;; Sandbox profile (SBPL) listing. The number at the start of each line is the line number
;; in the original file; numbers missing from the sequence (1-3 among them) are lines not
;; shown here, so the profile's version and default action cannot be confirmed from this listing.
;;
;; Blanket denials for four operation classes. Narrower allow rules for file-map-executable,
;; iokit-get-properties and process-info* follow later; no nvram* allow is visible in this listing.
4 (deny file-map-executable iokit-get-properties process-info* nvram*)
;; Denies the dynamic-code-generation operation (JIT-style executable memory).
5 (deny dynamic-code-generation)
;; Pulls in shared CoreFoundation rules. Their contents are not shown here, so the effective
;; policy is this file plus whatever the imported profile grants.
8 (import "com.apple.corefoundation.sb")
;; Re-allow process-info queries, restricted to the sandboxed process itself.
11 (allow process-info* (target self))
13 ;; For resolving symlinks, realpath(3), and equivalents.
;; NOTE(review): no path filter, so metadata (not contents) of any path is readable.
14 (allow file-read-metadata)
16 ;; For validating the entitlements of clients (for keychain and trust settings)
;; NOTE(review): unlike the (target self) rule above, these two carry no target filter and so
;; apply to any process -- presumably required to inspect callers; confirm.
18 (allow process-info-codesignature)
19 (allow process-info-pidinfo)
22 ;; ${PRODUCT_NAME}’s preference domain.
;; ${PRODUCT_NAME} is an unexpanded template placeholder in the comment; the rule itself
;; hard-codes com.apple.trustd. Among the lines shown, this is the only preference domain
;; granted user-preference-write.
23 (allow user-preference-read user-preference-write
24 (preference-domain "com.apple.trustd"))
26 ;; Global and security preferences
;; Read-only: user-preference-write is not granted for these three domains.
27 (allow user-preference-read
28 (preference-domain "com.apple.security")
29 (preference-domain ".GlobalPreferences")
30 (preference-domain "com.apple.MobileAsset"))
32 ;; Read/write access to a temporary directory.
;; _TMPDIR and _DARWIN_CACHE_DIR are parameters supplied when the profile is applied, not
;; fixed paths. NOTE(review): this grant is only as tight as the values passed in -- confirm
;; the caller passes per-user directories rather than a shared location.
33 (allow file-read* file-write*
34 (subpath (param "_TMPDIR"))
35 (subpath (param "_DARWIN_CACHE_DIR")))
37 ;; Read/write access to keychains and caches
;; NOTE(review): file-write* applies to every subtree listed, including
;; /System/Library/Security/ and /Library/Keychains/. Confirm each path needs write access;
;; paths that are only read belong in a separate file-read* rule.
38 (allow file-read* file-write*
39 (subpath "/private/var/db/mds/")
40 (subpath "/private/var/db/crls/")
41 (subpath "/private/var/protected/")
42 (subpath "/System/Library/Security/")
43 (subpath "/Library/Keychains/")
44 (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
;; NOTE(review): the opening form of this rule (file line 46) is missing from the listing, so
;; the operation these path filters belong to is not visible -- presumably a read-only file
;; rule; confirm against the full profile.
47 (literal "/usr/libexec")
48 (literal "/usr/libexec/trustd")
49 (literal "/Library/Preferences/com.apple.security.plist")
;; NOTE(review): this pattern has no ^ or $ anchor and its leading "." is unescaped (matches
;; any character), so it matches more paths than a literal ".GlobalPreferences*.plist" name.
50 (regex #"/.GlobalPreferences[^/]*\.plist")
51 (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
52 (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
;; Narrow exception to the blanket file-map-executable deny earlier in the profile. File lines
;; 56-58 are missing from this listing, so the filter list may be longer than shown.
54 (allow file-map-executable
;; NOTE(review): unanchored pattern -- it matches any path containing "/CoreServicesInternal",
;; which includes locations under the writable directories granted elsewhere in this profile.
;; Anchor it to the framework's install path.
55 (regex #"/CoreServicesInternal")
;; NOTE(review): the opening form of this rule (file lines 56-58) is missing from the listing.
;; The global-name / xpc-service-name filters indicate an allow-list of Mach/XPC services the
;; process may look up -- confirm the operation against the full profile.
;; Every entry widens what the sandboxed process can talk to; keep the list to services in use.
59 (global-name "com.apple.ocspd")
60 (global-name "com.apple.SecurityServer")
61 (global-name "com.apple.SystemConfiguration.configd")
62 (global-name "com.apple.mobileassetd.v2")
63 (global-name "com.apple.securityd.xpc")
64 (global-name "com.apple.cfnetwork.cfnetworkagent")
65 (global-name "com.apple.nsurlsessiond")
66 (global-name "com.apple.dnssd.service")
67 (xpc-service-name "com.apple.powerlog.plxpclogger.xpc")
68 (global-name "com.apple.nesessionmanager.content-filter"))
;; NOTE(review): the opening form here (file lines 69-70) is also missing. ipc-posix-name
;; filters a POSIX IPC rule; which operation it allows (read vs. write) is not visible.
71 (ipc-posix-name "com.apple.AppleDatabaseChanged"))
73 ;; Read IOKit properties for personalization
;; Narrow exception to the blanket iokit-get-properties deny earlier in the profile: only the
;; properties named below are readable.
;; NOTE(review): several names (unique-chip-id, board-id, chip-id, boot-uuid) look like
;; device identifiers -- presumably needed for the personalization mentioned above; confirm
;; each is still used and avoid logging their values.
74 (allow iokit-get-properties
75 (iokit-property "image4-supported")
76 (iokit-property "Content")
77 (iokit-property "boot-uuid")
78 (iokit-property "IORegistryEntryPropertyKeys")
79 (iokit-property "IOClassNameOverride")
80 (iokit-property "Protocol Characteristics")
81 (iokit-property "board-id")
82 (iokit-property "chip-id")
83 (iokit-property "unique-chip-id")
84 (iokit-property "boot-manifest-hash")
85 (iokit-property "crypto-hash-method"))
;; NOTE(review): outbound network access is unrestricted -- no host, port or protocol filter.
;; Presumably needed to reach arbitrary revocation/asset endpoints (the ocspd and crls entries
;; elsewhere in the profile suggest this; confirm). If the endpoints can be constrained, add a
;; (remote ...) filter so a compromised process cannot connect anywhere it likes.
87 (allow network-outbound)