Security-58286.200.222.tar.gz
[apple/security.git] / OSX / sec / securityd / com.apple.secd.sb
;; Sandbox (SBPL) profile for secd, per the path shown on this page.
;; Baseline: profile language version 1, deny every operation that no rule
;; allows, then pull in the rules from system.sb.
;; NOTE(review): system.sb is not shown here, so the effective policy is this
;; file plus whatever that import allows -- read both when auditing.
1 (version 1)
2
3 (deny default)
4
5 (import "system.sb")
6
;; Read/write file access, limited to three locations:
;;   - everything under /private/var/db/mds
;;   - a directory named T (and anything below it) two levels under
;;     /private/var/folders; both intermediate components are wildcards
;;     ([^/]+), so the pattern is not tied to one particular folder
;;   - <_HOME>/Library/Keychains and anything below it
;; regex-quote makes the _HOME value match literally instead of being
;; interpreted as a regex, and the trailing (/|$) stops a sibling path that
;; merely starts with the same prefix (e.g. ".../Keychains2") from matching.
;; NOTE(review): _HOME is a profile parameter supplied from outside this file;
;; the keychain rule is only as tight as the value passed in -- confirm the
;; launcher sets it to the intended home directory.
7 (allow file-read* file-write*
8 (subpath "/private/var/db/mds")
9 (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
10 (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
11
12
13 ;;;;;; will be fully fixed in 29465717
;; NOTE(review): this rule allows file-read* on every path, and no deny rule
;; in the visible profile narrows it. While it stays, the narrower file-read*
;; entries in this profile add nothing, and only ordinary file permissions
;; limit what the process can read. The comment above marks it as temporary;
;; 29465717 looks like a tracking number -- confirm it has been resolved
;; before relying on this profile for read confinement.
14 (allow file-read* (subpath "/"))
15
;; Read-only access to two preference domains: the global preferences and
;; com.apple.security. This file grants no user-preference-write; whether the
;; imported system.sb does is not visible here.
16 (allow user-preference-read
17 (preference-domain ".GlobalPreferences"))
18 (allow user-preference-read
19 (preference-domain "com.apple.security"))
20
;; Read access to five exact paths. `literal` matches the path itself, not
;; its children, so "/usr/libexec" and "/AppleInternal" cover the directory
;; entries only.
;; NOTE(review): this list is currently redundant with the blanket
;; (allow file-read* (subpath "/")) rule in this profile; it becomes the
;; effective read allowlist only once that rule is removed, so check it is
;; complete before removing it.
21 (allow file-read*
22 (literal "/usr/libexec/secd")
23 (literal "/Library/Preferences/com.apple.security.plist")
24 (literal "/Library/Preferences/.GlobalPreferences.plist")
25 (literal "/AppleInternal")
26 (literal "/usr/libexec"))
27
28
;; Allowlist of Mach services this process may look up by global name.
;; Lookups of names not listed here or in the imported system.sb fall through
;; to (deny default).
;; NOTE(review): every name is an IPC surface reachable from inside the
;; sandbox. The file gives no reason for any of these entries; when auditing,
;; confirm each service is still needed and record why next to it.
29 (allow mach-lookup
30 (global-name "com.apple.system.opendirectoryd.api")
31 (global-name "com.apple.SystemConfiguration.configd")
32 (global-name "com.apple.security.cloudkeychainproxy3")
33 (global-name "com.apple.accountsd.accountmanager")
34 (global-name "com.apple.ak.auth.xpc")
35 (global-name "com.apple.cdp.daemon")
36 (global-name "com.apple.cloudd")
37 (global-name "com.apple.apsd")
38 (global-name "com.apple.ak.anisette.xpc")
39 (global-name "com.apple.windowserver.active"))
40
41 ;; Used to send logs for MoiC.
;; One further Mach service lookup, kept as its own rule so the stated reason
;; stays attached to it.
;; NOTE(review): "MoiC" is not expanded anywhere in this file -- confirm what
;; it refers to and whether the log path is still in use.
42 (allow mach-lookup
43 (global-name "com.apple.imagent.desktop.auth"))
44
;; IOKit access, two rules:
;;   - open a user client of class AppleKeyStoreUserClient (a kernel-facing
;;     interface; presumably the keystore/keybag driver -- confirm)
;;   - read properties of registry entries of class IOPlatformExpertDevice;
;;     the rule carries no per-property filter, so it is not limited to
;;     specific properties
;; No other user-client class is opened by this file.
45 (allow iokit-open
46 (iokit-user-client-class "AppleKeyStoreUserClient"))
47
48 (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
49
;; POSIX shared-memory access restricted to one named object,
;; com.apple.AppleDatabaseChanged; other shared-memory names are not allowed
;; by this file.
50 (allow ipc-posix-shm
51 (ipc-posix-name "com.apple.AppleDatabaseChanged"))
52
;; Both rules are written without any filter: network-outbound is allowed
;; with no restriction on destination, and system-socket is allowed with no
;; restriction either. No network-inbound rule appears in this file.
;; NOTE(review): together with the blanket file-read* rule in this profile,
;; the sandbox itself limits neither what the process can read nor where it
;; can connect. If the set of endpoints the daemon needs is known, narrowing
;; these two rules with filters would restore that boundary -- confirm with
;; the owners what is actually required.
53 (allow network-outbound)
54 (allow system-socket)