Security-59754.80.3.tar.gz
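;;; Sandbox profile: supd/com.apple.securityuploadd.sb
;;;
;;; Default-deny profile: every capability the daemon has is an explicit
;;; (allow ...) below or comes from one of the imported profiles.
;;; Home-relative path rules are built from the "HOME" parameter that is
;;; supplied when the profile is applied.
(version 1)

;; Start from deny-all, then spell out a few denials explicitly.
(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

;; NOTE(review): the rules contributed by these imports are not visible in
;; this file; confirm they do not re-allow any operation denied above.
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Homedir-relative path filters
;;; Each helper prepends (param "HOME") to a home-relative fragment and
;;; wraps the result in the matching path filter.
;;; NOTE(review): these filters are only as narrow as the HOME value handed
;;; in by whoever applies the profile -- confirm it is always set to the
;;; user's absolute home directory.

;; Regex filter: "^" + regex-quoted HOME + fragment. Only the start is
;; anchored here; the fragment must supply its own end anchor if it needs one.
(define (home-regex home-relative-regex)
  (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))

;; Subpath filter rooted at HOME + fragment.
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))

;; Prefix filter on HOME + fragment.
(define (home-prefix home-relative-prefix)
  (prefix (string-append (param "HOME") home-relative-prefix)))

;; Exact-path filter on HOME + fragment.
(define (home-literal home-relative-literal)
  (literal (string-append (param "HOME") home-relative-literal)))

;; Re-permit process-info* for the daemon's own process only; the blanket
;; (deny process-info*) near the top still covers other targets.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
;; No path filter is given, so metadata is readable for every path, including
;; files whose contents this profile does not allow reading.
(allow file-read-metadata)

;; For validating the entitlements of clients.
;; No target filter is given, so this applies to any process.
(allow process-info-codesignature)

;; Preference domains the daemon may read and write.
;; NOTE(review): write access covers ".GlobalPreferences" and
;; "kCFPreferencesAnyApplication" as well as the daemon's own domain; confirm
;; write (rather than read-only) is really needed for the shared domains.
(allow user-preference-read user-preference-write
       (preference-domain "com.apple.security.analytics")
       (preference-domain ".GlobalPreferences")
       (preference-domain "com.apple.CFNetwork")
       (preference-domain "com.apple.nsurlcache")
       (preference-domain "kCFPreferencesAnyApplication"))

;; Read-only file access.
;; The se_SecurityMessages pattern is anchored at both ends, matching the
;; style of the mds rules further down. The original pattern had no "^"/"$",
;; so it matched any path that merely contained the substring.
(allow file-read*
       (literal "/usr/libexec")
       (literal "/usr/libexec/securityuploadd")
       (subpath "/Library/Keychains/SupplementalsAssets/")
       (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
       (regex #"^/private/var/db/mds/messages/([A-Za-z0-9]+/)?se_SecurityMessages$"))

;; Read/write access to analytics DBs and reports directories
;; The Keychains rule is start-anchored by home-regex and end-bounded by
;; "(/|$)", so it covers the Analytics directory itself and anything below it.
(allow file-read* file-write*
       (subpath "/private/var/protected/")
       (home-regex #"/Library/Keychains/[0-9A-F-]+/Analytics(/|$)")
       (home-subpath #"/Library/Logs/DiagnosticReports/")
       (home-subpath #"/Library/Application Support/com.apple.ProtectedCloudStorage/"))

;; Read/write cache access
;; The same filter is reused for file-issue-extension, so extensions can only
;; be issued for paths inside the daemon's own cache directory and only in the
;; two listed app-sandbox extension classes.
(let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.securityuploadd")))
  (allow file-read* file-write* cache-path-filter)
  (allow file-issue-extension
         (require-all
           (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")
           cache-path-filter)))

;; Mach services the daemon may look up by global name.
(allow mach-lookup
       (global-name "com.apple.securityd.ckks")
       (global-name "com.apple.accountsd.accountmanager")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.AppSSO.service-xpc")
       (global-name "com.apple.dnssd.service")
       (global-name "com.apple.usymptomsd")
       (global-name "com.apple.ak.auth.xpc"))

;; Legacy SecKey operations
;; Fully anchored patterns: exactly three mds files under a two-level
;; /private/var/folders/<x>/<y>/C/mds/ directory, nothing else in that tree.
(allow file-read* file-write*
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
(allow mach-lookup
       (global-name "com.apple.SecurityServer"))

;; allow network
;; Both rules are unfiltered: any outbound destination and any system-socket
;; use are permitted.
;; NOTE(review): if the upload endpoints are a fixed set, consider narrowing
;; network-outbound with a remote filter -- confirm against the daemon's
;; actual traffic before changing.
(allow network-outbound)
(allow system-socket)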