; Copyright (C) 2010-2017 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.
;; Profile header.  "deny default" turns the rest of this file into an
;; allow-list: any operation not explicitly allowed below is refused.
;; NOTE(review): the partial-symbolication modifier presumably only affects
;; how denials are reported, not what is denied -- confirm against the
;; sandbox documentation.
(version 1)
(deny default (with partial-symbolication))
(allow system-audit file-read-metadata)

;; Shared baseline rules; the rules below this import refine or override them.
(import "system.sb")

;;; process-info* defaults to allow; deny it and then allow operations we actually need.
(deny process-info*)
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self)) ; only this process may be the target
;; This is a .sb.in file: the #if blocks are presumably resolved by the C
;; preprocessor from the deployment target, so the compiled profile differs
;; per macOS version.
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
(allow process-codesigning-status*)
#endif

;; Same deny-then-allow pattern as process-info above: only these read-only
;; sysctl keys (CPU count/model, memory pressure, footprint state) are visible.
(deny sysctl*)
(allow sysctl-read
    (sysctl-name
        "hw.availcpu"
        "hw.ncpu"
        "hw.model"
        "kern.memorystatus_level"
        "vm.footprint_suspend"))

;; IOKit registry property reads: deny everything, then allow only the named
;; (or regex-matched) properties, mostly graphics, audio, HID and multitouch
;; keys.  Keep this list explicit -- a broad regex here widens what the
;; content process can learn about the hardware.
;; NOTE(review): a few entries overlap (e.g. "IOMatchCategory" is also matched
;; by the ^IO(Class|MatchCategory|NameMatch) regex, "touch-size-id" and
;; "device-id" by the -id regexes); harmless, but redundant.
;; NOTE(review): "IOPlatformSerialNumber", "IOPlatformUUID" and
;; "Serial Number" are stable device identifiers -- worth confirming each is
;; still required by the content process.
(deny iokit-get-properties)
(allow iokit-get-properties
    (iokit-property "AGCInfo")
    (iokit-property "AccelCaps")
    (iokit-property-regex #"^(Accurate|Extended)MaxDigitizerPressureValue")
    (iokit-property-regex #"^(Activation|Animation)Thresholds")
    (iokit-property "ActuationSupported")
    (iokit-property "AllowDisplaySleep")
    (iokit-property "AlwaysNeedsVelocityCalculated")
    (iokit-property "AppleIntelMEVABundleName")
    (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
    (iokit-property-regex #"^ATY,fb_(linebytes|offset|size)")
    (iokit-property "BacklightHandle")
    (iokit-property-regex #"^CEA(ModeID|PixelRepetition)")
    (iokit-property "CFBundleIdentifier")
    (iokit-property "CapsLockDelay")
    (iokit-property "ConfigState")
    (iokit-property "Device Characteristics")
    (iokit-property "DeviceEqID")
    (iokit-property "DisplayRouting")
    (iokit-property "Driver is Ready")
    (iokit-property "EnableLPVP")
    (iokit-property "Endianness")
    (iokit-property "Family ID")
    (iokit-property "ForceSupported")
    (iokit-property "HIDPointerAccelerationType")
    (iokit-property-regex #"^IOAccel(DisplayPipeCapabilities|Index|Types|Revision)")
    (iokit-property-regex #"^IO(Class|MatchCategory|NameMatch)")
    (iokit-property-regex #"^IOAudioControl(ChannelID|ID|SubType|Usage|Value)")
    (iokit-property-regex #"^IOAudioDevice(CanBeDefaults|TransportType)")
    (iokit-property-regex #"^IOAudioEngine(ChannelNames|ClientDescription|CoreAudioPlugIn|(|Device)Description|Flavor|GlobalUniqueID|IsHidden|OutputChannelLayout|SampleOffset|State)")
    (iokit-property-regex #"^IOAudioEngineClock(Domain|IsStable)")
    (iokit-property "IOAudioEngineDisableClockBoundsCheck")
    (iokit-property-regex #"^IOAudioEngine(Input|Output)Sample(Latency|Offset)")
    (iokit-property-regex #"^IOAudioEngineNum(ActiveUserClients|SampleFramesPerBuffer)")
    (iokit-property "IOAudioSampleRate")
    (iokit-property "IOAudioStreamSampleFormatByteOrder")
    (iokit-property "IOBusyInterest")
    (iokit-property "IOCFPlugInTypes")
    (iokit-property "IOChildIndex")
    (iokit-property-regex #"^IOClass(|NameOverride)")
    (iokit-property "IOConsoleUsers")
    (iokit-property "IODVDBundleName")
    (iokit-property "IODeviceMemory")
    (iokit-property "IODisplayParameters")
    (iokit-property-regex #"^IOFB(CLUTDefer|Config|CursorInfo|Dependent(ID|Index))")
    (iokit-property "IOFBCurrentPixelClock")
    (iokit-property-regex #"^IOFBCurrentPixelCount(|Real)")
    (iokit-property-regex #"^IOFB(DetailedTimings|Gamma(Count|HeaderSize|Width))")
    (iokit-property-regex #"^IOFB(Blue|Green|Red)GammaScale")
    (iokit-property-regex #"^IOFBI2CInterface(IDs|Info)")
    (iokit-property-regex #"^IOFB(HDMIDongleROM|Integrated|MemorySize|NeedsRefresh|ProbeOptions|ScalerInfo|TimingRange|Transform|UIScale|WaitCursor(Frames|Period))")
    (iokit-property "IOFramebufferOpenGLIndex")
    (iokit-property "IOGeneralInterest")
    (iokit-property "IOGLBundleName")
    (iokit-property "IOHibernateState")
    (iokit-property "IOI2CTransactionTypes")
    (iokit-property-regex #"^IOInterrupt(Controllers|Specifiers)")
    (iokit-property "IOGVAVTCapabilities")
    (iokit-property-regex #"^IOGVA(Codec|EncoderRestricted)")
    (iokit-property-regex #"^IOGVA(.*)(De|En)code$")
    (iokit-property "IOMatchCategory")
    (iokit-property "IONDRVFramebufferGeneration")
    (iokit-property "IONVRAMProperty")
    (iokit-property-regex #"^IOName(|Match(|ed))")
    (iokit-property "IOPMStrictTreeOrder")
    (iokit-property "IOParentMatch")
    (iokit-property-regex #"^IOPCI(Express(Capabilities|Link(Status|Capabilities))|MSIMode|Resourced)")
    (iokit-property "IOPMIsPowerManaged")
    (iokit-property-regex #"^IOPlatform(SerialNumber|UUID)")
    (iokit-property "IOPowerManagement")
    (iokit-property "IOProbeScore")
    (iokit-property "IOPropertyMatch")
    (iokit-property "IOProviderClass")
    (iokit-property-regex #"^IOReport(Lures|Legend(|Public))")
    (iokit-property "IOScreenRestoreState")
    (iokit-property "IOSourceVersion")
    (iokit-property-regex #"^IOVA(BundleName|Renderer(|Sub)ID)")
    (iokit-property-regex #"^InternalStatistics(|Accm)")
    (iokit-property-regex #"^MetalPlugin(Name|ClassName)")
    (iokit-property "MetalStatisticsName")
    (iokit-property "MTHIDDevice")
    (iokit-property "MT Built-In")
    (iokit-property "MaintainPowerInUILock")
    (iokit-property "Max Packet Size")
    (iokit-property "MinDigitizerPressureValue")
    (iokit-property "Multitouch Serial Number")
    (iokit-property-regex #"^Multitouch (Subdevice |)ID")
    (iokit-property "NVArch")
    (iokit-property-regex #"^NVC(AP|LASS)")
    (iokit-property-regex #"^NVDA,(Features|NVPresentment-version|accel-loaded|invalid-config|mm-version)")
    (iokit-property-regex #"^NVDA(Type|initgl_created)")
    (iokit-property "NVRAMProperty")
    (iokit-property "NXSystemInfo")
    (iokit-property-regex #"^VRAM,(memvendorID|total(MB|size))")
    (iokit-property "NoAutoRoute")
    (iokit-property-regex #"^PerformanceStatistics(|Accum)")
    (iokit-property "Protocol Characteristics")
    (iokit-property "Serial Number")
    (iokit-property "StartupDisplay")
    (iokit-property-regex #"^Support(AudioAUUC|sSilentClick|TapToWake)")
    (iokit-property-regex #"^Sensor (Columns|Rows)")
    (iokit-property-regex #"^Sensor Region (Descriptor|Param|Rows)")
    (iokit-property-regex #"^Sensor Surface (Descriptor|Height|Width)")
    (iokit-property "SurfaceList")
    (iokit-property "TimeStampFiltering")
    (iokit-property "Transport")
    (iokit-property "WANTS_FRAMES_IGNORED")
    (iokit-property-regex #"^acpi-(device|path)")
    (iokit-property "assigned-addresses")
    (iokit-property "attached-gpu-control-path")
    (iokit-property-regex #"^audio-(codec-info|device-mvalue|device-nvalue|selector)")
    (iokit-property "av-signal-type")
    (iokit-property "bcdVersion")
    (iokit-property-regex #"^(board|device|revision|subsystem|vendor)-id")
    (iokit-property "boot-gamma-restored")
    (iokit-property "built-in")
    (iokit-property "class-code")
    (iokit-property "compatible")
    (iokit-property "connector-type")
    (iokit-property-regex #"^(device|revision|subsystem-vendor|touch-size)-id")
    (iokit-property "device_type")
    (iokit-property "graphic-options")
    (iokit-property "hda-gfx")
    (iokit-property-regex #"^id(Product|Vendor)")
    (iokit-property "iofb_version")
    (iokit-property "model")
    (iokit-property "mt-device-id")
    (iokit-property "name")
    (iokit-property "nv-stats")
    (iokit-property-regex #"^parser-(options|type)")
    (iokit-property-regex #"^pci(-aspm-default|debug)")
    (iokit-property "port-number")
    (iokit-property "reg")
    (iokit-property "rm_board_number")
    (iokit-property-regex #"^(rom|vbios)-revision")
    (iokit-property "saved-config")
    (iokit-property "startup-timing")
    (iokit-property "touch-size-id")
)

#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
;; Close the whole XPC service namespace (the empty prefix matches every
;; name), then re-open only the services this process needs.
;; NOTE(review): the regex entry admits any XPC service whose name ends in
;; ".apple-extension-service" (presumably the app-extension host services);
;; confirm that suffix cannot be claimed by an arbitrary service.
(deny mach-lookup (xpc-service-name-prefix ""))
(allow mach-lookup
    (xpc-service-name "com.apple.accessibility.mediaaccessibilityd")
    (xpc-service-name "com.apple.audio.SandboxHelper")
    (xpc-service-name "com.apple.coremedia.videodecoder")
    (xpc-service-name "com.apple.coremedia.videoencoder")
    (xpc-service-name-regex #"\.apple-extension-service$")
    (xpc-service-name "com.apple.hiservices-xpcservice")
)
#endif

;; Utility functions for home directory relative path filters

;; Regex filter anchored at the (regex-escaped) home directory:
;; "^<HOME_DIR><home-relative-regex>".
(define (home-regex home-relative-regex)
  (let ((quoted-home (regex-quote (param "HOME_DIR"))))
    (regex (string-append "^" quoted-home home-relative-regex))))

;; Subpath filter rooted at the home directory: everything under
;; "<HOME_DIR><home-relative-subpath>".
(define home-subpath
  (lambda (home-relative-subpath)
    (subpath (string-append (param "HOME_DIR") home-relative-subpath))))

;; Literal (exact path) filter for "<HOME_DIR><home-relative-literal>".
(define (home-literal home-relative-literal)
  (let ((full-path (string-append (param "HOME_DIR") home-relative-literal)))
    (literal full-path)))

;; Allow reading everything under PATH and issuing read sandbox extensions
;; for that subtree.  A false PATH (presumably an unset param) grants nothing.
(define (allow-read-directory-and-issue-read-extensions path)
    (cond
        (path
            (allow file-read* (subpath path))
            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))

;; Allow reading and writing everything under PATH and issuing both read and
;; read-write sandbox extensions for that subtree.  A false PATH grants nothing.
(define (allow-read-write-directory-and-issue-read-write-extensions path)
    (cond
        (path
            (allow file-read* file-write* (subpath path))
            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
            (allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))

;; Remove when <rdar://problem/29646094> is fixed.
;; Build a regex fragment from PATTERN-DESCRIPTOR, a list of run lengths:
;; each positive N appends N copies of "[0-9A-F]", each 0 appends a literal
;; "-".  Note the character class is upper-case hex only.
(define (HEX-pattern-match-generator pattern-descriptor)
    (letrec ((pattern-string ""))            ; accumulator, grown by set! below
        (for-each  (lambda (repeat-count)
            (if (zero? repeat-count)
                (set! pattern-string (string-append  pattern-string "-"))
                (let appender ((count repeat-count))   ; named let: count down to 0
                    (if (> count 0)
                        (begin
                            (set! pattern-string (string-append  pattern-string "[0-9A-F]"))
                            (appender (- count 1)))))))
            pattern-descriptor)
    pattern-string))

;; return a regex pattern matching string for 8-4-4-4-12 UUIDs:
(define uuid-HEX-pattern-match-string
    (lambda ()
        ;; run lengths of the five hex groups; 0 stands for a "-" separator
        (HEX-pattern-match-generator '(8 0 4 0 4 0 4 0 12))))

;; global to hold the computed UUID matching pattern.
;; The empty string means "not computed yet"; uuid-regex-string fills it in
;; on first use.
(define *uuid-pattern* "")

;; Return the UUID regex fragment, computing it on the first call and caching
;; it in *uuid-pattern* for later ones.
(define (uuid-regex-string)
    (cond ((string=? *uuid-pattern* "")
           (set! *uuid-pattern* (uuid-HEX-pattern-match-string))))
    *uuid-pattern*)

;; Read-only preferences and data
(allow file-read*
    ;; Basic system paths
    (subpath "/Library/Dictionaries")
    (subpath "/Library/Fonts")
    (subpath "/Library/Frameworks")
    (subpath "/Library/Managed Preferences")
    (subpath "/Library/Speech/Synthesizers")
    ;; Exactly these three files in /private/etc, nothing else in that directory.
    (regex #"^/private/etc/(hosts|group|passwd)$")

    (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")

    ;; System and user preferences
    (home-literal "/.CFUserTextEncoding")

    ;; FIXME: This should be removed when <rdar://problem/8957845> is fixed.
    (home-subpath "/Library/Fonts")

    (subpath "/Library/Audio/Plug-Ins/HAL")

    (home-subpath "/Library/Dictionaries"))

;; Data only (no metadata) for the audio component bundles.
(allow file-read-data
    ;; Needed for AES3 support
    (subpath "/Library/Audio/Plug-Ins/Components"))

;; Preferences support
;; Read-only access to these preference domains.  kCFPreferencesAnyApplication
;; is the global domain shared by every application.
(allow user-preference-read
    (preference-domain
        "kCFPreferencesAnyApplication"
        "com.apple.ATS"
        "com.apple.CoreGraphics"
        "com.apple.DownloadAssessment"
        "com.apple.HIToolbox"
        "com.apple.LaunchServices"
        "com.apple.MultitouchSupport" ;; FIXME: Remove when <rdar://problem/13011633> is fixed.
        "com.apple.QTKit"
        "com.apple.ServicesMenu.Services" ;; Needed for NSAttributedString <rdar://problem/10844321>
        "com.apple.WebFoundation"
        "com.apple.avfoundation"
        "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
        "com.apple.coremedia"
        "com.apple.crypto"
        "com.apple.driver.AppleBluetoothMultitouch.mouse"
        "com.apple.driver.AppleBluetoothMultitouch.trackpad"
        "com.apple.driver.AppleHIDMouse"
        "com.apple.lookup.shared"
        "com.apple.mediaaccessibility"
        "com.apple.networkConnect"
        "com.apple.security"
        "com.apple.security.common"
        "com.apple.security.revocation"
        "com.apple.speech.voice.prefs"
        "com.apple.systemsound"
        "com.apple.universalaccess"
        "edu.mit.Kerberos"
        "pbs" ;; Needed for NSAttributedString <rdar://problem/10844321>
))

;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
;; and to allow issuing extensions.
;; WEBKIT2_FRAMEWORK_DIR may be unset; the helper grants nothing in that case.
(allow-read-directory-and-issue-read-extensions (param "WEBKIT2_FRAMEWORK_DIR"))

;; Allow issuing extensions to system libraries that the Network process can already read.
;; This is to avoid warnings attempting to create extensions for these resources.
;; NOTE(review): this is the Web process profile; the mention of the Network
;; process above looks copied from a sibling profile -- confirm the wording.
(allow-read-directory-and-issue-read-extensions "/System/Library/PrivateFrameworks/WebInspectorUI.framework")

;; Sandbox extensions

;; Apply OP (allow or deny) to reading PATH-FILTER and to issuing read
;; extensions for it.
(define (apply-read-and-issue-extension op path-filter)
    (let ((read-class "com.apple.app-sandbox.read"))
        (op file-read* path-filter)
        (op file-issue-extension (require-all (extension-class read-class) path-filter))))
;; Apply OP (allow or deny) to writing PATH-FILTER and to issuing read-write
;; extensions for it.
(define (apply-write-and-issue-extension op path-filter)
    (let ((read-write-class "com.apple.app-sandbox.read-write"))
        (op file-write* path-filter)
        (op file-issue-extension (require-all (extension-class read-write-class) path-filter))))
;; Allow reads of PATH-FILTER and issuing read extensions for it.
(define read-only-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)))
;; Allow reads and writes of PATH-FILTER and issuing read and read-write
;; extensions for it.
(define read-write-and-issue-extensions
    (lambda (path-filter)
        (apply-read-and-issue-extension allow path-filter)
        (apply-write-and-issue-extension allow path-filter)))
;; Paths covered by a read / read-write extension handed to this process
;; become readable / writable here, and the extension can be re-issued.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
(allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.

;; Allow the OpenGL Profiler to attach.
;; Guarded with defined? so the profile still compiles where the
;; mach-register operation does not exist.
(if (defined? 'mach-register)
    (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))

;; MediaAccessibility
;; The only preference domain this process may write.
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.mediaaccessibility.public"))

;; Per-user cache and temp directories: read-write plus extension issuing.
;; NOTE(review): these guards call string-length on the param value, unlike
;; the (if path ...) guard inside the helper; if an unset param yields #f
;; rather than "" this would fail at compile time -- confirm the param
;; contract.
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))

(if (positive? (string-length (param "DARWIN_USER_TEMP_DIR")))
    (allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))

;; IOKit user clients
;; Each class here is a kernel driver interface this process may open; every
;; addition widens the kernel attack surface reachable from web content.
(allow iokit-open
    (iokit-user-client-class "AppleMultitouchDeviceUserClient")
    (iokit-user-client-class "AppleUpstreamUserClient")
    (iokit-user-client-class "IOHIDParamUserClient")
    (iokit-user-client-class "RootDomainUserClient")
    (iokit-user-client-class "IOAudioControlUserClient")
    (iokit-user-client-class "IOAudioEngineUserClient")
    ;; Following is needed due to <rdar://problem/10427451> && <rdar://problem/10808817>
    (iokit-user-client-class "AudioAUUC"))

;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
;; Read-only shared memory for the cookie storage sessions.
;; NOTE(review): the PrivateBrowsing regex is unanchored, so it matches that
;; substring anywhere in a segment name.
(allow ipc-posix-shm-read-data
    (ipc-posix-name "FNetwork.defaultStorageSession")
    (ipc-posix-name-regex #"\.PrivateBrowsing-")
    (ipc-posix-name-regex #"^WebKit Test-"))

;; ColorSync
;; Full shared-memory access, but only to these named profile/lock segments.
(allow ipc-posix-shm*
    (ipc-posix-name "com.apple.ColorSync.Gen.lock")
    (ipc-posix-name "com.apple.ColorSync.Disp.lock")
    (ipc-posix-name "com.apple.ColorSync.Gray2.2")
    (ipc-posix-name "com.apple.ColorSync.sRGB")
    (ipc-posix-name "com.apple.ColorSync.GenGray")
    (ipc-posix-name "com.apple.ColorSync.GenRGB"))

;; Audio
;; Read plus write-data (no create/unlink) on the AudioIO* segments.
(allow ipc-posix-shm-read* ipc-posix-shm-write-data
    (ipc-posix-name-regex #"^AudioIO"))

;; Remote Web Inspector
(allow mach-lookup
       (global-name "com.apple.webinspector"))

;; Various services required by AppKit and other frameworks
;; Each global-name is a Mach service this process may look up (and therefore
;; talk to).  The #if blocks add or drop services per deployment target.
(allow mach-lookup
       (global-name "com.apple.FileCoordination")
       (global-name "com.apple.FontObjectsServer")
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101200
       (global-name "com.apple.FontServer")
#endif
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.PPPController")
       (global-name "com.apple.audio.SystemSoundServer-OSX")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
       (global-name "com.apple.analyticsd")
#endif
       (global-name "com.apple.audio.audiohald")
       (global-name "com.apple.audio.coreaudiod")
       (global-name "com.apple.awdd")
       (global-name "com.apple.cfnetwork.AuthBrokerAgent")
       (global-name "com.apple.cookied")
       (global-name "com.apple.coreservices.launchservicesd")
       (global-name "com.apple.dock.server")
       (global-name "com.apple.fonts")
       (global-name "com.apple.iconservices")
       (global-name "com.apple.iconservices.store")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200
       (global-name "com.apple.mediaremoted.xpc")
#endif
       (global-name "com.apple.lsd.mapdb")
       (global-name "com.apple.nesessionmanager.flow-divert-token")
       (global-name "com.apple.speech.speechsynthesisd")
       (global-name "com.apple.speech.synthesis.console")
       (global-name "com.apple.system.opendirectoryd.api")
       (global-name "com.apple.tccd")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.window_proxies")
       (global-name "com.apple.windowserver.active")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
       (global-name "com.apple.audio.AudioComponentRegistrar")
#endif
)

;; Security framework
(allow mach-lookup
       (global-name "com.apple.ctkd.token-client")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.securityd.xpc")
       (global-name "com.apple.CoreAuthentication.agent.libxpc")
       (global-name "com.apple.SecurityServer"))

;; FIXME: This should be removed when <rdar://problem/10479685> is fixed.
;; Restrict AppSandboxed processes from creating /Library/Keychains, but allow access to the contents of /Library/Keychains:
;; NOTE(review): file-write-data on the whole subpath lets this process
;; modify existing files under the system keychain directory (creation and
;; deletion are not granted).  Worth confirming this is still needed for as
;; long as the radar above stays open.
(allow file-read-data file-read-metadata file-write-data
    (subpath "/Library/Keychains"))

;; Do permit creating per-user keychains
(allow file-read* file-write*
    (home-subpath "/Library/Keychains"))

;; Except deny access to new-style iOS Keychain folders which are UUIDs.
;; NOTE(review): the generated pattern matches upper-case hex only and the
;; first regex is not anchored with ^, so a lower-case UUID directory name
;; would not be caught by this deny -- confirm the on-disk naming convention.
(deny file-read* file-write*
    (regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)"))
    (home-regex (string-append "/Library/Keychains/" (uuid-regex-string) "(/|$)")))

(allow file-read* file-write* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.

(allow file-read*
       (subpath "/private/var/db/mds")
       (literal "/private/var/db/DetachedSignatures")
       ; The following are needed until <rdar://problem/11134688> is resolved.
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Preferences/com.apple.security.common.plist")
       (literal "/Library/Preferences/com.apple.security.revocation.plist")
       (home-literal "/Library/Application Support/SyncServices/Local/ClientsWithChanges/com.apple.Keychain")
       (home-literal "/Library/Preferences/com.apple.security.plist")
       (home-literal "/Library/Preferences/com.apple.security.revocation.plist"))

(allow ipc-posix-shm-read* ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
;; NOTE(review): the dots in the distributed_notifications regex are not
;; escaped, so each one matches any character; the ^ anchor keeps it a prefix
;; match but a stricter form would be #"^com\.apple\.distributed_notifications".
(allow mach-lookup
    (global-name-regex #"^com.apple.distributed_notifications")
    (global-name "com.apple.CoreServices.coreservicesd"))
(allow file-read-data
    (literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
(allow ipc-posix-shm
    (ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
;; A single fsctl command, identified by its _IO code; nothing else from the fsctl family.
(allow system-fsctl (fsctl-command (_IO "h" 47)))

;; Graphics
(system-graphics)

;; Networking
;; NOTE(review): (remote tcp) carries no host or port constraint, so the
;; content process may open any outbound TCP connection; only the local
;; mDNSResponder socket is named explicitly.
(system-network)
(allow network-outbound
       ;; Local mDNSResponder for DNS, arbitrary outbound TCP
       (literal "/private/var/run/mDNSResponder")
       (remote tcp))

(allow mach-lookup
       (global-name "com.apple.pbs.fetch_services"))

#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
;; CFNetwork
;; Data-only read of the public-suffix table used by CFNetwork.
(allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
#endif

;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
;; Kerberos / GSS support.
;; NOTE(review): (remote udp) below is unconstrained like the TCP rule above;
;; it stays only while this FIXME is open.
(allow mach-lookup
       (global-name "org.h5l.kcm")
       (global-name "com.apple.GSSCred")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))
(allow network-outbound
       (remote udp))
(allow user-preference-read
    (preference-domain
        "com.apple.Kerberos"
        "com.apple.GSS"))

;; NOTE(review): "/private/etc/host" looks like a typo for "/private/etc/hosts",
;; which is already readable through the regex in the read-only block above;
;; as written the literal grants nothing useful.
(allow file-read*
        (literal "/private/etc/krb5.conf")
        (literal "/private/etc/services")
        (literal "/private/etc/host")
        (subpath "/Library/KerberosPlugins/GSSAPI")
        (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins"))

;; Never create symlinks, even in writable locations (guarded because the
;; vnode-type filter is not available on every sandbox version).
(if (defined? 'vnode-type)
        (deny file-write-create (vnode-type SYMLINK)))

;; Reserve a namespace for additional protected extended attributes.
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))

;; The no-log modifier presumably suppresses the violation report for these
;; expected but unneeded accesses, so they do not show up in sandbox logs.
(deny file-read* file-write* (with no-log)
       ;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2")
       (home-literal "/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2-journal"))

;; Deny access needed for unnecessary NSApplication initialization.
;; FIXME: This can be removed once <rdar://problem/13011633> is fixed.
;; These denials override the broader allows above for the same paths, names
;; and domains; no-log keeps them out of the violation logs.
(deny file-read* (with no-log)
       (subpath "/Library/InputManagers")
       (home-subpath "/Library/InputManagers"))
(deny user-preference-read (with no-log)
    (preference-domain "com.apple.speech.recognition.AppleSpeechRecognition.prefs"))
(deny mach-lookup (with no-log)
       (global-name "com.apple.coreservices.appleevents")
       (global-name "com.apple.pasteboard.1")
       (global-name "com.apple.speech.recognitionserver"))
;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
(allow file-read*
       (subpath "/Library/Components")
       (subpath "/Library/Keyboard Layouts")
       (subpath "/Library/Input Methods")
       (home-subpath "/Library/Components")
       (home-subpath "/Library/Keyboard Layouts")
       (home-subpath "/Library/Input Methods"))

;; AirPlay
;; CoreMedia endpoint services; the 10.13+ block adds route discovery and
;; volume control.
(allow mach-lookup
    (global-name "com.apple.coremedia.endpoint.xpc")
    (global-name "com.apple.coremedia.endpointstream.xpc")
    (global-name "com.apple.coremedia.endpointplaybacksession.xpc")
    ; "com.apple.coremedia.endpointpicker.xpc" can be removed when <rdar://problem/30081582> is resolved.
    (global-name "com.apple.coremedia.endpointpicker.xpc")
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101300
    (global-name "com.apple.coremedia.routediscoverer.xpc")
    (global-name "com.apple.coremedia.routingcontext.xpc")
    (global-name "com.apple.coremedia.volumecontroller.xpc")
#endif
)

;; Data Detectors
;; System-wide detector data only; the per-user directory is not granted.
(allow file-read* (subpath "/private/var/db/datadetectors/sys"))

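;; Media capture, utilities

;; Fallback predicate for sandbox runtimes that do not define sbpl-filter?:
;; a filter is a proper, non-empty list whose head is the symbol filter.
;; The pair? check keeps (car x) from failing on an empty list, which list?
;; alone would let through.
(if (not (defined? 'sbpl-filter?))
  (define (sbpl-filter? x)
      (and (list? x)
           (pair? x)
           (eq? (car x) 'filter))))
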
;; (with-filter EXTRA-FILTER RULE ...)
;; Evaluates RULE ... with allow and deny temporarily rebound to wrappers that
;; add EXTRA-FILTER to every rule: a rule with no filter of its own gets
;; EXTRA-FILTER; a rule with filters gets
;; (require-all (require-any filters...) EXTRA-FILTER).  The original allow and
;; deny are restored afterwards, so the rebinding does not leak past the form.
(macro (with-filter form)
   (let* ((ps (cdr form))
          (extra-filter (car ps))
          (rules (cdr ps)))
    `(letrec
        ((collect
             ;; split an argument list into (filters non-filters), both reversed
             (lambda (l filters non-filters)
                 (if (null? l)
                     (list filters non-filters)
                     (let*
                         ((x (car l))
                          (rest (cdr l)))
                         (if (sbpl-filter? x)
                             (collect rest (cons x filters) non-filters)
                             (collect rest filters (cons x non-filters)))))))
         (inject-filter
             ;; rebuild the argument list with the combined filter in front
             (lambda args
                 (let* ((collected (collect args '() '()))
                        (filters (car collected))
                        (non-filters (cadr collected)))
                 (if (null? filters)
                     (cons ,extra-filter non-filters)
                     (cons (require-all (apply require-any filters) ,extra-filter) non-filters)))))
         (orig-allow allow)
         (orig-deny deny)
         (wrapper
             (lambda (action)
                 (lambda args (apply action (apply inject-filter args))))))
        (set! allow (wrapper orig-allow))
        (set! deny (wrapper orig-deny))
        ,@rules
        (set! deny orig-deny)
        (set! allow orig-allow))))

;; Regex filter anchored at the (regex-escaped) per-user preferences directory:
;; "^<HOME_LIBRARY_PREFERENCES_DIR><relative-regex>".
(define (home-library-preferences-regex home-library-preferences-relative-regex)
    (let ((quoted-prefs-dir (regex-quote (param "HOME_LIBRARY_PREFERENCES_DIR"))))
        (regex (string-append "^" quoted-prefs-dir home-library-preferences-relative-regex))))

;; Literal (exact path) filter for "<HOME_LIBRARY_PREFERENCES_DIR><relative-literal>".
(define home-library-preferences-literal
    (lambda (home-library-preferences-relative-literal)
        (literal (string-append (param "HOME_LIBRARY_PREFERENCES_DIR") home-library-preferences-relative-literal))))

;; Allow reading each preference domain in DOMAINS: through the
;; user-preference-read operation when the sandbox defines it, and by direct
;; file access to the global, per-user and per-host plist files.
(define (shared-preferences-read . domains)
  (for-each (lambda (domain)
              (cond ((defined? `user-preference-read)
                     (allow user-preference-read (preference-domain domain))))
              ; (Temporary) backward compatibility with non-CFPreferences readers.
              (allow file-read*
                     (literal (string-append "/Library/Preferences/" domain ".plist"))
                     (home-library-preferences-literal (string-append "/" domain ".plist"))
                     (home-library-preferences-regex (string-append #"/ByHost/" (regex-quote domain) #"\..*\.plist$"))))
            domains))

;; Media capture, microphone access
;; Only when the process holds the webkit.microphone extension; the rule is
;; otherwise inert.
(with-filter (extension "com.apple.webkit.microphone")
    (allow device-microphone))

;; Media capture, camera access
;; Everything in this form is conditioned on the webkit.camera extension:
;; camera preferences, DAL plug-ins, the capture assistants, the USB user
;; clients and the camera device itself.
(with-filter (extension "com.apple.webkit.camera")
    (shared-preferences-read "com.apple.coremedia")
    (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
    (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
    (allow mach-lookup
        (global-name "com.apple.cmio.AppleCameraAssistant")
        ;; Apple DAL assistants
        (global-name "com.apple.cmio.VDCAssistant")
        (global-name "com.apple.cmio.AVCAssistant")
        (global-name "com.apple.cmio.IIDCVideoAssistant")
        ;; QuickTimeIIDCDigitizer assistant
        (global-name "com.apple.IIDCAssistant"))
    (allow iokit-open
        ;; QuickTimeUSBVDCDigitizer
        (iokit-user-client-class "IOUSBDeviceUserClientV2")
        (iokit-user-client-class "IOUSBInterfaceUserClientV2"))
    (allow device-camera))