AX: Need an entitlement for WebContent to send accessibility notifications
[WebKit-https.git] / Source / WebKit / Resources / SandboxProfiles / ios / com.apple.WebKit.WebContent.sb
index 93ef8bb..95970b6 100644 (file)
@@ -1,4 +1,4 @@
-; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
+; Copyright (C) 2010-2019 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions
 (deny default (with partial-symbolication))
 (allow system-audit file-read-metadata)
 
+(import "common.sb")
+
 (deny mach-lookup (xpc-service-name-prefix ""))
 
-(import "common.sb")
+(deny lsopen)
 
 ;;;
 ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
 ;;; remove unneeded sandbox extensions.
 ;;;
 
-;;;
-;;; Declare that the process hosts UI provided by another process.
-;;; (This could potentially be any application; see <rdar://problem/11034833> and
-;;;  <rdar://problem/11330224> for details)
-;;;
-(define-once (remote-view-client)
-    (allow mach-lookup
-        (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
-        (global-name-regex #"^com\.apple\.uikit\.viewservice\..+")))
+(allow mach-lookup
+    (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
+    (global-name-regex #"^com\.apple\.uikit\.viewservice\..+"))
 
-;;;
-;;; Declare that the process serves UI that can be remotely-hosted by another process.
-;;;
-(define-once (remote-view-service)
-    ;; RemoteViewServices need to lookup their own accessility service in order to send
-    ;; the mach port to the hosting app.
-    (allow mach-lookup
-        (local-name "com.apple.iphone.axserver"))
-    ;; RemoteViewServices need to lookup the bundle identifier of the application hosting
-    ;; their views (see <rdar://problem/11780984>).
-    (allow mach-lookup
-        (global-name "com.apple.springboard.backgroundappservices")))
-
-(define (uikit-app . rest)
-    ;;; <rdar://problem/29959382> Allow UIKit apps access to com.apple.TextInput.preferences mach service
-    (allow mach-lookup
-        (global-name "com.apple.TextInput.preferences"))
-
-    (allow mach-lookup
-        (xpc-service-name "com.apple.siri.context.service"))
-
-    ;; Any UI could be remote-hosted.
-    (remote-view-client)
-
-    ;; Any app could use ubiquity.
-    (ubiquity-client)
-
-    ;; Any app can play audio & movies.
-    (play-audio)
-    (play-media)
-
-    ;; Any app can use ProgressKit
-    (progresskit-client)
-
-    (url-translation)
-
-    ;; For <rdar://problem/20812377> All applications need to be able to access the com.apple.UIKit.KeyboardManagement running in backboardd
-    ;; renamed in <rdar://problem/20909914> Rename com.apple.UIKit.KeyboardManagement
-    (allow mach-lookup
-        (global-name "com.apple.UIKit.KeyboardManagement")
-        (global-name "com.apple.UIKit.KeyboardManagement.hosted"))
-
-    ;; For <rdar://problem/23469318> Allow UIKit-based apps to access com.apple.remote-text-editing mach service
-    ;; and <rdar://problem/23579008> REM: Allow UIKit-based apps to access com.apple.remote-input-limiting mach service
-    (when tv?
-        (allow mach-lookup
-            (global-name "com.apple.remote-input-limiting")
-            (global-name "com.apple.remote-text-editing")
-            (global-name "com.apple.remote-text-editing-legacy")
-            (global-name "com.apple.sharing.remote-text-editing")))
-
-    ;; For ApplicationScripting
-    ;; <rdar://problem/12778546> ASProcessScriptEvent fails to obtain port for event return
-    (allow mach-lookup
-        (global-name "ScripterServer"))
-
-    ;; TextInput framework
-    (allow mach-lookup
-        (global-name "com.apple.TextInput")
-        (global-name "com.apple.TextInput.emoji")
-        (global-name "com.apple.TextInput.image-cache-server")
-        (global-name "com.apple.TextInput.lexicon-server")
-        (global-name "com.apple.TextInput.rdt")
-        (global-name "com.apple.TextInput.shortcuts"))
-    (mobile-preferences-read "com.apple.da")
-
-    ;; Various Accessibility services.
-    (allow mach-lookup
-        (xpc-service-name "com.apple.accessibility.AccessibilityUIServer"))
-
-    ;; Guided Access support (<rdar://problem/11683460>).
-    (allow mach-lookup
-        (global-name "com.apple.accessibility.gax.backboard"))
-    (allow mach-register
-        (local-name "com.apple.accessibility.gax.client"))
-
-    ;; AssistiveTouch
-    ;; <rdar://problem/11800071> sandbox error for remote message services when AssistiveTouch is running
-    (allow mach-lookup
-        (global-name "UIASTNotificationCenter"))
-
-    ;; ZoomTouch
-    ;; <rdar://problem/11823957>
-    (allow mach-lookup
-        (global-name "com.apple.accessibility.AXBackBoardServer"))
-
-    ;; Speak Selection & VoiceOver
-    ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
-    ;; and <rdar://problem/13071747>
-    (mobile-preferences-read
-        "com.apple.SpeakSelection"
-        "com.apple.VoiceOverTouch"
-        "com.apple.voiceservices")
-    (allow mach-lookup
-        (global-name "com.apple.audio.AudioComponentPrefs")
-        (global-name "com.apple.audio.AudioComponentRegistrar")
-        (global-name "com.apple.audio.AudioQueueServer")
-        (global-name "com.apple.voiceservices.keepalive")
-        (global-name "com.apple.voiceservices.tts"))
-    (allow mach-register
-        (local-name "com.apple.iphone.axserver"))
-    ;; <rdar://problem/14555119> Access to high quality speech voices
-    (allow file-read*
-        (home-subpath "/Library/VoiceServices/Assets")
-        (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
-
-    ;; HearingAidSupport
-    (allow mach-lookup
-        (xpc-service-name "com.apple.accessibility.heard"))
-
-    ;; MediaAccessibility (captions)
-    ;; <rdar://problem/12801477>
-    (mobile-preferences-read "com.apple.mediaaccessibility")
-        (allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))
-
-    ;; MobileAssistantFramework's AFContextManager
-    ;; <rdar://problem/13742083> & <rdar://problem/13717391> & <rdar://problem/13811297>
-    (allow mach-register mach-lookup
-        (local-name-regex #"^com\.apple\.assistant\.contextprovider\."))
-
-    ;; Permit reading assets via MobileAsset framework.
-    (asset-access 'with-media-playback)
-
-    ;; Permit access to on-demand resources.
-    (allow mach-lookup
-        (global-name "com.apple.ondemandd.client"))
-    (with-filter
-        (require-all
-            (require-any
-                (home-subpath "/Library/OnDemandResources/AssetPacks")
-                (well-known-system-group-container-subpath "/systemgroup.com.apple.ondemandresources/Library/AssetPacks"))
-            (extension "com.apple.odr-assets"))
-        (allow file-read*)
-        (allow file-issue-extension
-            (extension-class "com.apple.app-sandbox.read" "com.apple.mediaserverd.read")))
-
-    ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
-    (allow-well-known-system-group-container-literal-read
-        "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
-
-    ;; allow replayd to extend read access to its data
-    (allow file-read*
-        (require-all
-            (extension "com.apple.replayd.read-only")
-            (home-subpath "/Library/ReplayKit")))
-
-    ;; AirPlay
-    (allow mach-lookup
-        (global-name "com.apple.airplaydiagnostics.server"))
-
-    ;; Access the keyboards
-    (allow file-read*
-        (home-subpath "/Library/Caches/com.apple.keyboards"))
-
-    ;; NSExtension helper for supplying information not provided by PlugInKit
-    (allow mach-lookup
-        (xpc-service-name "com.apple.uifoundation-bundle-helper"))
-
-    ;; <rdar://problem/19525887>
-    (allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
-    ;; <rdar://problem/31252371>
-    (allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))
-
-    ;; DataDetectors -> CallKit so user can place calls by tapping on phone numbers.
-    (allow mach-lookup
-        (global-name "com.apple.callkit.callcontrollerhost"))
-
-    ;; DataDetectors; update CoreRecents with recently-detected addresses, etc.
-    (allow mach-lookup
-        (xpc-service-name "com.apple.datadetectors.AddToRecentsService"))
-
-    ;; Accessoryd
-    (allow mach-lookup
-        (global-name "com.apple.accessories.externalaccessory-server"))
-
-    ;; Power logging
-    (allow mach-lookup
-        (global-name "com.apple.powerlog.plxpclogger.xpc"))
-
-    ;; <rdar://problem/19460486>
-    (nano-preferences-read ".GlobalPreferences")
-
-    (mobile-preferences-read
-        ; To determine whether the dictation opt-in alert should be suppressed.
-        "com.apple.assistant.backedup"
-        ; Keyboard Dictation reads the list of supported languages from com.apple.assistant.support.plist.
-        ; And Dictation checks whether Assistant is enabled by reading the same plist.
-        ; <rdar://problem/9883999> com.apple.assistant.support preference domain needs to be unsandboxed
-        "com.apple.assistant.support"
-        "com.apple.EmojiPreferences"
-        ; For CarPlay screen aspect ratio (rdar://problem/20062770).
-        "com.apple.iapd"
-        ; <rdar://problem/8477596> com.apple.InputModePreferences
-        "com.apple.InputModePreferences"
-        ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
-        "com.apple.keyboard"
-        ; <rdar://problem/25130834> Spotlight suggestions in Lookup preference should be readable by any process
-        "com.apple.lookup.shared"
-        ; <rdar://problem/9384085>
-        "com.apple.Preferences")
-
-    ;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
-    (allow file-read*
-        (home-subpath "/Library/Fonts"))
-
-    ;; <rdar://problem/23803332>, <rdar://problem/9457549>, <rdar://problem/13237899>
-    (allow mach-lookup
-        (global-name "com.apple.assistant.analytics")
-        (global-name "com.apple.assistant.dictation")
-        (global-name "com.apple.dictationd.recognition"))
-
-    ;; For copy-and-paste.
-    (allow mach-lookup
-        (global-name "com.apple.UIKit.pasteboardd")
-        (global-name "com.apple.pasteboard.pasted"))
-
-    ;; <rdar://problem/9749387>
-    (allow file-read*
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist"))
-
-    ;; For Social.framework
-    ;; <rdar://problem/13239172>
-    (allow file-read*
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist")
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist")
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist")
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist"))
-
-    ;; <rdar://problem/7344719&26323449> LaunchServices app icons
-    (allow file-read*
-        (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
-    (allow mach-lookup
-        (xpc-service-name "com.apple.lsdiconservice"))
-
-    ;; <rdar://problem/14184130> SpringBoard needs read/write to statusbar cache folder - all apps need read
-    (allow file-read*
-        (home-subpath "/Library/Caches/com.apple.UIStatusBar"))
-
-    ;; <rdar://problem/22346174> Allow read-only access from the container profile to ~/Library/TVWallpaper
-    (when tv?
-        (allow file-read*
-        (home-subpath "/Library/TVWallpaper")))
-
-    ;; Common mach services needed by UIKit.
-    (allow mach-lookup
-        (global-name "com.apple.CARenderServer")
-        (global-name "com.apple.KeyboardServices.TextReplacementService")
-        (global-name "com.apple.UIKit.statusbarserver")
-        (global-name "com.apple.uikit.GestureServer")
-        (global-name "com.apple.assertiond.applicationstateconnection")
-        (global-name "com.apple.assertiond.expiration")
-        (global-name "com.apple.assertiond.processinfoservice")
-        (global-name "com.apple.audio.hapticd")
-        (global-name "com.apple.audio.SystemSoundServer-iOS")
-        (global-name "com.apple.backboard.TouchDeliveryPolicyServer")
-        (global-name "com.apple.backboard.animation-fence-arbiter")
-        (global-name "com.apple.backboard.display.services")
-        (global-name "com.apple.backboard.hid.focus")
-        (global-name "com.apple.backboard.hid.services")
-        (global-name "com.apple.iohideventsystem")
-        (global-name "com.apple.iphone.axserver-systemwide")
-        (global-name "com.apple.frontboard.workspace")
-        (global-name "com.apple.frontboard.systemappservices")
-        (global-name "com.apple.progressd"))
-
-    (pasteboard-client)
-    (springboard-services)
-
-    (when gizmo?
-        (mobile-preferences-read "com.apple.nano")
-        (allow mach-lookup
-            (global-name "com.apple.appaudiod")
-            (global-name "com.apple.Carousel.ButtonTapAssertion")
-            (global-name "com.apple.Carousel.CSLSBackgroundTaskRequestService")
-            (global-name "com.apple.Carousel.CSLSDockStatusService")
-            (global-name "com.apple.Carousel.activatingUIAssertion")
-            (global-name "com.apple.Carousel.alertSuppression")
-            (global-name "com.apple.Carousel.appOnWake")
-            (global-name "com.apple.Carousel.suspendSystemGestureAssertion")
-            (global-name "com.apple.carousel.backlightxpc")
-            (global-name "com.apple.carousel.brightnesscalculator")
-            (global-name "com.apple.carousel.connectionstatusservice")
-            (global-name "com.apple.Carousel.contextuallock")
-            (global-name "com.apple.carousel.fetchschedulingservice")
-            (global-name "com.apple.carousel.snapshotservice")
-            (global-name "com.apple.carousel.uiscalingservice")
-            (global-name "com.apple.carousel.unblankingsynchronization")
-            (global-name "com.apple.pepperuicore.statusbaritemserver")))
-
-    ;; AirDrop from the activity sheet.
-    ;; <rdar://problem/12715391>, <rdar://problem/12847034>, <rdar://problem/16400661>
-    (allow mach-lookup
-        (global-name "com.apple.sharingd")
-        (global-name "com.apple.sharingd.nsxpc")
-        (with report)
-        (with message "This rule is being removed in rdar://15713112 -- please report this violation to Sandbox_profiles | all"))
-    (allow-preferences-common)
-    (allow user-preference-read
-        (preference-domain "com.apple.Sharing")
-        (with report)
-        (with message "This rule is being removed in rdar://15713112 -- please report this violation to Sandbox_profiles | all"))
-
-    ;; <rdar://problem/30874167> Create a new CacheDelete mach service to allow for public API for purgeable space requests
-    (allow mach-lookup
-        (global-name "com.apple.cache_delete.public"))
-
-    ;; MIDI
-    (allow ipc-posix-shm-read* ipc-posix-shm-write-data
-        (ipc-posix-name-regex #"^Apple MIDI (in|out) [0-9]+$"))
-
-    ;; CoreMotion
-    (mobile-preferences-read "com.apple.CoreMotion")
-
-    ;; CoreMotion’s deviceMotion API
-    (with-filter
-        (require-any
-            (iokit-registry-entry-class "AppleOscarNub")
-            (iokit-registry-entry-class "AppleSPUHIDInterface"))
-        (allow iokit-get-properties
-            (iokit-property "gyro-interrupt-calibration")))
-    (with-filter (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
+;; Any app could use ubiquity.
+(ubiquity-client)
+
+;; Any app can play audio & movies.
+(play-audio)
+(play-media)
+
+;; Access to media controls
+(media-remote)
+
+(url-translation)
+
+;; TextInput framework
+(allow mach-lookup
+    (global-name "com.apple.TextInput"))
+
+(mobile-preferences-read "com.apple.da")
+
+;; Speak Selection & VoiceOver
+;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
+;; and <rdar://problem/13071747>
+(mobile-preferences-read
+    "com.apple.SpeakSelection" ; Needed for WebSpeech
+    "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
+    "com.apple.voiceservices") ; Ditto
+
+(allow mach-lookup
+    (global-name "com.apple.audio.AudioComponentRegistrar"))
+
+(allow mach-register
+    (local-name "com.apple.iphone.axserver")) ; Needed for Application Accessibility
+(allow mach-lookup
+    (global-name "com.apple.iphone.axserver-systemwide")) ; Needed to send accessibility notifications.
+
+;; <rdar://problem/14555119> Access to high quality speech voices
+;; Needed for WebSpeech
+(allow file-read*
+    (home-subpath "/Library/VoiceServices/Assets")
+    (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
+
+;; MediaAccessibility (captions)
+;; <rdar://problem/12801477>
+(mobile-preferences-read "com.apple.mediaaccessibility")
+(allow mach-lookup (global-name "com.apple.accessibility.mediaaccessibilityd"))
+
+;; Permit reading assets via MobileAsset framework.
+(asset-access 'with-media-playback)
+
+;; Network Extensions / VPN helper.
+(allow mach-lookup
+    (global-name "com.apple.nehelper")
+    (global-name "com.apple.nesessionmanager.content-filter")) ;; <rdar://problem/48442387>
+
+;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
+(allow-well-known-system-group-container-literal-read
+    "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
+
+;; Access the keyboards
+(allow file-read*
+    (home-subpath "/Library/Caches/com.apple.keyboards"))
+
+;; <rdar://problem/19525887>
+(allow mach-lookup (xpc-service-name-regex #"\.apple-extension-service$"))
+;; <rdar://problem/31252371>
+(allow mach-lookup (xpc-service-name-regex #"\.viewservice$"))
+
+;; Power logging
+(allow mach-lookup
+    (global-name "com.apple.powerlog.plxpclogger.xpc")) ;;  <rdar://problem/36442803>
+
+(mobile-preferences-read
+    "com.apple.EmojiPreferences"
+    ; <rdar://problem/8477596> com.apple.InputModePreferences
+    "com.apple.InputModePreferences"
+    ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
+    "com.apple.keyboard"
+    ; <rdar://problem/9384085>
+    "com.apple.Preferences"
+    "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
+)
+
+;; Silently deny unnecessary accesses caused by MessageUI framework.
+;; This can be removed once <rdar://problem/47038102> is resolved.
+(deny file-read*
+    (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
+    (with no-log))
+
+;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
+(allow file-read*
+    (home-subpath "/Library/Fonts"))
+
+;; <rdar://problem/7344719&26323449> LaunchServices app icons
+(allow file-read*
+    (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
+(allow mach-lookup
+    (xpc-service-name "com.apple.iconservices")
+    (global-name "com.apple.iconservices"))
+
+;; Common mach services needed by UIKit.
+(allow mach-lookup
+    (global-name "com.apple.CARenderServer")
+    (global-name "com.apple.iohideventsystem")
+    (global-name "com.apple.frontboard.systemappservices"))
+
+;; <rdar://problem/47268166>
+(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
+
+(allow-preferences-common)
+
+;; CoreMotion
+(mobile-preferences-read "com.apple.CoreMotion")
+
+;; CoreMotion’s deviceMotion API
+(with-filter
+    (require-any
+        (iokit-registry-entry-class "AppleOscarNub")
+        (iokit-registry-entry-class "AppleSPUHIDInterface"))
+    (allow iokit-get-properties
+        (iokit-property "gyro-interrupt-calibration")))
+(with-filter
+    (iokit-registry-entry-class "IOHIDEventServiceFastPathUserClient")
     (allow iokit-open)
     (allow iokit-get-properties iokit-set-properties
         (iokit-property "interval"
                         "QueueSize"
                         "useMag"))
     (allow iokit-get-properties
-    (iokit-property "client")))
-
-    ;; Common preferences read by UIKit.
-    (mobile-preferences-read "com.apple.Accessibility"
-        "com.apple.UIKit"
-        "com.apple.WebUI"
-        "com.apple.airplay"
-        "com.apple.avkit"
-        "com.apple.coreanimation"
-        "com.apple.mt"
-        "com.apple.preferences.sounds"
-        "com.apple.telephonyutilities.dialassist")
-
-    ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
-    ;; <rdar://problem/13796537>
-    (deny file-write-create
-        (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
-        (with no-report))
-
-    ;; <rdar://problem/10809394>
-    (deny file-write-create
-        (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
-        (with no-report))
-
-    ;; <rdar://problem/9404009>
-    (mobile-preferences-read "kCFPreferencesAnyApplication")
-
-    ;; <rdar://problem/10266866>
-    (marco-logging-client)
-
-    ;; <rdar://problem/12250145>
-    (mobile-preferences-read "com.apple.mediaaccessibility")
-
-    ; Dictionary Services used by UITextFields.
-    ; <rdar://problem/9386926>
-    (allow-create-directory
-        (home-literal "/Library/Caches/com.apple.DictionaryServices"))
-
-    ; <rdar://problem/11204655>
-    (mobile-preferences-read "com.apple.MapKit.internal")
-
-    ;; Required to detect whether Airplane mode is enabled.
-    (allow file-read*
-        (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist"))
-
-    (when (memq 'with-printing rest)
-        (allow file-read-metadata network-outbound
-            (literal "/private/var/run/printd"))
-        (allow mach-lookup
-            (xpc-service-name "com.apple.PrintKit.PrinterTool")))
-
-    ; <rdar://problem/9007191> , <rdar://problem/9244785>
-    (when (memq 'with-gamekit-data rest)
-        (allow file-read*
-            (home-regex "/Library/GameKit/Data/[^/]+\.gcdata$"))
-        (allow file-read-metadata
-            (home-literal "/Library/GameKit/Data")))
-
-    ; rfc3484 -- from common.sb
-    (unless (memq 'without-network rest)
-        (allow-network-common))
-
-    ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
-    (allow file-read*
-        ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
-        (subpath "/Library/Dictionaries")
-        (home-subpath "/Library/Dictionaries"))
-
-    ; <rdar://problem/8440231>
-    (allow file-read*
-        (home-literal "/Library/Caches/DateFormats.plist"))
-    ; Silently deny writes when CFData attempts to write to the cache directory.
-    (deny file-write*
-        (home-literal "/Library/Caches/DateFormats.plist")
-        (with no-log))
-
-    ; UIKit-required IOKit nodes.
-    (allow iokit-open
-        (iokit-user-client-class "AppleJPEGDriverUserClient")
-        (iokit-user-client-class "IOSurfaceAcceleratorClient")
-        (iokit-user-client-class "IOSurfaceSendRight")
-        ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
-        (iokit-user-client-class "IOSurfaceRootUserClient"))
-
-    ;; <rdar://problem/12675621>
-    (allow iokit-open
-        (iokit-user-client-class "IOHIDLibUserClient"))
-
-    (framebuffer-access)
-
-    ;; <rdar://problem/7822790>
-    (mobile-keybag-access)
-
-    ; <rdar://problem/7595408> , <rdar://problem/7643881>
-    (if (memq 'with-opengl rest)
-        (opengl))
-
-    (if (memq 'with-geoservices rest)
-        (geoservices))
-
-    (if (memq 'with-location-services rest)
-        (location-services))
-
-    ; <rdar://problem/8181749> Allow access to iTunes database files in container.sb
-    (if (memq 'with-itunes-db rest)
-        (itunes-db-read))
-
-    (if (memq 'with-push-notifications rest)
-        (push-notifications))
-
-    (if (memq 'with-in-app-purchases rest)
-        (in-app-purchases))
-
-    ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
-    ; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
-    ; allowed to write its plist; ignore all others, they don't know what they are doing.
-    ; See <rdar://problem/9375027> for sample backtraces.
-    (deny file-write*
-        (home-prefix "/Library/Preferences/com.apple.springboard.plist")
-        (with no-log))
-
-    ;; For <rdar://problem/29428318> Allow DragUI mach service lookups for all UIKit apps
-    (allow mach-lookup
-        (global-name "com.apple.DragUI.druid.destination")
-        (global-name "com.apple.DragUI.druid.source"))
-
-    ;; <rdar://problem/30544378> Allow global lookup of com.apple.contactsd
-    (allow mach-lookup
-        (global-name "com.apple.contactsd"))
-
-    ;; <rdar://problem/31571441> need AX Drag-and-drop mach services added to default sandbox profile
-    (allow mach-lookup
-        (global-name "com.apple.VoiceOverTouch.drag.xpc")
-        (global-name "com.apple.assistivetouchd.drag.xpc"))
-
-    ;; <rdar://problem/34092690>
-    (allow mach-lookup
-        (xpc-service-name "com.apple.avkit.SharedPreferences"))
-
-    ;; <rdar://problem/34437589>
-    (allow mach-lookup
-        (global-name "com.apple.ap.adtrackingd.attribution"))
-
-    ;; <rdar://problem/34986314> Sandbox Profiles changes for indigo pref
-    (mobile-preferences-read "com.apple.indigo")
-
-    ;; <rdar://problem/35417382>, <rdar://problem/35518557>
-    (allow mach-lookup
-        (global-name "com.apple.corespotlightservice"))
-
-    ;; <rdar://problem/35446577>
-    (allow mach-lookup
-        (global-name "com.apple.coremedia.endpointplaybacksession.xpc"))
-
-    ;; For the (define... nesting.
-    )
+        (iokit-property "client")))
+
+;; Home Button
+(with-filter (iokit-registry-entry-class "IOPlatformDevice")
+    (allow iokit-get-properties
+        (iokit-property "home-button-type")))
+
+;; Common preferences read by UIKit.
+(mobile-preferences-read "com.apple.Accessibility"
+    "com.apple.UIKit"
+    "com.apple.WebUI"
+    "com.apple.airplay"
+    "com.apple.avkit"
+    "com.apple.coreanimation"
+    "com.apple.mt"
+    "com.apple.preferences.sounds")
+
+;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
+;; <rdar://problem/13796537>
+(deny file-write-create
+    (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
+    (with no-report))
+
+;; <rdar://problem/10809394>
+(deny file-write-create
+    (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
+    (with no-report))
+
+;; <rdar://problem/9404009>
+(mobile-preferences-read "kCFPreferencesAnyApplication")
+
+;; <rdar://problem/12250145>
+(mobile-preferences-read "com.apple.mediaaccessibility")
+
+; Dictionary Services used by UITextFields.
+; <rdar://problem/9386926>
+(allow-create-directory
+    (home-literal "/Library/Caches/com.apple.DictionaryServices"))
+
+; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
+(allow file-read*
+    ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
+    (subpath "/Library/Dictionaries")
+    (home-subpath "/Library/Dictionaries"))
+
+; <rdar://problem/8440231>
+(allow file-read*
+    (home-literal "/Library/Caches/DateFormats.plist"))
+; Silently deny writes when CFData attempts to write to the cache directory.
+(deny file-write*
+    (home-literal "/Library/Caches/DateFormats.plist")
+    (with no-log))
+
+; UIKit-required IOKit nodes.
+(allow iokit-open
+    (iokit-user-client-class "AppleJPEGDriverUserClient")
+    (iokit-user-client-class "IOSurfaceAcceleratorClient")
+    (iokit-user-client-class "IOSurfaceSendRight")
+    ;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
+    (iokit-user-client-class "IOSurfaceRootUserClient"))
+
+(framebuffer-access)
+
+;; <rdar://problem/7822790>
+(mobile-keybag-access)
+
+; <rdar://problem/7595408> , <rdar://problem/7643881>
+(opengl)
+
+(location-services)
+
+; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
+; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
+; allowed to write its plist; ignore all others, they don't know what they are doing.
+; See <rdar://problem/9375027> for sample backtraces.
+(deny file-write*
+    (home-prefix "/Library/Preferences/com.apple.springboard.plist")
+    (with no-log))
+
+;; <rdar://problem/34986314>
+(mobile-preferences-read "com.apple.indigo")
 
 ;;;
 ;;; End UIKit-apps.sb content
 ;;;
 
-(uikit-app 'with-opengl 'with-location-services)
-
-;; Access to media controls
-(play-media)
-(media-remote)
-
 (deny sysctl*)
 (allow sysctl-read
     (sysctl-name
         "kern.memorystatus_level"
         "vm.footprint_suspend"))
 
+(deny iokit-get-properties (with partial-symbolication))
+(allow iokit-get-properties
+    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
+    (iokit-property "APTDevice")
+    (iokit-property "AVCSupported")
+    (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
+    (iokit-property "BaseAddressAlignmentRequirement")
+    (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
+    (iokit-property "HEVCSupported")
+    (iokit-property-regex #"^IOGL(|ES(|Metal))BundleName")
+    (iokit-property "IOGLESDefaultUseMetal")
+    (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")
+    (iokit-property "IOClassNameOverride")
+    (iokit-property "IOPlatformUUID")
+    (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
+    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
+    (iokit-property "Protocol Characteristics")
+    (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
+    (iokit-property "artwork-device-subtype")
+    (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
+    (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
+    (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
+    (iokit-property-regex #"(canvas-height|canvas-width)")
+    (iokit-property "class-code")
+    (iokit-property "color-accuracy-index")
+    (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
+    (iokit-property "device-id")
+    (iokit-property "device-perf-memory-class")
+    (iokit-property "emu")
+    (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
+    (iokit-property "hdcp-hoover-protocol")
+    (iokit-property "iommu-present")
+    (iokit-property "product-description") ;; <rdar://problem/49497788>
+    (iokit-property "product-id")
+    (iokit-property "software-behavior")
+    (iokit-property "vendor-id")
+    (iokit-property "ui-pip") ;; <rdar://problem/48867037>
+)
+
 ;; Read-only preferences and data
 (mobile-preferences-read
     "com.apple.LaunchServices"
     "com.apple.WebFoundation"
     "com.apple.mobileipod"
+    "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
     "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
     "com.apple.voiceservices.logging")
 
 ;; Various services required by CFNetwork and other frameworks
 (allow mach-lookup
     (global-name "com.apple.PowerManagement.control")
-    (global-name "com.apple.accountsd.accountmanager")
-    (global-name "com.apple.analyticsd")
-    (global-name "com.apple.coremedia.audiodeviceclock"))
+    (global-name "com.apple.analyticsd"))
 
 (deny file-write-create (vnode-type SYMLINK))
 (deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
 ;; AWD logging
 (awd-log-directory "com.apple.WebKit.WebContent")
 
-(network-client (remote tcp) (remote udp))
-
 ;; Allow ManagedPreference access
 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
 
+(allow file-read-data
+    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
+)
+
 ;; Allow mediaserverd to issue file extensions for the purposes of reading media
 (allow file-issue-extension (require-all
     (extension "com.apple.app-sandbox.read")
 
 ;; Support incoming video connections
 (allow mach-lookup
-    (global-name "com.apple.audio.audiohald")
     (global-name "com.apple.coremedia.compressionsession")
     (global-name "com.apple.coremedia.decompressionsession")
     (global-name "com.apple.coremedia.videoqueue"))
+
+;; FIXME: remove the send-signal when this rule is no longer generating crashes.
+(deny mach-lookup (with send-signal SIGKILL)
+    (global-name "com.apple.backboard.hid.services"))
+
+(allow mach-lookup (extension "com.apple.webkit.extension.mach"))
+
+;; These services have been identified as unused during living-on.
+;; This list overrides some definitions above and in common.sb.
+;; FIXME: remove overridden rules once the final list has been
+;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
+(deny mach-lookup
+    (global-name "com.apple.AGXCompilerService")
+    (global-name "com.apple.CoreAuthentication.daemon.libxpc")
+    (global-name "com.apple.FileCoordination")
+    (global-name "com.apple.FileProvider")
+    (global-name "com.apple.Honeybee.event-notify")
+    (global-name "com.apple.MediaPlayer.RemotePlayerService")
+    (global-name "com.apple.ReportCrash.SimulateCrash")
+    (global-name "com.apple.accountsd.accountmanager")
+    (global-name "com.apple.appsupport.cplogd")
+    (global-name "com.apple.assertiond.processassertionconnection")
+    (global-name "com.apple.audio.reporting.xpc")
+    (global-name "com.apple.bird")
+    (global-name "com.apple.bird.token")
+    (global-name "com.apple.cfprefsd.agent")
+    (global-name "com.apple.containermanagerd")
+    (global-name "com.apple.coremedia.assetcacheinspector")
+    (global-name "com.apple.coremedia.audiodeviceclock")
+    (global-name "com.apple.coremedia.audioprocessingtap.xpc")
+    (global-name "com.apple.coremedia.endpointremotecontrolsession.xpc")
+    (global-name "com.apple.coremedia.sandboxserver")
+    (global-name "com.apple.coremedia.videocompositor")
+    (global-name "com.apple.coremedia.visualcontext.xpc")
+    (global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
+    (global-name "com.apple.ctkd.token-client")
+    (global-name "com.apple.cvmsServ")
+    (global-name "com.apple.duetknowledged.activity")
+    (global-name "com.apple.dyld.closured")
+    (global-name "com.apple.gpumemd.source")
+    (global-name "com.apple.hangtracerd")
+    (global-name "com.apple.itunescloudd.xpc")
+    (global-name "com.apple.itunesstored.xpc")
+    (global-name "com.apple.librariand")
+    (global-name "com.apple.locationd.spi")
+    (global-name "com.apple.locationd.synchronous")
+    (global-name "com.apple.lsd")
+    (global-name "com.apple.lsd.advertisingidentifiers")
+    (global-name "com.apple.lsd.icons")
+    (global-name "com.apple.lsd.openurl")
+    (global-name "com.apple.lsdiconservice")
+    (global-name "com.apple.managedconfiguration.profiled.public")
+    (global-name "com.apple.marco")
+    (global-name "com.apple.mediaserverd")
+    (global-name "com.apple.mobile.usermanagerd.xpc")
+    (global-name "com.apple.nesessionmanager")
+    (global-name "com.apple.pegasus")
+    (global-name "com.apple.pluginkit.pkd")
+    (global-name "com.apple.pluginkit.plugin-service")
+    (global-name "com.apple.quicklook.ThumbnailsAgent")
+    (global-name "com.apple.revisiond")
+    (global-name "com.apple.springboard.backgroundappservices")
+    (global-name "com.apple.system.libinfo.muser")
+    (global-name "com.apple.webkit.camera")
+)
+
+(when (defined? 'syscall-unix)
+    (deny syscall-unix (with send-signal SIGKILL))
+    (allow syscall-unix
+        (syscall-number SYS_exit)
+        (syscall-number SYS_read)
+        (syscall-number SYS_write)
+        (syscall-number SYS_open)
+        (syscall-number SYS_close)
+        (syscall-number SYS_unlink)
+        (syscall-number SYS_chmod)
+        (syscall-number SYS_getuid)
+        (syscall-number SYS_geteuid)
+        (syscall-number SYS_recvfrom)
+        (syscall-number SYS_getpeername)
+        (syscall-number SYS_access)
+        (syscall-number SYS_dup)
+        (syscall-number SYS_pipe)
+        (syscall-number SYS_getegid)
+        (syscall-number SYS_getgid)
+        (syscall-number SYS_sigprocmask)
+        (syscall-number SYS_sigaltstack)
+        (syscall-number SYS_ioctl)
+        (syscall-number SYS_readlink)
+        (syscall-number SYS_umask)
+        (syscall-number SYS_msync)
+        (syscall-number SYS_munmap)
+        (syscall-number SYS_mprotect)
+        (syscall-number SYS_madvise)
+        (syscall-number SYS_fcntl)
+        (syscall-number SYS_select)
+        (syscall-number SYS_fsync)
+        (syscall-number SYS_setpriority)
+        (syscall-number SYS_socket)
+        (syscall-number SYS_connect)
+        (syscall-number SYS_setsockopt)
+        (syscall-number SYS_gettimeofday)
+        (syscall-number SYS_getrusage)
+        (syscall-number SYS_getsockopt)
+        (syscall-number SYS_writev)
+        (syscall-number SYS_fchmod)
+        (syscall-number SYS_rename)
+        (syscall-number SYS_flock)
+        (syscall-number SYS_sendto)
+        (syscall-number SYS_shutdown)
+        (syscall-number SYS_socketpair)
+        (syscall-number SYS_mkdir)
+        (syscall-number SYS_rmdir)
+        (syscall-number SYS_pread)
+        (syscall-number SYS_pwrite)
+        (syscall-number SYS_csops)
+        (syscall-number SYS_csops_audittoken)
+        (syscall-number SYS_kdebug_trace64)
+        (syscall-number SYS_kdebug_trace)
+        (syscall-number SYS_sigreturn)
+        (syscall-number SYS_pathconf)
+        (syscall-number SYS_getrlimit)
+        (syscall-number SYS_setrlimit)
+        (syscall-number SYS_mmap)
+        (syscall-number SYS_lseek)
+        (syscall-number SYS_ftruncate)
+        (syscall-number SYS_sysctl)
+        (syscall-number SYS_mlock)
+        (syscall-number SYS_munlock)
+        (syscall-number SYS_getattrlist)
+        (syscall-number SYS_getxattr)
+        (syscall-number SYS_fgetxattr)
+        (syscall-number SYS_listxattr)
+        (syscall-number SYS_shm_open)
+        (syscall-number SYS_sem_wait)
+        (syscall-number SYS_sem_post)
+        (syscall-number SYS_sysctlbyname)
+        (syscall-number SYS_psynch_mutexwait)
+        (syscall-number SYS_psynch_mutexdrop)
+        (syscall-number SYS_psynch_cvbroad)
+        (syscall-number SYS_psynch_cvsignal)
+        (syscall-number SYS_psynch_cvwait)
+        (syscall-number SYS_psynch_rw_wrlock)
+        (syscall-number SYS_psynch_rw_unlock)
+        (syscall-number SYS_psynch_cvclrprepost)
+        (syscall-number SYS_process_policy)
+        (syscall-number SYS_issetugid)
+        (syscall-number SYS___pthread_kill)
+        (syscall-number SYS___pthread_sigmask)
+        (syscall-number SYS___disable_threadsignal)
+        (syscall-number SYS___semwait_signal)
+        (syscall-number SYS_proc_info)
+        (syscall-number SYS_stat64)
+        (syscall-number SYS_fstat64)
+        (syscall-number SYS_lstat64)
+        (syscall-number SYS_getdirentries64)
+        (syscall-number SYS_statfs64)
+        (syscall-number SYS_fstatfs64)
+        (syscall-number SYS_getfsstat64)
+        (syscall-number SYS_getaudit_addr)
+        (syscall-number SYS_bsdthread_create)
+        (syscall-number SYS_bsdthread_terminate)
+        (syscall-number SYS_workq_kernreturn)
+        (syscall-number SYS_thread_selfid)
+        (syscall-number SYS_kevent_qos)
+        (syscall-number SYS_kevent_id)
+        (syscall-number SYS___mac_syscall)
+        (syscall-number SYS_read_nocancel)
+        (syscall-number SYS_write_nocancel)
+        (syscall-number SYS_open_nocancel)
+        (syscall-number SYS_close_nocancel)
+        (syscall-number SYS_sendmsg_nocancel)
+        (syscall-number SYS_recvfrom_nocancel)
+        (syscall-number SYS_fcntl_nocancel)
+        (syscall-number SYS_select_nocancel)
+        (syscall-number SYS_connect_nocancel)
+        (syscall-number SYS_sendto_nocancel)
+        (syscall-number SYS_fsgetpath)
+        (syscall-number SYS_fileport_makeport)
+        (syscall-number SYS_guarded_open_np)
+        (syscall-number SYS_guarded_close_np)
+        (syscall-number SYS_change_fdguard_np)
+        (syscall-number SYS_proc_rlimit_control)
+        (syscall-number SYS_connectx)
+        (syscall-number SYS_getattrlistbulk)
+        (syscall-number SYS_openat)
+        (syscall-number SYS_openat_nocancel)
+        (syscall-number SYS_fstatat64)
+        (syscall-number SYS_mkdirat)
+        (syscall-number SYS_bsdthread_ctl)
+        (syscall-number SYS_csrctl)
+        (syscall-number SYS_guarded_pwrite_np)
+        (syscall-number SYS_getentropy)
+        (syscall-number SYS_necp_open)
+        (syscall-number SYS_necp_client_action)
+        (syscall-number SYS_ulock_wait)
+        (syscall-number SYS_ulock_wake)
+        (syscall-number SYS_kdebug_typefilter)
+        (syscall-number SYS_shared_region_check_np)
+        (syscall-number SYS_getpid)
+        (syscall-number SYS_bsdthread_register)
+        (syscall-number SYS_sigaction)
+        (syscall-number SYS_gettid)
+        (syscall-number SYS_workq_open)
+        (syscall-number SYS_chdir)
+        (syscall-number SYS_memorystatus_control)
+        (syscall-number SYS_sem_open)
+        (syscall-number SYS_sem_close)
+        (syscall-number SYS_fsetattrlist)
+        (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
+        (syscall-number SYS_mremap_encrypted)
+        (syscall-number SYS_dup2)
+        (syscall-number SYS_fileport_makefd)
+        (syscall-number SYS_os_fault_with_payload)
+        (syscall-number SYS_persona)
+        (syscall-number SYS_work_interval_ctl)
+        (syscall-number SYS_open_dprotected_np)
+        (syscall-number SYS_pread_nocancel)
+        (syscall-number SYS___semwait_signal_nocancel)
+        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
+        (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
+    )
+)
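Review bot: The `syscall-unix` allowlist that closes this hunk is unsorted and, apart from three radar references, gives no reason for any entry, which makes broad kernel entry points such as `SYS_ioctl`, `SYS___mac_syscall`, `SYS_sysctl` and `SYS_proc_info` hard to audit. It also keeps `SYS_socket`, `SYS_connect`, `SYS_connectx` and `SYS_sendto` while the earlier hunk removes `(network-client (remote tcp) (remote udp))`; presumably they are still needed for local IPC, but the profile should say so. I would add a header comment such as `;; Syscall allowlist derived from <how the list was collected>; socket syscalls kept for <reason>.` and sort or group the entries so that duplicates and later additions stand out in review. Because the block sits under `(when (defined? 'syscall-unix) ...)`, the filter is not applied at all where that operation is undefined, and a one-line comment should record that this fallback is intentional.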