Remove network access from the WebContent process sandbox
1 ; Copyright (C) 2010-2018 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ; notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ; notice, this list of conditions and the following disclaimer in the
10 ; documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
(version 1)

;; Default-deny: any operation not explicitly allowed further down is refused.
;; The `with partial-symbolication` modifier presumably only shapes how violations
;; are reported, not the decision itself -- confirm against the sandbox documentation.
(deny default (with partial-symbolication))

;; Broad grant: auditing and metadata reads are permitted with no path filter at all.
;; NOTE(review): an unfiltered file-read-metadata presumably lets the process probe for the
;; existence of paths it cannot otherwise read -- confirm this is needed everywhere rather
;; than only under the subpaths granted below.
(allow system-audit file-read-metadata)

;; An empty prefix matches every XPC service name, so this refuses all XPC lookups up front;
;; the specific services the content process needs are re-allowed individually below.
(deny mach-lookup (xpc-service-name-prefix ""))

;; Rules shared with the other WebKit processes live in common.sb, which is not visible in
;; this file. Nothing in this file grants a network* operation, which matches the stated
;; intent of keeping network access out of the WebContent process; confirm that common.sb
;; does not re-grant one.
(import "common.sb")
31
;;;
;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
;;; remove unneeded sandbox extensions.
;;;
;;; Review note: because this is a copy rather than an import, every rule in this section is
;;; surface that web content can reach from inside the sandbox; rules that only a full UIKit app
;;; needs (and not a content process) are the candidates for removal when this block is revisited.
;;; The bare-macro rules used here (ubiquity-client, play-audio, play-media, url-translation,
;;; asset-access, mobile-preferences-read, ...) are defined in an imported profile; what they
;;; expand to is not visible in this file.
;;;

;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
(allow mach-lookup
    (global-name "com.apple.TextInput.preferences"))

(allow mach-lookup
    (xpc-service-name "com.apple.siri.context.service"))

(allow mach-lookup
    (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
    ;; Anchored at the start only: every global name under com.apple.uikit.viewservice. is reachable.
    (global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))

;; Any app could use ubiquity.
(ubiquity-client)

;; Any app can play audio & movies.
(play-audio)
(play-media)

(url-translation)

;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
(allow mach-lookup
    (global-name "com.apple.UIKit.KeyboardManagement")
    (global-name "com.apple.UIKit.KeyboardManagement.hosted"))

;; TextInput framework
(allow mach-lookup
    (global-name "com.apple.TextInput")
    (global-name "com.apple.TextInput.emoji")
    (global-name "com.apple.TextInput.image-cache-server")
    (global-name "com.apple.TextInput.lexicon-server")
    (global-name "com.apple.TextInput.rdt")
    (global-name "com.apple.TextInput.shortcuts"))
(mobile-preferences-read "com.apple.da")

;; Various Accessibility services.
(allow mach-lookup
    (xpc-service-name "com.apple.accessibility.AccessibilityUIServer")) ; Needed for Zoom focus updates

;; ZoomTouch
;; <rdar://problem/11823957>
(allow mach-lookup
    (global-name "com.apple.accessibility.AXBackBoardServer"))

;; Speak Selection & VoiceOver
;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
;; and <rdar://problem/13071747>
(mobile-preferences-read
    "com.apple.SpeakSelection") ; Needed for WebSpeech

(allow mach-lookup
    (global-name "com.apple.audio.AudioComponentPrefs")
    (global-name "com.apple.audio.AudioComponentRegistrar")
    (global-name "com.apple.audio.AudioQueueServer"))

;; The only rule in this file that lets the content process *register* (vend) a mach service
;; itself, as opposed to looking one up.
(allow mach-register
    (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility

;; <rdar://problem/14555119> Access to high quality speech voices
;; Needed for WebSpeech
(allow file-read*
    (home-subpath "/Library/VoiceServices/Assets")
    (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))

;; HearingAidSupport
(allow mach-lookup
    (xpc-service-name "com.apple.accessibility.heard"))

;; MediaAccessibility (captions)
;; <rdar://problem/12801477>
(mobile-preferences-read "com.apple.mediaaccessibility")
(allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))

;; Permit reading assets via MobileAsset framework.
(asset-access 'with-media-playback)

;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
(allow-well-known-system-group-container-literal-read
    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")

;; Access the keyboards
(allow file-read*
    (home-subpath "/Library/Caches/com.apple.keyboards"))

;; NSExtension helper for supplying information not provided by PlugInKit
(allow mach-lookup
    (xpc-service-name "com.apple.uifoundation-bundle-helper"))

;; NOTE(review): both regexes below are anchored only at the end ($), so every XPC service whose
;; name ends in the given suffix becomes reachable, not a fixed set of services. If the services
;; involved are known, anchoring the full name would narrow this.
;; <rdar://problem/19525887>
(allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
;; <rdar://problem/31252371>
(allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))

;; Power logging
(allow mach-lookup
    (global-name "com.apple.powerlog.plxpclogger.xpc")) ;;  <rdar://problem/36442803>

(mobile-preferences-read
    "com.apple.EmojiPreferences"
    ; <rdar://problem/8477596> com.apple.InputModePreferences
    "com.apple.InputModePreferences"
    ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
    "com.apple.keyboard"
    ; <rdar://problem/9384085>
    "com.apple.Preferences"
    "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
)

;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
(allow file-read*
    (home-subpath "/Library/Fonts"))

;; <rdar://problem/7344719&26323449> LaunchServices app icons
(allow file-read*
    (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow mach-lookup
    (xpc-service-name "com.apple.lsdiconservice"))

;; Common mach services needed by UIKit.
(allow mach-lookup
    (global-name "com.apple.CARenderServer")
    (global-name "com.apple.KeyboardServices.TextReplacementService")
    (global-name "com.apple.assertiond.applicationstateconnection")
    (global-name "com.apple.assertiond.expiration")
    (global-name "com.apple.assertiond.processinfoservice")
    (global-name "com.apple.audio.SystemSoundServer-iOS")
    (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
    (global-name "com.apple.backboard.animation-fence-arbiter")
    (global-name "com.apple.backboard.display.services")
    (global-name "com.apple.backboard.hid.focus")
    (global-name "com.apple.backboard.hid.services")
    (global-name "com.apple.iohideventsystem")
    (global-name "com.apple.iphone.axserver-systemwide")
    (global-name "com.apple.frontboard.workspace")
    ;; Already allowed above (UIViewServiceInterface rule); harmless duplicate.
    (global-name "com.apple.frontboard.systemappservices"))

(allow-preferences-common)
175
;; CoreMotion
(mobile-preferences-read "com.apple.CoreMotion")

;; CoreMotion’s deviceMotion API
;; Property reads are limited to one named key on two specific registry-entry classes.
(with-filter
    (require-any
        (iokit-registry-entry-class "AppleOscarNub")
        (iokit-registry-entry-class "AppleSPUHIDInterface"))
    (allow iokit-get-properties
        (iokit-property "gyro-interrupt-calibration")))
;; Opening this user client and *setting* the listed properties is a write path from web content
;; into an IOKit (kernel) HID driver; the explicit property list is what keeps it narrow.
(with-filter
    (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
    (allow iokit-open)
    (allow iokit-get-properties iokit-set-properties
        (iokit-property "interval"
                        "mode"
                        "QueueSize"
                        "useMag"))
    (allow iokit-get-properties
        (iokit-property "client")))

;; Common preferences read by UIKit.
(mobile-preferences-read "com.apple.Accessibility"
    "com.apple.UIKit"
    "com.apple.WebUI"
    "com.apple.airplay"
    "com.apple.avkit"
    "com.apple.coreanimation"
    "com.apple.mt"
    "com.apple.preferences.sounds")

;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
;; <rdar://problem/13796537>
;; (Written as explicit denies so that `no-report` can be attached; a deny never widens access.)
(deny file-write-create
    (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
    (with no-report))

;; <rdar://problem/10809394>
(deny file-write-create
    (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
    (with no-report))

;; <rdar://problem/9404009>
(mobile-preferences-read "kCFPreferencesAnyApplication")

;; <rdar://problem/10266866>
(marco-logging-client)

;; <rdar://problem/12250145>
;; Repeats the MediaAccessibility read granted earlier in this section; harmless duplicate.
(mobile-preferences-read "com.apple.mediaaccessibility")

; Dictionary Services used by UITextFields.
; <rdar://problem/9386926>
(allow-create-directory
    (home-literal "/Library/Caches/com.apple.DictionaryServices"))

; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
(allow file-read*
    ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
    (subpath "/Library/Dictionaries")
    (home-subpath "/Library/Dictionaries"))

; <rdar://problem/8440231>
(allow file-read*
    (home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
    (home-literal "/Library/Caches/DateFormats.plist")
    (with no-log))

; UIKit-required IOKit nodes.
; Each user client that may be opened here is kernel driver code reachable from web content;
; keep this list to what rendering actually needs.
(allow iokit-open
    (iokit-user-client-class "AppleJPEGDriverUserClient")
    (iokit-user-client-class "IOSurfaceAcceleratorClient")
    (iokit-user-client-class "IOSurfaceSendRight")
    ;; Required by UIView -> UITextMagnifierRenderer -> UIWindow
    (iokit-user-client-class "IOSurfaceRootUserClient"))

;; <rdar://problem/12675621>
(allow iokit-open
    (iokit-user-client-class "IOHIDLibUserClient"))

;; The bare-macro rules below (framebuffer-access, mobile-keybag-access, opengl, location-services)
;; are defined in an imported profile; what each of them grants is not visible in this file.
(framebuffer-access)

;; <rdar://problem/7822790>
(mobile-keybag-access)

; <rdar://problem/7595408> , <rdar://problem/7643881>
(opengl)

(location-services)

; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
; allowed to write its plist; ignore all others, they don't know what they are doing.
; See <rdar://problem/9375027> for sample backtraces.
(deny file-write*
    (home-prefix "/Library/Preferences/com.apple.springboard.plist")
    (with no-log))

;; <rdar://problem/34092690>
(allow mach-lookup
    (xpc-service-name "com.apple.avkit.SharedPreferences"))

;; <rdar://problem/34986314>
(mobile-preferences-read "com.apple.indigo")

;; <rdar://problem/35417382>, <rdar://problem/35518557>
(allow mach-lookup
    (global-name "com.apple.corespotlightservice"))

;; <rdar://problem/35446577>
(allow mach-lookup
    (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))

;; <rdar://problem/35509194>
(allow mach-lookup
    (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc"))

;;;
;;; End UIKit-apps.sb content
;;;
298
;; Access to media controls
;; (play-media is also granted in the UIKit section above; the repeat is harmless.)
(play-media)
(media-remote)

;; Explicit deny of every sysctl operation, then an allow-list of the handful of read-only names
;; needed. This keeps the kernel/hardware information exposed to web content to a minimum.
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.availcpu"
        "hw.ncpu"
        "hw.model"
        "kern.memorystatus_level"
        "vm.footprint_suspend"))

;; Same shape for IOKit property reads: deny everything, then allow-list what the graphics/media
;; stack needs. NOTE(review): this unfiltered deny comes *after* the CoreMotion
;; iokit-get-properties allows earlier in the file; confirm that those earlier, narrower allows
;; still take effect under the sandbox compiler's rule precedence, or move them below this line.
(deny iokit-get-properties (with partial-symbolication))
(allow iokit-get-properties
    ;; The regexes in this list are anchored at ^ only, i.e. they are prefix matches: any property
    ;; whose name begins with one of these patterns is readable.
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI))")
    (iokit-property "BaseAddressAlignmentRequirement")
    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
    (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
    (iokit-property "IOGLESDefaultUseMetal")
    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
    (iokit-property "emu")
    (iokit-property "hdcp-hoover-protocol")
    (iokit-property "iommu-present")
    (iokit-property "product-id")
    (iokit-property "software-behavior")
)

;; Read-only preferences and data
(mobile-preferences-read
    "com.apple.LaunchServices"
    "com.apple.WebFoundation"
    "com.apple.mobileipod"
    "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
    "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
    "com.apple.voiceservices.logging")
337
;; Sandbox extensions
;;
;; Helpers that pair a file operation with the right to re-issue a sandbox extension of the
;; matching class for the same paths. `rule` is the sandbox verb to apply (`allow` at every call
;; site in this file) and `paths` is the path filter that bounds both the file operation and the
;; extensions that may be issued.
(define (apply-read-and-issue-extension rule paths)
    ;; Read access, plus permission to hand out a read-only extension covering `paths`.
    (rule file-read* paths)
    (rule file-issue-extension
        (require-all (extension-class "com.apple.app-sandbox.read") paths)))

(define (apply-write-and-issue-extension rule paths)
    ;; Write access, plus permission to hand out a read-write extension covering `paths`.
    (rule file-write* paths)
    (rule file-issue-extension
        (require-all (extension-class "com.apple.app-sandbox.read-write") paths)))

;; Convenience wrappers that always `allow`.
(define (read-only-and-issue-extensions paths)
    (apply-read-and-issue-extension allow paths))

(define (read-write-and-issue-extensions paths)
    ;; Read-write implies read: grant both halves.
    (apply-read-and-issue-extension allow paths)
    (apply-write-and-issue-extension allow paths))
;; File access beyond the fixed paths above is driven by sandbox extensions held by this process:
;; the (extension "<class>") filter matches exactly the paths for which an extension of that class
;; has been issued to us (by the UI process, presumably), so each grant is only as wide as what was
;; handed over. The process may also re-issue extensions of the same class for those paths.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Access to client's cache folder & re-vending to CFNetwork.
;; Only paths already covered by a read-write extension can be re-issued under the nsurlstorage class.
;; FIXME: Remove the webkit specific extension classes <rdar://problem/17755931>
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read-write")
    (extension-class "com.apple.nsurlstorage.extension-cache")))

;; MediaAccessibility
;; Third grant of the mediaaccessibility read in this file (harmless duplicate). The .public domain
;; is the only preference domain granted read-write anywhere in this file.
(mobile-preferences-read "com.apple.mediaaccessibility")
(mobile-preferences-read-write "com.apple.mediaaccessibility.public")

;; Remote Web Inspector
;; A debugging channel into the content process; whether inspection is actually permitted is
;; presumably decided by the service, not by this profile.
(allow mach-lookup
       (global-name "com.apple.webinspector"))

;; Various services required by CFNetwork and other frameworks
;; Note that no network* operation is granted anywhere in this file: CFNetwork in this process is
;; expected to reach the network only by way of another process.
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.accountsd.accountmanager")
    (global-name "com.apple.analyticsd")
    (global-name "com.apple.coremedia.audiodeviceclock"))

;; Hardening: the content process may never create symlinks (presumably so it cannot redirect
;; paths that later receive extension-granted access), and it may neither read nor write the
;; com.apple.security.private.* extended attributes.
(deny file-write-create (vnode-type SYMLINK))
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; Allow loading injected bundles.
;; NOTE(review): this is unfiltered, so *any* file the process can read may be mapped executable,
;; not only injected bundles. If the bundle locations are known, a (subpath ...) filter here would
;; shrink that surface considerably.
(allow file-map-executable)
379
;; AWD logging
(awd-log-directory "com.apple.WebKit.WebContent")

;; Allow ManagedPreference access
;; Read-only, and only this single literal path (presumably the managed web-content-filter settings).
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))

(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

;; Allow mediaserverd to issue file extensions for the purposes of reading media
;; More precisely: this process may issue a com.apple.mediaserverd.read extension, but only for
;; paths it already holds a read extension for -- it cannot widen its own access this way.
(allow file-issue-extension (require-all
    (extension "com.apple.app-sandbox.read")
    (extension-class "com.apple.mediaserverd.read")))

;; Allow CoreMedia to communicate with mediaserverd in order to implement custom media loading
(allow mach-lookup
    (global-name "com.apple.coremedia.customurlloader.xpc"))

;; Media capture, microphone access
;; Gated on holding a com.apple.webkit.microphone extension: the device is only reachable while
;; that extension is held. Issuing it (the user-consent step) happens outside this profile.
(with-filter (extension "com.apple.webkit.microphone")
    (allow device-microphone))

;; Media capture, camera access
;; Same pattern, gated on a com.apple.webkit.camera extension. Note the mach-lookup line: while
;; the camera extension is held, every service covered by an app-sandbox.mach extension also
;; becomes reachable, rather than a fixed list of names.
(with-filter (extension "com.apple.webkit.camera")
    (allow user-preference-read
        (preference-domain "com.apple.coremedia"))
    (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
    (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
    (allow device-camera))

;; Support incoming video connections
(allow mach-lookup
    (global-name "com.apple.audio.audiohald")
    (global-name "com.apple.coremedia.compressionsession")
    (global-name "com.apple.coremedia.decompressionsession")
    (global-name "com.apple.coremedia.videoqueue"))