<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[286004] trunk/Source/WebKit</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/286004">286004</a></dd>
<dt>Author</dt> <dd>pvollan@apple.com</dd>
<dt>Date</dt> <dd>2021-11-18 07:56:37 -0800 (Thu, 18 Nov 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>[iOS] Block access to unused resources in the Networking process' sandbox
https://bugs.webkit.org/show_bug.cgi?id=233129
<rdar://problem/85411927>

Reviewed by Brent Fulgham.

Based on telemetry, block access to unused resources in the Networking process' sandbox on iOS.

* Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitResourcesSandboxProfilesioscomappleWebKitNetworkingsb">trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (286003 => 286004)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog    2021-11-18 15:52:42 UTC (rev 286003)
+++ trunk/Source/WebKit/ChangeLog       2021-11-18 15:56:37 UTC (rev 286004)
</span><span class="lines">@@ -1,5 +1,17 @@
</span><span class="cx"> 2021-11-18  Per Arne Vollan  <pvollan@apple.com>
</span><span class="cx"> 
</span><ins>+        [iOS] Block access to unused resources in the Networking process' sandbox
+        https://bugs.webkit.org/show_bug.cgi?id=233129
+        <rdar://problem/85411927>
+
+        Reviewed by Brent Fulgham.
+
+        Based on telemetry, block access to unused resources in the Networking process' sandbox on iOS.
+
+        * Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb:
+
+2021-11-18  Per Arne Vollan  <pvollan@apple.com>
+
</ins><span class="cx">         [macOS] Block access to unused resources in the Networking process' sandbox
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=233086
</span><span class="cx">         <rdar://problem/85376544>
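Review bot: the entry says only "Based on telemetry, block access to unused resources"; with roughly two dozen rules flipped from allow to deny and several sysctl names dropped in the .sb file, a short list of what was removed (or the radar that holds the telemetry data) would make this much easier to bisect if something regresses.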
</span></span></pre></div>
<a id="trunkSourceWebKitResourcesSandboxProfilesioscomappleWebKitNetworkingsb"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb (286003 => 286004)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb 2021-11-18 15:52:42 UTC (rev 286003)
+++ trunk/Source/WebKit/Resources/SandboxProfiles/ios/com.apple.WebKit.Networking.sb    2021-11-18 15:56:37 UTC (rev 286004)
</span><span class="lines">@@ -63,27 +63,23 @@
</span><span class="cx"> 
</span><span class="cx"> (define-once (allow-network-common)
</span><span class="cx">     ;; <rdar://problem/8645367>
</span><del>-    (allow system-socket (with telemetry) (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
-    (allow network-outbound (with telemetry)
-           (control-name "com.apple.network.statistics")
</del><ins>+    (allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))
+    (allow network-outbound
</ins><span class="cx">            (control-name "com.apple.netsrc"))
</span><span class="cx"> 
</span><del>-    (allow sysctl-read (with telemetry)
-           (sysctl-name "kern.ipc.maxsockbuf")
-           (sysctl-name "kern.nisdomainname")
-           (sysctl-name-prefix "net.routetable.")
-           (sysctl-name "net.statistics"))
</del><ins>+    (allow sysctl-read
+           (sysctl-name-prefix "net.routetable."))
</ins><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/10642881>
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (allow file-read*
</ins><span class="cx">            (literal "/private/var/preferences/com.apple.networkd.plist"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/27580907>
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (allow file-read*
</ins><span class="cx">            (literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/13679154>
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (deny file-read* (with telemetry)
</ins><span class="cx">            (literal "/private/var/preferences/com.apple.NetworkStatistics.plist"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/15711661>
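Review bot: flipping the `com.apple.NetworkStatistics.plist` read from `allow` to `deny file-read* (with telemetry)` is the right shape for a telemetry-driven removal (a regression still produces a report instead of a silent failure), but the `;; <rdar://problem/13679154>` comment above it still documents why the file was needed; add a note there that telemetry showed no use, as `(with message ...)` is used elsewhere in this patch. Also, `kern.ipc.maxsockbuf`, `kern.nisdomainname` and `net.statistics` are simply dropped from `sysctl-read` rather than moved to a telemetry'd deny, so a regression on those names will only be caught by the blanket `(deny sysctl*)` later in the profile.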
</span><span class="lines">@@ -91,7 +87,7 @@
</span><span class="cx">            (global-name "com.apple.nesessionmanager"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/7693463>
</span><del>-    (allow system-socket (with telemetry) (socket-domain AF_ROUTE))
</del><ins>+    (deny system-socket (with telemetry) (socket-domain AF_ROUTE))
</ins><span class="cx"> 
</span><span class="cx">     (if gizmo?
</span><span class="cx">         (with-filter
</span><span class="lines">@@ -104,32 +100,34 @@
</span><span class="cx">             (allow network-outbound (literal "/private/var/run/mDNSResponder"))
</span><span class="cx">             (allow mach-lookup (global-name "com.apple.dnssd.service")))) ;; <rdar://problem/55562091>
</span><span class="cx"> 
</span><ins>+    (deny mach-lookup (with telemetry)
+           (global-name "com.apple.SystemConfiguration.helper")
+           (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
+           (global-name "com.apple.SystemConfiguration.DNSConfiguration")
+           (global-name "com.apple.SystemConfiguration.PPPController"))
</ins><span class="cx">     ;; <rdar://problem/10962803>
</span><span class="cx">     ;; <rdar://problem/13238730>
</span><span class="cx">     (allow mach-lookup (with telemetry)
</span><span class="cx">            (global-name "com.apple.SystemConfiguration.configd")
</span><del>-           (global-name "com.apple.SystemConfiguration.helper")
-           (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
-           (global-name "com.apple.SystemConfiguration.DNSConfiguration")
-           (global-name "com.apple.SystemConfiguration.PPPController")
</del><span class="cx">            (global-name "com.apple.SystemConfiguration.NetworkInformation"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/11792470>
</span><span class="cx">     ;; <rdar://problem/13305819>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.commcenter.xpc")
</span><span class="cx">            (global-name "com.apple.commcenter.cupolicy.xpc"))
</span><span class="cx"> 
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.securityd")
</span><ins>+           (global-name "com.apple.symptomsd"))
+    (allow mach-lookup
</ins><span class="cx">            (global-name "com.apple.trustd"))
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (deny file-read* (with telemetry)
</ins><span class="cx">            (literal "/private/var/preferences/com.apple.security.plist"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/13301795>
</span><span class="cx">     (allow mach-lookup (with telemetry)
</span><span class="cx">            (global-name "com.apple.usymptomsd")
</span><del>-           (global-name "com.apple.symptomsd")
</del><span class="cx">            (global-name "com.apple.symptoms.symptomsd.managed_events")) ; <rdar://problem/32768772>
</span><span class="cx"> 
</span><span class="cx">     (with-filter (entitlement-is-present "com.apple.private.networkextension.configuration")
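Review bot: the new `(deny mach-lookup (with telemetry)` block for the four SystemConfiguration services is inserted directly above the `;; <rdar://problem/10962803>` and `;; <rdar://problem/13238730>` comments with no blank line, so those radar references now read as belonging to the deny block rather than to the `configd`/`NetworkInformation` allow they annotate; add a blank line after the deny block (the AuthBrokerAgent deny later in the patch has the same layout problem).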
</span><span class="lines">@@ -140,9 +138,9 @@
</span><span class="cx">         (prefix "/private/var/db/com.apple.networkextension.")
</span><span class="cx">     )
</span><span class="cx"> 
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (allow mach-lookup
</ins><span class="cx">            (global-name "com.apple.AppSSO.service-xpc"))
</span><del>-    (allow ipc-posix-shm-read-data (with telemetry)
</del><ins>+    (deny ipc-posix-shm-read-data (with telemetry)
</ins><span class="cx">            (ipc-posix-name "/com.apple.AppSSO.version"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/30452093>
</span><span class="lines">@@ -152,7 +150,7 @@
</span><span class="cx">     (allow-network-common)
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/9193431>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.networkd"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/20094008>
</span><span class="lines">@@ -163,16 +161,16 @@
</span><span class="cx">                    (require-entitlement "com.apple.networkd.modify_settings")
</span><span class="cx">                    (require-entitlement "com.apple.networkd.persistent_interface")
</span><span class="cx">                    (require-entitlement "com.apple.networkd_privileged"))
</span><del>-        (allow mach-lookup (with telemetry)
</del><ins>+        (deny mach-lookup (with telemetry)
</ins><span class="cx">                (global-name "com.apple.networkd_privileged")))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/20201593>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">         (global-name "com.apple.ak.anisette.xpc")
</span><span class="cx">         (global-name "com.apple.ak.auth.xpc"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/15897781>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.nsurlsessiond"))
</span><span class="cx">     (allow file-issue-extension
</span><span class="cx">         (require-all
</span><span class="lines">@@ -186,12 +184,13 @@
</span><span class="cx">             (global-name "com.apple.sharingd.NSURLSessionProxyService")))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/15608009>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.nsurlstorage-cache"))
</span><span class="cx"> 
</span><ins>+    (deny mach-lookup (with telemetry)
+           (global-name "com.apple.cfnetwork.AuthBrokerAgent"))
</ins><span class="cx">     ;; <rdar://problem/10423007>
</span><span class="cx">     (allow mach-lookup (with telemetry)
</span><del>-           (global-name "com.apple.cfnetwork.AuthBrokerAgent")
</del><span class="cx">            (global-name "com.apple.cfnetwork.cfnetworkagent"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/12620714>
</span><span class="lines">@@ -198,21 +197,21 @@
</span><span class="cx">     (deny file-write-create (with no-report)
</span><span class="cx">           (home-prefix "/Library/Logs/CrashReporter/CFNetwork_"))
</span><span class="cx"> 
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.cookied"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/17910466>
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (allow mach-lookup
</ins><span class="cx">            (global-name "com.apple.accountsd.accountmanager"))
</span><span class="cx"> 
</span><span class="cx">     ;; GSS-API
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (allow mach-lookup
</ins><span class="cx">            (global-name "com.apple.GSSCred"))
</span><span class="cx"> 
</span><span class="cx">     ;; <rdar://problem/17853959>
</span><span class="cx">     (mobile-keybag-access)
</span><span class="cx"> 
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (allow mach-lookup
</ins><span class="cx">            (global-name "com.apple.nehelper"))
</span><span class="cx"> 
</span><span class="cx">     (allow-well-known-system-group-container-literal-read
</span><span class="lines">@@ -230,11 +229,11 @@
</span><span class="cx">     (allow system-socket (with telemetry) (socket-domain 39)))
</span><span class="cx"> 
</span><span class="cx"> (define-once (managed-configuration-read-public)
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (allow file-read*
</ins><span class="cx">            (well-known-system-group-container-subpath "/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
</span><span class="cx">            (front-user-home-subpath "/Library/ConfigurationProfiles/PublicInfo")
</span><span class="cx">            (front-user-home-subpath "/Library/UserConfigurationProfiles/PublicInfo"))
</span><del>-    (allow mach-lookup (with telemetry)
</del><ins>+    (deny mach-lookup (with telemetry)
</ins><span class="cx">            (global-name "com.apple.managedconfiguration.profiled.public")))
</span><span class="cx"> 
</span><span class="cx"> (define-once (allow-preferences-common)
</span><span class="lines">@@ -252,7 +251,7 @@
</span><span class="cx">         domains))
</span><span class="cx"> 
</span><span class="cx"> (define-once (mobile-keybag-access)
</span><del>-    (allow iokit-open (with telemetry)
</del><ins>+    (allow iokit-open
</ins><span class="cx">         (iokit-user-client-class "AppleKeyStoreUserClient") ;; Needed by NSURLCache
</span><span class="cx"> ))
</span><span class="cx"> 
</span><span class="lines">@@ -299,16 +298,13 @@
</span><span class="cx">              (global-name "com.apple.osanalytics.osanalyticshelper")))
</span><span class="cx"> 
</span><span class="cx"> (define required-etc-files
</span><del>-  (literal "/private/etc/fstab"
-           "/private/etc/hosts"
-           "/private/etc/group"
</del><ins>+  (literal "/private/etc/hosts"
</ins><span class="cx">            "/private/etc/passwd"
</span><del>-           "/private/etc/protocols"
</del><span class="cx">            "/private/etc/services"))
</span><span class="cx"> 
</span><span class="cx"> (define-once (allow-multi-instance-xpc-services)
</span><span class="cx">     ;; <rdar://problem/46716068>
</span><del>-    (allow mach-lookup
</del><ins>+    (deny mach-lookup
</ins><span class="cx">            (with telemetry)
</span><span class="cx">            (with message "Create a radar and set it as a blocker to rdar://problem/48527566")
</span><span class="cx">            (xpc-service-name "com.apple.WebKit.Networking"
</span><span class="lines">@@ -315,27 +311,24 @@
</span><span class="cx">                              "com.apple.WebKit.WebContent")
</span><span class="cx"> ))
</span><span class="cx"> 
</span><del>-(allow sysctl-read (with telemetry)
-   (sysctl-name "kern.bootsessionuuid"))
-
</del><span class="cx"> (deny file-map-executable)
</span><span class="cx"> (deny file-write-mount file-write-unmount)
</span><span class="cx"> (allow file-read-metadata (with telemetry)
</span><span class="cx">     (vnode-type DIRECTORY))
</span><span class="cx"> 
</span><del>-(mobile-preferences-read "com.apple.security")
-
</del><span class="cx"> (with-elevated-precedence
</span><span class="cx">     ;; System files.
</span><del>-    (allow file-read* (with telemetry)
</del><ins>+    (allow file-read*
</ins><span class="cx">         (subpath "/usr/lib"
</span><span class="cx">                  "/usr/share"
</span><del>-                 "/private/var/db/timezone"))
</del><ins>+                 "/private/var/db/timezone")
+                 "/private/var/preferences/Logging"))
+
</ins><span class="cx">     (allow-read-and-issue-generic-extensions
</span><span class="cx">          (subpath "/Library/RegionFeatures"
</span><span class="cx">                   "/System/Library"))
</span><span class="cx">     
</span><del>-    (allow file-map-executable (with telemetry)
</del><ins>+    (allow file-map-executable
</ins><span class="cx">         (subpath "/System/Library")
</span><span class="cx">         (subpath "/usr/lib"))
</span><span class="cx"> 
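Review bot: the parenthesization of the edited subpath list is wrong. `"/private/var/db/timezone")` now closes the `(subpath` form, so `"/private/var/preferences/Logging"` becomes a bare string argument to `allow file-read*`, and the trailing `))` on that line closes the allow and then the enclosing `(with-elevated-precedence` early; everything after it (the `allow-read-and-issue-generic-extensions` and `file-map-executable` rules) falls outside the elevated-precedence block and the lone `)` that follows `(internal-debugging-support)` in a later hunk is left unmatched. Drop the `)` after `"/private/var/db/timezone"` so the last two entries read `"/private/var/db/timezone"` followed by `"/private/var/preferences/Logging"))`.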
</span><span class="lines">@@ -342,9 +335,6 @@
</span><span class="cx">     (allow file-read-metadata (with telemetry)
</span><span class="cx">         (vnode-type SYMLINK))
</span><span class="cx"> 
</span><del>-    (allow file-read* (with telemetry)
-        (subpath "/private/var/preferences/Logging"))
-
</del><span class="cx">     (allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))
</span><span class="cx">     (allow file-read*
</span><span class="cx">         (front-user-home-literal "/Library/Preferences/.GlobalPreferences.plist"))
</span><span class="lines">@@ -353,7 +343,7 @@
</span><span class="cx">            (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist"))
</span><span class="cx">     (allow managed-preference-read (preference-domain "kCFPreferencesAnyApplication"))
</span><span class="cx"> 
</span><del>-    (allow file-read-metadata (with telemetry)
</del><ins>+    (deny file-read-metadata (with telemetry)
</ins><span class="cx">         (home-literal "/Library/Caches/powerlog.launchd"))
</span><span class="cx"> 
</span><span class="cx">     (allow-read-and-issue-generic-extensions (executable-bundle))
</span><span class="lines">@@ -365,10 +355,10 @@
</span><span class="cx">             (regex #"/[^/]+/SC_Info/")))
</span><span class="cx"> 
</span><span class="cx">     (with-filter (global-name-prefix "")
</span><del>-        (allow mach-lookup (with telemetry)
</del><ins>+        (deny mach-lookup (with telemetry)
</ins><span class="cx">                (extension "com.apple.security.exception.mach-lookup.global-name")))
</span><span class="cx">     (with-filter (local-name-prefix "")
</span><del>-        (allow mach-lookup (with telemetry)
</del><ins>+        (deny mach-lookup (with telemetry)
</ins><span class="cx">                (extension "com.apple.security.exception.mach-lookup.local-name"))
</span><span class="cx">     )
</span><span class="cx">     (allow managed-preference-read
</span><span class="lines">@@ -398,11 +388,13 @@
</span><span class="cx">     (internal-debugging-support)
</span><span class="cx"> )
</span><span class="cx"> 
</span><del>-(allow file-read* (with telemetry)
-    required-etc-files
</del><ins>+(allow file-read*
+    required-etc-files)
+
+(allow file-read* (with telemetry) (with message "Allowing read access to root")
</ins><span class="cx">     (literal "/"))
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.logd")
</span><span class="cx">     (global-name "com.apple.logd.events"))
</span><span class="cx"> 
</span><span class="lines">@@ -414,57 +406,6 @@
</span><span class="cx"> (allow system-sched
</span><span class="cx">     (require-entitlement "com.apple.private.kernel.override-cpumon"))
</span><span class="cx"> 
</span><del>-(allow sysctl-read (with telemetry)
-    (sysctl-name "hw.busfrequency")
-    (sysctl-name "hw.busfrequency_compat")
-    (sysctl-name "hw.byteorder")
-    (sysctl-name "hw.cachelinesize")
-    (sysctl-name "hw.cachelinesize_compat")
-    (sysctl-name "hw.cpufamily")
-    (sysctl-name "hw.cpufrequency")
-    (sysctl-name "hw.cpufrequency_compat")
-    (sysctl-name "hw.cpufrequency_max")
-    (sysctl-name "hw.cpusubtype")
-    (sysctl-name "hw.cputhreadtype")
-    (sysctl-name "hw.cputype")
-    (sysctl-name "hw.l1dcachesize")
-    (sysctl-name "hw.l1dcachesize_compat")
-    (sysctl-name "hw.l1icachesize")
-    (sysctl-name "hw.l1icachesize_compat")
-    (sysctl-name "hw.l2cachesize")
-    (sysctl-name "hw.l2cachesize_compat")
-    (sysctl-name "hw.l2settings")
-    (sysctl-name "hw.l3cachesize")
-    (sysctl-name "hw.l3cachesize_compat")
-    (sysctl-name "hw.l3settings")
-    (sysctl-name "hw.logicalcpu")
-    (sysctl-name "hw.logicalcpu_max")
-    (sysctl-name "hw.pagesize")
-    (sysctl-name "hw.physicalcpu")
-    (sysctl-name "hw.physicalcpu_max")
-    (sysctl-name "hw.physmem")
-    (sysctl-name "hw.tbfrequency")
-    (sysctl-name "hw.tbfrequency_compat")
-    (sysctl-name "hw.usermem")
-    (sysctl-name "hw.vectorunit")
-    (sysctl-name "kern.boottime")
-    (sysctl-name "kern.clockrate")
-    (sysctl-name "kern.development")
-    (sysctl-name "kern.hostid")
-    (sysctl-name "kern.maxproc")
-    (sysctl-name "kern.maxvnodes")
-    (sysctl-name-prefix "kern.monotonicclock")
-    (sysctl-name "kern.monotoniclock_offset_usecs")
-    (sysctl-name "kern.ngroups")
-    (sysctl-name "kern.saved_ids")
-    (sysctl-name "kern.usrstack")
-    (sysctl-name "kern.usrstack64")
-    (sysctl-name "kern.waketime")
-    (sysctl-name "security.mac.sandbox.sentinel")
-    (sysctl-name "vm.loadavg")
-    (sysctl-name-prefix "kern.argmax")
-)
-
</del><span class="cx"> (with-filter (system-attribute apple-internal)
</span><span class="cx">     (allow sysctl-read
</span><span class="cx">            (sysctl-name "kern.dtrace.dof_mode"))
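Review bot: this removes the whole annotated hw./kern. read list, and `hw.pagesize`, `hw.cachelinesize`, `hw.logicalcpu` and `hw.physicalcpu` are also removed from the `(deny sysctl*)` allow list later in the patch, where they carried `<rdar://problem/15721872>` and `<rdar://problem/76782530>` as justification; only `hw.pagesize_compat` survives. Those radar references are the only record of why the names were added, so a sentence in the ChangeLog saying they were re-checked against telemetry would help.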
</span><span class="lines">@@ -471,43 +412,40 @@
</span><span class="cx">     (allow sysctl-read sysctl-write
</span><span class="cx">            (sysctl-name "vm.footprint_suspend")))
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
-       (global-name "com.apple.system.logger"))
-
</del><span class="cx"> ;; Needed by WebKit LOG macros and ASL logging.
</span><del>-(allow file-read-metadata (with telemetry)
</del><ins>+(deny file-read-metadata (with telemetry)
</ins><span class="cx">        (literal "/private/var/run/syslog"))
</span><span class="cx"> 
</span><span class="cx"> ;; ObjC map_images needs to send logging data to syslog. <rdar://problem/39778918>
</span><span class="cx"> (with-filter (system-attribute apple-internal)
</span><del>-    (allow network-outbound (with telemetry)
</del><ins>+    (allow network-outbound
</ins><span class="cx">        (literal "/private/var/run/syslog")
</span><span class="cx">     )
</span><span class="cx"> )
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.system.notification_center"))
</span><del>-(allow ipc-posix-shm-read* (with telemetry)
</del><ins>+(allow ipc-posix-shm-read*
</ins><span class="cx">     (ipc-posix-name "apple.shm.notification_center")) ;; Needed by os_log_create
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(deny mach-lookup (with telemetry)
</ins><span class="cx">     (global-name "com.apple.distributed_notifications@1v3"))
</span><span class="cx"> 
</span><span class="cx"> (managed-configuration-read-public)
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(deny mach-lookup (with telemetry)
</ins><span class="cx">     (global-name "com.apple.ctkd.token-client"))
</span><span class="cx"> 
</span><span class="cx"> (deny system-info (with no-report)
</span><span class="cx">     (info-type "net.link.addr"))
</span><span class="cx"> 
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.system.libinfo.muser"))
</span><span class="cx"> 
</span><span class="cx"> (allow mach-task-name (target self))
</span><span class="cx"> 
</span><del>-(allow process-info* (with telemetry))
-(allow process-info-pidinfo (target self))
</del><ins>+(deny process-info* (with telemetry))
+(allow process-info-pidinfo)
</ins><span class="cx"> (allow process-info-pidfdinfo (target self))
</span><span class="cx"> (allow process-info-pidfileportinfo (target self))
</span><span class="cx"> (allow process-info-setcontrol (target self))
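Review bot: `(allow process-info-pidinfo)` drops the `(target self)` restriction that the replaced line had and that the neighbouring `process-info-pidfdinfo`, `process-info-pidfileportinfo` and `process-info-setcontrol` rules keep, so this line widens the sandbox (pidinfo on any process) in a patch whose stated purpose is to remove access. If telemetry showed lookups on other pids are needed, say so in the ChangeLog; otherwise restore `(allow process-info-pidinfo (target self))`.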
</span><span class="lines">@@ -523,52 +461,25 @@
</span><span class="cx"> 
</span><span class="cx"> (deny lsopen)
</span><span class="cx"> 
</span><del>-(deny sysctl*)
-(allow sysctl-read (with telemetry)
</del><ins>+(deny sysctl*) (with telemetry)
+(allow sysctl-read
</ins><span class="cx">     (sysctl-name
</span><del>-        "hw.activecpu" ;; Needed by JSC engine.
-        "hw.availcpu"
-        "hw.cacheconfig" ;; <rdar://problem/78213563>
-        "hw.cachelinesize" ;; <rdar://problem/15721872>
-        "hw.cachesize" ;; <rdar://problem/78213563>
-        "hw.cpu64bit_capable"
-        "hw.cpufamily" ;; <rdar://problem/15721872>
-        "hw.cpusubfamily"
-        "hw.l1dcachesize" ;; <rdar://problem/15721872>
-        "hw.l1icachesize" ;; <rdar://problem/15721872>
-        "hw.l2cachesize" ;; <rdar://problem/15721872>
-        "hw.l3cachesize" ;; <rdar://problem/15721872>
-        "hw.logicalcpu" ;; <rdar://problem/15721872>
-        "hw.logicalcpu_max" ;; <rdar://problem/15721872>
</del><ins>+        "hw.activecpu"
+        "hw.machine"
+        "hw.memsize"
</ins><span class="cx">         "hw.ncpu"
</span><del>-        "hw.machine" ;; Needed by CFNetwork (CFURLProtocols)
-        "hw.memsize"
-        "hw.model" ;; Needed for bundle loading
-        "hw.ncpu" ;; <rdar://problem/76782530>
-        "hw.nperflevels" ;; <rdar://problem/76782530>
-        "hw.pagesize" ;; <rdar://problem/76782530>
-        "hw.pagesize_compat" ;; Needed by bmalloc
-        "hw.physicalcpu" ;; <rdar://problem/76782530>
-        "hw.physicalcpu_max" ;; <rdar://problem/76782530>
-        "hw.physmem" ;; <rdar://problem/76782530>
-        "kern.bootargs"  ;; Needed for bundle loading
</del><ins>+        "hw.pagesize_compat"
</ins><span class="cx">         "kern.hostname"
</span><del>-        "kern.hv_vmm_present"
</del><span class="cx">         "kern.maxfilesperproc"
</span><del>-        "kern.memorystatus_level"
-        "kern.osproductversion" ;; Needed by CFNetwork (HSTS store and others)
-        "kern.ostype" ;; Needed by NSURLSession
-        "kern.osrelease" ;; Ditto.
-        "kern.osvariant_status" ;; Needed for bundle loading
-        "kern.osversion" ;; Needed by WebKit and ASL logging.
-        "kern.secure_kernel" ;; Needed by XPC bundle resolution
-        "kern.tcsm_available" ;; Needed for IndexedDB support
</del><ins>+        "kern.osproductversion"
+        "kern.osrelease"
+        "kern.ostype"
+        "kern.osvariant_status"
+        "kern.osversion"
+        "kern.secure_kernel"
</ins><span class="cx">         "kern.version"
</span><del>-        "sysctl.name2oid"
</del><span class="cx">         "vm.footprint_suspend")
</span><span class="cx">     (sysctl-name-prefix "kern.proc.pid.")
</span><del>-    (sysctl-name-prefix "hw.optional.") ;; <rdar://problem/70973527>
-    (sysctl-name-prefix "hw.perflevel") ;; <rdar://problem/76782530>
</del><span class="cx"> )
</span><span class="cx"> 
</span><span class="cx"> ;; Access to client's cache folder & re-vending to CFNetwork.
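Review bot: `(deny sysctl*) (with telemetry)` puts the telemetry modifier outside the deny form, so it is a separate top-level `(with telemetry)` expression rather than a modifier on the rule; it should read `(deny sysctl* (with telemetry))`, matching `(deny process-info* (with telemetry))` earlier in this patch. The trimmed list also loses the per-entry comments that recorded why each name is needed even for names that are kept (for example `"hw.machine" ;; Needed by CFNetwork (CFURLProtocols)` and `"kern.osproductversion" ;; Needed by CFNetwork (HSTS store and others)`); keeping those annotations costs nothing and makes the next telemetry-driven trim easier to review.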
</span><span class="lines">@@ -586,12 +497,12 @@
</span><span class="cx"> ;; enough access to make it possible.
</span><span class="cx"> 
</span><span class="cx"> ;; IOKit user clients
</span><del>-(allow iokit-open (with telemetry)
</del><ins>+(deny iokit-open (with telemetry)
</ins><span class="cx">        (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver
</span><span class="cx"> )
</span><span class="cx"> 
</span><span class="cx"> ;; Various services required by CFNetwork and other frameworks
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(deny mach-lookup (with telemetry)
</ins><span class="cx">        (global-name "com.apple.PowerManagement.control"))
</span><span class="cx"> 
</span><span class="cx"> (network-client (remote tcp) (remote udp))
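Review bot: `(deny iokit-open (with telemetry) (iokit-user-client-class "RootDomainUserClient") ;; Needed by PowerObserver` keeps a comment asserting the client is needed on a rule that now denies it; update or drop the comment so the next reader does not take this for a known-broken rule. The `;; Various services required by CFNetwork and other frameworks` heading over the now-denied `com.apple.PowerManagement.control` lookup has the same problem.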
</span><span class="lines">@@ -600,23 +511,25 @@
</span><span class="cx"> (allow-well-known-system-group-container-subpath-read
</span><span class="cx">     "/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
</span><span class="cx"> 
</span><del>-(allow file-read-data (with telemetry)
</del><ins>+(allow file-read-data
</ins><span class="cx">     (literal "/usr/local/lib/log") ; <rdar://problem/36629495>
</span><span class="cx"> )
</span><span class="cx"> 
</span><span class="cx"> ;; Security framework
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(deny mach-lookup (with telemetry)
</ins><span class="cx">     (global-name "com.apple.ocspd")
</span><span class="cx">     (global-name "com.apple.securityd"))
</span><span class="cx"> 
</span><span class="cx"> ;; PassKit framework
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.passd.in-app-payment")
</span><span class="cx">     (global-name "com.apple.passd.library"))
</span><span class="cx"> 
</span><ins>+(deny mach-lookup (with telemetry)
+    (global-name "com.apple.FileCoordination")
+    (global-name "com.apple.dmd.policy"))
+
</ins><span class="cx"> (allow mach-lookup (with telemetry)
</span><del>-    (global-name "com.apple.FileCoordination")
-    (global-name "com.apple.dmd.policy")
</del><span class="cx">     (global-name "com.apple.siri.context.service")
</span><span class="cx">     (global-name "com.apple.ctcategories.service"))
</span><span class="cx"> 
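Review bot: the ;; Security framework heading now sits above a deny mach-lookup of com.apple.ocspd and com.apple.securityd, with nothing in the hunk saying why the network process no longer needs these lookups; a one-line comment (or a commit-message note) would stop the next reader from re-adding them as a fix for a certificate-validation problem. Separately, the new (deny mach-lookup (with telemetry) ...) block for com.apple.FileCoordination and com.apple.dmd.policy is placed directly before the (allow mach-lookup (with telemetry) ...) block those names were removed from; the two name sets are disjoint here, and they need to stay that way so that rule precedence between the adjacent allow and deny never decides the outcome. Dropping (with telemetry) from the /usr/local/lib/log read and the PassKit lookups is consistent with the rest of this change, where rules confirmed as needed lose the telemetry modifier.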
</span><span class="lines">@@ -645,7 +558,7 @@
</span><span class="cx">         (global-name "com.apple.analyticsd")))
</span><span class="cx"> 
</span><span class="cx"> ;; For reporting progress for active downloads <rdar://problem/44405661>
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.ProgressReporting"))
</span><span class="cx"> 
</span><span class="cx">  ;; <rdar://problem/47598758>
</span><span class="lines">@@ -652,25 +565,15 @@
</span><span class="cx"> (allow mach-lookup (with telemetry)
</span><span class="cx">     (global-name "com.apple.nesessionmanager.content-filter"))
</span><span class="cx"> 
</span><del>-;; Various shared memory accesses required by system frameworks
-(allow ipc-posix-shm-read-data (with telemetry)
-    (ipc-posix-name "/com.apple.AppSSO.version"))
-
</del><span class="cx"> ;; Access to ContainerManager
</span><span class="cx"> (allow mach-lookup (with telemetry)
</span><span class="cx">     (global-name "com.apple.containermanagerd"))
</span><del>-(allow ipc-posix-sem-open (with telemetry)
</del><ins>+(allow ipc-posix-sem-open
</ins><span class="cx">     (ipc-posix-name "containermanagerd.fb_check"))
</span><span class="cx"> 
</span><del>-(allow file-read* (with telemetry)
-    (literal "/dev/aes_0")
-    (literal "/dev/random")
</del><ins>+(allow file-read*
</ins><span class="cx">     (literal "/dev/urandom"))
</span><span class="cx"> 
</span><del>-(allow file-read* file-write-data (with telemetry)
-    (literal "/dev/null")
-    (literal "/dev/zero"))
-
</del><span class="cx"> (if (system-attribute apple-internal)
</span><span class="cx">     (allow file-read* file-write-data file-ioctl (with telemetry)
</span><span class="cx">         (literal "/dev/dtracehelper"))
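Review bot: this hunk deletes the file-read* file-write-data grant for /dev/null and /dev/zero, and the /dev/aes_0 and /dev/random reads, without indicating where those accesses are now covered; since the lines are removed rather than moved, confirm that a shared profile imported by this one grants at least /dev/null, otherwise ordinary descriptor redirection in the process will start being denied. Only /dev/urandom remains readable, so any library that opens /dev/random by path will now fail. The removed ipc-posix-shm-read-data rule for /com.apple.AppSSO.version also takes its ;; Various shared memory accesses required by system frameworks comment with it, leaving no record of why that access was dropped; a short note in the commit message would preserve the reasoning.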
</span><span class="lines">@@ -682,15 +585,15 @@
</span><span class="cx"> (allow mach-lookup (with telemetry) (global-name "com.apple.webkit.adattributiond.service"))
</span><span class="cx"> 
</span><span class="cx"> ;; Access to MobileGestalt
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(deny mach-lookup (with telemetry)
</ins><span class="cx">     (global-name "com.apple.mobilegestalt.xpc"))
</span><del>-(allow file-read* (with telemetry)
</del><ins>+(allow file-read*
</ins><span class="cx">     (well-known-system-group-container-literal "/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"))
</span><span class="cx"> (allow iokit-get-properties
</span><span class="cx">     (iokit-property "IORegistryEntryPropertyKeys"))
</span><span class="cx"> 
</span><span class="cx"> ;; Needed for TCC.
</span><del>-(allow mach-lookup (with telemetry)
</del><ins>+(allow mach-lookup
</ins><span class="cx">     (global-name "com.apple.tccd"))
</span><span class="cx"> 
</span><span class="cx"> (when (defined? 'syscall-unix)
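Review bot: under ;; Access to MobileGestalt, the lookup of com.apple.mobilegestalt.xpc becomes a deny while the read of the MobileGestalt cache plist stays allowed (and loses (with telemetry)); the heading comment should state that MobileGestalt answers are expected to come from the cache file only, because any query that is not served from the cache will now fail at the XPC lookup and show up as an unexplained deny. Dropping (with telemetry) from the com.apple.tccd lookup below is consistent with the other confirmed-needed rules in this change.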
</span><span class="lines">@@ -701,6 +604,8 @@
</span><span class="cx">         SYS___channel_sync
</span><span class="cx">         SYS___disable_threadsignal
</span><span class="cx">         SYS___mac_syscall
</span><ins>+        SYS___semwait_signal
+        SYS_abort_with_payload
</ins><span class="cx">         SYS_access
</span><span class="cx">         SYS_bind
</span><span class="cx">         SYS_bsdthread_create
</span><span class="lines">@@ -715,6 +620,7 @@
</span><span class="cx">         SYS_connect_nocancel
</span><span class="cx">         SYS_csops
</span><span class="cx">         SYS_csops_audittoken
</span><ins>+        SYS_dup
</ins><span class="cx">         SYS_exit
</span><span class="cx">         SYS_fcntl
</span><span class="cx">         SYS_fcntl_nocancel
</span><span class="lines">@@ -756,6 +662,7 @@
</span><span class="cx">         SYS_listxattr
</span><span class="cx">         SYS_lseek
</span><span class="cx">         SYS_lstat64
</span><ins>+        SYS_lstat64_extended
</ins><span class="cx">         SYS_madvise
</span><span class="cx">         SYS_memorystatus_control
</span><span class="cx">         SYS_mkdir
</span><span class="lines">@@ -773,6 +680,7 @@
</span><span class="cx">         SYS_openat
</span><span class="cx">         SYS_os_fault_with_payload
</span><span class="cx">         SYS_pathconf
</span><ins>+        SYS_persona
</ins><span class="cx">         SYS_pipe
</span><span class="cx">         SYS_pread
</span><span class="cx">         SYS_pread_nocancel
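Review bot: SYS_persona is added to the allowed unix syscalls with no comment; unlike the other additions in this change (SYS_dup, SYS_sendmsg, SYS_sigprocmask), it is not an obvious counterpart of an entry already on the list, so a one-line note naming the caller that needs it would make future pruning of this list possible without re-running telemetry.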
</span><span class="lines">@@ -784,6 +692,8 @@
</span><span class="cx">         SYS_psynch_cvwait
</span><span class="cx">         SYS_psynch_mutexdrop
</span><span class="cx">         SYS_psynch_mutexwait
</span><ins>+        SYS_psynch_rw_rdlock
+        SYS_psynch_rw_unlock
</ins><span class="cx">         SYS_pwrite_nocancel
</span><span class="cx">         SYS_read
</span><span class="cx">         SYS_read_nocancel
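Review bot: SYS_psynch_rw_rdlock and SYS_psynch_rw_unlock are added, but no write-lock counterpart is, so a reader-writer lock that this process takes for reading will pass the filter while the same lock taken for writing will be refused; confirm that the write path is unreachable in the network process or add SYS_psynch_rw_wrlock alongside these two.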
</span><span class="lines">@@ -797,6 +707,7 @@
</span><span class="cx">         SYS_select_nocancel
</span><span class="cx">         SYS_sem_close
</span><span class="cx">         SYS_sem_open
</span><ins>+        SYS_sendmsg
</ins><span class="cx">         SYS_sendmsg_nocancel
</span><span class="cx">         SYS_sendto
</span><span class="cx">         SYS_sendto_nocancel
</span><span class="lines">@@ -808,6 +719,8 @@
</span><span class="cx">         SYS_shm_open
</span><span class="cx">         SYS_shutdown
</span><span class="cx">         SYS_sigaction
</span><ins>+        SYS_sigaltstack
+        SYS_sigprocmask
</ins><span class="cx">         SYS_socket
</span><span class="cx">         SYS_socketpair
</span><span class="cx">         SYS_stat64
</span></span></pre>
</div>
</div>

</body>
</html>