Security-59306.11.20.tar.gz
[apple/security.git] / OSX / trustd / macOS / com.apple.trustd.sb
;; Sandbox profile (SBPL) for trustd on macOS. The policy is default-deny: every
;; capability the daemon holds is an explicit allow below or comes from an import.
1 (version 1)
2
;; Baseline: any operation not allowed by a later rule is denied.
3 (deny default)
;; Explicit denies for executable mappings, IOKit property reads, process-info and
;; NVRAM access. The narrower allows further down (process-info* on self,
;; process-info-codesignature/-pidinfo, file-map-executable for two regexes) are
;; evidently meant as exceptions to this line.
4 (deny file-map-executable iokit-get-properties process-info* nvram*)
;; The daemon may not generate executable code at runtime.
5 (deny dynamic-code-generation)
6
;; Rules from these two profiles are merged in; their contents are not shown here,
;; so the effective policy is broader than this file alone.
7 (import "system.sb")
8 (import "com.apple.corefoundation.sb")
;; Presumably invokes a macro defined by com.apple.corefoundation.sb -- confirm.
9 (corefoundation)
10
;; process-info* is re-allowed only when the target is the daemon itself.
11 (allow process-info* (target self))
12
13 ;; For resolving symlinks, realpath(3), and equivalents.
;; NOTE(review): unfiltered; also covered by the unfiltered (allow file-read*) on line 20.
14 (allow file-read-metadata)
15
16 ;; For validating the entitlements of clients (for keychain and trust settings)
17 ;; see 31353815
18 (allow process-info-codesignature)
19 (allow process-info-pidinfo)
;; NOTE(review): no path filter, so the sandbox permits reading any path. The
;; path-scoped file-read* filters later in this file add nothing for reads while
;; this rule stands; read confidentiality rests on file permissions and controls
;; outside this profile. If the entitlement check only needs specific locations,
;; scoping this rule would restore the value of those filters -- confirm against
;; the issue referenced above.
20 (allow file-read*)
21
22 ;; ${PRODUCT_NAME}’s preference domain.
;; NOTE(review): ${PRODUCT_NAME} above looks like an unexpanded template variable;
;; the domain actually granted is the literal "com.apple.trustd" (read and write).
23 (allow user-preference-read user-preference-write
24 (preference-domain "com.apple.trustd"))
25
26 ;; Global and security preferences
;; Read-only: no user-preference-write is granted for these three domains.
27 (allow user-preference-read
28 (preference-domain "com.apple.security")
29 (preference-domain ".GlobalPreferences")
30 (preference-domain "com.apple.MobileAsset"))
31
32 ;; Read/write access to a temporary directory.
;; Both roots are parameters supplied when the profile is applied; nothing in this
;; file validates them, so the write scope is only as narrow as the values passed in.
33 (allow file-read* file-write*
34 (subpath (param "_TMPDIR"))
35 (subpath (param "_DARWIN_CACHE_DIR")))
36
37 ;; Read/write access to keychains and caches
;; NOTE(review): file-write* covers the whole of each subtree, including
;; /System/Library/Security/ and /Library/Keychains/. The sandbox does not limit
;; which files under them are written; presumably file ownership and other
;; platform protections do -- confirm.
38 (allow file-read* file-write*
39 (subpath "/private/var/db/mds/")
40 (subpath "/private/var/db/crls/")
41 (subpath "/System/Library/Security/")
42 (subpath "/Library/Keychains/")
43 (subpath "/private/var/root/Library/Caches/com.apple.nsurlsessiond/"))
44
;; Read-only paths. In the regex below the '.' before GlobalPreferences is an
;; unescaped wildcard and no ^/$ anchors are written, so it is looser than a literal
;; file name. Harmless while line 20 is unfiltered; tighten it if that rule is scoped.
45 (allow file-read*
46 (literal "/usr/libexec")
47 (literal "/usr/libexec/trustd")
48 (literal "/Library/Preferences/com.apple.security.plist")
49 (regex #"/.GlobalPreferences[^/]*\.plist")
50 (literal "/Library/Preferences/com.apple.SoftwareUpdate.plist")
51 (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))
52
;; Exception to the file-map-executable deny on line 4.
;; NOTE(review): both patterns are written without anchors; presumably any path
;; containing the substring matches -- confirm. A literal or subpath filter for the
;; expected install location would bound what can be mapped executable.
53 (allow file-map-executable
54 (regex #"/CoreServicesInternal")
55 (regex #"/csparser"))
56
;; Mach/XPC endpoints the daemon may look up. This list is the IPC surface reachable
;; from inside the sandbox, in addition to whatever the imported profiles allow.
57 (allow mach-lookup
58 (global-name "com.apple.ocspd")
59 (global-name "com.apple.SecurityServer")
60 (global-name "com.apple.SystemConfiguration.configd")
61 (global-name "com.apple.mobileassetd.v2")
62 (global-name "com.apple.securityd.xpc")
63 (global-name "com.apple.cfnetwork.cfnetworkagent")
64 (global-name "com.apple.nsurlsessiond")
65 (xpc-service-name "com.apple.powerlog.plxpclogger.xpc")
66 (global-name "com.apple.nesessionmanager.content-filter"))
67
;; POSIX shared memory is limited to this single named object.
68 (allow ipc-posix-shm
69 (ipc-posix-name "com.apple.AppleDatabaseChanged"))
70
;; NOTE(review): neither rule carries a filter, so the sandbox permits outbound
;; connections to any destination. Presumably required because revocation and
;; certificate fetches can target arbitrary hosts -- confirm; any egress restriction
;; has to come from outside this profile.
71 (allow network-outbound)
72 (allow system-socket)