;; Sandbox profile for secd (/usr/libexec/secd; the rules below centre on the
;; user's keychain directory and the keychain-related IPC/IOKit services).
;; SBPL, the Scheme-like profile language read by libsandbox.
(version 1)

;; Default-deny: any operation not matched by an (allow ...) rule is refused.
;; Every rule in this file therefore only *widens* what secd may do.
(deny default)

;; Baseline shared by system daemons. system.sb is not shown here, so the
;; effective policy is this file plus whatever system.sb grants — review both.
(import "system.sb")

;; Write-only access to the kernel RNG (e.g. to mix in entropy). This rule grants
;; no read; reading /dev/random currently falls under the broad file-read* rule
;; further down in this profile.
(allow file-write-data
    (literal "/dev/random"))

;; Read/write state: the legacy MDS database under /private/var/db/mds, the
;; per-user temporary directory, and the user's keychain directory.
;; NOTE(review): the T regex's two [^/]+ components match *any* user's
;; /private/var/folders tree, not only this process's own; if this profile is
;; handed a _DARWIN_USER_TEMP_DIR parameter, anchoring on it would be tighter —
;; confirm before changing.
;; _HOME is passed through regex-quote so a home path containing regex
;; metacharacters cannot alter what the pattern matches.
(allow file-read* file-write*
    (subpath "/private/var/db/mds")
    (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
    (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))

;; Read-only access to the iMessage/FaceTime "bag" plists in the user's Preferences.
;; (literal ...) is an exact-path match, so no regex quoting of _HOME is needed here.
(allow file-read*
    (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.imessage.bag.plist"))
    (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.facetime.bag.plist")))

;;;;;; will be fully fixed in 29465717
;; TEMPORARY, BROAD: read access to the entire filesystem. While this line is
;; present it subsumes every narrower file-read* rule in this profile, so the
;; narrower rules are not the effective read policy and have not been exercised
;; on their own. Re-test them when this line is removed, and do not add new
;; read-only paths elsewhere on the assumption that this grant is permanent.
(allow file-read* (subpath "/"))

;; CFPreferences domains secd may read. Only com.apple.security.sosaccount is
;; writable; every other domain is read-only. Adding user-preference-write for
;; a domain should be deliberate — a writable domain is state a compromised
;; process could persist into.
(allow user-preference-read
    (preference-domain ".GlobalPreferences"))
(allow user-preference-read
    (preference-domain "com.apple.security"))
(allow user-preference-read
    (preference-domain "com.apple.imessage.bag"))
(allow user-preference-read
    (preference-domain "com.apple.facetime.bag"))
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.security.sosaccount"))

;; Unfiltered: secd may post any distributed notification (no name filter applied).
(allow distributed-notification-post)

;; IOKit user clients secd may open. Each is a direct kernel interface, so this
;; list should stay minimal. Roles inferred from the class names only, not
;; verified here: AppleKeyStoreUserClient (keybag/keystore),
;; AppleAPFSUserClient (APFS), RootDomainUserClient (power management).
(allow iokit-open
   (iokit-user-client-class "AppleKeyStoreUserClient")
   (iokit-user-client-class "AppleAPFSUserClient")
   (iokit-user-client-class "RootDomainUserClient"))

;; Specific read-only paths: the daemon's own binary, the system-wide security
;; and global preference plists, and two directory entries. (literal "/usr/libexec")
;; and (literal "/AppleInternal") match only the directory node itself (e.g. for
;; stat/existence checks), not anything beneath it — that would need (subpath ...).
;; Currently redundant with the temporary (subpath "/") rule above; presumably kept
;; so the profile keeps working once that rule is removed.
(allow file-read*
    (literal "/usr/libexec/secd")
    (literal "/Library/Preferences/com.apple.security.plist")
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (literal "/AppleInternal")
    (literal "/usr/libexec"))

;; Mach/XPC services secd may look up by global bootstrap name. Each entry is a
;; trusted IPC peer: it widens both secd's reach (what it can ask other daemons to
;; do) and its attack surface (replies it must parse), so additions need a reason.
(allow mach-lookup
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.security.cloudkeychainproxy3")
        (global-name "com.apple.accountsd.accountmanager")
        (global-name "com.apple.CoreServices.coreservicesd")
        (global-name "com.apple.distributed_notifications@Uv3")
        (global-name "com.apple.ak.auth.xpc")
        (global-name "com.apple.cdp.daemon")
        (global-name "com.apple.cloudd")
        (global-name "com.apple.apsd")
        (global-name "com.apple.analyticsd")
        (global-name "com.apple.symptom_diagnostics")
        (global-name "com.apple.ak.anisette.xpc")
        (global-name "com.apple.corefollowup.agent")
        (global-name "com.apple.windowserver.active")
        (global-name "com.apple.powerlog.plxpclogger.xpc")
        (global-name "com.apple.SecureBackupDaemon")
        (global-name "com.apple.SecureBackupDaemon.concurrent")
)

;; Used to send logs for MoiC (internal project name; not expanded here).
(allow mach-lookup
        (global-name "com.apple.imagent.desktop.auth"))

;; Read-only: registry properties of the platform expert device (hardware/platform
;; identifiers; the exact keys secd reads are not recorded here).
(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))

;; Single named POSIX shared-memory segment (by name, a database-changed signal;
;; confirm against the code that opens it).
(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Unrestricted outbound networking: no (remote ...) host/port/protocol filter,
;; so secd may connect anywhere. Together with the temporary (subpath "/") read
;; grant above, a compromised secd could read and send out any file its uid can
;; read. Narrowing this (e.g. (allow network-outbound (remote tcp "*:443")))
;; requires the list of endpoints secd actually contacts, which this profile
;; does not record.
(allow network-outbound)
;; Permits sockets outside the ordinary network families (e.g. kernel-control
;; sockets); verify secd still needs this.
(allow system-socket)

;; to be deleted once SecTrustEvaluate and SecTrustCopyKey can avoid touching legacy cert and keychain stack
;; LEGACY: read/write to the per-user MDS cache. The `$` anchors and escaped dots
;; restrict this to exactly the three named files, not the directory. As with the
;; T regex above, [^/]+/[^/]+ matches any user's /private/var/folders tree, not
;; only this process's own.
(allow file-read* file-write*
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
;; Lookup of securityd's Mach service; presumably part of the same legacy path
;; covered by the "to be deleted" note above — confirm before removing either alone.
(allow mach-lookup
    (global-name "com.apple.SecurityServer"))

;; By name, an AFP byte-range-locking fsctl; why secd needs it is not recorded here.
(allow system-fsctl (fsctl-command afpfsByteRangeLock2FSCTL))