REGRESSION (High Sierra): PDFPlugin won't render PostScript Files
1 ; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ;    notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ;    notice, this list of conditions and the following disclaimer in the
10 ;    documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
(version 1)
;; Default-deny profile: any operation not explicitly allowed below is refused.
;; NOTE(review): (with partial-symbolication) presumably only affects how the
;; default denial is reported; confirm it grants nothing.
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)

;; Base platform rules. The (system-graphics) / (system-network) helpers used
;; further down presumably come from here -- confirm.
(import "system.sb")

;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
(allow process-codesigning-status*)
#endif

;; sysctl: deny everything, then allow read-only access to a short list of
;; CPU/model/memory names. Additions here are visible to web content.
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.availcpu"
        "hw.ncpu"
        "hw.model"
        "kern.memorystatus_level"
        "vm.footprint_suspend"))
46
;; IOKit property reads: deny all, then allow-list by exact name or regex.
;; NOTE(review): some entries are already covered by an earlier regex, e.g.
;; "IOMatchCategory" by ^IO(Class|MatchCategory|NameMatch), "touch-size-id" by
;; ^(device|revision|subsystem-vendor|touch-size)-id, and ^IOClass(|NameOverride)
;; overlaps the same ^IO(Class|...) regex. Harmless, but worth deduplicating.
;; NOTE(review): ^IOPlatform(SerialNumber|UUID) exposes stable hardware
;; identifiers to the Web process; confirm which dependency needs them.
(deny iokit-get-properties)
(allow iokit-get-properties
    (iokit-property "AGCInfo")
    (iokit-property "AccelCaps")
    (iokit-property-regex #"^(Accurate|Extended)MaxDigitizerPressureValue")
    (iokit-property-regex #"^(Activation|Animation)Thresholds")
    (iokit-property "ActuationSupported")
    (iokit-property "AllowDisplaySleep")
    (iokit-property "AlwaysNeedsVelocityCalculated")
    (iokit-property "AppleIntelMEVABundleName")
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property-regex #"^ATY,fb_(linebytes|offset|size)")
    (iokit-property "BacklightHandle")
    (iokit-property-regex #"^CEA(ModeID|PixelRepetition)")
    (iokit-property "CFBundleIdentifier")
    (iokit-property "CapsLockDelay")
    (iokit-property "ConfigState")
    (iokit-property "Device Characteristics")
    (iokit-property "DeviceEqID")
    (iokit-property "DisplayRouting")
    (iokit-property "Driver is Ready")
    (iokit-property "EnableLPVP")
    (iokit-property "Endianness")
    (iokit-property "Family ID")
    (iokit-property "ForceSupported")
    (iokit-property "HIDPointerAccelerationType")
    (iokit-property-regex #"^IOAccel(DisplayPipeCapabilities|Index|Types|Revision)")
    (iokit-property-regex #"^IO(Class|MatchCategory|NameMatch)")
    (iokit-property-regex #"^IOAudioControl(ChannelID|ID|SubType|Usage|Value)")
    (iokit-property-regex #"^IOAudioDevice(CanBeDefaults|TransportType)")
    (iokit-property-regex #"^IOAudioEngine(ChannelNames|ClientDescription|CoreAudioPlugIn|(|Device)Description|Flavor|GlobalUniqueID|IsHidden|OutputChannelLayout|SampleOffset|State)")
    (iokit-property-regex #"^IOAudioEngineClock(Domain|IsStable)")
    (iokit-property "IOAudioEngineDisableClockBoundsCheck")
    (iokit-property-regex #"^IOAudioEngine(Input|Output)Sample(Latency|Offset)")
    (iokit-property-regex #"^IOAudioEngineNum(ActiveUserClients|SampleFramesPerBuffer)")
    (iokit-property "IOAudioSampleRate")
    (iokit-property "IOAudioStreamSampleFormatByteOrder")
    (iokit-property "IOBusyInterest")
    (iokit-property "IOCFPlugInTypes")
    (iokit-property "IOChildIndex")
    (iokit-property-regex #"^IOClass(|NameOverride)")
    (iokit-property "IOConsoleUsers")
    (iokit-property "IODVDBundleName")
    (iokit-property "IODeviceMemory")
    (iokit-property "IODisplayParameters")
    (iokit-property-regex #"^IOFB(CLUTDefer|Config|CursorInfo|Dependent(ID|Index))")
    (iokit-property "IOFBCurrentPixelClock")
    (iokit-property-regex #"^IOFBCurrentPixelCount(|Real)")
    (iokit-property-regex #"^IOFB(DetailedTimings|Gamma(Count|HeaderSize|Width))")
    (iokit-property-regex #"^IOFB(Blue|Green|Red)GammaScale")
    (iokit-property-regex #"^IOFBI2CInterface(IDs|Info)")
    (iokit-property-regex #"^IOFB(HDMIDongleROM|Integrated|MemorySize|NeedsRefresh|ProbeOptions|ScalerInfo|TimingRange|Transform|UIScale|WaitCursor(Frames|Period))")
    (iokit-property "IOFramebufferOpenGLIndex")
    (iokit-property "IOGeneralInterest")
    (iokit-property "IOGLBundleName")
    (iokit-property "IOHibernateState")
    (iokit-property "IOI2CTransactionTypes")
    (iokit-property-regex #"^IOInterrupt(Controllers|Specifiers)")
    (iokit-property "IOGVAVTCapabilities")
    (iokit-property-regex #"^IOGVA(Codec|EncoderRestricted)")
    (iokit-property-regex #"^IOGVA(.*)(De|En)code$")
    (iokit-property "IOMatchCategory")
    (iokit-property "IONDRVFramebufferGeneration")
    (iokit-property "IONVRAMProperty")
    (iokit-property-regex #"^IOName(|Match(|ed))")
    (iokit-property "IOPMStrictTreeOrder")
    (iokit-property "IOParentMatch")
    (iokit-property-regex #"^IOPCI(Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced)")
    (iokit-property "IOPMIsPowerManaged")
    (iokit-property-regex #"^IOPlatform(SerialNumber|UUID)")
    (iokit-property "IOPowerManagement")
    (iokit-property "IOProbeScore")
    (iokit-property "IOPropertyMatch")
    (iokit-property "IOProviderClass")
    (iokit-property-regex #"^IOReport(Lures|Legend(|Public))")
    (iokit-property "IOScreenRestoreState")
    (iokit-property "IOSourceVersion")
    (iokit-property-regex #"^IOVA(BundleName|Renderer(|Sub)ID)")
    (iokit-property-regex #"^InternalStatistics(|Accm)")
    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
    (iokit-property "MetalStatisticsName")
    (iokit-property "MTHIDDevice")
    (iokit-property "MT Built-In")
    (iokit-property "MaintainPowerInUILock")
    (iokit-property "Max Packet Size")
    (iokit-property "MinDigitizerPressureValue")
    (iokit-property "Multitouch Serial Number")
    (iokit-property-regex #"^Multitouch (Subdevice |)ID")
    (iokit-property "NVArch")
    (iokit-property-regex #"^NVC(AP|LASS)")
    (iokit-property-regex #"^NVDA,(Features|NVPresentment-version|accel-loaded|invalid-config|mm-version)")
    (iokit-property-regex #"^NVDA(Type|initgl_created)")
    (iokit-property "NVRAMProperty")
    (iokit-property "NXSystemInfo")
    (iokit-property-regex #"^VRAM,(memvendorID|total(MB|size))")
    (iokit-property "NoAutoRoute")
    (iokit-property-regex #"^PerformanceStatistics(|Accum)")
    (iokit-property "Protocol Characteristics")
    (iokit-property "Serial Number")
    (iokit-property "StartupDisplay")
    (iokit-property-regex #"^Support(AudioAUUC|sSilentClick|TapToWake)")
    (iokit-property-regex #"^Sensor (Columns|Rows)")
    (iokit-property-regex #"^Sensor Region (Descriptor|Param|Rows)")
    (iokit-property-regex #"^Sensor Surface (Descriptor|Height|Width)")
    (iokit-property "SurfaceList")
    (iokit-property "TimeStampFiltering")
    (iokit-property "Transport")
    (iokit-property "WANTS_FRAMES_IGNORED")
    (iokit-property-regex #"^acpi-(device|path)")
    (iokit-property "assigned-addresses")
    (iokit-property "attached-gpu-control-path")
    (iokit-property-regex #"^audio-(codec-info|device-mvalue|device-nvalue|selector)")
    (iokit-property "av-signal-type")
    (iokit-property "bcdVersion")
    (iokit-property-regex #"^(board|device|revision|subsystem|vendor)-id")
    (iokit-property "boot-gamma-restored")
    (iokit-property "built-in")
    (iokit-property "class-code")
    (iokit-property "compatible")
    (iokit-property "connector-type")
    (iokit-property-regex #"^(device|revision|subsystem-vendor|touch-size)-id")
    (iokit-property "device_type")
    (iokit-property "graphic-options")
    (iokit-property "hda-gfx")
    (iokit-property-regex #"^id(Product|Vendor)")
    (iokit-property "iofb_version")
    (iokit-property "model")
    (iokit-property "mt-device-id")
    (iokit-property "name")
    (iokit-property "nv-stats")
    (iokit-property-regex #"^parser-(options|type)")
    (iokit-property-regex #"^pci(-aspm-default|debug)")
    (iokit-property "port-number")
    (iokit-property "reg")
    (iokit-property "rm_board_number")
    (iokit-property-regex #"^(rom|vbios)-revision")
    (iokit-property "saved-config")
    (iokit-property "startup-timing")
    (iokit-property "touch-size-id")
)
187
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
;; XPC services: the empty prefix matches every service name, so this denies all
;; XPC lookups and the allow below is the complete list reachable from the Web
;; process. Each entry is attack surface driven by web content; keep it minimal.
(deny mach-lookup (xpc-service-name-prefix ""))
(allow mach-lookup
    (xpc-service-name "com.apple.accessibility.mediaaccessibilityd")
    (xpc-service-name "com.apple.audio.SandboxHelper")
    (xpc-service-name "com.apple.coremedia.videodecoder")
    (xpc-service-name "com.apple.coremedia.videoencoder")
    (xpc-service-name-regex #"\.apple-extension-service$")
    (xpc-service-name "com.apple.hiservices-xpcservice")
    ;; NOTE(review): presumably the fix for the PostScript-rendering regression
    ;; named in the page title (PDFPlugin); confirm and record the radar here.
    (xpc-service-name "com.apple.print.normalizerd")
)
#endif
200
201 ;; Utility functions for home directory relative path filters
(define (home-regex home-relative-regex)
  ;; Regex filter anchored at the sandbox's HOME_DIR parameter (regex-quoted so
  ;; metacharacters in the path are taken literally), followed by the caller's pattern.
  (let ((quoted-home (regex-quote (param "HOME_DIR"))))
    (regex (string-append "^" quoted-home home-relative-regex))))
204
(define (home-subpath home-relative-subpath)
  ;; Subpath filter rooted at HOME_DIR; callers in this file pass a leading "/".
  (let ((absolute-path (string-append (param "HOME_DIR") home-relative-subpath)))
    (subpath absolute-path)))
207
(define (home-literal home-relative-literal)
  ;; Exact-path filter for a single file under HOME_DIR.
  (let ((absolute-path (string-append (param "HOME_DIR") home-relative-literal)))
    (literal absolute-path)))
210
(define (allow-read-directory-and-issue-read-extensions path)
    ;; No-op when `path` is false (presumably an unset param); otherwise allow
    ;; reads under `path` and allow minting read-class sandbox extensions for it.
    (if path
        (let ((directory (subpath path)))
            (allow file-read* directory)
            (allow file-issue-extension
                   (require-all (extension-class "com.apple.app-sandbox.read") directory)))))
216
(define (allow-read-write-directory-and-issue-read-write-extensions path)
    ;; No-op when `path` is false; otherwise allow read+write under `path` and
    ;; allow minting both read and read-write sandbox extensions for it.
    (if path
        (let ((directory (subpath path)))
            (allow file-read* file-write* directory)
            (allow file-issue-extension
                   (require-all (extension-class "com.apple.app-sandbox.read") directory))
            (allow file-issue-extension
                   (require-all (extension-class "com.apple.app-sandbox.read-write") directory)))))
223
224 ;; Remove when <rdar://problem/29646094> is fixed.
(define (HEX-pattern-match-generator pattern-descriptor)
    ;; Build a regex fragment from a list of group widths: a 0 entry contributes
    ;; a literal "-", an entry n > 0 contributes n copies of "[0-9A-F]", and a
    ;; negative entry contributes nothing. Walk the list left to right, growing `acc`.
    (let next-group ((groups pattern-descriptor) (acc ""))
        (if (null? groups)
            acc
            (let ((width (car groups))
                  (rest (cdr groups)))
                (if (zero? width)
                    (next-group rest (string-append acc "-"))
                    (let hex-digits ((remaining width) (acc acc))
                        (if (> remaining 0)
                            (hex-digits (- remaining 1) (string-append acc "[0-9A-F]"))
                            (next-group rest acc))))))))
237
238 ;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
(define (uuid-HEX-pattern-match-string)
    ;; 8-4-4-4-12 hex groups; the 0 entries become the "-" separators.
    (let ((uuid-group-layout (list 8 0 4 0 4 0 4 0 12)))
        (HEX-pattern-match-generator uuid-group-layout)))
241
242 ;; global to hold the computed UUID matching pattern.
(define *uuid-pattern* "")

(define (uuid-regex-string)
    ;; Lazily compute and cache the UUID pattern in *uuid-pattern*; the empty
    ;; string is the "not yet computed" marker.
    (if (= 0 (string-length *uuid-pattern*))
        (set! *uuid-pattern* (uuid-HEX-pattern-match-string)))
    *uuid-pattern*)
249
250 ;; Read-only preferences and data
(allow file-read*
    ;; Basic system paths
    (subpath "/Library/Dictionaries")
    (subpath "/Library/Fonts")
    (subpath "/Library/Frameworks")
    (subpath "/Library/Managed Preferences")
    (subpath "/Library/Speech/Synthesizers")
    ;; Anchored on both ends: exactly these three files, nothing else under /etc.
    (regex #"^/private/etc/(hosts|group|passwd)$")

    (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")

    ;; System and user preferences
    (home-literal "/.CFUserTextEncoding")

    ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
    ;; User-installed fonts are parsed by the Web process; a classic fuzzing target.
    (home-subpath "/Library/Fonts")

    (subpath "/Library/Audio/Plug-Ins/HAL")

    (home-subpath "/Library/Dictionaries"))

;; file-read-data only (no metadata/xattr reads) for audio component bundles.
(allow file-read-data
    ;; Needed for AES3 support
    (subpath "/Library/Audio/Plug-Ins/Components"))
275
276 ;; Preferences support
;; CFPreferences domains readable by the Web process. The com.apple.security*
;; domains are also readable as raw plists further down (until the radar noted
;; there is resolved), so both paths must stay in sync.
(allow user-preference-read
    (preference-domain
        "kCFPreferencesAnyApplication"
        "com.apple.ATS"
        "com.apple.CoreGraphics"
        "com.apple.DownloadAssessment"
        "com.apple.HIToolbox"
        "com.apple.LaunchServices"
        "com.apple.MultitouchSupport" ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
        "com.apple.QTKit"
        "com.apple.ServicesMenu.Services" ;; Needed for NSAttributedString <rdar://problem/10844321>
        "com.apple.WebFoundation"
        "com.apple.avfoundation"
        "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
        "com.apple.coremedia"
        "com.apple.crypto"
        "com.apple.driver.AppleBluetoothMultitouch.mouse"
        "com.apple.driver.AppleBluetoothMultitouch.trackpad"
        "com.apple.driver.AppleHIDMouse"
        "com.apple.lookup.shared"
        "com.apple.mediaaccessibility"
        "com.apple.networkConnect"
        "com.apple.security"
        "com.apple.security.common"
        "com.apple.security.revocation"
        "com.apple.speech.voice.prefs"
        "com.apple.systemsound"
        "com.apple.universalaccess"
        "edu.mit.Kerberos"
        "pbs" ;; Needed for NSAttributedString <rdar://problem/10844321>
))
308
;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
;; and to allow issuing extensions.
;; The helper is a no-op when the param is unset.
(allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))

;; Allow issuing extensions to system libraries that the Network process can already read.
;; This is to avoid warnings attempting to create extensions for these resources.
;; NOTE(review): the comment above says "Network process" but this is the Web
;; process profile; it looks copied from the network sandbox -- confirm.
(allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")
316
317 ;; Sandbox extensions
(define (apply-read-and-issue-extension op path-filter)
    ;; Apply `op` (allow or deny) to reads matching `path-filter`, and to issuing
    ;; read-class sandbox extensions for the same paths.
    (op file-read* path-filter)
    (let ((read-class (extension-class "com.apple.app-sandbox.read")))
        (op file-issue-extension (require-all read-class path-filter))))
(define (apply-write-and-issue-extension op path-filter)
    ;; Apply `op` (allow or deny) to writes matching `path-filter`, and to issuing
    ;; read-write-class sandbox extensions for the same paths.
    (op file-write* path-filter)
    (let ((read-write-class (extension-class "com.apple.app-sandbox.read-write")))
        (op file-issue-extension (require-all read-write-class path-filter))))
(define (read-only-and-issue-extensions path-filter)
    ;; Grant read access plus read-extension issuing for `path-filter`.
    ;; `allow` is looked up at call time, so with-filter's rebinding applies.
    (let ((grant allow))
        (apply-read-and-issue-extension grant path-filter)))
(define (read-write-and-issue-extensions path-filter)
    ;; Grant read and write access, plus read and read-write extension issuing,
    ;; for `path-filter`.
    (let ((grant allow))
        (apply-read-and-issue-extension grant path-filter)
        (apply-write-and-issue-extension grant path-filter)))
;; Paths covered by extensions handed to this process (e.g. by the UI process)
;; become readable / read-writable here.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
(allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.

;; Allow the OpenGL Profiler to attach.
;; Guarded with defined? -- presumably mach-register does not exist in every
;; SBPL dialect this file is compiled against.
(if (defined? 'mach-register)
    (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))

;; MediaAccessibility
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.mediaaccessibility.public"))

;; Per-user cache and temp directories: read/write plus extension issuing.
;; NOTE(review): these guard on (string-length (param ...)) whereas the
;; allow-read-* helpers above guard on the param being truthy; if an unset param
;; yields #f rather than "", string-length would raise here -- confirm what the
;; sandbox runtime returns for an unset param.
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))

(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
346
347 ;; IOKit user clients
;; IOKit user clients the Web process may open. Each class is a kernel-facing
;; interface reachable from a compromised renderer, so keep this list justified.
(allow iokit-open
    (iokit-user-client-class "AppleMultitouchDeviceUserClient")
    (iokit-user-client-class "AppleUpstreamUserClient")
    (iokit-user-client-class "IOHIDParamUserClient")
    (iokit-user-client-class "RootDomainUserClient")
    (iokit-user-client-class "IOAudioControlUserClient")
    (iokit-user-client-class "IOAudioEngineUserClient")
    ;; Following is needed due to <rdar://problem/10427451> && <rdar://problem/10808817>
    (iokit-user-client-class "AudioAUUC"))

;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
;; Read-only shared memory for cookie storage sessions; the two regexes are
;; unanchored/prefix matches on the shm name.
(allow ipc-posix-shm-read-data
    (ipc-posix-name "FNetwork.defaultStorageSession")
    (ipc-posix-name-regex #"\.PrivateBrowsing-")
    (ipc-posix-name-regex #"^WebKit Test-"))

;; ColorSync
;; Full shm access (ipc-posix-shm*) to the ColorSync profile/lock segments.
(allow ipc-posix-shm*
    (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    (ipc-posix-name "com.apple.ColorSync.Disp.lock")
    (ipc-posix-name "com.apple.ColorSync.Gray2.2")
    (ipc-posix-name "com.apple.ColorSync.sRGB")
    (ipc-posix-name "com.apple.ColorSync.GenGray")
    (ipc-posix-name "com.apple.ColorSync.GenRGB"))

;; Audio
;; Read plus data-write (but not create/unlink) on AudioIO-prefixed segments.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))
377
378 ;; Remote Web Inspector
;; Remote Web Inspector
(allow mach-lookup
       (global-name "com.apple.webinspector"))

;; Various services required by AppKit and other frameworks
;; Global (launchd) Mach services the Web process may look up. Version-gated
;; entries use the C preprocessor, so the effective list depends on the
;; deployment target this .sb.in is compiled for.
(allow mach-lookup
       (global-name "com.apple.FileCoordination")
       (global-name "com.apple.FontObjectsServer")
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
       (global-name "com.apple.FontServer")
#endif
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.PPPController")
       (global-name "com.apple.audio.SystemSoundServer-OSX")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
       (global-name "com.apple.analyticsd")
#endif
       (global-name "com.apple.audio.audiohald")
       (global-name "com.apple.audio.coreaudiod")
       (global-name "com.apple.awdd")
       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
       (global-name "com.apple.cookied")
       (global-name "com.apple.coreservices.launchservicesd")
       (global-name "com.apple.dock.server")
       (global-name "com.apple.fonts")
       (global-name "com.apple.iconservices")
       (global-name "com.apple.iconservices.store")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
       (global-name "com.apple.mediaremoted.xpc")
#endif
       (global-name "com.apple.lsd.mapdb")
       (global-name "com.apple.nesessionmanager.flow-divert-token")
       (global-name "com.apple.speech.speechsynthesisd")
       (global-name "com.apple.speech.synthesis.console")
       (global-name "com.apple.system.opendirectoryd.api")
       (global-name "com.apple.tccd")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.window_proxies")
       (global-name "com.apple.windowserver.active")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
       (global-name "com.apple.audio.AudioComponentRegistrar")
#endif
)

;; Security framework
;; Keychain / smartcard / OCSP daemons needed for TLS and credential lookups.
(allow mach-lookup
       (global-name "com.apple.ctkd.token-client")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.securityd.xpc") 
       (global-name "com.apple.CoreAuthentication.agent.libxpc")
       (global-name "com.apple.SecurityServer"))
430
431 ;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
432 ;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
;; file-write-data without file-write-create: existing keychain files may be
;; modified but no new files created under /Library/Keychains.
(allow file-read-data file-read-metadata file-write-data
    (subpath "/Library/Keychains"))

;; Do permit creating per-user keychains
(allow file-read* file-write*
    (home-subpath "/Library/Keychains"))

;; Except deny access to new-style iOS Keychain folders which are UUIDs.
;; Later rules win, so this deny carves the UUID-named folders out of the two
;; allows above.
;; NOTE(review): the first regex has no "^" anchor, so it already matches any
;; path containing "/Library/Keychains/<UUID>", including the home directory;
;; the home-regex line appears redundant (harmless, but confirm intent).
(deny file-read* file-write*
    (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
    (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))

(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.

(allow file-read*
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures")
       ; The following are needed until <rdar://problem/11134688> is resolved.
       ; Raw-plist twins of the com.apple.security* preference-domain entries above.
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Preferences/com.apple.security.common.plist")
       (literal "/Library/Preferences/com.apple.security.revocation.plist")
       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
       (home-literal "/Library/Preferences/com.apple.security.plist")
       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))

(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
;; The distributed_notifications regex is a prefix match (no trailing anchor).
(allow mach-lookup
    (global-name-regex #"^com.apple.distributed_notifications")                                                       
    (global-name "com.apple.CoreServices.coreservicesd"))
(allow file-read-data
    (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
(allow ipc-posix-shm
    (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
;; Single fsctl command, built with the _IO macro at preprocessing time.
(allow system-fsctl (fsctl-command (_IO "h" 47)))
470
471 ;; Graphics
;; Graphics
;; Helper presumably defined by the imported system.sb -- confirm.
(system-graphics)

;; Networking
(system-network)
(allow network-outbound
       ;; Local mDNSResponder for DNS, arbitrary outbound TCP
       ;; (remote tcp) carries no host/port restriction: the Web process can
       ;; connect anywhere, so it cannot be relied on to limit exfiltration.
       (literal "/private/var/run/mDNSResponder")
       (remote tcp))

(allow mach-lookup
       (global-name "com.apple.pbs.fetch_services"))

#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
;; CFNetwork
(allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
#endif

;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
;; Kerberos / GSS support: credential cache daemon, logging, notifications.
(allow mach-lookup
       (global-name "org.h5l.kcm")
       (global-name "com.apple.GSSCred")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))
;; NOTE(review): (remote udp) allows outbound UDP to any host, not just KDCs;
;; the FIXME above gives no rationale beyond the Kerberos radar -- confirm it
;; is still required.
(allow network-outbound
       (remote udp))
(allow user-preference-read
    (preference-domain
        "com.apple.Kerberos"
        "com.apple.GSS"))

(allow file-read*
        (literal "/private/etc/krb5.conf")
        (literal "/private/etc/services")
        ;; NOTE(review): "/private/etc/host" (no trailing "s") -- /private/etc/hosts
        ;; is already readable via the regex near the top; confirm this is not a typo.
        (literal "/private/etc/host")
        (subpath "/Library/KerberosPlugins/GSSAPI")
        (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins"))
508
;; Never let the Web process create symlinks (guarded because vnode-type is not
;; available in every SBPL dialect); blocks symlink-based escapes from the
;; writable directories granted above.
(if (defined? 'vnode-type)
        (deny file-write-create (vnode-type SYMLINK)))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; (with no-log) silences the denial report; these are expected, noisy accesses.
(deny file-read* file-write* (with no-log)
       ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))

;; Deny access needed for unnecessary NSApplication initialization.
;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
;; These denies come after the broad allows above and therefore take precedence.
(deny file-read* (with no-log)
       (subpath "/Library/InputManagers")
       (home-subpath "/Library/InputManagers"))
(deny user-preference-read (with no-log)
    (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs"))
(deny mach-lookup (with no-log)
       (global-name "com.apple.coreservices.appleevents")
       (global-name "com.apple.pasteboard.1")
       (global-name "com.apple.speech.recognitionserver"))
;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
;; Input-method and keyboard-layout bundles, system-wide and per-user.
(allow file-read*
       (subpath "/Library/Components")
       (subpath "/Library/Keyboard Layouts")
       (subpath "/Library/Input Methods")
       (home-subpath "/Library/Components")
       (home-subpath "/Library/Keyboard Layouts")
       (home-subpath "/Library/Input Methods"))
539
540 ;; AirPlay
;; AirPlay
;; CoreMedia endpoint/route services; the 10.13-only entries are preprocessor-gated.
(allow mach-lookup
    (global-name "com.apple.coremedia.endpoint.xpc")
    (global-name "com.apple.coremedia.endpointstream.xpc")
    (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
    ; "com.apple.coremedia.endpointpicker.xpc" can be removed when <rdar://problem/30081582> is resolved.
    (global-name "com.apple.coremedia.endpointpicker.xpc")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
    (global-name "com.apple.coremedia.routediscoverer.xpc")
    (global-name "com.apple.coremedia.routingcontext.xpc")
    (global-name "com.apple.coremedia.volumecontroller.xpc")
#endif
)

;; Data Detectors
(allow file-read* (subpath "/private/var/db/datadetectors/sys"))
556
557 ;; Media capture, utilities
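;; Fallback predicate, only defined when the platform (presumably the imported
;; system.sb) does not already provide it: true for a non-empty list whose head
;; is the symbol `filter`. The null? check keeps (car x) from being applied
;; to '(), which the original would have done.
(if (not (defined? 'sbpl-filter?))
  (define (sbpl-filter? x)
      (and (list? x)
           (not (null? x))
           (eq? (car x) 'filter))))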
562
;; (with-filter EXTRA-FILTER RULE ...)
;; Evaluates RULE ... with `allow` and `deny` temporarily replaced by wrappers
;; that AND EXTRA-FILTER into every rule: if a rule carries no filters of its
;; own, EXTRA-FILTER is prepended; otherwise the rule's filters are OR-ed
;; (require-any) and then AND-ed (require-all) with EXTRA-FILTER. Filters are
;; recognised by sbpl-filter?. `allow`/`deny` are restored afterwards by
;; plain set!, so if a RULE raises during evaluation the wrappers appear to
;; stay in place for the rest of the profile.
(macro (with-filter form)
   (let* ((ps (cdr form))
          (extra-filter (car ps))
          (rules (cdr ps)))
    `(letrec
        ((collect
             ;; Split an argument list into (filters non-filters), preserving
             ;; reverse order within each group.
             (lambda (l filters non-filters)
                 (if (null? l)
                     (list filters non-filters)
                     (let* 
                         ((x (car l))
                          (rest (cdr l)))
                         (if (sbpl-filter? x)
                             (collect rest (cons x filters) non-filters)
                             (collect rest filters (cons x non-filters)))))))
         (inject-filter
             ;; Rebuild the argument list with EXTRA-FILTER folded in.
             (lambda args
                 (let* ((collected (collect args '() '()))
                        (filters (car collected))
                        (non-filters (cadr collected)))
                 (if (null? filters)
                     (cons ,extra-filter non-filters)
                     (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
         (orig-allow allow)
         (orig-deny deny)
         (wrapper
             (lambda (action)
                 (lambda args (apply action (apply inject-filter args))))))
        (set! allow (wrapper orig-allow))
        (set! deny (wrapper orig-deny))
        ,@rules
        (set! deny orig-deny)
        (set! allow orig-allow))))
596
(define (home-library-preferences-regex home-library-preferences-relative-regex)
    ;; Regex filter anchored at the (regex-quoted) HOME_LIBRARY_PREFERENCES_DIR parameter.
    (let ((quoted-prefs-dir (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR"))))
        (regex (string-append "^" quoted-prefs-dir home-library-preferences-relative-regex))))
599
(define (home-library-preferences-literal home-library-preferences-relative-literal)
    ;; Exact-path filter for a file under HOME_LIBRARY_PREFERENCES_DIR.
    (let ((absolute-path (string-append (param "HOME_LIBRARY_PREFERENCES_DIR")
                                        home-library-preferences-relative-literal)))
        (literal absolute-path)))
602
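(define (shared-preferences-read . domains)
  ;; For each preference domain: allow CFPreferences reads, plus raw plist reads
  ;; (system-wide, per-user, and per-host ByHost variants) for readers that
  ;; bypass CFPreferences.
  ;; The defined? guard is kept, though user-preference-read is used unguarded
  ;; elsewhere in this file, so it is likely vestigial. The symbol is now
  ;; quoted with ' as the other defined? checks in this file do, instead of `.
  (for-each (lambda (domain)
              (if (defined? 'user-preference-read)
                  (allow user-preference-read (preference-domain domain)))
              ; (Temporary) backward compatibility with non-CFPreferences readers.
              (allow file-read*
                     (literal (string-append "/Library/Preferences/" domain ".plist"))
                     (home-library-preferences-literal (string-append "/" domain ".plist"))
                     (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$"))))
            domains))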
614
615 ;; Media capture, microphone access
;; Media capture, microphone access
;; Only when the UI process has handed this process the microphone extension.
(with-filter (extension "com.apple.webkit.microphone")
    (allow device-microphone))

;; Media capture, camera access
;; Everything in this form is AND-ed with the camera extension by with-filter,
;; so the assistants and USB user clients are unreachable without it.
(with-filter (extension "com.apple.webkit.camera")
    (shared-preferences-read "com.apple.coremedia")
    (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
    ;; NOTE(review): already allowed unconditionally earlier in this profile
    ;; (next to the FIXME for the app-sandbox.mach extension); redundant here.
    (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
    (allow mach-lookup
        (global-name "com.apple.cmio.AppleCameraAssistant")
        ;; Apple DAL assistants
        (global-name "com.apple.cmio.VDCAssistant")
        (global-name "com.apple.cmio.AVCAssistant")
        (global-name "com.apple.cmio.IIDCVideoAssistant")
        ;; QuickTimeIIDCDigitizer assistant
        (global-name "com.apple.IIDCAssistant"))
    (allow iokit-open
        ;; QuickTimeUSBVDCDigitizer
        (iokit-user-client-class "IOUSBDeviceUserClientV2")
        (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
    (allow device-camera))