; Copyright (C) 2013-2022 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

(version 1)
;; Default-deny profile: every operation not explicitly allowed below is refused.
(deny default (with partial-symbolication))
(deny nvram*)
(deny system-privilege)

(allow system-audit file-read-metadata)

;; The one system-privilege granted in this file: socket delegation, and only
;; when the process also holds the matching entitlement (both conditions required).
(allow system-privilege (with grant)
    (require-all
        (privilege-id PRIV_NET_PRIVILEGED_SOCKET_DELEGATE)
        (require-entitlement "com.apple.private.network.socket-delegate")))

;; We can remove the catch once we no longer need to support older macOS
;; NOTE(review): the handler body is empty, so a failing import (presumably a
;; missing dyld-support.sb on older macOS) is silently ignored — confirm.
(catch (lambda)
    (import "dyld-support.sb"))

;; Silence spurious logging due to rdar://20117923 and rdar://72366475
;; The denial itself still applies; only the violation report is suppressed.
(deny system-privilege (privilege-id PRIV_GLOBAL_PROC_INFO) (with no-report))

;; Shared preference-access rules (presumably where allow-reading-global-preferences
;; and shared-preferences-read, used further down, are defined — verify).
#include "Shared/Sandbox/preferences.sb"

#if ENABLE(SYSTEM_CONTENT_PATH_SANDBOX_RULES)
#include <WebKitAdditions/SystemContentSandbox-macos.defs>
#endif

;; Utility functions for home directory relative path filters
;; Regex filter anchored at the user's home directory. HOME_DIR is regex-quoted
;; so metacharacters in the path match literally; the caller's pattern is
;; appended unquoted.
(define (home-regex home-relative-regex)
    (let* ((quoted-home (regex-quote (param "HOME_DIR")))
           (anchored-pattern (string-append "^" quoted-home home-relative-regex)))
        (regex anchored-pattern)))

;; Subpath filter for a directory tree below the user's home directory.
(define (home-subpath home-relative-subpath)
    (let ((absolute-path (string-append (param "HOME_DIR") home-relative-subpath)))
        (subpath absolute-path)))

;; Exact-path filter for a single file below the user's home directory.
(define (home-literal home-relative-literal)
    (let ((absolute-path (string-append (param "HOME_DIR") home-relative-literal)))
        (literal absolute-path)))

#if PLATFORM(MAC)
;; The empty prefix matches every local name: no local Mach name may be registered.
(deny mach-register (local-name-prefix ""))

(allow system-automount
       (process-attribute is-platform-binary))

;; Executable mapping is allowed everywhere but tagged with telemetry; the
;; locations listed next are allowed without it (presumably the later, more
;; specific rule takes precedence for those paths — confirm).
(allow file-map-executable (with telemetry))
(allow file-map-executable
    (home-subpath "/Library/Caches")
    (home-subpath "/Library/Containers")
    (subpath (param "DARWIN_USER_TEMP_DIR"))
    (subpath "/Library/KerberosPlugins")
    (subpath "/System/Library/Frameworks")
    (subpath "/System/Library/KerberosPlugins")
    (subpath "/System/Library/PrivateFrameworks")
    (subpath "/usr/lib"))

;; Metadata only (no contents) for these top-level entries.
(allow file-read-metadata
    (literal "/etc")
    (literal "/tmp")
    (literal "/var")
    (literal "/private/etc/localtime"))

(allow file-read-metadata (path-ancestors "/System/Volumes/Data/private"))

(allow file-read* (literal "/"))

(allow file-read*
       (subpath "/System"))

(allow file-read*
       (subpath "/Library/Preferences/Logging")      ; Logging Rethink
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 110000
       (subpath "/private/var/db/dyld")
#endif
       (subpath "/private/var/db/timezone")
       (subpath "/usr/lib")
       (subpath "/usr/share"))

;; System files read directly: the random device, user records and the
;; service-name table.
(allow file-read*
       (literal "/dev/urandom")
       (literal "/private/etc/master.passwd")
       (literal "/private/etc/passwd")
       (literal "/private/etc/services"))

;; Read, write-data and ioctl (no write-create) on the DTrace helper device.
(allow file-read* file-write-data file-ioctl
       (literal "/dev/dtracehelper"))

;; Internal logging preferences, only on Apple-internal systems.
(allow file-read*
       (require-all (subpath "/AppleInternal/Library/Preferences/Logging")
                    (system-attribute apple-internal)))

;; Outbound connection to the syslog socket path.
(allow network-outbound
       (literal "/private/var/run/syslog"))

(allow ipc-posix-shm-read*
    (ipc-posix-name "apple.shm.notification_center")
#if !ENABLE(CFPREFS_DIRECT_MODE)
    (ipc-posix-name-prefix "apple.cfprefs.")
#endif
)

#if ENABLE(SET_WEBCONTENT_PROCESS_INFORMATION_IN_NETWORK_PROCESS)
(allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))
#endif

;; cfprefsd lookups are only needed when preferences are not read directly.
#if !ENABLE(CFPREFS_DIRECT_MODE)
(allow mach-lookup
    (global-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.cfprefsd.daemon")
)
#endif

;; Directory-services lookups and the trust daemons.
(allow mach-lookup
    (global-name "com.apple.system.opendirectoryd.libinfo")
    (global-name "com.apple.trustd")
    (global-name "com.apple.trustd.agent"))

;; Network-stack rules, applied later by the (system-network) call further down.
;; Defined as a procedure so this branch and the system.sb import in the #else
;; branch (which presumably defines the same name — confirm) expose one entry point.
(define (system-network)
    (allow file-read*
         (literal "/Library/Preferences/com.apple.networkd.plist")
         (literal "/private/var/db/nsurlstoraged/dafsaData.bin"))
    ;; Configuration, reachability, networkd, URL-cache and symptom services
    ;; are explicitly denied to this process.
    (deny mach-lookup 
         (global-name "com.apple.SystemConfiguration.PPPController")
         (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
         (global-name "com.apple.networkd")
         (global-name "com.apple.nsurlstorage-cache")
         (global-name "com.apple.symptomsd"))
    (allow mach-lookup
         (global-name "com.apple.dnssd.service")
         (global-name "com.apple.nehelper")
         (global-name "com.apple.nesessionmanager")
         (global-name "com.apple.usymptomsd"))
    (allow network-outbound
         (control-name "com.apple.netsrc"))
    ;; No routing sockets; of the system sockets only the kernel-control protocol.
    (deny system-socket 
          (socket-domain AF_ROUTE))
    (allow system-socket
         (require-all (socket-domain AF_SYSTEM)
                      (socket-protocol 2))) ; SYSPROTO_CONTROL
    (allow mach-lookup
         (global-name "com.apple.AppSSO.service-xpc"))
    (deny ipc-posix-shm-read-data 
         (ipc-posix-name "/com.apple.AppSSO.version")))
#else
;; When not PLATFORM(MAC), the platform profile replaces the hand-written rules above.
(import "system.sb")
#endif

;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
;; dirty-control and set-control only on this process itself; pidinfo carries
;; no target filter, so it covers any pid.
(allow process-info-dirtycontrol (target self))
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))

;; sysctl: default deny, then a read allow-list and a single writable key.
(deny sysctl*) 
(allow sysctl-read
    (sysctl-name
        "hw.cputype"
        "hw.memsize"
        "hw.ncpu"
        "kern.maxfilesperproc"
        "kern.osproductversion" ;; Needed by CFNetwork (HSTS store and others)
        "kern.osrelease"
        "kern.ostype"
        "kern.osversion" ;; Needed by WebKit and ASL logging.
        "kern.tcsm_available" ;; Needed for IndexedDB support.
        "kern.tcsm_enable")
    (sysctl-name-prefix "kern.proc.pid.") ;; per-pid process info, not limited to self
    (sysctl-name-prefix "net.routetable"))

(allow sysctl-write
    (sysctl-name
        "kern.tcsm_enable"))

;; IOKit property reads: default deny, then only the listed property names.
(deny iokit-get-properties)
(allow iokit-get-properties
    (iokit-property
        "Ejectable"
        "IOClassNameOverride"
        "IOMediaIcon"
        "IOServiceDEXTEntitlements"
        "No-idle-support"
        "Product Identification"
        "Protocol Characteristics"
        "Removable"
        "acpi-pmcap-offset"
        "driver-child-bundle"
        "iommu-selection"
    )
)

;; The empty prefix matches every XPC service name, so no XPC service may be
;; looked up by service name (the global-name lookups elsewhere are a different filter).
(deny mach-lookup (xpc-service-name-prefix ""))

;; Remove when <rdar://problem/29646094> is fixed.
;; Build a regex fragment from a list of field widths: each positive width N
;; contributes N copies of "[0-9A-F]", and a width of 0 contributes a literal "-".
;; Example: '(2 0 1) -> "[0-9A-F][0-9A-F]-[0-9A-F]".
(define (HEX-pattern-match-generator pattern-descriptor)
    (let next-field ((fields pattern-descriptor) (pattern ""))
        (cond
            ((null? fields) pattern)
            ((zero? (car fields))
                (next-field (cdr fields) (string-append pattern "-")))
            (else
                (next-field (cdr fields)
                            ;; append one hex-digit class per unit of the field width
                            (let hex-run ((remaining (car fields)) (acc pattern))
                                (if (> remaining 0)
                                    (hex-run (- remaining 1) (string-append acc "[0-9A-F]"))
                                    acc)))))))

;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
(define (uuid-HEX-pattern-match-string)
    ;; Field widths of a canonical UUID; 0 stands for the "-" separator.
    (let ((uuid-field-layout '(8 0 4 0 4 0 4 0 12)))
        (HEX-pattern-match-generator uuid-field-layout)))

;; global to hold the computed UUID matching pattern.
(define *uuid-pattern* "") ; empty string means "not computed yet"; filled lazily by uuid-regex-string

;; Return the cached UUID regex pattern, computing it on first use. An empty
;; *uuid-pattern* is the "not yet computed" state.
(define (uuid-regex-string)
    (when (zero? (string-length *uuid-pattern*))
        (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
    *uuid-pattern*)

;; Read-only preferences and data
(allow-reading-global-preferences)

;; Preference domains this process may read.
(shared-preferences-read
    "com.apple.CFNetwork"
    "com.apple.DownloadAssessment"
    "com.apple.WebFoundation"
    "com.apple.ist.ds.appleconnect2.uat" ;; Remove after <rdar://problem/35542803> ships
    "com.apple.networkConnect")

(allow file-read*
    ;; Basic system paths
    (subpath "/Library/Frameworks")
    (subpath "/Library/Managed Preferences")

    ;; On-disk WebKit2 framework location, to account for debug installations
    ;; outside of /System/Library/Frameworks
    (subpath (param "WEBKIT2_FRAMEWORK_DIR")))

;; Data only (no metadata) for this single path.
(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)

;; Sandbox extensions
;; Register through `op` (allow or deny) both read access to path-filter and the
;; right to issue a read-class sandbox extension restricted to that same filter.
(define (apply-read-and-issue-extension op path-filter)
    (op file-read* path-filter)
    (let ((read-class (extension-class "com.apple.app-sandbox.read")))
        (op file-issue-extension (require-all read-class path-filter))))
;; Register through `op` (allow or deny) both write access to path-filter and the
;; right to issue a read-write-class sandbox extension restricted to that filter.
(define (apply-write-and-issue-extension op path-filter)
    (op file-write* path-filter)
    (let ((read-write-class (extension-class "com.apple.app-sandbox.read-write")))
        (op file-issue-extension (require-all read-write-class path-filter))))
;; Allow read access and read-class extension issuance for path-filter.
(define read-only-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)))
;; Allow read and write access, plus issuance of both extension classes, for path-filter.
(define read-write-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)
        (apply-write-and-issue-extension allow path-filter)))
;; Paths covered by a consumed sandbox extension of the matching class become
;; readable (read class) or read-write (read-write class); the extension is the filter.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))

;; Per-user cache and temporary directories are fully read-write.
(allow file-read* file-write* (subpath (param "DARWIN_USER_CACHE_DIR")))

(allow file-read* file-write* (subpath (param "DARWIN_USER_TEMP_DIR")))

;; IOKit user clients
(allow iokit-open
    (iokit-user-client-class "RootDomainUserClient") ; Used by PowerObserver
)

;; The power-management control service stays unreachable even though the
;; RootDomainUserClient above may be opened.
(deny mach-lookup 
    (global-name "com.apple.PowerManagement.control"))

;; Various services required by CFNetwork and other frameworks
(allow mach-lookup
    (global-name "com.apple.FileCoordination")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.cfnetwork.AuthBrokerAgent")
    (global-name "com.apple.cfnetwork.cfnetworkagent")
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 120000
    (global-name "com.apple.cookied")
#endif
    (global-name "com.apple.ist.ds.appleconnect2.service.kdctunnelcontroller")
    (global-name "com.apple.logd")
    (global-name "com.apple.logd.events")
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.nesessionmanager.flow-divert-token")
    (global-name "com.apple.nesessionmanager.content-filter") ;; <rdar://problem/47598758>
    (global-name "com.apple.system.notification_center"))

;; Diagnostics/analytics daemons, reachable only on Apple-internal systems.
(with-filter (system-attribute apple-internal)
    (allow mach-lookup
        (global-name "com.apple.aggregated")
        (global-name "com.apple.analyticsd")
        (global-name "com.apple.diagnosticd")))

;; Ad-attribution daemon and its test counterpart.
(allow mach-lookup (global-name "com.apple.webkit.adattributiond.service"))
(allow mach-lookup (global-name "org.webkit.pcmtestdaemon.service"))

;; Web push daemon and its test counterpart.
(allow mach-lookup (global-name "com.apple.webkit.webpushd.service"))
(allow mach-lookup (global-name "org.webkit.webpushtestdaemon.service"))

;; diskarbitrationd: denied without logging for everyone, then re-allowed only
;; when the process runs as root (uid 0).
(deny mach-lookup (with no-log)
    (global-name "com.apple.DiskArbitration.diskarbitrationd"))
(with-filter (uid 0)
    (allow mach-lookup 
        (global-name "com.apple.DiskArbitration.diskarbitrationd")))

;; Explicitly denied lookups; these stay denied even though the Security
;; framework's SecurityServer is allowed just below.
(deny mach-lookup 
   (global-name "com.apple.ctkd.token-client")
   (global-name "com.apple.securityd.xpc")
   (global-name "com.apple.CoreAuthentication.agent")
   (global-name "com.apple.ocspd"))

;; Security framework
(allow mach-lookup
    (global-name "com.apple.SecurityServer"))

;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
;; (data and metadata reads only — no file-write*, so nothing here can be created or modified)
(allow file-read-data file-read-metadata
    (subpath "/Library/Keychains")
    (home-subpath "/Library/Keychains"))

;; Except deny access to new-style iOS Keychain folders which are UUIDs.
;; "(/|$)" covers both the UUID directory itself and anything beneath it. The
;; plain regex form carries no "^" anchor, so it matches the pattern anywhere in
;; a path; home-regex anchors at HOME_DIR.
(deny file-read* file-write*
    (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
    (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))

(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
;; Writes to the MDS system database only when running as root (uid 0).
(with-filter (uid 0)
    (allow file-write* 
        (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
)

;; Security/crypto preference domains.
(shared-preferences-read
    "com.apple.crypto"
    "com.apple.security"
    "com.apple.security.common"
    "com.apple.security.revocation")

(allow file-read*
       (subpath "/private/var/db/mds")

       ; The following are needed until the causes of <rdar://problem/41487786> are resolved.
       (literal "/Library/Preferences/com.apple.security.plist")
       (home-literal "/Library/Preferences/com.apple.security.plist")

       ; Likewise for <rdar://problem/43310000>
       (literal "/Library/Preferences/com.apple.ist.ds.appleconnect2.plist")
       (literal "/Library/Preferences/com.apple.ist.ds.appleconnect2.production.plist")
       (home-literal "/Library/Preferences/com.apple.ist.ds.appleconnect2.plist")
       (home-literal "/Library/Preferences/com.apple.ist.ds.appleconnect2.production.plist")
       ; NOTE(review): these two patterns rely on "\." surviving as an escaped dot
       ; inside a plain string literal. If the profile compiler's string reader
       ; drops unknown escapes, each "\." matches any character and the filter
       ; is wider than intended — confirm, or use a raw string form if one exists.
       (home-regex (string-append "/Library/Preferences/ByHost/com\.apple\.ist\.ds\.appleconnect2\." (uuid-regex-string) "\.plist$"))
       (home-regex (string-append "/Library/Preferences/ByHost/com\.apple\.ist\.ds\.appleconnect2\.production\." (uuid-regex-string) "\.plist$"))
)

;; Shared-memory segment for database-change notifications: read, create and write.
(allow ipc-posix-shm-read* ipc-posix-shm-write-create ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Apply the network rules defined above, then open DNS via the local resolver
;; socket and outbound TCP to any remote host.
(system-network)
(allow network-outbound
    ;; Local mDNSResponder for DNS, arbitrary outbound TCP
    (literal "/private/var/run/mDNSResponder")
    (remote tcp))

;; System logger lookup, root only (uid 0).
(with-filter (uid 0)
    (allow mach-lookup
        (global-name "com.apple.system.logger")))

;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
;; Kerberos/GSS support: credential services, outbound UDP, Kerberos preference
;; domains, and the plug-in directories.
(allow mach-lookup
    (global-name "org.h5l.kcm")
    (global-name "com.apple.GSSCred")
    (global-name "com.apple.ist.ds.appleconnect.service.kdctunnel")) ;; Remove after <rdar://problem/35542803> ships
;; Not limited to Kerberos ports: any remote UDP peer is reachable.
(allow network-outbound 
    (remote udp))
(shared-preferences-read
    "com.apple.GSS"
    "com.apple.Kerberos"
    "edu.mit.Kerberos")
(allow file-read*
    (literal "/private/etc/services")
    (literal "/private/etc/hosts")
    (subpath "/Library/KerberosPlugins/GSSAPI")
    (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins"))

;; No symlink creation. NOTE(review): if later rules take precedence, an allow
;; file-write* placed after this point (e.g. HTTPStorages below) may override
;; it for its own paths — confirm the compiler's ordering semantics.
(deny file-write-create (vnode-type SYMLINK))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-prefix "com.apple.security.private."))

;; Quarantine event database: denied, and without logging so the denial is not noisy.
(deny file-read* file-write* (with no-log)
    ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
    (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))

;; Reimplementation of with-filter: (with-filter extra-filter rule ...) evaluates
;; the rules with allow/deny temporarily rebound so that extra-filter is AND-ed
;; onto every rule's own filters.
;; NOTE(review): with-filter is already used earlier in this file (the
;; apple-internal and uid 0 blocks), so some prior definition must be in scope
;; there; no rule after this point in this file uses it.
(macro (with-filter form)
   (let* ((ps (cdr form))
          (extra-filter (car ps))            ; first operand: the filter to inject
          (rules (cdr ps)))                  ; remaining operands: the rules to wrap
    `(letrec
        ((collect
             ;; Split a rule's arguments into SBPL filters and everything else
             ;; (operation names, modifiers). Each output list comes out reversed.
             (lambda (l filters non-filters)
                 (if (null? l)
                     (list filters non-filters)
                     (let* 
                         ((x (car l))
                          (rest (cdr l)))
                         (if (sbpl-filter? x)
                             (collect rest (cons x filters) non-filters)
                             (collect rest filters (cons x non-filters)))))))
         (inject-filter
             ;; Rebuild the argument list: a rule with no filters of its own gets
             ;; extra-filter alone; otherwise its filters are OR-ed (require-any)
             ;; and then AND-ed (require-all) with extra-filter.
             (lambda args
                 (let* ((collected (collect args '() '()))
                        (filters (car collected))
                        (non-filters (cadr collected)))
                 (if (null? filters)
                     (cons ,extra-filter non-filters)
                     (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
         (orig-allow allow)
         (orig-deny deny)
         ;; wrapper: call the original action with the injected argument list.
         (wrapper
             (lambda (action)
                 (lambda args (apply action (apply inject-filter args))))))
        (set! allow (wrapper orig-allow))
        (set! deny (wrapper orig-deny))
        ,@rules
        ;; NOTE(review): no unwind protection — should a rule escape non-locally,
        ;; allow/deny stay wrapped for the rest of the profile.
        (set! deny orig-deny)
        (set! allow orig-allow))))

;; FIXME should be removed when <rdar://problem/30498072> is fixed.
;; Much broader than the network-outbound rules above: network* covers every
;; network operation (presumably bind/inbound as well as outbound — confirm),
;; and the filters admit any local or remote TCP/UDP endpoint.
(allow network* 
    (local udp)
    (remote udp)
    (local tcp)
    (remote tcp))

;; For reporting progress for active downloads <rdar://problem/44405661>
(allow mach-lookup
    (global-name "com.apple.ProgressReporting"))

;; Needed for TCC.
(allow mach-lookup
    (global-name "com.apple.tccd"))

;; Denied without logging: the system TCC daemon, coreservicesd and every
;; distributed-notification service name.
(deny mach-lookup (with no-log)
    (global-name "com.apple.tccd.system")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name-prefix "com.apple.distributed_notifications"))

;; <rdar://89031731>
(allow mach-lookup
    (global-name "com.apple.networkserviceproxy.fetch-token"))

;; The only home-directory subpath given file-write* directly in this profile
;; (grants via sandbox extensions aside).
(allow file-read* file-write*
    (home-subpath "/Library/HTTPStorages"))

;; Network Extension state, read-only, matched by path prefix rather than subpath.
(allow file-read*
    (prefix "/private/var/db/com.apple.networkextension."))

;; Unix syscall allow-list, only where the profile language exposes syscall-unix.
;; Everything not listed is denied; (with telemetry) tags those denials for
;; reporting, so a missing entry surfaces rather than failing silently.
(when (defined? 'syscall-unix)
    (deny syscall-unix (with telemetry))
    (allow syscall-unix (syscall-number
        SYS___channel_get_info
        SYS___channel_open
        SYS___channel_sync
        SYS___disable_threadsignal
        SYS___mac_syscall
        SYS___pthread_kill
        SYS___pthread_sigmask
        SYS___semwait_signal
        SYS___semwait_signal_nocancel
        SYS_abort_with_payload
        SYS_access
        SYS_bsdthread_create
        SYS_bsdthread_ctl
        SYS_bsdthread_terminate
        SYS_change_fdguard_np
        SYS_close
        SYS_close_nocancel
        SYS_csops_audittoken
        SYS_csrctl
        SYS_dup
        SYS_exit
        SYS_fcntl
        SYS_fcntl_nocancel
        SYS_ffsctl
        SYS_fgetattrlist
        SYS_fgetxattr
        SYS_fileport_makeport
        SYS_flistxattr
        SYS_flock
        SYS_fsetattrlist
        SYS_fsgetpath
        SYS_fstat
        SYS_fstat64
        SYS_fstat64_extended
        SYS_fstatat
        SYS_fstatat64
        SYS_fstatfs
        SYS_fstatfs64
        SYS_fsync
        SYS_ftruncate
        SYS_getattrlist
        SYS_getattrlistbulk
        SYS_getaudit_addr
        SYS_getdirentries
        SYS_getdirentries64
        SYS_getegid
        SYS_getentropy
        SYS_geteuid
        SYS_getfsstat
        SYS_getfsstat64
        SYS_getgid
        SYS_getgroups
        SYS_gethostuuid
        SYS_getpeername
        SYS_getrlimit
        SYS_getsockname
        SYS_getsockopt
        SYS_gettid
        SYS_gettimeofday
        SYS_getuid
        SYS_getxattr
        SYS_guarded_close_np
        SYS_guarded_open_dprotected_np
        SYS_guarded_open_np
        SYS_guarded_pwrite_np
        SYS_iopolicysys
        SYS_issetugid
        SYS_kdebug_trace
        SYS_kdebug_trace64
        SYS_kdebug_trace_string
        SYS_kdebug_typefilter
        SYS_kevent
        SYS_kevent_id
        SYS_kevent_qos
        SYS_kqueue
        SYS_listxattr
        SYS_lseek
        SYS_lstat
        SYS_lstat64
        SYS_lstat64_extended
        SYS_madvise
        SYS_memorystatus_control
        SYS_mkdir
        SYS_mkdirat
        SYS_mmap
        SYS_mprotect
        SYS_msync
        SYS_munmap
        SYS_necp_client_action
        SYS_necp_open
        SYS_open
        SYS_open_dprotected_np
        SYS_open_nocancel
        SYS_openat
        SYS_os_fault_with_payload
        SYS_pathconf
        SYS_pipe
        SYS_pread
        SYS_pread_nocancel
        SYS_proc_info
        SYS_pselect
        SYS_psynch_cvbroad
        SYS_psynch_cvclrprepost
        SYS_psynch_cvsignal
        SYS_psynch_cvwait
        SYS_psynch_mutexdrop
        SYS_psynch_mutexwait
        SYS_psynch_rw_rdlock
        SYS_psynch_rw_unlock
        SYS_psynch_rw_wrlock
        SYS_read
        SYS_read_nocancel
        SYS_readlink
        SYS_recvfrom
        SYS_recvfrom_nocancel
        SYS_recvmsg
        SYS_rename
        SYS_rmdir
        SYS_select
        SYS_select_nocancel
        SYS_sendmsg
        SYS_sendmsg_nocancel
        SYS_sendto
        SYS_sendto_nocancel
        SYS_setattrlistat
        SYS_setrlimit
        SYS_setsockopt
        SYS_shutdown
        SYS_sigaction
        SYS_sigaltstack
        SYS_sigprocmask
        SYS_sigreturn
        SYS_socketpair
        SYS_stat
        SYS_stat64
        SYS_stat64_extended
        SYS_statfs
        SYS_statfs64
        SYS_sysctl
        SYS_thread_selfid
        SYS_ulock_wait
        SYS_ulock_wake
        SYS_unlink
        SYS_workq_kernreturn
        SYS_write
        SYS_write_nocancel)))

;; Added separately because the symbol only exists on newer systems.
(when (defined? 'SYS_map_with_linking_np)
    (allow syscall-unix (syscall-number SYS_map_with_linking_np)))

#if HAVE(SANDBOX_MESSAGE_FILTERING)
;; Both rules below are gated on the ENABLE_SANDBOX_MESSAGE_FILTER parameter
;; being "YES" and on the profile language exposing the relevant operation.
;; Kernel-endpoint messages are allowed but tagged with telemetry.
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'mach-kernel-endpoint))
    (allow mach-kernel-endpoint
        (apply-message-filter
            (allow mach-message-send (with telemetry)))))

;; Mach trap allow-list: everything not listed is denied and reported via telemetry.
(when (and (equal? (param "ENABLE_SANDBOX_MESSAGE_FILTER") "YES") (defined? 'syscall-mach))
    (deny syscall-mach (with telemetry))
    (allow syscall-mach
        (machtrap-number
            MSC__kernelrpc_mach_port_allocate_trap
            MSC__kernelrpc_mach_port_construct_trap
            MSC__kernelrpc_mach_port_deallocate_trap
            MSC__kernelrpc_mach_port_destruct_trap
            MSC__kernelrpc_mach_port_extract_member_trap
            MSC__kernelrpc_mach_port_guard_trap
            MSC__kernelrpc_mach_port_insert_member_trap
            MSC__kernelrpc_mach_port_insert_right_trap
            MSC__kernelrpc_mach_port_mod_refs_trap
            MSC__kernelrpc_mach_port_request_notification_trap
            MSC__kernelrpc_mach_port_type_trap
            MSC__kernelrpc_mach_port_unguard_trap
            MSC__kernelrpc_mach_vm_allocate_trap
            MSC__kernelrpc_mach_vm_deallocate_trap
            MSC__kernelrpc_mach_vm_map_trap
            MSC__kernelrpc_mach_vm_protect_trap
            MSC__kernelrpc_mach_vm_purgable_control_trap
            MSC_host_create_mach_voucher_trap
            MSC_host_self_trap
            MSC_mach_generate_activity_id
            MSC_mach_msg_trap
            MSC_mach_reply_port
            MSC_mach_voucher_extract_attr_recipe_trap
            MSC_mk_timer_arm
            MSC_mk_timer_cancel
            MSC_mk_timer_create
            MSC_mk_timer_destroy
            MSC_semaphore_signal_trap
            MSC_semaphore_timedwait_trap
            MSC_semaphore_wait_trap
            MSC_swtch_pri
            MSC_syscall_thread_switch
            MSC_task_dyld_process_info_notify_get
            MSC_task_self_trap
            MSC_thread_get_special_reply_port))

    ;; Added separately because the trap symbol only exists on newer systems.
    (when (defined? 'MSC_mach_msg2_trap)
        (allow syscall-mach
            (machtrap-number MSC_mach_msg2_trap))))
#endif // HAVE(SANDBOX_MESSAGE_FILTERING)