-write-mount file-write-unmount)

;; Directory metadata is readable everywhere, but without timestamps unless
;; the binary is Apple-signed.
(allow file-read-metadata (with no-times)
       (vnode-type DIRECTORY))
(with-filter (apple-signed-executable?)
  (allow file-read-metadata
         (vnode-type DIRECTORY)))

;; Apple-signed builds only: two specific cloud-configuration plists (literal
;; file names, via managed-configuration-read) and the security preferences.
(with-filter (apple-signed-executable?)
  (managed-configuration-read "CloudConfigurationDetails.plist")
  (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
  (mobile-preferences-read "com.apple.security"))

(with-filter (system-attribute apple-internal)
  (mobile-preferences-read "com.apple.PrototypeTools"))
458
;; Rules that must win over the more general rules elsewhere in this file.
;; Most read-only system paths, the executable-bundle grants and the generic
;; sandbox-extension plumbing live here.
(with-elevated-precedence
    (allow file-read*
           (subpath "/usr/lib"
                    "/usr/share"
                    "/private/var/db/timezone"))
    (allow-read-and-issue-generic-extensions
        (subpath "/Library/RegionFeatures"
                 "/System/Library"))
    (allow file-issue-extension
        (require-all
            (extension-class "com.apple.mediaserverd.read")
            (subpath "/System/Library")))
    ;; Carve hardware-identifying caches back out of the /System/Library grant
    ;; above: neither reading them nor issuing extensions for them is allowed.
    (let ((hw-identifying-paths
            (require-any
                (literal "/System/Library/Caches/apticket.der")
                (subpath "/System/Library/Caches/com.apple.kernelcaches")
                (subpath "/System/Library/Caches/com.apple.factorydata"))))
        (deny file-issue-extension file-read* hw-identifying-paths))
    
    ;; Executable mappings are denied globally elsewhere; system libraries and
    ;; frameworks (and, below, the process's own bundle) are the exceptions.
    (allow file-map-executable
           (subpath "/System/Library")
           (subpath "/usr/lib"))
    (allow file-read-metadata
           (vnode-type SYMLINK))

    ;;; <rdar://problem/24144418>
    (allow file-read*
           (subpath "/private/var/preferences/Logging"))

    ;; Global (any-application) preferences, both user and managed.
    (mobile-preferences-read "kCFPreferencesAnyApplication")
    (allow file-read*
           (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))

    (allow file-read*
           (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
    (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))

    (allow file-read-metadata
           (home-literal "/Library/Caches/powerlog.launchd"))

    (allow-read-and-issue-generic-extensions (executable-bundle))
    (allow file-map-executable (executable-bundle))

    ;; <rdar://problem/13963294>
    ;; SC_Info directories inside the bundle stay unreadable, unmappable and
    ;; cannot be handed out via extensions.
    (deny file-read-data file-issue-extension file-map-executable
        (require-all
            (executable-bundle)
            (regex #"/[^/]+/SC_Info/")))

    ;; Generic sandbox-extension plumbing. 'restrictive-extension is not
    ;; defined anywhere in the visible profile (util.sb is not shown), so
    ;; these rules are presumably active: holding any of the listed extension
    ;; types grants read (and, for the read-write types, write) access to the
    ;; paths they cover, and lets the process re-issue extensions of the
    ;; listed classes for them. Extensions are therefore the main dynamic
    ;; widening mechanism of this sandbox.
    (unless (defined? 'restrictive-extension)
        (with-filter
            (extension
                "com.apple.app-sandbox.read"
                "com.apple.app-sandbox.read-write"
                "com.apple.quicklook.readonly"
                "com.apple.security.exception.files.absolute-path.read-only"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-only"
                "com.apple.security.exception.files.home-relative-path.read-write"
                "com.apple.sharing.airdrop.readonly")
            (allow file-read* file-read-metadata)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read"
                                    "com.apple.mediaserverd.read"
                                    "com.apple.quicklook.readonly"
                                    "com.apple.sharing.airdrop.readonly")))
        (with-filter
            (extension
                "com.apple.app-sandbox.read-write"
                "com.apple.security.exception.files.absolute-path.read-write"
                "com.apple.security.exception.files.home-relative-path.read-write")
            (allow file-write*)
            (allow file-issue-extension
                   (extension-class "com.apple.app-sandbox.read-write"
                                    "com.apple.mediaserverd.read-write"))))

    ;; <rdar://problem/16079361>
    ;; Mach registration is only possible for names covered by an explicit
    ;; mach-register exception extension.
    (with-filter (global-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.global-name")))
    (with-filter (local-name-prefix "")
        (allow mach-register
               (extension "com.apple.security.exception.mach-register.local-name")))
    (allow-read-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-only")
           (extension "com.apple.security.exception.files.home-relative-path.read-only"))
    (allow-read-write-and-issue-generic-extensions
           (extension "com.apple.security.exception.files.absolute-path.read-write")
           (extension "com.apple.security.exception.files.home-relative-path.read-write"))
    ;; Extension-gated escape hatches for IOKit user clients and preferences.
    (allow iokit-open
           (extension "com.apple.security.exception.iokit-user-client-class"))
    (allow managed-preference-read
           (extension "com.apple.security.exception.managed-preference.read-only"))
    (allow user-preference-read
           (extension "com.apple.security.exception.shared-preference.read-only"))
    (allow user-preference-read user-preference-write
           (extension "com.apple.security.exception.shared-preference.read-write"))

    ;; NSURLStorage cache extensions may only be issued for paths under a
    ;; Caches directory: the front user's, or root's.
    ;; NOTE(review): the /private/var/root prefix is inherited from common.sb;
    ;; confirm it is still relevant for the GPU process.
    (allow file-issue-extension
          (require-all
              (extension-class "com.apple.nsurlstorage.extension-cache")
              (extension "com.apple.security.exception.files.home-relative-path.read-write")
              (require-any
                  (prefix "/private/var/root/Library/Caches/")
                  (front-user-home-prefix "/Library/Caches/"))))
)
565
;; Applied on every device (see the definition for the apple-internal gating
;; inside it). Because this runs after the global (deny file-map-executable),
;; its /Developer and framework mapping grants take effect.
(debugging-support)

;; Root directory and the basic /etc files (hosts, passwd, services, ...).
(allow file-read*
    required-etc-files
    (literal "/"))

(allow file-read*
       (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))

(device-access)
574
575 (device-access)
576
577 (allow file-issue-extension
578     (require-all
579         (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
580         (extension "com.apple.fileprovider.read-write")))
581
582 (allow mach-lookup
583     (global-name "com.apple.logd")
584     (global-name "com.apple.logd.events")
585     (global-name "com.apple.distributed_notifications@1v3")
586     (global-name "com.apple.aggregated")
587     (global-name "com.apple.cfprefsd.daemon"))
588
;; TCC (privacy prompts) -- tracked with report/telemetry.
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.tccd"))

;; Read-only view of the cfprefsd shared-memory segments.
(allow ipc-posix-shm-read*
       (ipc-posix-name-prefix "apple.cfprefs."))
 
;; LaunchServices open/mapdb (note: lsopen itself is denied further down).
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.lsd.open")
    (global-name "com.apple.lsd.mapdb"))
598
;; <rdar://problem/12413942>
;; MobileGestalt cache (device capability/identity data, read-only).
(allow file-read*
       (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
;; NOTE(review): a blanket (deny iokit-get-properties ...) appears later in
;; this file, after this allow; if later rules take precedence this grant is
;; ineffective as ordered -- verify.
(allow iokit-get-properties
       (iokit-property "IORegistryEntryPropertyKeys"))

(allow ipc-posix-sem-open
       (ipc-posix-name "containermanagerd.fb_check"))

;; The Setup-Assistant sentinel semaphore may be opened but not modified.
(with-filter (ipc-posix-name "purplebuddy.sentinel")
    (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
    (allow ipc-posix-sem-open))
611
(allow mach-lookup (with telemetry)
    (global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).

;; Scheduler overrides only with the private entitlement.
(allow system-sched
       (require-entitlement "com.apple.private.kernel.override-cpumon"))

;; Silently denied: frequently probed, not needed.
(deny sysctl-read (with no-report)
      (sysctl-name "sysctl.proc_native"))

;; Apple-internal builds may toggle footprint suspension (read AND write).
(with-filter (system-attribute apple-internal)
    (allow sysctl-read sysctl-write
           (sysctl-name "vm.footprint_suspend")))
624
(allow mach-lookup (with report) (with telemetry)
       (global-name "com.apple.system.logger"))

;; Outbound connection to the syslog socket (the only network-outbound
;; grant visible in this profile, scoped to that one path).
(allow file-read-metadata network-outbound
       (literal "/private/var/run/syslog"))

(allow mach-lookup
       (global-name "com.apple.system.notification_center"))
(allow ipc-posix-shm-read*
       (ipc-posix-name "apple.shm.notification_center"))

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.diagnosticd"))

;; Entitlement + extension gated (see definition).
(logd-diagnostic-client)

(managed-configuration-read-public)

;; Hide link-layer (MAC) addresses; denied silently.
(deny system-info (with no-report)
      (info-type "net.link.addr"))
645
(allow file-read*
       (subpath "/private/var/db/datadetectors/sys"))

(allow-well-known-system-group-container-subpath-read
       "/systemgroup.com.apple.icloud.findmydevice.managed/Library")

;; Task/process introspection is limited to the process itself.
(allow mach-task-name (target self))

(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
(allow process-info-setcontrol (target self))
(allow process-info-dirtycontrol (target self))
(allow process-info-rusage (target self))
(allow process-info-codesignature (target self))

(with-filter (apple-signed-executable?)
    (mobile-preferences-read "com.apple.demo-settings"))
664
665 ;;;
666 ;;; End common.sb content
667 ;;;
668
;; Blanket denials placed between the common.sb rules above and the
;; UIKit-apps.sb rules below. The specific XPC-service and IOKit-property
;; allows that follow (play-audio, uikit-requirements, opengl, home button)
;; come later in the file and are therefore not affected by these, assuming
;; later rules take precedence; the IORegistryEntryPropertyKeys allow above
;; is ordered before them and so presumably is.
(deny mach-lookup (xpc-service-name-prefix ""))
(deny iokit-get-properties (with partial-symbolication))
(deny lsopen)
672
673 ;;;
674 ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
675 ;;; remove unneeded sandbox extensions.
676 ;;;
677
;; Any app can play audio & movies.
(play-audio)
(play-media)

;; Access to media controls
(media-remote)

(url-translation)

;; TextInput framework
(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.TextInput"))

(mobile-preferences-read "com.apple.da")

(speech-synthesis-and-voiceover)

(allow mach-lookup (with report) (with telemetry)
    (global-name "com.apple.audio.AudioComponentRegistrar"))

;; Permit reading assets via MobileAsset framework.
;; (extension + path gated; also wires the asset filter into play-media)
(asset-access 'with-media-playback)

;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-literal-read
    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

;; Access the keyboards
(allow file-read*
    (home-subpath "/Library/Caches/com.apple.keyboards"))
708
;; Power logging
(allow mach-lookup
    (global-name "com.apple.powerlog.plxpclogger.xpc")) ;;  <rdar://problem/36442803>

;; Keyboard/input-mode preference domains (read-only).
(mobile-preferences-read
    "com.apple.EmojiPreferences"
    ; <rdar://problem/8477596> com.apple.InputModePreferences
    "com.apple.InputModePreferences"
    ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
    "com.apple.keyboard"
    ; <rdar://problem/9384085>
    "com.apple.Preferences"
    "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)

;; Silently deny unnecessary accesses caused by MessageUI framework.
;; This can be removed once <rdar://problem/47038102> is resolved.
(deny file-read*
    (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
    (with no-log))

;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
    (home-subpath "/Library/Fonts"))

;; <rdar://problem/7344719&26323449> LaunchServices app icons
(allow file-read*
    (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow mach-lookup (with report) (with telemetry)
    (xpc-service-name "com.apple.iconservices")
    (global-name "com.apple.iconservices"))
740
741 (allow-preferences-common)
742
743 ;; Home Button
;; Property read is scoped by `with-filter` to IOPlatformDevice entries and to
;; the single property name, rather than a blanket iokit-get-properties allow.
744 (with-filter (iokit-registry-entry-class "IOPlatformDevice")
745     (allow iokit-get-properties
746         (iokit-property "home-button-type")))
747
748 (uikit-requirements)
749
750 ;; <rdar://problem/9404009>
;; NOTE(review): this is the global (any-application) preference domain, so it
;; is a broader read than the named domains elsewhere in this file -- presumably
;; required by UIKit; confirm before narrowing.
751 (mobile-preferences-read "kCFPreferencesAnyApplication")
752
753 (dictionary-support)
754
755 ; <rdar://problem/8440231>
756 (allow file-read*
757     (home-literal "/Library/Caches/DateFormats.plist"))
758 ; Silently deny writes when CFData attempts to write to the cache directory.
; (write is denied regardless; `no-log` just keeps the expected attempt out
; of the sandbox violation log)
759 (deny file-write*
760     (home-literal "/Library/Caches/DateFormats.plist")
761     (with no-log))
762
763 (framebuffer-access)
764
765 ;; <rdar://problem/7822790>
766 (mobile-keybag-access)
767
768 ; <rdar://problem/7595408> , <rdar://problem/7643881>
769 (opengl)
770
771 ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
772 ; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
773 ; allowed to write its plist; ignore all others, they don't know what they are doing.
774 ; See <rdar://problem/9375027> for sample backtraces.
; `home-prefix` (not `home-literal`) so that temporary/side files written next
; to the plist under the same name prefix are covered by the deny as well.
775 (deny file-write*
776     (home-prefix "/Library/Preferences/com.apple.springboard.plist")
777     (with no-log))
778
779 ;; <rdar://problem/34986314>
780 (mobile-preferences-read "com.apple.indigo")
781
782 ;;;
783 ;;; End UIKit-apps.sb content
784 ;;;
785
;; sysctl: default-deny everything (reads and writes), then re-allow reads of
;; an explicit name list only.  No sysctl-write is re-allowed anywhere below.
;; NOTE(review): kern.bootargs and kern.hostname expose the boot arguments and
;; the device host name to this process; worth confirming they are still
;; needed when the unused-service list at the end of this file is revisited.
786 (deny sysctl*)
787 (allow sysctl-read
788     (sysctl-name
789         "hw.activecpu"
790         "hw.availcpu"
791         "hw.cachelinesize"
792         "hw.cputype"
793         "hw.l2cachesize"
794         "hw.logicalcpu"
795         "hw.logicalcpu_max"
796         "hw.ncpu"
797         "hw.machine"
798         "hw.memsize"
799         "hw.model"
800         "hw.pagesize_compat"
801         "hw.physicalcpu"
802         "hw.physicalcpu_max"
803         "kern.bootargs"
804         "kern.hostname"
805         "kern.memorystatus_level"
806         "kern.osproductversion"
807         "kern.osrelease"
808         "kern.osvariant_status"
809         "kern.secure_kernel"
810         "kern.version"
811         "vm.footprint_suspend"))
812
;; IOKit property reads, allowed by exact name (`iokit-property`) or by
;; pattern (`iokit-property-regex`).  Unlike the home-button rule above this
;; allow is not scoped with `with-filter` to a registry-entry class.
;; NOTE(review): none of the regexes is `$`-anchored, so the `^`-anchored ones
;; are prefix matches (e.g. "^DisplayPipe(...)" also matches longer names with
;; that prefix), and the two with no `^` at all -- "IOGVA(...)" and
;; "(canvas-height|canvas-width)" -- match any property name containing that
;; substring.  If exact names are intended, the literal `iokit-property` form
;; is the tighter choice; left unchanged here pending confirmation.
813 (allow iokit-get-properties
814     (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
815     (iokit-property "APTDevice")
816     (iokit-property "AVCSupported")
817     (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
818     (iokit-property "BaseAddressAlignmentRequirement")
819     (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
820     (iokit-property "HEVCSupported")
821     (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
822     (iokit-property "IOClassNameOverride")
823     (iokit-property "IOPlatformUUID")
824     (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
825     (iokit-property "Protocol Characteristics")
826     (iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
827     (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
828     (iokit-property "artwork-device-subtype")
829     (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
830     (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
831     (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
832     (iokit-property-regex #"(canvas-height|canvas-width)")
833     (iokit-property "chip-id") ;; <rdar://problem/52903477>
834     (iokit-property "class-code")
835     (iokit-property "color-accuracy-index")
836     (iokit-property "compatible") ;; <rdar://problem/47523516>
837     (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
838     (iokit-property "device-colors") ;; <rdar://problem/51322072>
839     (iokit-property "device-id")
840     (iokit-property "device-perf-memory-class")
841     (iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
842     (iokit-property "emu")
843     (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
844     (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
845     (iokit-property "hdcp-hoover-protocol")
846     (iokit-property "iommu-present")
847     (iokit-property "oled-display") ;; <rdar://problem/51322072>
848     (iokit-property "product-description") ;; <rdar://problem/49497788>
849     (iokit-property "product-id")
850     (iokit-property "region-info") ;; <rdar://problem/52903475>
851     (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475>
852     (iokit-property "soc-generation") ;; <rdar://problem/52903476>
853     (iokit-property "software-behavior")
854     (iokit-property "vendor-id")
855     (iokit-property "udid-version") ;; <rdar://problem/52903475>
856     (iokit-property "ui-pip") ;; <rdar://problem/48867037>
857 )
858
859 ;; Read-only preferences and data
;; Media/networking preference domains read by this process; all read-only.
860 (mobile-preferences-read
861     "com.apple.LaunchServices"
862     "com.apple.WebFoundation"
863     "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
864     "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
865     "com.apple.voiceservices.logging")
866
867 ;; Sandbox extensions
;; Apply `op` (allow or deny) to reads under `path-filter`, and to issuing
;; "com.apple.app-sandbox.read" extensions that are limited to the same paths.
(define apply-read-and-issue-extension
    (lambda (op path-filter)
        (op file-read* path-filter)
        (op file-issue-extension
            (require-all
                (extension-class "com.apple.app-sandbox.read")
                path-filter))))
;; Apply `op` (allow or deny) to writes under `path-filter`, and to issuing
;; "com.apple.app-sandbox.read-write" extensions limited to the same paths.
(define apply-write-and-issue-extension
    (lambda (op path-filter)
        (op file-write* path-filter)
        (op file-issue-extension
            (require-all
                (extension-class "com.apple.app-sandbox.read-write")
                path-filter))))
;; Allow reads under `path-filter` plus re-issuing read-class extensions for it.
(define read-only-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)))
;; Allow both reads and writes under `path-filter`, plus re-issuing the
;; matching read and read-write extension classes for it.
(define read-write-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)
        (apply-write-and-issue-extension allow path-filter)))
;; Paths are not listed here: access is granted only where the process holds a
;; sandbox extension of the named class, so the set of reachable files is
;; decided by whoever issues those extensions to this process.
879 (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
880 (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
881
882 ;; Access to client's cache folder & re-vending to CFNetwork.
;; A held read-write extension may be re-issued as a nsurlstorage
;; extension-cache class extension; `require-all` keeps it bound to the
;; paths of the extension already held.
883 (allow file-issue-extension (require-all
884     (extension "com.apple.app-sandbox.read-write")
885     (extension-class "com.apple.nsurlstorage.extension-cache")))
886
887 (accessibility-support)
888
889 (media-accessibility-support)
890
891 ;; Remote Web Inspector
;; NOTE(review): not marked `(with report) (with telemetry)` like the other
;; service lookups earlier in this file; consider aligning so inspector
;; attachment is visible in sandbox telemetry.
892 (allow mach-lookup
893        (global-name "com.apple.webinspector"))
894
895 ;; Various services required by CFNetwork and other frameworks
896 (allow mach-lookup
897     (global-name "com.apple.PowerManagement.control")
898     (global-name "com.apple.analyticsd"))
899
;; Hardening: the process may not create symlinks anywhere (presumably to keep
;; its own writes from being redirected through links it planted), and may
;; neither read nor write extended attributes whose name starts with
;; "com.apple.security.private." (regex is `^`-anchored, so prefix match).
900 (deny file-write-create (vnode-type SYMLINK))
901 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
902
903 ;; Allow loading injected bundles.
;; NOTE(review): no path filter -- any file this profile lets the process read
;; may also be mapped executable.  If injected-bundle locations are fixed, a
;; path filter here would narrow the rule; confirm there are no other
;; consumers before tightening.
904 (allow file-map-executable)
905
906 ;; Allow ManagedPreference access
;; Single-file literal (MDM-managed web content filter settings); read only.
907 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
908
;; file-read-data (not file-read*) of one literal path; metadata reads are
;; already covered by the file-read-metadata allow at the top of the profile.
909 (allow file-read-data
910     (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
911 )
912
;; Capability-gated lookups: these three services are reachable only while the
;; process holds a "com.apple.webkit.extension.mach" sandbox extension
;; (presumably issued to it by the UI process), not unconditionally.
913 (allow mach-lookup
914     (require-all
915         (extension "com.apple.webkit.extension.mach")
916         (global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd" "com.apple.AGXCompilerService")))
917
918 (media-capture-support)
919
920 ;; These services have been identified as unused during living-on.
921 ;; This list overrides some definitions above and in common.sb.
922 ;; FIXME: remove overridden rules once the final list has been
923 ;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
;; This deny sits after every allow in the file on purpose: it is the later
;; rule, so it takes precedence over any earlier allow for the same name.
;; Any new allow for this service added above this point will be overridden.
924 (deny mach-lookup
925     (global-name "com.apple.webkit.camera")
926 )