Modified: trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in (283181 => 283182)
--- trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-09-28 17:55:47 UTC (rev 283181)
+++ trunk/Source/WebKit/GPUProcess/mac/com.apple.WebKit.GPUProcess.sb.in 2021-09-28 18:06:16 UTC (rev 283182)
@@ -24,7 +24,7 @@
(version 1)
(deny default (with partial-symbolication))
(deny nvram*)
-(allow system-audit file-read-metadata)
+(allow system-audit file-read-metadata (with telemetry))
#include "Shared/Sandbox/preferences.sb"
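Review bot: Neither this rule nor the profile header says what `(with telemetry)` is for, although the commit attaches it to nearly every allow rule in both profiles. A short comment near `(version 1)` would help the next maintainer, for example `;;; (with telemetry) marks rules whose use is being measured; drop the modifier once the data is in.` That purpose is inferred from the shape of the change, so the author should confirm the wording. Note also that `(allow system-audit file-read-metadata (with telemetry))` carries no filter, so if an event is emitted per match it may be a high-volume source worth leaving unannotated.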
@@ -34,10 +34,10 @@
;;;
;;; Allow registration of per-pid services.
-(allow mach-register (local-name-prefix ""))
+(allow mach-register (with telemetry) (local-name-prefix ""))
;;; Allow read access to standard system paths.
-(allow file-read*
+(allow file-read* (with telemetry)
(require-all (file-mode #o0004)
(require-any (subpath "/Library/Filesystems/NetFSPlugins")
(subpath "/Library/Apple/System")
@@ -49,13 +49,13 @@
(subpath "/usr/share"))))
;;; Allow reading internal profiles on development builds
-(allow file-read*
+(allow file-read* (with telemetry)
(require-all (file-mode #o0004)
(subpath "/AppleInternal/Library/Preferences/Logging")
(system-attribute apple-internal)))
;;; Allow mapping of system frameworks + dylibs
-(allow file-map-executable
+(allow file-map-executable (with telemetry)
(subpath "/Library/Apple/System/Library/Frameworks")
(subpath "/Library/Apple/System/Library/PrivateFrameworks")
(subpath "/System/Library/Frameworks")
@@ -64,7 +64,7 @@
(subpath "/usr/appleinternal/lib") ;; <rdar://problem/72317112>
)
-(allow file-read-metadata
+(allow file-read-metadata (with telemetry)
(literal "/etc")
(literal "/tmp")
(literal "/var")
@@ -72,7 +72,7 @@
;;; Allow access to standard special files.
-(allow file-read*
+(allow file-read* (with telemetry)
(literal "/dev/autofs_nowait")
(literal "/dev/random")
(literal "/dev/urandom")
@@ -80,22 +80,22 @@
(literal "/private/etc/passwd"))
(allow file-read*
- file-write-data
+ file-write-data (with telemetry)
(literal "/dev/null")
(literal "/dev/zero"))
(allow file-read*
file-write-data
- file-ioctl
+ file-ioctl (with telemetry)
(literal "/dev/dtracehelper"))
;;; Allow creation of core dumps.
-(allow file-write-create
+(allow file-write-create (with telemetry)
(require-all (prefix "/cores/")
(vnode-type REGULAR-FILE)))
;;; Allow IPC to standard system agents.
-(allow ipc-posix-shm-read*
+(allow ipc-posix-shm-read* (with telemetry)
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name-prefix "apple.cfprefs."))
@@ -106,41 +106,41 @@
(preference-domain "com.apple.opengl")
(preference-domain "com.nvidia.OpenGL"))
;; CVMS
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.cvmsServ"))
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
- (allow file-read*
+ (allow file-read* (with telemetry)
(prefix "/private/var/db/CVMS/cvmsCodeSignObj"))
#endif
;; OpenCL
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-connection "IOAccelerator")
(iokit-registry-entry-class "IOAccelerationUserClient")
(iokit-registry-entry-class "IOSurfaceRootUserClient")
(iokit-registry-entry-class "IOSurfaceSendRight"))
;; CoreVideo CVCGDisplayLink
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-registry-entry-class "IOFramebufferSharedUserClient"))
;; These are needed for Encrypted Media on some hardware (MacMini8,1 for example)
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-registry-entry-class "AppleIntelMEUserClient")
(iokit-registry-entry-class "AppleSNBFBUserClient")
)
;; QuartzCore
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-registry-entry-class "AGPMClient")
(iokit-registry-entry-class "AppleGraphicsControlClient")
(iokit-registry-entry-class "AppleGraphicsPolicyClient"))
;; OpenGL
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-registry-entry-class "AppleMGPUPowerControlClient"))
;; GPU bundles
- (allow file-read*
+ (allow file-read* (with telemetry)
(subpath "/Library/GPUBundles"))
;; DisplayServices
- (allow iokit-set-properties
+ (allow iokit-set-properties (with telemetry)
(require-all (iokit-connection "IODisplay")
(require-any (iokit-property "brightness")
(iokit-property "linear-brightness")
@@ -161,7 +161,7 @@
(allow process-codesigning-status*)
(deny sysctl*)
-(allow sysctl-read
+(allow sysctl-read (with telemetry)
(sysctl-name
"hw.activecpu" ;; <rdar://problem/56795575>
"hw.byteorder"
@@ -213,7 +213,7 @@
(sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76783596>
)
-(allow sysctl-write
+(allow sysctl-write (with telemetry)
(sysctl-name
"kern.tcsm_enable"))
@@ -482,7 +482,7 @@
"display-scale"))))
(deny mach-lookup (xpc-service-name-prefix ""))
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(xpc-service-name "com.apple.PerformanceAnalysis.animationperfd")
(xpc-service-name "com.apple.audio.SandboxHelper")
(xpc-service-name "com.apple.coremedia.videodecoder")
@@ -490,7 +490,7 @@
(xpc-service-name "com.apple.hiservices-xpcservice")
)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.accessibility.mediaaccessibilityd")
)
@@ -507,13 +507,13 @@
(define (allow-read-directory-and-issue-read-extensions path)
(if path
(begin
- (allow file-read* (subpath path))
+ (allow file-read* (with telemetry) (subpath path))
(allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path))))))
(define (allow-read-write-directory-and-issue-read-write-extensions path)
(if path
(begin
- (allow file-read* file-write* (subpath path))
+ (allow file-read* file-write* (with telemetry) (subpath path))
(allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))
(allow file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") (subpath path))))))
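Review bot: In both helpers only the `file-read*` / `file-write*` rule gets the modifier, while the `file-issue-extension` rules beside them are left as they were. The same split appears in `apply-read-and-issue-extension` and `apply-write-and-issue-extension` in both profiles, yet the iOS profile does annotate its standalone `file-issue-extension` rules, so coverage of extension issuance is uneven. If the data is meant to show which grants are still exercised, issuing an extension is the operation that hands access on to another process and is worth measuring too, e.g. `(allow file-issue-extension (with telemetry) (require-all (extension-class "com.apple.app-sandbox.read") (subpath path)))`.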
@@ -544,7 +544,7 @@
*uuid-pattern*)
;; Read-only preferences and data
-(allow file-read*
+(allow file-read* (with telemetry)
;; Basic system paths
(subpath "/Library/Dictionaries")
(subpath "/Library/Fonts")
@@ -563,7 +563,7 @@
(home-subpath "/Library/Dictionaries"))
-(allow file-read-data
+(allow file-read-data (with telemetry)
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
;; Needed for AES3 support
(subpath "/Library/Audio/Plug-Ins/Components"))
@@ -611,10 +611,10 @@
;; Sandbox extensions
(define (apply-read-and-issue-extension op path-filter)
- (op file-read* path-filter)
+ (op file-read* (with telemetry) path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
(define (apply-write-and-issue-extension op path-filter)
- (op file-write* path-filter)
+ (op file-write* (with telemetry) path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
(define (read-only-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter))
@@ -623,11 +623,11 @@
(apply-write-and-issue-extension allow path-filter))
(read-only-and-issue-extensions (extension "com.apple.app-sandbox.read"))
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
-(allow mach-lookup (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.
+(allow mach-lookup (with telemetry) (extension "com.apple.app-sandbox.mach")) ;; FIXME: Should be removed when <rdar://problem/13066206> is fixed.
;; Allow the OpenGL Profiler to attach.
(if (defined? 'mach-register)
- (allow mach-register (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
+ (allow mach-register (with telemetry) (global-name-regex #"^_oglprof_attach_<[0-9]+>$")))
(if (positive? (string-length (param "DARWIN_USER_CACHE_DIR")))
(allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_CACHE_DIR")))
@@ -636,7 +636,7 @@
(allow-read-write-directory-and-issue-read-write-extensions (param "DARWIN_USER_TEMP_DIR")))
;; IOKit user clients
-(allow iokit-open
+(allow iokit-open (with telemetry)
(iokit-user-client-class "AppleMultitouchDeviceUserClient")
(iokit-user-client-class "AppleUpstreamUserClient")
(iokit-user-client-class "IOHIDParamUserClient")
@@ -648,16 +648,16 @@
;; cookied.
;; FIXME: Update for <rdar://problem/13642852>.
-(allow ipc-posix-shm-read-data
+(allow ipc-posix-shm-read-data (with telemetry)
(ipc-posix-name "FNetwork.defaultStorageSession")
(ipc-posix-name-regex #"\.PrivateBrowsing-")
(ipc-posix-name-regex #"^WebKit Test-"))
;; Audio
-(allow ipc-posix-shm-read* ipc-posix-shm-write-data
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data (with telemetry)
(ipc-posix-name-regex #"^AudioIO"))
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.audio.AudioComponentRegistrar")
#if !ENABLE(CFPREFS_DIRECT_MODE)
(global-name "com.apple.cfprefsd.agent")
@@ -676,7 +676,7 @@
)
;; Various services required by AppKit and other frameworks
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
#if __MAC_OS_X_VERSION_MIN_REQUIRED < 101400
(global-name "com.apple.FontObjectsServer")
#endif
@@ -708,7 +708,7 @@
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
;; <rdar://problem/47268166>
-(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
+(allow mach-lookup (with telemetry) (xpc-service-name "com.apple.MTLCompilerService"))
#endif
#if __MAC_OS_X_VERSION_MIN_REQUIRED >= 101400 || PLATFORM(MACCATALYST)
@@ -720,25 +720,25 @@
#endif
;; Needed to support encrypted media playback <rdar://problem/40038478>
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.SecurityServer")
(global-name "com.apple.ocspd"))
-(allow file-read* (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
+(allow file-read* (with telemetry) (subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
(with-filter (uid 0)
- (allow file-write*
+ (allow file-write* (with telemetry)
(subpath "/private/var/db/mds/system")) ;; FIXME: This should be removed when <rdar://problem/9538414> is fixed.
)
-(allow file-read*
+(allow file-read* (with telemetry)
(subpath "/private/var/db/mds")
(literal "/private/var/db/DetachedSignatures"))
-(allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-create
+(allow ipc-posix-shm-read* ipc-posix-shm-write-data ipc-posix-shm-write-create (with telemetry)
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
;; CoreFoundation. We don't import com.apple.corefoundation.sb, because it allows unnecessary access to pasteboard.
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name-regex #"^com.apple.distributed_notifications")
#if !HAVE(CSCHECKFIXDISABLE)
(global-name "com.apple.CoreServices.coreservicesd")
@@ -745,17 +745,17 @@
#endif
)
-(allow file-read-data
+(allow file-read-data (with telemetry)
(literal "/dev/autofs_nowait")) ; Used by CF to circumvent automount triggers
-(allow ipc-posix-shm
+(allow ipc-posix-shm (with telemetry)
(ipc-posix-name-regex #"^CFPBS:")) ; <rdar://problem/13757475>
-(allow system-fsctl (fsctl-command (_IO "h" 47)))
+(allow system-fsctl (with telemetry) (fsctl-command (_IO "h" 47)))
;; Graphics
(system-graphics)
;; Networking
-(allow network-outbound
+(allow network-outbound (with telemetry)
#if __MAC_OS_X_VERSION_MIN_REQUIRED <= 101500
;; Local mDNSResponder for DNS, arbitrary outbound TCP
;; Note: This is needed for some media playback features. <rdar://problem/38191574>
@@ -770,11 +770,11 @@
)
;; CFNetwork
-(allow file-read-data (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
+(allow file-read-data (with telemetry) (path "/private/var/db/nsurlstoraged/dafsaData.bin"))
#if PLATFORM(MAC)
;; FIXME should be removed when <rdar://problem/9347205> + related radar in Safari is fixed
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
#endif
@@ -803,7 +803,7 @@
(global-name "com.apple.speech.recognitionserver"))
#if PLATFORM(MAC)
;; Also part of unnecessary NSApplication initialization, but we can't block access to these yet, see <rdar://problem/13869765>.
-(allow file-read*
+(allow file-read* (with telemetry)
(subpath "/Library/Components")
(subpath "/Library/Keyboard Layouts")
(subpath "/Library/Input Methods")
@@ -813,7 +813,7 @@
#endif
;; AirPlay
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.coremedia.endpoint.xpc")
(global-name "com.apple.coremedia.endpointstream.xpc")
(global-name "com.apple.coremedia.endpointstreamaudioengine.xpc") ;; <rdar://76029596>
@@ -826,7 +826,7 @@
)
;; Data Detectors
-(allow file-read* (subpath "/private/var/db/datadetectors/sys"))
+(allow file-read* (with telemetry) (subpath "/private/var/db/datadetectors/sys"))
#if PLATFORM(MAC)
;; Media capture, utilities
@@ -877,9 +877,9 @@
(with-filter (extension "com.apple.webkit.camera")
(shared-preferences-read "com.apple.cmio")
(shared-preferences-read "com.apple.coremedia")
- (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
- (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
- (allow mach-lookup
+ (allow file-read* (with telemetry) (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
+ (allow mach-lookup (with telemetry) (extension "com.apple.app-sandbox.mach"))
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.cmio.AppleCameraAssistant")
(global-name "com.apple.cmio.registerassistantservice")
(global-name "com.apple.cmio.registerassistantservice.system-extensions")
@@ -901,7 +901,7 @@
)
#endif
)
- (allow iokit-open
+ (allow iokit-open (with telemetry)
;; QuickTimeUSBVDCDigitizer
(iokit-user-client-class "IOUSBDeviceUserClientV2")
(iokit-user-client-class "IOUSBInterfaceUserClientV2"))
@@ -908,16 +908,16 @@
(allow device-camera))
#endif // PLATFORM(MAC)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.relatived.tempest")
)
-(allow iokit-open
+(allow iokit-open (with telemetry)
(iokit-user-client-class "AppleAVDUserClient")
)
(when (equal? (param "CPU") "arm64")
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-user-client-class "IOMobileFramebufferUserClient")
;; VideoToolbox VTImageRotationSession
(iokit-user-client-class "IOSurfaceAcceleratorClient")
Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb (283181 => 283182)
--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-09-28 17:55:47 UTC (rev 283181)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.GPU.sb 2021-09-28 18:06:16 UTC (rev 283182)
@@ -34,7 +34,7 @@
(import "util.sb")
(define-once (allow-read-and-issue-generic-extensions . filters)
- (allow file-read*
+ (allow file-read* (with telemetry)
(apply require-any filters))
(allow file-issue-extension
(require-all
@@ -42,7 +42,7 @@
(apply require-any filters))))
(define-once (allow-read-write-and-issue-generic-extensions . filters)
- (allow file-read* file-write*
+ (allow file-read* file-write* (with telemetry)
(apply require-any filters))
(allow file-read-metadata
(apply require-any filters))
@@ -52,7 +52,7 @@
(apply require-any filters))))
(define-once (managed-configuration-read-public)
- (allow file-read*
+ (allow file-read* (with telemetry)
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
(front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo")))
@@ -59,13 +59,13 @@
(define-once (managed-configuration-read . files)
(if (null? files)
- (allow file-read*
+ (allow file-read* (with telemetry)
(well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles")
(front-user-home-subpath "/Library/ConfigurationProfiles")
(front-user-home-subpath "/Library/UserConfigurationProfiles"))
(for-each
(lambda (file)
- (allow file-read*
+ (allow file-read* (with telemetry)
(well-known-system-group-container-literal
(string-append "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/" file))
(front-user-home-literal
@@ -82,13 +82,13 @@
(allow-preferences-common)
(for-each (lambda (domain)
(begin
- (allow user-preference-read (preference-domain domain))
+ (allow user-preference-read (with telemetry) (preference-domain domain))
(allow file-read*
(home-literal (string-append "/Library/Preferences/" domain ".plist")))))
domains))
(define-once (framebuffer-access)
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-user-client-class "IOMobileFramebufferUserClient")
(when (defined? 'iokit-external-method)
(apply-message-filter
@@ -111,13 +111,13 @@
(extension "com.apple.assets.read"))))
;; <rdar://problem/10710883>
;; <rdar://problem/11569106>
- (allow file-read* asset-access-filter)
+ (allow file-read* (with telemetry) asset-access-filter)
(if (memq 'with-media-playback options)
(play-media asset-access-filter))
(mobile-preferences-read "com.apple.MobileAsset")))
(define-once (play-audio)
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.audio.AURemoteIOServer")))
(define-once (play-media . filters)
@@ -140,7 +140,7 @@
(extension "com.apple.security.exception.files.absolute-path.read-write"
"com.apple.security.exception.files.home-relative-path.read-write")))
;; CoreMedia framework.
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.coremedia.admin")
(global-name "com.apple.coremedia.asset.xpc")
(global-name "com.apple.coremedia.assetimagegenerator.xpc")
@@ -182,14 +182,14 @@
)
;; AVF needs to see these network preferences:
- (allow file-read*
+ (allow file-read* (with telemetry)
(literal "/private/var/preferences/com.apple.networkd.plist"))
;; Required by the MediaPlayer framework.
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.audio.AudioSession"))
- (allow mach-lookup (with report) (with telemetry)
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.airplay.apsynccontroller.xpc"))
;; Allow mediaserverd to issue file extensions for the purposes of reading media
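Review bot: The `com.apple.airplay.apsynccontroller.xpc` rule loses `(with report)` here, which is a removal rather than the addition made everywhere else in this hunk. The same modifier is dropped from the lookups of `com.apple.tccd`, `com.apple.lsd.mapdb`, `com.apple.system.logger`, `com.apple.diagnosticd` and `com.apple.TextInput` in later hunks of this file. If those rules were marked so that their use shows up in sandbox reports, that signal presumably stops with this change. Either keep `(allow mach-lookup (with report) (with telemetry)` on them, or state in the commit message that telemetry is meant to supersede the report.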
@@ -202,7 +202,7 @@
(mobile-preferences-read
"com.apple.mediaremote"
"com.apple.mobileipod")
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.mediaremoted.xpc"))
)
@@ -215,12 +215,12 @@
(with-filter (extension "com.apple.webkit.camera")
(allow user-preference-read
(preference-domain "com.apple.coremedia"))
- (allow file-read* (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
- (allow mach-lookup (extension "com.apple.app-sandbox.mach"))
+ (allow file-read* (with telemetry) (subpath "/Library/CoreMediaIO/Plug-Ins/DAL"))
+ (allow mach-lookup (with telemetry) (extension "com.apple.app-sandbox.mach"))
(allow device-camera))
;; Support incoming video connections
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.coremedia.compressionsession")
(global-name "com.apple.coremedia.decompressionsession")
(global-name "com.apple.coremedia.videoqueue"))
@@ -227,7 +227,7 @@
)
(define-once (accessibility-support)
- (allow mach-register
+ (allow mach-register (with telemetry)
(local-name "com.apple.iphone.axserver"))
(mobile-preferences-read "com.apple.Accessibility")
@@ -239,7 +239,7 @@
(define-once (media-accessibility-support)
;; <rdar://problem/12801477>
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
(global-name "com.apple.accessibility.mediaaccessibilityd"))
;; <rdar://problem/12250145>
@@ -250,7 +250,7 @@
(define-once (url-translation)
;; For translating http:// & https:// URLs referencing itms:// URLs.
;; <rdar://problem/11587338>
- (allow file-read*
+ (allow file-read* (with telemetry)
(home-literal "/Library/Caches/com.apple.itunesstored/url-resolution.plist")))
;;;
@@ -272,7 +272,7 @@
"IOAccelDevice2"
"IOAccelSharedUserClient2"))
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-connection "IOGPU")
(iokit-user-client-class
"AGXDeviceUserClient"))
@@ -286,10 +286,10 @@
(iokit-property "MetalPluginName")
)
- (allow sysctl-read
- (sysctl-name #"kern.bootsessionuuid"))
+ (allow sysctl-read (with telemetry)
+ (sysctl-name #"kern.bootsessionuuid"))
- (allow mach-lookup
+ (allow mach-lookup (with telemetry)
;; <rdar://problem/47268166>
(xpc-service-name "com.apple.MTLCompilerService"))
@@ -335,14 +335,14 @@
(deny file-read* file-write*
(vnode-type BLOCK-DEVICE CHARACTER-DEVICE))
- (allow file-read* file-write-data
+ (allow file-read* file-write-data (with telemetry)
(literal "/dev/null")
(literal "/dev/zero"))
- (allow file-read* file-write-data file-ioctl
+ (allow file-read* file-write-data file-ioctl (with telemetry)
(literal "/dev/dtracehelper"))
- (allow file-read*
+ (allow file-read* (with telemetry)
(literal "/dev/random")
(literal "/dev/urandom"))
;; <rdar://problem/14215718>
@@ -350,7 +350,7 @@
(literal "/dev/random")
(literal "/dev/urandom"))
- (allow file-read* file-write-data file-ioctl
+ (allow file-read* file-write-data file-ioctl (with telemetry)
(literal "/dev/aes_0")))
(define required-etc-files
@@ -372,7 +372,7 @@
;; <rdar://problem/14555119> Access to high quality speech voices
;; Needed for WebSpeech
- (allow file-read*
+ (allow file-read* (with telemetry)
(home-subpath "/Library/VoiceServices/Assets")
(home-subpath "/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice"))
)
@@ -392,7 +392,7 @@
(global-name "com.apple.CARenderServer"))
; UIKit-required IOKit nodes.
- (allow iokit-open
+ (allow iokit-open (with telemetry)
(iokit-user-client-class "IOSurfaceAcceleratorClient")
(iokit-user-client-class "IOSurfaceSendRight")
;; Requires by UIView -> UITextMagnifierRenderer -> UIWindow
@@ -407,7 +407,7 @@
(define-once (dictionary-support)
; <rdar://problem/8548856> Sub-TLF: Sandbox change for apps for read-only access to the dictionary directory/data
- (allow file-read*
+ (allow file-read* (with telemetry)
; XXX - /Library ought to be allowed in all UI profiles but isn't (CF, MobileSafari)
(subpath "/Library/Dictionaries")
(home-subpath "/Library/Dictionaries"))
@@ -417,7 +417,7 @@
(deny file-write-mount file-write-unmount)
-(allow file-read-metadata
+(allow file-read-metadata (with telemetry)
(vnode-type DIRECTORY))
(mobile-preferences-read "com.apple.security")
@@ -426,7 +426,7 @@
(mobile-preferences-read "com.apple.PrototypeTools"))
(with-elevated-precedence
- (allow file-read*
+ (allow file-read* (with telemetry)
(subpath "/usr/lib"
"/usr/share"
"/private/var/db/timezone"))
@@ -433,7 +433,7 @@
(allow-read-and-issue-generic-extensions
(subpath "/Library/RegionFeatures"
"/System/Library"))
- (allow file-issue-extension
+ (allow file-issue-extension (with telemetry)
(require-all
(extension-class "com.apple.mediaserverd.read")
(subpath "/System/Library")))
@@ -444,14 +444,14 @@
(subpath "/System/Library/Caches/com.apple.factorydata"))))
(deny file-issue-extension file-read* hw-identifying-paths))
- (allow file-map-executable
+ (allow file-map-executable (with telemetry)
(subpath "/System/Library")
(subpath "/usr/lib"))
- (allow file-read-metadata
+ (allow file-read-metadata (with telemetry)
(vnode-type SYMLINK))
;;; <rdar://problem/24144418>
- (allow file-read*
+ (allow file-read* (with telemetry)
(subpath "/private/var/preferences/Logging"))
(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
@@ -463,11 +463,11 @@
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
(allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
- (allow file-read-metadata
+ (allow file-read-metadata (with telemetry)
(home-literal "/Library/Caches/powerlog.launchd"))
(allow-read-and-issue-generic-extensions (executable-bundle))
- (allow file-map-executable (executable-bundle))
+ (allow file-map-executable (with telemetry) (executable-bundle))
;; <rdar://problem/13963294>
(deny file-read-data file-issue-extension file-map-executable
@@ -486,7 +486,7 @@
"com.apple.security.exception.files.home-relative-path.read-only"
"com.apple.security.exception.files.home-relative-path.read-write"
"com.apple.sharing.airdrop.readonly")
- (allow file-read* file-read-metadata)
+ (allow file-read* file-read-metadata (with telemetry))
(allow file-issue-extension
(extension-class "com.apple.app-sandbox.read"
"com.apple.mediaserverd.read"
@@ -497,17 +497,17 @@
"com.apple.app-sandbox.read-write"
"com.apple.security.exception.files.absolute-path.read-write"
"com.apple.security.exception.files.home-relative-path.read-write")
- (allow file-write*)
- (allow file-issue-extension
+ (allow file-write* (with telemetry))
+ (allow file-issue-extension (with telemetry)
(extension-class "com.apple.app-sandbox.read-write"
"com.apple.mediaserverd.read-write"))))
;; <rdar://problem/16079361>
(with-filter (global-name-prefix "")
- (allow mach-register
+ (allow mach-register (with telemetry)
(extension "com.apple.security.exception.mach-register.global-name")))
(with-filter (local-name-prefix "")
- (allow mach-register
+ (allow mach-register (with telemetry)
(extension "com.apple.security.exception.mach-register.local-name")))
(allow-read-and-issue-generic-extensions
(extension "com.apple.security.exception.files.absolute-path.read-only")
@@ -520,7 +520,7 @@
(allow user-preference-read
(extension "com.apple.security.exception.shared-preference.read-only"))
- (allow file-issue-extension
+ (allow file-issue-extension (with telemetry)
(require-all
(extension-class "com.apple.nsurlstorage.extension-cache")
(extension "com.apple.security.exception.files.home-relative-path.read-write")
@@ -533,21 +533,21 @@
(internal-debugging-support)
)
-(allow file-read*
+(allow file-read* (with telemetry)
required-etc-files
(literal "/"))
-(allow file-read*
+(allow file-read* (with telemetry)
(subpath "/private/var/MobileAsset/PreinstalledAssetsV2/InstallWithOs"))
(device-access)
-(allow file-issue-extension
+(allow file-issue-extension (with telemetry)
(require-all
(extension-class "com.apple.app-sandbox.read-write" "com.apple.app-sandbox.read")
(extension "com.apple.fileprovider.read-write")))
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.logd")
(global-name "com.apple.logd.events")
(global-name "com.apple.distributed_notifications@1v3")
@@ -554,32 +554,32 @@
(global-name "com.apple.aggregated")
)
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.tccd"))
-(allow ipc-posix-shm-read*
+(allow ipc-posix-shm-read* (with telemetry)
(ipc-posix-name-prefix "apple.cfprefs."))
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.lsd.mapdb"))
;; <rdar://problem/12413942>
-(allow file-read*
+(allow file-read* (with telemetry)
(well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
(allow iokit-get-properties
(iokit-property "IORegistryEntryPropertyKeys"))
-(allow ipc-posix-sem-open
+(allow ipc-posix-sem-open (with telemetry)
(ipc-posix-name "containermanagerd.fb_check"))
(with-filter (ipc-posix-name "purplebuddy.sentinel")
(deny ipc-posix-sem-create ipc-posix-sem-post ipc-posix-sem-unlink ipc-posix-sem-wait)
- (allow ipc-posix-sem-open))
+ (allow ipc-posix-sem-open (with telemetry)))
(allow mach-lookup (with telemetry)
(global-name "com.apple.runningboard")) ;; Needed by process assertion code (ProcessTaskStateObserver).
-(allow system-sched
+(allow system-sched (with telemetry)
(require-entitlement "com.apple.private.kernel.override-cpumon"))
(deny sysctl-read (with no-report)
@@ -588,30 +588,30 @@
"sysctl.proc_native"))
(with-filter (system-attribute apple-internal)
- (allow sysctl-read sysctl-write
+ (allow sysctl-read sysctl-write (with telemetry)
(sysctl-name "vm.footprint_suspend"))
- (allow nvram-get (nvram-variable "emu")) ;; <rdar://problem/78363040>
+ (allow nvram-get (with telemetry) (nvram-variable "emu")) ;; <rdar://problem/78363040>
)
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.system.logger"))
-(allow file-read-metadata
+(allow file-read-metadata (with telemetry)
(literal "/private/var/run/syslog"))
;; ObjC map_images needs to send logging data to syslog. <rdar://problem/39778918>
(with-filter (system-attribute apple-internal)
- (allow network-outbound
+ (allow network-outbound (with telemetry)
(literal "/private/var/run/syslog")
)
)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.system.notification_center"))
-(allow ipc-posix-shm-read*
+(allow ipc-posix-shm-read* (with telemetry)
(ipc-posix-name "apple.shm.notification_center"))
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.diagnosticd"))
(managed-configuration-read-public)
@@ -619,14 +619,15 @@
(deny system-info (with no-report)
(info-type "net.link.addr"))
-(allow file-read*
+(allow file-read* (with telemetry)
(subpath "/private/var/db/datadetectors/sys"))
(allow-well-known-system-group-container-subpath-read
"/systemgroup.com.apple.icloud.findmydevice.managed/Library")
-(allow mach-task-name (target self))
+(allow mach-task-name (with telemetry) (target self))
+(allow process-info* (with telemetry))
(allow process-info-pidinfo (target self))
(allow process-info-pidfdinfo (target self))
(allow process-info-pidfileportinfo (target self))
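Review bot: The added `(allow process-info* (with telemetry))` is a new grant, not a telemetry annotation on an existing rule. It has no `(target self)` filter, so as written it matches every process-info operation against any target and makes the three self-scoped rules that follow it redundant. Every other change in this commit only adds a modifier, so this line looks unintended or at least undocumented; the effective policy also depends on rules outside the hunk. If the aim is to observe process-info use, scope it like its neighbours, `(allow process-info* (with telemetry) (target self))`, or annotate the existing self-scoped rules instead.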
@@ -658,7 +659,7 @@
(url-translation)
;; TextInput framework
-(allow mach-lookup (with report) (with telemetry)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.TextInput"))
(mobile-preferences-read "com.apple.da")
@@ -673,7 +674,7 @@
"/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
;; Access the keyboards
-(allow file-read*
+(allow file-read* (with telemetry)
(home-subpath "/Library/Caches/com.apple.keyboards"))
(mobile-preferences-read
@@ -694,11 +695,11 @@
(with no-log))
;; <rdar://problem/12985925> Need read access to /var/mobile/Library/Fonts to all apps
-(allow file-read*
+(allow file-read* (with telemetry)
(home-subpath "/Library/Fonts"))
;; <rdar://problem/7344719&26323449> LaunchServices app icons
-(allow file-read*
+(allow file-read* (with telemetry)
(well-known-system-group-container-subpath "/systemgroup.com.apple.lsd.iconscache"))
(allow-preferences-common)
@@ -713,7 +714,7 @@
(dictionary-support)
; <rdar://problem/8440231>
-(allow file-read*
+(allow file-read* (with telemetry)
(home-literal "/Library/Caches/DateFormats.plist"))
; Silently deny writes when CFData attempts to write to the cache directory.
(deny file-write*
@@ -743,7 +744,7 @@
(mobile-preferences-read "com.apple.AdLib.plist")
(deny sysctl*)
-(allow sysctl-read
+(allow sysctl-read (with telemetry)
(sysctl-name
"hw.activecpu"
"hw.availcpu"
@@ -859,10 +860,10 @@
;; Sandbox extensions
(define (apply-read-and-issue-extension op path-filter)
- (op file-read* path-filter)
+ (op file-read* (with telemetry) path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))
(define (apply-write-and-issue-extension op path-filter)
- (op file-write* path-filter)
+ (op file-write* (with telemetry) path-filter)
(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read-write") path-filter)))
(define (read-only-and-issue-extensions path-filter)
(apply-read-and-issue-extension allow path-filter))
@@ -873,7 +874,7 @@
(read-write-and-issue-extensions (extension "com.apple.app-sandbox.read-write"))
;; Access to client's cache folder & re-vending to CFNetwork.
-(allow file-issue-extension (require-all
+(allow file-issue-extension (with telemetry) (require-all
(extension "com.apple.app-sandbox.read-write")
(extension-class "com.apple.nsurlstorage.extension-cache")))
@@ -882,7 +883,7 @@
(media-accessibility-support)
;; Various services required by CFNetwork and other frameworks
-(allow mach-lookup (with telemetry-backtrace)
+(allow mach-lookup (with telemetry)
(global-name "com.apple.analyticsd"))
;; Silence reports about things we do not want access to:
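Review bot: `(with telemetry-backtrace)` is replaced by plain `(with telemetry)` on the `com.apple.analyticsd` lookup. The same downgrade is applied in a later hunk to the `(deny mach-lookup ...)` rule covering `com.apple.iconservices` and the `com.apple.PowerManagement.control` group. For the deny rule in particular, the backtrace is presumably what identifies the caller attempting the blocked lookup, so dropping it makes those events harder to triage. Keep `(deny mach-lookup (with telemetry-backtrace)` there unless the backtrace is known to be unneeded, and say so in the commit message if it is.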
@@ -894,16 +895,16 @@
(deny file-read-xattr file-write-xattr (xattr-regex #"^com\.apple\.security\.private\."))
;; Allow loading injected bundles.
-(allow file-map-executable)
+(allow file-map-executable (with telemetry))
;; Allow ManagedPreference access
-(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
+(allow file-read* (with telemetry) (literal "/private/var/Managed Preferences/mobile/com.apple.webcontentfilter.plist"))
-(allow file-read-data
+(allow file-read-data (with telemetry)
(literal "/usr/local/lib/log") ; <rdar://problem/36629495>
)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(require-all
(extension "com.apple.webkit.extension.mach")
(global-name
@@ -914,7 +915,7 @@
)
)
-(allow iokit-open
+(allow iokit-open (with telemetry)
(require-all
(extension "com.apple.webkit.extension.iokit")
(iokit-user-client-class
@@ -936,7 +937,7 @@
(xpc-service-name "com.apple.audio.toolbox.reporting.service")
)
-(deny mach-lookup (with telemetry-backtrace)
+(deny mach-lookup (with telemetry)
(xpc-service-name "com.apple.iconservices")
(global-name
"com.apple.PowerManagement.control"
@@ -945,16 +946,16 @@
)
)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.systemstatus.activityattribution")
)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(require-all
(extension "com.apple.webkit.extension.mach")
(global-name "com.apple.iphone.axserver-systemwide" "com.apple.tccd")))
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(require-all
(extension "com.apple.webkit.extension.mach")
(xpc-service-name-prefix "com.apple.AGXCompilerService")))
@@ -961,7 +962,7 @@
(media-capture-support)
-(allow mach-lookup
+(allow mach-lookup (with telemetry)
(global-name "com.apple.audio.AudioQueueServer" "com.apple.audio.AudioComponentRegistrar")
)