Close access to "lsopen" for non-UI process
[WebKit-https.git] / Source / WebKit / Resources / SandboxProfiles / ios / com.apple.WebKit.WebContent.sb
1 ; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ; notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ; notice, this list of conditions and the following disclaimer in the
10 ; documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
24 (version 1)
25 (deny default (with partial-symbolication))
26 (allow system-audit file-read-metadata)
27
28 (deny mach-lookup (xpc-service-name-prefix ""))
29
30 (import "common.sb")
31
32 (deny lsopen)
33
34 ;;;
35 ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
36 ;;; remove unneeded sandbox extensions.
37 ;;;
38
39 ;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
40 (allow mach-lookup
41     (global-name "com.apple.TextInput.preferences"))
42
43 (allow mach-lookup
44     (xpc-service-name "com.apple.siri.context.service"))
45
46 (allow mach-lookup
47     (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
48     (global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))
49
50 ;; Any app could use ubiquity.
51 (ubiquity-client)
52
53 ;; Any app can play audio & movies.
54 (play-audio)
55 (play-media)
56
57 (url-translation)
58
59 ;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
60 ;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
61 (allow mach-lookup
62     (global-name "com.apple.UIKit.KeyboardManagement")
63     (global-name "com.apple.UIKit.KeyboardManagement.hosted"))
64
65 ;; TextInput framework
66 (allow mach-lookup
67     (global-name "com.apple.TextInput")
68     (global-name "com.apple.TextInput.emoji")
69     (global-name "com.apple.TextInput.image-cache-server")
70     (global-name "com.apple.TextInput.lexicon-server")
71     (global-name "com.apple.TextInput.rdt")
72     (global-name "com.apple.TextInput.shortcuts"))
73 (mobile-preferences-read "com.apple.da")
74
75 ;; Various Accessibility services.
76 (allow mach-lookup
77     (xpc-service-name "com.apple.accessibility.AccessibilityUIServer")) ; Needed for Zoom focus updates
78
79 ;; ZoomTouch
80 ;; <rdar://problem/11823957>
81 (allow mach-lookup
82     (global-name "com.apple.accessibility.AXBackBoardServer"))
83
84 ;; Speak Selection & VoiceOver
85 ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
86 ;; and <rdar://problem/13071747>
87 (mobile-preferences-read
88     "com.apple.SpeakSelection") ; Needed for WebSpeech
89
90 (allow mach-lookup
91     (global-name "com.apple.audio.AudioComponentPrefs")
92     (global-name "com.apple.audio.AudioComponentRegistrar")
93     (global-name "com.apple.audio.AudioQueueServer"))
94
95 (allow mach-register
96     (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility
97
98 ;; <rdar://problem/14555119> Access to high quality speech voices
99 ;; Needed for WebSpeech
100 (allow file-read*
101     (home-subpath "/Library/VoiceServices/Assets")
102     (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
103
104 ;; HearingAidSupport
105 (allow mach-lookup
106     (xpc-service-name "com.apple.accessibility.heard"))
107
108 ;; MediaAccessibility (captions)
109 ;; <rdar://problem/12801477>
110 (mobile-preferences-read "com.apple.mediaaccessibility")
111 (allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))
112
113 ;; Permit reading assets via MobileAsset framework.
114 (asset-access 'with-media-playback)
115
116 ;; Network Extensions / VPN helper.
117 (allow mach-lookup
118     (global-name "com.apple.nehelper")
119     (global-name "com.apple.nesessionmanager"))
120
121 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
122 (allow-well-known-system-group-container-literal-read
123     "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
124
125 ;; Access the keyboards
126 (allow file-read*
127     (home-subpath "/Library/Caches/com.apple.keyboards"))
128
129 ;; NSExtension helper for supplying information not provided by PlugInKit
130 (allow mach-lookup
131     (xpc-service-name "com.apple.uifoundation-bundle-helper"))
132
133 ;; <rdar://problem/19525887>
134 (allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
135 ;; <rdar://problem/31252371>
136 (allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))
137
138 ;; Power logging
139 (allow mach-lookup
140     (global-name "com.apple.powerlog.plxpclogger.xpc")) ;;  <rdar://problem/36442803>
141
142 (mobile-preferences-read
143     "com.apple.EmojiPreferences"
144     ; <rdar://problem/8477596> com.apple.InputModePreferences
145     "com.apple.InputModePreferences"
146     ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
147     "com.apple.keyboard"
148     ; <rdar://problem/9384085>
149     "com.apple.Preferences"
150     "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
151 )
152
153 ;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
154 (allow file-read*
155     (home-subpath "/Library/Fonts"))
156
157 ;; <rdar://problem/7344719&26323449> LaunchServices app icons
158 (allow file-read*
159     (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
160 (allow mach-lookup
161     (xpc-service-name "com.apple.lsdiconservice"))
162
163 ;; Common mach services needed by UIKit.
164 (allow mach-lookup
165     (global-name "com.apple.CARenderServer")
166     (global-name "com.apple.KeyboardServices.TextReplacementService")
167     (global-name "com.apple.assertiond.applicationstateconnection")
168     (global-name "com.apple.assertiond.expiration")
169     (global-name "com.apple.assertiond.processinfoservice")
170     (global-name "com.apple.audio.SystemSoundServer-iOS")
171     (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
172     (global-name "com.apple.backboard.animation-fence-arbiter")
173     (global-name "com.apple.backboard.display.services")
174     (global-name "com.apple.backboard.hid.focus")
175     (global-name "com.apple.backboard.hid.services")
176     (global-name "com.apple.iohideventsystem")
177     (global-name "com.apple.iphone.axserver-systemwide")
178     (global-name "com.apple.frontboard.workspace")
179     (global-name "com.apple.frontboard.systemappservices"))
180
181 (allow-preferences-common)
182
183 ;; CoreMotion
184 (mobile-preferences-read "com.apple.CoreMotion")
185
186 ;; CoreMotion’s deviceMotion API
187 (with-filter
188     (require-any
189         (iokit-registry-entry-class "AppleOscarNub")
190         (iokit-registry-entry-class "AppleSPUHIDInterface"))
191     (allow iokit-get-properties
192         (iokit-property "gyro-interrupt-calibration")))
193 (with-filter
194     (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
195     (allow iokit-open)
196     (allow iokit-get-properties iokit-set-properties
197         (iokit-property "interval"
198                         "mode"
199                         "QueueSize"
200                         "useMag"))
201     (allow iokit-get-properties
202         (iokit-property "client")))
203
204 ;; Home Button
205 (with-filter (iokit-registry-entry-class "IOPlatformDevice")
206     (allow iokit-get-properties
207         (iokit-property "home-button-type")))
208
209 ;; Common preferences read by UIKit.
210 (mobile-preferences-read "com.apple.Accessibility"
211     "com.apple.UIKit"
212     "com.apple.WebUI"
213     "com.apple.airplay"
214     "com.apple.avkit"
215     "com.apple.coreanimation"
216     "com.apple.mt"
217     "com.apple.preferences.sounds")
218
219 ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
220 ;; <rdar://problem/13796537>
221 (deny file-write-create
222     (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
223     (with no-report))
224
225 ;; <rdar://problem/10809394>
226 (deny file-write-create
227     (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
228     (with no-report))
229
230 ;; <rdar://problem/9404009>
231 (mobile-preferences-read "kCFPreferencesAnyApplication")
232
233 ;; <rdar://problem/10266866>
234 (marco-logging-client)
235
236 ;; <rdar://problem/12250145>
237 (mobile-preferences-read "com.apple.mediaaccessibility")
238
239 ; Dictionary Services used by UITextFields.
240 ; <rdar://problem/9386926>
241 (allow-create-directory
242     (home-literal "/Library/Caches/com.apple.DictionaryServices"))
243
244 ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
245 (allow file-read*
246     ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
247     (subpath "/Library/Dictionaries")
248     (home-subpath "/Library/Dictionaries"))
249
250 ; <rdar://problem/8440231>
251 (allow file-read*
252     (home-literal "/Library/Caches/DateFormats.plist"))
253 ; Silently deny writes when CFData attempts to write to the cache directory.
254 (deny file-write*
255     (home-literal "/Library/Caches/DateFormats.plist")
256     (with no-log))
257
258 ; UIKit-required IOKit nodes.
259 (allow iokit-open
260     (iokit-user-client-class "AppleJPEGDriverUserClient")
261     (iokit-user-client-class "IOSurfaceAcceleratorClient")
262     (iokit-user-client-class "IOSurfaceSendRight")
263     ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
264     (iokit-user-client-class "IOSurfaceRootUserClient"))
265
266 ;; <rdar://problem/12675621>
267 (allow iokit-open
268     (iokit-user-client-class "IOHIDLibUserClient"))
269
270 (framebuffer-access)
271
272 ;; <rdar://problem/7822790>
273 (mobile-keybag-access)
274
275 ; <rdar://problem/7595408> , <rdar://problem/7643881>
276 (opengl)
277
278 (location-services)
279
280 ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
281 ; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
282 ; allowed to write its plist; ignore all others, they don't know what they are doing.
283 ; See <rdar://problem/9375027> for sample backtraces.
284 (deny file-write*
285     (home-prefix "/Library/Preferences/com.apple.springboard.plist")
286     (with no-log))
287
288 ;; <rdar://problem/34092690>
289 (allow mach-lookup
290     (xpc-service-name "com.apple.avkit.SharedPreferences"))
291
292 ;; <rdar://problem/34986314>
293 (mobile-preferences-read "com.apple.indigo")
294
295 ;; <rdar://problem/35417382>, <rdar://problem/35518557>
296 (allow mach-lookup
297     (global-name "com.apple.corespotlightservice"))
298
299 ;; <rdar://problem/35446577>
300 (allow mach-lookup
301     (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
302
303 ;; <rdar://problem/35509194>
304 (allow mach-lookup
305     (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc"))
306
307 ;;;
308 ;;; End UIKit-apps.sb content
309 ;;;
310
311 ;; Access to media controls
312 (play-media)
313 (media-remote)
314
315 (deny sysctl*)
316 (allow sysctl-read
317     (sysctl-name
318         "hw.availcpu"
319         "hw.ncpu"
320         "hw.model"
321         "kern.memorystatus_level"
322         "vm.footprint_suspend"))
323
324 (deny iokit-get-properties (with partial-symbolication))
325 (allow iokit-get-properties
326     (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
327     (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
328     (iokit-property "BaseAddressAlignmentRequirement")
329     (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
330     (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
331     (iokit-property "IOGLESDefaultUseMetal")
332     (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
333     (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
334     (iokit-property "emu")
335     (iokit-property "hdcp-hoover-protocol")
336     (iokit-property "iommu-present")
337     (iokit-property "product-id")
338     (iokit-property "software-behavior")
339 )
340
341 ;; Read-only preferences and data
342 (mobile-preferences-read
343     "com.apple.LaunchServices"
344     "com.apple.WebFoundation"
345     "com.apple.mobileipod"
346     "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
347     "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
348     "com.apple.voiceservices.logging")
349
350 ;; Sandbox extensions
351 (define (apply-read-and-issue-extension op path-filter)
352     (op file-read* path-filter)
353     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
354 (define (apply-write-and-issue-extension op path-filter)
355     (op file-write* path-filter)
356     (op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
357 (define (read-only-and-issue-extensions path-filter)
358     (apply-read-and-issue-extension allow path-filter))
359 (define (read-write-and-issue-extensions path-filter)
360     (apply-read-and-issue-extension allow path-filter)
361     (apply-write-and-issue-extension allow path-filter))
362 (read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
363 (read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
364
365 ;; Access to client's cache folder & re-vending to CFNetwork.
366 ;; FIXME: Remove the webkti specific extension classes <rdar://problem/17755931>
367 (allow file-issue-extension (require-all
368     (extension "com.apple.app-sandbox.read-write")
369     (extension-class "com.apple.nsurlstorage.extension-cache")))
370
371 ;; MediaAccessibility
372 (mobile-preferences-read "com.apple.mediaaccessibility")
373 (mobile-preferences-read-write "com.apple.mediaaccessibility.public")
374
375 ;; Remote Web Inspector
376 (allow mach-lookup
377        (global-name "com.apple.webinspector"))
378
379 ;; Various services required by CFNetwork and other frameworks
380 (allow mach-lookup
381     (global-name "com.apple.PowerManagement.control")
382     (global-name "com.apple.accountsd.accountmanager")
383     (global-name "com.apple.analyticsd")
384     (global-name "com.apple.coremedia.audiodeviceclock"))
385
386 (deny file-write-create (vnode-type SYMLINK))
387 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
388
389 ;; Allow loading injected bundles.
390 (allow file-map-executable)
391
392 ;; AWD logging
393 (awd-log-directory "com.apple.WebKit.WebContent")
394
395 ;; Allow ManagedPreference access
396 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
397
398 (allow file-read-data
399     (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
400 )
401
402 ;; Allow mediaserverd to issue file extensions for the purposes of reading media
403 (allow file-issue-extension (require-all
404     (extension "com.apple.app-sandbox.read")
405     (extension-class "com.apple.mediaserverd.read")))
406
407 ;; Allow CoreMedia to communicate with mediaserverd in order to implement custom media loading
408 (allow mach-lookup
409     (global-name "com.apple.coremedia.customurlloader.xpc"))
410
411 ;; Media capture, microphone access
412 (with-filter (extension "com.apple.webkit.microphone")
413     (allow device-microphone))
414
415 ;; Media capture, camera access
416 (with-filter (extension "com.apple.webkit.camera")
417     (allow user-preference-read
418         (preference-domain "com.apple.coremedia"))
419     (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
420     (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
421     (allow device-camera))
422
423 ;; Support incoming video connections
424 (allow mach-lookup
425     (global-name "com.apple.audio.audiohald")
426     (global-name "com.apple.coremedia.compressionsession")
427     (global-name "com.apple.coremedia.decompressionsession")
428     (global-name "com.apple.coremedia.videoqueue"))
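Review bot: The new `(deny lsopen)` rule (file line 32) carries no comment, while nearly every other rule in this profile records its rationale or an rdar reference; add `;; WebContent is not a UI process and must not launch applications through LaunchServices.` directly above it. Its placement immediately after `(import "common.sb")` looks deliberate — assuming the usual last-match-wins evaluation of sandbox rules, the explicit deny only overrides whatever the imported profile grants because it comes later — so the comment should also state that the line must stay below the import. Unlike the `(with no-report)`/`(with no-log)` denials elsewhere in the file, this deny reports violations, which seems the right choice here since any lsopen attempt from WebContent is unexpected and worth surfacing; if that is intentional, saying so in the comment will keep a future cleanup from silencing it.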