;; Sandbox profile (SBPL) for secd, the daemon whose binary /usr/libexec/secd
;; is explicitly allowed further down. The profile is allow-list style:
;; everything not granted by a rule below (or by the imported system.sb)
;; is refused by (deny default).
1 (version 1)
2
3 (deny default)
4
;; Base rules common to system daemons come from system.sb; they are not
;; visible in this file, so the effective policy is the union of both.
5 (import "system.sb")
6
;; Write access to /dev/random only (data writes, no other file operation);
;; presumably used to contribute entropy — confirm against the daemon.
7 (allow file-write-data
8 (literal "/dev/random"))
9
;; Read/write state: the MDS database directory, the per-user temporary
;; directory (the .../T folder under /private/var/folders) and the user's
;; keychain directory. _HOME is a profile parameter supplied when the
;; profile is applied; regex-quote escapes it so a home path containing
;; regex metacharacters is still matched literally.
10 (allow file-read* file-write*
11 (subpath "/private/var/db/mds")
12 (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
13 (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
14
;; Read-only access to the per-user iMessage and FaceTime bag plists
;; (exact paths, built from the same _HOME parameter).
15 (allow file-read*
16 (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.imessage.bag.plist"))
17 (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.facetime.bag.plist")))
18
19
20 ;;;;;; will be fully fixed in 29465717
;; NOTE(review): subpath "/" grants read access to the whole filesystem, so
;; every narrower file-read* rule in this profile (the bag plists above, the
;; /usr/libexec and system preference paths below, and the read half of the
;; legacy MDS rule at the end) is redundant while this line remains. Those
;; narrower rules describe the intended read policy once it is removed.
21 (allow file-read* (subpath "/"))
22
;; Preference domains secd may read. Only com.apple.security.sosaccount is
;; also writable.
23 (allow user-preference-read
24 (preference-domain ".GlobalPreferences"))
25 (allow user-preference-read
26 (preference-domain "com.apple.security"))
27 (allow user-preference-read
28 (preference-domain "com.apple.imessage.bag"))
29 (allow user-preference-read
30 (preference-domain "com.apple.facetime.bag"))
31 (allow user-preference-read user-preference-write
32 (preference-domain "com.apple.security.sosaccount"))
33
;; Posting distributed notifications is allowed with no notification-name
;; filter.
34 (allow distributed-notification-post)
35
;; IOKit user clients secd may open. AppleKeyStoreUserClient is presumably
;; the keybag/key store interface (inferred from the class name — confirm).
36 (allow iokit-open
37 (iokit-user-client-class "AppleKeyStoreUserClient")
38 (iokit-user-client-class "AppleAPFSUserClient")
39 (iokit-user-client-class "RootDomainUserClient"))
40
41
;; Exact-path reads (literal, not subpath): the secd binary, the system-wide
;; security and global preference plists, and the /AppleInternal and
;; /usr/libexec directory entries themselves. A literal filter matches only
;; that path, not the directory's contents.
42 (allow file-read*
43 (literal "/usr/libexec/secd")
44 (literal "/Library/Preferences/com.apple.security.plist")
45 (literal "/Library/Preferences/.GlobalPreferences.plist")
46 (literal "/AppleInternal")
47 (literal "/usr/libexec"))
48
;; Mach services secd may look up by global name. This list is the set of
;; daemons secd can reach over Mach/XPC; anything not named here is refused
;; by (deny default) unless system.sb grants it.
49 (allow mach-lookup
50 (global-name "com.apple.system.opendirectoryd.api")
51 (global-name "com.apple.SystemConfiguration.configd")
52 (global-name "com.apple.security.cloudkeychainproxy3")
53 (global-name "com.apple.accountsd.accountmanager")
54 (global-name "com.apple.CoreServices.coreservicesd")
55 (global-name "com.apple.distributed_notifications@Uv3")
56 (global-name "com.apple.ak.auth.xpc")
57 (global-name "com.apple.cdp.daemon")
58 (global-name "com.apple.cloudd")
59 (global-name "com.apple.apsd")
60 (global-name "com.apple.analyticsd")
61 (global-name "com.apple.symptom_diagnostics")
62 (global-name "com.apple.ak.anisette.xpc")
63 (global-name "com.apple.corefollowup.agent")
64 (global-name "com.apple.windowserver.active")
65 (global-name "com.apple.powerlog.plxpclogger.xpc")
66 (global-name "com.apple.SecureBackupDaemon")
67 (global-name "com.apple.SecureBackupDaemon.concurrent")
68 )
69
70 ;; Used to send logs for MoiC.
71 (allow mach-lookup
72 (global-name "com.apple.imagent.desktop.auth"))
73
;; Reading IORegistry properties of the platform expert device only; which
;; properties are actually consumed is not visible here — confirm.
74 (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
75
;; A single named POSIX shared-memory segment, presumably used to signal
;; database changes (inferred from the name — confirm).
76 (allow ipc-posix-shm
77 (ipc-posix-name "com.apple.AppleDatabaseChanged"))
78
;; Outbound networking with no (remote ...) destination, port or protocol
;; filter: any outbound connection is permitted. system-socket additionally
;; allows socket types that need privilege — confirm which ones secd needs.
79 (allow network-outbound)
80 (allow system-socket)
81
82 ;; to be deleted once SecTrustEvaluate and SecTrustCopyKey can avoid touching legacy cert and keychain stack
;; Legacy MDS database and lock files in the per-user cache directory
;; (the .../C/mds folder). The file-write* half is the effective grant;
;; the read half is already covered by the blanket file-read* above while
;; that rule remains.
83 (allow file-read* file-write*
84 (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
85 (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
86 (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
;; Lookup of the legacy securityd service, part of the same to-be-deleted
;; group as the MDS rule above.
87 (allow mach-lookup
88 (global-name "com.apple.SecurityServer"))
89
;; The only fsctl command permitted is the AFP byte-range lock.
90 (allow system-fsctl (fsctl-command afpfsByteRangeLock2FSCTL))
91