keychain/securityd/com.apple.secd.sb

   1 (version 1)
   2
   3 (deny default)
   4
   5 (import "system.sb")
   6
   7 (allow file-write-data
   8     (literal "/dev/random"))
   9
  10 (allow file-read* file-write*
  11     (subpath "/private/var/db/mds")
  12     (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
  13     (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
  14
  15 (allow file-read*
  16     (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.imessage.bag.plist"))
  17     (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.facetime.bag.plist")))
  18
  19
  20 ;;;;;; will be fully fixed in 29465717
  21 (allow file-read* (subpath "/"))
  22
  23 (allow user-preference-read
  24     (preference-domain ".GlobalPreferences"))
  25 (allow user-preference-read
  26     (preference-domain "com.apple.security"))
  27 (allow user-preference-read
  28     (preference-domain "com.apple.imessage.bag"))
  29 (allow user-preference-read
  30     (preference-domain "com.apple.facetime.bag"))
  31 (allow user-preference-read user-preference-write
  32     (preference-domain "com.apple.security.sosaccount"))
  33
  34 (allow distributed-notification-post)
  35
  36 (allow iokit-open
  37    (iokit-user-client-class "AppleKeyStoreUserClient")
  38    (iokit-user-client-class "AppleAPFSUserClient")
  39    (iokit-user-client-class "RootDomainUserClient"))
  40
  41
  42 (allow file-read*
  43     (literal "/usr/libexec/secd")
  44     (literal "/Library/Preferences/com.apple.security.plist")
  45     (literal "/Library/Preferences/.GlobalPreferences.plist")
  46     (literal "/AppleInternal")
  47     (literal "/usr/libexec"))
  48
  49 (allow mach-lookup
  50         (global-name "com.apple.system.opendirectoryd.api")
  51         (global-name "com.apple.SystemConfiguration.configd")
  52         (global-name "com.apple.security.cloudkeychainproxy3")
  53         (global-name "com.apple.accountsd.accountmanager")
  54         (global-name "com.apple.CoreServices.coreservicesd")
  55         (global-name "com.apple.distributed_notifications@Uv3")
  56         (global-name "com.apple.ak.auth.xpc")
  57         (global-name "com.apple.cdp.daemon")
  58         (global-name "com.apple.cloudd")
  59         (global-name "com.apple.apsd")
  60         (global-name "com.apple.analyticsd")
  61         (global-name "com.apple.symptom_diagnostics")
  62         (global-name "com.apple.ak.anisette.xpc")
  63         (global-name "com.apple.corefollowup.agent")
  64         (global-name "com.apple.windowserver.active")
  65         (global-name "com.apple.powerlog.plxpclogger.xpc")
  66         (global-name "com.apple.SecureBackupDaemon")
  67         (global-name "com.apple.SecureBackupDaemon.concurrent")
  68 )
  69
  70 ;; Used to send logs for MoiC.
  71 (allow mach-lookup
  72         (global-name "com.apple.imagent.desktop.auth"))
  73
  74 (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
  75
  76 (allow ipc-posix-shm
  77     (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  78
  79 (allow network-outbound)
  80 (allow system-socket)
  81
  82 ;; to be deleted once SecTrustEvaluate and SecTrustCopyKey can avoid touching legacy cert and keychain stack
  83 (allow file-read* file-write*
  84     (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  85     (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  86     (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
  87 (allow mach-lookup
  88     (global-name "com.apple.SecurityServer"))
  89
  90 (allow system-fsctl (fsctl-command afpfsByteRangeLock2FSCTL))
  91