git.saurik.com Git - apple/security.git/blob - securityd/etc/com.apple.securityd.sb
Security-59306.101.1.tar.gz
1 ;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
2 ;;;
3 ;;; WARNING: The sandbox rules in this file currently constitute
4 ;;; Apple System Private Interface and are subject to change at any time and
5 ;;; without notice.
6 ;;;
;; Sandbox profile language version.
(version 1)

;; Default-deny baseline: an operation is refused unless a rule in this file
;; (or in an imported profile) allows it.
(deny default)
;; Explicit denies for executable file mappings, process-info queries and
;; NVRAM access. Narrower allow rules later in this file re-open
;; process-info for specific cases and nvram-get for a single variable.
;; NOTE(review): how these denies interact with rules pulled in by the
;; imports below is not visible on this page -- confirm against system.sb.
(deny file-map-executable process-info* nvram*)
;; No runtime code generation.
(deny dynamic-code-generation)
;; No access to the privileged Mach host port.
(deny mach-priv-host-port)
13
;; Pull in rules from two shared profiles. Their contents are not shown
;; here, so the effective policy is this file plus whatever those profiles
;; allow; review them together when assessing the sandbox.
(import "system.sb")
(import "com.apple.corefoundation.sb")
;; NOTE(review): presumably invokes a rule set defined by
;; com.apple.corefoundation.sb -- confirm what it allows.
(corefoundation)
17
;; We inspect all the binaries,
;; resolve symlinks, realpath(3), and equivalents,
;; read preference files in-process
;; Security note: this allow carries no path filter, so the sandbox places
;; no restriction on which files the process can read. Write access is
;; granted separately and only for specific subpaths.
(allow file-read*)
22
;; The only unconditional file-write grant in this file: the
;; /private/var/db/mds subtree.
(allow file-write*
    (subpath "/private/var/db/mds"))
;; ioctl is allowed on exactly one path, matched literally.
(allow file-ioctl (literal "/dev/auditsessions"))
26
;; Re-open process-info operations when the target is this process itself;
;; the top of the file denies process-info* wholesale.
(allow process-info* (target self))
;; These two rules have no target filter, so they are not limited to this
;; process: code-signature information and pid info.
(allow process-info-codesignature)
(allow process-info-pidinfo)
30
;; Rules applied only when the profile parameter LEGACY_TOKENS_ENABLED is
;; the string "YES".
(when (string=? (param "LEGACY_TOKENS_ENABLED") "YES")
    ;; Security note: this is the only process-exec rule in this file, and
    ;; (with no-sandbox) means the executed binary does not run under this
    ;; profile. The strength of the sandbox with this parameter set therefore
    ;; depends on who can write under /Library/Security/tokend.
    ;; TODO(review): confirm ownership and permissions of that directory.
    (allow process-exec (with no-sandbox) (subpath "/Library/Security/tokend"))
    (allow process-fork)
    ;; Signals may be sent to child processes only.
    (allow signal (target children))
    ;; Additional write location, granted only in this legacy-token mode.
    (allow file-write* (subpath "/private/var/db/TokenCache")))
36
;; Preference access is read-only (no user-preference-write rule appears in
;; this file) and limited to the listed domains.
;; NOTE(review): "kCFPreferencesAnyApplication" is written as a literal
;; domain string; presumably it stands for the any-application domain,
;; which would make this grant broader than the other three -- confirm.
(allow user-preference-read
    (preference-domain "com.apple.security")
    (preference-domain "com.apple.security.smartcard")
    (preference-domain "kCFPreferencesAnyApplication")
    (preference-domain "securityd"))
42
;; Allow the system-audit operation.
(allow system-audit)
;; Mach services this process may look up, by global name. Under the
;; default-deny baseline, a name not listed here is refused unless an
;; imported profile allows it, so this list is the set of services to
;; review when tracing what the process can talk to.
(allow mach-lookup
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.system.opendirectoryd.api")
    (global-name "com.apple.securitydservice")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.security.syspolicy")
    (global-name "com.apple.security.agent")
    (global-name "com.apple.security.agent.login"))
54
;; POSIX shared-memory access, restricted to two named objects.
(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged")
    (ipc-posix-name "apple.cfprefs.daemonv1"))
58
;; The only IOKit user client class this file allows the process to open.
(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
60
;; The only network-outbound rule in this file: it names a single socket
;; path under /private/var/run and grants no remote network destination.
(allow network-outbound
    (path "/private/var/run/systemkeychaincheck.socket"))
63
;; Applied only when the system-attribute filter apple-internal matches
;; (presumably Apple-internal installs -- confirm). Grants a read
;; (nvram-get) of one named variable; the top of the file denies nvram*
;; and no NVRAM write rule appears in this file.
(with-filter (system-attribute apple-internal)
    (allow nvram-get
        (nvram-variable "AMFITrustedKeys")))