[iOS] Deny mach lookup access to frontboard services in the WebContent process
[WebKit.git] / Source / WebKit / Resources / SandboxProfiles / ios / com.apple.WebKit.WebContent.sb
1 ; Copyright (C) 2010-2020 Apple Inc. All rights reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions
5 ; are met:
6 ; 1. Redistributions of source code must retain the above copyright
7 ; notice, this list of conditions and the following disclaimer.
8 ; 2. Redistributions in binary form must reproduce the above copyright
9 ; notice, this list of conditions and the following disclaimer in the
10 ; documentation and/or other materials provided with the distribution.
11 ;
12 ; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
13 ; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
14 ; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
15 ; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
16 ; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
17 ; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
18 ; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
19 ; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
20 ; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
21 ; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
22 ; THE POSSIBILITY OF SUCH DAMAGE.
23
24 (version 1)
25 (deny default (with partial-symbolication))   ; default-deny baseline: any operation not explicitly allowed below is refused (the modifier presumably only affects how violations are reported — confirm)
26 (allow system-audit file-read-metadata)
27
28 ;;;
29 ;;; The following rules were originally contained in 'common.sb'. We are duplicating them here so we can
30 ;;; remove unneeded sandbox extensions.
31 ;;;
32
33 (import "util.sb")   ; helpers used below but not defined here (allow-create-directory, allow-well-known-system-group-container-*-read) presumably come from this file — verify
34
;; Read access to every path matching any one of FILTERS, plus the right to hand out
;; read-only ("com.apple.app-sandbox.read") sandbox extensions for those same paths.
35 (define-once (allow-read-and-issue-generic-extensions . filters)
36     (allow file-read*
37            (apply require-any filters))              ; any single matching filter is enough
38     (allow file-issue-extension
39         (require-all
40             (extension-class "com.apple.app-sandbox.read")   ; read-only extension class only
41             (apply require-any filters))))
42
;; Read-write counterpart of allow-read-and-issue-generic-extensions: grants file-read*,
;; file-write* and file-read-metadata on the FILTERS paths, and may issue both the
;; read-write and the read-only app-sandbox extension classes for them.
43 (define-once (allow-read-write-and-issue-generic-extensions . filters)
44     (allow file-read* file-write*
45            (apply require-any filters))
46     (allow file-read-metadata
47            (apply require-any filters))
48     (allow file-issue-extension
49         (require-all
50             (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
51             (apply require-any filters))))
52
;; Read-only access to the PublicInfo subdirectories of managed-configuration profiles,
;; in the system group container and in the front user's home.
53 (define-once (managed-configuration-read-public)
54     (allow file-read*
55            (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
56            (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
57            (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
58
;; Read access to managed-configuration profiles. Called with no FILES, the whole profile
;; directories become readable; called with file names, only those entries (by literal
;; path) in each of the three locations are readable.
59 (define-once (managed-configuration-read . files)
60     (if (null? files)
61         (allow file-read*                             ; no arguments: entire directories
62                (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
63                (front-user-home-subpath "/Library/ConfigurationProfiles")
64                (front-user-home-subpath "/Library/UserConfigurationProfiles"))
65         (for-each                                     ; otherwise: one literal-path rule per named file
66             (lambda (file)
67                 (allow file-read*
68                     (well-known-system-group-container-literal
69                         (string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
70                     (front-user-home-literal
71                         (string-append "/Library/ConfigurationProfiles/" file)
72                         (string-append "/Library/UserConfigurationProfiles/" file))))
73             files)))
74
;; Metadata-only (file-read-metadata, not contents) access to the home directory itself and
;; to ~/Library/Preferences; shared by the mobile-preferences-* helpers below.
75 (define-once (allow-preferences-common)
76     (allow file-read-metadata
77            (home-literal "")
78            (home-literal "/Library/Preferences")))
79
;; Read-only access to the preference DOMAINS given, via the user-preference-read operation.
80 (define-once (mobile-preferences-read . domains)
81     (allow-preferences-common)
82     (allow user-preference-read (apply preference-domain domains)))
83
;; Read and write access to the preference DOMAINS given.
84 (define-once (mobile-preferences-read-write . domains)
85     (allow-preferences-common)
86     (allow user-preference-read user-preference-write (apply preference-domain domains)))
87
;; Framebuffer access: open the IOMobileFramebuffer user client, read a fixed allow-list of
;; properties on IOMobileFramebuffer registry entries, and read the IOMobileGraphicsFamily domain.
88 (define-once (framebuffer-access)
89     (allow iokit-open
90            (iokit-user-client-class "IOMobileFramebufferUserClient"))
91
92     ; IOMobileFramebuffer
93     (with-filter (iokit-registry-entry-class "IOMobileFramebuffer")   ; property reads limited to this entry class ...
94         (allow iokit-get-properties
95                (iokit-property "AppleTV"                              ; ... and to these named keys only
96                                "DisplayPipePlaneBaseAlignment"
97                                "DisplayPipeStrideRequirements"
98                                "PerformanceStatistics"
99                                "appleTV-VID0"
100                                "appleTV-VID1"
101                                "hdcp-hoover-protocol")))
102
103     (mobile-preferences-read "com.apple.iokit.IOMobileGraphicsFamily")
104 )
105
;; MobileAsset read access. Both conditions must hold: the path is under ~/Library/Assets or
;; /private/var/MobileAsset AND the process holds a "com.apple.assets.read" extension.
;; OPTIONS may contain 'with-media-playback, which additionally routes the same filter
;; through play-media so mediaserverd read extensions can be issued for those assets.
106 (define-once (asset-access . options)
107     (let ((asset-access-filter
108             (require-all
109               (require-any
110                 (home-subpath "/Library/Assets")
111                 (subpath "/private/var/MobileAsset"))
112               (extension "com.apple.assets.read"))))   ; the extension is mandatory; a matching path alone is not enough
113         ;; <rdar://problem/10710883>
114         ;; <rdar://problem/11569106>
115         (allow file-read* asset-access-filter)
116         (if (memq 'with-media-playback options)
117             (play-media asset-access-filter))
118         (mobile-preferences-read "com.apple.MobileAsset")))
119
;; Media playback support. FILTERS (optional) names paths for which mediaserverd read
;; extensions may be issued. Independently of FILTERS: held file extensions may be re-issued
;; to mediaserverd (read-only class for read-only and read-write extensions, read-write class
;; for read-write extensions only), media preference domains are readable, and the networkd
;; plist is readable for AVFoundation.
120 (define-once (play-media . filters)
121     (if (not (null? filters))
122         ;; <rdar://problem/9875794>
123         (allow file-issue-extension                   ; only emitted when the caller supplied filters
124             (require-all
125                 (apply require-any filters)
126                 (extension-class "com.apple.mediaserverd.read"))))
127     (allow file-issue-extension                       ; forward any held path extension to mediaserverd, read-only class
128         (require-all
129             (extension-class "com.apple.mediaserverd.read")
130             (extension "com.apple.security.exception.files.absolute-path.read-only"
131                        "com.apple.security.exception.files.absolute-path.read-write"
132                        "com.apple.security.exception.files.home-relative-path.read-only"
133                        "com.apple.security.exception.files.home-relative-path.read-write")))
134     (allow file-issue-extension                       ; read-write class: only from read-write extensions
135         (require-all
136             (extension-class "com.apple.mediaserverd.read-write")
137             (extension "com.apple.security.exception.files.absolute-path.read-write"
138                        "com.apple.security.exception.files.home-relative-path.read-write")))
139
140     (mobile-preferences-read
141         "com.apple.avfoundation"
142         "com.apple.coreaudio"
143         "com.apple.coremedia"
144         "com.apple.corevideo"
145         "com.apple.itunesstored" ; Needed by MediaPlayer framework
146         "com.apple.mobileipod" ; Ditto
147         "com.apple.audio.virtualaudio" ; <rdar://problem/57170333>
148     )
149
150     ;; AVF needs to see these network preferences:
151     (allow file-read*
152         (literal "/private/var/preferences/com.apple.networkd.plist"))
153
154     ;; Allow mediaserverd to issue file extensions for the purposes of reading media
155     (allow file-issue-extension (require-all
156         (extension "com.apple.app-sandbox.read")      ; a held app-sandbox read extension may be re-issued as a mediaserverd read extension
157         (extension-class "com.apple.mediaserverd.read")))
158 )
159
;; Read-only access to the MediaRemote and iPod preference domains (media controls).
160 (define-once (media-remote)
161     (mobile-preferences-read
162         "com.apple.mediaremote"
163         "com.apple.mobileipod")
164 )
165
;; Media capture. Each device is gated on a WebKit-issued extension: holding
;; "com.apple.webkit.microphone" unlocks the microphone; holding "com.apple.webkit.camera"
;; unlocks the camera plus the CoreMediaIO DAL plug-in directory, the coremedia preference
;; domain, and mach lookups via app-sandbox.mach extensions.
166 (define-once (media-capture-support)
167     ;; Media capture, microphone access
168     (with-filter (extension "com.apple.webkit.microphone")
169         (allow device-microphone))
170
171     ;; Media capture, camera access
172     (with-filter (extension "com.apple.webkit.camera")
173         (allow user-preference-read
174             (preference-domain "com.apple.coremedia"))
175         (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
176         (allow mach-lookup (extension "com.apple.app-sandbox.mach"))   ; NOTE(review): permits lookup of any service named by a held app-sandbox.mach extension, not only camera-related ones; the only gate is holding the camera extension — confirm intended
177         (allow device-camera))
178 )
179
;; Accessibility: register the AX server port (a local-name, not a global bootstrap name),
;; read the Accessibility preference domain, and silently refuse creation of the
;; Accessibility plist in the home directory.
180 (define-once (accessibility-support)
181     (allow mach-register
182         (local-name "com.apple.iphone.axserver"))
183     (mobile-preferences-read "com.apple.Accessibility")
184     
185     ;; <rdar://problem/10809394>
186     (deny file-write-create
187         (home-prefix "/Library/Preferences/com.apple.Accessibility.plist")
188         (with no-report))                           ; denied, but not reported as a violation
189 )
190
;; Media accessibility preferences: the private domain read-only, the ".public" domain read-write.
191 (define-once (media-accessibility-support)
192     ;; <rdar://problem/12250145>
193     (mobile-preferences-read "com.apple.mediaaccessibility")
194     (mobile-preferences-read-write "com.apple.mediaaccessibility.public")
195 )
196
;; Read-only access to the iTunes Store URL-resolution cache used for http(s) -> itms translation.
197 (define-once (url-translation)
198     ;; For translating http:// & https:// URLs referencing itms:// URLs.
199     ;; <rdar://problem/11587338>
200     (allow file-read*
201            (home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
202
203 ;;;
204 ;;; Declare that the application uses the OpenGL, Metal, and CoreML hardware & frameworks.
205 ;;;
;; GPU access for OpenGL/Metal/CoreML: IOGPU user clients (one set merely observed, one known
;; in use), a short list of IOKit properties, the boot-session sysctl, the Metal compiler
;; XPC service, and the Metal/OpenGL preference domains.
206 (define-once (opengl)
207     ;; Items not seen in testing
208     (allow iokit-open (with report) (with telemetry)   ; allowed, but every use is reported and telemetered
209            (iokit-connection "IOGPU")
210            (iokit-user-client-class
211                 "AGXCommandQueue"
212                 "AGXDevice"
213                 "AGXSharedUserClient"
214                 "IOAccelContext"
215                 "IOAccelDevice"
216                 "IOAccelSharedUserClient"
217                 "IOAccelSubmitter2"
218                 "IOAccelContext2"
219                 "IOAccelDevice2"
220                 "IOAccelSharedUserClient2"))
221
222     ;; Items with known uses
223     (allow iokit-open
224         (iokit-connection "IOGPU")
225         (iokit-user-client-class
226             "AGXDeviceUserClient" ;; Used by WebGL
227     ))
228
229     (allow iokit-get-properties
230         (iokit-property "IOGLBundleName")
231         (iokit-property "IOGLESBundleName")
232         (iokit-property "IOGLESDefaultUseMetal")
233         (iokit-property "IOGLESMetalBundleName")
234         (iokit-property "MetalPluginClassName")
235         (iokit-property "MetalPluginName")
236     )
237
238     (allow sysctl-read
239            (sysctl-name #"kern.bootsessionuuid"))
240
241     (allow mach-lookup
242        ;; <rdar://problem/47268166>
243        (xpc-service-name "com.apple.MTLCompilerService"))   ; NOTE(review): the profile later denies every xpc-service-name-prefix ""; which rule wins depends on rule precedence and call order — confirm this lookup still succeeds
244     
245     (mobile-preferences-read
246         "com.apple.Metal" ;; <rdar://problem/25535471>
247         "com.apple.opengl" ;; <rdar://problem/23321675>
248     )
249 )
250
;; Developer and debugging affordances: /Developer, stack-log and debug-tool shared memory,
;; internal-only paths, system frameworks, and the hangtracer preference domain.
;; The indentation below does not everywhere match the paren structure; see the inline notes.
251 (define-once (debugging-support)
252         (allow file-read* file-map-executable
253                (subpath "/Developer"))                   ; NOTE(review): not gated by apple-internal, unlike /AppleInternal below — confirm intended on customer devices
254
255         (allow ipc-posix-shm
256                (ipc-posix-name-regex #"^stack-logs")
257                (ipc-posix-name-regex #"^OA-")
258                (ipc-posix-name-regex #"^/FSM-"))
259
260         (allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-unlink
261                (ipc-posix-name-regex #"^gdt-[A-Za-z0-9]+-(c|s)$"))
262
263         (with-filter (system-attribute apple-internal)
264             ;; <rdar://problem/8565035>
265             ;; <rdar://problem/23857452>
266             (allow file-read* file-map-executable
267                    (subpath "/AppleInternal")
268                    (subpath "/usr/local/lib")))          ; the apple-internal with-filter closes here
            ;; NOTE(review): the form below is outside the apple-internal with-filter (it closed on the
            ;; previous line), so it applies unconditionally despite its indentation — confirm intended.
269             (with-elevated-precedence
270                 (allow file-read* file-map-executable file-issue-extension
271                    (front-user-home-subpath "/XcodeBuiltProducts")))
272
273         ;; <rdar://problem/8107758>
274         (allow file-read* file-map-executable
275                (subpath "/System/Library/Frameworks")
276                (subpath "/System/Library/PrivateFrameworks"))
277
278         ;; <rdar://problem/32544921>
279         (mobile-preferences-read "com.apple.hangtracer"))
280
;; Device-node policy: block and character devices are denied as a class, then a short
;; explicit list of /dev nodes is granted with the minimum operations each needs.
281 (define-once (device-access)
282     (deny file-read* file-write*
283           (vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
284
285     (allow file-read* file-write-data
286            (literal "/dev/null")
287            (literal "/dev/zero"))
288
289     (allow file-read* file-write-data file-ioctl
290            (literal "/dev/dtracehelper"))
291
292     (allow file-read*                                  ; entropy sources are read-only ...
293            (literal "/dev/random")
294            (literal "/dev/urandom"))
295     ;; <rdar://problem/14215718>
296     (deny file-write-data (with no-report)             ; ... writes are refused without reporting
297           (literal "/dev/random")
298           (literal "/dev/urandom"))
299
300     (allow file-read* file-write-data file-ioctl
301            (literal "/dev/aes_0")))                      ; presumably the hardware AES device; read, write and ioctl are all granted — confirm the process needs it
302
;; Returns a filter (require-any over the logd diagnostic directories); emits no rules itself.
;; Consumed by logd-diagnostic-client.
303 (define-once (logd-diagnostic-paths)
304     (require-any
305         (subpath "/private/var/db/diagnostics")
306         (subpath "/private/var/db/timesync")
307         (subpath "/private/var/db/uuidtext")
308         (subpath "/private/var/userdata/diagnostics")))
;; Read access to the logd diagnostic paths, only when the process has one of the two logging
;; entitlements AND holds a "com.apple.logd.read-only" extension.
309 (define-once (logd-diagnostic-client)
310     (with-filter
311         (require-all
312             (require-any
313                 (require-entitlement "com.apple.private.logging.diagnostic")
314                 (require-entitlement "com.apple.diagnosticd.diagnostic"))
315             (extension "com.apple.logd.read-only"))
316         (allow file-read*
317                (logd-diagnostic-paths))))
318
;; A literal-path filter (a value, not a rule) naming the /etc files the process needs;
;; used by the file-read* rule further down in the common section.
319 (define required-etc-files
320   (literal "/private/etc/fstab"
321            "/private/etc/hosts"
322            "/private/etc/group"
323            "/private/etc/passwd"
324            "/private/etc/protocols"
325            "/private/etc/services"))
326
;; Speech synthesis / VoiceOver: the relevant preference domains plus read access to
;; downloaded voice assets in the home directory.
327 (define-once (speech-synthesis-and-voiceover)
328     ;; Speak Selection & VoiceOver
329     ;; <rdar://problem/12030530> AX: Sandbox violation with changing Language while VO is on
330     ;; and <rdar://problem/13071747>
331     (mobile-preferences-read
332         "com.apple.SpeakSelection" ; Needed for WebSpeech
333         "com.apple.VoiceOverTouch" ; Needed for non-US english language synthesis
334         "com.apple.voiceservices") ; Ditto
335
336     ;; <rdar://problem/14555119> Access to high quality speech voices
337     ;; Needed for WebSpeech
338     (allow file-read*
339         (home-subpath "/Library/VoiceServices/Assets")
340         (home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
341 )
342
343 ;; Things required by UIKit
;; Rules UIKit needs inside the content process: preference domains, the CARenderServer
;; lookup, and a few IOKit user clients. Lookups of FrontBoard's system-app services are
;; denied; any attempt is reported with a backtrace so the calling code path can be found.
344 (define-once (uikit-requirements)
345     (mobile-preferences-read
346         "com.apple.UIKit"
347         "com.apple.WebUI"
348         "com.apple.airplay"
349         "com.apple.avkit"
350         "com.apple.coreanimation"
351         "com.apple.mt"
352         "com.apple.preferences.sounds")
353
354     (deny mach-lookup (with telemetry-backtrace)      ; denied; each attempt is reported with a backtrace
355         (global-name "com.apple.frontboard.systemappservices")                 ; -[UIViewServiceInterface _createProcessAssertion] -> SBSProcessIDForDisplayIdentifier()
356     )
357
358     (allow mach-lookup
359         (global-name "com.apple.CARenderServer"))
360
361     ; UIKit-required IOKit nodes.
362     (allow iokit-open  (with report) (with telemetry)   ; allowed, but every use is reported and telemetered
363         (iokit-user-client-class "AppleJPEGDriverUserClient")
364         (iokit-user-client-class "IOSurfaceSendRight")
365     )
366
367     ; WebKit-required IOKit classes
368     (allow iokit-open
369         (iokit-user-client-class "IOSurfaceAcceleratorClient") ;; Media rendering into pixel buffers
370         (iokit-user-client-class "IOSurfaceRootUserClient") ;; Needed by Tiled Grid code.
371     )
372
373     ;; Silence sandbox violations from apps trying to create the empty plist if it doesn't exist.
374     ;; <rdar://problem/13796537>
375     (deny file-write-create
376         (home-prefix "/Library/Preferences/com.apple.UIKit.plist")
377         (with no-report))
378 )
379
;; Dictionary Services: may create its cache directory in the home, and read the system and
;; per-user dictionary directories. (allow-create-directory is not defined in this file;
;; presumably it comes from util.sb.)
380 (define-once (dictionary-support)
381     ; Dictionary Services used by UITextFields.
382     ; <rdar://problem/9386926>
383     (allow-create-directory
384         (home-literal "/Library/Caches/com.apple.DictionaryServices"))
385
386     ; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
387     (allow file-read*
388         ; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
389         (subpath "/Library/Dictionaries")
390         (home-subpath "/Library/Dictionaries"))
391 )
392
393 (deny file-map-executable)                         ; baseline: nothing may be mapped executable; narrower allows follow in the with-elevated-precedence block and in debugging-support
394
395 (deny file-write-mount file-write-unmount)
396
397 (allow file-read-metadata (with no-times)          ; directory metadata is readable for everyone (the modifier presumably withholds timestamps — confirm) ...
398        (vnode-type DIRECTORY))
399 (with-filter (apple-signed-executable?)
400   (allow file-read-metadata                        ; ... and without that restriction for Apple-signed executables
401          (vnode-type DIRECTORY)))
402
403 (with-filter (apple-signed-executable?)            ; cloud-configuration details and the security domain: Apple-signed executables only
404   (managed-configuration-read "CloudConfigurationDetails.plist")
405   (managed-configuration-read "CloudConfigurationSetAsideDetails.plist")
406   (mobile-preferences-read "com.apple.security"))
407
408 (with-filter (system-attribute apple-internal)     ; internal builds only
409   (mobile-preferences-read "com.apple.PrototypeTools"))
410
;; Rules in this form carry elevated precedence. NOTE(review): verify against the sandbox
;; engine's semantics how these interact with the plain (deny ...) rules elsewhere in the
;; file before relying on textual order when reading this section.
411 (with-elevated-precedence
412     (allow file-read*
413            (subpath "/usr/lib"
414                     "/usr/share"
415                     "/private/var/db/timezone"))
416     (allow-read-and-issue-generic-extensions
417         (subpath "/Library/RegionFeatures"
418                  "/System/Library"))
419     (allow file-issue-extension
420         (require-all
421             (extension-class "com.apple.mediaserverd.read")
422             (subpath "/System/Library")))
423     (let ((hw-identifying-paths                     ; hardware-identifying caches carved out of the broad /System/Library read above
424             (require-any
425                 (literal "/System/Library/Caches/apticket.der")
426                 (subpath "/System/Library/Caches/com.apple.kernelcaches")
427                 (subpath "/System/Library/Caches/com.apple.factorydata"))))
428         (deny file-issue-extension file-read* hw-identifying-paths))
429     
430     (allow file-map-executable                     ; the only executable-mapping allowed besides the executable bundle below
431            (subpath "/System/Library")
432            (subpath "/usr/lib"))
433     (allow file-read-metadata
434            (vnode-type SYMLINK))
435
436     ;;; <rdar://problem/24144418>
437     (allow file-read*
438            (subpath "/private/var/preferences/Logging"))
439
440     (mobile-preferences-read "kCFPreferencesAnyApplication")
441     (allow file-read*
442            (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
443
444     (allow file-read*
445            (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
446     (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
447
448     (allow file-read-metadata
449            (home-literal "/Library/Caches/powerlog.launchd"))
450
451     (allow-read-and-issue-generic-extensions (executable-bundle))
452     (allow file-map-executable (executable-bundle))
453
454     ;; <rdar://problem/13963294>
455     (deny file-read-data file-issue-extension file-map-executable   ; SC_Info (DRM-related) directories inside the bundle stay unreadable
456         (require-all
457             (executable-bundle)
458             (regex #"/[^/]+/SC_Info/")))
459
460     (unless (defined? 'restrictive-extension)      ; unless a profile variant opts into restrictive extensions: any held extension of these kinds grants access to whatever it covers
461         (with-filter
462             (extension
463                 "com.apple.app-sandbox.read"
464                 "com.apple.app-sandbox.read-write"
465                 "com.apple.quicklook.readonly"
466                 "com.apple.security.exception.files.absolute-path.read-only"
467                 "com.apple.security.exception.files.absolute-path.read-write"
468                 "com.apple.security.exception.files.home-relative-path.read-only"
469                 "com.apple.security.exception.files.home-relative-path.read-write"
470                 "com.apple.sharing.airdrop.readonly")
471             (allow file-read* file-read-metadata)     ; read for all of the above ...
472             (allow file-issue-extension
473                    (extension-class "com.apple.app-sandbox.read"
474                                     "com.apple.mediaserverd.read"
475                                     "com.apple.quicklook.readonly"
476                                     "com.apple.sharing.airdrop.readonly")))
477         (with-filter
478             (extension
479                 "com.apple.app-sandbox.read-write"
480                 "com.apple.security.exception.files.absolute-path.read-write"
481                 "com.apple.security.exception.files.home-relative-path.read-write")
482             (allow file-write*)                       ; ... write only for the read-write kinds
483             (allow file-issue-extension
484                    (extension-class "com.apple.app-sandbox.read-write"
485                                     "com.apple.mediaserverd.read-write"))))
486
487     ;; <rdar://problem/16079361>
488     (with-filter (global-name-prefix "")           ; registering mach names is allowed only through the matching mach-register exception extension
489         (allow mach-register
490                (extension "com.apple.security.exception.mach-register.global-name")))
491     (with-filter (local-name-prefix "")
492         (allow mach-register
493                (extension "com.apple.security.exception.mach-register.local-name")))
494     (allow-read-and-issue-generic-extensions
495            (extension "com.apple.security.exception.files.absolute-path.read-only")
496            (extension "com.apple.security.exception.files.home-relative-path.read-only"))
497     (allow-read-write-and-issue-generic-extensions
498            (extension "com.apple.security.exception.files.absolute-path.read-write")
499            (extension "com.apple.security.exception.files.home-relative-path.read-write"))
500     (allow iokit-open
501            (extension "com.apple.security.exception.iokit-user-client-class"))
502     (allow managed-preference-read
503            (extension "com.apple.security.exception.managed-preference.read-only"))
504     (allow user-preference-read
505            (extension "com.apple.security.exception.shared-preference.read-only"))
506     (allow user-preference-read user-preference-write
507            (extension "com.apple.security.exception.shared-preference.read-write"))
508
509     (allow file-issue-extension                    ; NSURL storage cache extensions: requires a home-relative read-write extension AND a Caches path
510           (require-all
511               (extension-class "com.apple.nsurlstorage.extension-cache")
512               (extension "com.apple.security.exception.files.home-relative-path.read-write")
513               (require-any
514                   (prefix "/private/var/root/Library/Caches/")
515                   (front-user-home-prefix "/Library/Caches/"))))
516 )
517
518 (debugging-support)                               ; emits the rules defined in debugging-support above
519
520 (allow file-read*
521     required-etc-files                            ; the /etc literals defined above, plus the root directory itself
522     (literal "/"))
523
524 (allow file-read*
525        (subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
526
527 (device-access)
528
529 (allow file-issue-extension                       ; file-provider extensions may be re-issued as app-sandbox extensions
530     (require-all
531         (extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
532         (extension "com.apple.fileprovider.read-write")))
533
534 (allow mach-lookup
535     (global-name "com.apple.logd")
536     (global-name "com.apple.logd.events")
537 )
538
539 (deny mach-lookup (with telemetry-backtrace)      ; denied and reported with a backtrace
540     (global-name "com.apple.distributed_notifications@1v3"))
541
542 (allow ipc-posix-shm-read*
543        (ipc-posix-name-prefix "apple.cfprefs."))
544  
545 (deny mach-lookup (with telemetry-backtrace)      ; denied and reported with a backtrace
546     (global-name "com.apple.lsd.mapdb"))
547
548 ;; <rdar://problem/12413942>
549 (allow file-read*
550        (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
551 (allow iokit-get-properties
552        (iokit-property "IORegistryEntryPropertyKeys"))
553
554 (allow ipc-posix-sem-open
555        (ipc-posix-name "containermanagerd.fb_check"))
556
557 (with-filter (ipc-posix-name "purplebuddy.sentinel")   ; this semaphore may only be opened; create/post/unlink/wait are refused
558     (deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
559     (allow ipc-posix-sem-open))
560
561 (allow mach-lookup (with telemetry)
562     (global-name "com.apple.runningboard") ;; Needed by process assertion code (ProcessTaskStateObserver).
563 )
564
565 (allow system-sched                               ; scheduler control only with the kernel override entitlement
566        (require-entitlement "com.apple.private.kernel.override-cpumon"))
567
568 (deny sysctl-read (with no-report)
569       (sysctl-name "sysctl.proc_native"))
570
571 (with-filter (system-attribute apple-internal)    ; internal builds only
572     (allow sysctl-read sysctl-write
573            (sysctl-name "vm.footprint_suspend")))
574
575 (allow file-read-metadata network-outbound        ; network-outbound is scoped to this filesystem path (presumably the syslog socket), not to any network endpoint
576        (literal "/private/var/run/syslog"))
577
578 (allow mach-lookup
579        (global-name "com.apple.system.notification_center"))
580 (allow ipc-posix-shm-read*
581        (ipc-posix-name "apple.shm.notification_center"))
582
583 (logd-diagnostic-client)
584
585 (managed-configuration-read-public)
586
587 (deny system-info (with no-report)                ; link-layer (MAC) address is withheld, silently
588       (info-type "net.link.addr"))
589
590 (allow file-read*
591        (subpath "/private/var/db/datadetectors/sys"))
592
593 (allow-well-known-system-group-container-subpath-read
594        "/systemgroup.com.apple.icloud.findmydevice.managed/Library")
595
596 (allow mach-task-name (target self))              ; task and process-info operations are limited to the process itself
597
598 (allow process-info-pidinfo (target self))
599 (allow process-info-pidfdinfo (target self))
600 (allow process-info-pidfileportinfo (target self))
601 (allow process-info-setcontrol (target self))
602 (allow process-info-dirtycontrol (target self))
603 (allow process-info-rusage (target self))
604 (allow process-info-codesignature (target self))
605
606 (with-filter (apple-signed-executable?)
607     (mobile-preferences-read "com.apple.demo-settings"))
608
609 ;;;
610 ;;; End common.sb content
611 ;;;
612
613 (deny mach-lookup (xpc-service-name-prefix ""))   ; empty prefix matches every XPC service name; specific allows exist elsewhere (MTLCompilerService in opengl, invoked later) — which wins depends on rule precedence, confirm
614 (deny iokit-get-properties (with partial-symbolication))   ; property reads not matched by an allow-list below are refused
615 (deny lsopen)
616
617 ;;;
618 ;;; The following rules were originally contained in 'UIKit-apps.sb'. We are duplicating them here so we can
619 ;;; remove unneeded sandbox extensions.
620 ;;;
621
622 ;; Any app can play audio & movies.
623 (play-media)                                      ; called without filters: only the extension-forwarding and preference rules are emitted
624
625 ;; Access to media controls
626 (media-remote)
627
628 (url-translation)
629
630 (mobile-preferences-read "com.apple.da")
631
632 (speech-synthesis-and-voiceover)
633
634 ;; Permit reading assets via MobileAsset framework.
635 (asset-access 'with-media-playback)               ; also lets mediaserverd read the asset paths
636
637 ;; FIXME(209309): Remove this telemetry once we have confirmed there are no more lookups.
638 (deny mach-lookup (with telemetry-backtrace)
639        (global-name "com.apple.mobileassetd" "com.apple.mobileassetd.v2"))
640
641 ;; allow 3rd party applications to access nsurlstoraged's top level domain data cache
642 (allow-well-known-system-group-container-literal-read
643     "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
644
645 ;; Access the keyboards
646 (allow file-read*
647     (home-subpath "/Library/Caches/com.apple.keyboards"))
648
649 (mobile-preferences-read
650     "com.apple.EmojiPreferences"
651     ; <rdar://problem/8477596> com.apple.InputModePreferences
652     "com.apple.InputModePreferences"
653     ; <rdar://problem/8206632> Weather(1038) deny file-read-data ~/Library/Preferences/com.apple.keyboard.plist
654     "com.apple.keyboard"
655     ; <rdar://problem/9384085>
656     "com.apple.Preferences"
657     "com.apple.lookup.shared" ; Needed for DataDetector (Spotlight) support
658 )
659
660 ;; Silently deny unnecessary accesses caused by MessageUI framework.
661 ;; This can be removed once <rdar://problem/47038102> is resolved.
662 (deny file-read*
663     (home-literal "/Library/Preferences/com.apple.mobilemail.plist")
664     (with no-log))
665
666 ;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
667 (allow file-read*
668     (home-subpath "/Library/Fonts"))
669
670 ;; <rdar://problem/7344719&26323449> LaunchServices app icons
671 (allow file-read*
672     (well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
673 (deny mach-lookup (with telemetry-backtrace)      ; icon service lookups are denied (both the XPC service and the global name) and reported with a backtrace
674     (xpc-service-name "com.apple.iconservices")
675     (global-name "com.apple.iconservices"))
676
677 (allow-preferences-common)
678
679 ;; Home Button
680 (with-filter (iokit-registry-entry-class "IOPlatformDevice")
681     (allow iokit-get-properties
682         (iokit-property "home-button-type")))
683
684 (uikit-requirements)
685
686 ;; <rdar://problem/9404009>
687 (mobile-preferences-read "kCFPreferencesAnyApplication")
688
689 (dictionary-support)
690
691 ; <rdar://problem/8440231>
692 (allow file-read*
693     (home-literal "/Library/Caches/DateFormats.plist"))
694 ; Silently deny writes when CFData attempts to write to the cache directory.
695 (deny file-write*
696     (home-literal "/Library/Caches/DateFormats.plist")
697     (with no-log))
698
699 (framebuffer-access)
700
701 ; <rdar://problem/7595408> , <rdar://problem/7643881>
702 (opengl)
703
704 ; CRCopyRestrictionsDictionary periodically tries to CFPreferencesAppSynchronize com.apple.springboard.plist
705 ; which will attempt to create the plist if it doesn't exist -- from any application.  Only SpringBoard is
706 ; allowed to write its plist; ignore all others, they don't know what they are doing.
707 ; See <rdar://problem/9375027> for sample backtraces.
708 (deny file-write*
709     (home-prefix "/Library/Preferences/com.apple.springboard.plist")
710     (with no-log))
711
712 ;; <rdar://problem/34986314>
713 (mobile-preferences-read "com.apple.indigo")
714
715 ;;;
716 ;;; End UIKit-apps.sb content
717 ;;;
718
719 (deny sysctl*)                                    ; all sysctl operations refused except the explicit read allow-list below
720 (allow sysctl-read
721     (sysctl-name
722         "hw.activecpu" ;; Needed by JSC engine.
723         "hw.availcpu"
724         "hw.cachelinesize"
725         "hw.cpufamily" ;; <rdar://problem/58416475>
726         "hw.cputype"
727         "hw.l2cachesize"
728         "hw.logicalcpu"
729         "hw.logicalcpu_max"
730         "hw.ncpu"
731         "hw.machine"
732         "hw.memsize"
733         "hw.model"
734         "hw.pagesize_compat"
735         "hw.physicalcpu"
736         "hw.physicalcpu_max"
737         "kern.bootargs"   ;; NOTE(review): boot arguments and the host name (next) are not annotated with a consumer, unlike other entries — confirm they are still needed
738         "kern.hostname"
739         "kern.memorystatus_level"
740         "kern.osproductversion"
741         "kern.osrelease"
742         "kern.ostype"
743         "kern.osvariant_status"
744         "kern.secure_kernel" ;; Needed by XPC bundle resolution
745         "kern.version"
746         "sysctl.name2oid"
747         "vm.footprint_suspend")
748     (sysctl-name-regex #"^net.routetable") ;; <rdar://problem/57665153>
749 )
750
;; IOKit property allow-list for the content process (everything else is refused by the
;; deny iokit-get-properties rule above). Mostly display, graphics and artwork descriptors.
751 (allow iokit-get-properties
752     (iokit-property-regex #"^AAPL,(DisplayPipe|OpenCLdisabled|IOGraphics_LER(|_RegTag_1|_RegTag_0|_Busy_2)|alias-policy|boot-display|display-alias|mux-switch-state|ndrv-dev|primary-display|slot-name)")
753     (iokit-property "APTDevice")
754     (iokit-property "AVCSupported")
755     (iokit-property-regex #"^AppleJPEG(NumCores|Supports(AppleInterchangeFormats|MissingEOI|RSTLogging))")
756     (iokit-property "BaseAddressAlignmentRequirement")
757     (iokit-property-regex #"^DisplayPipe(PlaneBaseAlignment|StrideRequirements)")
758     (iokit-property "HEVCSupported")
759     (iokit-property-regex #"IOGVA(BGRAEnc|Codec|EncoderRestricted|Scaler)")   ; unanchored regex: matches the substring anywhere in the property name
760     (iokit-property "IOClassNameOverride")
761     (iokit-property "IOPlatformUUID")   ;; NOTE(review): a per-device identifier, readable while hw-identifying file paths are explicitly denied above — confirm it is needed and has no rdar/consumer annotation by design
762     (iokit-property "IOSurfaceAcceleratorCapabilitiesDict")
763     (iokit-property "LGHSupported")
764     (iokit-property "Protocol Characteristics")
765     (iokit-property "als-colorCfg") ;; <rdar://problem/52903475>
766     (iokit-property "artwork-device-idiom") ;; <rdar://problem/49497720>
767     (iokit-property "artwork-device-subtype")
768     (iokit-property "artwork-display-gamut") ;; <rdar://problem/49497788>
769     (iokit-property "artwork-dynamic-displaymode") ;; <rdar://problem/49497720>
770     (iokit-property "artwork-scale-factor") ;; <rdar://problem/49497788>
771     (iokit-property-regex #"(canvas-height|canvas-width)")   ; unanchored regex
772     (iokit-property "chip-id") ;; <rdar://problem/52903477>
773     (iokit-property "class-code")
774     (iokit-property "color-accuracy-index")
775     (iokit-property "compatible") ;; <rdar://problem/47523516>
776     (iokit-property "compatible-device-fallback") ;; <rdar://problem/49497720>
777     (iokit-property "device-colors") ;; <rdar://problem/51322072>
778     (iokit-property "device-id")
779     (iokit-property "device-perf-memory-class")
780     (iokit-property "dfr")
781     (iokit-property "display-corner-radius") ;; <rdar://problem/50602737>
782     (iokit-property "emu")
783     (iokit-property "external")
784     (iokit-property "graphics-featureset-class") ;; <rdar://problem/49497720>
785     (iokit-property "graphics-featureset-fallbacks") ;; <rdar://problem/51322072>
786     (iokit-property "hdcp-hoover-protocol")
787     (iokit-property "iommu-present")
788     (iokit-property "oled-display") ;; <rdar://problem/51322072>
789     (iokit-property "product-description") ;; <rdar://problem/49497788>
790     (iokit-property "product-id")
791     (iokit-property "region-info") ;; <rdar://problem/52903475>
792     (iokit-property "regulatory-model-number") ;; <rdar://problem/52903475>
793     (iokit-property "soc-generation") ;; <rdar://problem/52903476>
794     (iokit-property "software-behavior")
795     (iokit-property "vendor-id")
796     (iokit-property "udid-version") ;; <rdar://problem/52903475>
797     (iokit-property "ui-pip") ;; <rdar://problem/48867037>
798 )
799
;; Read-only preferences and data
;; Preference domains exposed read-only through the mobile-preferences-read
;; macro (defined outside this excerpt). The list is explicit — no wildcard
;; or prefix entries.
(mobile-preferences-read
    "com.apple.LaunchServices"
    "com.apple.WebFoundation"
    "com.apple.avfoundation.frecents" ;; <rdar://problem/33137029>
    "com.apple.avfoundation.videoperformancehud" ;; <rdar://problem/31594568>
    "com.apple.voiceservices.logging")
807
;; Sandbox extensions
;;
;; Helpers that pair a file-access rule with the matching file-issue-extension
;; rule, so whatever this process may read (or read and write) under a given
;; filter it may also re-vend as an app-sandbox extension of the same class.
;; `rule` is the rule form to apply (callers below pass allow); `where` is
;; the filter the rules are scoped to.
(define (apply-read-and-issue-extension rule where)
    (rule file-read* where)
    (rule file-issue-extension
          (require-all (extension-class "com.apple.app-sandbox.read") where)))

(define (apply-write-and-issue-extension rule where)
    (rule file-write* where)
    (rule file-issue-extension
          (require-all (extension-class "com.apple.app-sandbox.read-write") where)))

;; Read access plus issuing read-class extensions, for `where`.
(define (read-only-and-issue-extensions where)
    (apply-read-and-issue-extension allow where))

;; Read and write access plus issuing both extension classes, for `where`.
(define (read-write-and-issue-extensions where)
    (apply-read-and-issue-extension allow where)
    (apply-write-and-issue-extension allow where))

;; Honor app-sandbox extensions of either class that were handed to this process.
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
822
;; Access to client's cache folder & re-vending to CFNetwork.
;; A read-write app-sandbox extension already held by this process may be
;; re-issued as an nsurlstorage extension-cache extension. Both conditions in
;; the require-all must hold; their order is immaterial.
(allow file-issue-extension
    (require-all
        (extension-class "com.apple.nsurlstorage.extension-cache")
        (extension "com.apple.app-sandbox.read-write")))
827
;; Accessibility and media-accessibility rules are pulled in from macros
;; defined outside this excerpt; their contents are not visible here.
(accessibility-support)

(media-accessibility-support)
831
;; Remote Web Inspector
;; Allowed, but flagged with (with report) / (with telemetry) so lookups of
;; this service are surfaced. The same name is also granted below behind the
;; com.apple.webkit.extension.mach extension.
(allow mach-lookup (with report) (with telemetry)
       (global-name "com.apple.webinspector"))
835
;; Denied here with a telemetry backtrace so lookups made WITHOUT the
;; com.apple.webkit.extension.mach extension are attributable. A later rule in
;; this file re-allows this name when that extension is held; since later
;; rules take precedence, this deny only covers the extension-less case.
(deny mach-lookup (with telemetry-backtrace)
    (global-name "com.apple.PowerManagement.control"))
838
;; WebContent may not create symbolic links, whatever write access it holds.
(deny file-write-create (vnode-type SYMLINK))

;; Extended attributes under the com.apple.security.private. namespace are
;; neither readable nor writable from this process. Written as two rules,
;; one per operation, with the same anchored regex.
(deny file-read-xattr  (xattr-regex #"^com\.apple\.security\.private\."))
(deny file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
841
;; Allow loading injected bundles.
;; NOTE(review): this rule has no path filter, so it is not limited to
;; injected bundles — it permits mapping any file this process can otherwise
;; open as executable. Confirm a narrower filter is not feasible.
(allow file-map-executable)
844
;; Allow ManagedPreference access
;; Scoped to the web content filter's managed-preferences plist by exact
;; path (literal), not to the Managed Preferences directory as a whole.
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
847
;; Data reads of this single, exactly-matched path (file-read-data only;
;; file-read-metadata is granted profile-wide near the top of the file).
(allow file-read-data
    (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
851
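;; Mach services reachable only while this process holds a
;; com.apple.webkit.extension.mach extension (both require-all conditions
;; must hold). Because later rules take precedence, this also re-enables
;; names that are denied earlier in the file for extension-less lookups
;; (e.g. com.apple.PowerManagement.control).
;; The first group is listed one name per line so additions and removals
;; are reviewable; the FIXME group keeps its original layout. A duplicate
;; "com.apple.audio.AudioComponentRegistrar" entry in the FIXME group has
;; been dropped — the filter is a set of names, so this changes nothing.
(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        (global-name
            "com.apple.iphone.axserver-systemwide"
            "com.apple.tccd"
            "com.apple.nehelper"
            "com.apple.nesessionmanager.content-filter"
            "com.apple.uikit.viewservice.com.apple.WebContentFilter.remoteUI"
            "com.apple.diagnosticd"
            "com.apple.lsd.open"
            "com.apple.mobileassetd"
            "com.apple.mobileassetd.v2"
            ;; NOTE(review): still reachable whenever the extension is held —
            ;; confirm that remains intended.
            "com.apple.frontboard.systemappservices"
            "com.apple.iconservices"
            "com.apple.webinspector"
            ;; Denied above (with telemetry-backtrace) without the extension.
            "com.apple.PowerManagement.control"
            "com.apple.cfprefsd.daemon"
            "com.apple.lsd.mapdb"

            ;;; FIXME(207716): The following should be removed when the GPU process is complete
            "com.apple.airplay.apsynccontroller.xpc" "com.apple.audio.AURemoteIOServer" "com.apple.audio.AudioComponentRegistrar"
            "com.apple.audio.AudioSession" "com.apple.coremedia.admin" "com.apple.coremedia.asset.xpc"
            "com.apple.coremedia.assetimagegenerator.xpc" "com.apple.coremedia.audiodeviceclock.xpc" "com.apple.coremedia.audioprocessingtap.xpc"
            "com.apple.coremedia.capturesession" "com.apple.coremedia.capturesource" "com.apple.coremedia.compressionsession" "com.apple.coremedia.cpe.xpc"
            "com.apple.coremedia.cpeprotector.xpc" "com.apple.coremedia.customurlloader.xpc" "com.apple.coremedia.decompressionsession"
            "com.apple.coremedia.endpoint.xpc" "com.apple.coremedia.figcontentkeysession.xpc" "com.apple.coremedia.figcpecryptor"
            "com.apple.coremedia.formatreader.xpc" "com.apple.coremedia.player.xpc" "com.apple.coremedia.remaker" "com.apple.coremedia.remotequeue"
            "com.apple.coremedia.routediscoverer.xpc" "com.apple.coremedia.routingcontext.xpc" "com.apple.coremedia.routingsessionmanager.xpc"
            "com.apple.coremedia.samplebufferaudiorenderer.xpc" "com.apple.coremedia.samplebufferrendersynchronizer.xpc" "com.apple.coremedia.sandboxserver.xpc"
            "com.apple.coremedia.sts" "com.apple.coremedia.systemcontroller.xpc" "com.apple.coremedia.videoqueue" "com.apple.coremedia.volumecontroller.xpc"
            "com.apple.coremedia.visualcontext.xpc" "com.apple.mediaremoted.xpc"
            ;;; FIXME(207716): End services to remove.
)))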
871
;; XPC services reachable only while the com.apple.webkit.extension.mach
;; extension is held. All three are slated for removal once the GPU process
;; takes over this work (see the FIXME).
(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        ;;; FIXME(207716): The following should be removed when the GPU process is complete
        (xpc-service-name "com.apple.MediaPlayer.RemotePlayerService"
                          "com.apple.accessibility.mediaaccessibilityd"
                          "com.apple.audio.toolbox.reporting.service")
        ;;; FIXME(207716): End services to remove.
    ))
884
;; Any XPC service whose name begins with com.apple.AGXCompilerService
;; (prefix match, not exact), again gated on the mach extension.
(allow mach-lookup
    (require-all
        (extension "com.apple.webkit.extension.mach")
        (xpc-service-name-prefix "com.apple.AGXCompilerService")))
889
;; Media capture rules come from a macro defined outside this excerpt.
(media-capture-support)
891
;; These services have been identified as unused during living-on.
;; This list overrides some definitions above and in common.sb.
;; FIXME: remove overridden rules once the final list has been
;; established, see https://bugs.webkit.org/show_bug.cgi?id=193840
;; Kept after the allow rules and support macros above so that, with later
;; rules taking precedence, it wins over any earlier allow of this name
;; (the macro bodies that may grant it are not visible in this excerpt).
(deny mach-lookup
    (global-name "com.apple.webkit.camera")
)
899
;; Unix syscall allowlist. Emitted only where the syscall-unix operation is
;; defined for this sandbox. The blanket deny carries (with send-signal
;; SIGKILL), so any syscall not re-allowed below terminates the process
;; rather than failing with an error — new syscalls must be added here
;; explicitly. Entries with a Radar note were added for the reason tracked
;; there.
(when (defined? 'syscall-unix)
    (deny syscall-unix (with send-signal SIGKILL))
    (allow syscall-unix
        (syscall-number SYS_exit)
        (syscall-number SYS_read)
        (syscall-number SYS_write)
        (syscall-number SYS_open)
        (syscall-number SYS_close)
        (syscall-number SYS_unlink)
        (syscall-number SYS_chmod)
        (syscall-number SYS_getuid)
        (syscall-number SYS_geteuid)
        (syscall-number SYS_recvfrom)
        (syscall-number SYS_getpeername)
        (syscall-number SYS_access)
        (syscall-number SYS_dup)
        (syscall-number SYS_pipe)
        (syscall-number SYS_getegid)
        (syscall-number SYS_getgid)
        (syscall-number SYS_sigprocmask)
        (syscall-number SYS_sigaltstack)
        (syscall-number SYS_ioctl)
        (syscall-number SYS_readlink)
        (syscall-number SYS_umask)
        (syscall-number SYS_msync)
        (syscall-number SYS_munmap)
        (syscall-number SYS_mprotect)
        (syscall-number SYS_madvise)
        (syscall-number SYS_fcntl)
        (syscall-number SYS_select)
        (syscall-number SYS_fsync)
        (syscall-number SYS_setpriority)
        (syscall-number SYS_socket)
        (syscall-number SYS_connect)
        (syscall-number SYS_setsockopt)
        (syscall-number SYS_gettimeofday)
        (syscall-number SYS_getrusage)
        (syscall-number SYS_getsockopt)
        (syscall-number SYS_writev)
        (syscall-number SYS_fchmod)
        (syscall-number SYS_rename)
        (syscall-number SYS_flock)
        (syscall-number SYS_sendto)
        (syscall-number SYS_shutdown)
        (syscall-number SYS_socketpair)
        (syscall-number SYS_mkdir)
        (syscall-number SYS_rmdir)
        (syscall-number SYS_pread)
        (syscall-number SYS_pwrite)
        (syscall-number SYS_csops)
        (syscall-number SYS_csops_audittoken)
        (syscall-number SYS_kdebug_trace64)
        (syscall-number SYS_kdebug_trace)
        (syscall-number SYS_sigreturn)
        (syscall-number SYS_pathconf)
        (syscall-number SYS_getrlimit)
        (syscall-number SYS_setrlimit)
        (syscall-number SYS_mmap)
        (syscall-number SYS_lseek)
        (syscall-number SYS_ftruncate)
        (syscall-number SYS_sysctl)
        (syscall-number SYS_mlock)
        (syscall-number SYS_munlock)
        (syscall-number SYS_getattrlist)
        (syscall-number SYS_getxattr)
        (syscall-number SYS_fgetxattr)
        (syscall-number SYS_listxattr)
        (syscall-number SYS_shm_open)
        (syscall-number SYS_sem_wait)
        (syscall-number SYS_sem_post)
        (syscall-number SYS_sysctlbyname)
        (syscall-number SYS_psynch_mutexwait)
        (syscall-number SYS_psynch_mutexdrop)
        (syscall-number SYS_psynch_cvbroad)
        (syscall-number SYS_psynch_cvsignal)
        (syscall-number SYS_psynch_cvwait)
        (syscall-number SYS_psynch_rw_wrlock)
        (syscall-number SYS_psynch_rw_unlock)
        (syscall-number SYS_psynch_cvclrprepost)
        (syscall-number SYS_process_policy)
        (syscall-number SYS_issetugid)
        (syscall-number SYS___pthread_kill)
        (syscall-number SYS___pthread_markcancel)
        (syscall-number SYS___pthread_sigmask)
        (syscall-number SYS___disable_threadsignal)
        (syscall-number SYS___semwait_signal)
        (syscall-number SYS_proc_info)
        (syscall-number SYS_stat64)
        (syscall-number SYS_fstat64)
        (syscall-number SYS_lstat64)
        (syscall-number SYS_getdirentries64)
        (syscall-number SYS_statfs64)
        (syscall-number SYS_fstatfs64)
        (syscall-number SYS_getfsstat64)
        (syscall-number SYS_getaudit_addr)
        (syscall-number SYS_bsdthread_create)
        (syscall-number SYS_bsdthread_terminate)
        (syscall-number SYS_workq_kernreturn)
        (syscall-number SYS_thread_selfid)
        (syscall-number SYS_kevent_qos)
        (syscall-number SYS_kevent_id)
        (syscall-number SYS___mac_syscall)
        (syscall-number SYS_read_nocancel)
        (syscall-number SYS_write_nocancel)
        (syscall-number SYS_open_nocancel)
        (syscall-number SYS_close_nocancel)
        (syscall-number SYS_sendmsg_nocancel)
        (syscall-number SYS_recvfrom_nocancel)
        (syscall-number SYS_fcntl_nocancel)
        (syscall-number SYS_select_nocancel)
        (syscall-number SYS_connect_nocancel)
        (syscall-number SYS_sendto_nocancel)
        (syscall-number SYS_fsgetpath)
        (syscall-number SYS_fileport_makeport)
        (syscall-number SYS_guarded_open_np)
        (syscall-number SYS_guarded_close_np)
        (syscall-number SYS_change_fdguard_np)
        (syscall-number SYS_proc_rlimit_control)
        (syscall-number SYS_connectx)
        (syscall-number SYS_getattrlistbulk)
        (syscall-number SYS_openat)
        (syscall-number SYS_openat_nocancel)
        (syscall-number SYS_fstatat64)
        (syscall-number SYS_mkdirat)
        (syscall-number SYS_bsdthread_ctl)
        (syscall-number SYS_csrctl)
        (syscall-number SYS_guarded_pwrite_np)
        (syscall-number SYS_getentropy)
        (syscall-number SYS_necp_open)
        (syscall-number SYS_necp_client_action)
        (syscall-number SYS_ulock_wait)
        (syscall-number SYS_ulock_wake)
        (syscall-number SYS_kdebug_typefilter)
        (syscall-number SYS_shared_region_check_np)
        (syscall-number SYS_getpid)
        (syscall-number SYS_bsdthread_register)
        (syscall-number SYS_sigaction)
        (syscall-number SYS_gettid)
        (syscall-number SYS_workq_open)
        (syscall-number SYS_chdir)
        (syscall-number SYS_memorystatus_control)
        (syscall-number SYS_sem_open)
        (syscall-number SYS_sem_close)
        (syscall-number SYS_fsetattrlist)
        (syscall-number SYS_guarded_open_dprotected_np) ; <rdar://problem/48166729>
        (syscall-number SYS_mremap_encrypted)
        (syscall-number SYS_dup2)
        (syscall-number SYS_fileport_makefd)
        (syscall-number SYS_os_fault_with_payload)
        (syscall-number SYS_persona)
        (syscall-number SYS_work_interval_ctl)
        (syscall-number SYS_open_dprotected_np)
        (syscall-number SYS_pread_nocancel)
        (syscall-number SYS___semwait_signal_nocancel)
        (syscall-number SYS_kdebug_trace_string) ;; Needed for performance sampling, see <rdar://problem/48829655>.
        (syscall-number SYS_fgetattrlist) ;; <rdar://problem/50266257>
        (syscall-number SYS_fsetxattr) ;; <rdar://problem/49795964>
        (syscall-number SYS_abort_with_payload) ;; <rdar://problem/50967271>
        (syscall-number SYS_kqueue) ;; <rdar://problem/49609201>
        (syscall-number SYS_kqueue_workloop_ctl) ;; <rdar://problem/50999499>
        (syscall-number SYS_psynch_rw_rdlock) ;; <rdar://problem/51134351>
        (syscall-number SYS_faccessat) ;; <rdar://problem/56998930>
        (syscall-number SYS_objc_bp_assist_cfg_np) ;; <rdar://problem/55924791>
        (syscall-number SYS_shared_region_map_and_slide_2_np) ;; <rdar://problem/60294880>
    )
)
1066
;; Bootstrap-port XPC message filter. Emitted only where the mach-bootstrap
;; operation is defined. The unfiltered allow is flagged (with report) /
;; (with telemetry); the numbered allows carry no such flag, so — if later
;; rules take precedence here as elsewhere in this file — those message
;; numbers are sent without being reported while everything else is.
;; NOTE(review): the message numbers are not annotated; a one-line note per
;; number saying which bootstrap/XPC routine it is would make this
;; reviewable. TODO confirm what each corresponds to.
(when (defined? 'mach-bootstrap)
    (allow mach-bootstrap
        (apply-message-filter
            (allow xpc-message-send (with report) (with telemetry))
            (allow xpc-message-send (message-number 206))
            (allow xpc-message-send (message-number 207))
            (allow xpc-message-send (message-number 711))
            (allow xpc-message-send (message-number 712))
            (allow xpc-message-send (message-number 718))
            (allow xpc-message-send (message-number 800))
            (allow xpc-message-send (message-number 803))
            (allow xpc-message-send (message-number 804))
            (allow xpc-message-send (message-number 805))
        )
    )
)
1083
;; Mach trap allowlist. Emitted only where the syscall-mach operation is
;; defined. Unlike the Unix syscall list above there is no blanket deny:
;; the first rule allows every trap but flags it (with report) /
;; (with telemetry), and the enumerated traps below are allowed without that
;; flag (assuming later rules take precedence, as elsewhere in this file).
(when (defined? 'syscall-mach)
    (allow syscall-mach (with report) (with telemetry))
    (allow syscall-mach
        (machtrap-number MSC__kernelrpc_mach_port_allocate_trap)
        (machtrap-number MSC__kernelrpc_mach_port_construct_trap)
        (machtrap-number MSC__kernelrpc_mach_port_deallocate_trap)
        (machtrap-number MSC__kernelrpc_mach_port_destruct_trap)
        (machtrap-number MSC__kernelrpc_mach_port_extract_member_trap)
        (machtrap-number MSC__kernelrpc_mach_port_get_attributes_trap)
        (machtrap-number MSC__kernelrpc_mach_port_guard_trap)
        (machtrap-number MSC__kernelrpc_mach_port_insert_member_trap)
        (machtrap-number MSC__kernelrpc_mach_port_insert_right_trap)
        (machtrap-number MSC__kernelrpc_mach_port_mod_refs_trap)
        (machtrap-number MSC__kernelrpc_mach_port_request_notification_trap)
        (machtrap-number MSC__kernelrpc_mach_port_type_trap)
        (machtrap-number MSC__kernelrpc_mach_vm_allocate_trap)
        (machtrap-number MSC__kernelrpc_mach_vm_deallocate_trap)
        (machtrap-number MSC__kernelrpc_mach_vm_map_trap)
        (machtrap-number MSC__kernelrpc_mach_vm_protect_trap)
        (machtrap-number MSC__kernelrpc_mach_vm_purgable_control_trap)
        (machtrap-number MSC_host_create_mach_voucher_trap)
        (machtrap-number MSC_host_self_trap)
        (machtrap-number MSC_mach_generate_activity_id)
        (machtrap-number MSC_mach_msg_trap)
        (machtrap-number MSC_mach_reply_port)
        (machtrap-number MSC_mach_voucher_extract_attr_recipe_trap)
        (machtrap-number MSC_mk_timer_arm)
        (machtrap-number MSC_mk_timer_arm_leeway)
        (machtrap-number MSC_mk_timer_cancel)
        (machtrap-number MSC_mk_timer_create)
        (machtrap-number MSC_mk_timer_destroy)
        (machtrap-number MSC_pid_for_task)
        (machtrap-number MSC_semaphore_signal_trap)
        (machtrap-number MSC_semaphore_timedwait_trap)
        (machtrap-number MSC_semaphore_wait_trap)
        (machtrap-number MSC_swtch_pri)
        (machtrap-number MSC_thread_get_special_reply_port)
        (machtrap-number MSC_thread_self_trap)
    )
)
1124
;; Messages to kernel-owned Mach endpoints. Emitted only where the
;; mach-kernel-endpoint operation is defined. No message is restricted here:
;; every send is allowed, but flagged (with report) / (with telemetry).
(when (defined? 'mach-kernel-endpoint)
    (allow mach-kernel-endpoint
        (apply-message-filter
            (allow mach-message-send (with report) (with telemetry))
        )
    )
)
1132
;; IOKit user-client method filter. Emitted only where the
;; iokit-external-method operation is defined. External methods, async
;; external methods and external traps on opened IOKit connections are all
;; allowed; the (with report) / (with telemetry) on the filter flags them
;; rather than restricting any selector.
(when (defined? 'iokit-external-method)
    (allow iokit-open
        (apply-message-filter (with report) (with telemetry)
            (allow
             iokit-external-method
             iokit-async-external-method
             iokit-external-trap)
        )
    )
)