;; Sandbox profile (SBPL) for secd, the per-user keychain daemon at /usr/libexec/secd.
;; The profile starts from a default-deny baseline, so every capability the daemon
;; needs must be granted explicitly below. It is parameterized: "_HOME" is supplied
;; by the loader when the profile is applied (presumably the user's home directory —
;; confirm against the launcher).
(version 1)

;; Anything not explicitly allowed here or in the imported base profile is denied.
(deny default)

;; Shared base rules; their contents are not visible in this file.
(import "system.sb")

;; Read/write scope: the system MDS database directory, the per-user "T"
;; (presumably temporary) subdirectory under /private/var/folders, and the user's
;; Keychains directory. The "_HOME" value is passed through regex-quote so a home
;; path containing regex metacharacters cannot widen the match.
(allow file-read* file-write*
       (subpath "/private/var/db/mds")
       (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
       (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))

;; Read-only access to the iMessage and FaceTime "bag" preference files in the user's home.
(allow file-read*
       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.imessage.bag.plist"))
       (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.facetime.bag.plist")))


;;;;;; will be fully fixed in 29465717
;; NOTE(review): this rule grants read access to every path on the filesystem. While
;; it remains, the narrower file-read* rules in this profile are redundant and secd has
;; effectively no read confinement. Treat it as a temporary exception tied to the issue
;; above and remove it once that fix lands.
(allow file-read* (subpath "/"))

;; CFPreferences domains secd may read; only the SOS account domain is also writable.
(allow user-preference-read
       (preference-domain ".GlobalPreferences"))
(allow user-preference-read
       (preference-domain "com.apple.security"))
(allow user-preference-read
       (preference-domain "com.apple.imessage.bag"))
(allow user-preference-read
       (preference-domain "com.apple.facetime.bag"))
(allow user-preference-read user-preference-write
       (preference-domain "com.apple.security.sosaccount"))

;; Posting distributed notifications; no name filter is applied, so any notification
;; name may be posted.
(allow distributed-notification-post)

;; IOKit user clients the daemon may open: the AppleKeyStore client (presumably how
;; secd reaches the keybag/key store — confirm), the APFS client and the root-domain
;; (power management) client.
(allow iokit-open
       (iokit-user-client-class "AppleKeyStoreUserClient")
       (iokit-user-client-class "AppleAPFSUserClient")
       (iokit-user-client-class "RootDomainUserClient"))


;; Read access to the daemon's own binary and its directory, the system-wide
;; security and global preference plists, and the /AppleInternal path.
(allow file-read*
       (literal "/usr/libexec/secd")
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Preferences/.GlobalPreferences.plist")
       (literal "/AppleInternal")
       (literal "/usr/libexec"))

;; Mach services secd may look up, i.e. the daemons it talks to over Mach/XPC.
;; Keep this list minimal: each entry is a process that a compromised secd could
;; reach, and a process that can reach secd's own attack surface in return.
(allow mach-lookup
       (global-name "com.apple.system.opendirectoryd.api")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.security.cloudkeychainproxy3")
       (global-name "com.apple.accountsd.accountmanager")
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.distributed_notifications@Uv3")
       (global-name "com.apple.ak.auth.xpc")
       (global-name "com.apple.cdp.daemon")
       (global-name "com.apple.cloudd")
       (global-name "com.apple.apsd")
       (global-name "com.apple.analyticsd")
       (global-name "com.apple.symptom_diagnostics")
       (global-name "com.apple.ak.anisette.xpc")
       (global-name "com.apple.corefollowup.agent")
       (global-name "com.apple.windowserver.active")
       (global-name "com.apple.powerlog.plxpclogger.xpc")
       (global-name "com.apple.SecureBackupDaemon")
)

;; Used to send logs for MoiC.
(allow mach-lookup
       (global-name "com.apple.imagent.desktop.auth"))

;; Read-only IORegistry properties of the platform expert device (platform/hardware identity).
(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))

;; POSIX shared-memory segment used to signal database changes.
(allow ipc-posix-shm
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Outbound network access with no remote-host or port filter, plus system sockets.
;; NOTE(review): if the set of peers secd contacts is known, a remote filter on
;; network-outbound would narrow this considerably.
(allow network-outbound)
(allow system-socket)

;; to be deleted once SecTrustEvaluate and SecTrustCopyKey can avoid touching legacy cert and keychain stack
;; Per-user MDS cache files (the "C" subdirectory under /private/var/folders) and the
;; legacy securityd Mach service, both needed only by the legacy certificate/keychain path.
(allow file-read* file-write*
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
(allow mach-lookup
       (global-name "com.apple.SecurityServer"))

;; AFP byte-range lock fsctl (presumably for keychain files on AFP network volumes — confirm).
(allow system-fsctl (fsctl-command afpfsByteRangeLock2FSCTL))
