<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209280] trunk/Source/WebKit2</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209280">209280</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-12-02 15:21:22 -0800 (Fri, 02 Dec 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>[Mac] Update sandbox profiles to use modern syntax and avoid duplication
https://bugs.webkit.org/show_bug.cgi?id=165332
&lt;rdar://problem/26898991&gt;

Reviewed by Anders Carlsson.

Update the Mac sandbox profiles to reflect that modern Cocoa applications
communicate with cfprefsd, rather than plists on disk (and have done so
for the past several releases).

Get rid of some duplicated rules, as well as old compatibility rules that
are never triggered under supported operating systems.

* DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
* NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
* PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
* WebProcess/com.apple.WebProcess.sb.in:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2DatabaseProcessmaccomappleWebKitDatabasessbin">trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcessmaccomappleWebKitNetworkProcesssbin">trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in</a></li>
<li><a href="#trunkSourceWebKit2PluginProcessmaccomappleWebKitplugincommonsbin">trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in</a></li>
<li><a href="#trunkSourceWebKit2WebProcesscomappleWebProcesssbin">trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (209279 => 209280)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/ChangeLog        2016-12-02 23:21:22 UTC (rev 209280)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-12-02  Brent Fulgham  &lt;bfulgham@apple.com&gt;
+
+        [Mac] Update sandbox profiles to use modern syntax and avoid duplication
+        https://bugs.webkit.org/show_bug.cgi?id=165332
+        &lt;rdar://problem/26898991&gt;
+
+        Reviewed by Anders Carlsson.
+
+        Update the Mac sandbox profiles to reflect that modern Cocoa applications
+        communicate with cfprefsd, rather than plists on disk (and have done so
+        for the past several releases).
+
+        Get rid of some duplicated rules, as well as old compatibility rules that
+        are never triggered under supported operating systems.
+
+        * DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in:
+        * NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in:
+        * PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in:
+        * WebProcess/com.apple.WebProcess.sb.in:
+
</ins><span class="cx"> 2016-12-02  Gustavo Sverzut Barbieri  &lt;barbieri@profusion.mobi&gt;
</span><span class="cx"> 
</span><span class="cx">         Fix build break when disabling some features.
</span></span></pre></div>
<a id="trunkSourceWebKit2DatabaseProcessmaccomappleWebKitDatabasessbin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in (209279 => 209280)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in        2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/DatabaseProcess/mac/com.apple.WebKit.Databases.sb.in        2016-12-02 23:21:22 UTC (rev 209280)
</span><span class="lines">@@ -37,12 +37,21 @@
</span><span class="cx"> (define (home-literal home-relative-literal)
</span><span class="cx">     (literal (string-append (param &quot;HOME_DIR&quot;) home-relative-literal)))
</span><span class="cx"> 
</span><ins>+;; IOKit user clients
+(allow iokit-open
+    (iokit-user-client-class &quot;RootDomainUserClient&quot;))
+
</ins><span class="cx"> ;; Security framework
</span><span class="cx"> (allow mach-lookup
</span><span class="cx">        (global-name &quot;com.apple.SecurityServer&quot;))
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;com.apple.security&quot;
+        &quot;com.apple.security.revocation&quot;))
</ins><span class="cx"> (allow file-read*
</span><span class="cx">        (subpath &quot;/private/var/db/mds&quot;)
</span><span class="cx">        (literal &quot;/private/var/db/DetachedSignatures&quot;)
</span><ins>+       ; The following are needed until &lt;rdar://problem/11134688&gt; is resolved.
</ins><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.plist&quot;)
</span><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.revocation.plist&quot;)
</span><span class="cx">        (home-literal &quot;/Library/Preferences/com.apple.security.plist&quot;)
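Review bot: The new iokit-open rule for RootDomainUserClient at the top of this hunk widens the
Databases profile, but the log message only describes the cfprefsd conversion and the removal of
duplicate and compatibility rules. Add a comment naming the caller that needs this user client, or
land it as a separate change so the added privilege is reviewed on its own.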
</span><span class="lines">@@ -55,16 +64,14 @@
</span><span class="cx">     (allow file* (subpath (param &quot;DARWIN_USER_TEMP_DIR&quot;))))
</span><span class="cx"> 
</span><span class="cx"> ;; Read-only preferences and data
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;kCFPreferencesAnyApplication&quot;))
</ins><span class="cx"> (allow file-read*
</span><span class="cx">     ;; Basic system paths
</span><span class="cx">     (subpath &quot;/Library/Frameworks&quot;)
</span><span class="cx">     (subpath &quot;/Library/Managed Preferences&quot;)
</span><span class="cx"> 
</span><del>-    ;; System and user preferences
-    (literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
-    (home-literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
-    (home-regex #&quot;/Library/Preferences/ByHost/\.GlobalPreferences\.&quot;)
-
</del><span class="cx">     ;; On-disk WebKit2 framework location, to account for debug installations
</span><span class="cx">     ;; outside of /System/Library/Frameworks
</span><span class="cx">     (subpath (param &quot;WEBKIT2_FRAMEWORK_DIR&quot;)))
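Review bot: Nothing in this hunk says that the preference-domain "kCFPreferencesAnyApplication"
replaces the three removed .GlobalPreferences path rules (system, per-user and ByHost), and
plugin-common.sb.in in this same revision still names that domain ".GlobalPreferences" in
shared-preferences-read. Add a one-line comment on the new rule stating which files it stands in for.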
</span></span></pre></div>
<a id="trunkSourceWebKit2NetworkProcessmaccomappleWebKitNetworkProcesssbin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in (209279 => 209280)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in        2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/NetworkProcess/mac/com.apple.WebKit.NetworkProcess.sb.in        2016-12-02 23:21:22 UTC (rev 209280)
</span><span class="lines">@@ -38,6 +38,12 @@
</span><span class="cx">     (literal (string-append (param &quot;HOME_DIR&quot;) home-relative-literal)))
</span><span class="cx"> 
</span><span class="cx"> ;; Read-only preferences and data
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;kCFPreferencesAnyApplication&quot;
+        &quot;com.apple.DownloadAssessment&quot;
+        &quot;com.apple.WebFoundation&quot;
+        &quot;com.apple.networkConnect&quot;))
</ins><span class="cx"> (allow file-read*
</span><span class="cx">     ;; Basic system paths
</span><span class="cx">     (subpath &quot;/Library/Frameworks&quot;)
</span><span class="lines">@@ -46,13 +52,7 @@
</span><span class="cx">     (literal &quot;/Library/Application Support/CrashReporter/SubmitDiagInfo.domains&quot;)
</span><span class="cx"> 
</span><span class="cx">     ;; System and user preferences
</span><del>-    (literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
</del><span class="cx">     (regex #&quot;^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$&quot;)
</span><del>-    (home-literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
-    (home-regex #&quot;/Library/Preferences/ByHost/\.GlobalPreferences\.&quot;)
-    (home-regex #&quot;/Library/Preferences/ByHost/com\.apple\.networkConnect\.&quot;)
-    (home-literal &quot;/Library/Preferences/com.apple.DownloadAssessment.plist&quot;)
-    (home-literal &quot;/Library/Preferences/com.apple.WebFoundation.plist&quot;)
</del><span class="cx"> 
</span><span class="cx">     ;; On-disk WebKit2 framework location, to account for debug installations
</span><span class="cx">     ;; outside of /System/Library/Frameworks
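Review bot: After these removals the ';; System and user preferences' comment heads a single
file-read regex for the managed com.apple.networkConnect plist, while the same domain is now granted
through preference-domain in the rule added above it. State in a comment why the managed-preferences
path still needs a file rule, as the 'needed until' comment does for the security plists, or remove
it with the others.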
</span><span class="lines">@@ -115,6 +115,13 @@
</span><span class="cx"> 
</span><span class="cx"> (allow file-read* file-write* (subpath &quot;/private/var/db/mds/system&quot;)) ;; FIXME: This should be removed when &lt;rdar://problem/9538414&gt; is fixed.
</span><span class="cx"> 
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;com.apple.crypto&quot;
+        &quot;com.apple.security&quot;
+        &quot;com.apple.security.common&quot;
+        &quot;com.apple.security.revocation&quot;))
+
</ins><span class="cx"> (allow file-read*
</span><span class="cx"> #if __MAC_OS_X_VERSION_MIN_REQUIRED &lt; 101240
</span><span class="cx">        (subpath &quot;/Library/Keychains&quot;)
</span><span class="lines">@@ -121,7 +128,8 @@
</span><span class="cx"> #endif
</span><span class="cx">        (subpath &quot;/private/var/db/mds&quot;)
</span><span class="cx">        (literal &quot;/private/var/db/DetachedSignatures&quot;)
</span><del>-       (literal &quot;/Library/Preferences/com.apple.crypto.plist&quot;)
</del><ins>+
+       ; The following are needed until &lt;rdar://problem/11134688&gt; is resolved.
</ins><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.plist&quot;)
</span><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.common.plist&quot;)
</span><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.revocation.plist&quot;)
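Review bot: The added comment uses a single ';' and is preceded by a new blank line inside the allow
form, while the other comments shown in this file use ';;'. It also does not say how far 'the
following' extends. Use ';;' and name the entries it covers, so they can be deleted together once
rdar://problem/11134688 is resolved.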
</span><span class="lines">@@ -146,13 +154,12 @@
</span><span class="cx">     (global-name &quot;com.apple.system.notification_center&quot;))
</span><span class="cx"> (allow network-outbound
</span><span class="cx">     (remote udp))
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;com.apple.GSS&quot;
+        &quot;com.apple.Kerberos&quot;
+        &quot;edu.mit.Kerberos&quot;))
</ins><span class="cx"> (allow file-read*
</span><del>-    (home-subpath &quot;/Library/Preferences/com.apple.Kerberos.plist&quot;)
-    (home-subpath &quot;/Library/Preferences/com.apple.GSS.plist&quot;)
-    (home-subpath &quot;/Library/Preferences/edu.mit.Kerberos&quot;)
-    (literal &quot;/Library/Preferences/com.apple.Kerberos.plist&quot;)
-    (literal &quot;/Library/Preferences/com.apple.GSS.plist&quot;)
-    (literal &quot;/Library/Preferences/edu.mit.Kerberos&quot;)
</del><span class="cx">     (literal &quot;/private/etc/krb5.conf&quot;)
</span><span class="cx">     (literal &quot;/private/etc/services&quot;)
</span><span class="cx">     (literal &quot;/private/etc/host&quot;)
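Review bot: The removed edu.mit.Kerberos rules were not plist rules: the literal named
/Library/Preferences/edu.mit.Kerberos with no .plist suffix, and the per-user form was a
home-subpath. The replacement, preference-domain "edu.mit.Kerberos", only covers that data if it is
read through the preferences system; a caller that opens the file directly is no longer allowed by
this rule. Confirm which applies and note it in a comment, or keep the two path rules.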
</span></span></pre></div>
<a id="trunkSourceWebKit2PluginProcessmaccomappleWebKitplugincommonsbin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in (209279 => 209280)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in        2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/PluginProcess/mac/com.apple.WebKit.plugin-common.sb.in        2016-12-02 23:21:22 UTC (rev 209280)
</span><span class="lines">@@ -78,33 +78,16 @@
</span><span class="cx"> (if (not (defined? 'os-version))
</span><span class="cx">     (define os-version (param &quot;_OS_VERSION&quot;)))
</span><span class="cx"> 
</span><del>-;; Graphics
-(if (defined? 'system-graphics)
-    (system-graphics)
-    (begin
-        (shared-preferences-read
-            &quot;com.apple.opengl&quot;
-            &quot;com.nvidia.OpenGL&quot;)
-        (allow mach-lookup (global-name &quot;com.apple.cvmsServ&quot;))
-        (allow iokit-open
-            (iokit-connection &quot;IOAccelerator&quot;)
-            (iokit-user-client-class &quot;IOAccelerationUserClient&quot;)
-            (iokit-user-client-class &quot;IOSurfaceRootUserClient&quot;)
-            (iokit-user-client-class &quot;IOSurfaceSendRight&quot;)
-            (iokit-user-client-class &quot;IOFramebufferSharedUserClient&quot;)
-            (iokit-user-client-class &quot;AppleSNBFBUserClient&quot;)
-            (iokit-user-client-class &quot;AGPMClient&quot;)
-            (iokit-user-client-class &quot;AppleGraphicsControlClient&quot;)
-            (iokit-user-client-class &quot;AppleGraphicsPolicyClient&quot;))))
</del><ins>+(system-graphics)
</ins><span class="cx"> 
</span><span class="cx"> ;; Read-only preferences
</span><span class="cx"> (shared-preferences-read
</span><span class="cx">     &quot;.GlobalPreferences&quot;
</span><ins>+    &quot;com.apple.ATS&quot;
</ins><span class="cx">     &quot;com.apple.Bluetooth&quot;
</span><span class="cx">     &quot;com.apple.CoreGraphics&quot;
</span><ins>+    &quot;com.apple.HIToolbox&quot;
</ins><span class="cx">     &quot;com.apple.QuickTime&quot;
</span><del>-    &quot;com.apple.HIToolbox&quot;
-    &quot;com.apple.ATS&quot;
</del><span class="cx">     &quot;com.apple.driver.AppleBluetoothMultitouch.mouse&quot;
</span><span class="cx">     &quot;com.apple.driver.AppleBluetoothMultitouch.trackpad&quot;
</span><span class="cx">     &quot;com.apple.driver.AppleHIDMouse&quot;
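Review bot: Calling (system-graphics) unconditionally removes the only place in this profile that
listed the IOKit user clients and the com.apple.cvmsServ lookup given to the plugin process, so the
grant is now defined entirely outside this file. Add a comment stating the minimum OS release on
which system-graphics is guaranteed to be defined, since the profile no longer falls back when it is
missing.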
</span><span class="lines">@@ -250,21 +233,7 @@
</span><span class="cx"> (if (defined? 'mach-register)
</span><span class="cx">     (allow mach-register (global-name-regex #&quot;^_oglprof_attach_&lt;[0-9]+&gt;$&quot;)))
</span><span class="cx"> 
</span><del>-;; Networking
-(if (defined? 'system-network)
-    (system-network)
-    (begin
-      (allow file-read* (literal &quot;/Library/Preferences/com.apple.networkd.plist&quot;))
-      (allow mach-lookup
-             (global-name &quot;com.apple.SystemConfiguration.SCNetworkReachability&quot;)
-             (global-name &quot;com.apple.networkd&quot;))
-      (allow network-outbound
-             (control-name &quot;com.apple.netsrc&quot;)
-             (control-name &quot;com.apple.network.statistics&quot;))
-      (allow system-socket
-             (require-all (socket-domain AF_SYSTEM)
-                          (socket-protocol 2)) ; SYSPROTO_CONTROL
-             (socket-domain AF_ROUTE))))
</del><ins>+(system-network)
</ins><span class="cx"> 
</span><span class="cx"> (allow network-outbound
</span><span class="cx">     ;; Local mDNSResponder for DNS, arbitrary outbound TCP and UDP
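Review bot: The defined? check is dropped for system-network here, but the context line directly
above this change still guards mach-register with (if (defined? 'mach-register) ...). If every
supported OS defines both names, remove that guard in the same change; if not, say in a comment why
the two are treated differently.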
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcesscomappleWebProcesssbin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in (209279 => 209280)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in        2016-12-02 23:07:41 UTC (rev 209279)
+++ trunk/Source/WebKit2/WebProcess/com.apple.WebProcess.sb.in        2016-12-02 23:21:22 UTC (rev 209280)
</span><span class="lines">@@ -56,26 +56,6 @@
</span><span class="cx">        (literal &quot;/Library/Application Support/CrashReporter/SubmitDiagInfo.domains&quot;)
</span><span class="cx"> 
</span><span class="cx">        ;; System and user preferences
</span><del>-       (literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
-       (home-literal &quot;/Library/Preferences/.GlobalPreferences.plist&quot;)
-       (home-regex #&quot;/Library/Preferences/ByHost/\.GlobalPreferences\.&quot;)
-       (home-regex #&quot;/Library/Preferences/ByHost/com\.apple\.HIToolbox\.&quot;)
-       (home-regex #&quot;/Library/Preferences/ByHost/com\.apple\.networkConnect\.&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.ATS.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.CoreGraphics.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.DownloadAssessment.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.HIToolbox.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.LaunchServices.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.MultitouchSupport.plist&quot;) ;; FIXME: Remove when &lt;rdar://problem/13011633&gt; is fixed.
-       (home-literal &quot;/Library/Preferences/com.apple.QTKit.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.WebFoundation.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.avfoundation.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.coremedia.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.speech.voice.prefs.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.systemsound.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.universalaccess.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.lookup.shared.plist&quot;)
-       (home-regex #&quot;/Library/Preferences/com\.apple\.driver\.(AppleBluetoothMultitouch\.mouse|AppleBluetoothMultitouch\.trackpad|AppleHIDMouse)\.plist$&quot;)
</del><span class="cx">        (home-literal &quot;/.CFUserTextEncoding&quot;)
</span><span class="cx"> 
</span><span class="cx">        ;; FIXME: This should be removed when &lt;rdar://problem/8957845&gt; is fixed.
</span><span class="lines">@@ -92,6 +72,38 @@
</span><span class="cx"> 
</span><span class="cx">        (home-subpath &quot;/Library/Dictionaries&quot;))
</span><span class="cx"> 
</span><ins>+;; Preferences support
+(allow user-preference-read
+    (preference-domain
+        &quot;kCFPreferencesAnyApplication&quot;
+        &quot;com.apple.ATS&quot;
+        &quot;com.apple.CoreGraphics&quot;
+        &quot;com.apple.DownloadAssessment&quot;
+        &quot;com.apple.HIToolbox&quot;
+        &quot;com.apple.LaunchServices&quot;
+        &quot;com.apple.MultitouchSupport&quot; ;; FIXME: Remove when &lt;rdar://problem/13011633&gt; is fixed.
+        &quot;com.apple.QTKit&quot;
+        &quot;com.apple.ServicesMenu.Services&quot; ;; Needed for NSAttributedString &lt;rdar://problem/10844321&gt;
+        &quot;com.apple.WebFoundation&quot;
+        &quot;com.apple.avfoundation&quot;
+        &quot;com.apple.coremedia&quot;
+        &quot;com.apple.crypto&quot;
+        &quot;com.apple.driver.AppleBluetoothMultitouch.mouse&quot;
+        &quot;com.apple.driver.AppleBluetoothMultitouch.trackpad&quot;
+        &quot;com.apple.driver.AppleHIDMouse&quot;
+        &quot;com.apple.lookup.shared&quot;
+        &quot;com.apple.mediaaccessibility&quot;
+        &quot;com.apple.networkConnect&quot;
+        &quot;com.apple.security&quot;
+        &quot;com.apple.security.common&quot;
+        &quot;com.apple.security.revocation&quot;
+        &quot;com.apple.speech.voice.prefs&quot;
+        &quot;com.apple.systemsound&quot;
+        &quot;com.apple.universalaccess&quot;
+        &quot;edu.mit.Kerberos&quot;
+        &quot;pbs&quot; ;; Needed for NSAttributedString &lt;rdar://problem/10844321&gt;
+))
+
</ins><span class="cx"> ;; On-disk WebKit2 framework location, to account for debug installations outside of /System/Library/Frameworks,
</span><span class="cx"> ;; and to allow issuing extensions.
</span><span class="cx"> (allow-read-directory-and-issue-read-extensions (param &quot;WEBKIT2_FRAMEWORK_DIR&quot;))
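Review bot: com.apple.crypto and the three com.apple.security domains are folded into this general
list, whereas the Databases and NetworkProcess profiles in this revision grant them in a separate
rule next to the Security framework file rules. Move them beside the security plist literals further
down this file, which carry the 'needed until rdar://problem/11134688' comment, so the domain grant
and its temporary file counterpart stay together.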
</span><span class="lines">@@ -121,8 +133,8 @@
</span><span class="cx">     (allow mach-register (global-name-regex #&quot;^_oglprof_attach_&lt;[0-9]+&gt;$&quot;)))
</span><span class="cx"> 
</span><span class="cx"> ;; MediaAccessibility
</span><del>-(allow file-read* (home-literal &quot;/Library/Preferences/com.apple.mediaaccessibility.plist&quot;))
-(allow file-read* file-write* (home-literal &quot;/Library/Preferences/com.apple.mediaaccessibility.public.plist&quot;))
</del><ins>+(allow user-preference-read user-preference-write
+    (preference-domain &quot;com.apple.mediaaccessibility.public&quot;))
</ins><span class="cx"> 
</span><span class="cx"> (if (positive? (string-length (param &quot;DARWIN_USER_CACHE_DIR&quot;)))
</span><span class="cx">     (allow file* (subpath (param &quot;DARWIN_USER_CACHE_DIR&quot;))))
</span><span class="lines">@@ -170,6 +182,7 @@
</span><span class="cx"> #if __MAC_OS_X_VERSION_MIN_REQUIRED &lt; 101200
</span><span class="cx">        (global-name &quot;com.apple.FontServer&quot;)
</span><span class="cx"> #endif
</span><ins>+       (global-name &quot;com.apple.PowerManagement.control&quot;)
</ins><span class="cx">        (global-name &quot;com.apple.SystemConfiguration.configd&quot;)
</span><span class="cx">        (global-name &quot;com.apple.SystemConfiguration.PPPController&quot;)
</span><span class="cx">        (global-name &quot;com.apple.audio.SystemSoundServer-OSX&quot;)
</span><span class="lines">@@ -177,32 +190,31 @@
</span><span class="cx">        (global-name &quot;com.apple.audio.audiohald&quot;)
</span><span class="cx">        (global-name &quot;com.apple.audio.coreaudiod&quot;)
</span><span class="cx">        (global-name &quot;com.apple.awdd&quot;)
</span><ins>+       (global-name &quot;com.apple.cfnetwork.AuthBrokerAgent&quot;)
</ins><span class="cx">        (global-name &quot;com.apple.cookied&quot;)
</span><ins>+       (global-name &quot;com.apple.coreservices.launchservicesd&quot;)
</ins><span class="cx">        (global-name &quot;com.apple.dock.server&quot;)
</span><span class="cx">        (global-name &quot;com.apple.fonts&quot;)
</span><ins>+       (global-name &quot;com.apple.iconservices&quot;)
+       (global-name &quot;com.apple.iconservices.store&quot;)
+#if __MAC_OS_X_VERSION_MIN_REQUIRED &gt;= 101200
+       (global-name &quot;com.apple.mediaremoted.xpc&quot;)
+#endif
+#if __MAC_OS_X_VERSION_MIN_REQUIRED &gt;= 101100
+       (global-name &quot;com.apple.nesessionmanager.flow-divert-token&quot;)
+#endif
+       (global-name &quot;com.apple.speech.speechsynthesisd&quot;)
+       (global-name &quot;com.apple.speech.synthesis.console&quot;)
</ins><span class="cx">        (global-name &quot;com.apple.system.opendirectoryd.api&quot;)
</span><span class="cx">        (global-name &quot;com.apple.tccd&quot;)
</span><span class="cx">        (global-name &quot;com.apple.tccd.system&quot;)
</span><span class="cx">        (global-name &quot;com.apple.window_proxies&quot;)
</span><span class="cx">        (global-name &quot;com.apple.windowserver.active&quot;)
</span><del>-       (global-name &quot;com.apple.cfnetwork.AuthBrokerAgent&quot;)
-       (global-name &quot;com.apple.PowerManagement.control&quot;)
-       (global-name &quot;com.apple.speech.speechsynthesisd&quot;)
-       (global-name &quot;com.apple.speech.synthesis.console&quot;)
-       (global-name &quot;com.apple.coreservices.launchservicesd&quot;)
-       (global-name &quot;com.apple.iconservices&quot;)
-       (global-name &quot;com.apple.iconservices.store&quot;)
-#if __MAC_OS_X_VERSION_MIN_REQUIRED &gt;= 101100
-       (global-name &quot;com.apple.nesessionmanager.flow-divert-token&quot;)
-#endif
-#if __MAC_OS_X_VERSION_MIN_REQUIRED &gt;= 101200
-       (global-name &quot;com.apple.mediaremoted.xpc&quot;)
-#endif
</del><span class="cx"> )
</span><span class="cx"> 
</span><span class="cx"> ;; Security framework
</span><span class="cx"> (allow mach-lookup
</span><del>-       (global-name &quot;com.apple.ctkd.token-client&quot;) 
</del><ins>+       (global-name &quot;com.apple.ctkd.token-client&quot;)
</ins><span class="cx">        (global-name &quot;com.apple.ocspd&quot;)
</span><span class="cx">        (global-name &quot;com.apple.securityd.xpc&quot;) 
</span><span class="cx">        (global-name &quot;com.apple.CoreAuthentication.agent.libxpc&quot;)
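Review bot: The trailing space is removed from the com.apple.ctkd.token-client line, but the
com.apple.securityd.xpc line two lines below it still ends with one. Strip it in the same hunk.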
</span><span class="lines">@@ -220,7 +232,7 @@
</span><span class="cx"> #endif
</span><span class="cx">        (subpath &quot;/private/var/db/mds&quot;)
</span><span class="cx">        (literal &quot;/private/var/db/DetachedSignatures&quot;)
</span><del>-       (literal &quot;/Library/Preferences/com.apple.crypto.plist&quot;)
</del><ins>+       ; The following are needed until &lt;rdar://problem/11134688&gt; is resolved.
</ins><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.plist&quot;)
</span><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.common.plist&quot;)
</span><span class="cx">        (literal &quot;/Library/Preferences/com.apple.security.revocation.plist&quot;)
</span><span class="lines">@@ -251,10 +263,6 @@
</span><span class="cx">        (literal &quot;/private/var/run/mDNSResponder&quot;)
</span><span class="cx">        (remote tcp))
</span><span class="cx"> 
</span><del>-;; Needed for NSAttributedString, &lt;rdar://problem/10844321&gt;.
-(allow file-read*
-       (home-literal &quot;/Library/Preferences/pbs.plist&quot;)
-       (home-literal &quot;/Library/Preferences/com.apple.ServicesMenu.Services.plist&quot;))
</del><span class="cx"> (allow mach-lookup
</span><span class="cx">        (global-name &quot;com.apple.pbs.fetch_services&quot;))
</span><span class="cx"> 
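Review bot: Deleting the 'Needed for NSAttributedString' comment together with the two file rules
leaves the mach-lookup for com.apple.pbs.fetch_services, which sat directly under it, without any
explanation. If the comment applied to that lookup as well, keep it above the mach-lookup rule,
matching the inline comments on "pbs" and "com.apple.ServicesMenu.Services" in the new preference
list.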
</span><span class="lines">@@ -266,13 +274,12 @@
</span><span class="cx">        (global-name &quot;com.apple.system.notification_center&quot;))
</span><span class="cx"> (allow network-outbound
</span><span class="cx">        (remote udp))
</span><ins>+(allow user-preference-read
+    (preference-domain
+        &quot;com.apple.Kerberos&quot;
+        &quot;com.apple.GSS&quot;))
+
</ins><span class="cx"> (allow file-read*
</span><del>-        (home-subpath &quot;/Library/Preferences/com.apple.Kerberos.plist&quot;)
-        (home-subpath &quot;/Library/Preferences/com.apple.GSS.plist&quot;)
-        (home-subpath &quot;/Library/Preferences/edu.mit.Kerberos&quot;)
-        (literal &quot;/Library/Preferences/com.apple.Kerberos.plist&quot;)
-        (literal &quot;/Library/Preferences/com.apple.GSS.plist&quot;)
-        (literal &quot;/Library/Preferences/edu.mit.Kerberos&quot;)
</del><span class="cx">         (literal &quot;/private/etc/krb5.conf&quot;)
</span><span class="cx">         (literal &quot;/private/etc/services&quot;)
</span><span class="cx">         (literal &quot;/private/etc/host&quot;)
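Review bot: This rule lists only com.apple.Kerberos and com.apple.GSS, in that order, and
edu.mit.Kerberos sits in the general 'Preferences support' list instead; the NetworkProcess profile
keeps all three together as GSS, Kerberos, edu.mit.Kerberos. Use the same sorted three-entry rule
here so the Kerberos grants can be audited in one place.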
</span><span class="lines">@@ -293,9 +300,10 @@
</span><span class="cx"> ;; Deny access needed for unnecessary NSApplication initialization.
</span><span class="cx"> ;; FIXME: This can be removed once &lt;rdar://problem/13011633&gt; is fixed.
</span><span class="cx"> (deny file-read* (with no-log)
</span><del>-       (home-literal &quot;/Library/Preferences/com.apple.speech.recognition.AppleSpeechRecognition.prefs.plist&quot;)
</del><span class="cx">        (subpath &quot;/Library/InputManagers&quot;)
</span><span class="cx">        (home-subpath &quot;/Library/InputManagers&quot;))
</span><ins>+(deny user-preference-read (with no-log)
+    (preference-domain &quot;com.apple.speech.recognition.AppleSpeechRecognition.prefs&quot;))
</ins><span class="cx"> (deny mach-lookup (with no-log)
</span><span class="cx">        (global-name &quot;com.apple.coreservices.appleevents&quot;)
</span><span class="cx">        (global-name &quot;com.apple.pasteboard.1&quot;)
</span></span></pre>
</div>
</div>

</body>
</html>