From 8f41fa026f5967276443ea8585d9727063d20211 Mon Sep 17 00:00:00 2001 From: CristiMacovei Date: Thu, 24 Jul 2025 23:05:48 +0300 Subject: [PATCH] add a test 
Signed-off-by: CristiMacovei --- Dockerfile | 9 + .../iPhone5__1_9.3_13E237/inputs/sandbox.kext | Bin 0 -> 520192 bytes .../rev_profiles/AGXCompilerService.sb | 386 ++ .../rev_profiles/AGXCompilerService.sb.xml | 40 + .../references/rev_profiles/AdSheet.sb | 1508 +++++++ .../references/rev_profiles/AdSheet.sb.xml | 39 + .../references/rev_profiles/AirTraffic.sb | 135 + .../references/rev_profiles/AirTraffic.sb.xml | 24 + .../references/rev_profiles/BTServer.sb | 654 +++ .../references/rev_profiles/BTServer.sb.xml | 41 + .../references/rev_profiles/BlueTool.sb | 399 ++ .../references/rev_profiles/BlueTool.sb.xml | 40 + .../references/rev_profiles/CFNetworkAgent.sb | 173 + .../rev_profiles/CFNetworkAgent.sb.xml | 41 + .../references/rev_profiles/CVMServer.sb | 235 ++ .../references/rev_profiles/CVMServer.sb.xml | 40 + .../references/rev_profiles/CommCenter.sb | 436 ++ .../references/rev_profiles/CommCenter.sb.xml | 44 + .../references/rev_profiles/DataActivation.sb | 860 ++++ .../rev_profiles/DataActivation.sb.xml | 41 + .../rev_profiles/EscrowSecurityAlert.sb | 238 ++ .../rev_profiles/EscrowSecurityAlert.sb.xml | 40 + .../rev_profiles/IDSCredentialsAgent.sb | 305 ++ .../rev_profiles/IDSCredentialsAgent.sb.xml | 40 + .../IDSRemoteURLConnectionAgent.sb | 495 +++ .../IDSRemoteURLConnectionAgent.sb.xml | 40 + .../rev_profiles/IMDPersistenceAgent.sb | 305 ++ .../rev_profiles/IMDPersistenceAgent.sb.xml | 39 + .../IMRemoteURLConnectionAgent.sb | 493 +++ .../IMRemoteURLConnectionAgent.sb.xml | 40 + .../rev_profiles/IMTranscoderAgent.sb | 617 +++ .../rev_profiles/IMTranscoderAgent.sb.xml | 39 + .../references/rev_profiles/Lowtide.sb | 1260 ++++++ .../references/rev_profiles/Lowtide.sb.xml | 45 + .../rev_profiles/MTLCompilerService.sb | 186 + .../rev_profiles/MTLCompilerService.sb.xml | 40 + .../rev_profiles/MailCompositionService.sb | 1171 ++++++ .../MailCompositionService.sb.xml | 40 + .../references/rev_profiles/MobileBackup.sb | 9 + .../rev_profiles/MobileBackup.sb.xml | 
21 + .../references/rev_profiles/MobileCal.sb | 875 ++++ .../references/rev_profiles/MobileCal.sb.xml | 41 + .../references/rev_profiles/MobileMaps.sb | 970 +++++ .../references/rev_profiles/MobileMaps.sb.xml | 41 + .../rev_profiles/MobileSlideShow.sb | 1154 ++++++ .../rev_profiles/MobileSlideShow.sb.xml | 43 + .../references/rev_profiles/PasteBoard.sb | 178 + .../references/rev_profiles/PasteBoard.sb.xml | 51 + .../rev_profiles/SafariSafeBrowsing.sb | 192 + .../rev_profiles/SafariSafeBrowsing.sb.xml | 40 + .../rev_profiles/ScreenshotService.sb | 195 + .../rev_profiles/ScreenshotService.sb.xml | 40 + .../rev_profiles/StreamingUnzipService.sb | 201 + .../rev_profiles/StreamingUnzipService.sb.xml | 40 + .../references/rev_profiles/WebSheet.sb | 1118 ++++++ .../references/rev_profiles/WebSheet.sb.xml | 40 + .../references/rev_profiles/accessoryd.sb | 202 + .../references/rev_profiles/accessoryd.sb.xml | 43 + .../references/rev_profiles/afcd.sb | 416 ++ .../references/rev_profiles/afcd.sb.xml | 40 + .../references/rev_profiles/appconduitd.sb | 433 ++ .../rev_profiles/appconduitd.sb.xml | 40 + .../references/rev_profiles/apsd.sb | 381 ++ .../references/rev_profiles/apsd.sb.xml | 44 + .../references/rev_profiles/assertiond.sb | 241 ++ .../references/rev_profiles/assertiond.sb.xml | 43 + .../references/rev_profiles/cloudphotod.sb | 19 + .../rev_profiles/cloudphotod.sb.xml | 37 + .../com.apple.AssetCacheLocatorService.sb | 455 +++ .../com.apple.AssetCacheLocatorService.sb.xml | 40 + .../rev_profiles/com.apple.GSSCred.sb | 185 + .../rev_profiles/com.apple.GSSCred.sb.xml | 40 + .../com.apple.WebKit.Databases.sb | 114 + .../com.apple.WebKit.Databases.sb.xml | 42 + .../com.apple.WebKit.Networking.sb | 327 ++ .../com.apple.WebKit.Networking.sb.xml | 42 + .../com.apple.WebKit.WebContent.sb | 764 ++++ .../com.apple.WebKit.WebContent.sb.xml | 42 + .../com.apple.assistant.assistantd.sb | 683 ++++ .../com.apple.assistant.assistantd.sb.xml | 39 + 
.../references/rev_profiles/com.apple.bird.sb | 629 +++ .../rev_profiles/com.apple.bird.sb.xml | 42 + .../rev_profiles/com.apple.cloudd.sb | 600 +++ .../rev_profiles/com.apple.cloudd.sb.xml | 39 + ...apple.datadetectors.AddToRecentsService.sb | 210 + ...e.datadetectors.AddToRecentsService.sb.xml | 40 + .../rev_profiles/com.apple.homed.sb | 724 ++++ .../rev_profiles/com.apple.homed.sb.xml | 39 + .../rev_profiles/com.apple.nehelper.sb | 491 +++ .../rev_profiles/com.apple.nehelper.sb.xml | 41 + .../com.apple.nesessionmanager.sb | 466 +++ .../com.apple.nesessionmanager.sb.xml | 46 + ...com.apple.quicklook.QLThumbnailsService.sb | 466 +++ ...apple.quicklook.QLThumbnailsService.sb.xml | 40 + .../rev_profiles/com.apple.rtcreportingd.sb | 494 +++ .../com.apple.rtcreportingd.sb.xml | 40 + .../rev_profiles/com.apple.sandboxd.sb | 67 + .../rev_profiles/com.apple.sandboxd.sb.xml | 43 + ...om.apple.siri.ClientFlow.ClientScripter.sb | 207 + ...pple.siri.ClientFlow.ClientScripter.sb.xml | 40 + .../rev_profiles/com.apple.snhelper.sb | 139 + .../rev_profiles/com.apple.snhelper.sb.xml | 40 + .../references/rev_profiles/com.apple.tccd.sb | 450 +++ .../rev_profiles/com.apple.tccd.sb.xml | 41 + .../rev_profiles/com.apple.tzlinkd.sb | 140 + .../rev_profiles/com.apple.tzlinkd.sb.xml | 40 + .../references/rev_profiles/com.apple.ubd.sb | 527 +++ .../rev_profiles/com.apple.ubd.sb.xml | 43 + .../references/rev_profiles/container.sb | 3520 +++++++++++++++++ .../references/rev_profiles/container.sb.xml | 29 + .../rev_profiles/containermanagerd.sb | 411 ++ .../rev_profiles/containermanagerd.sb.xml | 40 + .../rev_profiles/coresymbolicationd.sb | 170 + .../rev_profiles/coresymbolicationd.sb.xml | 40 + .../references/rev_profiles/cplogd.sb | 173 + .../references/rev_profiles/cplogd.sb.xml | 41 + .../references/rev_profiles/dataaccessd.sb | 512 +++ .../rev_profiles/dataaccessd.sb.xml | 44 + .../references/rev_profiles/debugserver.sb | 166 + .../rev_profiles/debugserver.sb.xml | 46 + 
.../references/rev_profiles/deleted.sb | 251 ++ .../references/rev_profiles/deleted.sb.xml | 40 + .../references/rev_profiles/duetexpertd.sb | 337 ++ .../rev_profiles/duetexpertd.sb.xml | 39 + .../references/rev_profiles/findmydeviced.sb | 654 +++ .../rev_profiles/findmydeviced.sb.xml | 40 + .../references/rev_profiles/fmfd.sb | 592 +++ .../references/rev_profiles/fmfd.sb.xml | 39 + .../rev_profiles/ftp-proxy-embedded.sb | 137 + .../rev_profiles/ftp-proxy-embedded.sb.xml | 42 + .../references/rev_profiles/gamed.sb | 591 +++ .../references/rev_profiles/gamed.sb.xml | 40 + .../references/rev_profiles/geocorrectiond.sb | 19 + .../rev_profiles/geocorrectiond.sb.xml | 37 + .../references/rev_profiles/geod.sb | 483 +++ .../references/rev_profiles/geod.sb.xml | 41 + .../references/rev_profiles/gizmoappd.sb | 483 +++ .../references/rev_profiles/gizmoappd.sb.xml | 41 + .../references/rev_profiles/gputoolsd.sb | 394 ++ .../references/rev_profiles/gputoolsd.sb.xml | 50 + .../references/rev_profiles/healthd.sb | 515 +++ .../references/rev_profiles/healthd.sb.xml | 39 + .../references/rev_profiles/iapd.sb | 559 +++ .../references/rev_profiles/iapd.sb.xml | 43 + .../rev_profiles/identityservicesd.sb | 576 +++ .../rev_profiles/identityservicesd.sb.xml | 41 + .../references/rev_profiles/itunesstored.sb | 569 +++ .../rev_profiles/itunesstored.sb.xml | 40 + .../references/rev_profiles/keyboard.sb | 419 ++ .../references/rev_profiles/keyboard.sb.xml | 32 + .../references/rev_profiles/librariand.sb | 353 ++ .../references/rev_profiles/librariand.sb.xml | 41 + .../rev_profiles/limitadtrackingd.sb | 170 + .../rev_profiles/limitadtrackingd.sb.xml | 41 + .../references/rev_profiles/lockdownd.sb | 347 ++ .../references/rev_profiles/lockdownd.sb.xml | 41 + .../rev_profiles/lsuseractivityd.sb | 293 ++ .../rev_profiles/lsuseractivityd.sb.xml | 41 + .../references/rev_profiles/mDNSResponder.sb | 131 + .../rev_profiles/mDNSResponder.sb.xml | 52 + .../references/rev_profiles/mediaanalysisd.sb | 
612 +++ .../rev_profiles/mediaanalysisd.sb.xml | 39 + .../references/rev_profiles/mediaserverd.sb | 852 ++++ .../rev_profiles/mediaserverd.sb.xml | 43 + .../rev_profiles/mobile-house-arrest.sb | 435 ++ .../rev_profiles/mobile-house-arrest.sb.xml | 40 + .../references/rev_profiles/mobileassetd.sb | 507 +++ .../rev_profiles/mobileassetd.sb.xml | 42 + .../references/rev_profiles/nanomaild.sb | 422 ++ .../references/rev_profiles/nanomaild.sb.xml | 40 + .../references/rev_profiles/nanomapscd.sb | 616 +++ .../references/rev_profiles/nanomapscd.sb.xml | 40 + .../references/rev_profiles/nanomapsgd.sb | 543 +++ .../references/rev_profiles/nanomapsgd.sb.xml | 40 + .../references/rev_profiles/navd.sb | 532 +++ .../references/rev_profiles/navd.sb.xml | 40 + .../references/rev_profiles/network-filter.sb | 296 ++ .../rev_profiles/network-filter.sb.xml | 32 + .../references/rev_profiles/nfcd.sb | 314 ++ .../references/rev_profiles/nfcd.sb.xml | 40 + .../references/rev_profiles/nlcd.sb | 68 + .../references/rev_profiles/nlcd.sb.xml | 41 + .../references/rev_profiles/nointernet.sb | 6 + .../references/rev_profiles/nointernet.sb.xml | 20 + .../references/rev_profiles/nsurlsessiond.sb | 569 +++ .../rev_profiles/nsurlsessiond.sb.xml | 40 + .../references/rev_profiles/nsurlstoraged.sb | 384 ++ .../rev_profiles/nsurlstoraged.sb.xml | 41 + .../rev_profiles/online-auth-agent.sb | 304 ++ .../rev_profiles/online-auth-agent.sb.xml | 40 + .../references/rev_profiles/passd.sb | 786 ++++ .../references/rev_profiles/passd.sb.xml | 41 + .../references/rev_profiles/pfd.sb | 160 + .../references/rev_profiles/pfd.sb.xml | 40 + .../references/rev_profiles/printd.sb | 459 +++ .../references/rev_profiles/printd.sb.xml | 41 + .../references/rev_profiles/ptpd.sb | 239 ++ .../references/rev_profiles/ptpd.sb.xml | 43 + .../references/rev_profiles/quicklookd.sb | 1151 ++++++ .../references/rev_profiles/quicklookd.sb.xml | 40 + .../references/rev_profiles/racoon.sb | 120 + 
.../references/rev_profiles/racoon.sb.xml | 42 + .../references/rev_profiles/replayd.sb | 355 ++ .../references/rev_profiles/replayd.sb.xml | 40 + .../rev_profiles/reversetemplated.sb | 197 + .../rev_profiles/reversetemplated.sb.xml | 40 + .../references/rev_profiles/revisiond.sb | 271 ++ .../references/rev_profiles/revisiond.sb.xml | 41 + .../references/rev_profiles/routined.sb | 654 +++ .../references/rev_profiles/routined.sb.xml | 41 + .../references/rev_profiles/seld.sb | 547 +++ .../references/rev_profiles/seld.sb.xml | 40 + .../references/rev_profiles/sharingd.sb | 895 +++++ .../references/rev_profiles/sharingd.sb.xml | 39 + .../rev_profiles/social-services.sb | 821 ++++ .../rev_profiles/social-services.sb.xml | 39 + .../rev_profiles/softwareupdated.sb | 222 ++ .../rev_profiles/softwareupdated.sb.xml | 40 + .../rev_profiles/streaming_zip_conduit.sb | 367 ++ .../rev_profiles/streaming_zip_conduit.sb.xml | 40 + .../references/rev_profiles/studentd.sb | 501 +++ .../references/rev_profiles/studentd.sb.xml | 40 + .../references/rev_profiles/suggestd.sb | 310 ++ .../references/rev_profiles/suggestd.sb.xml | 39 + .../references/rev_profiles/syncdefaultsd.sb | 416 ++ .../rev_profiles/syncdefaultsd.sb.xml | 44 + .../references/rev_profiles/syslog_relay.sb | 135 + .../rev_profiles/syslog_relay.sb.xml | 41 + .../references/rev_profiles/test-common.sb | 131 + .../rev_profiles/test-common.sb.xml | 40 + .../references/rev_profiles/transitd.sb | 83 + .../references/rev_profiles/transitd.sb.xml | 40 + .../references/rev_profiles/userfs_helper.sb | 344 ++ .../rev_profiles/userfs_helper.sb.xml | 40 + .../references/rev_profiles/userfsd.sb | 386 ++ .../references/rev_profiles/userfsd.sb.xml | 41 + .../rev_profiles/vibrationmanagerd.sb | 276 ++ .../rev_profiles/vibrationmanagerd.sb.xml | 39 + .../references/rev_profiles/vpn-plugins.sb | 417 ++ .../rev_profiles/vpn-plugins.sb.xml | 53 + .../references/rev_profiles/webinspectord.sb | 251 ++ .../rev_profiles/webinspectord.sb.xml | 
40 + .../rev_profiles/wifiFirmwareLoader.sb | 217 + .../rev_profiles/wifiFirmwareLoader.sb.xml | 41 + .../references/sandbox_bundle | Bin 0 -> 425970 bytes .../references/sandbox_profiles.txt | 121 + tests/iPhone5__1_9.3_13E237/references/sb_ops | 125 + tests/test.py | 118 + 248 files changed, 59826 insertions(+) create mode 100644 Dockerfile create mode 100644 tests/iPhone5__1_9.3_13E237/inputs/sandbox.kext create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb.xml 
create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb 
create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb.xml create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb.xml create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb.xml create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb create mode 100644 
tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb create mode 100644 tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb.xml create mode 100644 tests/iPhone5__1_9.3_13E237/references/sandbox_bundle create mode 100644 tests/iPhone5__1_9.3_13E237/references/sandbox_profiles.txt create mode 100644 tests/iPhone5__1_9.3_13E237/references/sb_ops create mode 100755 tests/test.py
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..b845e8d0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,9 @@
+FROM debian:bullseye
+
+RUN set -xe; \
+ apt-get -yqq update; \
+ apt-get install -y python2.7 python3 python3-pip; \
+ pip3 install lief;
+
+COPY helpers /sandblaster/helpers/
+COPY reverse-sandbox /sandblaster/reverse-sandbox
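Review bot: The last command of the RUN step, `pip3 install lief;`, is unpinned, so each image build pulls whatever lief release PyPI serves that day; the test image is not reproducible and a withdrawn or hijacked release would land in it unnoticed. Pinning it to the version the reference outputs were generated with, e.g. `pip3 install --no-cache-dir 'lief==<PINNED_VERSION>';`, or better a requirements file installed with `--require-hashes`, fixes both. The same RUN step leaves the apt package lists in the layer; appending `rm -rf /var/lib/apt/lists/*` after the installs and using `apt-get install -y --no-install-recommends` keeps the image smaller and its installed surface narrower. The Dockerfile also has no `USER` instruction, so the test harness runs as root inside the container, which is acceptable for a throwaway CI image but worth a one-line comment if intended.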
diff --git a/tests/iPhone5__1_9.3_13E237/inputs/sandbox.kext b/tests/iPhone5__1_9.3_13E237/inputs/sandbox.kext new file mode 100644 index 0000000000000000000000000000000000000000..fb07cbea3904ac843a6680a09de891eac5f6fc04 GIT binary patch literal 520192 zcmeFadw5jU6*s)knKLtIZpq|A2oPX0xj2Ck0|G{*Itjxei3m{(J$dI8UE%hh6oDX~BX!?_2)B`OXZk z!?L#1b=<8XmeE|Y{{w4_;qh4okB;&=<^A58yIjPAdxlG#fp+C!xMcqpELeW;f(KSD zyW_rl7p!>je%$|ec_S-?^8H~}3djHaH~a(ZFlKbQMBveQ@PE~@XyJnk&(}H_j?9r= zt{MQ4dE|f9ap!%@mfg2JQOn>u7LD$5<;P$4?+ceGfb)U{cRcXGfct@c*@QaE;sqF5 z694+w!LG}2ELbqJYSuN=9aRasE{%_cZ{S!Y>R|JuCUNus=ZyNFK?g^mj%*wYuR7-8 zZoh2Q^HVz;J@&i#=C9`G0@@uVH|zBSk`c`B`<%iWwC-?3^xh zSCTV!vpu|y4wJ~(ZvToIq@BL5+CT1FVtU;Bj5MiAEzLgXs?CwIq*V?L)%8rM%A#EA z`07;-zf4@K9og;2aVEAZ-{y`Qf^QcKl1<_pb0vQ7(HZNdH@iscF#lov9q%isvY-|d zy(e1MnuqHN%H7haw?cE=BHfI86J3P6oD;L@)%rKPa#FL~-|V_Nb(Ei2yk{D(*7)Bb z7HPbsq0@Va?L$B3Vc(f4pK9{)9`6sX`*dFrJR^Fc_K;Iks}9VjMm-;}pv2ss8cF3n z(m_o02x(vN6(QDFwZwws-G31B1`hY@+2kA682i+#d{Yq#WVAUckfJ7G|z-u;L2j?>UNVeg&9rt_6c*Q2)QBHpD$)_dRo zHg%sSPzro}6n;-8Uf{wCz!wdkiXLq%0A!rLR5DhVOYePa+{bF06K(-ag3my4y zEb4#_kUSM87E7(sk{Fwx0FM8z^FX{#eo&obl6BtHug(R7>WuvDLUnG6*C`CDlO*dL z*RRe=gX%nf!8&h`*Qp*<=O>{=-&OtUGz_Y98|qYOL0Z#lS*o^aPyVfgP?buhQK_1j zYUuYN3r5Rr*U<0U82%G@8X`R-71g;UQk3Dl=OS~vpsKltOTSL!&is~h3?~6G-_TX8 zuK{)FdktqcXy(eoY!b+KPHe4p7UAhHBE%N-X9cpW=SfC|8pebKi4+g@mEwJ7wWW5R z#71>Vs1`Jm<|CHo+KIKz&JSeB9qCHpGTiyMV!6Y3$t2Jn(9*0f(E2x#^yOr}Xd48)&jkkQ9&wUi5VH$3;0ll5dyPfj=C$v`B0hB(uzoPNUJ(Za*nD`yA8LF5ixcV`tS$E4DSRg#)_7EV)ceSm zT#2(rgWvROr0zDghuvMMdhcdB~Le67p z)p)oju~yTl3TQlHD_C)ZQhkqqx=Yg2)xK#rz)|GtiAAPOZRZJdr6geT|LMP>^Bu3M>;<^$*HAIV?V%JOv z;CJxkUgfQtKCL`mfv3N~(|P!AUG${9MtN(bxzUr~4$a$Mq5e!)=^sw4b#m}j)~T`v1>N!YFZj~25OfOTTc6POV%xHUSe)t zxTJicAy9@Aob$N~!8bX6#rYR5;c6#BtI#_ytK_ECIrOzAIwfRTqNb*3X=S0a&Y^bx z1saqcH1tvrCzaxSphqLwoF9Kn_L=BTJky^spy^-s@RA+c56LspJw14vXLF`W!}0w+ zJ@p+#X9M0h;%ia)dQ*=Jbrj;+Bk@|F>|vN_0e8s&JlA!QOVfv!_oDz%BGJ=-DcpIT zB4=WKSJOjp*MOd;0>2`T6ddPZzn#MI(XX_`iE{~_9bHZ+cPOsQfG$S*%)o+){zFbx 
zu)(yNAHaDRwF>>Ha3JSYDABxo6^+l=G${pagX%qxxbv_wjV`%Mjp~o{EGhQc1qbp62T}Jv?bYvA7 zH?ndS@T`%t+f$@T&g^zhy0&$bWLuJpUKRkyf^XRpG7fSve^{VpNrlAavzfgFGuo-p z!ye3Wl3VI*sSw(oOG<0a;0`(M8yA|L?|rN0hSX|68Ae(YwJ2PP9=RW|tjDnehb9ge z>?w7M3T)Ke!8ulu$RSzf&BU3q@nb&HQgj`}Z(RXD|%5BZ5tWZYq(J0rV-Zx&Vw5n-W zl=HN-8mX#psl@CN4mJJ&N*muswuAa%nY^TwO^KIX02yVX^|Cr3RvL3-_1zdP^t=fU z$hTj@XbF|KSs3?J$Mqz`&3%>yNzISr{G3G>&{gvL%F&}5xxnHCtzRk=PhQiT zXE=^;&rd?~Wv^ztmbhNOPg>`NWZuSR-k~Vxbsb^P40KVSxy?w=^paNB5uuV;g{nHo zD#$38-AL!X-MdRmp5F`Kre(#9#9UbK9R;czzc5q!V0kn+A)E#VEBo*=#a(Ju8MCYK6w^lGz%YQ#(OxU-a>>ffp&gZI5thWwUG~DQJcDI<5Yg z{GcluBxvoDICa^Q)V04Sh6lzYSwEz*6oz+ENcMyECDw!SQMGhq8?1LKM9t@1vpGL0 z-~&cF1kcYy@E9P7;X9S}6ZrmJ9~nn>GO9AtPosIBLvdT?{D|E__9NE@S< zD6^ddJm>K+HjW1YUtHUJIny3$!M}TpoEE2%PVK#n`C;(n(%uQz^3sILT<4?Ut7GtF zdGDo_W1P88#_ub8$0e^TddDWO=l2%HuL)|Kq|~Z|&d+Ms(MROGDna4%i$b~AGTZP` zM{#YYZ#2ANBrl_y6s~eagI_@^alR7xuNcqw_u5;D#a65E|4^19ZMu4gR5BkG$;$)} zAg~Xj!QY3nTho-cpZ79-nE9pFysRY?aLmQw!12vXTB66f6X(7rExFGRUWofqLpjpn zgYN;)L=8vI;5x>KhE&>fS%1qSPH<==oft{0oTofl8!=bwa>czbh%=}SiXVua~S zM);eE#R&T(yH&5;H$`;Hxgo;18EL-*?LQ0M@fEbg&cDX-F^*mwtljLQAtz_kak{^C zaMYAF!cs8i(ur4GHLdd6^z`)WZ%)7I*4mrzx|yUwqjTAL`tcEV*3)~AB%a*#wmJUp zmA7NhRCHlm;%a;H>fgz$$!{gzJ|3?{MOP=wKHeUCD^SlNfre#hCOShP)`mch@md7> zc-w3`OIInmjwIfB4<|}~eK_%~;;s0+H~rCDb@uItMzMLQ&XgW?JR^;Bj&oKw90j+& zHTg(U)2n(l9^$US+z9p% zcqOj%9gxJ=O5<}5_JxIOT5R1cTS%(qGAYX~w7?tVRa0wk-4bDUO{YlGeLrh^vx`p^ z+F>Ev1VE*-fqxWg0?;vA#C>-|mK%Ec-C~QHszMxmA+N~Q9@}uPy;Qm;uHiwRg-9Vi zoxsy~z*FNr3ZC?vz$?yc8oz#y;p)B6%vTwwh;fDqfHD`H@iJ~SIKwS&vE|lA%%dLB z!`TY`yX1UgrsmYU{4)W;ije3gHap$u8v82A?Q_}`-kOFQMq96NkCl$e9j?|TSHjb= zS?(cAJe9zen(ph-c(hHrEu#DFC7;R`7e>lUO0M=1+fV$go>(p4g=28+Ck&1&fU7Bh zV{?z-Q8#fmR=Uui21u;_v8Zz_AfavgWa&Sn^k{3g0>dKjNjcj*T!G@Jq|$SVn@0&} z5ARVaQ1H+Q^KgiVS)VkhDbRKvj=iWUJJB1ZrdWSMB+(})_)NK?1u&>`S}jsv@b6L4 zvn(z}mM6#MS(%Lq6Q5`@_b#T(}?oh7JQt>Mu|4QR;}xp|fwt<*5;JNUccG z7`2_3M%Cf8xIDc+E>C~1)Hqn4UZvE_bZrLTqH3laFnO8@iZLnDMFR_((MU|9GVLt~ zb;qR04T{c?4ryJh)IL}{OO*%6&$F5zh5Nfu0`BYLa9?%-xDE8HD8p$2AFq|g^oxt* 
zfJ2siOLd_|Ir|S!4_Jh17WZJ(Kg&6O&sUb&_)KZ@|Q3h#eq0C&_7o&%JLQJ=+P-x+RQcFU&f=;WHPmI}txIQ2ZnB#1m4uv$Z_DA^o>w8y))aZ99 zG!G-)6iUaHk)8@=?42et9~x`31m4M2Xpyk_F-YGw(84HZ6{zm;K-`qrehmLS+AXn~ z-9lF;f!^Z|EKPS??p=6q=9VHU1A16Ac=ZKw^<5up&;RDY_TJ9^vGzWcf2=+21>1Y0 zFU~)e`7rk)?XdN-^K%XMQheMeDl~gcp3@u+!WYqR>|>Ubfj*I}|0Op5`WSyU4j8-o z=A+B|fA?6c|aRoitU-0$BD6QR@#X1pvvws7il9wCkE<@s^WBVZ=APbJ+U8+#B3Y` zeNd^F;pUUY7v>KJdP|he)ms$)@VrvXdHygbS-$b2<)tY4Yy3^Wt{%Eg@KTB=ZAdSf(rv&`-K0k)8V&W%E!@&`cAn_(C4 zY|W3`Vg?%OGgYf0M~K@Zad}+9YKIoOK9izX^}?4~Fga0r2j%;MX9w7}2Kqv>{N#(4f4X1! z^bclh-U zbo8Kh3a?T4nZbzlM^|k9v4pKc!b0})zS270#vLaGnSm8`q+nAk4E+&zmAs66`Ob!S{+iK)i|`FFDUo1nR)oUw@GRFW!S-p zowGCCCg%NwvJ3OC^W(PxEgb!inJ|5$NV+yABmSLk=nKB5w36T}$@#DJFH!&TACavF zI_IMGH(aoO#{m4T7?aTXevCFOXovaip6bXIomf?wZOy2khH<(>X=N~Nq{V#(jQ&zC zqURWBcQ4~(OO$zbl~T`nK1RcddHzw>#rWVSO8MA49W|)DFIoO)7cKurzw&(%Hsh zzHCtWPGvnG{XhH8!x!tnuV4A>LFGS8mS2C-@?NEUnbJODkp{rOH(9>oqUGKF%AXum z{^?|S{-Whq^eca8Q2Be3<=Pk@*gJ4ufJ${Z@=jh|T{2<@K~PY4ffRHchsk_BlUV2d zT00fH>1M2nYGQU%p@F^+yFc@sYwcz^8=jkCB-1^lLE{rzG_Z}*U|H6Nh25Fdm73~% zxXlKA^&3P<<|rE0U4&P@8iuc~4fFWQo?7IS4zsUL^oWRgu?7rOgSFs#_v&1mEsU_~1*E zK6pJ{0)Ir``!U@&t{a?v<41J^3H?8>dx-sXk0&o+|LW=FB%VJ2p6A*|CUsM$&%|_^ zoOMT+M}jX#-*T>(0;|oiN;CW{O6huEVN$!-hsMXX`e!K6jFjBAH$_g+T()+>ift>bVFjR-(_bbrhPy_3?^|3O%uSSXlRedv(7Dr{= zBG%K_`i21K_q~@~<77JL*{enA0j&w`mH6Y-|Fdu3Hunn?#i>r^*a<=PZ>b#Hu!KO!G9=`dso53^MV*# z(KFC%Wv)O}u)JA*q2}_2vPJ`)CTm)lH`Y>PhE|`|!2Hhw{YuvCdc946e;F%Mz~bk! zuQ4h}Oh1q5=<^S-o;-%0Ou>2wsWVeCRm8fbp4K3mQspBBr1(bv zO@Vi@qC*M{bduuLy2dyA99dD&kiRFtVS;39xTK*F9(V)&67gNk?wk-JC(c37)Z5AKq;z{ky}j`sb~b_5$vW_L$dl5_T2 zu_DX2OBV4?OtttQj#IdvHbqkh*{>QpB7}&=0*04Uy}w9WE++IIJ_A?~dc;?fg6~cr zdR9vw{aydLJfpkQ`M>Q5J*`C_&d=raeslS`3-}Qj{?6NgGrBk3^M9u2>uE9C>96N! 
z#P$5;N-G2Pd_5f*N!pt5nWae9su|sudl+{f35r!BWtxd)b49|&6i!*IiX41V!HM)h zcGczz?Wtk-t2s3se@FO+SE&P;RjR-c+-3SQ@i(oX|58uCOs-e!n0?xqiFsrl3>RV) z^jHHV?W-0G_VfoU?HM@keo(YKab!GLY+sG%YjHf@)U!5$qkntXOEbC`*8p-d3ULRU zB;q8_d)=QS?k*B6iHv#m@%UyykWelP@4OSJM z7}f69DYH;dH}q|m^X;T$DAt;5T`fz7xo3Db%MaKK-5S5TMTZjEC@~_c-pzR89`L~e z9D8vTA}Ux<=OYGzlvMajXEDFqV-7BWcy;~WF6_gxsZYGwm6v*%@6E2%RIC_{>+;W) z$GB82H%q#G6_Se5J`UHrWV5|O8naJDJNg(c3zXv!dB$(4P@f=_-HY71iW8q*lbkPO z`i6kIi{PD^$M|>QYQ)*R62)9E)M4)bwr33fzTLwj>T}xXf!-JO-0PXqJ*FJk<5oFz zPMuR!R;QN5S3ðw;c}oL1L^+kkJ!(8`cJG{Ux@A_!Ga5TKlJqDgng@i$vdNa z>y(T6SR=t{z2|+bdg?_x2_I{^JEK0~TTR30%`8m*r*R2aD%B-t zd6t6L1dV5jKPJ<5ZT%NV80L0jObd$kN87*8)=E$%TH)=w~$O$J;}8 za~_qOZ)7XvkzkF?@0Q}Tqg0xa)U(5ieaPmfCH+0~vR-&$g7mG5?ve_H2(u43EaS9yfp$IvUTRA+nk1X|pw zanCqgKb_%`VR4+3?S$Y1nno^wy)1b5u<}mW9ec}r^z_wGsni=>gVe0yPYGfwn2-NDc#n&uS+Im6L5E`J zCuT}aOV-iv2dur%IQ!9$>IlaN*txU&&6SJ+EyR56I@kj--|~#J_fNjCKSfVl6o15O zaL`DQD%NtsH>{)2E9KXL4l^Ya-j9;C)f%ZNH%}rBs~tM}C&VN(Jf7^s>J}m*Nqg{; znBD_ATIi;_i z7LV491jmMV$pVQ*CUEVAoi!vOV|Db?xXqcsQDgRx$)7jihd3{P`t$JMfOX{rj$Tr1 z^F;lVf3*H5WNjQrwm6Rdc)@yC_pun@4c@n$*y&*WR0f}_f3`!zBi0bfAFR}O?QFfg7*KBefUEUi!ruYgnd|c9kEt8Fd zELb&t6T4V?gO4g!y*23%$&0VR>S$r#h<@#{@tp9ZGG35PaU3j<z z)O~8T;w{kk_wbpY)6uV?@sLIYmIfE0M>z-c;#!Z6`Vjd(Ub<76JK2bmThW$Qt$Ni) z*G{uZF6_qC(_hLd)fVuc)sEiao$yxc==+$Ty+L(^hj&g#+xr}fY~tIe$0d`Fz6$%c z=GTN=k0Wj?D)3Fc2z(7m_%a8<=jsRF2l9pBo81q-JglbZ=)($pulL5_yYB+<-3Iu) z2MIZVgTWW0O{sf(T)#Nal?TR%>1bKh7$27v@o{%H!R^^)XxvwAyknL7%UtN3(dUISf8!e^j8?mb{X`36HK2j!kvEUk#WH_V3B zwQ?5M5lz+6cw3jo+hXy!%a`GMlu6J8>qGu62_MVF*AY(-!_FYZnLZVE6O942J*kuw{XD#dV-Q{4 z8=Q=Nb)>HRSup`MOFbaPLDhY+`b}~v*8XMO~F@d;M?Z|q|lg83YZLssgBtaXzSTDZ=yDdiA?mo&WL+=(`p%z@>nGw8Ce<^0R%19F=f)>hzjAEqVXBB>ymd z~d|Ez1Xi>gw-(} z{dHW6H29?M0|oe=XpKJY zSK7_fE>)i8_NKX+TzRfXkkVTCdL7#jT&(v0m3eXDIU}~^zAVqsCT`jsc<{Dz=6$08 z`|WYqZ$f?qA~M*~{~-*19y+LMCxbsTpt7(%6;?NUPYR{(aYb-*V*kldU!Ddxo^H?dj3A zT|~u?K@EHvdp9<_y+R7NUDru?aK3fx;I|W}tvz?={vm;3SFo?}Ju$`WVe{LJ`Mvhs 
z4f{Du#aYt?tejL3y2ABllIGuu?-(TX=dR(N+=a`ARwX}4n%@Qgp?(^nYg{g>!IhoXyEK+5uuqQ3{{p>I@|(c0 zG6v(qF2b4OwE)K4H0*G))2Cf5PlI-oXZt4n+qoNme#Ib2-DBFDg2?)*&2~f)mNg%f zCpK%Kcf>5GwdYR1mI7Ogjjbm1gFP)q%6_ogtV$jIm%>>J zeU`l}QaTS5_K(PKhgvby^0rufF`79DUhr1$^BA4aeG>yNiajIKM88I{OQ*Qw7;Cl! zuE*@r(QQ4$0-&sBBPj2k)12jbX^Pw8xzcS8=&&EaArtH~=XZ~Ds&+D(9Oq2;PeE+I#(yQ|PENb2%S(7V8&SH& zd$8ZOYby_4mM72yz1Ts9F}1pweba)#q;754#;)j;EQS#Mp#h z)$CCtBZ3_}^~XgLPrrM0+IF>PeTB}iX{rFf`V*v<;KBIIIc=AnW>*~6*BF#{W8d1+ zWch?Va`ZjyuWVk#?$aS1dJz9l0$Byv z=MRg|`eKaVKZUk6O553J`x9k{=L}}4E8MxjucNP^KgNR$o}VhKSA2tx-VeV92dT9< zREaoB9lZr_c=Ua4Xk*1FKfkL3ocEtHlg&Bp-ep)P^N%Y?38)H&2Sm?ONxPl#L+tpR zpl%{ty~}j;0NO1Dgl<5{6>#WlRfzRig1)b#J0Rh7fH|(qV7+eIqmP4j=Gj3zB*lKnLBZKnswNR%p~b0{!u&C#j4NPw^;?2fWmcFj6jAESM6~2 zcf~3Phdeg1JvAmD$)&fr`yOJ$C&T;w+MUtRd4>cqBM# zj56Iqhdrqr)kI^wT}Q9%xg;(DCilMMk+tQv_oX-KsHi-LKA}L7zVq;Dt4Gt7&F3|x)iVu@S0n&- zoKc>DH;V6oTc%@n32Y^%P#Z|wLB?W7G8KqW$lkFPM1zk#7{`aj1TU5m2fS7m0}ee_X>`cZk_Bq+37*7` z!>krFsOTn{jMMn{BqcJTZ@5a7RVf|4B9zv|_Ad!V)MQ@$z zzQpqrx6N~v`#xv`tYsbYbr9P;A8~7>!acUVm+WH{KU48ezu;%9AEOkRK5S3+-l5>% z^Ia_8Ms*Lv?b>sr_7{4xcj@S;@WzT-fA;o5$UhzIS+z72BZ(X!D^tQF<&b>A}?j2iu?t%UHp)`jj<`o{j`ymg* z4#Sepz4ElNV9sfc#eqI?mY>vbmSv(2V+pIyTI)@iA-+FsR>;u(9F__J8x&UxDA?$ZRQrCdp%sI&&8p z_pLvr5nlV+YhX=qRE-QTtSl+9`$l-g-1K^>I&}wEmbMd~%x0{wZ8?S=QL1gTsi@+& z%s$t%@E9z7Qm=6@g^Wk$9D`OF<)4H|myOHV()t6rZ^-dGM)6~~6GHJc|D@^%vXB1I zvoKpq$NoYcEed5cagK~Fl{p!1FTNE&8>`5cWpY-56|2-KyRCtuS1-9@9yEQ9J{u~m zBG_d)X1?Z(T{XKiJ^ktV8rf_aGoLHXwDB~Re|r8cEB@op*q*VkRLXA>=~LKae^5%< z4T@LhUQh6j$VsW_8&dq9zi@|GV6Hap6t|gyH?E#TQM{nr-?W+HDDF zkz>du=Dl>f`3^0a3>|qi4jqoSz{fAe5ybI390}gknADx8cfaw7b}weSL5+w4QHj7v z!&)jSj71jA@uoJWG@2SkIzrLOZ$ZWfk-pcbQD(_>?61(YuzNWTEjpFQ(eMaJ|4wOT?7PdTh+x2zA4sLR02{;-Td!KmscVtYeJeZZgCSYhv zfrcy6Kf~`s3W>rK?3it>y`V(;bT6|rp6oSwdV=f2Lz3B#25Pe+*8gF_p!DBQtGkMb zkc;^pQn}S#6O`+S%;Wk>x{N+=LzRM}7wlX<#sjPyODhIxxL$ve+uT-*MJ;$UST7OqI?G$n? 
zi}YQyphF*#YjJfG5%K0X^1I)rb7PS0i4;D4n%`k+DMxSb4I!^m{MsGT1$fYz!Izc4 zD*45JrT(?&R_-?jVr9zWPn`Qr9u;))qu(0yM9deKQv>;1Qn^xO)8G?Xr+z!sX8i*C z<%jSnreY^jid)|$5|RF@FEIisYy^tep0n?-fo(bgQ2kA5f#s(%)lY=J@ey>5bvUNg zpQq6mywkgL<|zBLg*A?RXTCG9UZk5MDGKF@$gzd-#XXBY8VT#jBC;LZ*%oBc#*!TJVyp9XcrvTl4}6T-X69dpXaeCEA5H+c#+QOHF`|2x+ft< z##KuS*!qWvc$JtwMd&Wq^>Iy^qi-s_l+Xs32gb-I{%} z(98vxSBLfd5@bffnxm~7a_^v|ktVg4F8!d*yR-Pa2;mDr z8XJjWfl?>41dPb3B@&ili+wu*-!7h5%2t8#t+{!PgOy+-*Aqkrm_k-U@Y_!t3$Hqj z{aA(b03(T(Vf@eSJU{MVVce}(k^;t)QU*jhZD>ttFg1wuiC&{Z0~**2M$o_$u$c+{ zvrF7liWn@6zalT~;4O>-#A%!_tKeXOjbm&S--zd`VQXD?S7{Z^=_GW;6s&+T>8{;w z>dMiNmqgDEfbivbZLhdYdztrd8lE*kJ3x*R`aG;#4!LWHg;`sqImJzKIjh=j@`QuG z=u6oh`|9TyeeGT~c)l9@4r9+Yy40}1Sn26u^=`C`XrZZkv->)!LP~XKxYMEQxy@;) zNkl#sR%WR`H7=>E{VdN42kKbTtM78D;b~~#-2ztQ>`pEqU>(bS&?k${g8Mw3d=EM) zWpv{IT(;wU);G!Xx$H2ntN6G7FQAdnzfI3ecrX6xx5C3aUg2SHKxZc7CZcp1_|1Pp zAIfDlT90bihwwW2V9&EvvZE(BKzUg&vcV{kTRp*Oh``$f8$V=HyEe= zN~F()nSRQ2pl?EU;58Ka$7xoVsn=NWJ?LV_4nqF@v-7m^YtV)!lPJ_^Le3>dTbI=v z8x4?8kM!sjs^|&3Bt59&5ha>rj_;?*dHRhU)0#_t43}BvpVbEg2&s^ATUiqy;I;ZWpD! zX9&mr;JV{xNxfC1-d=Unri$UmYXIAUUKQ4%k-HR<>v}01d>h&xDOr2&j{OE?^E7x? zJHo+t*vdc&BuAm4@y63v7v6CCu_i)(ien;Q zwxLyajCnX{j~r?p62G1T?rQdNg^2jX`Z)(WygbZmeHL;?g*hR_y`P+iSs5>e%39s> z6mvP{ITy~*|G*~$rymFW&*RvSgRN<;^NJKXI~DqV2C|dYZU{SCV|kV$N}eS)i>Aq( zvYy5CyeGUQce$kAf=C-s^;FE`N84Dwop(|zI?MTrPX9_$r1tYos_o;i8D>wLCW1?< z;}kh5Vv{tmWz~Cxy&`>B;Q`byG~xYDk$$P@byxev$?(k~E?n=FRqGVnQvb@|;n#z2DqYc)+hOsg`ndejo>J%-mO=hfk&c$L z@+q6WSfzvylm0EPO<2}3>BYRyb}Fr7^cQQzz7Bncb|6wdq*W+lJ?6F+l*Ypk!RQyO zmhdbs<T27B5NehuH>KpW<9PmZ6^}eh?5j0l)F^7s zY$6V)Iz*5%QrQt8|W^Q03EX+*huRgFL4qtBg@agr;@(i%Q2bMApIyBsR`T^WM zfV)rRGIuqenZhrh=EsWu<;hwF)?fY3(@T?2dP3~Uw$re|y_tJ5_Oe#f_sxS&a7&L$ z8qs=36@$l!b%)laBFzjRSeo5>dsXHRtg-}dt9k(MSnDT4=^jGI_6@~+xua(ua(Wf? zonZacFFvi>jhw0Cp)MV~&(-_OVF|qZjUDy>D}q%ooWF_i&|=xQOv_C5r0g~~#eH0p zs}LzCLUUnxRgn1*vA2TsY#Z|p8JkEE$_RSj!Re~cuFls4RQaB7c+V}87I`uSNwu4d z8|S|it>G)t7O?iCr*$C)^YT#38s^b4`8%AS!+V?YSJK59Y>-T_ui!mo<$iOT{Wa!) 
zE@|P9O>ZP*JP!8En$PNRgqVfNgF~z7?TXINa@dMA5MP@J2j7cKKl`1A&Gc9{FXl+Ap97jEl)i^fd_yvx&IM};oIQ{{<<69hOaXg0m6dYr5*m3mXFaehA_%RCS zzu{mxw;%UH+G3?lOLsD@+Q;nytX3`E2)lk{E6E=fm{pJyNQ-M5gubYFxzl_c{ENAY zE}^AA#kV)MvDnCP@Utkm8uOwQAhsx;C-&c*&w-_-d)PX=g0~^@4DYKPgbr7*GAxO`Z=l2MYU_`qukqx@ zHl31jQ%k%1Y=A};5y}zl!Az&8#@U%%tvfP z{E7GlLL+g>Z}2UJY$=BqM@#od$}k$`l8U+!(O|T|KD2Ogsr^`d3|QT-U<_7Ya2?-b z1%GuNlV5RZsV!PuX~lXo=VTac>l*{_hL$cJm16-CHUh4G{~>oH`b)6$QlOg4f$2RN`Sc826xsn}z@iKS`waD+0{aP-@!w#Bs_5JQYb5n@rz5mQFDau|L zO09N8X?Z!$X znQ{#>?N<&7abst9a%ttAnRRuJG-*9r%#Svo(UYSG%x8qmO04B^lRN#OtX!5?o#lfh z?XN$ZoZpDuc68??^9^Jn#>=S8aK^{`M|o+f98p^e5ZA?W!f++AoG>@a_S7X#>phI;zL@i`U;7*piMoS;-dk+>M%fslDc-S~4)^Kn*Vk!PB zdkuEqXzB0cG5EjoW>h)4*Gx`u+*Qb-XoY6=n?CI8%TEn(@t7hleJP@g(=TRH9+$rw zaRauf75WeleJBrlCirJh!_UEcaU^Jk;UN3UcwD4m2s{Cs6z`-)s!?!|liV$)r4L24 zu%Fqk`tjgh<1yklfO8^l9T9p1^ABk0-91O8L>oK3r889ppCV`c*jZ~Fng;xOz&TIm zr*igDM2`hNm2;qLo<1y%+8eJw8j!C zOBULP&8+Oy+m@|rl=;BSPH|=i6&b$jBrTe@ zdUI!T1tVu^8rC?_D|dlYyA7UkcLL&9>dw^ZVo?5k*(yh;Di3hy1J0w}b-0@bcnVTx z8n(^s)D)Vo0S=m{cWNY-Wz6)dv2kOECZ#f$Y)isaucdXp>HT0@33wP>d_R~rd+o?< znD4BYiMvp$m${?$z{}Tlz|_x?^~YP)Y0RI6b^%2*gF-!Bd_~hx*=Z=K1{AD)ZQ}-D zr~GWjbz}?g*3zH#=2uO$Dp=W4oU5fJkRQ2~76)$|ae@?Q`PH7$GiTUFA-f?gOFwDi zJgr^Pt4Dm1GczA^LEOnQCzdfSu~=bdGs^y`#zO;f7mqo-~L0$imz?rYCB+m+>gG)1VN4pV*V2@KEeIR zIG@1rU_TzX(@VCwkdu98rK9^Q7M*Q~?c`$-AI#^jfk*IOuN&BM16LdC-es7&)V}Iq z-SkeOfMKhl`wbN=r}52@+FI(B ziB03vR1vGIBb}_THJ7@PvzAG$ZTL+H7VEk4&V|))J(G}U_;r)6`5G?3em`Nnlgq<8 z;IOAzeR&y&48Ut#TppjBofB&K-bDN$f&nqroU78Y#(w=Ei)LN`J5tIu00(26sda zh#}AgNE5sJD4N|$3fQj|Fntleow%lRREo82!7rTHqNJeU&gND4-2vvqr}IMv3twDW zurPop0jC!61;i4l4Xh*uU)R4G2@oNBJYuP%o>5m zZN&^Bz?Hfy@|CQ|!$PF=nTl?Ir6WOy8=x2GNjJ!IQi-j=|8<>e@5kS!a%3xSCF8_) zl{FMBgV+1ow%TPvSFMWQ!|fHQR`KuXeXK`k`bgnorAOcNy>wUMVgc()&3AF0z+G%@ zMSw()(I*?b6JE#J>&pb@gAqwV|Cs8^b@lRWV!^Hs=&SI$k&=;E{dTS38kS(BCrCmA z^J@o|YH0(YVVcUf;bm>RWECL=%y*R8KGs7lwRdxt4XB5W?e)oM>l@-@tfBYy+Xum5 zdEa(1SZc@$1s3M-B_)^mhF31ZY8BT&8qPyf6Nlu5@Oy25-b_5@ZD#6P3s{;+?!vpl 
zjqo%E9lT{&&uLcRtGOtAqX8d>MEETKEa$Ag=Z@B=@A1om`$Wz)({;yn&Ogpib39dt zmCxMtK(&(_qdy7zGQ>&RO0l}m!7_dohO!W0t8?n>svsG-T<%GNd(%^dT=Qg7pHd4_ zty67dr5B_0&6PLDOKU?}1@3^w$*r=lDu-MN)Djz^KgIf%i?IB@*F>6?Co5dU@-d`I zpq6D;z5TOX=hJn6P}-Z_`CI&ImMXRO1hdg^_EjUoZe7K-$6>weu9pg(E9bvHe>&j$ z1KCnB>$7sI;@4MPb-bK%sw_yj@8`q&seb6T12_wsnb1k5b*iUL>*Vj^tSg7LGG1&Y zV=DdYDx{MWD<@U|%E@}oIn$l0Gw5O-JZ3>|bPUA6_{^!GbPggYe zGf|1ez}lQkJfl`+%WBK57*Un=IN4iq%V!n%1*m5#rX2^)G}&0`&XzStD=3d^O>G4g z^x3j10DT1GrJ2SRPU}p$Q-4OqU(bGFppfmge!9Yb@>d7>Ga{EJb2+4_1giqv7Q{p5 zaV^YWmnVgSExjFW_$?mTMw{=zc_HTs1s{aoZh(jA@#z`IEzZ74_+=^Q(-r$LX1ad( z)zH1sEDN8|J}sfsEC=)xr!}-2HmG`)0nTsO0G|$Q+5g~h;(9rb z-{45t1Dm`fk+-whU`vk^zd=S2`M}d>W#>}Fv@AR- zZ!p`IXlP2GihkI$Wa)3^lcE!{ZJ`D+UIN8^ZL0{)9Uk{6aeFR^x#@FhuOwI~f|8GG2GV(gB=yC<_QwrRtL=WKp z547>jgDaCzk5HiQ0Mr`#+bDzjUt&?bRo$Rgzm*w`U-t3RooFpB{#AG1z@B`feDz0s zH7^d+4XFE9eFvnuxaXbN9pz&=QjWo{gB^$+k3ut{CuHnZY}V}51lWBHYwQaa@x)f9 zhhhIeNzL*@2e+`j|J)AJKwY_ z?pdvw@N_zSEs*|Nf5*}ltxQ*$j+Kuo{uan`4W3!>jH79IRtg=Flt3%C)N~riP=D7_ zQk3aiQuhVms%k5!`o{sRqHf2p=Ezp?GsHyowA3NDb$dSLg!NKJUax|Dk(nnNe6j~xQ1b_}U>6hfrafn-mK?eYc@S{E1#@8- zj_r@*_f>KJ9Oq3q&f)k7Hq86ew4@tH?6(#yOX}JJPCKZlpbx*u5Tmx-zpoU08v5&A z%RtH9cXhJGFa-r%=L%hgaLa#C3CclYCIo!)8P!zVq> z^agbfa+JG~qx^9tZhD+^NkgjdQ;aon+NbM%FLd2VfY}q1&+c5$pxKOX{<2=vh2Nyg7u`c!*e+WQ@S#&8K-9RNN(}hx zAV&PP6FvSqiN;<2ce96cZmu{=f3l9FzkX9gAH^?X)K@kr9FNeyv}=(6l#{krZdIOW z=#U6kh&XRAi_@9@ciwTxx$eFUa4p2a(Uf*Xkl5KT@R8yvK8vz*w++_%MDo?rKQ3eO zmihi|75_PL$obq-*D?*=54!CDb^}YFTBe^*#$>l&I)>1IOLRc}!0&S!oU0va&f%EH z$KeylymLKR)eQaxejU*UwpDxxt9iH-tLrJ$^^X6yfkRH$QjKlA-=OTl&51#Tb)i>X z7DbC@&o%V<$X82Ul6$%i-&LRn_RNVI2z}1=)l&C#<7W(Nw$h;W89cG~$f1V!TU@Mn zC(*JCdUNT2wX+KC2)5D6a}8a7fp#V;^(<4`F(lj3B-_cy``di1mCuw`w4l6!y^(-h z-j%c3}wPH&bry4)j{Fw&!EGKagA~N-#RkrFUc>-!|F>pH&@T?<3c1v+PLpInTv2dujNztA^cT*1wVnX|4aGb z@$d70;J@O(<~#U8)e4nM^>fu$RfEc-+K-UEUe)hKPG}WE!UXkX^-}c%>fehWtG`e) zir{SJ)a^RtJPO+9=rf2KBF@UzLryoW3R@dHLwm=Y$6RkYnQh8qg;-p|+}CRFQZV(7xc$qi;J`EMB>s6cPIElZTwV`8OYWw5I}Si5F^$$L7*WBMOzgFZAPp=B0{jWezo6PXVkV>)DCW- 
zba@Cell}KO_q~}UPulO&?;m&Oo%im(ob8@_?h6M3_W{ed<1CXVI-%oK;4rJWGBJyZ zPX#KOAl9Q4!s!KmK&L-$1 zm~{RmwZwq-O{4mQKN#c1zJABu58|$RtXcm9jNP@Bu{?xikeXoZF-q)gX~ZMTBm;7K zjps!DACC6FSw{W++P0_`k`IW(z<$||mVm%Sa3CiF8qnNq>FSOz^9o_}+~>auJOFwv z{dGH&w(mF#x>*PsKPS+RG5Le`St}D~Z`mdK)nWQ&Xu7{Tk4&^Nv;{M9 z*lWwAu!xA(S)T=Sb`8mS(~z9|w++pC_;qs5Ja&-h>_0iIm1W>ASS1Ilk4vi9aTIlV zb2Zg$FqYV}O~w)~DH~7!Gb~})PFO-Kw;FTyq$`LmvZY_Tw#SQ>fPV%w9fb3j1nR8M zb~C|hWS7pctb_<4e6llzb`WcF$GX!#Sky-x{Z#Hxxz3|^)UQr6yXvyP#@#HK2@AG4 zI7h~~T~D_3#luYc;?y!JJmSZnE|Vf6e)wr{#r^r=;EMah!?fbk6kJPd@OSuzJ3#uV zq~MzW8f%_&Wy<<^wE-A4CbTM&;bpFJd#(Z0lCaAEgS}0*^epnpuGo%~drzSrPn{ZE z^AitWzqdbW2=?})c>169_Ofl%+l%>37{JR6v(6yB2&py6nxs&^W$?=YTqbQhMK+&{ zgvSGmuqN4hy~KJC1Qy{A-E6658ybf1IZ~#y`dH zu!z6lcX-4{=c#{(<7)=*RnupzW91gcZjFY0!*IsvZrG+7VXR;yW2X@)wjQxZqNhCY zY(#R+cz9W%^NPlKI914V(M$dPvehJ$Y}@jI(bfi{4*n4`e9&4nTPoUyo<|OPk@8^D z*W242kFIY7p88@t&NUqd0aD{HyU$f6)Y8TFFfZ6vcb(0o+l2JNh`NaX^FYY zriXiBBR7#ri_uF>fhD|T%QoOIam=xEd9F#GwWAJ`t^X!7*#ez_R(tBS=#QeNjrs`Q z?!2Qg-c0(qftiX{-<&bRBh0AJ?R@`(Pcw0*_P%Kmo;A~qo_(JV!|C$4XC6;R^Hv->7NBxWNfH^qcC5u1+u8`u$DRlRJvwR zpJ!dC&jSG;@8=AqpT9;+pIsQek2yD+wG!DY!gpaH4>oCe*mu&y7P0}fQ4ih00lcLW z-rcqnmI_ljhR|YU-rg1oYDk>K8#K2Z`R%xavX3Z9ghjA;Xv9t4A9yjxm~?!b%$5Bz zuydj4jK*0*EyhhQ)5=C1p_1j zM8Qm6T1!M}2IIoB=mK6Lf`;r>tcke3DAOE;6_F}-w&%apSZ zP53OT#ehB}O4*Dxf2m!U~EzHdG5|Bh`6_?y9RzKr`{Nj8gxln9*>DEZ9|M7x)C-SFuN z=%V#J{>t7%SPN4cDD7={UW?O&0U($s zkH>dWZoBIFg}y~EP3`IPp9ar;;_~R|`U;%uDl~SOum>DmQxT4@5}UE6zOIjMb-gsg zv3zxgc^BVZpf%o6-*KK==Is%nB{*@}fR_ET{+H*8W(t-%YaMS@pMPgZR4VS}>A;=j zT{6ypy8daz`X$l<|JS#khc%;UEVLH>9*ZU~f)4jNx13P6|g_XEdT`#@T)5uHP z1x==2`j4LNxl>W524!xk--6uUgd}^P^**I1*Y*S@+1ZC$&KuB+nlw{~ZeMtUuGwIo z^!X}_2f6&P518D<(w2CNR!`5!Q}8%5&G((a&Iyy2)-OH3Js#BOt4QHcZj8r>G@k@c zJ5Z});+QRcSBsJ?S-@`^=~JwL8O6jW%&MPtex#(04)abwPuzHB{YX$MCZ*$F7p?Q0 zcHCG-6u|`82>7I9T$yG{wlub$tVFY=woj>8-4{@ zQ!hpLwu9CY7OMx{eXD{nCgJ=)x!N7pO>eoq6hCdAXJpH5zLN&V9!FS)b@+G%)+*Lw z8lJWIf1sSPALE@7|13Ff_vqb}a&!}|jnPMz2a?6#f{!Gsqmh=wMw@8PLeQLrLN;o# 
z0(#tqF(!8t=nPH|APv3E42*0MW(!k=v!oNjUcUD+ALU1sdNHTe+g&u5?VP?pc=f&) z!Bv*|{l%F1i9DBTALb9_?#HcYO7OG>1W}U_hwmE0Z&$|#!m}Q|kM;m( zxL*xuvL-|nUx`lr5qRF6$6*Zxn`8%Mw=<;^c&_Q76dDI|W=(R=LUZnE$oiD?IG*!_ zj4|HmR^+W6;fPtieD!;v9fF*O7x`1kaxVB^8Tu`=L_nSm{wr<rg6H-QdpP&OYwj0V>M-=tRP<4cn10|mM-uBgn z6VALeA#K!I&MkoFd#x)RaW8|eOtoh6xT%1@>LR@L_b!sP4@1@-&FSBP!2OW1VJj)1 z4lz^*aB(pQpbvR0U;wPgf0!7B^lu}-;NGBKS{JHU?l(2_Nlz_%S8>8Kil$?oqG8ud z(*l{0yVtJ+ox%T3{NIcJefWQ<40?5h|HQm*N)BUt)-(3Lld&)GpN=^4Uf}M4mHFDm z(i82&`EA|3{(9K3YL1yS#VeIWPpFBW3I1gB08pgkK=@8DkAwzgKwBF7&Sw^#oeg&gmo&y$XuzOd$p6uO`k5^OO?Dn^!eH?K?~wN35CdhX$r&(cVT&0qWU_y3e;-lzG#NdTNzXApAGMI}#o^ zv%DV!wlm%3Mx*Xpqe1gT20UCnelZ80fub5>xLZEO8@Fd}#Kcb|hL}%uRWp&d6rqZ8xMw$S3Isya@rlsKe}x#90%K zVLF|t!h7(*lkRU{;f~KX(k@c^qaGpi5pN50jnje0uwL+lGcOnJz_>I!82c9U%8X~4 zcfm1gZp;1Vl{kLZlHW~Dr(kBinL}vSHzLX=TSn6PC5d6r)*$ua0kHP zFSw#!BwUs?KKupTKsFw>nvp_NL`%A*s4hQ{!E{nRkKgPHSGf5{T_lkd)=fyWdskT! zO*-7K9Nu!bB{3-<+Gw40H;-TD(zTd2|LUb?a52T3+0}<~M?^f4Yx6#{SsUfHoO|g& z?!Df=bX|u=IwQE!wVv~v+3@<@<*@rRZJ|_)y|yis%6)0Xbc^@tEke}WFYV0D@t)s8 z@ot5ko9O|HH^*yxAQ*3^_vr`Zc$wbw4^X^xZ&-_IE5%Fp+O`JcP4GUwRgO2-dwwg$ z8|}^TkzOBXPthI++CwL<%NDE7mRmvzQGaKjH>-Si9G zDcBeOLSzg1BX5}B4<9cq1*|Ft`+Wur@KcIyb8x;r(zerLctXg)Nw#mcKpP!#Nuw9`JaZ{R2ToycvMC8(Ko9iF z(m{a-r&%J8&L4SpKXToY7VUlJQlw^;Wvi*z{}|^|A9vw|s|asgq6S_a3_h}y1=R!$ zZHajJQiPtLO}IgS@WtE(9~z!?!4^CNZPmditET18mJQ>I#$q?M#n^%KC=ptma}jx& z`dx=EMd}#lWfC+B4=K`0mgj6BN}O$ZI@biMVT{pZbY}G99W(4pPDnEg=2VNJnfVO6 zgagmd-~E0B&a@rMjr`DXU^()ERg{#_p8^|W19700xA_7XA)UvxFdtqOb<)-T+r`Bn`IpBa7!t$Y@2P-U(x}42rNHs!r8dI`_YyxoUPJHfA6at zOJ(S!uW$yyfR!{{$=#^r{u@|I=zU=dbQ*UJhK2Tj?^?syUW9uPeuMBFLU7ERV7o4) zPdFEGNiZ;Ykcss<65Db$XN9^g=^9U4ZutALzL^O$BENzzAE(@A3t3k#%uGnen|5w5 z_9a=lhh_q4k;6Rtg&1)yc2arEH}=EF&g{Qk=(7V~nX&`AaW1T*H(n#!H`=0c+>scT zp)C|XOd=|FNi)i5u@&m1C;JZ-rdhtg(@*+E+n{+m=iJjztZR_x;(LN}dF{pEgJrF38rvimk5b7U;FU*$cQSFo%&X zST=a(ck>dCy=&csJKcrLx(NBUkR0GUCe^#{3FsnO+EuSkI@22uTf6Z+Z(`hm4|{(D zk0Kuj3eS8TDDiDFd%-`FZP-0uhZ|Bn?Mo+N4#ZuGFyvhxrdu-~xYf|uA*9yOlMYYG 
z#*W$8uSm3DWU`Di!qPtZ@MWIw4ZS(neigFZztM5K@0hjzBFm>TC->^4$9v+BVpL`f z$BiWq_2gXJeIrAQf*2^x8{d+3TqkWF6sxo+ejn_#fSF<~WNjViiE19ROOV7)A#E~j zDx%mbq{snZu9N=QN2ew)b&tU+CGR`NrdhsWSZz}*!&@27r3pNx$w3Z!$KMog(r61e3qlG0)@749zE;O43PhSj+R^rE5%69KOe6+;?}!?bcZ$VfpVWT!Z~Bjr35bjF+Z+ z5{^+`_x5S|X$P{G9+irjeF(kAM})JAt$|Cf(k73a9>lWzpbNbV1i+ z-)LZaJMzgNx+%>~NQ1M|Jk6}`gk$4@$0*gWa2sgCvDLm&t@pS`*5zAtCJoMTCL9}v z^Ks8&tvrX2aO~u_u7`B*k8TD2#P{dG*}6&(yMJbhc@kc>jMTn@o}ZVRc}W^xl7W}h z*G1oKJ*)W{$=DX`gz51+oSj!Yk z#J+(s*6fCUA~2>UCsC80h8PXqQAqJnH_0i9INhg_oSl7NvQ-NLuO#9=k<>8O4BTW) z4`ZzeyVJthW5wW+@gKxjjo35L9d0E{Vd>$3{>kq-yBu^5V!M0h5;hIGt3_MQ2?VLieogw+T)Al#0SkFXFS7GX2O zXawq?CETvNaXoQh*hePIzo^^^xKk-ZL*B;1Pmx?2{+EjyDSX7M<0fa_YFYOER}0p@ zTCuU7S>YXx@D#;>E-h+3dkWqO)BkY-((qc> zfYn!WVWNi;IG+Fyt8_E)Oh`CA*q@CDFDhhFtS}xc0q*Ga$W#Qg$_ z#q{O-8PgSncz|J#Voi;1+g0Mb zA>?i2W996;2n&84&WjKR6-*ge>8}KIhnIufdcN-zP8-29rAfwGaWxe9M4LLZ?$q6PKWNJ3{*d$vV;;E%v_ zH^T3rt^dz~{Fo`0-;R0wB2GKPBJ3XY(mlQL?g(D>X^wbBh!1mb?;uqu5<`oDDqh!3>&_*X9h25R*5eto$BX(GSq2@dK zUMz#R3+XMKw-*kx-RYQx*ZhBgKHJymkMy>Qs z5%jbabjEQ=Crt>zFOc+MZ#32#S#f>G*TESq{*{&9m|BC+jU}H+qXL_ zhQFT%=^)bUa1a#cJ?ywW?a7X>9PV#j6=&cr_GMl}_z^WyEyI0o)KTESViVOJ!H5v4 zlPWup3}xEC+yn;oP6OjenSS1!o*X}WXcAw9)+;I5m#i7h?;bG@-m%Kl8}LbU4Rd`S_kTlvCL3##F~-F8X*y)z!qO?N zw6ibG3=8s_i;gt23v2hHBjDb=(0!?C`eyUUU9d6GjM_B<7EG%fYV(AwP4G|uH|(Mi zMY*G4M63RCzMzADNBDtE8nG{TCEc`=%?_iVCv@m9$G{ulsHOvW0|`ru`#;)z?H>mo zXd}zuF`go8abBGn8t?HLj@I0;_f}bcWobcw*gEGyyDz$(4&x0hUGm~yM4qeeiB;B7 z=w}`FTOWod^-k-^eWS2`by7^A@%SCex0~@T%$pzjrU}47muCWO9Y(dK9bdFi#5q?Q zP4Xpok-UPKw9?;uv`skcjyr|4==Tv`wBZnWwv6xS@r%8N%TatL8c+|)a%qf;GC`Hx{Km z2OkY9vCc&$yb2?!j}e|)4O@L1V+`R^A$&35|0O6gC*qqcA&eE`-R}|SG(tPV5rkXt z&J!I5W{9!B-V2)tgm)26BXn3N?gP&zHTTc7&=|9{$=GigZ4ujFMJ+})MTn!Ch940j zD`+G)B-y#=s88V$2fzA{ATy+CK8iaJABVR=~3JmA5HnXdWo>m{pJ;uq;Ws-4e&t@LU? 
zt&JjO{%fU%K8L$d`F0H7BE9#8zSZ=J?f0U!@>t!SM;K0bU?T9@iA#H?8~4U{WPj6t zgCnuWf2B(YyqbZ!7WL@@deY(WEBQTOEZC1$Wa1z=fqP z@Fuma#ynkRF`t8XWPBG=jCHiOro*OgI-d;=fo8n+@1xB8QpXLS{DXoOLZfvp_p#)LC5f!#;e*nu}93&v4wNl@j`X zw$ONRvpEhLpr`XjkB4uKlanka$cq(N0~;)i9moF+tPc_Y-^aflAs3+#Ap;=+Vej3H z?LhdgnXv^}Z<8$3)4u1;a6FM4{$Z9S5&imQ-y}RWZdbWg$n<+teYr1HTWgfIz1*ARE4R+Hlq>MD-UMGIFYzak^Bofo56L^}Fx#^nT+p}v6^ceN+?%@)dOOYu-KBV2*L#w{3wQrE&>78=@hIvd#o!ymb4X$R` z`ktiuGoq{ELb^2x_tw;z3p=AD;9Uc{E}>FH{;BY;G6Od`YhjOKLZ6aGE6Y96nsg+? zGIBqS>bE_y`=_`Q`5S`&248=%d;0yICs_yU>F=*w1^+piGk*NPga11*k8VdeI~qD> z%(ZreI}i>b6eF1NZ5qOdczzw>0MaDlKY;YQF!&t_4`ci9!C5&3+OuM?)6z;`!&{nO zt{-Sr40fjkXcn6wBTYqoIzLI2>`&mX$Rf;jO7`J?%+~1R$S8AzCqS#t#Vo&P$NsE~XAA8aw=yC6K&v4LrtcSr> zGwBfjJsHsX?h5DG%smS2tb#xv}!%kFTq{oQ%{kU@k^ijq_dVaJs zhCff>=Uz1(6BQXwi#r>B7>9E@2s;q2jSOS&qmTasp=1Q!pO&NHfb&ax)=4(y^+xKvXR+`)m9!xY9`A~xto6V+$|MNpOs!eXE z&qmzEA)J8=_ZqF?%3A$nH}%)OoeZPZc4`;OEb2f0DcX4+D>V$=}zk57rNU{6(ikp1o?as$!xe&wJY4prh*rCn2L0Ti5)ud zLt5$00C@m7b+IX1E1h`t4ahC;Av}v9r(KCN-xTlp061AM?OHTtgEqG}ouYc_al(`G zexfT1|2hXw%B*8k!#tw%aBe3~b5P1XbcQ~e=B8G91ae~==A;Ap*CAvhP(FqwI-Fuk z!zn?%M{X5-{lRZ5#r=6~7>sXeGbPuC{L!oL9R5={)yw}98^ zll%U&F0JxqL;zkfc-;l`g@pF)MA@wfUwt2Ts958(@l0}^4)?xkrQuykPOJqJOBEzb z;LOR1Rue{tdV#}y%>QNbz30ZI$VK=0lpC{nLH+Fr4MoLWpfOC7GaIN zgzzkaJQjtR)A1eM{__4qPMnx=Dk5xPve7K0_54VuJfph( z`5jY{Ur?Ui-u47`SF}&8LLcC+2Y&u14_7FSuC7Er9m6g%CK*r$TzT$YVo_|0&5&c`!r!b)n<>=X72*iV8b zr8ig>r7l&_XYn#`qD&<4fIPmy*LX!cDfUH zc0eOK1AAID>t4b6_5>evOUnWs>CGj7fOHo*&Q)k5wLHg3Esqn) zHURpqklvyM^d$>4=U4cry1(x1_y4Seb;zw?Cum%TTSh^{M&2@r?!FqxLjQXLjbax1 znBKe&eG(*5E8QNamDZtN(y4mnC+GIbkh~xR;ASG0Io3n7;7R0_j=WlUUQv8>!yOu_ z4c@XMJc1*w?c`RESMmPk>wJ3#-wxt^3&KCoJEFsd z?;Ea@z5wZq@P5^GzHP)e3*OH~puS>~+}{TDH(`Kb7+31)7BLMy9Tw^x6L>pX@xuZ% znndlTQzgQ8+w~#x|8#g5`v^hZ=KsXE-{Solgy7n1X^XO)MJeC%_ zdXn~8%1wc3iE-^@-}hR5H0+7D)ssDO44cjtvI6!vtA|4E75sYGC-`N;XrW%Xg>pK= zBqMx1lB|U@1oh;-afb8m`8e@ZzY3J0Me#i=M!!LfZ~uHYHwOLGtx)tGDac!&p!-D;*@eFswX zWe@3MG_bSi_gBDsf4?7hWkGlT1#D=d>5hv-&t1;dkRNWk?}#13=^?5Sd>v%N%jr#l 
z+(bRfn^`}6e{`$c`6Hx?L8@$C_jh`Nb^p-icDCSKB)&~Wjw>_~$T3aH@rB-z&?n&p zp6jN-ibNyw8(tr=KeF|*a}Cl&Ax##~@0n13Zr5dJCBB8>TO#r+(io6myprF;p&I@k zITj@zutuiWnX{#@UCgl~H(Tm)?YA2Che3061M)B;50U3z8_K`l^%x%?iv5A>Q9RE< zOf6zYp|mQE2BjI5(w2rw`w2>`N_^BhoR@Y|Debqe9ahbLElMMAh5i0fy*D8*9rB9d zrQWQRYVmFimHCXT7SD40`+Fz)3PPh9=^5j@F&AE)R)W{OgR#FyfY(GA7~wkyjqpdX zG`{S)5BmYMDzJ+V_@S$tUySk5S~}hxm73*a(*(~3(4l@m{LA28D4J;+=|?;Uz3uPH#+<(q{AstpzI)`s zEK9sXFEV)kn|RE>Ubum`@dj%+PhZ~mn+tRgNSZH==lI5jNj!EDkA0uzl?%z%X!N4S zH^~}_|5>m|UDlM8psGX&vcS>g{p(ZtmNMRCVSVc)qRgrxzwD1aJWF+wot7|N9XlFmA2*Uyc7C;lCCC?_xaPMj%{DvXveb zpLRX4r`-qcr|^bC+BaaLyni(ygLxonu~b7L(f>Hlsz7S~68B-pRM5b6xH+lY|9V#n z_5!~33O9yL`v%BYpnbHEJtpAZRT7g3veDS}i-d;Jf0#kVuqxDi(fPde~K$~ru#-xT!IjR^N4 zThkVz07_l#wzRKQzN`v;vGH`%d+4l9y-Vwp*X(5YYQ5^;4!&oe z_h;BE!>w7nje9iG@!s#}SrWrVeN)(OcnjEzbG?`wtNK=8G)%a=Z%=OY`@foJG*^$s zDOhH{%naLdK`+@HvWCPChG;q4ZnZ`p)#3It_C)w3VVB`~jCQl}2Weu_i*e@y-!I7W+OdPXB9IZ2j<}}6+(1UQ2K$%9oz4K4(H zI_33rhWkp>TSi-1dL1}+!ICI;`)@^`Bx0ZSZ=D~wjhS;gmR)t#!shs*3HydvcPa3} z8K67eyZ!G$CN%ntqGKy8pUdLg8;4wqBY$TB8&WH%aJw0Fu7sJsU7yU^M+3(tcWZ5B+7Y&^kH zi-kgq2DaP4<6A2%gv~u)=^uT4{;lt0E}wbBe186%_u65Z@Wc7Z-lr~WqF%!(m@)6M zDTy7MF*ewL6w*E6myN>M!Vd$wm{|VH(qlZaQkdpfmt!=>4r5Y;Pry9`Np3lY(WLdo znTGp}NwH>>HEFE5IoI(1Hb(;fHSg8iFl&5CCL_oG!1`M%7Z4ub2Dy^zuQ@Wxg8CoT z@Eg5<-md|#s`Ch~!uM9d6AA8l5p}-tZt{?m4t+?lh2$AJ=y!T(K3blSt6xr|*@sk0 zugGa=3>(@=T135?(SPVUZ9v1vF^Ip>YnkLJm83n|e+ly>NMXkKj_1$Z!JPF;|K7%XA<({BPAN}5$fbP%= z%d^gQ2i@MIfqgs8#3)b1B?D|Fjae)pjKeuEV;Ai_P8)u9UZKyCJu1DiJzna0Gle}rQow_d(y*mlJzVjh3_R|}A z&dTxGZmmgpf=wd3SeiKle*WShIcH&4GzwVb9qjs(mS`s0^>%-ZTc+Q1@=+so@Naa# z6}=@2-|zo_%9^AZ*Z@0rExvXd8B^gj_hF~d$kJhv(U|3;IONyp zZ#+&uPOVb^pzi}X)kvok;F}fJ!HQNiwC;yJj54qyM3yN6OE|zKnmp5-eQxrY20rBw z*)eORgl_!D7;pvv_iJ{ie$9;ZUUwuHmJ=H3Gth@M?whSQD;z;_C-do2vn+argVf=E z9ac!b)-}?%U79AIb|2<2&Yx`Kmed-YM`0#dUtmpY_nF|^L1@i2-(yY!wWCyBC?U>G zyycC)KYXQ|q-z7cergYzhOjzP_s2IoX$+Nh=-{9WWFqb4q%;Q!Z!?;6;2 zOw!=&*jqf$Xyh5?%W%R1WFO@QKf};(;+*-kFi$wXh3Cx#KE!+r?7hHJcVGDC8v}b~ 
zF=M|&*okl#!fFH@T@Ugx`eBwCz@>CoUkm)FkO1Dc|mK+#ak198*9zM+X&w&%soBNdvu@G9mVBx%C!-gwcme3FN1DD z#@;uhUC{`4Ah-}(5q^*GEds3@* zck`7h-R(S`fv3Agl`dycx=vNPNjzN`Pd8DO4*I-Mc`-O*9>h(LwBaUDi)OFhl3FN8 zPxr}oV`Fho&u*-kAU9+PEKIHRLC?AyzQPXm`#-?Afft^m-#hH`s7T#j?OyVc-tRBu znvqpr{XQ)}v7T?y9TlXtm^TMuJ21=g=9R~0R$Te%Ecb9ogwnbGxNln@%JEKK3X2Nd zN+Cp_J9o2ha-J6VZNY~QcyKm#EGQ}bs=0Ir;s3R#!D6x+j?Bb(=^bg{*jC`wUAcQa zpCy8Hyq`v@uqPg#hbjM~{UdyagXG;EKGLM0_og|>?>B6|I<@;KW;Oia6Ghh*!oCjt zp*5B6z5|8F{ps)}8qy1ruja|al=bxA4eVn)QMwARna~+ zHO51`1ynZ0u7}$h)(Y^17i?|gjV6TpN;YiPd9o02!G29cjfKcWVY^Fu*a7dLFkwP3!h4UlPuRScl7yZo!;RamOjo4 zYxksgcNHL?tNuOMD`VL6u5^jV$V+lOX6=XkOu-s&pWo4)ZR|?R{-(^uQtrns8>@X$ zJXStpy~$(cc@tX}9?=0l&EXvH@RoOvzN9Mv+Kzy0YE3xB&GZ%?($x3e2OKRz;_ziq->dwYD#Sj1&g zo$H|^X8wLV-m}aK*qP4bv#{Ua-4zGCh&$5y{?YR4C1~tni52V@>69Ri>=BPf|7XIy zEKmJH@YU6uafkA|&v*H2;enR=$IahJbDiP2i$=l`Iq z&;KMWA{fq%H`E^pG_iu#clXI>61Kq~LZ5$JPyP9ILrO67^vBW5zeMV-NWIccDTC?m zq zUr-|(S1%sMoVE4%Pxj4g8TReNKj`=0)kS*HH(k%6jhd!Yn9;=*_5!|4)Z3y2iWNb~wD4yrA%M&!L zIpRq8(SCmccEuu}U{h}Qo(fFJifCOsZ`r0LM5)`CEnq#j z1pkGUyn>@C@OikI*EOPdcAlX{*Q&*xO(PQYE!%Ra1^qpAMhv&Yozq>;7I0spLzk4( zlyg{+8c^nM+84Iu?5oe!ei)T9!k3g1<0HP6tjr)a=)*nPmN~NtUzr>Wk1lK#q)Mc* zSYCyk|7*;HpTZ_?Ip#zcf(7{dZ*ZqF7a6uQw3pw2Efz%V335Yqunx^6({4m{e5JOrJ+Evq9ijUtLFiuUg+za~$+!EiM z1AX2C=oNIw!(f4U(XDMU!j=tjen@sJxYvc-t>{|>_{?p9>=X;U{mbq+aCGzFiGc0a z!S3>7)DQEc`&>ZBA}>ebY}K!oea*%NOTT%mWKgZS%_;8hRQLfw`hF+tI1PTc?t+2s z``o~?pd$&=!iV7>c(`R7*6M0cC2T0id4ye%{aiR>a>&eEsRPY7VbtFU98%~sywt+F z<_^mniex}EuW-Q}>kJ3sDr>hNKLR+LWfnr)mO=f5UVRTUhUUw??&%Ae2wR+@&CuS`%4g7D_WLvYr>Nq3+>;5X zIKmxF>gg9lt%HpRO8OXfLSY`9m*keHF@@lGv(mvA6&8(C<)gKXbdOoM8Q3iDJ74aF z)%#}i2%OS8R5Z9YU-kugJd!_2hTb-hv6)v4tPkt*4-mN`@SO35fxU^jmXCGUhX3#5 zAIEjLE-VUrXNB-Ru@?2jJvr-yEU}0*S)|X20Z$5VC;ZDHd^yCw49K^S^0Nq0mdSyH zsIVr}X0pu|*H3a3tv|mm^&z6n$%@686+7L1uy3Q@UgvrGJMF7>A4J;@F2vk)0e8da zHTCtzKE>A5yHAy((M@zq?(^J1eXjSK)@LK-X4E;|^SCON)^dyc(Y&1;lg2_{5*6{4 z?~(7sVN;?#+w!*YSX3V-3e8lTEYwEFQ^~$Hf;~^tVzzY36?TM5uI-fToGrcV3Tt`p 
za)N-q?Zb+SAPWDyOZy_;!GM?E+!RPiEKUcV$L{M!7v0jWxqaF9F;|Wln!;N8{CD=@ z6fbuFwz}Z;)%$?2Bpq}<9rrBZ?6=|hKL0bMk4P_u$Jajpl)z$N@clmMRp)!}@vTW; zgt+=6&t0CW(H&)b`~0qcjm3byN{jcVz|5)o{cAID%kRE;jLr8T_Xg8%;&Pugv|b7w zz5ZMJ6GPvf$bYo=7Qln^UZLb2&-2!0Eb;1E_4_F8mi{olJPw+Pdu*DL%r| z@W&b;kAD;Rxs*5`;qwtb+VhI`Wm?BVLL25w0rd5S6uzhOCH|2L=Tz#A@3f@nJ!swv-13-(@JA!)(da&NKo=!qk0UA( z`#h38fTyVCXlFL&^B8`&3bp!sfJSi$xKNr2XoM#o_ozfg5l@%V>1vNd4@LM^BDbu< zaQ;tz8gxFgRl?gup-`^X8?gNoLNaRNUk$7WZF?T=I0M=2HuMSo--CaW*=FItazJL& zH{eW;3-bIfi`B6lXX?LzRqo%QWf3F>EdtC3cISZ4yy71Q-rn3k1Gnqad7LZ$kz6Vt zj`KKI{C@1pb^5Qtl9m$ffTG)h|E$fm&3inTwssLYu;Xed=EVd$*X<6{t-PRr>=Tm2TkC}q=lGKxbqtn zdYPAHj`CRZ($;5g4(>g`eic4aH}ufC9Gw603-I;YuLsq}$;h5tFi*5ix|X(Y zyC0hNz8+)y0(Qz5dgy5;#;W6Oc^7vd_WEMYrsO%fMqmnO!e`uZ#o;DME)CetD-!_D!2zxND;PKhp%J^pT`!60t z?c#7F9Q?RHfj)sQiAg*A;WNQ9Dj-Bo2mYB&+DFONKROSmh%RezHkx|oBWSNafgDb) zLI3tg=Vjpuldq@7W zIrkp#wcwm9;Jqf#xp|#K=iGPat8vJD%^8$7MU__8pGR3ltV)&|gIlbrC4cX0JSpOI zZjz_huj`ei-6TjBOzMPPI_6aqofM_f)WgrRrG2DwKJSV@lKZ_H!&lxv0@)bZzjsA) zdrt=ce{rdLU%1t@p2qI;UQH^ryg^NS>ctDIFjip*2N7;Zp!FozFV5n!Kn%gnI=#Rn zI?G427Y%<395d~qoq=!sXJ8L$X&)ZK0dI1T)zEWco;?qpZKwZ87d%>U-5~B&Rh9mC z%%576ITnHTaN@yB_2GO}l!+)2c1|p=Qv>f84|%VwdwmmR9rGd~`Q{}%EQZ}%%wf%A z9mZYZdm=5(*w1Um%{4!)`+eQWfbJKwtXR}v81TnlimgIm26Ej^V{n(>GrxwOXwE1Bz_Cq!0mMt zm+;%`4$uu*xV_GfTi9yp7Pg1^?R89w#BB=D@=Jc;#?edCEHMghG~nj7m?hY;<+s-j zUlP1|?Qh<&eJtgKgZ4^>VV~p+^ci?*VdQA$`apFD+nlU{yX;>2vmr!BVe4jn411@t zv=Wa|wBj`56c4@8fYPy6pLPa zlCK6G@}e6{XX5QN;ProaiJR4U58ubqzVgD~E$!NfatW-X^{gQ@CJk-E6FSs>l6BXh zk{;l9xX<=Xq?4mY8ZU!myfxiHPw=BBl7!W?;Dj3#68A&3xN&B()8!WS-%T<#dJZ;s ziiI%jY|vtjCx-894h!XRLdk<939pxr6>w~@7tqJ3V=}@7girnysxS87U6vTyUzMtW zZN%Zs6qCeo-!oPP{6osnt>E2Lj}uj-UYH0g=?u%*ykA$4|C^QtS&kK!F#`};jgC;KdxiEd;x8;sCVkpX8H-_e;L%nF@VLRFC6%b_yHAMse(&X@G2F&SOsUR;MpoTO$8^a;20IG zQ^9bZGGxB~RR#N0@CPdREfxHl3T{)uKUcvmD)@&g*rkGNRIoz@uU5hND%h-o=cwSR zDp*v(qg1eQ2)y`O&jW+|bMZAv1%IxB&#K_xso*mz_+=G*SOq_+f}2$Eb`@Nwf=g9! 
zp$cB9f~_iet_sdl!O1E(UIj;~V5WkvmJaRTiz@gd73@*LZ>ZoCD)^WRKBR(otKdcz z{D2CsRKX=Gc$ErXtb(&u@N5;Frh*eyaEuDpso=osq5b(+73@>NAE@BBRPbvmxJ?EB zTm`qN;2)}BmkO>?!44I?S_S8;V6zIIqk^ZZU{M8+Qo%+Q+_QLSe@ZI&a}|761^-S3 zpHaattKh>b_(>Jqq=L7r;5rpts)7qu@JbbIRl##raFz;AR>AQqI7$UG6?}E>(Eh!s zfey0v z0Fj@n?d3Jja(gMu3BD5Tbv5?#YG*~c82VUZFREQzP*zc5XL+G`{H3_2)V8*o*=kFi z6$Q598s`Q(%OOBifVK9TN?VPCg>o%e<1DoosNR*?iX8>zwle#mc+QIT&YFVaQYWfd zP+M)U3O*N?+N!GuMXao-cGjs=S612A*sJX2#rA@diZYwCd{6>)1{{_%sI01>`h^-< zYPYSomxw8)rL|(wrW$*71WPKmm6uo4h*kEr&gvR_l~`2kEJY`ZN?LKFv&JEoSHQNp z%$~%QuX6TEw~K3RD5ONJsX#6pD%RV@%8II*YB4RPBwbunQ6*M7QD#X*s2bmiUsO?1 zQ(aSKtK=#F2MHY&)iwVl&GdmT!hzB9imEbOsdF=`$p6z+R)d}? z3+9-_2C4yt*PJ@06kbqbtFhr@c?|~LUd528$XQZiFV9r!l38V^l3B6CUc9~loyd}E z%k6cQXc8KS(Wf!3*;I+KE3vP!)t1&UTV-Xb-M#@6F%xT|1k=67QBmdGY@<%dta7e( z)MQo^QGrOZ!C7q2Q2sNEF$bz_L8#1GTvbu&s3^Cy63m?{XHhN6%*1SRu5lL2xnVZf zFq(rI{5P}MQH8OVpPd!OHKod9b#<*hGqkGYm!;0~_3~4htr8#Y#kDoIB1~t>FSBfY zc}0oxSW#Q9S{KW7#r>tOlvn}H%^SVlCw4EY5|M}y#sjeNMNrE-L7drj?H zr_y5iRgJUEUOlJ|nYHBueI`ed+p^Y<%$&uUPE|Mmpr$;Na1o=25)@flVJqQ)GP{_= zS&~V!ud1SyaTJyz|9vMb{xP$n(q67aKz%bYi7V|@HBQu0{to;(*DFL$ zql^uusoqq*LC%<-GRvyh^6GLR*gP3F80Bi`+H$P4Vj^Ls)x6V* z=43GX%?x2v8N?#3uEyvR*~l!ds90ZHDSsg3sU)FCtgvExCC34TztPb(1MxDefl+|o zFj9j*sV5XKe{dNXem=v76kJ*5MEiMMdd%ddQ^ted)!3@n^TOnJLGmO+{39o@<@TD5 z6;+ z^$R|+zVng~IAQQ&dv$e2@PT8np%7{d^o;!R8;S-Lzdi&w%hyy4q#-D?6u1@?wR%XL zOuV75-+8&_pS%WQp&tKk8Zd95-rKQl{hp!>lW|HxvgUnz`siG+c>a zWv7J~gsMT1L*)@JBxD`>SW&zlvr9=>U5mw4UV{Fqt{oI-qpdO+L&hKj>l!51&iL8` z7fI}+{45ih5Qm^zoSDSQWy*v{j$Z@XR?coo$;v1#tyBM12idio#U(kb3RW&#G=FKq z9eMZ62WwOzR)d==jX>IJmNjGMtl2l*c+;Hk*@}w6V-UAO4JnYb4-xeOh2>In%QCSZ z#7Ng{1cwvks)GQrFl;35yTvVB@9CNs8P+p-ZNCWO-Adk=oOkFG?Th*ok%sGvV4wzcb8jjTlCHqd% zw3awihnXf9UTG^{UsSth4Hg`sTktW}HN;1xRNtFYa-RsiFUvXhl4)@MAio^^sv7*Q zcq?b`BT%xEJ-q>=Kerr=+HK%jF%D~riA|ypwGo6di0@FM-F|!Ug*sknAUS7$v&d)O z&B!}l+!DdUDG!3gwAymaP{7o((qngDb`tXLyfZz?b54H{CT>oxC!I<0x+jNQ(SoYXl>{xD@oFV50-(;ds#)*CJ{)gLY72$`L$JcNMzM(s_b?V8Ugw*863w} 
zBc@a)4T|9`-vE*BdU0y1YRi!``n1YkP>jg{G&)Dv7(am z;S^6nGc->8lMG*HU4c5$HoXL_ zOxDW`R2j^#y>4LCHrT41BteT%5ZGj`n4+GbW=~F;mQg*K5E9qG3_?kyRs(V>!@pAK znrhB|SEK6u0qucmA=m*##4r;oHrT7ylvZqH3Z@6ifN~4#U~A}2s78E(L+zBjWh(>! zZeIg+2atnO;hV)!iclVWiX|m)NfNPac|%e4nv!WyPn2(BwDLEy5Jjyns^a`^urD|g zvLl(IwBg!{AdX4{fhkZXMo9soPRs*k>i_G6N}>WnarOery+B6Ostg8*k$Bz02GyHq zHKg>xiH8(8sF0u*PnN|(4a4%Tt}TW>59s8-j(xpuD6YUz+pG9wB_s@JQ&|z|!*~~# zKow+LTMlv3SzJAqYF6Jr{&dbTn?I31RZtJvAQ<<%7jkBP* zqH#H}fGt9NNvM<25U3*2l;8v&f|r9@ zQ}FpTULa|pUiRuBCkcXH0hMY{TRXUAXa=}--dU(M=!j?=RArKkhzF#1U`&U0C!~Z> zZvsKpRu-et#K(l19Gt%Ls0_~7Nh)Qzqq*8uStY@j)dP8;!8O5UioAjTO2DGn+4U;E zwyL7Ga=J_(2IcU7)e52oHZi24MrSj0PBkVMG0CA;i>axi2~*itUf{4*7jU^;7NLTI z2TffO-$Z*^ksV6w60y9tR4jJbfE_`^u+dUVQraeLM@ z-wk%G&-Kny@Vsk@cyjikwB%leQMvDCG0k38bt|z~gwG&~)s}OH`+u36oXK>h8>WLs zPA{t{g7`IkUaLE#MoG|7Z;S-Ff{h+f+AiJ zO9BHa@^_`cOlc{bYtzNsIBybySC=O-ibd1n-eA=GAa_nqDV{u)coKQjV)FFKB;MXU zXd-~hkU)u{p;mFqPaR1DKlq#J`M@@LDN z)gfrestn8;uId15#5Ei@i%U5+R-^{gAaeUJ(twLml^>D`u3G34X%Y=oJw&Sp zB@Rt$%-u>1#6YQvj$g@;gd$Rb4ve*u8|^FuD-Oz1EkDVdqcrTb&Js)~@Fc-nLM z$^(olWrXTOB;yMBP!|quGbjJRUNZHk*dmk$WqhMgE+UjrAs|GskYI2{sY;NN?Lc}q zGy?b#6}&}+W(=}<4P`S`EVpk|%S0xD*Z4b<>oh^)v9cp_AXfy&pG6OS!|L6LX3Wl;?R z2N;UM!s{&}aCb$Os!l;EkW)BPO>%B^$f(#vQpXM=mpm@@IrIr6S`IGd=0SD*Z{^Kd zfPW)%Wx?<|42%Y`k}`)KS{JGg{BKoGod?JGa#8=irVp-NXqI26Vq)fPL&rB*y}=n= zuX(EO`!^b?%IW{Isj950lHY0Yz@oYtT$HS=B22*NqtXk5C)eP`WCKARNY9sn%mk}3 z80M^!6)`OQsW&tafhmF0pw8J1XMgw>!NH(z4I15BPV+j;NNet3l z&Js(WI)Ng=(>s4pN4cmc60K}x*7inba+1qXev zE&s1#ki-lzLFvd)9>Kx~B=F#F3bxa*od@d^OUOD&nLxob_9{&0fAN)1v3W}h7R_I= zv|z>j<#*1%V`ag-W#;+V23xQ+XXTwM<`;0qD3)a=Z_)oev!yF@@|Hp^`tRkFlb^ph zZ(h#Iyk$%O&79Nm)*XZl!22NO}zwLI@QQS~0LqAqF_OJ_>*`uyTRpYHVvE;=)X!7F$jwB4J0q z^cB2AYZH`XP!zc+zTSY4cx|zLSfD6Y2w#5Z8$`MPPu+QdM^&_cdp8IOqRFO*-fQT+ zcaYv|KnR9j0)!fbO#+A%u^=jnVgY*rO%%Z{*ik_cv0+EVhS;#>yMJ@e*|UKSki5MA z>w7uZ|vNQ9DPRcw%rFZgY+*8Xs5OP~Y6P|SvWL6bT@Il+aR(ix@tt6(56wgc@tbKXr zFdk%Ehk8=?^uR#ztOLh$E04343M!7wo|zOezhYgghe4B>$g3{Wlbgkf6+1iqQhx3T 
z=-+YhrHeg*VpY@wOdU|t6U<(Kg@m_GOM0vcyj8`dYI9}!2X{AXOU{A$LaWzVTkYqwFS_^u7bP8 z#d@+W26sVFR)Yq!4h+g;BVdiqB_CzrD4XBis?srCdJOE^d2qjhBgUu>xsRg|*W@q_ z5I8(H+skt+S(lE3I|faAq0;Vhx`AS)owwS~ssNlRs?=52eeX zQ_O>)jLxag^3Ec2;NUIrbT!G0Evw9EY)e;UUztg*=>2(;HJIJsfp&N{$(8 zb#+tu=FyzaN`w3~E6-an#tO1uX0V?LsHZv4>q?HFmdsmNyot@bM)>PBZ=SpE)nc1YQcPr^()ajj!IsX{qCQ8PGiX3z2l_oAfCDobPd7_$y#m zf!oeCGrb3qRxf!R=Zn0(TvsFCdUYsu#nKp=r`{_=i}i)a8hq2B z5P9c!|2Y)EdLLH{W?kz`2|#a>ov}63IJ)PFwfpwUxmHy^H|ASTYwO}Jh@pyQ$H~9z z21js{3VN@Nl{jb+R5U47beFIRdXdyDFIEUg+?Df;B>RjxC=F{Mc}#rssEiF8kFtXv z!82Idl*~1c!SnRG;0JLgQy#(48CiBxc$A*!IM_ONZp~~$Yw=J%#ZE6zcgT~T4uyHr z5^TO(uK)&K>N0k$Qy{ac(30yK-`dFrZCmUEZRbEUuz@W^sw(v<@0*;Gx@~x?Iv6ch zrzu#D`MwV1)=2Hzwarv|TI*QN5E#0_^{OWxX8UBtp>0{|tEG`>o|^P<8Xfo&j@fCs zPZ+J8qN>eo6ld@l#QDOK&I+wQ>~>0L=WC@BYR#kXINg@5Wqy73v;h{VPX>jZ>8azv zbVoP!GY^X3!I!7dr|i+K{V%7^*4L11`zCKCYa?cD_^Mz~s#<~`?P~d>&CFI%Tg|{@ zBy0UF$6q`VAUnUI8&JV^v|rQFOdfl`DHX4eC;{Px6%1+14js{G83tkv!=M z`bTT?XgA^x@bxn}v-vEwJ2_^~zW zdK%*YoVOnT7n~Izmfz)VAb)c|OpLA3$kWWkYwT%a{F{lyYig(0%%m4nqq(Og{;zvm zh~|En7*nH_r;YJ%ZO3n8;z!qL>uHbwJKlDpi4PN_Yjp7NqkH&wwBvU&@wYbX?BNHP z${+A{5lwuUxV2d~4?lv5e|J0nr6&F#wR?E@0nG9rczcQ_K1__L(VK6BdiZa(`-sLL zCi-gh^9;cMh_}CJ{9$5Lje#EilcnW}E zpY)CpjXz90S|rKCe}G*+*E>oy{xI>oBA0o_;$JjujA;B};`ab_If5W+t;Y?5f=!^CfjOrdXi$|rlB!t&o0JEE3Lvv2ZR-fb(EEI3HGq3t$bn5Y~n1umM~I zo4_kz3%D4zhf82L=!d;v2J8nj;UJg=hry*V2`+=la5Y1@Z7-<9ADsBFP4AJbED^W zem&`Jq?=$7?;W0-VKKM?mVmdwFA2XD9)TO-x9~Rj1LXel7kf7;ecI;^F?OHlPSb9$ zdG7K&OuYR_cf*5lGyDKbZ?k3;qnv{!cT*Gdi3ivo;Mebe6jwz@siWDWbrRje_VgQdo*>-qzP#re#$S{ z-@KKpfK&WAP35}{_{ZgquMLp`#!piv@-HH9IA2kl%{N_7%b#~*ctM+U$ug(JxBWRT z;3X?g7ZUObx4$LpDVsOkvM$D?j+@4V#M#N@p>Y0{*B@7Z>tWX*!a2+6qc4s0s&YMnWY^u&|6m4xztM_h$y6U^rX&NTM8R)TJ=hW2M zeBsW#*uW2!A-j+ zslNv)G|24!IgXt$dE#8!iGy~fiDY%_Q~P^z3Ma|>cZ$Br6DM+NLMHZYr}if-9Q#Gh zdY8|fmO3$op&wihP7U-OUtStA-@>xrCNrj?G)O^(-Sx4P?KOt(a!~1(m}peu~vKoQ`6@R-009=3K_P 
zwC6t_&>y!v);v&8uka>MOsO}7JgnY3+pe#W^F|=PRi{ewl=;a@cOqjudDYHN5bx=8HYFyDT>&=`-Vtn8wR8zuJ<`aIKVzR0=i{mO7qO=5HsS$yni4^~bG8J3P1xjIsKi;_)w5f86-g+m2bWC$s6YUtDPslQ(kA1NS>cEE$Hhu#I2Z5 ze9B>d*h4>8pnsabPcJWDP^_mfG}IlpkUfUtY22J1&&i)fjJndPslMQ@e;WMx$5;7T zNhWd!4K{&a(y&iv&!VTkio-KReVJX8IeCQMA35dH1kE$L$(LKo5fg zqf{+idE3dUce~xKUSC&V0h-MdSCY=BJa+uKyf8==F&AN2SpUx04=2q>Res0E`oRTr zL+E~Br*A*8&`M){n=rqAV8@>_eok7lb`jS4KX1BDy*Z_uJ-+TV^+?;_ZO7!4DdsEQ z1Y|tnpWi_>eFJTpwJpBMhT@Kc;(<@ldm_}Icb7e2Xg6HeD{xV-n@gq-bn{BBryow;sU zc*DYLxg7r-JBCW{_{9c7BLkmGEOhkCNI$XQ=LJq&$Jga?!rZj1c>ITDLE0(w2Yim% zzBy>`)VIqc3*K9BV1d*2YZhF&V9J6u3#{;N3)(M8T+nSnZJe%}IQLF{s)X#^o8ymN z5M{2|1+fbvx$?$UOgHYW^PNzu=PPW(d`G_=|NQx>ff$aj%hTIF#~-@qJ8hrN(Snns z%WeL#CQr+!=lo0Ox0>J6&bRseCiAP#Z$7^=PFF>od#65?MRqkR$hd!Jo|BS0?t`^I zU*q1x?cY4tx@X$l33G?eoi=yS+=2X^Hn%^{NzI~F7RRq3J>SVO$KTVW z*?n&JxxqcZ>D+>@c%kR~26lG7!zd7H@rF=fx z2haJ3W*?gUI?lT1mD#&yXU~3R_G36*TX9Zm77IV?jSZyaYCmGOqhF4{@9f@z7>=*Y zbJyOP^V{U3eKV7%rA_$k@Y#RN3b*q;GVAcHw`U!hwFjr`4cz(CenB9m(ArO#H6akg z)!O+~aP9xhNBbFmcem4VR>xV5ah8tNXH}gQJ*)bxNSv++Twd)j|9u9|t(%o#XK8pD6})OF^VnVoUEI^vwv zEEc}!|B&jW^FL4hG!Vnp+WBp zYA2ko4mhXG7F!}aHCHej@5>oZO0M?7ZU6F&U4a;m&MwbgdncFbJQQ<2yL@g&$_!Wg zo2K71J==fNbSu2_^uMPao%YSNuclR=uIqE?-lR7aUqM#9<5QixzM85Ol+K5I zvaTHe4O15pBYkQ*e;r?!r)!_>Ul2%9DJxA`xK7)j;L)FxqszSZ{luvgr;fl`;X|hm zp4w&V(5anpx;o(8JN2pXE8hRLegAhp+8>|d+V`cVl$w(5zi5i3Ca!v+Z`O@R--VKlGw^|;mJvi+;Z zS>d(Dl^FM1a;>`ey;YR*L&-1r(1G2ay&KN zZ2##!|7=#yqdBosXV>dp_D%80+qIdyVNe zCfnb0jHO$`n4)7&T$V8AI8N7(Ft7HXUY57*&;4vCmOHJ>o%MouJNrhzF*?Wp`smmB zdoJ3aZMXC0U1y*5c8uOJ`XQWEuKP#dJNl;4_m5tW)3pxgl-Z(HF2}DRJ>MNKp?m(C z(W}U7<>-~?sQuYyy$|xye$Hs=U}-RP^w7~AahB9#bd%9lN4FSV8K z(sVQ^I16&`+2T6dHd>oCXc_439!RXR1N8$)Wp&0m#TbmEpwDw%Y0WJ$YDe;Rpg zmV*~E`{IgtqP=Mjr)}&uNs*#($#O_$n!JnIX(YqKH3NO{K+FHk4(Z@ zIu0K>bY!=Y!$)?(>FR_#U)uj)pY5F39OlVec1d|pwi=CWMEy6ib^LEW#XNu7JN-7l zac}ATdp_D%GX2epbMeTFkuDBsf6>S@Kf^6fOegn(o#{R`!f6S2#VeeZ(~aH|dd2&2nENazb6DoE6r7cBr(w;9)fm=kST&rkDmbS^7Rw_$ 
zbziWye_*JSlH2yd>;1B!3j;A+t({N7+B@llZhPl!rzu}Habk*AsX5sisx+;TVnd4| z6|?jGWXPT&&kXrw$WENDr*Oe35=xZFA?->1}_uSugy7&~5+P z0HtZ=w0Xeh0qbyDQ z;jDOj`n}O_N54J&w&Qd?fyP@i)5LzEwRg(9 zG9T^x^>f?4cE4Kv!u!>>OXltOTi>tydi#Be)Abp2QnOh2o_~E`CnZb!l_OV<3~u`s zeU}Ad1h={M`SfvrwmHArL*5W=zmz;&?VWtAk}dALxNkZx_;Si@aiO`}@mtV$zPT3k zwJyisp_@;Re@Z|%g--6PYkc3l`3K+Ugji{uoA%EA;>d?W_x#`$Z&2SseLLZ-``Yzw z)wg!vc71E&bXCU%r}*D|eqX+C*+5>wnp>YkX@BOPzvLXWFV(kH-+%j*vh)3KuJ^8u zce0ODqrv0;d_Bu?(!MGm?T_`bdXwV4+UM0icjK&k*7aG|C#}!AKB;}C^LJgJsW>M! zi-jNe4Ff5Kp7pBqIn%7Cnbw_ct+JfC?dv~$_MRWzC%R8DoR!|w^NREden;EW=hSz! zKP>cK&u#nA+Mn;XZ78yog~aLF((TS}x0vhBZX3GY&~2UV@803o za*qG1E{^{q^Jz|(IbB9~aWu^F&*|K?vlF9B=PsSwb#BeoimP?!Y=2|I5(D9iw>-U8 z9$Di;HeMy$_ef6Yo*zzX&KNq@=~$-^a8|y%Iz8WMYo}eE9>M8)2D z)UZ>wzoD&ToldnnC3LFODGsMA2KT?J{p0y)|93~%!X4jne8;{xOUH5@V>({Yv0TS6 zoUYss@KnIp2^I5dFFEvj?`WTP4%*+- z;hqjR<1Fp3?{IC0j1Jd#Sc21a1thM#|^qp?E4xzPo z%DXLJ?cJUq-66U|QJi(piT20af7bp)`@=Y0ALE?VEC$c{1+#GP2&5ER`&I3i2V$Iy z_W8BFQ{LL!L-+h??X8}qcnR$j+W*-u!Or*7cKh4yYWHco7je3t#W|^2dMyE!>2-PpWD`L`|P&aZP(*0-TZCS+Fst) z-!>ViYYZ;0_JwbIPaq{%``~lEuiAXp#>vao+WAy)?Z@p1t$pzOdipNryKVk2zKgj$ zpqr(=^jgx!(axFmEd3o{m!Y%|J?@=ZZ&E(mk89($ePo+RN)Tz6>}2Z`t-ok}vh`;; zU59Z_dsr-d+m8>VWNELnozblw{c`+mTQ?_0v)0Y{>-f41rTv-D^N)qpURo&Cyjm4R zD#*QOi|go@H-E?1VPW20_#veByuDy*+{*7ns}rrV{U=&k()+FUwtBAB`>meA>Dr0Q zTdvce<(%u&j7fo%+;Kmaysaz8-@jGwKn%y%WvI44bI%{NGxWG`X7aSOD$%M$tDjny zu=D-ADTJ~w#24_i4S~h4|v1OB%<#D>o;+)hhMj|`+S|i9UpX=}3+JO;z1PCI+nMzav^YRK$2XY4`C2KRS^G<#4&C;_-$q>AVsVRsI4iyCEuva@ zTU2lHPxHT;SBEG0YlS#}3qR{^Ywn~Gy6vxPzB&*iSZnL^x%Yf0m-Wwt)_!_(cg`=- zyhQVCe+fI^ubO?(?Db|}HG37O>t&pinnkNDj$c7`J8sW-&ZN0=l*&j%qVM z{)?L}=C9-HGC%F-1)tEv@D?p4E74<9UrOscYlrjjJ~9+PE@KR~#;{_7@^M_ZDoaJt^bIhtB5e9zwyNGWvNuWGP75W}exmj!S8 z`Y)XQ3HIy;V;W@pXWRJ>Z!o;UU|jH(SNnd%blcu7ozsGOW6Rg^X%Nt@zDYx2!O!oV zc;e~lhSL7@wzuxJQu^nG(Br;T1NU1=Z`Xgj{-ZeSjxF^!)?ZV9OZ}BNT`O=_i1XKv z>}phyp5HW(Qs}m?RKI*6#;MvDX3p>VVrcD))OXt?v!1_Rwm-9;rCpDD&FfXG*P~t) zoUTeZM{kRN)OGL8@qbtMsJXtY`(52{xbnue+R*VE7zpicKJ~2Ivu=Bnnw4USx+fEJ 
z{J$ptn)plNxoLlT+gp1*t935h6JTsnwm6t#-RZw|ztOb;fQ)orpUB){e0AJyH9| z+J|eOsQocc*N3>g+86$G*jp4UtZhQzHRNcwWD#? zJ-^rbs@DEmzt?)F)?57jz1EvJCpC+OZ~Ga6lw9qD+kRxN;ei z`DkCihO2!b(^<*cl}vifYCrQ@XPW2^V8KB;;ioUUHDyxMm`c4o|iS-3HQlw9q7)tx@h z8#~p*0x=w4m!bB0r_cGC^}Kc}gI)s_rbPFD?_ z(_$72KknbC>ZIhheXy1DY}Ka&F;1_Ob8mZR#jE#f=$`*@Ri$o~WlhyJNNenTS5#eI zb#B!aRnu^~X5pMN|EJow3Z&#}-^7%}DovfLwE{8DhxSAB(LVSYZg|!3s$QI>+rL%* zs&cH#zg3RnbREIv)&2`)r{)Sa>)jYg$<_XvDvqAK&sU|OXFK^>IaZ02Pto2g^)~;I zD(-py*OkAnobCU*vUSG`m2)a@sr*9ayK%bi#O2lgmdYE5@AwtO!aY{Wxhu5xFIIXw z5W}exm#6pqvwbfo{Dt({CxCKIdOs>D<1P^?&`I zZkdqUZ}X>DQk`1*CRIv8O0u=@SE*;ER+aiyYJt<$4Cl0%#rnw3z4`b2Wo=9A<9 zprVtK)%J%f9;&#vqSLy(Ene~EKn%y%<>_so-+MdGtT!be?StF?p^6Vx+<>!6c3s6a z6|bmxUBz^qt_3)!%oeTkIDQ4``EH%LJ%3J+_LC}(59H-)?R*NQeduxTl@dd;Tncr2PK!f0o~e)AbI{NzLL5$gUm*`IWKX$~h^y-$MSOoTFWi ze{;Ewff$aj%hR<#+qfV9dZ=-~o;;MQRhBvB=9HU>v!tozrk0z43%;B(TTC%`yME)! z>2l?~pWJ+M{Dbqv>R(P*uORJ%?{u}cKIz>J=aU=n^tM-+quG*>+HdnWGkIF6lqpxH z+{HLcI{VX%5_z;QNY8(ztW$2c=Lhd}ca|;aiWhpH@8oi2KH3M5`z>X+l)VXeuG*hI z=b!7FE7Q)R{kZe2{Vn-uKd`LZBlU)Qm$J?q>g~(6EnBy2`?7U#x@zH^y0lpMo$lXd zoRmVheXxalYR?aKqWycB)7#$Z^~z~SKH48HrXEgL zBF-tZ#loL%>?rM|A;#L$YXg2xn0WfEm*0x#)IjPRp=P~p{sks| zt1LZB_bgopXGt-oiXO-;Q z*cGw!W3P>!i_?{cbINS7@ZZ*^-!rF_UAK#7xBL8jo|z>}a17Q@FMdW#a{FKPu+@tay(0f9IopAIk4& z&@!fZO!b(SwvJEFs}vI(<61f4e9o(V;a9v5qn(u8wh#V&y_x6vcQuQ?6}s(rMZ4Nx zAANoFQk+$?#nI`}lcN_$PsHgOk8{dwvG8;L&rwcFuJ*xge>m#nKn$n9yDWImZ=H|! 
z!EY<(MCC-?i?d30Yt)9Ql~K1wt-$G8j&sUvvGC)*Paq{%`{2D^tEgsy7_QdNr*qfd zDQ{{%+Lwz`npUi>ky|5g!CBIkkxL?HL|z#=4X0}g&PmOpRT{^yAUjyESU^9$eh&gn+*d%D4GU(mf?esjLl zGH;xN_6;H%L{`R~tM-MT^&IVk+y1|){ho8sKJPxibYy(wg^{Hri{W$?!8vtl@qb7A z-$H7i>pSLi$Nhfae&0(tOShfACw=$$cKSBsblrvfU)8?h+o4yywL#i1^eyyF!dW_w z^^NlN_Ko%R#Ob;ecfPbQA4n1u$>t9@N$w-pPr+bI%ADYW+ItL>fgdOV(Dzh!3oF9`P(`wJEg_r&F9 z77H&P?pYDRvuzkxBJ0BN65*aJ!;xXJ18-;hOTy?Zer*#bz*4Xryckx2m%!RE9M*#o zunF|R7BCXFgHf<6jE22n4D1JE;ZPU{N5FVE3MRlYury48W#B|u7EXobU}{$R@QUG{ z@=2K$#0p-@4U5gosuW%Y|MaZNqVb2t{M=U+E``;?J;hhR>d32M4Y(H8gxAAb@J3i0 zZpf-bYkA7A%S;qadNA%y>akw9$G4Yyst@-g<6q9}X-H4;#Jz|NGmCo~8+n2y6W%nu z8R4%WL&BSfw?I}n^hRf7`&)*4%H`&^3U5t#G4z7oSp3_-S((R|w1sJ~9gN4nJ)Fn= z9pD1k5pK%tq!o^1bMt zr_i42|Kmv~H*-SxM7#e(`v0Wx$#(yT#g?wl_D_M^*JS&r!W86bP~%}b)OeTyH6Bu- z#=}gg@h}T&Jj{j~4{1>2VGh)Im+6lIevM4{4dLqvSHFXV-xz)qvcjS1_cxn< zzajhBD0~?IXYqf;==Es$R?^XUhv>O2{4r$Z z19gA+<5qgCteUTKL{l!vID0aDyFJdJ8D~$~<=bJGZzt3^dm3t-Jp(n)o+ZA<*>h0i z?0I{fy@0Io^&-^xdI@TL?Sl8A=We(Sz6_=JEAY{qvi+}`a=aG)2J*1Gv;D8bBq%v` zbGH9Yn0{@xe-HfqE^A!gmi2b{JN7t&aa*$XhVQe-kvQ3F=Eb;G5AP3ukMe!$IUssF zFXg+a#9#IB!SF-)ANIU28h?oY2jL&#|F-8t5&vvIq<%kU7iQHrq#qqNvigzyS3Ue$ z_!r#wf#-A4qzAe0%kZyASM371@9Xd*$hr@j{`U>>a&wP{e@nRLU1<8>F{u9c9aR7O z9;*NS0M-9~gzA4k!A+URRUZ1^&!TB(=$*gn_>x~pKg{z-_^(F4-@^YOpHDr%i>92A z@V~=Pn(#lv|2BI3C7N(ZxF_Nt6aH_w2mKFwazzsk(bLOL)zVYc{9XjApI-nkp&pkd zdc5lA#kf!Xyf{=pzmWUY&r3k{^OD40_3%Xz7n9G2o>C(Du>M2!|4U4M;SmwUQ~!tL z?~8~;Ry{+~jgE+d+hG~%B`GsTH1z^WKQ1DH^gr;#i$)Jf|1Pa~nTI?%e#kf}8&NL8 zT92R^C*_GJ{VG7|R}pHQRDv2Om7&H-72<20RD~KR)ks(CQFUakM>U|vOHHWpQVVLl z)P}dBZyk6SOoR`>x}>XmtOqw-$@-7~o(CF4G(^6V@g%N#xKTtC^4a5QESh?Q_&1Gc zj{p0fW}@+j__v5?h5wtLmZI^8__vN|i~k#*Hlp!|aRW2jMRcS-hh?-Esm~5#W>M-3 z65c7Is|oKc65d73yug#~hlF>F=wZUUi-cb)W)>kF#;wfg8PSLEwHdu5dchYUa;AQr z9}?a-Vt@(nAJNZ*_m`ZheHbKsV8jp;J~(2K2_GyuQ~L?%4X1w$h2`Kd{7ZO-M~p!3 ziY#6VN5TP_NfD#DKPhvRX!;GL{Vt0bYy8KE#vd}SlOx8Fzs5E6YCm;3{W3Qj`ic@g~AFI09&t4Ql`Q7}Wmnaj5-YHq`zv2WtQK1l0cTNvQqbcBuW| 
zQ&9WA9Z>tfolyI~r=j+L&p_?}o`u@~JqJ^>o{xCZjE5IQQy-B1-%Am@@lVg%B^rNd z_J1!!?f+hhu4#A3??+JU@5fN%^b@FY zdKhY)ehN2bex`gGU!RLcU+Dc}CI3$n%wT^0%9Q78Q$Cf4a5E0Rfm%n767NF%zlB#2 z{}_y?Uwj9jTbAwr9`0WDW5f?|#?l`nu$SWA!e4fi*45+qYhC>rYF#}+ep*+5fm&C8 z#lOWh+5X?4%Jn9f|!i;y+WOF^xZ7elR+ zmq4wP;ZXGz0aaf z`%m=?y%R~l9R4$*Gu|ustnpqEJ#sTE`6~OY@eUd9ReV)_)_8}-#&KUYsBv5!Y8=;q z8pk!E#&IpEaaqCv>22kU;A=Ef-1T~HuLyhAmP~*5M z)HrSiHIAD@jpG(DHLInswQ1K@qG?yiIBw%>hktrjThaJKGmhIsjpGhJYaDk();R72 zHI6$&jpHs*GO7sD3`qgs1o}H}|FZCQzP<-tnT@M@gRGo#@lJ)xOpl zzmo~q_?-eZey5uIvHzjQ?{p*2@TJ=2a5xiL<9HU~Ue9b_8s*S9hRAb#bCFd}NV@ZV z^Wb*4(6sjg(dY>o$LYRB_Be)S9A9DUx7gNi3Dh|DLyhAMsBxT0e2wEQsByd$J+DLE*@7ettntpxI*6)2=ze7;{rc>A z{rWJn`pu_M{rWSge*HOAzy1PVMESlXzS{dMQ|=?auZ_M(d`C_FeIuIslbquH_LP49 zz3)5I&%XElNO{!He}HNaWcuq*zMqj*?&DD9M#ley?-yj1AJWf%_5DUZDla7bci$hj z4C&`5eSew!{}fGmApQIw-`^(wKc=6jc>fLV=SDA2q}5NoQ0K*AQ2mg3-FxCK?Egr$ zS5cl`TkQww=f#bzevV9diO7{(7`Q1jR{1gx;zZLwto##9d6Yl0spm3K^<0+x#(B#{mgj!W*JAYz z*#GcL^s5Mu!AkH)_{KtOKUM`<{k|$xzpqC5!zg!ksD57qfA#O0M*muowaHKY8&V&2 zA`_8S9?1RmBI}y;>hX4j_FwfyQ+`PQZW!4p(%OGP)4v^Ro7z9g(GPCn$Y8+xm8~_3etk z^zCN!>mGS2`Ac7jzC9v)B1>P${kl<6|IH zyA6WUcQBN`L!k5>N_^=%3`*bOw!R~frSC{6eUqT{9R;QDXj9J1BF98}F3@=cbo4iN zW-{r^&KwtM*_oHaQrBerQ{dOPVE@B!;RHBz9ri!mmo$EL5-LBP~&9*)OcA4 zHD1!8#>*neIe_wIyet+?`Jg#h^pk#=CnGWoxdHlQ!WIx2|D}=3khQKr%Ddc@U*+X~ z(@ra(+UY9F_pxVXUxp2H%JUjt49-f3658H{aaqtxN zp>e+hS>s?Q)Hrw=Y8*TRH4dJII-h(F>U{EfsPoAexc_6%i;*uOs~yGFobT_#f1qb~ zz=l`%fd<&}m--c@ccc9vTFZm>U z_eH*otbD}s*Ju0poBDh&@_=cF_afgX-dOKJ(Uep281JFT4{TXfKlqUP8JO`=@NKceC-#|0pc%wAm zghdsJvgR9T=9>$k&O3`jop%<4ns16j%{Lc9%{L{uU+0}Aq0T!m!ap7VQc&le7ek$Q zUIKOA84g##2&nT;A6%0e6%`2|gfUT?x1vQ;Zpe9OY*f7Qj}whQWS%P>l>qO7WleY) z(S$?q?zfzC%nDKEqqKjj5LF5Nwcb>On#YjwuN+ksS>vn<)Hp-NzgkpvWQ{k-eym1R zP14mkgM`1Yw|0j*Z@m=ioV5p3{ypKotX{l# ztp3)fRu<;%_NA2lG#I(LDby9|sP6lI;ez+x9~XZ?pa^BjE$YygMC zYLs&rocI>&Km0Nq`ybXOd?ftlan^rW`fApHsPo#R z4(goea;S5j6sU8a@lfYH6QIs{CPJO_OoBS+nGAK#GX?6LXDZY=&oroWp6O8MJTsuq 
zc~YUyd1gYL^UQ)e=a~(4&XWdp&NBz4c%rk4vJabLdwe~y%%{+4*)V}6=sC~^ksCniF zsCi~R)I4(|+?08f@@0OwSv2}u`QKv7qx_N0_}&OLzHj5c!St8g;b^!C_J?=C8H}Gh zq1KJNpw4aYhB{Z=40kWPCu$3vvGkrO_7{21ZSTWh`;7ac_8AYLUzi8`A8McR5dPXH zJZ$Rck*G&0kM;?W`q~<`4O!)d-2ZsgVG5B_^Io``xf%CZxn*(Yqb z^?b_Ka|hJ?wG(RodKzlpdWQJgH$MxtUwDrC*M8x7WX)qQK1hrq-1Uj@TJ--E2&u_y=c@Fvx z{55M|)LuAt>At9UDep=8AvEW~`=QQ*4?vvd~} z0Dc1x!K3ga_$@pPk3r3^-@#e%dpHOF0O!LW;l8Y&?0NEd@HjK`V@`z8#&$NX6YK0^Ep;5GOcg?hiK7}R@B#o-iqAxwoO;5=9oR^YyiU{zQO zmM8s-6;AzL0xKhj!x}IG)`mV<4@Sa9FbXz<(Xb7SfgNEi>;~gtFBlK|!vr`OmWCr> z8F(2i3%_7ImxEu!@=)`C1^5H32#>=`@Hbc){spT*5BgMv7p$%xT@4mnTRpm7w5R;+ zr8S~!MqA?&mcMXyt?1ge49k~VT_-xxmSK6{>bknmjAK|Vc6I&ehWM9R-9R+{uvkU% zYXqyn#;^u#0=2F+g>_*wsCBS8Yyw-rmarvk4_m>mur=%r+rUAvEgS*c!LhJCoJad~ zfa$O!^utb2>tAQ6^{)%m`qvd|{p$v`{&k01|1O1E|9U{Je?6hrzg|%5UvH@OuMgDv z*B5I2>j$;|^@m#j20*QU1EJQxK~U@8V5s$P2u#fy8a)$A-^>1{vwf(QA=a4oEuJMqdNB!|P3ZUMHIJL)N)<(Kkd}>l`%e+wHdbGIRDox2@so!bPp&fNjE&fN+7vVPnJ4=rc?hsCLn&F~=g zvju((?}4hXd!gFp$}Ecd`D%?W}i?z^>%;D0~5VD|{Vp zgYUw};79OrC_6nH%1+OLveTb{vdf<&{ehnC(N7`E9u)VJ?hg1d+zGWFKMlWv&k(JR(QlKV+5r;&PV`<|hVfG~_C@a}zS4geDt%<`I}m*c zS?RxLhaZH>=Y2b#!n@H~5(T^C6{0C4VSh0u z05zZf2sNMn1T~)?hni1+hMG@LK+UJWK+UJWLd~bYLCvSXL(QjuK+UHoq2|*+q2|-S zpyt!Rq2|+npytzmq2|+En40B@35(Hu>J`oSgUqKzVv6FQo^^p}{Gpjoi$Tq&#bd1b z^g?9KrzN1~(~?m0=|xcUX(_lN>tenMt$FGa(WIyOw5TT{#uvl>l70x8C!%5^VHk|I z{UQD_d}G?0Patx9Oq_`qACq9mgZP(@DHCJOGmv?=Y)m<1&AZUdyXA?On_D5KBH@~M zp_zBLnRKhfR5s~WiK%L*3rV+{$zSsq`J40d8iZ?JtO+$Q)-v~T{tq=T)-m_hjY%~A zbz|z;>4};r>znWfF%2o7=1E9Cjba+x<%gu(G^PpM4qKXbY9^ZcgVa+C$)^6qy&0`y zTE|%PCN%SA8`9HwY6~@<+Chz@_E6)e1JwBJNPNwkouKB;&eV_Q%`V6quU(<$&2CWh zW_PH0^HQkye0#v9ce4IN&3C<^hxxEK)I4TA_w5(cH%8;WU(5jVRk`{@l?xgFfiZ)T zRlY$`GhTZZv1?oNu)d5QX!b6zr<`?b%%EXLaB zkAc7MVf~l9mh~U*%Nl3;X;S9p!TmJy1o71D)R>ue|AVIg&4OC@XG5*~X;AC_9H@1FF4Vd|4{pkwuY4I#3q;c& zpjr3RO}|(aa|QAd$_**kVpC3)i+HBq{ZRFuLA-s$%Y@&-EO-zug~9uP<;d#qS3>po z6(%3nf2jVx(#We~Ruis#9j-xEf4|z4V{Obe=T@lxvk|J_+(vx$@7tmJ_a?i4-+`=tbSG5* 
zz6+{<-woBjH$&CW7N~xF57c^mFVuQ`A5?wa4^>|eK-skq!jJKP2>zP&NX)}uY;{I1)TR6g!B$c$9VSBls=+jec+pYTxl4<;~6fKIVrQ zYu^Fccl;RhQ;fCmfM(xu9BSY3Gt|E01k}Fc7btuBS9t7d)_*Ab^>?^}@IT-#!cRik z+kZmY+ke4%wDaFk_Vzze_V&L}_I56mz3qv$>}@ZUy&VQ+Zx?~Gw=aOQw~IpA+r^;l z?cz}O_JvUPb_pnZyCnPxUIeeDe5K&LtV?1qhUKrmBsM(OYIlgF1Y!&ul0#=&kd9(IHYunjB?o53=$5iASq!E&%REDvkIigtdm*zc6L z64W_CWvFw4Dp2PGRiVxYszIF(REIhrr~!38P!nFTx^`?WSZrL#M`hvs~s8PxeebExxy7Et@m zmQd#dt)R{aT0@-=w1GMwXbW{d&<^T+pgq+2KnJMvfsRn;1D&AG2Rg$r`h6Ezl=|rk zOTcbW=LX%O&J8YwIydM6m%*NJ1?&ZN?%o^f+`SLfd3#@|^Y(sF=k5KW_QwOD_QwOE z_Q!*u_Q!*v_Qyk@_Qyk^_Q%7Z_Q%7a_QxZj_QxZk_Qy$3`{Pki`{U72`{T=?_QzwO z_QzwP_Q%Ok`{Qv?`{T=DYF0|@1ll1fbG&HU0n(o*#!kjRJ!_I^{Gr(&Pl4JWPmQ(q z$J3CtKb{V?Kb`@#KTd_(AJ2pvvS#sHP+HGtizYp5zcGhjiL%y9$bMp;k+q*dX8l|c zyO40LpOEnM*hR<+hi1QV1@Uro7soCkT>D*U_8Wev{YD1Vej^iVzmWyC-&hK@-&h7W zWiD5~llu!AGd9I3GO?WcTgIAJ%WzQ-j%dW(q@HMel6RzjQqRu7OnsQ%b^ia7; z$LvS0gW8W=PrMo2zYhNSCg=Z9>*{*Aa1ZDIFbm!USHqj(4R8az4c-Fpg}1`3aHGlZ z_SoA@d2WxrgL01cZW4|CD|wXn&e*$bS=2f5-LNd*H`@%GEYI<8fqHIt57hI4d!gdp z2X`-fAohMZW9b92LC*)!|Do7N@mKvkZ0hF`BddNK|EQ(D3^gg)qx!7mn*YJ7UADZ{c zUw}Htc@b*A_7drPJ-cFe6Hog!i2QQwE68d$NcmoieHCtpZ{7qB?}=Svs?zk&(y zYgic`fr;=N*c2W$^>ZxtThlJbV!ubf(cbSw)2@<7d4Gug(UwKM5AhRxit-$X&%>YL z%kTs&O1u67b#C-4)Va}bQ0GR!L!BG_0d;P466)OOPq_WczheKUe$?)edj2Q&Ut5Nx zlZ#}9L(=och1oJB-6C-p*fJ#jqH)D+8In)&xC?C=GEPdwU4&d=X-Pxni|qYvMO0iV z*nDMF+{LgByaaZJ;qX!z0sBH991J625{$Ofhu**GmoZTL?^vk)cO2CIJ02e8eUk+E zGb{}?F3Z5bk;}qMsK;_~9v*R)kE?*JaVB0veN}`FR`UOx!6vXW)VQw#b)Hrg>O8F) z)OlKU(ow&yfvj`2n#ej=s|Cw=YRA>VU+IfFS4+fS=W2Cff~Q_weLGy#ywU(F{f2}q z-A1s2r*T{pJDxazbeh89uo=|*HO*la@@WC}y@{4k&&gUrJtu1o^_;8?RJq$iJuhnq z^}MV-R6TWoyO(u}>j-Bo?Gz`w#Qxqye3^`{ab4nMUw4h`PJ3uPc7qy^$oO9x*ArRe zvIo?-M8>~YTyJEJPl&zVC$2B)Yg|IY`^ELQWypIF1L6ju_bBf`(bOL#{~>XMP5dEo z!%X;4(S$?J3x~&zBp;P)1XQ_@$uB8x46@2K$_^h5RldvYc!YER*tpA0__(-a<3G;G z>c9AtPDiW_g@O^TZU+agai@h6#Z#U~#9W=h<2{3|S-DsulcBP(3~-7;px zrQ)ymLc}r|v*KpLhLCd#)1J`SYiV(wvX8R=ngd^8KAH=I?Y;TPviBB1*?SA2?7ejI 
zk-fJF%HF#If7yGBp`L3lf$N|jro#-_h2KrcgtFtZpzOG%Pb=OTpzN@fa3%KSDyVX=hAQ_OC_C|LDEn+J>;|uakKlhTd<mhvO_e4;nk~5hy$FQ7AiaE0mqL4QikL7;MA)aF4@UYgqr`D(WW(%Km!- z%HDetb|c<)*o60Ao`U5l?+&QvzdNCx`#uf5$j`u%@L9N!c+bHbNcVX-fOKAfdd~YI ze1Lc_L7jK+f_ndEHDwJLM8kAl6I+R`c2Gn!hH=*pxJy3S#TTpi8 z+fa7pJ5YAzUMRbAACz7BE|gulAIh#g03U(x!N=i2_#}KE?tq8jv+x7>BK#1_e)$N> zZuuC>j{XG7PCg7}r+x}$r+x-y2YwD^Uwr{(UwsK>Uws8-UwsW_Umbz6ufBn@uZ}|5 zSKmU}SI402tM8!ftM8%gs~@23s~@54&7Yv`&ErsZ{m)Q#=Lsmg^A{+)^H(Ul^EW8F z^LKc`>XUJQz+!7p#(Cpqcm5goSDe+~A$I5AasSvd#P0kzF4vYJcBdzv`^@-&*qveV z7m!Yw)kQ?(4~^Yf6zctfVz3b`4x7UZVH;Qi-bQ~Z3D+TC1ix92{SRdaUJPXiUIJwY zhC|tb5m0uZ56TXVgt7yppzOeCC_69)$_|W$vIFCw?7(;^J1_yt4lE622bO`d1It3$ zf#sm=!17RbUWe3(pmK|6R$_}g#Wd}BZvI85!4Oxx&1!UP-jYX3lG`}0vG~VOe zN&7d0cfjUwBWwZP-w|rXFDqO7b?D7`ll4Ddc41rNFT2q3hwSG&#CIgV_VbWOKX%6{w(H)Zxw{^-?LG@KD(Qx4{YU=`m(GxE^oNvVcKl3JzS;4!U{T~b z+}C48ni$ugeXr!M+&@?Ta31Uf=fnPR0UQh$!r?F-YX7Jw&~Cy#(sL zYd_R`*BQhc?#+zPLe_I+NV%59FE!;_7Jnt-!@SEylaAz}-WBmz*|I2mcqP<+auwXY zY)$-XIAiIW_`LS;+W716S9@PWI+Z=w8d>FY{I56u>*8-9p8Q4G!|S2!;Txgs;hRkP zSpQAEvHlzRmiSuxYzS&{8rjmb~Qxa7XKKs`XiK{ z@sC6F=GW6T@8pQ4-#}wmKM7@5Z-=t0pMtWhcTj(_BX%P1&3HQgnRv^thQ_XbmVC5d zeh#X?KM%D}egSHK{36u8{UzeduHFS@SMP?}zrPG+SHA*fSHB8nSHA||!9IB%>ivl~ zU{ma?H{lrMJupe{|53gq@7wY3Agg^vjjz2>cJ4kXJNI2EJ9j^noqGVv&V3Kc&OHb< z9^Z!=kB6Yf;|EaV@k99gU9A7`)f-v=$+w5+lla5P>gOU`lJsPlz?q0Sd_q0SdP36_2AO^|&YmQVy)^&!eWz5r_e zDGD|J6oZ<7ibKsm7edWHC7|Y?k}wHg1ZB6Eg0inKhO)0OftsJfq3rnxD0|)qWzR=a zjuGCdglJ@yL)1A^3{-!Qh3fBdQ2jlg`0DQo$m%zxq2A*u121JiQWo}y<=~C9S9z#; zumaRPSP^O-tVBA)y_FNHAgh0f`u<7P1l4!-glaGh)+F9AZw=9uPx4T2t%TaPEXp3Q z17(jVLfPYWq3rQ`Q1*CzD0{pCls(=MYW{2lcQ0#_&=}5G+9V;!9;e=#CA3J;KCe0d zmxKCK3z2xv_ZwO#v`UaY**c+Zf;GjJA@$Z<>30dPFVz+iq z=tBM)?~w4W3EgZNVmEhB=s|qVBbP#@kIa2N6Z#@6{a$u>Z>W6w*zpKw-1bZ8Z{l zOu{HQ6^=IdjY+r+mO&oNefm8n82@HQa>6*$)B6Hq*QJvZE{8o}3hV>N!~Spr91JJI z;c$vcpY8UG%aC{ou1e* zV{XDcQRAnEMweEaH14L%mBxE8IS3 z$Vl*%{re5RsE`_=HYyYY9gyrO`^Mot$*LlJUc#`m|pzdD@b^j`;`&UEV zzXn#u4!auaykafXdBrtQ=M~pN+56YQeOcG5KeOJgv-`J||7}_86K+hf>}tsG#od%} 
zbAn}8!(zW#Abw+G6Odke~rdmGA*dk4yn+Y4pK?Sr!8-i5N`_Cwim2cYb@ z_n_>!gHU$d`%re=At*cU11LN0Lnu4$BPcuWW0;!tNy4YpZ&K!A(bO-*j{7X(3;ffw zJ{OHYGrAHL~ouBT#nSH&AxmQ7Aj^Teuwbo=J@*U$Ly)ykgxF`l8CmujGV9VG2`A~-+BZVN|4jG`S>e#w zZ-29H<>vmA@Gs%A-=MMIa-r-uc8A7(^FrBgVNmv45h(lZ0=Ox&DF0iL?6+c~sUK+U zt_vwgn5RVPlE`tiKSaK$bSdQGce4H)`Qp--AV17L3=$q*Is#eyV~Ff49fhoYbtKfj z8X5hfm7md1)Or&Owcf-LZ`m8H|4{qB1o$O#X;_8&ECcJpvhWA|%Ta%AyyZ(*K-RuO zydVFHCZEcs{~uX*9&gnYH-7w_q!JlI!##JNhjYcX8-{-T=xv$6b{Qi2szH85Wuf5iHuf5N`d0{{DGYXmS z)M$Z*`HWAA7G)HtV>N#$LGy=FG=C^#zW&kj48NN;f2jR_I?i;TUnO68 zct?b|MMg`ed;V%|70O#@w4vPdSnH9Y{HTn!lzTpFZ5PUq&S+1$=e5=jq5PPPPLz9o zJEG^eHtw8`k42wPx-fq<(lz6_biG63ZW-Ov*8w?>o*6xGB_2<`7?|j#p z)6wUTGthkUOf;Vyh~|@Lq4nf!w4R)UJ{O#eQz##V)A2mK3(v=Ws5ckj!FVCgq5LBD zqeJxKj7x~EKWhEC6wOZuqxtC&G(R1R=BJm1^EWKx@^Br7Wn95}PK^%NupZ-6qE}{& zNXKgZx(cmdSEKdo8s_UC9hq@0vGq&MPstDI=SOFZ$}mqDoiUd4=zTHd zGc{vMSbl1TdB-WyX&R>MWt_L#yyBLONakSTTQU89Bjg)1*q-^u?Ub8u+=1p1ccOX3 zU1%P0H=0MxMBh)`gTA-87tJeXp?S%D=yvW$-#^T@93Q~9a1Q#uVJ`Z=E=m#}f2C$5Qk?$D_D0`56EI&HHDW zhWiJ@dy3_pSKm`SkrCNv9?Px3OWFS?InTbgcq$|H-eM*C-r{M>Yu{7&UgFt|R37vk z=dmWSD&zT#RQ`nIK`&&yn32k#F!bLqq5b}9w4Z+&SJJ<)!7%=hz881}dolf0^gY9C zIFS8%9ev-h4*h-E8@SgB`hPr^>2IO=%G>DshxO=thj*|szw_OIbr#Y8^R$oAJZ%fso$_hMCs=R#rx{<tDNS^jh#&?v*rhKcR97CS=J({QefaYmGqWRfR zXnyuHnxFlG=4Zd6`Pp_fKl=^M&wfYqvp>-MYzLa3?L_maUFdlHpXhk}ZafPALdWC( zM)S0P&^&Dq`g`bq(ed~ibUZ#1OO3}z(ed~?=y?2I=yzUq(eJ$WM!)l_hmP~tN5}aa z-~`+UCt^c1|JxVM|Mo-kzeZ@@w?CTq9f0P22cmi3L1^CB7|r_*M)STy(7f+ZH1BJI z=6y}kyssIW_ccfJz6><)i=la6CJs+##d2caXW1IA7n1ko#_}m2oy^lvjv?n3NlBXRWV)HcO=r8Md z{*O6d%UCPsGoM4|YaMGt?0gvVxg(jcrsk+vTc(@OVaVs&q50g==y-g4G@t8$=5xoO z`CLbwo#^ED+0V`z_7lm&y2QFM-SOG3tUo_;T!`)OC}(>2SP!O~cc|m;Jwth~*zv^X z9msL?4#($lu-?!gorv~FeVFfSj`t+|7yGiEeo^{=;wEp<|6?Yeg7(+_u^;iN=s5Ff z=s3v$Tsz^6*y%W|`i$6_tl#ezFnm`rFzm(5ML>(4!C{ka$4=XdC{(7#iEUs(VBu?L6;%%lHD|4zNJzh9Yy zMJzWL{d@KEa0mDGgXsA4Luh@RkLHgLV;S==K=Z_fXg;OY$exYH~WWSyzyyt zyzv=yyzyCdyzx17ym1ve-uOH^-uMD~AH9fcC#;UWgu|*=$6jW=-bWa|Gg^ZM?C)Ci 
zd#G2?@0DIfzkhm-{rCH)*D)4Z7kh(p?*sMwr#C70`=__CdF1Wb`t)>leD)o5e0Bpm zKD!b9F6v!$JMXca^=lL6MBa~mK)LHzzl-`1{VwXGa36de+Z^tnk7J)O|H;uU8s<0d z8~rp!z8vCI-uy-E^O$+=7qKrnZu91?X#FRq{Hxg4#NG$n(EEUx@^50_5_>-&dGmL% z@7a!dGcx^$*pKNLneV6A&y<@tYm2I1V!txo^NQrr+hf0n{rgSB{vmnvj@Tbz{v9#% z=)TdN8m8j`jV`6#ibW1+hPyEv|H2&n8*`EVCya~jp?`8*>|ge$CQ%cMWTx^#Bp-}s z*2zregBbFLz0mI{>SEW0^#9o7Vfufxf3J`B?+wuYeIGP0X^8go`=b5)erP}62<_+h zNBj8$(0=|vw4Xl+?dKb#{rtgbKYs|?&mW5R^G(oxzA4(zH$(gR<~Tf=k(rrkKOfW3 z-XZ;bR%Q<6qm$Vh$}#lwxoAJ1mznD4^NH=}3($VP5bfuS(0;xcXC_PdpWXJKr5e_k z>gUV(Z{DeP8R@^{A-4Y}rky@4^KhoyP9xKg$ZSFEbPWA_OXjPoX_eWU>Gtm!`u8?y z|9&LezaNG6?`_fky&c-WAC0pU?cFZ>*FnSnrMBNO?2p?g4)wh=THlXldnZMC{%3jH zxvuyG?Q3nn*p1kJu{+u?_FzBjuzx+#ez6zj_D{!$?cz1`)8h#>3z~a^R)DSo|@iIV#)_(otL==0IZa zOXR*hEAwo&<9&%tKPU6tbd1ertvfGs5I%<9Umib(=g$jRkI$bMW~QD$FH)YfE=HdN zFTvY6KbN9^e`zpoOb!Y4VqjwEf9plK|1PKAc>fJ!y)}v9nOCImKji+qGIK=w{=<-` zUxiz_|E@;ww`k04c`IW9qJMNKUy#EN!QDJ)Ae!| z<<`slLOr}cb2jJOdWqD_2QudnTQ8C2=Vi_f>zkMPP&lp!HS9lQM9LaHffPR1YA^P`dK0?1k z+>CyQ_%Zq&;uiEf#81%g5I;q~L;MW=4)JqzoZ$=fJH)N%cZgr2-ywd5euuaX{SNVK z^nUyXy&u0t@5k@Z`|*49e*6KwAAdye$Dh#q@n`gY`~|%qe?{-d?dbjZ8+t$fj^2-d zp!eer^nTol-jBP``|(foe%y`2lYeFY6YA~X8tN@_zV>9+g!}Pd4doc_$4FM{evD?N z`oB8F-j92s_hVi3e%u?qAM4@FWc{pE|JOjn`Y?Q_)-Wq_&>NHK|M4~457X~6!u`5` zR;nL40KH!i%u4km2ci8)W6Hf>4<=^(KkLw})cuOYO|qI2d%q&fH_vJo*4I2MmSsPZ zp<#cJ`!zEwD=T%sVz^(kS>F3K2fbf&(fc(IyT z_iHJ7zm}o*YdQM7Q4zKq&pM3Q=Z#AAdBgZTJREy0V*DTd?xh9#{X$FhyO&nzb4P3R zyO%cTb44m|ZJTvemi<}VtfSdqkEb1aJj9f@&pL+KvpNxbd`SP;IqO)~ z>+vAdyJU4u$H;s0AleH9G{+#>0uo61kRh|m?vgM z8s5Y4_F?^A-;?kM{?1_EtVn~2l%I?@VZW@@ch{#deG)PCDvTSRO1<+wIt{B70- zr{mub(*L95YiFYMbs&z%v(WzL>~#G;huHDNbJ6>F5PH9!hi8%Jvb`G`MR@+titPP8 z`$-(???u#O-_H?;eC!hT?~--&|7adI7|p|mpn2F(bpJ2Ickyz(hWUqaJ{CuYd*9TJ zIKIpJ8nN9gnSKC{z_HAC6&^%Ju{hojMYI0pT@onz6z z+j)Ifq;B2FxU3|x&$r{z`dfv4*uMn2ywlz9YIMIRp!9G?Ht-&ak?4_NQbID+|Z3Hx=c=OgUbZIruTGtm9H9Y?X< z+Vg%VvFG6~^gP^+u6HK7-g|H`)9*#s&vKz3ye}(~If(dvbliS6K8_Dy1D-$UpyT*+ z@kz?(;Z|h%@ZRAeV&6N=N8dXuEsC$72JycPUTB9-~S4&2ix!) 
z{2G72Z}1oV7JtX@@Ia39du)O~;Kt;Sp`RR>`02m>WM~(ENw=zE<%D8FtJ{Xg1nQXj+nnq9P4zOVTccT&C^&BOlU`qU);&iW@S^?Z-yVSBRv z%}PDrW5}0ka0u;XB%8beqv-EY>R=V_h1FOW&C~Wq-viY{+u8cqgnq68nwRZ^=4B1h zylh`IAKMSj#~Pve*#2lfb^w}>9f;;*2ch{`V>BN-7|q8HLG!Ug(R{24nvXR_^RZ_5 z75md1eXo&$zSoGM?};+e-y3A1?>Dm1_ZvCck^1LhE^+RZ?c?&$_g4A%9v0wcEW}T- z2z?$a#;>si7h);;9;OU^4^xi5hp9l{!^F|^Q;D9R!_f0{IGVQ}fu5%p=y__1o~Ksm zd1{TGr#9$$IubokN1^AbEqb2Xq37vn^gOjk&r=8VJRO7P-5t^2y>!A`*nVdmne38% zEM`yZlHD~s)h;0W*Dd=v%%9dRyL-AES>GwyJ@5?diT$w`_Qm6|H}=Nvcmf`aCt?Te zgGb^?*b@8VVR$l@V?Qjx{^{*u_+8Ga==-SC(DzXT(DzZN<5WBYZ^kpx_iqEy_ityR z?;X!Z-@~1Q*57l{_i%&IJmNg`J>2=|d$&-@{#uzK6R6egAbS-id>8 zCJw>-rVh=%JUfy-Z|Y?l@=*-;+c5Ng8;;&@SD^1zuf(M|0+-`e=zVuJzJS-@8XSr1 z@LJq}*P+i%qwo_PjazXHevM=CN4y?=jv9x%a6JBvRT!Z@B+%cVCDGqYRip0>C!l{H z^aeZ#Z^R}z5q+O{Q+8xxQH1`V*yp&(cqLB3kvJ7c<20sdKPQzRAHoOh* z#2I)m-j4U<9XJo~M1Kc%7y3J}yV2i)&BSN$9(*3}#nm_~J91+o`*$Dl9^(7ayl*!8 z{PqC){5A)Dew&NtgY(emw+GR@^C2|voR2=gJ&ZoTEkK{&7NXB@i_qt{#pv_fBk1$n z67>0PDf;~ODEj>N82bFS42LHl&whe>Gcd7SL%l)n&lTBEQ9e5Pq=s?~`Rz(HzkQna zY$85G?DN~R==0liXg<6OeSUi$XC`0BrXOK^@I?*l!|?pJIy?1!+RNy3+!}lk*W$zY z3NFG|aVfrr%kXu40@vYF_y#_UZ{myi7Oug!(dWYT_&?vdZOHzM``vLFWL)&!5IZhP z9DRcKW1Daq%e{}c;|JM34}O^a5zF~Jh%C1``(t94!!Vw@h52e~KFR)+>5ivj$frL; z$5TH?$5X#R^U1AfUi~GSSAT`G6WiP$&ezu(&KENN`EB+OO!qzDcdS1@@_mSXKS4Ru zf6V@g>0_C$<9J{CGv0{5gz3L#Zzq0&>B#)QW&go?`b2-%FwT#Z@5tUsyovdccvtqH z#J(Ry&cp6-zB~`?S9o6g8+~5;hxv|P$NPVr$$9)2=VDD*566-di9ScHp65F0crRQ` zTo--sx;Og1s2;AJ&>*Ki4y$gEvrkUyeGx_v=C~W8-}mo}b#9{n$9mWZ8{+id!=n8*2RibHPLKCT&-F}*puo(%TK@492e z^LSp)#D$oJ9hjbtdy+Xh`ON3**P2{XG+{&jZolVVs4&7d;z&FM1C8Ui4gaoOBTSUi3Wlz3BO9J--0gPPi!N zLL63oQO?EekMBh>y!X6>^P3r=|HoKlaLy3Qz3%FJ&!LoOF#R%Y9=SYcSbDntIB~`J z;kX^IK+ngO==lWxnIiXCtocE#z~6K}>ocnkK&TX7)HNUtBm?}u(je?N2w`um|f(e~vo zw0*f7ZC_@h?aMv5Ki-Q?aTa==??cb?{g_Mn?DTnlfY`sMF$Y`WTFHWby>_Vy_R< z@9mS@Fdgf3mfM%|-qHPX8>P#U{%`->1JbeD{~eg?em2fM2)LsTiBZs+#3C&2_xGS#Ac$VL#R!?Z=2IkL6|&+n;5k{TVUk*||By_G`#Ec5ZGS z+p#}GrswAtq+?|KyD+zy`CWezx_)AoE6J@OcKxO4>1F74%G2{XJ!f$|w=&Gn^FQl7 
zxcac%!_%=2tvVvNRam}dZi}#7%Mja+QqFc-=eDD~O;y|6HetTDxkutL#7Bks+lJ}R z&wR9tN9P_xc}{hEW%&*vcDiw_s#9)9Y=NDb-*yO_ZKGZv8_K)pc0qpsm)o7`-zU4} z9)}lJcQX$6k>xv*J#%~Dpz5Bv$5XyL*-KfD{-5$a$=C+GIX7IGc0$I{iNmW&bQMsXjONyil(OX{cw&dM?O4A6wv<@z%QwHB84a&U3%U^xX*4w@3R@q=kGCZN85=zu+?my|M4=~p}TP11N8rR zC9!$2e;42$;+1$W`hIa%*gpL~`hM~L5YNt?!*uuO0d#+AJ$W2$ zN0y`Q)Dz5a{=EY2&!6P_m>)hxY`e7*&BLEY^YCZTJp5Vo{5^-Bzg6h@dmcT1FQEP2 zi)g?9658*tM)UTU@h;|HgZ_?tEt;=vxh8cVyh?q&g!R;F2+t^aSN>-C#x zy?-k`|J%4RxjtRb-}(RQ`9_Yt77}6UM_o&P|PnZ(+Y`5})LLnwuIAN5;cH%l$kzH6D&(9QF%zJbWuUKKCU$KKB(q zvz+mN^!Ey1qvNOFpx@Vji;k;)hmJdbkB&S3fQ~!#`2HWm z_x~8a|HttCKRWKX1HLdV-0qvLG{qvLIdpyO?aqT_8%(DAmW z=y+Q*biA!OI^LFnjt=Jch5uH-Sg3Q_X6g( z-MtWPcQ0c7w!0S-+wNY1w!4?2?e1W--5r8H?+iuT%gfN`xXaP!xMApX+;H@GuRxFY zO7wU~pzZQi*pB$>aNHyFt_jCIGVi)@+}CP2ZsYFJQF;G6KOUPmCeJ)(Y~DDI$Ncqr z^gI(&K0Yr&>~UA2$4yLmGOwE0<45wX33)fL9gi28eq-Lmbd1b*Q{E)X{jOO{swd}7 z4f``i!~S8jSk?5rX<_;4dE`;-@6B49SB38^Hqn1K=Xh@m$2%kMcGhn_LF(@vd3O?9 ze=*eGyO^)0=I*?iOt=1GsK3ibrt*M$iOmCMp?Sc4;r!A6qj|t=%I!BE2-};JH<$I> zza#Z@UfzT0?IX+2&wD7WZ+_l_&|W;OIsPAMq<>$SwId(DS_% zJ>QR_=lL<_x1KFS>)GQRkM(RhvFH5>w4SX%>)DfNJ$nj0UtV{8n)ndPpFzJDc^18I zYy0O_dA#R;mHr>?pI^YnEcYTFiZ7wx3)Ig4GW%zLz9v2YTFhtqE9iF+ucF^UyoP=U z@jC9qde))u*WW%FukU9DQ$Ffqf~DqyMkA5~r}= zhoSFb4@dux)Dc+2dRyRL)bEz)`^{G9cLS|)B==z(^t*v0(fvIN{cfNw`rSY~^t*wh z(eDP@qu&j5K))L}2K{cJBl_JyC-l34&ggdo$D-d2bV0ux=!$+fa2)!cwHx}LwLAKr zwFmm1wI}+XwHNw+{&@8Ld~fvq{0Zpa1vwFYpWFwn*C(O%x-VLh&4_Q%41W`*HDh3USEjT>xN!`Sc_lo}8RN zmGd|-F-609MC$Lf{F^Bsot&gnxD$2ZzDFJo`L4mx1;&=9cVs%C(caX zl}|rK-g&o%^5xsU9>%&YIsPvyEI}U5PzsG$h%=c{mDq{cM z$8+f4`ygid=ks46HXlch=f!Y*9uMme`O0cEUwN7N{2ksJ^zW#wMf25Hu!{5iDo()H zaDUF@>$sVC9e#;#;GX20`RiGqJPoSfHV(&wY=2|^J7K>z=5N5giQi+nUK8Kd zFph2P-^191{ymKM(Z7fB0mt7h`eFV@#QttlkL2(3Z4T?*lK*j7@0R>eneVvhCmQli zig|4(D!~@aqWb!^1sAk)nDarV?TWFhf&8%eZJUG^-cb_`Kjj$4Ef%7 z%xAv$J$n9rK=ZvH(R}YGG~fG~`OWu!LG!&|*&p-0?ZoDLzoGfw?`XdF2b%BgK;QT7 zMBnf1LdWI*MBn%BMxQhOLZ37KMxQhO!I4~#J?Q(Df6?n&gTB{_6r{Ev#hgf;g1rh- 
z=Sls2WnJ|5m3yPlGxgBlyVghRLj&}AXCJg)G(_vgzPM%q{XhENwGsN>b$?^_>j0d@ zdX(Cz)N4$MV+4oC51(u5qZ3$orQ3g2DppWr2qGEvdMqposE1k&=R9+#Ac7zt_Z4 z4fPaRE?!U`=8G3pg!$qHhcRFOiIp1Ow;20g@o@CLT2tplzJM{iI8ofW-Gher8hk|2>y+737CwD~aNhh?PbVlpR zvFLlyE@(aPij~|?$D#LCw{Uzt3c82m>rv2)^&c1QsbN2jyGD;M=$($$_wOg5@83^E z-!Jt+-?N{D-fw+z?Sy^>C*!c{eg&s+p1j{M{JqWo=>N$`z4sYVa9V-Sp#uueU_S4+ z)6x5lnDR3V&LZ}{8;IU_#FU?1a1OEeAM#v#Zowed>-~mIKd<2Ybd1b*LBWNT`&_F- zt1c?IgmSlcF}gis)^lmWWyEf8aC-U>bh|^-^D&)zcX`2;#C58#C>R#%-Ed>--4)7u z=>IWRbydL#Y=PH?<*wFHU#|(vjWiDR6kG!Q zKCdhCoIbuF5w2I2hURdak;g?bak_7Ti;idagpAtL`nBRgikF!jNy?hvu92qxt4+G~avx z%{S+u`Q}_S-<*f$n-5~$Df0^+!g|x^7cAvEjHrINU_tsiAo=FPf<@^V$u}1lJd%!) zd~=D*h2uu@%|{ECQ68J}n1*r;`R3zjzPTLDH=jWB%@t_A`6QZeK85C+E75%OX*Az_ z2F*90Mf1()(0p?hnr}Xj=9@2|-*3K%=94d>`Q&OepL`k3C)c3)KCnoqus=9BBueDWPMpWJ}vlN-@|@?9LBe6Qer&eOoe zCJpBa$tOQ3_=xh+$qzM@W5_2rqxs~=1*v>;3$gj+CulzTDVk4yhUSx>~swI;;+nCQ?tF`H>R5}V#pVNNAtx$(0p+RnlJ7|^Tl0gzW683PV9EO-Pt{;UqM<7RuI<7RaW?f2;a(Q&hSlzSi6CyquM z6z)@)I({T>Shz2-+d-CZRJdPQU!%eU3cZf|YuG;|k2%<{Ig2c!FU z2-?0Lingmw(005j^P5LCL-U2^g{eFygV=UGhUQV3Xdab?=26*b|CfXIf4OM?mxrE* zd>sBD&;RJ}iVAVpT;Bhqzr!uY9m&$d5*$=rT1dYXz6;S+)Ti>oNM=9Q<8z2{oc*<3 ztfbs=x5LuY4>zV=I|3blYJnS*EeliaWGfBlskWVL!|~Zp9?5oXACD?bwU2Gl_OTu1 z|7{=J7pB_B4s5?BaZF*y!c_Z+w2z$%I~S(fM-1)Fv1ohK1#NG-qV3IbXnWHQZEw1x z?M)A~z3GXzH@(pI=6JNd>5aBGC!p=kiD-M%2W@XoLff0ZXnS)q+TQd-+nZC+_NG7D z-kgfIH>aWP%>cB$IUQ|p&OqCnGtu^DAllxXg|;_mqwUQ(XnS)m+TIL8+ne)nc=G(h z3qw7*h?zdJ@LHyOe<9PaD;!1abPVmuXy&V_8B;ix z>9!{r+LP-7f9P1P#ZV+Ww7Uf80KCQ}5H8(ED@} z%k`w*Pez{$rcmA`-L7n?npQYHeV=2v&u>mIe@lA#ThaUcHuOH9f!^o0Gr#xw9q4_2 zC&%UU(p|*f=Xay``AqaazX!d~@5L5ue-^qw_o4Um{W$Ca`hV=Pi2fgK@8)28=AVn5 za30!DJczav525YEe6$^S7-9eq{R7h0mm8B!0H= z|K?|_XkW_NkJ@(W1=eS~^rGz$zJ&gcZZ-Dc`R-+OTzw5XuD%u>SAPXv&#P#=^%`zW zzMgKk*8R6Whdk{~>bv9LZ?V0a#M_1I)9nz_4!u*jA>9sP7(d;Jj-S4Z{vE>i&~eR8 z=(y(lSj6@}K*uXTM8`otLdR7%qvNU{qrd0cg2yrr`w99x;ZMrMZm@OSQ?5!F8y{*=Cd zkUa6{!e7!ck|+LJxIG;sdE##_7w$JCPyC~BC*`pzJ2aGI$P;&=dE%dFyS*E2um3{Z 
z>%YggSOWV(e`>@w7uRBZLb@l?e+d>dwl@fULT0I*9W2Pbz`)>J{WDU4?)}OL(%rS z3EEya#o@_jMHxlr70orAAEdpG6=hLAI+>}V97B7Zjkec0MXB~Wm)Q0?4{fjW(e}Ck zZLbS)X0oWretAZsSi|~|_PDgDqA1dIKKDymQ6$kNT5cSkmyqf4q7#^Idycf%hlSYo znwaTF6t!Tw?I|+7Wl<|)r(Lm^e0iX3@ZOtXsG)XW>>n8|??q!5Hnw zxnV!gD;gB`|Gc6LSiW=gd=1BMd`$GhqW^wR;P+)0Gu{5;5;Q-)G%Qd5kLJfiLOitS zGNyapYP~#^4=Wl@x#zFeD?<5|MI$Kp{MC9DvH9H9OpivcDH_T7vmPPwwMEwvdw!Aq z7+o|9SK`=kKaA0Eosm5I`l4|~sXQA)|2sZ?U8>U8C4u%kNwnXoM*Euy%y0jD1KR)I z$a%50 zx|8jDU)|1pU7~jwhwGx&hr1~66urA>X1W}y5BC(^n~stCFstakbgb5g`_cL^8?6ry z;1qtxJcs%FMdlXGBX+z@cg>~$$M2Z`A#_}EK02=WFgmWd0DofoLNs4kgysv2(R|^N za6C(kmSCO8(xS)MPUq;O8ji>KnCP;i$J4Po4!0c5AD+NNUfVt{l|MXH^kk9!`%^_v zbAHSpR-*S6G3Cz`JxAsKcoHGFKB=EE83rJ$KlD}iv9@q@9!G!U!*_V zQM4=cXFD~NW9ZNRMEkSd>Hh35V*9hd(f;fov_IQ}_Gka%%w$cvKZ_Lqr$5^_m-9;; zo?G`SPJORY7yW-8d*jJiJH38!Dt~N1x%uNh=yw(k(fn~=^m~u}(B&JU%kPgHlLxq6 z`t1Y%yZvyz8yBap_rb-HhFzKekmCRST-&5Lb-kOi{hCCx;^xJv>y2FRjN({v>Uv|y zA2ZQ>C=1Q^veA4m2Yp|ki{^uQXuZfs>qP-tFAC9mQH0iuVzgeAp!K2@trulzy(mZP zMFm zKSSm_rMN$_^I^z?PG!EDn$wC0Fx@-|LmqTGng^YM=0RtodC)*K4>}9YgU-g;iF4dO zdC<8U&KJ@ypI3Z7)9tU3_=4gKiS4J6_@d&AiT%61$o^guj>G+B`OppzM%&>b>|clI z(BjLO-}X`e;5aWw`h>^Nef4e$fA;dB(LN zzOHx_)7|e{M~Ct;#bYUV|7*QIl#eSOPr1iYYZbA1MuO?lNV2$^kIFCr4F}Zk3aVpQikY`LypPy;z^D`aopKeC`r(4i|=~m`9&$tcE zGiGoe%`oNzuE_1OC*I^#|e;^)2-*?jghUMoI`<>mx=y!Gt(E3Ju7W$(_+(-6Di#e{E z#3RK^((Mz{J}oVNG~GU7`1>l4q0hU^@CAGvZHJbl?a&iwJG26Ahn_^+p{LMxXeHVX zJ&m?Q&!FwlvuL~X9NO-zLff6^(RSwrwB30TZFgQm+nv>DyYn&*Pp&C`C0ysV8m=?a z?z~$3dT4iE(@>6~-C2jWJ8z`hoi~YXZ{9-No43*SW)#w{q~Umx`~3jt zOMJxsBJIXOC5=l`?FNQ+<6!3V{2hXxzeCY>qY2t>G)3EuX3TH9(Hw0zGFY$eMvT~Y zBNJ^mve0%T8*Mjo(BF^dvYysU^GXU>Ze1i_!+s*=g(bz5zZNOdaDI^EDk&+W{KH78 zhH|95yd+Nfn~@3)7O3Zs(l(b?#kGCayyu_5ZE;*9e z<8Ffp|RUCGgG&*Md=w=e0Cj*;UyrleCizK+WFSByuN>s-<`Og~mR z&Mq4E4_VJ~B|XCQZp!rT8m1%vH?LPo&#<0eCC8`t2U)In$=|I!?h{J-g!6HthUJj* zlbp`^=&PaJ`B%{{^kcf?lBblU^2+|`cgLrq-yNTZes??o{qFd5^gG@&@Pqpq|3~xC zf#~`6a3L`vUf(CUIfOMJ1{H5^29LF1e&6 zm0w~#|L@tQ==ZvV(eE6Gp!wubG{3yea=!b#9R2;!Fm#-8I6BUF1v<`nB|6SH0v%_( 
z3LR&>8Xaf61|4S{iFK!3S8^@Zn|@tM75CkU>QN=5)At=R&N!xIY&u598LuxHmyVHf z#_=u}jvEx}oaRNHdcmq1lcq5uePejKXZ$k6yN$7avWOTf73Oe36 z6&-J!hK@H*N8bC)z*Wh4znkqy6Jd zw12z@?H}(&`^Q;m|9BtTKi-e_kF(J{{Q)#jpM&<7bJ6~C9@<|%i1wEcq5b82w7+~9 z?JpOg{pCU&o?KM&2X|H_ezq5jTDto(2NrG0*;rN1h9@{U0&YpD%fV>9*g<^cPEB zB6d24{&6+))zrLPvWDsQj~M#LwP^qN3fe!uiuRAMq5b3QX#cnlXD8lpyY!E5YB*lE zUnlZ*$p)tT{o;DopC5TA#O7&~Gks&pdrbGc#dp!~7L6Te+!Ut2U-AL5<7CM3d>D?; z<6-@w{oIVUpC2=y-$iXfzl-_={VwWLw%b1XS;^*uj^^Jo=Cslpmd+oRKJa(-)_kA_G9~^ z*I_@j|7wKxU;Cr|)&b0KzkMLuZy!{e>bDyc+m9WL_S=V`{q~_~zug4=4zelw9b_}~ zd&1`EcaRzAb&sLfJrlj|S**W(G`lp1*z2x-50{Hx|2*{i=i{XNc>YJn^9s@Nydrcw zuNeJ)uLS*mvJ`#(C_}&FD`z{I5uX1s7KxWuQtowCzvDZM@(iXQj?E)Sl(tAuSJ&5) za`Tr~m=kGT+9o|+{T}m3^n1*s!u4ub+7|0X+Lg9v{?^f>HEhqgRkTB?&n;p5;qNAN zD(zTm|Jib3r(rsVe4u}6B=ZsONBZXw zpT_#l4+c=~xYOxqesBhwADoHi2LsXk;4Jk0<=N=_%X84b?|Ck|-a+X9XFCu5|7_=@ ze}D7>G=I1dE0*y6KW-?|q4`-9h^{o^RKe;keW zk7LmOaV*+DUXS*Vh-kq3-JeM`l2OXsCy zqB*@-9IKKMVdVH9UKfE}#8I{KN0 z>BjA%UzGmee*8GIuSxxY&PVS8&L ze``3tRJ^D3-*k*@zos-&mb$LBMv2V}>XdoD_A0Aemby=nc<-`$#9nvgd^9Mlk1MfZ znR&rJ8tNyK7wlWMUs)pU-VtM=AwUJDi1^dkJnIM zfY#qawEh;cA8n(>WhKO3UmZtzDf)k`%FzE~RgV50t_rkX$I*VhGJPC}VNT@mvLh&W zJ!-$+0`1pZqW3{7^gd{f-Un^a``}2lo*#wQ|F&p7X~%loM2{|OPwaY;deEWlm~^aB z>QBdTJv*0m!a9-8WnGx>=;*N;mNRY_?OOJ~^M>wa-OB9eyO;IkI(Z#?px2Su{=cj@ zvDfo>^m-CgenQ!a#9mh5Te|%~#xG`+-JXt-@rygk z?o7wX_{Ci=7tSX#elfG`Udm%r?$J<=Vfk%~XT7u?XOVPaRQ8e#* z49&Zip?TNiXx_CP&AXmJ^R5+W-t{D!cRhvXT`SSN>uEIadIrtAo<;Mn=Wuv(RoM%i zpMioYX(`W(%>zCiP?tvEaJrQ0X( z`bxujLE6i&%f4f}{rxwrKR@zqh;45vXZrVLKQP^X9f^M|`-Rx{`6sj={~7JaDQEhx zWxuhWHIeNa&IeNdd)Xhv=3VOe#}3M)k)7eZc>L^7Xovqq+u_~Jw{$Jv|DpZZ->kQ7 z^q;al#O@y^j*9+UR+Em^agIoNs-KFMM-oRy>y+j^&-b{VEF-I`2))vGre{6APv)vTSX5p|G)Xz zp-eX)Yl7xuO~dl^|7bqeJj5C0Sxoo(#8^*0O}w$&tu42l;a^2+mxy>7J@ z5Ic@ih~{NQVZP$>GGdRn1ihZ6==H2EFHe_Oq|4)Bxytgx+3uRiVH)-)6(3RFA{`_9 z(XzZ1vDdxU*2LyzZI~X799e!;dFnnw;X^ zQ+X;c!;qJCW_kPbW6^rl1;g_{hUb5@|L(^8=4IW{ysQVu<2Xf6V*B%6XkK*2veRd^!pN&B8 zv#Zei>}vErx(215(evK=yV!qbV 
z@fwyhZWT?GC)2Sy?p2MBdrd&cy;9$wO)S5$+`MgK`6TLv_2wqD-VjqhxqK?I^=ArN ze~2lcRz98BdW7VGH<#bSdaXCe^jphsOUFnaIHUZIuwS=p*iR%6ysP}qF#lcUGsE<| zHB3j=e@{92U>J9*%?oFh^M4xG{?GW){mf@xIGb|w!Uxd5M>7X+Wxl!S|8tp#=7|rY z%RhwXd-KtJ?_o55T!7|%3(>!Gvj{gP7ni54$V7Op?Syi zXx{Mxns>a2<{dAgdBTnUPbec*U-Gg3oHSa+3g-=6lzCg_M&&$7Hy6q=2eQWub#7@VMPkhCEH8tDH zzh=7m1crR#8#JHz7R@KVL-UF6(R|_uG@tkpXD5DgyW|r;YdBuFPyb)Oo$0ps$o~8m z_Rsxcdbq#-K<}>|%r}vGxDzkIU1)pxXISp9^4(#5f0h5kezuJMt>L~fZV}z{|MjOe zOt(LcRHXXTXodU3^FP|3?nSx%Ufoc>cSSv7_p{de#P&-Km>!MnQ_-*@b)J!U--`W+ zJr1N_+P|U^uEYZ??3WJEa30Y2{}qiZ((nI?H*vfNv%KxgA?WcRinc3F&~~LM+MYCH z{_y@E?UyntQtfe!*!Cq8!~1^>@Bh($DF^L`a?!ufoQM56uleZTAt=DJi3`#5U4)+R zVzgfW%Mu&*TuL+^oWZ8{hZyZqGg5c zVXKNZ9G}PE8a;ku%8#sQOYC_#3Ox_Rl((xmn%MJ!w6EG(9YunTA6||eQbF^n+JiaH}wLR@+IUbKkbG~}x z2Ie~36?IY4Yo>noSBGo=( zc)xx+-p=#a8R&D}nb>h5{XhDgdKUVedN%r;dJg)WdM^5$ItYDEJr8|OJs*8ey#VV@ zxv1hotT+9lip#0DBdRa1xFlU~k>}J)D+Z@yM*E3daCq|8iW!`jfr;BRoEM~@xV_>|%10;f&`^${pSTO{ zC+@CD^%FCR?I-R*`-yweeqt8dPuzzyllO;uHzP6ozx9sxYEH$o)Gzx9q#u|UV*3GN zrax3MpXs(|$n=LR77#lfLqD;Q`D$twRV-$@{RD=7;t{l;Sc3KwOVNJfQM8|U4DBbD z;q1iYZkK*yxrXC)`+VnB@g&o)Uqt_pJ`X+>%2!rAP27h24cX6U!hXA-EEn33=g{_J z75jBW^!bVxnZIlG3mX1D1SSrT(*NUOxH_z7O~uP${c9@LQeH{9R^TfvKY0!PKi-V5 z;T`xo4x;^AhqjY%;Qlii|HlH#-wNwpU-5QW@A`@jtS=sYN5lJAx1-heTcS)AEE8xX0#prnECA&wxIpOC#>H*{ZnGw#m~@w;d8WK z_yX-0wld!l(Jw2u5qGWrO2c_FewpL^n(3aeZ;1Up>9@q5x9`I7{ZR3JIKCe$ex%&< zrk=N-n71Xu({eqsqU(xfo9X)@)q37>+oPvMguDSI8cp%H~#Ls;HkB1QdiRSCO z(R}?cG++N4{XYl)pubn$gZ{4MU-Wv^g#C@iBXR3jG`?5d>rqF;`8O_)){Wagc|B73 zfBks9xcy1}_&)Je{c3>LFJj6Y#`h!kdhCl{4`Rw2#rG%nx*+}20r3Obj@JR1eo(w| zI!5}ZgX4#=ea{=xFExoD8s=*fZ<;R0W^Ly+i)XT&=d(F_J~Pns8AHz})0@p&lNHZP z&zGH^FDE@;ZhAhZvw!*V0_OL={2kZoAz}Lwkj^+r8r_Qa(C)f`)Po?RFou-99OvYPb6m+istXw%h&C zcKZ~x-R_Swlc&bb7iJ_*)383|JHpfBXL21rkDQ_0uPeqQEq&6O#du0Uc+?c_!8lGJwCP<`i*Mz zzMc@4yCFW2(>oc55?!lQ_m+D`k{xJ-~4<5dY%@d z?cO4^-CK;dcaJc?{m>G$A6m-#?S~#Ew*7ky?T413{m|oRKeQaT&)q)m3EVT6d>id= zo<#eDr|>-5xs_Od9{qoMz0a`S$xEJ%uOfac@|=d_K+2zwzexFqkry1J*Nn$%paH?DzV} 
zN6LP$7>~5iAICop)3<2i?Z_t@jtklD*7#>Q6h9B^+Zz7@UnSlamitmUe_v@>4r$-N ziGPhP@cS^|x5|9qX_yb$zaQg2U~l}1`8-}^xu5M1*zaHB+ga|-$gdifL&|>({l*)S z-$TFQ`DXqM|IRe+U9|t2UGbgFKM?<3h(>=kPE39aIf&#Ykl&vm?`^*ahq0+bq8qI^I8vy?tc?> z|C^%w-wge~(aq80$Uu)Hh8{;IdK_8kab%;%k%JybE_xh!=yBwuKyr z!cL4g7o-1Ix&&upDf)M&%g}Mda&&yK0)76CEpP{-5f@F`IGRBd`zq(E@W> zt|d05ycIgG*cyEg-3EOReI)uG`Y7~0bX#=Xu^sw+eKd9_ZjXK!-vKu!kE!JP&`)>N z+Ws^A-m-IL>i3q%R;K>nMi=z&3w5nb{e7Y1(7!L#tuhk+-$r+QmgDHba+gPXR`z0k z^Fy^AX8jHPKODU)BMr7bn5vieB~PsEQ<=(hu<1j|lPddGrt%yujne;DM(WL39_Fv- zclD=j(F4)v=(EsqfwR%)>2uKM z>2uNN=|Sl8^m*v>^!e!X^abei^o8j2^hN0N^u_4&^d;!{!lmf=!eDfKVF)_DFcckM zxC|X%xEvi{7>15749B`tuB^NQ>rKD1a#W?`3nMD8s!UxUWPIW3%4^awGQKdf^4fHa zj4xd0a^ZR+;|rrJ$5I}fGDbr=hVg~#F}(jr|9k=^m~c<==T#3qu)&|z>*d8|5(BN zi||DDdolX=vme2)_zq(U9>(;gIEwv$6#r)bAHzw+%h2D4JdQULFGv4g))Q!+zXBca ze-d}GzNhda;*~fApT;Zj8T@}--Fe)M)&KbM8DtGf$rhrJa_{?or<714MYNX|p_Gai z_Y5hC7HulYl8Vq~DJ7Ijp^!=o(Oyc6UAlj-*O~G7`2PNSKHlfL=Gw1w-sfD`%(TSC zcs#y|{!jT^=>KFdLH{TFZS;T3m!kh$z6|}}^5y9NmcN6(|M4#R{>KXR`z`OG{gL<4 z{>TSte`F=v5BU)7hkS(gLsp^vkkx2EWDVL6`55hoe1i5v)}sB8b!b0iJ=zcX6zzv> zz$@@Gv>)<0+7I~xhr~B_{EF+oU+hZ_*FDk?`MTpK%16Y%(NK<|AF>(khkV;H(GS@| zY(Hcx+7I~-?T37i_CtQaN%0>;JvuS=)1md~UG->(w{?sJf9)6v|7Y?SOxvP?5a48xEjvH!*CW>$9Y%- zU&WfZ5NqLLtc`DD9efuL$CX$YS7SX~hxKv#%e4Qv{{h;6{EYG=aU(WFf3N!}^!K`t zM*lau5q`t;V{kEXWAuCHO>hP_MgOO|8Tvof&2cUsi!Wmf^na>bqW@Ff3jgLFs-uNKX&%?*@e4LDZaP%9D|6_Od`vUZLWcuMWruWCClwXL? 
z5nqHa;>Gw1UV;npQtZckm*L2{wEy@X@fG+c)2~Fwq3*W-1R-+(vcP;4`b@qhF^gPYLrvkXJO&vG;R zeU@81-_cuBh7+5AA?M?^lo8=P-Ij6((~pbZuAzTn+$wr!$|3!3uIGxBSn~7gdm3@{ zIo2rj`PgXmJ&n8gy#3ZO#A_?=PPr!~(I3XpA0C@L|Mw=(|2VY&cOTmS8;|ybCNRJK z;rr44@B?W7??JR5{1Dm?o{08?AI9rB&X1tuoR6a8oR6X7oR6c|*(BW0@Ay1{j(0wZ zJL8j6p2AB;O-^~5_3w?-{uBGZvs3U^mir9$;Ch^jUXRnz>v1}IJ{4 zUCu|Z%LV9lxe&cB7opeX>+GM`uE0)+)eq%xRLTt(ElY~i<|iTIy`MO?LRtx{VDpqbp!gG_A~T%-akkGzxWIEe~LHa z737IuqW?ep71m)rU!%`+zrkZUPMf%nYehDvd`s+oqdvdgg1$$z6@9PgJM=xG@9_ux zfzLIMF#eCtB0r`4Ou6-}`X13Qls9Giuh=B=TgtZNboF`g@96mZAL#wP9sR%WKhgXA zFLb?s^Lg*Hf3Rg_N6JphU61-c(Ju6TqTOh{um`Od_M-K|K0envxpdaTF$9GPA}^@wDQ%-10GNXi{|*Y3+3rXI!go}52q z+@(?K(cyEAQjekB(p;Z76qq;&}A`TTej$ueB|9X1m& zF*0tEmf8_FVhVnZskj-_lk;Kd$7kTWcxGy%zn-O`y~ofG&Ph%5gLC;@Wh^f>KQ+;> zM*6`8sfDSDel>>vS`qsDnZ@YuXO^J<3sj0fyh8hrjkxd1(f)4_-?7)ljTT%=z`RScJVX2hYO{JReiA4|c%5*be(8*N4@2v%US%{>p`Df8`>yzj86! zuet>7w_J+$TP{QUEtjMHmMhSH%av%qWdPc5xeD#KT#fcyu0i`P*P{KFfoQ+wI<((1 z2<^8FM*A&8a7g_6)S;>NTW-*Bo{{5vW9l%!MBax>a*xg|BxZ@HD&e#>yQ z-!cO2x7>#ITW-fm@jJrxG%;{1}=iKaS?flWBaF@-yCn53{1M+ymSglgma{Z0e_85sVvoZ?-wEaKrmmpe z<8jdUh#lv9pXt%a2dOJrp64HlKTQ3I*yDxl&+61wxClQE*ZCR^=LN|lKS^Din#dzD zXOyp87{JM)I5OsedM8B%k>!_3vbiZJ+;Y^upz9@$?z+2b+P|1Pwrbh|EW-b=6IS9G7)c`!!6=@KRj?mcOG|7&hW~#) z4AaKWA6Xr!khPJfdD&-89?%dTB?nT+eTP^!yT2-XN_Z zvFG_n^gI(&epK4g#GY?#+_j=n+A*xp^NUPxoYo{6YnM^Y)0$#GY=+(O*zh^}|6%?X zX~%{6=>LcL=>LcL82@Mbz>3ysC$PR&700Kw!S-nE@kG|&Hti(h?1~O)?ZSK=(%NG& z@rl?To$ma|@i{roe52*4j>_j#LhN+n>id?3yd#Xurl-*!6K7zj7wG?Ecg(_HD9=XQ zmmKtWtaH(EzC0Ys_+>tJVg3SiJi8Db$1Xz0v5V31>k_nGD@EJ6GW5N(a@@{(PC>^f zJK+xEQ?V7(PeaGiJEP;2r{iv>pMkb#UGT0KdH)Yb5_d)0scvbBcB(tE?d)0DpY0@{ zX|R#c_ef(r2hYJR*b^Pk>4nL5Ci)rWy*ZxN`{$wc{`qLV--qk1S(N@iHpL6D3HHOr z*q`})o^c`Z?8rrFthZW(-<@LQD|*K=+JC0U@lqUvm*H5vocUWs|GM)E;$e(WU5SrS zJ^&}-Rruy}wEy@F@iokUY?St&cp>pX{GER3b(A-!d=T+U$_L|hEN=*oh|&MY^_1U$ z?&nbEcYkg~_va>be}BXaRj=*x1q=DcJz4NfgZ0r@dg}; zH)2Ivq*^szdE&T4N3dOS%B?p?q4nly9KP&-`SF;vNb`9t|8Dd-(>-_`)5l`FL*^UD zePAAaALZuJXixxbHti@B5FE_x&nj 
z^V8L6e!2$DPd`TU(@$_xd~GE@Lf^2*IZmk<8!w#9SeexV-6qtWBo2tAI+pvSQ> zZXs@h+p#G+uF?#*k(V?_$CHjl$B|l~<5exuai3P`cqjQv7#C>GeuVyidb0nI{txvD z==1irxGvrOVQ9w-(C6NTX#G@#KKCw0 zpL>^}&%I00JfRGI?p==N3#Xv@LMQaO_o-;!a2opDyE8t;^T*TC@qjbX=dfLHGTVJ7 z{!H8zrxABUpNDowpL3pt<_~AH-N!^}|A}Wa-#K_6pX-S)F)q;y=Td$yzKp$b0iK7C zbN)9*OdUgO>&t8Srvsa__>@{dTdo5be4n*tO>(F|35L(X;M(f!jXgzy94vF88eq*=~ zhibTO3tG?Knx4q7h7()QjzH_#+t7OUcC? z>BrG}dJ@wAcfI!iH5{+R`X`6&as9-ho}Pl%W6$t8@4Kn!eK!p=aXQ=4C`$WJ+>Q8I z?7wto`g37_X#a^XrTlrk0&&->zbCK84=OS;Q&qWra`}HQeUvHuNwIsP; zZxh$ycq~QtZyEN&<=B7eJL&Hx_Y=c@u0Z$mJ-iy<$3gf3?w&^fA8#Q35F3tKpZ*aJ zerA38Djc?Sefny=4cA}=evEhFCwK*}#lZ{Lr?12D#GkVMDiQks#Qu-$2K?9Yf409o z@_G6f#Ew&|0c+OtK;+EP~Md3o3Ke_bNV6u(@^hk;XGLHZ%x+w z-(eod@B2{S|B$Tje?0WQ3H9^O+*jtCzwr6W*stloCF^ITe%_Y;d$NAU>g_o`f1vs0 zb~KOt6Rns2LhGf!(R%40v|ieQ)=N9ldTAG0FYQL_r9Ei9v=^!m7ay;K#4#H(dg&oDnYOvC+z)JruoYEeESUQ1%>Qww76r);)D4?+l)x_AE^i1VRNQiZ@$HToXC2;emYQYf9Is+d?zR8>xk>(DPceR#ZnL5 z&u|^3a~!;mGFVP!EHfi3Bhk(y*HLyxPDY}g$MBw6E_xm1p})(LkG8u7*o%H?A^Kic z5qf^5Zf*hGyRH;E17P) zflMEeaTT%CF|=D(Ghb!pH5u13-F6E@yEPDPx2{9mtwCtJH5hHThM?`%^*AMVgX`t` zAF5%0U4NCxO&P{<+nCS%_;%d>4DCN2 z;CS4Lsnnw*u`TU-1^&i!=@{F8bTpnZir9Kp8!kQAuHBU}CV3xXxDW46uJ4}Y`o^O7 z;l1d6I1arJ?_+-N!|~{SIDz%puH8@UefR)+A3liQhYz9m;Y4)%AI1{iOL+v{{zuX6 ze+=FJ$IAoZ)!k(;3gOU9DLD6b$WuD4&`!o!IT4 zhHgJG^Uuh5me~D3#_wikJjZg~Ze;rN880MbO}%?o#%#*Zno0kk_(1%{49ES_nST!D zeJLkyv1b0fjF*z<8S5qA?+*3IE3D6Ys5mc$;{2WQm63qsjgU)0g>qrZ3kp-Fj_u{N0Qd$$AKRZ}+{7 z_mlMy*0_}VhxtPNwUYbH`s+jHtBie=u`2mFr2bl+u_pOB4DX+QjJ|*R3Htu&TJ-(X zb?AGi>(Td3KgIFXV;gWfeui@?{~WFVzChnA-H31Fm-r!mg}zt%HTquZH|RLdCiHpe zX7oAdx9I-|Zb94Qt+)-pL*M)S9$&>D@JIX+eUI`d^gYU-(failw0`{+tzUmb>(^~) z{rWpvzy5*NuiMf3^-r{Z{R^#6|3>T6f6)4L2U?%*MC;RCXnndHtxxx$_32(565p5c zZ>UfAYp6$%`t(3XWvEa8(@>6~K8<81>eFauqP?y{Y&}{Ptw*b&_2^+ZDPBF3^G!Wf zL&I{sPF8W=Yh@;$Bi2TrBi2EmBOZ=EN34s!pH~lkKd(Oee%=x2`*{t}_w$ZK-_L7^ zzMpp#+7CGzeg4=8ll>2_+s2tq`5pOhBTba+cK%4DyjkY4ly8nS*HDg>x5#Wo`Nxr# z8m@Dson{o$_xY-87UVj~QFhFY_X%PpG&svp+6F z;_!bN82&HgVm$Q!GA?ELj20JQ8h>D_E}Wag5k@EsnOw 
zqtNzvG}<2Dg+A{bgT7C7H}1rH(ErgGi#`Xum-S@L9hW(t<$f5sPs4s7IVXSk(yqf2NPEcsBESrcbDNE^{U>L*j5f zA=6*Td@)R)ojEH^pKTnA@Og~Z=lst>-#?p6d9BF2%$JBA-_$ekWjrVLO6F^PzF+KB z4c7&7e&%N`4CMzx54<`sNL;yUNPNnQt=P`UXRN^A`HtX9@b;=WVpU zS&G&-%h39!U-+HycQfDN|4Gs--pzcE<$GPNK(8xe%HPjiN$mCY0eXEAQ~qJ*N5o!d zNWQcxb2ZELxH3Ej!fT@`BhlXmdvm5hxnGvZ*UdmoA}(lb2evg;d38HzSXc^ z-=7-hL$>dq%)hZK?qEKTBl5YOnft@%c4hA2bE_h|HGB@)pS@1!y5Fav-1&P}{F_2z#`eoyZ>^!swHab3Jk zSZ}}B@fz+o40&$btVEvMj`dW=+Gm}ZmFTAKGwVGPUhd#0a)jw5tJ|3CXwbo~4@+)6*IGak=&o{o;=pMic4 zt_%7-xHHl3zjZ~w|JDut{#$qS`)_BV-+wzBtBpG+s|Qw}a86cV&hOAsJ+pd+>x%Jz z;+o^m&FY$9`v*6o{ezp({=qPG{N-kJ{N)z3zi=zsUl@+| z7e=7{h1<~n!tH2(;SRLFa3|Vd7>PsT6~; z_{-f{iT=Vp#E!p=Mf(l+qWy+(Xush;oD?4)?x%^d35VWKq2KU8R^qwBgJ_=r5Sr&t z#Q!~KcqHp3?l1Eyq}_Wg#I}3Hbj-g$g%zTxVPiIYGy6qx{ zcJUcB51)$W;nUD|aXQ*A&OqD6XK_kwrt2jSe@?@3!SFqs7g&Ck$gHdviT&QpZ1j6G z#FWp;noI2WW{~Zj7q;K+<@2F^eHm?EUtzvp+-I+%Oax*{g>sO@4wOW{SSJ+ccABcCwjhjq33%ydcOCd=X)=D zzW1@-qoVt>{w4N&>pb4?J`ncnzpO|$zZWo_@qfzuq4AIzeE$!3PhBLw#1%iB#&vA-JbP$ zUXkf1W_L)&$nO%Jlzp->=LN|tJ7%X4d!CW)NXt$QpG(V5PnILg&&bZC-0wkXyHQ!$ zIblDtHS8Di`Mm7h@cF##+sKC+MDsOF*T}{_a5; z`nw0^n9uf|g2mVgegEoI>_mJTo`DCKcRJf^o^=N0=2=~E0Qty2*TdFb|?k8WQdbo=_E+jjxB zW;y-P_s068zdvyy`u^BOXr6a5`aZ`cxGsKaHv2_8c$tR!0K+)y6&`=aQLp59`X0xC z?8JK_bRsN^^f8(QrvJ-jZV2)d5Y)JO?*@?Un$s2FT z9-5uV8?k!%bF}|x{&f?Y4-T`O`{8CZFT4fK3vWg9z~R^vN1)%AzYWdzZpZc(C??;&G!Bpq5n_pdvas359jq> zG>;vJ=85;AdDnO}@0x(-UH7AT*8^zY^&pyeJ%r|66VbfuVKnc01kJl1Mf0x5(7fw$ zH1C>(=ATcXdGeEJ9{LoThfYTG(5KNnbPAe>K7-Z9P0OB&)hA5Lo|SDLIz4+vcH%lf z^3Z3qXC`AL4}C8C`DBdbp)dHkaNQtz=MRp!worG+%rZ%@^N7^Tj1-zW6qp zFD^y%#bs!|xE#$F-$C=mchP)t1rCY7m;C|z)i3tGhW$eF#g*9~Q9dI6p@wn{`Qj=x zUtFD?$QRcTn=gKh=8K=8`QlnMUtEWi;_JixI5GC=q4y*8{b$*KalhEUBYEBzAvVt= zw*Alkis`oZ$n>wXzae%yhCFZ+^YQ<`+21nVJP<=3xCPAvx1xFAcW55?J(>spfaZZe zBLDyEddUNS*08^>pWpw_{*CG3_y5uFUvCTLzh`eJHoy4;&2Na=-ao_kyS;oqv`2rV z?a@EXcPI7t4jhg7=6ANk2j5Su$#nC(T4;V(JICWd z`;X>#hljXsPCcf3Tn<{F*!LEX2-6$nG$i);9El#EgYi+x_-OR^_#2`1>oI&T8fl!< zBqwn_AaT>2X2c#(WP6UyX^xAqWscWv3k~NBqiZW#3A1$ 
z2AY3mvb-*ltek9OkGFdMbI|w4b8$HNRUX^p^^i~O^-zF|d0(aw%>#iL$Ay8(d)8L zxGwwVTtMt`QuD)pl$S^P=Uhl^9<076bP?svBeeh6EOJTCrOD~)dqS5{-jwN=W0S}g zIsZ3*yeelvj``kIIoEL9y-u!1uM=X*ug$rR*z08=dc6=+J}74}vDXcfKMu*cp7nX1 zAk%Ni8Jdi-@l8u^%(;o!>jU}RupIKbkQd@{-6+2$Cvx05cq{h7;n*KX;H7vQ4#3-S zAezq<;GHbDQz8!IXB9b#=gTpCkNhQ$nM@yrIXD^}AG-^EZ+{H>p8nl<80YmK97N3W z!}9KBd(8{SQEpy%ADWMiNAti5XkKI znpZxCj^{m&&B%8q;V`a;C-4T!pG2RVKZWksWOTotM)zw9x?j(r`!yBauW9IhO~(zy zGtl1+dlvoOv6;9TpF_tLpGU_NUqJK8S$G!CM)TPhu{X}aemED+kLTe4d)oT>Zw;X)Ki|fIq~@;=W{)phc3uT{QlNLJc`dP;(VHyzMhlFOW#2A(#4dA_x~`N zkMesDOLE3ukho8f=le@@mgOY!P~`dk@|<^a5_u?w-%)xO{hg#0=;6I~_wi{4w)YR(_JRmg%;`7~0`=Xgj&Q1DwjQwDc6oD{@7tU$ z#IxSw`G1JF=6px&_yV#Y--rEjKUi+K-+x5!_n(;0`t)a(KPd7`&acGQKf0Fp__UT>PMp*>Ph2z(W<%ClCd^s zxrd?KQyo`~u9;f{2al?mOCE5{8p_QF)>hQct&^K*PcgKohvz1aTV3?H)kEvY`e^-l z1X?dPV1C=vBhmJ>A=_bldK9tspy%-< z^gN!79=DF@c}zincOw<&Os4%u+wpYtcR4a}9G}Z%dwNE)a6klYE>#h4vr)9gITsd2JDPVtO&=V+meD{!ofuPi5%uPLwB)_bJ#i(kb^;%DrFI z-<>!O{oRSqSnnR%fAo75XQ1D==z{)U$Cj!F;o zcSO!Xe@~?+ICP`>=iWqvvbbKI3}PzPT49W3`>{N4f2Me{2@H zF!!S5bhVwom~z|sOR!1g(%j3E({&i1zZ}h1uE2ZnN_+$dp!v{MI18`F1$Yg5p0C9f zqp!;yh=WI6m+O0@-XGYwS;dgt!MV2gLvnB6x;KBg9=$J!DIc196S4Qljp+SBO!=_f zn~A+oko@76+*?_`_XRS2c2Y+uqmuJ6opGqUa_{Ci)r*eNaNLpo8Jl|#rXzU?)9=+V9Ya2FUv8xN7_NiyI2I@1 zeRw}UfDhoI`NKo3*Zg53<>n6$qxr)lX#Vghnm;^-<`0jfzsETV9XEOc<1F_{TuJ#; z==vw4>wg+u{}gon&){n2n~Ju})6o23I{G`CGthSZS#-Qk z3vKUbqwW2RXgfa#-OstWETD-s2i{yyIhZ z+~^ZLg?KHVj_c6zoAub0_)~OTYXkPd&(QIa&(ZObFVOLkjp+Eum+1J&SLpc2*Xa1j zH|Y4tCUkscGde!nl^gpQB=jE;}|fdAe%ZSxX&8S;N%{~Cw;F%kclTbaCnk-RLD=lten&UfjX^#9TS z8LOISy<08sFs7UTAoEwxtC5@^LmpR?`6?@G<<(}oc^rm3t`3^V9ggO4bqw&z+b&Vg^u~EjnC|=0NZd598F7uN zwErP)p4XDt|4TbIIbRF(|N1Cr{#JRd!*M!J!*N2&+vFWj?05xo98L(w$>YFwg?h9d zT93Bp^L3*q=59wPIdHKod+K>9I00&?pUXMjM9E+L1RBw|Dih-{U5s1!ghDgJDu3$sa_{%B;zjlI`Nq-w??#UUN>Ubqvns@(f08y zTrs*w-q|>KRFAxKIF7cD812n=9voNdMeMlJx#+l3@34OQ|LC~V`62F;*N^F5AAMPG z>&OKmcD)D7`-k!i^DbgO%hhqDi_!6?OTuz4&AW`)>*%1Dhw>}(uB6=S>7WBb`Biz> 
zQtolMI{CS4(Cg}8`M_j+U6_AR-VnCq-N;}K+mVQ`&$}TRBiG%~yc>zV?hbkrvHiDU zOpiux&bx)~)D8r`z&I;3B+(`>9{-b`AFvlAqt1H!?4gpJT|+EBL&5 zK@7c~<7hrG3e5vXqj|?&%x``^2F=g!W`E4j?;$o18H?uU_oDgvI5a=M56#cVqxty+ zG(W!|&CefTId!8C<~>C0`9bcViFpqvWA*-d1igPAMemQt(EH|b^gf!z=jueC$a|95 z<*4_|Q}_r@#!2`zdjCwp$;8i~<5N@7-;tZfa%xAX=glB?IeI^N>9e?=`DfxLd=7uc z=kYIm0e#Ln3wOp}%$tpujCwI|4##gV^)`mzmz#^`+w;&o@+CB1eVO%|ufBrKBCqDX zM!D-(^VRv3o3AdwCXt1Ci;~mTak$sfak4j=Y!)RpR<0)L%v{oRmwN! zMQUD0f9*@kJ8+!7qC7e75%Q{U@)CK~CYDJoe)2o|y@5Z_?+t86^O!%; zJmxPnkNF$TWBx(&m>p;yvlGo@cA;EAyY8kUFQy`YBqiSG{_g??|~X!LsnjnMB69D{yu zpfUQrfhOqp2AZPZ8)%0Adw=NI{H**$y@}*8EkkVHLrgt-Tz+e&TaO~s+vFcl>~suy z&I!y{S=lzf9n;NoFyuMy(LCowG|%aP<~b*!dCtjbp3@Ph#8O-@`ns;{V_ulQAU{7Wry#%3?Tga><6(HPJuPN_ z+tU)XJuMCMGyadZr{y6&CBGBX-HwBvO6+}f8q=eZ&iSXa9kxG6d`5m3Vz(1nZrA)X zaS?V8*H1SM`-!waXXT%rpJ;zDv_CzP`*%)q|9YbBPcO9nITvkzdNaT6&v|J3b3XfL z`_qTm_NOn}{#<~zKmE}5r$0LGb79!ti}NoE`+0HxCCTHY9;Xw+_rxyGzbxPW?B)4a zvR>Q8E70RkO!@xYl+=Xq+dNS|2o#|b|KRTKG=G=#?0xYT_sz|$$Nupxl-obP7407nNBhSk(Ejml zX#e&vCS$I|}XRj>dKIyTX0iFE-}T`!v+6_i!Kk zy|1xsS7q$p{Bik-dKIZx@5>*bpQu+c^j9aK{nh)?_g)`B`>hY6_2@(Bd#n?2KHK#$ zzJZV6+xRG2uReyp$ND(>9_u7rGM)ZE`u^&Z=zlzq+uc7_S`Dp#T0EfgE=D!~9uSFW}FQk5cBmd1%KQGo$j-h^j z3$34*BTW*3a+Yr1-nZ`gz5n=biih{rs(*U+V#+zFZk%>q}y$ zf0Vz9>DCL#^ws%mh@Fm!@qgxH{6Bv!)5G{b<^JBoIt=6g7{>q6`g8+^@qe^F{Tvzp zcfF4PYuI1c&-j1-CZ>n+f0obqe~8UnC};ZS{BN1=I6tzzTf+9cy?j30_urxS{rAjQ z%ysnx%c&OqG5;rGm!l)O9)Cvj$zSkA;$Oq^w&nj8*0U}D4?b5l`n!hD8CQvJ&$nK7 zIS1?KznE_Q{5M)Z{}Vn>`;XSoJ43uHe=pPBuiat4_Jr8w94y}#%J=90n_QpT&p8l2 z|6hJ3vHN|{NI{~0j}~|wsuWZ$NSs$Bu2yguvBw43t{Mf^aS_%kFh8iN;kcvY{{?jl zlH>ox8#sQ4^Lgvhy6Ew&ht{9<(facUwBBsM{9*hbt=}6KBq?iKMqp3gSudy~h9{W+na z9r5{mt}XiBr17QLp5@#VIkBJvvCC2W3n!uD?CI(jZ`#WPYcI6qaYot zL^2ApSYFj=riSGiSBYj9{NLx$c?G!zwkvrB1sp$*Z$5f_i778EC?@te7oo?QnDUZ> zQeuxc(oU5Xl(Qa>FEagi^VKU063G4vD&y11;erWgb@XC?#rR0 zZY#Jwd0!&$uia5_XEH|KUmICak&Kb|*J6Gy91rCEwNV9kQQmCaXbt5U-d`JozR!0z z`aa)1XuCQVeV^}M^nJc@==*&4q2tQq(f9c#pzrhDkG{|M0Qx@PgXsHw525e#O+?3~ 
zAI25LkD%@HqiB2n7}_s;9Brp3q3!e&XgmER+D<=(w$qc*cKT_wot}cW)6byo^i;H+ zo`$y5)6sT%2HH+Pi?-7<(RTVdw4Ht)ZKq#A+v!=%o1@`4BJK3N zf|n^D5r0WTIfi!n6||jxwII=tdX3n2dOq4tFF@Prg=jmy2q(o~57+g?*c*pl*VNx{ z7JR|=XFH9w!%ISJJ4_sHOue)ei*Z?~hn5$-!~E9w$o%gXtRQxN4DI%N%vV|Ye!&M! zx826jZm&e!?GMp*`y;g7UWK;XtI>9Q4Ni%D>~_#@f1+Xkk@|04!3L(=zO85Zts|d? z*m~7+pWA;Hw)69_A8sd~3-#YdwEp{&`K-Uc!asSh?Q7hD-{4-{gg(dIj8mx}zQwNW z{}!yreYF)M#NS~}{61{g4+TFGwuA>-l|X{l1_1 zZBPG2+tUNA$NtiP#MbwfXnPtdOthy_v^}kYwx?Cm_Ou$>o*ss_r`6H^R1NewdQJ2> zdM)&MZEf`U*Flf};pp+Niyr@a=<%M5*lzWI z8rq=eA@SU{ZQ%)pwvTNK+ZQITw|40DMojsMg(nev9y*}sftd1>3p)~fK9Ke{r7)G{ zdi;^;X@%*@7@04lFq87|{y#RW$S%wZ^JN#>p1M6cj^lW+KbTjT=(pu#|M|54_!H9$ z(e|J6lS*{l_v~%k*+Q6Hmbn*a_`7o{IJxPeb2(>WsF>r{gg%GX9VL zZ($d-|9B?49bM7w=!R}bceFow7WzE(Y_whOf&QM-IruB~M4zYjLZ7Fei#|{7jXqC3 z4{h(yN1v0lkGp#4{hfM6eimFt2mC8v8xNODNMBUNIQRR;lRQ~JCC8Aybf(A2chlcV6>ea zg0_>_qwVAkXgfI+Z6|L;+sT{Ic5)cnPTq{RleeJlH*bm`Bj@fk$x@ z*VSX_IKbn09oNky^!pA^U^%}Z`6S-V_5Bpu-=B<*3p|axa0>eWd(U7U#%HHu3+9`K zt#LZ~yD&4*@6$euexG(G`u`cvVG%x$<@f@2##z`EXJZe15&iz{9PEp8(fbGUkZO^y7>@>eCRhcAKHfIL%*Z>&>v_%v>nZd{=_M< zzg#c*(BB&N7el_YgXLF=>@3_(?ECS%(D&ns*}gqtd)+?f4|&i&v|ZZIeEu)izi4}W z00(oO{f9SUB@V|(5zlEbivC|!6}%R!;u}~E-@(Ih6;?;TFHi$*k7}aNcWa@~acbj= z(T5k+!NH>rFRELVc#ebN{q1__``h)=_qUHIio~MP21VvOw!ewIr(w}iMUkfdeg=lT z=V+E=KerLOf5)KhZDX{(ZGyJ5O_|@krx}{}G-vtdJ;xH;?zTYlo|fo1LMt@yIS$Qh zTBCVQ8#J#u9zBjHpzpV}Mc;dChrY+w9vxpe5glLXfWF6e5_;TEMvr?(^th*>$2}E2 z?rG?8Pe+e?20HGL8TLP`D2Lc_hir7*!Fb3F#{aPc>&e62)9C-Bc|n2l`9k))XQZg8 znAqd0{{L19E}2dHkLGn{Xr5P&6Zrfo_!xFV$0<%l$0<%jpHp^bxy>WA|JW>YMo|~a z&8O7olxI@jl<8fuNu*m*_vCanuR068Zq7!3*R2Phj_07y4SS-`4SS)_4bMfN8}>%? 
z#PiVShv%cu5Bs3kU0+-=x?j-+ICxaQqW)YDK0m~8-Cc-YcNd}8-NkHQGiNWOPn(IA%V zb%#tJTr?yZBlBHfbOYt)dpfXUXwglSyS^LI^%1k2VMW79?Tky)`)>)46^| z6x|l)r~Suf6?YWfj_G)4{^uCGsB(`Okf5{xcrUeh?uV_|L`2JtfjG{z6jDG*GXl61-zyDYCd@@GA|L5mIy^VhVuV@bCeE&~FIVQgU zhecd}^YBXUvzO5J`DL_yeg$oxUq##J*U6c62>|qU-q!?brN`j$i(RzJIy{?Jw;_`&YZr=X1N!{?s0{zqA+aFYQD7Mf=h1 z{uk{R9l&+*|H5(Z7ppw3N8+}DQ{S1(T7*BHhxYoOzo zHPQR87JC2HM(@8m=>2y%djHi$@4tHJ{Z}8o|Bk?F$c~QN@Y# zg4};c7dJ}A$o+RrapPo++<#5{TsV)&{nxDcSjwA?Yp$Uj!~NF+9lvae)=RC>dg(Z{ zUTTfjOKs44>3FnWIsvVh+M@MRJG5SEkJd{kqV-Y-v|c(1eXe;j+HdKIy*bY*==-s$ z==-s0==-th=<~-6G~ds}(U^t)|8_Q-|L36je=eH;=b`z3KAQg*p!t6xn*SG}^-D2Y zzm%Z$ODS5vl%e%YIapK{c;9czjQ(Cmow4&r7K#$ zbVKWx?r8mT7FxfYjr{&^aZk=uzt}k%&J$9<^eXO6`H1+r8p<)$FXy54%lXBL`lS!C z^-Ev0ez^dxU;3f-OMm3|e~T0K%S9TNhtv<36p!Tkw!T2}`^!RXeoxHwD~hjVy7dP# zeL(S5#7@VM|6k2~{Qht8wM;kv$B_RIMDzda(ENW8n*R?*^Zy}e{(n94`@gQ2`fsR) z?Q{M7{%`RuOm{qV7|U-RxjDqdTW?(c=2t-_76s&{R3h?e|zyA#6Iss_UF#9 zf9?;<4|zrfnrFnA&wMqGzbA4Rn&*!}^R2sa#ptoc_u$}BV~g))Ip$j! z@~v@bzI7j(Z;faB$uNuWCpO@|aZ4Vv~pQrst+k+=U{ABUdO!v4w6^`5F5WAd%r>wgorXRyogS7m zqj)B<$MsqCxE_q3OUBQK`CcfVMeK1t=xk#1rWctWjm#;Y%kl9#L*jYGFA;klko|b2 z_+?y#uZ8>JRSnkxG7dbyctLTZKZKz_w2;r6CoV$I-|J|8_y(F6E=KdvH<{o5&|7GK zXbJmmf9P#u^U|ege`p!nA6ky~hu%TQf!{^@2P@G2!h7gA@cU?g=>xRCv=Z$veTZI1 zAK?hTU%U!;Pow?EzxaOn8Z@u}7|rWHLBGee7I!dx9aiFc^#6E2MaP3Tp!xr2Xg}n0 z_QQV27uYPavG_~MJ-=!{IQGwIzvUOS-|{QEf4`yow+-Fy-_d@{A85a2J9;1ei7Q6` zUHlgg9`$$eKb$x3BMkS^4)i|SiQY%M*dC5(@gCyPUq<^ad&70Lzj$A`9`_d?V7|)8 zzZ$mN_`k@1#sBv?akH|h z)GDc6lDM9b>2*pDPsYf6bxZ0|Za+ucjjCVLpv3JtLc{hU{gs9#M~2TgETO-`^rJLP z$B>^jDoOl)%rR)b(->dldTD}hVpCj>&F}+kj=ec<$13x;K=Uu^|FFDPY@hkuag>|S zwMO%~HfTO~Jetp)faY^;(ciCWhkie~J^DK~Cpvv5?LYc{)k)~~os4c@M|AsA(Cte_ zw=WIdzI0{&40QW4@nfcE;d0_^+<-agczmug)AP{Z-N{Gu!2&doEJX9jA~cUIM)SxL zblklZ%?rzLUA(-+_OV~=6g}8JhVk-KIZyTzPb-Op?;CgKd>zelPA^IH7tcWZi(M#p zJpD{Ow7=M`B#~Ek=Qvl!&MG;(B#~Dld1a51b4n6G*wyGb_BH4@_O<9Z_CRzT`#SVF_8>GL8;s`5 zL(qKrdNfbI0nL+#qIvR-Xr6o%nkNs#YU6Gxxf!cZxTR!diFxv^CBsV+=L^Y`N0i)_ 
zjFCL~_L4i2F_I_W>E{yp1@Hx=CMzpdF+#D9{UuU$4*A`*r(Avb_$xuK7;15Q_(zj8k)yWNAuVj zXde44n#ayW^VsLmJob4U5`Up&Hpj7FY?g-Oh~%*^mdvGmM0}2hatwLwJT#AesU(rd zzD#T$`wE)JzKZ6tuc3MDe4G?t5bo27v4w};r-wbq^=WkUaOD5S!-`GkrzLdrUW9L8iZ7@&U2aG33E3 znXj_)!;+7fZXS#w4_<}l!K=|ccnz8de~jkApP+g0TAUJF=X%M5*K0UluD?oTL&+CR zH=p~A<+qM}9%9>L%guu~hWWlM`I^{#?JG22Bj)qplx!k4KSTCsbJ#!khvkPnY75%# zZDqcrsZYN{^O)~h-~PxCB|j2}_8(8;`2K`>_%oi0zu;N;EB3?R@G9JfH{$Q;@9X@5 zZP@PZ=5q3!$MtZ!fBpOPKKw(rRH?kd?C_G4Gc9;WY&?AEY7#(N@rOZMEE zjL|%KKhw>V|3&lU1L5_2N&5vuK z`Et!tk8iEgI>a9L+URjV7$2UD>xTL2mDVTrJRI~0V%v)bOpiv6ENxhtxDJu{sM4c} zJx|Df98=l|7h#i9@3+Ppt`j6rZd%%`G?6D`$djA%dGq9B(ev8^&1YJo`AjP`k2#L{ z&68WBd2$=}+x+i%V)Nt^&^);9%h(y;!qagj zo`L4QUC`ehIuk#qyes-#q#OD?q&xaM1!v)ROg|g#KlDKR59gr$hn{FY-V4qD&qed` z-WbOJ(ft2>_QU+Y4>pVRExmwp_eahD`%!NG-yfSqE-bw$IbD4YaWS@G{!7sN@KW?X zybQe$FXwanB3G1NN$h!0^XviPy1csds&GADU3x9^?TuWcVg1H?A_Gf1j!eYZxLL*E z(m|!>#e++)=X&#c9D-ht#FXDqdLyydqzfa--dU@rm9goiGfESADw3x@TRO8ek*8wyx@_Nb_&E8?^JpIQ0?x!)SY;N^ z|M5uXdl64yf9K#a#B*^Y^UXv5C-^1w`}8lP`Qs~SKJ+U3efrnXaliTKxZeUae_e>- z`9Fr|{}`VCqj}O|G*5aH&6D0j^Q0wcp7b`FCoM(uq-AKHv>eTo-a+%EchNj)1)3+l zhvrG|qj}N?Xr8nZ&67Sv^Q4c^JZTl0C#}XI@inENgnIj94aXnJlh&55r+h?worZD@ zdD5q7p0uGfktcmdY@YNvnkRjM=1CjTJn2iE6#pum=ZUee4?WMcC!0$D;e49sAbHHU zAvTX8X8P9B@0f0TgG~Rv^ao<6W5{!UWWLJEpGtpbx_J(UJm(iQ&-oS2bAChfoNZ{H z^E;a7{DD(q+g&et&Yv3gH?jV|!}hp-;!scQKH%7Uh_TXUd>%Hjj z)$GI1a6f*D|KesmfZyYP_zPB|?Lnk0F|HRy$0MrXiqX}|s^Z{L)yl{#!gz%Fg?UAF z%FQckpm{~jGTVQ~|IxgnHs$6Abz5rt?0zE4IkKz)F2bYA zY}XrVI4(%Leso!*vP8R%pEjr%Q4$s2&_$Kq6h%2xIdOl7<&&SE= z`RItAj}-KLq@w2|4Lu*}cslh)28Q4NV>|i%zp`v%+aL9O<)H0jE}C!Tq2D{s$DQ%Q zvI4whRAE^W`@fg_0Ym#-jJEG3X!~A@wx?z2xKuehE_Die9dyDKqfaY46$g(xt&Dao zTnAXc@zwtuKRKf;(tHlvPdysihcj8P^?p~%t@pbnr+3G7@w3X9kMn!BhVzS|{ynEG zQUCVj^Odn)W#^V9>R+V(?Ok?WS)%^c-4WV<+=YE`C-&v@)_WJA^sf!2FhqV?VYwBEZ4t@o}*>%D8xdhc4a-W!P4 zd)MKR_@J^O;kq8IVZV`j@A|T#l#httprIT?y>}y8@7+|EsP~2uTkqYB)_b?0_1>*$ zy*C^u#YcqWJ27_Kp~si|?T)gCIF8nPNWC^P#MW!XOpletneP3FOdnM?n%Lb<*| 
zud;GX+1*UH-osGu-GkP9W6^r=UbNmDht_-dq4nN)oD!Shda3vB*Ra2d^*tVO(dA;s|^U@4&UYbm~_0iK|f2Wi^ z!}2{I$o@|)n?~&Vka6Y4}OOK{|noh(Zh1z`&h#I9M5|j{hs_%=5su6Sy^H{Z#g=i_YURB zalG)o`W0o7T7y`R%ds7JpXna&576ViGI_i|Odju#lAm7{j_>NSHSE8~8#&$|mwiI) z@kTzsu54{s-nz0+!|`6P;dmp*dqdf0$>WXTcz@34t^dD3uak}F@%|D$-d~}|`)lU+ zcz=T)?@h_$y_wkK{VjUDx1h&+D|)=YL;EM+qy3W~(EiDf==)heh3)yd>{nvn&-w*@ zKg)Q?4Awg=Q6Fxj-a9le{)6qZe%zj{AOA$hW&c9QW&cLshyDkBA9@EmPP-G$pLd~o z?`|~j-Gk=6d(pgiADZ{>N7wr=u8SWC^+Lbce}~o!(Yl<^NV(@DT7GPK;`|`@f7K9s z{}V@lS-|*zn6G+y4d(N_A@kKNuSM*980v}I%vV`ir~GiHTTfu9C+ed0L_M^gsE^hY zN1*jY1GJtv5~su(x_;`3qqL>}kLh+e&eMqHSBV@`-k8{N1SD=!-i+AshopAVmj<_}$Q#pv$k-Ei=z?&be~ z9(gw9)*n64`s19iJ@o(4`nnh8jxU`X%6pfeN9_4N==q_%Px%Fud*1t^=lx*ZFB$(o zs_r{Hit7FQ_=FOgpcE;FCe?xp3Wy47vPrh32SJJoiim)qh^SE@n*fmxq7>;x1Tmo{ z(t8yFrAd*ZNE1-O0wN{9_vhZ>dcIHod0qD@Q_hrgW_D)M5p^DWf$|Z~i_tH!{dFEf z;!e?>iM4+q%kfI|%eWk0W&i6C>LP1t|3l70U87%%4xeYy&O_bY{pxjhzv_-U5A{Hu zhkByULvK)C=bv7*o6h&WiFN*Y6LtQ13w8eKgF64bjXMAIMV)`%L7jj4q4wK%vC3rn zf7Jf@K59SCK<&pLp!VYrQTu6s)c!jFwZ9HT?XQ`r{gsa;v%h9VXA^6Gl{!BRLhZMM zQTy!>)ON^0?Y|!>9fwjs+8Gu-oLKdx?$eAQUH555Vw5u~dbFF5c7J9JR&&Nif9$49 z9S7q`Pjfzr{*+kzm(+1E9(5c{Kph7YQOCg~)N$|`>NuE;Iu53wj)SSF<6s)zKau%C*dBj=|sryI^QP&ZRQ1{OkqsHe;P~-EZsPTC|YJ6UR8lQiSI=+_SmO(3` zmt(K&711l%&-A;oOv_vqy_WsAZRTpp{<}un|9wO9*F|r%{PmLj4Kh@W?S$lSir#AZ znMr2U^aW+=B?Y z(j#JulCJYs5!88$nDk;X#ff$PLhe6C#*~N&pSO_wk};*+7%5jerVQ!2|0ts}%f{Sc z<;upCqnwU2)bIZ>i<$*-rOKYwz&Cb2*N>fvH6D2xH6D4zrpxs|YCQ6)#a&}w zBVY5mZ8u_#FJ8C#c8}@7eAG_Ja`cROgILRfOt*JTFXaFK#=OOP@c)0Mtp_r`=o9m{ zyZzC&e_wa`-*K0}A8Px*i`xG0p|=0~l-KspKyCjI-0lA%v9^DI)b<~M+WrGk+rNH> zWA|S|G2#0!Sxm1mlpQlDCVc+|x&JaaW=Kr<{tMdwC(1$nf1;02_g#jf?z;>_-FF#| zy6-Xqb>C$q>b}b;)P0xHsQWHsQ1@NNqVBtVjJoeK4t3w<6V!c|Pf_<>#-r}LOhDat znTWdYG6{9xWYf8*CYv-xb+8Md;GCgJ{=^0rwq@|iAiSI(}B6j-S=2<7W*{ z53SXFSiF48xn484{>K}<=ewQdx#V#D zkAL6}{2jj~zZvVl6ImMd%x~`TjCMT#?zZP2ZhKxr9nY6h z$Mc`4v;Yfbv*yW`ssXrg;>Y)Rn+nPFY0){hB}`ALv5eyN@x4rpq{qRP1N?e zh1x!ap619C4mm$A2YCDyo z9QXY_cUbwdo^qb>c9Pmo^egoD$0msptvsXBANU88PXVJe7&nK6j(qhnVy# 
zo~p!ZCuCew&2ta)Rl6YhQJ(5{(mTBnJ_vrXOSpau_k#0~=Ml>9E_hhl{(%in6kHzA*rWU=9?I3+U+}1=XZcu847(~;>!dptJ%7-`eT+vUqe zI+q8qJa&IS-sAATzt`iZe14u!T6yF<0s&6~=^0r;Y3W$K@ytX|GU=CdlVt5ZEGP2& zZ;Gd_rKft*NH0e^QZC)|9P!m$`hWZniEG}>ZKLuwU1WaGdtS2g?L6(>`bhl_o)_Hu z9o_oG)PGUstv*)&?~_iRm#utfY4b;x_chNeSZm5_o-Vkd;5E;yxD~si2Vb{(-DK?s zEI0DKpiL|@j zAAE;+4{<-#@8<8~0elbjord>O&xK~-3H$)-;D^`%`=fqGAAk?xK#rd^^k12%`;j5i z^?Oa0mCyDJW;y$050chiSpBZiLp&c@dXBVoWPcdy8BThB-Y{wDNcsrR7}8hdjr5Fi z(~<2nTItqqNV&0|iKOq$``9ziEr*o*#5109+7CWO?FYnc#|bKL^TFy*6ny5HggbBw z`59T0rR5{-Hq|rT(x*vF$LcK$W_Uig`ONgpcIPw8oewednWKCwkL(w7J@c&m7t;1) z7-13mACrHarBMnTPwdq+WI5+vv+#-So$t$>AO+qsqe5FevdVfe3oOc zXTO!-CvE>g*6)Dlpr!vHEgjkafAk!}!+02v;t@Q7$E^HOY2}gachYklYfU-nIe{Ar zPI`XAt@tx~@RZg2MOr=NdG6DmvzC5FS~_yPU-X>AH3b(vzv6eq=dtqWi=GR(kN9`1 z_nWli9jpI1?GMjoOTQ#79huLcp1&>qFIjv2Li&HwbwB?f9F1471ztsc@9baHbKcib z-#hyc*AQRFb>!c`OyZmP4C8@Y=)pqN?*mS3_`DN=`W|Qz^pal`^?O7y3=$W|rsPNB zEi8fhouVWrkzWe+JbY=~NPZbiCH)Sp!F0;vZpxR#)}-HwftlR@$F{`fQQwWJfG=T1 zd>JcY)A98GsQ({Z8M|_yw+eP6u8J#}Up4GWd=K`tZ#QyB>}tu8$vM100VHaT4B#Gw^<#jSrxHuXzxEV7`rT9_bI^ z43_g@+(Y^!m`i$NT!Kxo%@^GNNB#e?$FP9(rdX1=87?Poj;ru-)bBklurEG=`hDn0 z)bB%2p?)7~iTZu073zC=Pvanb2K7AEvp52yaXiN0B=q1^jK$9}4)uRl;&CB*QT>z; zx1t~Q-a`O)VGz}SCE!_1#0!{&e_%4|z1S3t$5h-iDlIlW)~Qm3`$Wib-#Yd=H%5;4 zcCl^nFt){`_&lD#_HH@k_pT1H^qX8?ca(OX!tnQhV%_imP<~i$r`VT?cR8J<-Di?_ zj(R2b)mZg^U8L2=QcVjA26n|}_!>6HZumI9PCfmO+C4V>J8BQq@2EY=*Z&88gZVYh z>lOPZ^ZUl>Ep2}CJ?^K!Mfw{~pV+sFb)QqZzrV7a@5H`q%h^v_J+$}p-?Qnyuk~cQ z8Pf8R|L^u;Z2#Esbv*L_-3G)Cj16DM%kzxuGGm>{SC(YOhOi9|V!bctX3N@T^0@zR z)93y_)2YvRbV#gIqBGB-oY zQk;y-a0;%(skj!W;YOT}`airg@F>p2E42G8)c1^Mv)+ZFIkBI+?T6e4nH&3s+kR;8 zN6bULA2A>Ge#Dok_ahddo(ud6^?pPy>ivj3)cX+&QSV1ALcJfc81;U{64d(D4v)|d4E%IEyI7xjM4KGb)d_A4C^U;_Stsdy0e9fd>KhWIeP zfJg8Z{1GoPoujDtZ;qk9H+>wtlYatx;ZN8Xf5!LmBo4q|Q11_&!ffKxn1g3i@z$L^*oQ`i7zOh_##dw{tfjW%kOxG`hVaU@-N{G@-O4(_$Pjef8iqh8|PF0 zA6!a&1y|rzT#NsrzNd8!pQK;;4>ys19b<`a;CAAhsOMF0;cntWESN?AAII@TyGP(& z(u?2$EQ&|47%re*aXdjBiKnpyCNcezc!9VSUc%CtMtT|4_pR>0mx;^b3s?@XQ0`9D 
zbFp_}4bsb_{%=AByg`0N)c;GUgv*%!-MAVnW5iPWe=LqwQQz;XhIisUSOKH3GFHcG zSOaTfO{{~pus+ttMtCna!8+I!>tZXchp|{6z1RQ)*btNOK1{{?@p*gzJK%$;|C`we zU&n_~&;34(ZxBC%eXudUi%swYd=v-bV>k$#;xKH6W3f4&VmgoGKm7jN0w<9E1Wv^# zaV9>6`rcVf>`S}0LOoCXG+xDL@N>#Ni@6w$OECuZeKZfQW&eo9m88dEakfW1MxYl< zqYpQd@5dudH-KA+gSZ_NQ2$Rp5%vGVl2HFoJ{gPhJ8lYoOSx3sgK0R5<1`)he=}O6 zzSH&`9wlyrC$TM_!{_lLw!^=%JzmES7{&5+#3J-lFJK|*FJf_?w|)srV<#+&ov}Q= zjC#-S6+F)RbitGODpn%DD^|^aEv{Rf^N{0oi{l82jLLsKu1B0xvsQk0Y3D2dk}q@^SM z@OyC?qzCffmzIu^N%Pz{vOVC&f)B z?w|jev~n03%AXQ9jr1Y;Q>CS2$eu1=l82L^9vbYtb@6KN?Egkv42`l5)kiIv6RorSf9cvz< zok-_*igj^o(V4O?ZUgDZ^4CkNkBr+k#(hKj<=jnio8!XQ>qxvMZX2=g!)!&}hau)Z zz;>0l`pEciN8BDO|83k(w?0yTSKN1Q{oQVTV(Ndd@>U-?ukDRHY~}aG?RV=V^$)}y zbnE}%)+eU^A(glK7`bBBk+`E){zqB+XVx1dPvswvJBCL_9*_IU@=r*+AA!7o@pIfS zmVQ#&^*z!ar{hjx&5@_$&RYH%8NU7}z02@lAAV@{#fAzi}6_9sY)` z@pnwYKQM@wFdi>sH2#S#@h@zSf8(S04?c`n@BzGv4e>vl?=@-j#mL|CugBfA^c&LB zG4kEfx8j_5wP&HUbd0<>JR-iRr5BNwj=bMoJiZtf#}bwwDJ>uQUQMa^l6Y4^srWLM zUs_r|(yn*K-+_f#7K;|#6<-cZ;GI|oD_Fhq((Z#G$A886yDhzvtUYld{XglYMplWh zjK#5<v%T*@y+<5{dXKm|>OJBbsP|}UqTZXSg?ewMHtM~Zd*dCh&*=Y& z^&QT-sPAyrLw$#{KI(fs4N%|XX^8qiPWPeS*SR0Z;{!MeAH=C68pS`%a?T#{khJ|2 z?LD7IQ16L1M!hHA1ofW#qnL+};ZkghdOy7xuEXZI86U?T*aG+96L=7x#AEmrp2U`T z23z4pd>ZwB{4;nJpT+AKjSl@>4C=jh59)pOSk(VfiNo?3kCo9IAHE*+5%(na<69WO zei+0IOu$S`#6g&Z!!Q{~VhVnYsW=|fa5ARjG;EEt@ws?sNIm+eHpKU{Ty0VBPd$&1 zVmo{s+ha@Yfc>&wi0_CsN4^mMBHLH@6_De$Q~XOBU9bL@_fVh?;6d*TE51~$ar?)=dHpZc4q-_PGd{eIpD_51nT zsNc`~qJBSr2le}TKh*E%@1lM`e-HKh`TMBf&ofZJpMQY*{rp4J@8|tdzn>34{eC_W z_4|1ycEJ$p_wy{&@8{XrJ8Mw<5cb~=p~2GjU!+}g;)jx+k@bi6@}sNc`W;H0dv@!Ut?cj=F%O%Df`V|&kx5Bn*eb;id}WWJ4; zOpsO%2iJAWo%^5ildb%e_-R&tsMO+4FV`-e@o)=i2 z`uaU??*EG`%w5dy|M505|82n{0YCplbDOAF)!Zv_>8kUeqp>*@e=VO z(*It(G=4F0y(O#Tm*9Q4lyavjmrwpJ$`znP`qx+#mthH9j-_!0-ZTwERy^;F6;&)s9-Il*{@pu2bo$b2?d*bgBJ7ITJZ7 zw}`hG=|`NR(w0*m%_;6J;nndTDQ$ijk)Ko2dnf6ab4z(kd&A=?BrfAEORVj62Woo} zv%KY0-s&UMy~|t0%9r<6aO)%WD|+vC>sNB?6H~vk%3FPmcxPc%?>$z&nylT0aRPE5 
zHOgC^eBDPy*1LwcChMo?HjwqM<*n_mH`?>`%ur<+>g^k52!skk3A@DIg#fj8hanI_I=pfnCbuIJR+@qk^H9KCYJxG zw<-BYoX4c)Bl#`7%`CsUw*~npoX4f*Bl%BwTN3O07*CR4$9c+PJ%_Dyy*JUy%Efx0 zCT_j>8E>q$+q2#nYv+Q2(bmod1Bq#8kMddmf`Q2NRzF#Cf4N{FQZCio+NPf-nSQ#o`_D-JbKV!ppEk6u zw++rgV#+=5ZAUr%-ipNSy&Z|Q-*rIkcf_pE3o38Rg-q`y?<-7a(a=tkdYz>mCokhs zrbkS3x#FT$cT6yK4%IWTX9itX?_x7~>9@6rW>Ac~6ll+Sddr9i| zmbSkl`F*`_v3;B7_3`#)`yF@QmbQJ7{CB+lh(Bce$^mT8cX0^5M}CC!z8%NfzuDg+ zZf1Sp9l-R8u>C(|ekHT}E4KAV%7?rIZMq?ECKe~ork+11OIAtYy$d-kcaV1o%X7>b zENyv^^c?R{(vLbHNlQo4hj~Yk{+%;iS~`+G(mR^;UCt;;I{iQCwK`OZvZy zKK6dX^5*A_lPqs$268@};QbWW<9J+wlPI?~Z=$sI!iY`NKl4r@o!|eZrDH_Ou&LhZ zmOf3|bdh$Q;hjl-^q|@1j-1)vS;QOgb1Oeb+H{cf)fe8mR{jg`e9NCFEgvKH<$US= z%F-7|OUH<_xw+mYq+ia>^Dbh$YyVt`+CPceKNlaCV`9AU(<8Ed`kEq$Hj`Gw33q#ZVRH{_m?^ep|I78NBoA(=Ht;crMdJwZbJ5=752k9Snd3V}$cX{_)z1`mL-02|G z`QE$Noz5P2I>bz8pUT^GFk(T@0q;>O|AY6STOX-^$a}=Cf7q>0O#L5K-s)q7ci1uS zDJy^6d&25xW+3%{@}9K%nHfJ@{mcwv>i?qh)X&U7_Mg+r=*)(hDmuX+Eq>0a|XJ}u9G-s|pkkobo8mOGuB?sSM*zCx9^=^*=Ugs-I4FXAie z3vXwnelcGpv9@z@)OIGOehHPg`WO-UQ7PXYR=%{f{iF<5V1FTw$or(M?@r4vC&|yu zz=*opclqwN^zzc`RX{x-QW5ohNF~(sA>>Ca8&}y^!^&5YR=%oRzM5P99=CiH>bb1y zsPj4Hd0(iuuO`-8RNGez8)03W-o4Vw*Kx}ehYmXRd<`iV7pgC5j|S4pVdw|vKHvT1 zd$Jpuw-z??JwRM!Q6t}j*lS87-@{h#A!+q6qE6l;z9yF5SXw$pL@a*P*VNJrDH_R#c96QmYyyx9r-_9&-vO~dK+o!7_lR}o$q;;ucy<_*TM4JOY-Ue z$$x!eN8gK<{(`jr7DM}-mwYdi@5$~YS)b0*?lUR9>afg=S5WU+b-^uzy82$lUfErJ zuld67S;?k(-F)4d-VWz=$@B^aBI!MRZ;<|t(^Hbp@Ber&{dF(YcSd_-_raG3yovWS zzqjx)>_h!>lz*FeHs5vVi}UdvY)O7UyqWc`FN1RG-``{TOJ={X*p5e}fA8=60E^&< zSR4mZ&!00uTK}$C>o@kp@Ozda;vB{oSvU-{QO{2gLOnk{n0mu`4fE;EPtZ!GxGEECP~Xj@~8MFTmBT^4DwgxP4!K4^O5a6UFo)eBjsoLW?K1K zzWLyzJTV>0! z+PA^#t?{jM>#cR`5mRry@~s}Sd>egRZ22}xmT$AP@k2O$t8crdZV^aSjqQ{qKEyD5r4+67TixCssS}L$xz8%XvWMZ8^i! 
zIpjNN(>dfjVf7CCj=0l7rt_okm^+=L?sSNm&T*Bu=^)Gfv+pNdj_0i2N#8H-bdc$s z@||&~bK0E_G1ED#@-`i0I_G`A+H}tQE?T_{($)*f|K0bS<^S&c%kuw_mVXJ=-(5!a zcYmV#JMw9_zkUBwZ_&_yB+GL}+J1W#)vtx~ula6R{(sW)ueS0}rp^DB&+%(I zh0@9)^NH{m_v<>RsJ{rdKw`=jlU6RAU&0@0`6c|NEWf0*d}Kal{H1X@mbLslq@9nE z`IPgQC;#HYJ0;V1b+_>)OjKb1(mlG#a$ZTc9|DksICX6=?LtHe=196#qzx9#_w zzcm(jp7Xb*yg#RnwEhce@Am%Ztz3J5J1f`T-;r{yb2`W>?U|k&mivPLC6;TK^P;qV z3rX+ff0^_{PG@Q9Nct=OS4rRLbdi>hq<8gqBmGSei zLAU~kQf@`w5Pyza4mo~5Qo8Lw$n=K!M_IYy{t<3Dq})iQTRCLj^O-Jg_^MC2qpYPTurv3tz zxBAF^iCq6e(lfI1q@^R%UF2V4>5HYMW5kY}eE(A1fL~jFfwX+&dTp71g{3c-mX2Hx zuJW(M=s~OeYb<}Yw0z_~#9IF*(l6((^KWpMd%e5d#4Ptl!Tsk8Ia({X1}A-nahmt=>-mZnxepw;nO|zEi%{L+*F%_3y##yuJQ|R&SsG zfLm|BTaTD}KPcboA@@5D`wwA1{L$(ikv1+tmj9^#xTPPHHXcFJPx#MR`cM9!N!R!T zX_u4!Q^eXIenIUI#LV}!%G-P~Vph&M|5==be^|X={pa23Ak(?v|IMAwMRz*HOy_r% zx9K4FH7@zDTKUWVKi&FB{lEPGxb^>b>l0J|ippDk|>7(J+B;2x`2DR8$t9b`I{16AGW zRB@+6%yg=$yiEr~)19b5b*2*+s$q_pS0hlz>erMu9;tMOY;33OzBrP8!N`Lflps}StA}t*$-z3o7 z(jS$U{upXp*c3G`Y=#;alFxmU#{(^`d<$vipK!}R>6U-WEl)o8OGyAw8O|n9Ruz0 zF6@AJ8sIxhILg&CMR_`IC&Xe8EytS}fpeu2a zMco3gVXrCO0^P0N>(c5W_jh^(-mvtZ($bOpEWHA6+4Oo#*7Hqi`N(~iK7n^E|7}Tr zUupX*(tiB{?^*i0($bOpAQ^%8$?xf81U|I<52WQ|M7xCp0{!tX%(VQ0(#F@weUeZh z+tRb7r6a$u4Gs*#i>9}Rk%)kunl|3^sD-gb~Bb(;U4t!3%9nKud`V|aB(&q-| zk^YVIg|zV>l0HAMfb{Lom(tSZn&~|MkDD+Tb>AnCavC2m#9Gdxz+$(&)c=)Pg8IKQ zOR+oVx;weMghQo+bY1;s)(>0~-%57AOfs3`f!cb@JD-bwzb%yPl9xB-bnMVLO4e^;=gN`=@NH68w6O1C(@BUKXiKVV;GgdD;_$)>d z$52oAossGJgB}cGES}Et2jg%jaXjUQ<$8mD+UGmRC)vLX1|r{C2m})?KPW@Hodjw7 zKQg`4U=sGgWSd@UFa@^}x3+p|lI!$zY4wohYZH79n_xRD*H%*Qd1>X4-e*fS=xBdXPJ~8z(m2dS` zerxuiU=|L{8x+jOY#eI!2M2T9`a|6M#MJ*t`BooU?qR`E)QiX)5gd;FkeK<8ly+T) zEa#ZuXj{%P!B4FG$HB2y{$s_IA1AFm(q5kiCy}3+JzkPOLE1QWB5K@D%ycIQKeO_a zgEJ{#H+zbt{8VY>r=iBx(^2E<8K`kJ`RqTlf}c~bPTp)uy*bjxXUKj#H~1ynt9ItR z;1_rw5>sxzv~tMyUJzVNezVMl!LO|R!eB18BF?jV3zbj3Mbhda^IZ}wu=-0S`T5fF zl^&J3Eci7x!If5ixuo0*Y2}dhSQT7L{sVcdCHZS)?T1-UWW2I2xPkqBhqGR?zZVQd z)^BrgBW}Y@Hl5AEZB~AZWZbh=+VO!b&o{yC*aUZ4xgC;n-%2Zow8yUC_m;m~GEVwV 
zT0T;LPjJ8G@0H~5la`O1f9U_M+`-@vHob$vBjlgYIvhNNU9t}=ws8fr9zO<;5$kw8 ziaK72S&rkulf*h+Pq_I%p^n?1-E!nJE;$wa1v_P*3Z5bTTGnYveV+d#{bttL;04l) zWSv88O?*At^_J8W4i1j{p^@Q;I*fmh^W7j0zeXrWy_pP14^Y8TA_p-c& zp*jh56TfeD2T}iTt`X`z ziyowQ1ACPMZMqK4E26*bJY92kE7o2ZGpvx zKbi0ZMvi(iAtpihf1gTdnGkL#RG!Y@ArBV;z*Ag z9xE*!?fu?()c=L^qTYM&%dLF(b>UsDV zP|w4^hUI{*8q2^YFch^*nrU)bsFfqMnC;3-vsFADoo+w(alZLVf>t zf9HCnU%~|TOa0!2j9=fgSmRe>@-q@XAYZ>fA^9IB^e0w6+W2+=kVZ279@OW%e^2Wm;6c2SJI}Vc)XLBu+WWV zB+Io3>u^5dyLGJZl7ywiYA3lTGe4mq!Tqj3@d4KJYj?eux$C_g)t{|E^rlThtw;U7v;p<|(neG}ZbIE>*o?Z*umyFWVJqsp$=guv zydCx3lP2PcO_is_{z7y5%yHM@E8`bXLq1yd>RJ-qC`L;QG6ZR3S-KD;dyC3yj z$^ksVe(?ipdmKbKahUpBog)c95^H-%eP{WoZI|N-$85VCPxy&)lbjRM=A(GL z^K-&UHdq#dNl<@&HsM#=S>uaysQr(a^z#W9iM2g0ptc9G z`u~LAiM3sj{`HT9OH5bW0m;9d@TVIi<^D?en{-_d$f(RK3IABRD+yOAr*@Z*>XCWY+|{@@N|*++?jY6v8IRA zuaH>YrdJ`cQlieU6{Ve5kmKO)#L9``;{feAs6u_Ue^pfbS3|Y?J*ak%LbZ2w%Ii3& zfjSOqCWeoLTEuGq+Nk5;Ues|=2X!2ipCs5ykcoL^F-=|RTCAP$9&M&P{-)nsu^<9f+usX~0 zEb9HjXskmVgALJxdQUJG*HS(X^&Vh6>U%C;)c-5aU+e_1A4s{dHSZfBihFzix->uiK;g>kimE zt7GDewm-cft(}qn`lZCqq-SJxl9rCvU%!m%uU|aV+^`s>$F{dG5- zl=Zr8&vBvd|GPce&wD10W4o!p#?WS`mts5a!ttAlZ@DqjU-z-{>aSI9!&m(NZ^z3! 
ziT#+4ju)idyNT}+s~lRt{yyaj3o{ZwAYc7DTEG4ws$cJq>emOL`t^aRemxV_uZM7Y zC`(OE+N+QNlU}?NnA#(^(a8K zO<&=rue5rr64zM!u9h~xaJ)8gof}J?pVw2K@Bb%mq@A^&BJrlg&BWRc z$a-&0+=9z-yB$y4r0pNb`T3i~9q#!V?fm?$yZv^$+iw@@{Ja}=e*O-1e*T{FIzR70 zouBuz+#09sBi8wOKkEE^0Cj%;0d;;pi2A>)hfx0q?J(;9t{y@C-_;*c`^!=EaXvhT zDR><9|I<#O_M@Lr`_a#+{pciWKl%l=pPWMNKc`XK;S9^S#W|aJj#%3f*^hrsJnzOb zg6&g3!><1mFD6?5pZEvstN!YD)c#CNzkez5Phz#pWmLNmlm1uY-^6Mk)O~@(D@<4I zf#hFJ{MU_f;wHzg)A`=le~H)K{sQ^l*Nw!RZhwK1gIRuEH>>|Hq`vlRCn>yNMxfkB9p@V2NIV^DoL#U1KB@HCzZnGct?`@?=sT%4`lx+n^Z0- z+<&9(A9qq;?Qs{XJ<6lnp#rKMDx%iE66Ljj+>P2lDkp{ak1E7!kE*EsqZ(@exCga= zL}7^az1@%3NOG#b7hZqs*K09-_3O1s*ZqlmF@7ffzgw;@?#-%~6z-?%OIsgg{Tn7d zO?@3N$ocqwi*-IGCjY^tM&zq~ko<>|9wt^k+WGns$`uwiPHIBF&ev$?>qk-N>&H;% z>!zslbu-lYx;g56{Wwk!wa|PyUq2yj`859`&QnP($uBXJ{@<3Tl`Wr^hkR@IXHf0_ zEag0()Bj^n+UNFp&qJ*JBNlbui?iv{|D*N~uf@J3Klz%^Z3D#GZ-O@8grr2~qjo~t zB`GPHSj&M-H#I2*mt(r^H)+z=1KDp{Cq3uxH)#7!8+ZBJy37AOYQJfR+HcyU_L~lr z*M8Fxwcotp?l&(IYrlC3wcm6??KhoK`_0R!_IL#s@Vjjn>=fRQ?0!>MrlbF#_8M+< z=>N&T@Co<-i8m0lf7m#rM^bpa)e|-TdIL31>V*TbH)@>mW>R>Z@fNYhEqzem!Fn4t zZt9C2=kxp@YTVQhHEv=)gZ19}dr9H<*okkyhiv=H2P~KNmk&|E;3&%|{Y!Uay2_VZ#6>&KbFrbBGU%V3U&nzX|Ztn)v|(ML>I$I(#IbsP=DD&!Bx zC>(*RHxgBE6zV?UXxy7M#y!5q{_pW+Q_V)*r<#Mh zPxU$KKHXf@eY!7D_vz-L?$gaj-KYB!b)Rkl>OS39sQYxeSZw&hq&$oqwJ>QJ`+J}4 zMM;a@{T;baw+4bD^$n=;`bN}#w+S^~-;CPtwxIUAt*G((Hq>~1J8HcC4Qjl; z12ta%7Bybqi5jo(LXFpVqsHssp~maqqxSnf*gI=)(tg&bLujA0^+Cq#2a*nwo{{x~ zv~;xN=n(2SI_w@tM~F3E{}DA_KZ+W!A484TkK?4Q6Sm)t3;p!J`(2gk3+VstJoQUb zL~{7Ng`B@nTdeapG3T+fN$1!Pbsj_Ve@!}1tbDZd`vs;`Sa>n%H}Z9UM?1g&jyk{p zfjYlmLY?0)qmI`5vChv(d@HGtSohPA^>C7zo~?&ee_RCBFBD}y^O#OCT!_VS8AhVcA0@CT`&CIS zgQcup$|RS@B2Jm)vb5V;=MHJ(B*kl-a>?pnG;X@x&)h}6`kC^mex`!er~gOwGnFj9 zJGnCXTF={7vGl6R)kxR+-u50#k4mmiy4L%)H7vbmaxK!e{Pqn>$~lPEMLRq2Dls_V7qh(-6w6kpe={ollfqBqvY^-2d&?F$Zg+;-S&M1)o(RM z^;=C){nn$DSHJZbs^4l#yJ?bfIh6teEim4!Q_Co zb1*s4wts@O?X7r?la$PO%;NCjyz3>3` zMt!&cO+1Qkp}yPS2lbuiw{dS)-(>n<_Oo}S?PqBH{_#ELTNrvjIU_mTKO+6( 
z2gx5MhxeKhoZjEI}G)G-r?99N1(pXI}%^SQK;|ljz;xEV^ICjSX4jsF{&RLhw6tu zLG?qQqWYonsD5Yysvnw&>W3zw`k~KI{m^7oKQsl^4^2h&L(@?G&~#KkGy~NS%|!J> zv#@v8?Bvhw_?{!J-H~>in>>&7jI1xDrK9yj^HKfKm&xJr+yY|tLtml#p*9hw4kzca&mX<70vwzJ07NdL3KV)Z}75iuN} ztL%7OoxFx}>Zg!$Ym?Uzs~lQCwVrZ?g&UGLlCORWt)JS2>ZdlN`l&6berhYKpW24% zr?%tt&^MYt{nQR=?Sd@lPFpU`pV*G?-KgXHJL>5?^F7vMdH3MMxYy1f`;zw)2Z^QD z=YSjkfGvm*+VqbkAF}dCk`H5X=ZN(${+u7BJ;!&upE*W7^)ts&{mcog$MwI}Xg)Nd6s{<7L~wE=g-Iq~G{6`7gKMKe3)OEFqWTRdh4VT0Ln2VyqX=qy6h&>1VyN~mj@k~9sO?e$ zmk*);$2gvUEQK40OXChKgZuCfJc?ygoGP`bS1v{EQa5gzpI`(J%N>j?KUul*S?pK;) zS;{|-d$U^T|9aCuJRxmAy4^oKl@jhBT2j9-)GFoalyLum^bgOZJev~kA28Cx^<^~H z;(8$lBbdGi^*cc<>i2;-)b9cD$cIh`dQsOyKCC^Q{vWT;;r>7B`YVXtF#$_aJ`wf% zK@#fvDH(PBl!Cf`N=02irJ=5$(oxq>tx?xc&tb9QZByD{G_m)DdF`- zuAkbcbZ}$j`l(~e3vP^DKfS1W)=tRvQ>T=dNsk)dSz0>U_2et4>&Y&t>&RD8*O6UO z*O9NGt|Pmlt|MPZT}O6DT}SpnT}SprT}Qrwov;_G-|LO)_ufSHdvBroy*{XZ?`>4S z*B90Ay@Tra`l0&0cTxS`d#HZzeN?}ff$H}@K=pecqWZo5sD5t%s^1%k>i05H{ay%r zXJw@fqCGlYlyUTw0`d+RKGVgCEV`~BUZmR9M$iQK=pegQT^U1 zoRl@%_SYa=d?>@+JGH&Ywts^@+vmuZYPXpE7}bollYci7Atam5O>e>MZvpUp(|XR~m6Xtw4{e>O+j`l4NT&9(E<7b)|I z^?&1#<(hBHspX=aofj6M&I?~r?k44OQRmk@mTM);wGaz%5$5A!@()sOiA^s*WvR_4 zKc#^D739n1c)LGaMtSvT%TfK=ig5XXD^b@?t1MofvW9#u=WW*#tG`-DeuT3=WdqBp z_D153DVvD39>{dJq-@6JxXt#9t94k@e3KHs&Oz(1cDU>Rt-Jm^QRl;5sPo`% z)Oq$h%B#Qn9@Ss%Vg1x!?IqTEcOR<1+K=k54xsw0A5iUhkn(EBL&Q5+zr(l-kD#uD zenedd9YtLS9i#kG${#1z|EW7ctoHv2)&4(|?xp@oOu}DqAD%*Om(%zop0Rd1mvYwH z_gu=a)YtZr+CJfa=wiwR>o+c@{LcESpZE>6KM>QO{E>2*SnYBN)h@)O|C#a^vDyde zAO24Hhxw{Kko+qtSKSyX_ixHI(sf-U`TalTy1N`$H7fIF$_=Y`Q~ixCAI@Fo(Eq16 zbH7IV3+rbhQp5dBk<@TMQxxt0|KQ%N;;G?&CQ{n=N4pXghOz8gQn%A^lP zE%(%{s;Sjd!~Giad&fPgQK{j64XuBooLw)~AlCiFnv^RH)k>}H)Zcw`eKbF{= z`mI)|e(Pyezx52N-+C6+Z$+c}tr%3lhF?K{ap&Gze`2+cWJ2pE*;h1wMO-K&!PIeHmLrtEvmnJ z9@XEqL-lvhE4e^>;5}@2pO#FVn6aLY<|xE7IS+lKLv?8ChMV zrK9zCT~YnrYpLP>t{buXyVp_uU3XM}*8|nx^~6b8Z`koOF4XIPj~~vrZ>E04{-^UV z(x3IQSp69>`F&I0Az$ZXB)?zkyTr;z>+jy9Tw&q+sTt&}zeDTqK0x(%AENrZ{;2+L 
z0II(mi0bb$ae64E`O@EINn2mE{%#P{=lB2AA;juOkmbs;<j>2ObtLNiJBs`YOlP!BXKd;ioBr6;kI7#`zFdsA`?*gjuYT@RR6jS~%G3X& z`nib~PfGoad@bK?Cll-ZF@^jHXKLy+mQU@B#M4t}5Nr97>CQ@>iOX@0?GLl1wFA=6 zeV#fuHQdi(#DPri|GVow&t32NsPp-ksPp*()Oq|X%B!EtMfG!ete^V1g~U3qFGBTm zi&6dD5>!986xEOAqx!J|R6q7Ls(qI+9kuUrRQs+VeZ)MT|0AC6tV&%?tmojQ-k)59 z>fhF40N0`Vx%Jq2HvK>Kw0$-btAE^ty1%y>wY|1jyKPI|YVEx(bvxy?y`;8RxZnFW zbw{fDsc%zvvHt4!cB1wRV$ye~eow4+`VQ4j#H8;@-Ak-~oM zKYhPrU;G2##Y?E?#V(_s7yA?SJlS8U=f?g<{XeyTQ2*cU3hMv6UB&0{U)2A1yN3Ed zf&Zb_<2q_RZlIp8zlnRZZn^z<;s2h8tbdG13-^yj($qf|O)Hib?pKliv3Oc!TDV_D z`#rM+>Upw~sD7Xn>N)PxsQ#b~>i4EQQ2$@3EEZvT%3%q-6ZL;c?n3n&<#7P(UjdH} zqyI|HpDSjwY^*`hR0pQ1>&dVn4P^HPrpgdrN)=ha3wy7 zYq1gPe&<7|>+6S6zso&>x_)kq8fP>?jWZrajWZrYjWe2}#u?2})jgv{=%khI^!? zqm47-P~(hv)HuV78fW;>p8rRUGXkh_Mi4d5NI;D<5>exfB-A(~88yyGL5(v~QR9p> z>__{gqyB$GYaEErp`L4OgLLBm*@L`2aNz`4BY@>5r4L2BdLbqn{rrZF)$57)qPPajyOm8E0f$tZ@c0 z`GeDjkgxs{$>7digTS!X&Qh1@9(r*$k#Y*D{36J&Fa(t+j{W(zr{P!z9nDV z>9#v9eOKCU(zU&A`yH{K>;E40y~#azIfwq=%I{0tPps{D+XKXUF7gM4e=efNJHMgEJHMmGIe$=IMwHsOS?|2?Ivfkf84-Fa&D&GV!rxr z0@{81LezbGCp~=MJ_2>$z6k2ReNohX`(k)At9W|J^zeQinXdi1gkoz4jA)fpD!oj) z+OM>q!#J-IQ0Km&AB(d zj+-xa{MAK0H(C$%+-QB&bE6GV&zm;Hg|yFo_)pdY>Gxx&><7{xWO=V~zQu@lSdKCaLw&v`~#dnnFzqSG0_TO1z8$EJJIHSUg0 zk7xecpW{&bGcoDjbU(57YaeRACMG?Q9wgTOjf~?H(i54F_GctNDLvVZk>62L($grf z>8GNmPfWe^^tQyBerq@XIn;dGxaG)azkEKuBXN=J4(aV|zih9V{j!5(I`sb-mHA@& z3)lo-wt6o~J5P7AdYu*9{*2V?n*Iv*z%Ev=Yx=7gMf@7|^d7E^&+L}|I_bI&kqxuE zr}wn>>>;f^k$Sz--@qow^#<+TTUtKab;esvPuCfJ(!iXe5+?(}&y887Fp$uv3fi|xHFg-l3@6YrLLj%$WriaJ%$hbZ;J(M0E*Q1T! 
zvQYn*GaEHt8iX1z4MvTZhM>kvIjHf{N2u}AP}F#77;3yU95r4Vff_H3M2(k5p~g$2 zQRAgCsPWQR)OhJ*)OcweYP|FbYP|F*YP>WaduL5ZpTu_S5Sl1$eUb6fXX#T&=llQC z($U6CQ&HokY3bqd(sW{tmu8^GOEXd9rCF%)(rlcRHOJa@TUtIs&`HTLaboFOnq57L#I}Y>G7t-$PZ;Ti(gEKOg6%dx=LFJFeY zC+T}KzfND49`0|@`kUp{*YUFgb^NSE9XG2`$IEKe@wkTa>TlMf`kQs^r|NIk6YKcg zfa-5HqWYUnsQzX%PUpP01>a`>+lnRGKenOzm+h$g3*Xps?MUBA+;%qoKXyRHz2|WK zk2){!X1>)OuKzL0`96IQ={he%H)U_zKH&2-|%@ z|BtT|A3ymriUjF~~uiUJH zfq$|7dd~Ro^zeQ2e`ue(sdptkd|&-4>c0BFq-+1WhI$V9_Hlom{a5$9Z?OJ_p_}Qq z+~XcO?hDhM*5TtG?Rq`}bv<7Md(sX?QP=0i@M+e&IO@J{B$KK&@c(gj-|=40|KtCkrIIb7anh6$Elm_ErBEto&)1nD z6(JOLUgxBP7D|LPWn>fCLiVa`C9<x5w-0_xAhzb-mo5dp;ib$K&~YzFukR zEz(o>4bl!iEWKqMBkkZ;>8;}!X$QA)zHpx*?cjFl?HQgn^KcErF|>n^K-<9`&~|V~ zv>kjT+79l7wu6sC+rdYp?cmO6JGcwl4(^J!gS(;a;O=NU_!zVu+yk>Yjy=(Sm0oDS zL2tCZ+Xrp$_C?#f$D-}sdql5uAC;%4{+Fx*pWyl%gYo-V zRkt(W+38W$O1vW7a(!$%hH@ThFOLhc?d8mCFSH*?Ef8X=hegw>4%<)qo@~V z;l9MPu`$lU<~W!Ax-GgU{aRwne@w1m{_BYS?t32ba^m^K!v=1EJ+ar@+vxT7Z@eLnH=_00 zJ4|0EdN=(&j)!>@62G7R0kPL5vi%>We~4>v6Z@Z+{8+>OW1amt|C{ju`~(}}7F=KX zY5HgBseB4UKDCwQnooU>Uguw+`P7$aKJ^uvPkqhw=2PFG`P8@UxB1jIV)Lo*(0uB9 zG@tqb&8L3EC%IpK!WZyod<}oWxA9keAAiHm_&a+1wxjpi4zwM-6Kx0ofwqHp#rNNz zXnFKkTps<+c<;yE=>7N)dOy~p_hXcix*zLgct6(7*n`;n5ySmhkJ$UMKC$;>17h#T zJ<)V)+i@K-j?741Cmqr2gqY!-GL9zpdN~Tc zUWggqIim})*A3FX?3&Sy<$IkVXXqo zjxl*tbZo})ET;qK?Kn(hxx}omUk2^V&_2bszmV76JT>)uPA6uhe$VM7^gZ?g*c$)M zn+Ij2euwE~^!J(uqrcBI1dH+C>4vf%^Xp*@H@`j={r#rX(D_bB^XTDdemw$R&Kc-( zMxyVTj6(D2(dh3&orxQ&(lb~O_j87Z`x!&KHY+2Q-)6J^+GI{fZbqtIi{!U?8TlEh z{1!ugTY%=bg*c!5stEo4rUd$XPQ_?mT7o{mDn;|sGCY;>bN0!@YIZHag5}_l^Mx6M)Ke) z=L^Rf$%Ch7%wTxh%quhu$B+ltpn33>XdZkOng?Hv=D{=3Ja`tG2hT?H;5ld>JQvM_ zuR-(RYtcOTIy4WShvvca(fs#%H2+fabL~qIvB?G_So0&1-K)^V(amCoV$s z+FQ}Qb}^dQE zcVfsp*P(gmi)h~Y5}J3ujOLxMpn2!3xH$Qm>m?6)UBmvm{<_hd8E-M(-vvVAw=*^n z@41xvAAN2>%%KWL~|jTb~eW&9k+>hC}Og8oj@ulUmv>VNFS@ZYf~ZV$`- zBV$Kc?jIRDv3~SN#-EHIR$?ie`ov^ru#eNAJ%tcv|GdajjxYtGos8?tk$n} z(E7D5TEFg*86|Is>Sfj^wtm%i<{La0T3@+mX2Z->-h?4<+AA}4T=zzg>po~bxG!1{ 
z?uXWY`!l_H(*bDSbRg?7Z)!wreRvR>H#J7{ri0PE=@9fh9g3c(Cg^!;ik_!t=y__6 zo~JbQJhed2(_!d&YUyzDpjNDRbksVt4YB*Dp1-!49>2pg+hJWig6S4U?KK=f;{{QN z%#Lxa{yx-^==tk}{vOs*= z(?i4gM7F0-X0I?^pUmE2x;~l5GF^I2Uk%SkjLi#=L-WGp(Y&x99(g70fAsvF5SDjR z=80i>CuI&~e{PHhXxKmF>!U%LC&#gReGEpgk0I#waSGGj5Dm>7M(puZ^RH9U-vLWK zM;M-YdZzi!@XRyVPV?#!==DL&@R6CLiM>unq1Op9!_Ul2C-!cn0Y~%{=&>jVf;lJ#v|h|$-Fp>za(=C&kRrv9(wEywH{is*4KjwKe7;c_d zgKb&PmFVwaU4_24bTxLyndo-RLbqc!x*c=S?U;*h$2I77T#IhUb?A1?L$_l-`d-!b z*qz}E(D$ouK;N&r5$(@ih(m~PLf^-_8GV217WBQVMQFe6t>|-;#c03n613lTDcWzl z4DGjFj`rKGK>KZPLyyNwG+(_PH&oq`naWS^)KJg;o1d=AOy#F{bKGi^_hjCinaWR* z{Pe!e`!iGdDTd$idH{Xz=|S}UrHAkwd>AL-YMg|RU=xnRqv-F8t}({P(0uiAtYNw* z@LclBC(-w!p28N)_cWT1K7+mw^(^|n(^~wH`JO}b+UL>tZ(cy($61HIhw~!(KGjPO z$CuIfvtD8U+DFv?#OANBq513UX#V;Jn!mn@=C5y|`Rm(g{<-#^j*-@nj2 z`EN8&-i_wT|DbttEt)4sS*bj^4w@&|Mf2o6&^);wnkUys^W+9-p1dcTCpSd%_Jh?fVC#T`Usuo$^pYxK3X;>bH{@hksss7y7xPgA4EM>5{L5*gnq>nLK!W5}nEX1dzi&RJa;Z$6D7pYDq0 z)7{W~x;vUrAA{!8Jq5`s+r0vyNxHzdLp;%WoSU7ve$G2M#w+ z?iZ%(pLGJU@6#ajotSkJvH3Kz9|OXExgRVy)YF5|dirFh^Y?HDEx{_p!w<&3w#v;yrf9TVoK{g3vSo*m+Ivc@sq^D&m?w2jUUvFGF8;p4;b z30ddG>qE}R`B@W*JwN|?0kQ8pU5GwMz9>vLDeGcl&)dIVLTo?jrHtqIf3v1=Tx|a# z@nu<;6MJ5f?Vgr371v-g+<%oCt|ug~uga>vADhl3(0}BZ+Uu9J~d~a1o}@p#DdH*J-iCsRx(f9P;C(IG*X2 zVSSG8a`b(u6}S;^!%G;y5`8b~cB~@4183l!cop7-Ue~M8>-ui=y1oZ}-|Ai*f%l>B z6Wxzq?+>8wFFhC^w}-G*^l;W{hI{>}{}1#C`u{+WqWz<5m~KGySk~k5bn0{VCm7x$ zqW;IU=&7uy$K_Sg8j z=$)*0;~2S~-_Lq4O#gn?hm4;WeV}1_<7=ajvi|??F>TJ;lx5z%Icp2s;dT58dL0up z{L`$h#9q&zq1Q7p!#~gZg4pXCX@7i~^%d*!I!4BSo%Kx|Bh!7GwTzTdNUg#FsCVK_41A6YxYe1Bw- z_p{%-G>pg44)`l8YO$4k^>2I-cjF^S{TK4~T4M9|C_9z6*Fp34y4k7u_dxUgdJH$; zua7RT0Zzv~@fq^YhG;n*nPjppI|;CkE_&ENM!^Y;DGy!`<5yNCnPJi8H^ryqoV zAJG`i(+@`T_Cv4|4@L9(CO8Y5qQA4!41J%YIWE97T!<}j5gvw1uqFEbR4ZJCt?@o= zgC3{0=y7U?kK^I^6t>6b@CbYnJK!tW5#PWg@oVga-{DdC6CRDfVQ1V>)g{|}Brn-j z|IJ52{@*=2mH!`uJ18%Dpzm+=pPZfAJ|yoRoINCtk-Ynq z?4fat}iRRr|Xx^QT=G{4H-kpo)-Fax@0<_(AA=(bR2yK5&!dZAR&c#d6cEY8&04L)@oPvvHU6wtS^RRr@ 
zZdhIZvNv|U+=wkwn9`#Dv3FIMA2I30Z+as@tvGw=nh!B_E0T#r}b`*<~O#+kSk zXW>^k8^6anX!~+5?!;^GFT55b_WL^Yxy(G=3+JQlrR&l6g%)5Vya5lz8`1AT7IJ^s z{=A9UcJIx2KHh@1Qy1Z6ycH{PF;2%Ncr`A?*|-d^!{xXDSK!Tf8{Ud5aXH?Ocj6uB z^PfA>?||+?zXMu@kK^6w^PPLp=R)^#-yY6(-bZZv?0&R;_5j*Gdk}4(J%qN;9!8&I ztVY{skD%?dN744#8nk`(7}`F29BrRHfws?{MB8Uiq3yG$(e~LhX#4D0w0*V~ZJ#}d z6RMuiUdMHlmwZ9Pb%WdwFJ`~Y@X1v#X&8>7efA34K6^Dg)joTT*!J1$X#4C9w0-s_ z+CF;=7goI;%ENid_5UpotFPgGhV9wb_wQt5$Y+uE)q5efeU%#jLH37?H@`*3f0X?( zvEwnczc#U)+S<+8pD^C`7l!uN7PS5KDcb(}3~hgHMcZGWqwTLRaB=cW*Gv2BD-HYY z`s+sDWPita^ZjpGe%okUh|Sj=Zu{%|Fx?N?KN6eYBkhIN(|!uWf6o4e;r>6pPG$OE zaR&az_&U+=VSn8}))(@Z9ccctlj-W-M*AQ8QJ(K&xbG$ZN!*6{|H5;w_+{$fcqHR@ zV-Nf%p01YI|7nbJQvcIf2VG8G++DRtPJ^7(`_c7sDF3VL8;AWywrj7PJ+Uq}#QJD^ zX;{tP8v3mnjh+X`GX4e_&{T9L#o@w;h7+ z_n~OM)&$Mhnxc7HGp4uw(HuX;G&EmpfwnsiL)#rK(RN2Gv|Z5}ZCA8G+ZAomtVdMD+hbPr@o3fVM{l;$j?xtMFu8jf3$i9D*<5Dfl)HMSnkP7=DhY z;`ewO`hTORqyINL9R0u15$OMoo`L?~=t%VcMn_>M9F6|p=$UvdrsE*Yz|%1kZO3I{ zA!g%Qn8W_JjB<1Gh&?_!m*M&7|B@D<*LxxQzobRDt*SUDfo0XjIVGG||CbcQcO9j; zy{bH?3=`GmITeiG#dr+=PdWzuf6}usqJ4fg?v3Z*!8jIM;<@PmmyW}(HRE$8upGa` zLGH8jaxNgQ%l4ih?z4%;;XcDU{cA4FnH27~i!^*!lZr3Rxj5W^m*!j&?!QZOrZD}m zn#mgOKjc20nsZs0ZfefuVY;a~wvWX|aN9}9{d7&vwZy)+ zqG^@a<;)AissF?L^K-6`V`O;?a&92@{zJacxH0D@Vz+l8y1m3~$IUs5iQV2?;_-{n z?Y=dhj`86+&XTa)WjRa3e9LlfV|%w%t;ku9Wz{Q;!*${C?Nztuti(k1?KyWcd{@;S z%KE7P8P4~AIrlQWZuLDmtHSxb+nDotkA~?qt@8ey`>;Dc9OipK!*%drnC~Iua2+7? 
zt;t!9WATwN-Zg@K9nVeL+0mJ*+ z&!YMFTD0Bp9NK^XJldXk0c}UDL)#HAqV0&6(00VjXglH+tT*$uoL8~IoY!(TvL6$x zU(b0X-VdZ5@n+6jag4Mh-p*Mc$4EP3gY$*`M%oeY=PG@jlv)_yBE3 ze2BImK0@0MAEWJuO=$aJGunRm1Z_WTLE8_XqV0#z(DuVtwEgfo+HUv)&C|X_^R%zf zJnd^VPx}VV)4oOXv~6gf_8pq1eUIj8KcIQqk7%Cu6Pl;}jOJ;-pn2M_XrA^Pny3Aa z=4so}JZ%S>r|rZERe$9C$??fc?$U64kUZ_LoZSqcT=lnx;TZC?f6zRwHYb&*MY*Xw ztqz)})kX8PJT`o+hof4u$^(BpI>dYn!|kJA9= zkB#*O6+(HdG~2dS6h2}?r_GNcVo!A zN1%E48ED=;63x3up?UXcH19qW7bnwQFV|g$hU+f1{;aS)uAev@mmKuC*&;`#3K-?Z5YN_#Lk# z>+^e~s@y32PFFR4&V18ZzTX{Pk(>JNXa@S-Q4PaAZj=KJw=&&TxhaW5Jv5VY!~UyT zY)@@+cJ7?qR6T^$LvwSl$xYQm80wpA(fZ~(v>uv=);sgjdgpqy-dTXwJ2#;9&W%`a z=1sW^vB8|1a+h&lCRX2^drN#?ka}lP?yYf*)H{oFm&7qr?<{q`a2}C*XL;^z3{RW6 zLc?$j_0CGP-nkvEckV#z&pXlj=PtDVS%ua=ccb;sJ!t)NFIxZHht@y$qxH`NX#Mjb zTK_zRpKx3sM(dx|X#MjDTK_zX)<0{|`sXpU{&^g&f1W_=pC{4!=P9)Qc^a*Moz|i!LeS4^&pWuV>fN~hdGEj1E%)aKxj%C~dB39V z{}5Xa5i@>M?qHdD5pM0%c(EWa_UR8ocana zr@ltZsc&#`@>|zSIkip0{$i^A&+_X=Kji*M>~lM0yM7AW>2@()D8GI|%dcOV&gVtH zh3U5E{vPJvp1YInn;Y%W(7rLA6aA6&C&ab6QC@0$ z{hiip2Hv8W6j^$Z{Lz?TKq}?>x`{UK;irDF^q-+cz(29a@LmV-^vaF%4>;rqgHusSnk}YwT9zqJSS?K*Dj8ABllk_FE}EveO{>l z^E$Gf?nei7KZvdW^Nu2Re>$Q2L(K4_^Ewl|Ur1iiC9f;Xbw7~t-SWD}F*4mTc|90z zUZ5SSd*<~H+to|Mc4E`C%D#Dh!u);n$QRh|V>OJ&Bd%tS;Kk#w_G2Rmnzp!VgB0W(7a)Jsd61D*H6tm zEiYBBW9Uyl9qsQOj^@)N(Ei*r&~j}gTCR;k%eB#HxppR6uBD^pS_WFKWuoO;7Fw=l zqvcu-TCU}yArMP_CVgmTTwarOLIj#FlI4qUG8+v|JmHmTMDmVbyuzIL}L-|KH;r^6Crn zQu*|S_-{VV|NrLA96 zx4gqp-X+oUt_m&hs?qXpI$GXcftGhOkpKU6y_9!XYB&z5^c0I`aH{~r1 z%eyJ>mT=x~*05bjd9*0+*0?;vP#!Igw{Jn1* zUc>Fg-p6;K<$ucOz{>*#g# zI(h@Wj^0GCqqlHz@@?14b+lf?`Evcd|DX2`!g@Z<+sgLOj6Ty)ei~mLeV+H9)4l`?C96L z--vymTHT-D(f!$u?#~W%e|F-b_y=Bg4gLSvg7{BtgMXp>`!{yN-RSq1|6q5l#hw`D zN6A@iSDpN*&Jg0d!~>!|^6L@XkE-@V*JpSOrfYy{(VqDYpXztT(9eD-wqv_e z^>VZPruo*R&GOTj&U(2ydOZ*`yhVOXV$aKA=y@S#c&q%@#GW6dUT%}$mgRb0kn!#E z507J{9&VrCA#Cpv8nz#)hmXwf7^Xim|EMs&lZNrga*odLOdPg1tglNx^>e7-G1SZ5 z818-DJwH_sAA@bVpL?M1XY@qhtL}xqpV1qA@1PI*yODj--;F#LeJ|oT+)#CVeyaZN 
zr{TW(xBfmMKUII9$a-s&C*=>wPu1T@{XH;$P=2cZ#_(Rk$>@8@gVFERhM?ccor3de zrwqj>xPFJB_57(giTybZ{a)^L^n1DC_%zdvz;BrE47A-e5`Eq~3Vq%?8vUKWGtuYT z>1dvif#wOBXr7RT<_Xzoo{)p)3At#VkcZ|8`DmU{faVE>Xr54n<_QTjPbfz7gc3AQ zC`I#xGBi&pNArXVG*1|V6ROV2KPTTj>1++h8QK4_`QsQqx$0aE!!hIuH7od5Mj#n~WZEZ5Yit*+H7|QW#v>cy~mg85T<@gM=9Irvk@hfq0@+#L$ zIexW<{dN6yqgnZL8SnGa*(|?pG$+KCD-37*t_j=g_A!09f3HLD-+9b8jO%4S4#(?p zG%mpYcmrBK-pF#ViWcVox4bsLxS8?h7q_7K#iFo1^#7yz#o`bz$zRTRw{L0KzGWeH z`~DriA`HJReFLT!Z(A>*YQT z#|g<#9>{+%Kh<8sP`^ABACHIQq)-z8KTb@0M z<|j{~`N`90z4HwET=rS?x$Ii>x$JZ3bJ^$d_S*Ye*WHs5(2&3BCbo#8jb`Fbn=ZDNn7`kZb(!>^1s&rYZe~012qIdJ( zBeq^tf0ylj^mo}lK%ZNt>VuE-KMLjU$N8H%KGp}D(Cdkq^7xbdPl-K_ThQZ3%<#|h zw-S3ik^12C{4ZFp#}66*W&T%jj7|G4|Jrgq?Ek;z__xe&IlhhZ*Y?zR*n|E3K9t8l z#O3ji|Gj@hzuV93pZ#vXV5f-oKkJG6)j~ho@7(|PqitvTwaFd%JLB>iDX;&?-xZhF z7|PQ>@kWlzU)YWH|BaTfyU}v=AG92;Ma$8sAXSdmLCev)XgRtET8`F3%hCF1Iobd% zNB2a_(S~R_x))lG?v0kC`=I6MzGykRA6ky?kCvkcpylX+IH9UhLE{3;(StPH7f3mJ zaKWJrpImi_hT#~>(I#j)+O!~5jy5B<9Bq!4qiJY4+5#;{55t93Eeos{=OtTdSRQh} zwkhaakh*`7apKT8?(d#mQq_FWc8c!}huUx>2u!-i$XNMz*I<*gm(1@!>i@7QN1o z!%fR*|A*=N7xWAB_b)h+?W&1R&~V=w&xlSc_`l`mK*n2c4noV#lf(Sf|7f{6gyH6! 
zr(h?puc3G}?@whUrf$IGxz-{nz2dUe_ZSUne@FU?kgVd5OfM3PuyVKgfF1 z3(mwfm>I5%3=PKvDKE1MvI|n>C5G}chxxtVbJ63Fhu-J;=zU&*-rt2xZ+TgSmX`^R zgXLv0vG;okT3(i-MLyANKdWf(hX`omVh1oR{-8oEPI6(FFyRXCY3NYm*8tDzF@yRB#E)bw4jg_mi06 zmljMRc7G?M`%BF5%L*gM9t`{SP{G42$Nfh3b9KQZ#I6UKe@(%oVR>r` z9uN1&V;Z&#xj&vLcrv~}Fx($c#oPCEynWB0*UPi$^|BVdPM%|W?~muv`{My5B#d@0I_AzE}P;`d;}j=zHbAqV2oi(0-lY(f8=Lqwm-6K;Ng| ziM~(&2l_t!F7$o+Khfj*7y3T>-{|}3yV3X2|3TkJuf+K5)%7&U1^ zIftyTUSa(>M%KGmVFUaS_ry)u5Vzpo@pRbYAC|ih*5!Qei}i6o^gQp6p63JbKs*rr zKDZG!!-McJY>XSK4ld++ATKyX!}X1!UD~8D)h=y{JGd{Jp?Okswxc$gR@kC2)viVI zq{9kZ7N**@7~bPmDL-3EORx-C{>JFLdTaW&Ufd-S>95$Jo~9q>8gj_Cj0 z9Esm!C;S z^gZzc^gZ!H^!@%KoK!{qkG|hujK0@jg1*;ZioVxhhP|;IeV@MqeV=~}`ab_z===O< zqwn*dgTBu{7JZ-pT=aeZaa@n>Bl`b|eLsBy`hNO(==66j-)2E>Cr(cG?pME*|e)?4O{q$+*`{|YF`{_ya z{q!pClf&80YGU65n~px0zXE+OKLdR(UxPlEzY={ee--*%{%Z8O{7kGjb9Uh@Y%phb z;q_cc6RYPG&W*1lk?Y~#h_TQ^$`|mZh{r5WB{(A#$|GkN} z|K38|e{bW2s`Z5%Ij?!i4I0iXa-82Oe2?LitKQWx97Fr>eYE}eL1C)>_aU+EzmL%N z-^XbCZxh=7+l&jVJ_+^7yyTYu)+gb4+h>JQqZM4gTk&@M9Ph#}@Lv29AHc8hVf-2& z#c%Ky{1%_UZTKvHhcDpw_%i;0ui=mQzvp>B7d9(O<#|Z{`fG^IUy19?X8PX?qdN0( zd!c#Yj>4UsXY)X0`acSH5j#DGeD_bLtF8U3@NdSO?_$Vzccc04KWM&Ni{`r#>oMQ0 zgXX(+adC2wBGym7TTjDrN7|tciuPi>{bhTyy=|k0A+{ff;f&wAXdlM=J%jo^!@lVE z4Ev$aarO_>9Z+;2@xx4q%-5)>G0VFmI!Hr%0vUdA(ILd|G93~hTGWKtb|rE=n!0`A zc&P27=4k$%#&p;4`%f)cZdLTl)WdK(wq*FcWxW4~ekaiy{Z66{`kh2u^gD@mEXViZ z4kz}#@%HF@<42(1Np!&7RUM0tVmja7K9b|ru)33RI9|y1btyVJY8jy9ZR0O^AG|x(R)sMvF8bsQ==1$PKskpULFl78W_iFf8HRLTPGS^baGh!;G$EQ?y_iz zhUFMfiG~&pi(~cs-)k>RouAW)?O!|{?Oz;@_Aib=`xnn(e%loziPu+-DjHpsYR_Y6 zubj#8@qDJE=Q9IsuVkX_l`OQqlFjtCS8~wyN-o+?$wS*I`Di<(0BxrfqSr+c>#yc| zNTAn8F($Eu@jEzfrSbNa5&L~cIr@D@1^Ru)81%W=Sxna=qW;IU=$xXl4EH#z-)Ef5 z@aBvkhs~n#MHAxj>h~Gvq2FhmkA9yq5&b^n0<^#3LiBx>i_rI3CZXSLT#SCVaS8f; z%B5&O=w$SGPeG5zW$5=Dm!scvOhv!vn1+7OQHg%fkwm}es6xNzs7Al%n2vtWaRvH4 z#|-p)jvDlPjw{jcIj%y#=eQdEo?|BZJ;yBcdyd)Y_Z)N3?>Xk8?Zs=*?>VkTzvs9P z{hnhU$E#&Dzvy~mkEhyCynyrWeR%`={_c$o_xp~8=zV$3iLaj+mQGFi&i4<{}Mr zuBqv5-dRQzPo+@yw`g{ewK3_$T=WFP9 
zP_J_yz0cnu_ISUE9_P2v}JQv9ahKw!?NPGXJ|p@5M2){P&AKh+|}V z9~ONS$H;O&F4`2w$nrNAeGqWT>1komv*7$(VrYI%cH+AE&97?x6`vfYI*bz!!3_$u~`%) z>LgO*)$6e?wqyD|us`dohl8;`T7EY`>ynAnThklGzr+a)-&NIL znVz|(3bEsj(<)06#n>H7 zncnMP8z##VW5RIi|1cf(KaOQP9p0h(ti(Ctx;$IM^@S|&+{9Syj#H+2-Hy{R9z*}- zgarMF+()b9_+ICw?FfOc>IO9q3WUp)6qVfq~UlY_sb=T+017@G14BG9Aeu8 z#EiczaXI5{FCgQmCZ-WP9z%PflIeKd4uL)pJ-4A1{DJpV`A3p3F6LJitp zxDt8(?|Nx3T&-dIQtO`;w#W4ohwFI`dOgo&KJWW$h^H>4{wJP;e@soiA2^TL{_^=~ zfBE&HT%i6(`^#@&xc%ifhW%WaxQXR>9FYCKIdKcI>qX|jHL)lx@7BZ;wlgoeSi^QA z`RCHavP3HX#E^e3XMXR$73lWfhTeB8(fjRo^!~qt>CHdyMDwk?IF8nLtB5TR?nd*_ zd(b@eUNjHA4}I_Ne)Kpz!16o}4-!{n=lHsKnBiU*tK;k95w!pM(QsX?iLZ;t{(D`7 z{?I29ss7L>nZGvqRO0DGsy`Iz4}B)_Y$DYkilIMmE!yAq9NJItJlaq20@_co4(%s+ z5$z{<3GF9%8SN){1??wz740W@4ecj*9qlK01MMex6YVE>3+*R(8|^1pkMGTY z`rVcIGroQ?T)%%Yzt`{I==HlBy?*~euiskq`i+WH*KZy4`mI}>x_$d@V{qBjjU${=$-o1)j6{ofzDQETxvE>Xg#|)(pyf{ohEL`>ct`X+9vPP3srV?C=Xpf- z`{?4%#I6rnPS@ftxCXnkoq5S_8nzQTkH-}EC{C3_7|vtQcsqN=+u0jK{g0l?Z9u33`i3g$i{mE#4KN!vLIp1}P z7@w+th87pFe)ktSucwCC^GeMApI$ti@$Nq|enjyZ#E!>s-bXTBZSAPy(eZi5aNf^E z&wDz0-ZRkio{66KEcCo**c)XYB-*$_2-A}as9;Md>5kUyNLNLcN3Vs^nd5Q zgxK?5ik|l}w$Jlkj-K}lhI_upg#A0K_-vNv{v-Q)PVrb`*N4nMuK3)rym7@7!ucMr zVf&EteO~eT@%hGZz9+`pc|p9L7oz9;BJ_MuLeKZbOz-)=1U=uE#^-x7vFCdVdcH41 z&-dl%`JRgI_cV0B+fPpABgx{_@7q@4(G0If|G!~6`aJFm?8fjJ*b{5e=XFo5(Td@Qeqt8E=;5b~0K4)EqK4)EyK4)El zK4-lRea^ZPea?D2dYtY+kI$Xx@wp2^wy*LQ(!mWw9^MnUgW*r&pZF9G z!KcyphMz&-8-5mj?!6YbvfStJeB$TPJmUrQIr%#DIr)p|^YNF^=i@J<&&OXupO3$a zJ|BM#eLns=`h5Hi^!fOk==1Tn(C6cCqu0rL^g7vqJ|EwRJ|BMvpTl?YMSKr^KK?%X zeEb9Sy7~}(-u)5!y!&JHdG{vtdG}@v&;N1#oGrzlay^;V{4>I51 z#k+}}4?}tT57X7w))q%B*LoI1d0Pi9Z|kDv?H*`(TMsR7>!amu16-WkvxM!Syltpq z`;l^T?~?r(@AH9uSbp1R-w@mGW;o;bFFAnme=OnoKl*z}2ZrH|N)96ao8icGjY|$8 z-g7D6|Dpd2VeIpRL&NwcB~6Ka&Y(VLXofy#XdX|O7N%=aau~7C8Ia|+ENRVlO^#Y= zXpbSo+my5=_BjI*w<|fE*yjvL+`gm(@yEnR;1(o4jNkut|HJWC^Q}&3{c;r3?c#ns zy2Sdtb4gd$dvVl7!+P~#euuOhHplMR29Lpx*aLfDPv*Nc>Q&O4*yE_jGrSKD#J>0$ z<>9eR*E%|`mKYW$>`r}ZhKLO9c6EPD{Lfg9o(BIn~i1wol!gbRJmz<2_ 
zs|S}1VZYvFI3_QlpZpYt-_7|Niu*I)FkDT1Dn5&+;j4H$zJtSYGmgNo@C@{SE=J-) zuIEv>3`d9KeP&5I@sq^r^_~&OnYfBL3w!fF1KH?voE-FbRCCeiIeF;woP6|oP669* z|3e|M{lrCRKXC$mo>Ppwt4d1Bna+OKQm*fY)n&%v`bN(8StS)=`_3vEgY}8eVZLEC zXKUzRHMZY$EZX09F52HW4(;z7k3P?tfIiPTFD&o;l8MAV&q1!Y3ra2|_IZwaelEh7 zIbV}F{uf0Tms~>Z^?=C>qf1LB$1x@^h^CZW7RPFRe>uyo6HP0b8kRq;B*}CWqe>0S zF`f`rl~l*EdL2y1!K~*B9ELM+IM(1uyb{y#D$K@zpa0Ax_W92&^m)W=wEu7p`ut}u z>$9DF4e|QQYfG*R_X+hs@w=7O{~S;6r}^mpbUm5}EkN_28_+!HMy59pT8QRBH=+5@ z&1n8}3!48dLi3+n(fe{S?#3lyy-Q1$vpp9_%QPGh_5NIe-k-Oj_vcEq+`1jTPwznQ z(>u}o@-FngT!r43ceC8q(LE*i5_`VX`|>{YzPum3FCRef%Lmc>@*%X}_hIz>uSWk@ zPU2{*Lp{Xgm5B^f}IpDtNbHM%3 z=Yad8&jAlWpJN<|J_l@sJ_kGqeGb?deGYhVsm}oqDLs_fx`Cx9GhKSkAPvs}jjhiHqvgmD^f}WhoR=06^*^RX z!%9zOxaUWG&U6~Xn=}4&Y!(eK9TAULpCg`uK1UphUf-k8>w7eMeV>V*k972Y&0sm! z7n#JKuPpRDWuxaQ2R%=@=y}S+H8b){3)m0yd}RK@(xNyqbC8ectj4ZdT zv^^YEg0`52xfPD1mFi_yH|5;U*46n&038GVj81ug$CL!TpFj@Bnr(dUTM z(EG0vEnkypxmAUp-)fGR=XW}$MOT#0aC-JfJ-;;!_xxUo&7!MHua3v7*Yiwl$Mmz% z=ZLe>=ZJIAJYX)G&s@X&lcH-&uOoK(NPaV~bbcJG&k?U@_=VAe(i`I8NSB2Zx z^PHQ)b$v_e&EdMfrSw*&n;0$9uzceQ(c;o2aje!yOVRpj8CpLsN1r3Ez{l9G+wfUj zi7(>q=>G)Vfj(!vljSy!?kZhH?0%@_)ZJ+QbPt+8-HYZ=_o4aI{b>I50GdBNhqV&mlyn4Q#Vz}q)X>1lf zQ~GQ?9-EA=TwD4A6fhE_A`d|^H*F~wY6WDe#3a%&luXz-{Sd9w+%1A@6h)1_h|e12ekeC zBlG*e%|D_4+x#=bCo}vPyc~bUO8gD0@pr7j?Kl&6;H=~yr8{vI{>gUFOYYLJ-N^qy z|5ds>4F6lhaHQQ{Tlx>K#5!fp7nNZckID1dp1Nh^gG*LV+k^N#VlsrLX_XDi>X-RE zvq4$IvQ%EaCz_WNGkmYIeTdD^_eS$`VutTqwjZ&1I`Z6g|FQ#EzWF&a{=l+Eag01y zJ*ccPv3WDH-b2a`4$~b{b|}LwPq69hl}*Z;5_`WR^EE4L9>++WR(2Tcwf)cn-A-cG z-?FSNvD?`y9^V?>-Zt@cjOTfDyRyT>^wj?hA5z)A>u9kzx2z zWu1`U|10al_-$34%Z|pf>dwX??{N6`s%~XnF;U&E>==gcs_L%HNBf`QyQ_MX^fU8NIZq9%dl_?{dTW?Y(<+ZG>x~!K@m8X>r4bz=gHVpd{pNbvP@lKDF zTf@sn61S=zq0E0qh#gPNc^p-i&hYN+|7i68i_b)#vpc*)bw*hh*W-jJQ$x9jOqWxZ zjomRXjL+3D9=T5P%L>B!ssC|sb!k~44#OfGjtLxz#h8vIn2qJk@A}Ko^J1Jfvs^z5E!WRR%k^{6a(ygXuAhsR>rS6nJ-%#0ygcn*d0yERo~Kye<31fC+W%$I zK8^4KY#m)#M*rY`K7YW_4?d}k{!iMi7o+{Xm*87?Dca9C8U3HVDY%j0m!bXJm!tix 
zQ_+6bX=uM`CEDMeMEk#4Px$_-n%MsM>1coa6=;9_49=td@il0F{FMy1KmICoyRJsJ zYbLr~voQSsABO+`L$_-#zK_?S{n6K={n6K<{nzs_{Qn=?k9$4Z-@gFu@4o@<@4pf4 z?_Y?c@Fujs|7Ntm{}!~re-YZ>e=B-C7Nh?+y#(#=UW)d!FGKr@m!tjPE71P$+tB{+ zm1uwY?Px#v9cVxJooGM!U1&e}DzqQ`ZnPi#9<(3)UbG+lKC~bFezYI_0rdPlh@PK^ z(0=fT(SGpNXg~NPXg~O)Xg~NGv>*I2^!z=Jp3f)H=NC_+&o7=rpI2fl!R;yScH`$hD*#!KjPkC$=%oL9>Ubyj}JN zeu!`4CVUIG;QDwvq+fi4*E{v|Mh)c_(oT7|Y_IZEe>hSvzaL`jW#e(thh-mee_7wF z{e>UnCfro!{F}=@VLkSXBlB-5`;^%EG1TjyF5I6{aaj|+~#&suYRXt`;m6o4`n|y-hS~PS$^B-rx2UJIoy8jUs!+L=-0B} ziT(fL-_ZXrCT95dvK_?scdPx~JJJ5`Kf?H3Wq%RRW&EGG0EwCJ@3Mc0ZzbN1E0CDs zwPjIxs$U$5>y+=oaU37j)lhyS!|RpTC$?W4i5ryfNo>D3a$Fmhvwz{Zs`c&OXnng6 z(@p07-WUD5#zyok89*B2hBfO4s>mamWtT8SiKA7z~m-BH5aj5^%e(EM@ zp57GKO>bV_498bDFHd9r_G4lA-`W=F|JELc{%>tdmNzzPRoqYH9ZiDvUv_<=m z+oAo(hok++?OCq%;}OL6FLXfr7doQ-$4BDss!rvdna=k5QCtTNtB*Dg*8y_8x|Mec z$FW;^SFBHb4D$`E>8_z&j>&VP9_2k5?)9OUa~=0W`^kHw{p5YZa{87ZOKd;6dfguv z$H$}nF0_|5GgZ3+*h4w3-jY+PrbI|^bv1otBxoCgJ zILzm`jYt1?ZUWk_Jr64wem>eCIuS3y3($U}3(^0zy9n*ioP_pUUX1ozUV>LK{!;Y* znT*~)Q_%b8GLDD$&*j8-5>Lf@a2nblP>J4GoP^N7T!r>8SEK#Q)6xFrE71Ps8EF4< z4cfnOCE71^723aiHF}-Q#C6kWm(RlS)w9dza9q7FG2EAP(fjfm^uD~7?Hn6jS3Zx} z^Q``#^nA2`;(D}yVgcITy@Ba%@7{=M(ZceZ81D6=ws&u4xb59ruvxUI{MLB9dY>;w zm$!uRUN1|rRkW;pc|4ukPrCx`r@amBr(KEm)83Bu)82vh)82`m_q)*Zz6w3>cccBZ z_n`f>_oDr@_o4l?_oLVG1L$@3Algs+5ZX`sFxpSM8vS155wxH7QM8|S4cbrp7}`(! zINDG91lmvgB-&5=6xvVwG}=%54BAioEZR@I7VW2f4(+FX9_^=n0qrMRhxXIHi1yRI zg!a?EjP}#M!trYvy;}YnvFAbU|9GAAZn^me+E4o?!|kVi3oS?AM$6IlxUFhq`35Yj z-dO$))7wvrp`Z3$wBPSNv|sRjwEyn|wEyozwEyoTwEyp8++MZ0d=n{j^`8{j^`A{aRmP*P5@(zhQay(<0^mx8>gxTkdZQ z<^FfZq1;FMX@4mHDU^FZYUrm;#lM#S9Lm98%YVW8(XZvdGySld-!#+*NO`%le0!K~ zXZemW-Oln|OqX8shlYMyq~7?m{4a)k{MCBnZ}j=cZuI%bKWIHti`FAiMXH{tgVrB) z(fVW$w4SJk))V#7dY}PXKkSLt7Y)(-eJ`}1Z*R1pZy&T=-WRPe_N$1JXGi;296;>$ zA@#?B6^-IpEe{W3_?W11#li7#q#ik>;?Ou&>yaiE9+zenO|dSfF&#y{hUFWRQdS%m z$7(-cOSGS_723bo8tuPp!}N`#wiWG&-9BA2#$?Rk#US% zkDV%xieu!uJi4ND93$6fmx``&j9jPPD!Rup(oR06q9<{y>K;Mc$Hep>_p9iIeXi

(Bk(v($Kx>%`^U@2(0_aa+OK#b+OK#L+OIf({TmPstQbV>{;TEe z$qcug9gJzwkcv~{@oG6cl;M`M!?0O&YK89yIzQ509$s;Jh3(wo6=$#=*1IFndY72t zBP&J|TmOzi>tAAqpIMPkY(0#$zcVT_S)cVUGCr#!JC2d*aw>8eZvTv?RpwXZh3WDu z3Ye}P+k>H>rZ5aoR21Q9m5GW{#&4@CsVK&>>JsBn?jY^|vWf~~x4RtOZer#eQ!$p< z?LI3We>S@P=fu-7p7Lj0#krWM9#=7e;k&BFYv@lv%8m0XE@XJ!>I*8)uP|SnXiT|r zfrjZct#VSuMab{}R7?)@U96$Jxg^YYsc|T8kol%oOu?~uS(tBX#pRerJdOD*kCFSR zvZ6YSr~VJ)>HkOjJsjSldV0kS&TCn8g@*HrEa%FK8sz_fDy|OWuhK9cnSW-*9M;pi za(2Zm?1;u*&&c-8t(Z^Tt8!k&HDS7W71v^a;_I*@I^OA#>+|}GDfEA|s$QVXe?y2J z?{NDg7FI+pdQr~Ygg?!v{>S5pZ$aDpi_rG3xpt=X_D|WqchX z=lQFOuj3fmp6@EY!4L6U+=Sb33w|F@hxBXwP?74__))`sn(Ej1xuVIKRKEt&FY#-L z?Ux{?e*3**JIk@(0vW%fVkfcVG4xyfLH$=-yQ|_)#@la!q2J;!wBO=ywBKSk+Hdg> z+HX;d_FF__?6;^hhV{{JQCGwExqjOJWAi!}$Hi>`&}_c*t@O7}JR5l|~0@SROL`pfQb!?QcNhgU1{~Y<~lCJPvjH z!tqec<)&!4+>GhW>zm_0+&5|1ko&3yHp0WueuI{1zS0WUO>Z-%HIA=tGo~%ev3-J} zzG&xgmUB2x#P)bG9)b23bU^zFI->mqN22`%omh_L>ruq!w@0J-ZD+KfpbPG<>N@5a zrZZpc#&K_0-Q74GcVs_%jp-5gzt@g9-B*UT>&nq~T?N{%8-q=FU+FA7h2wuV{z!k_IXH@VEVf|$xoA7+|50`4 z@iLbG!zYRLWUr&c0F3nIn=lS}04Um7-0w5K2-~v?`Ib zYLN<2I=|QJn(_F4e&?U(<9*-v+;h*pTtkp;Ko(lh&PMCmIcPmQ z7p-UKq4n&1w4Pmn*0T%I>rjO2#+QsP#%OuT=rNo(?_&)0`>|;G=XUh{u{+TE{W$dg zE=BKe3f@2W!g}w6 zsn|3!ZS?fycItVafu84k(E9aEw0=DctzX}Z*01kFufzT5b$9^14ztnv^>*{UBPu zeh95!&qeRgdFcH!AFW?6K(@`B_3Nk5 z`t{Rj{dy5vzg~>iub)Bd*UzH$>m_LYdMR4Jeh#f)KabY0UqI{EFQWD9m(cq4GR|L< z$jhUb6MG%h`)UQ(+w|rYw0`|6%dKC(hNeHSqv_8|+#P>o^eP-x{>JFlY;XM@re*HFDzg~~~;u}W4gCol~jDDB>S--|mzkUy`UvEU~*YBhC z>rH6=`UA9n{UKVv-i+3-w_w|eAC3N){aL?8(#uaqe@<+A`DsWmKQj*LB~riMI{M3y zj(wq_ew~Q7kKPv2we6$7!fKK2qrYbRJ`;CnNJo+McGu{gVY^+UzX{vz8vPyH4Vw6^ zhWfR!>FxLEbNB;V-~AD-@BW0Qf4kB2_-C%y&5>V5|4QujLel5oM(;_+YJK;2mXD0= z9sNggIg(EQIr^_;tftfZ!f_rLy+0i1fzb!qZbam74f{8~A#!N+Kgn3F@BWL{cMqfK z#eZnMw*q~yC6W>e@3mAy-)pIizSmL(tru5Kv0hv)r8=>{Lsv|wky0}yQ9ehW@1s(V zPR7XnQ!C||WQ^QLwNvUOW8{9Sn{sS2M((TQQjSl?$o*9><%DF6l>bjmsZZRr{G_1e zeq!pyO;Z|R$4O078e$hb8GB$O?2V1_Dm(=TVG|sV&64}aP%lo*2hbv=d5ZO#7AdE* z-u&q_G=Cyy`57s#h|Q;3qWKgt%Uh?MNo;1oXc|S 
ztJt*scY?4?}&mLs))6%K6Cn|C9?^zdPP3r6Z0i?_?aFW2D}7QA!tL zkGnH^+{ApYYf5)wkGorP{l)0LTf7?N^rSWo^R)|3CE^;MU*EWa-0dhW*?BEvP@ugHEzq}+h*aAa72 zqlWd!=Wj|G#rHHTy(Q&lY=y?&XUOs0nvzC*eramTZDG6Al+oCgI0ajw>)jr?U(-{@ zg!*cR^7+gVC+n-sm%MCTjO{v2Up6ia+Yo2t8FTmE!4nzko4F~G#!X2_^3Zx+K3ab& zKxt!P zeRMoJ&g@RKJ~{zCu8C+p_Aa!3Iti_x-i_8zC!_V#DQNw4D*8L7p~pELt)I?7>!!XjM_0h-CdifJ*z4S@6UiuV<`afDfU4+(87o+vlXVCiT zv*`6&g4R!$qV?0~(E91~X#MmB?1e8P`%hVxyswb&c{ycyGDg1dwUiaO6<@(^_$uze z*OS{}7^k)p9jCSm9jEpNdf%+ZY`$*|+AgpbtslRM){oyp>&NTR`tjRn{dhfYiNBMQ zsMl`L@H}If*Zw`8Gv~G6$bEex`+Ywp@&6+?VN>D{SYAZ_@*&nG-kg&7zmr>t9be0S z!aT1Zr$nl6qu%rh?q~U@=sd5V@%t*uK2O=2l9<;3nb+WplrK{f^BQ27*K->>FXvad zkMj6-JcK)N6!STLjm`tR6P*Y48+0DnUFbZp-=g!teuvKg_&qug><@T4&&Q7#;d%H8 zoj-IpZe{(?==`t0U=`N?iZ$>z96&qK9**<+2>CzprOdmq7ca*@@F#xnpV*i9FC2*b za2W1SiPX3W4-otR)c!{2Jw1rd8+!C^Tswt=Z!rDoj0}#I&W-Kbl%uz=zOuKqVvTzN9T)efzB6u8aBbxv4HgP z40L|jmgxMjt^Tch*Do{7#AdlouR?Aho%vFD)k#I`}_hi!|_4|^_-z;>yL`C;1= zJ3s7s==`u9(D`A{N9TvV0G%JUBRW59Cv<+;3(@&uFGA;s?TpS3+XbB;wkyuZZs`25 z7o+pTUV_dK+Z~-B_EL0y*dFNou$SQ~?1|0~+bcCOKkVhi&JWugogcOjIxp-M=)ACf z(RpF7MCXO=ht3Oo6;_?xKlN&?KCOT1Fz%C_@&Ty>llKWSFYGm`gOV{aFYMsdA;}n- z7j~$h3-=W=FYL9c!&%;F@^u=PW0)8AdURgc8_;=SN1*e<-iX_ABswqbP3XL^H>2~y z-h$2xI|`i__EvOW*xS%~VMn9$!lqzBJS{a9n@mkhO;1gf1CaD3Gc^O7Pt8n?CYK}E zdrWE!uf;4JgxT01bFeSwVlT|Y?wF5VumCT>LTryk*anO7Of12cI5zox80Le$9i4Cb z4s^chap-*0rRY4dWmuVXIF2W9pO<4p9FM2qo#^~86VUlzCZhAd+=U%*5<36O-RS%; zld&gGLFa#&iq8Ks4W0jGI$n!2(D`5PLFa#&iKB29I{(YP==?ADVJv=s>TIs_@UjOq zTxaC`&q;lVrLmq&3Gazk0lP{u@|A^u@|Sh{WGc0vc2uM$o5N8mlC@@ zhW6X%*sh}D`P3I!Z~HBV_S+ZH_S=`x_S`|ZnU`|WbH{dNT|D0{`@;CNrvaJ)$S z>FcR)u-^9DmF&NHWL1c*$FZFCt5eso-u6`_UYq(RvF*5OJMLR(JMKEPz4z^~-TKsb zh;7eBKDQzDJ@!95@~(z*HL`qT>ifjD=OXc@)DMXLKIHs-7|x&PhvN~~x0m*M-irEcfAhD5&7a9qZN zBRf*RPR43`?oPBl_Zzf5cNf~8`z`yo{_!2L?J3`*?I}N??YTc9{r{=Iu$}D_ySWZE z%YQZw*8%yRds2T5$FnE(H>^gym(TT?_`8O72xHq9{y@j~{E3e5`3oK2vkx6NydNDm zd?4)a@6?0DjvGeK@1fLxh#fbq)+7JLVVuXq{O)Tb|D{$Cd;PI&SR|5GDJ>CW+0aPk 
zv?|G1ZFi`e=J8igtA@P)msXSQhD2&;*pKnx$WduWCu2R*KJ0ZqhS+xE+Gsmm9kiXK zF4|6fET6Z1@HpblrN^h$OG~s9V`wKnAuVxVoQU2RC!zJ&`e^;N0b1{F$o94qpNzKi zHA3s(jnQ`EQ_yzeCTKfxQ*6xlH$&TTPsIWJ-sZTM>(GMZvi??F^QC-qiNb zmMpjZvlTXsv`#xSxn6DeJqsPrdN$hbdk(fCZiBY>wnf`}&qdpN+oA2f?a}t$^U!vt z4rqJt`M7R;$FvJDTHZ0O6TjR09z#3th3NIZ2yN%>jJET33D>V%TGw#>x}{yh@eYYx ztl{?<4~}$CyEGZA?XW%2cG%0%cG#Y1J8Uns9rkjx9kw^x4%-K9hrI%AhwY2D!(NHD z!}delU9UphU9U#lUHhZ$t^?3^*MVre>osV*>man9Ovp?Hik#uc*+C*a0wL8;H*CrT;bPZ{Dy({hRaDPqG(C(Uur>0E~ z_uJI8DOfEsHElZE_nA0NLwbj#D>Kt(gzaXg-4nK(nRYMR4VpMhL%XZ7>EeAD+W*n} z?g0$#|LA#}gZB44$n`Qkd5GBaIu|{k^U(7-A3dK7(DV5)u9)yh+M|4*?K8;d7p6Uy zjFJ66p7umCM)vn)+Ed9G+3(Y7i;^+2|HWy~BxB@zo=sbljFEI_Y1;F|P0ODP`n|-o zXTFm50(PAAO4^Iq1z*A*xD0#a%Xk$o$3eIPhvTcs{bOj)d=1S^ht9I?OeSoHT1^SR^GPa^jB)l05F0sWmP zCbwff>0g8N`Z%(@LHfxoKNxSQe4hND<%i>q(wnlpa(R>V#_6V8rx=rNHPNu0GXHOS zGi3hX^wY!Vnrle!T7=J?W*pKxSzc1-UOw(FRFK6WL(09&E! z-5yC#E==!2+_d~6<@23G?0RDE_pa$;D1t;h63>oHfM^_Z*C zdQ5+`9y0(JlnwNIsmENS;k+lle{eV+zn?hVH$&0;W*DE_Py6wad1J35Ucq+5(fRwX z=eR0!JU5{8_l;n=?Ta^t-!(G*Cidg+Mt9-L3J;>*8O&=BZcWe4+j%#??Z5oaX zDX*rar=};$s~F0wY02YDPaa!~1_|f5w9> z_xC-79^YJaKl9M``T1!3`~vj%JdC!_KZ4Gy_b7Uv7UCPkkKume$I zhj2OCf3gDYKY0ajX8EgVd;V)^d;aTaf6hv@e`OWgzw!p!ud*8LS6PG8aV^@f@+R7^ z@)p{!vJUN6c^mClS&#Osyo2_uY`~@XE_yxRL$BvXv|r_Yv|nWtuEh`VZTt}JSJ{kS z_bq7u$VX`Z$j4~E$S3G{%}>$(iOwt{SsfNC;BCJqWu!zq(_c=jqP^f3B=#BU9vx-{=E42=|7|=`WvwR-=op?-&$zww+>dFd~8NttUm47j0PFD{~nidd`9BBA??5QGEPXwNc-=J87C!Ur2V(Pp9|L+ zY5#4Q(TL@ZCZDWfIfnM%#@K}OehS)t-vpZzH%0q@nxXwRr=sop&Cz!K7HGTvX=uCt z>1ezD8ECtHOSE0T722-f8trE~6K&r=3vJ&&8%N+dSfBf#4W5i`@f184d(j`%4(*3( zkM={IhxS8tz}xYBEX51Z{-}<48lUfk_5)prwqss|tyta}&%rL3$8*vZ&m-=J7vaU& z4KKmVusim}OYth~fdla}9Ev^h2JD45?Ow4Hw>+RlFy+RlG7+RlFqe#>^F@K)kmF%56SEF6utr>CIp z>8WUYdK%gfmyY(sWuX0JnP@**6zwOA;k+qX89Cgy3#VjjxNkA^ljWlQWO-;mSw7lN zR)F@C6{7uQMQA@+G1^a7g7%Y*LHo(ZqWxsIqy1!ep#5ay(0;N~w4baD?I(+){bc26 zKiPP+pX^SwpK$`(Up5i#FS`p*!bxa<+1(k5^ldV+{a91beygcyztuFf-)cJAZ#4t$ zx4H-Ix0;FeTg^iIt?tG7cputtbwAo~^#Iy$H5=`>nuGRRJ&5*OJ%p=pF4}K3FC)=! 
zHJ|uL=8;=~_Io^x_TxN)_U}H5{{Os%Xg|nfXg|o~Xg|mkXg|o4Xg|nPXg|o)Xg|mz zv>#+K+7I#!+7I$9+7Ge>?FU(k_Jcf!_Jcf+_Jh2D_Jh2L_Jh2H_Jb@#`$1mDSbTZL zE8I83%T{Q(Z;#**+W)Z@=fvO4 zFh8AD_LheIV3_~@?Tp0#yIYUj=aB#7PTYXs;k&pS-^1T$$INg z80t@dq4lSIX#HtFT7No#)}Q`H>rV%9LD?aXi|h7}hUr@KcRnDxE{GG_>s%BOrcD_qp#dWKWYq3UHUo-P4V*88K{-UGN{-Ro8{V|z! zh@H=%HaedHG5f8Xc^t9x6&#DsS3u12<1xBx3uUkhp$k!^}w8 zHIW7y+98nTCucSyw!aC98)u$EY(E4NH_2>9>^#0r(RqA{xz49%a-KrHPi>cIfz~fi zW4lYZA5O>Kcm}q@me>zl;Q(xn)j2O`;t1lia1@@6by$85rVzKm7`DZHJQs_w9oi1o z9>)=%hvTsW*5~u*<7DCs_}v2|9Wy%-J5E{~vHn6l6)(awurr>8U9dfNMf;7qVJG5? z@lw15uf*;+7%#;eu?ME&WtfXS(fI><;aK9!aRTDUKn;}!TQ_Ql0`CBB6Huo|Dg z3Y{}|K`xJ{jkhyi5;)1_TycLVg6sV zAMbh$^Z#-^ZJ!xIZ2SC;X#4y~v>)##Wd7gGTiMR`?pt_{nE%%}JV(fVl9G8__}-Mv z(a8M2nQ45E`F}OEYa8#PoRN->Z_hx-w`X$Q21KHnF=DS9mi3QhWo8rm9IE4WbI|d* zx#;-ZyzqVbnFYlDPBncgOvXj%JP*a_JP#%4bsB??-yMsN-@QHT=Z?&A#E#ol)2Gs8 zT!xPCjic?F1@|GGEKvNjIW5y$h;>RtMe(%MCVhQh0dpRFFK#nedv5j_v4XyhV56JO>Dp7 z9JIaoL9}1-A@*;3%3R{jrSmf9XC~TdFtpPw;ClI-Ka4)-kD%=|kD~1~3( zn#a+0nkUfqnJ3ZqnWxb9nWxeAnMG(n#bUId;u*A`;#o8uS%T&-OVRY?IkcbRd6#qE zUqJgSUPSvVUPAjTmZAL>FQe(tay0!}fu=vNp!4Rwil#rWq3O@-xRlSWMAM&DX!`R8 zn*OXt)1NhH`m+{If8IpXpSRF-XC3ErVC3!0^~B!4>U?zX;8NCaKK5d zvk@JC{yr{e`6jeq;RCc^>O)+^^3C`jZo!Z7BixQ3qy31V;1K46_!NI+`DeHnKS%p5 zwqlt77prpLeu<4ZpWD!M<|{Ov*^Z_oJJ9syYc##tsqE()be`W`Xgc#P+OPB-I)46p zw14#nw14$Sv|r>Wv|nU5+Mn_>+CTCO=gt0+U$If-x6C~(_c>DgM}B9y{Udv^VdRg@ zKa=a#e%Qaze%O6zKkRpy5e>%V9}>tVE?^*^+qwF2#D zjYJdutd-Dy*2-uP6JwIx{$O+Lzx_u(r&w3Ke?PslzrsECJbi5(% zjyH;)jHAjMMH{od{j5lTL6hhyII_G+v?e4};rY-00`Go$7kXBmfl1L-F{C)ze@de}xoKWQRvA3c}l zl_Tw=?XVhlVEaB3&(n~fAfM|PJwI&MF?vDRu4D8PWBX<-~4}?uVK5sk%1caZ+t~$P;_uI zR`Z7;X#Ox1%^!xL`NOqn{%{?dKMcp=cs>5h@1lP#%zH2bo%i5Ibl!uJoWFskH$~e~ z-x*qZvvS>T(Xwi^8zTKBw?%K||3$XL6t*|t7>(u|#4JyZrW2cgq@no-G0QWenZ)KJ zNWV-p8smG-KallV(d=Z5Y?l+wWx4%E+Nd-yn$LREd!*l}AX>zBet#kQ{lx6IIC?v= z-(QkkKL$OHvB~XN&wlQRjtkq9|6{w-(r6jWTX3F`?< z=#22Z++)mnpQ&LxZB%++^j>U-bHeBD*YKP@5I#5CI6P;_=jKHp#B_Wpd~RNJE;b^b 
z&*v=vA@|>c=%Zmh`F~hX{*R6$ae2$~h0({u{r8xL`w`jClhG%z9X=h_Kc!(kHrQCY zD7u)~_lmS<`Sa0dun#_q{cs8P$E7$3pTlAJBA@sBUqH{3aih{@(U-6tzQ%Um|1YEW z|8n&HUxD8Lub}t;tLXjj_QT6xkFHGaPurEQijJXO+~-1_uXZ)tIbZD>Jb~|Bi~j$| zH_>{g^?v(T)mpZoAgyq@!Ef6F^8x4&fr+TZdn+TZdX+TXGf?QeM>?QhwH_P2b1 z_BVWp?QkomD*n#$ke2w;x?8GhcZ=(D@+EsRGxUVp@!+#g0eT?(;J^QOD`yu*cG|>-$ zw8Q@t-5pKz17K*s`x$L-{{>Itcl?UBFaL(NNAE$~qkl)+qxYii(SM-r(SM@t(0`%r z(EHGK=>2Fr^Z~RT`fs!y`XJg4eF$xb{s(P`{ugbBK8&_Q|A)4BRiN!%k(kF(IaUdq zOsyQN5=)$CZ9#)4bXPEhG@Io$!NP=BeY$vG1@M7 z3feB$1Z|gVinhx&L)+y}Mcd_?qwR7n&~~}g&~~}g(RR5r&~~|&XuDi1v|X+>#^Ptj z&W?HioTcIZLC)_vv9>HPiMP?P97DU@xoEpwyI7)Ku065sa_6D#avjii{qxcGxeIVk zykpG!bXHj>J#wFh_PL8Lx;`~TUF{{L8C)`$LomYa@TiJ|`=L;pX9{(lVp z{}}rJk^XP!Qps9|3BYr{x=lO|Az57%M;h)(L86)OYj2maAMyBxE_5E z;0E^NdjKQQ_W*7T%WsN}4BOolyP5r&zF?)rlSajE!SC_bibcX(fJCe-~rC-RP=q$Y4{(@ zr{jtVGh+8}{GNB@cxT3DC1d1x?v34-jFIEIKlVT}MviZGY)&#pj`P9TL&+F9-np@P z$r#C(=f@r2N_6Eo4eY6U_kBC{mI<}VB`)Lh&KM}M1 z&DdMS-dEV5Z|S<&+kBt*5wd=L?44wc4bn?D#NK0j_x~=se_}qjG4>&``+q;VeiQmV zA0)S9J@?b**p{$8`G45oN3l=C_MgN)4%>YaVy_p=+3#nuZ7e^(^vl@iVY@G5Td^zg z7h(G^!+N)8JI?=CG0Hn!_wCB(cZAsWF1LKMGZtyQiu;oEG{n2ukL82xSh>>(YuJn=iR`u+By{ha&J{`UiD|NGx)|NB9-|NRi!|Nal!|Nbx9|9%+lfBz4w zPL5<%VD)K{teRQ&zgNntoRvt2kpA~7SyhuU(*Is9t9mj<`rm8#xsYxl{qIL*)na+0 z$wzBgj-mhk7<3$BZS=i_I_P@|b)o_5RKy77$zhC=Bb1vPy{k-NoqdJ`#^f#$&^F zw`bi!?0GoiIAY5!rL3>Szxs%C9xS&Yae3BwV$TzDd=s+n#1(i~xIZUqxGqS!Wm4AN zS&4EBhH}f~{yQJde;1(F`C;@rKZ0K8N5geqnDrR3 z*I8{ZdmP8I-zUQPc`ED4a9*FvS`@DL(;BX?aj(eYtp7hBUXt}}migwAtmpXM=95d& z`;M69&u6_z?D=^CJwL=Oe<^DjvF8cNw_eU#&i8m;ko7CFUP;EtcCTi=#&X+_v}O70 zS*ybFtkiIP*q~AA>Z~`y=T~Qu|8cx)G^{_8AHJEz|1swGzJ;0OZ%6XQxA`9P#q}&V zUwj9B?{EW}Kfa6RkME)R<3@BIiTBa{Z9?ab_y7mshd3BFqw_{=!Q1d7^m{+XE%8r6 zdNsW4)BjDcLO%LA>6!WHR*tKp?2D`~vl96zl8th<|}*AeB}=`U-=WwSN=ltm3?TwvLDS?4xstU-)O#a5Y1N(q4~-`Xuk3< z#^Q&wD#CO7pN8ia$yXxTm9x!PDrs1bAz!J2<||dR6ZuLtV)K>iXueVd%~xuo`N~l^ 
zCw_ExB44ScVSnB?8@WEUvlH)g)IsZ^b@Bh|pT}jNk)23?kbI?Hh|O1sNsmsEU?%e&X=_wnU%bR(#I-P-{F)Ipa)xm-OW3CnRgX#E{#HLsM&~*GNG#$ShO~?DA=WhUd{syAw?;7;{ z4MOv~!RUD$f{v#gil*bk&~*M7IAe<@n8C`0QNakO4hj;43x(R#(5XuVlKr*>g37UcVqQwle1@Wf8~@<$)1|LzmR&xwCw507^zpx$i62TBlU`zelFaP zNWJ3T?E6{XX!3m;mSd<_Jb>0KW~23rIcUA&L9|}+5L&O8i`FaVq4kRSXuVlF*pdc|XCed2L6-*^J8Pdtg{4^N@#{?ll>zX(nD7o+L^GibX1ESl~w zLDT)EXuAI#n(jZ3ru#3T>Hdpoy8jZI?k_{r{g=^ne>s}&uRzoNSI~6-RW#jy4P)`w zvsZEchL^3>aQ={V|BdW5EH8<#*03Byy1y1p_uovW`)?7O?yp1B{kPF{e?6M+zk_q) z8^uE&tBf6R6j6`y2( znoQR*r0bud>H6nry1o@n*S|p1^)JzMeH$()`^xVnUEi+Z_hP6|e9itVM|NiKBDNg; z4O)&SX8E_--w|7GMvnLUaQq%GpAY%Kk7z#d6WgujzSxcL;m>Hg_6vSY{3}}C{0%K{ z?m^3&zw^6#M)qd^L2P*w`JTVB{|w*%SN49^Ul!S?p?qfCBXYoeBE(1XiG!>+pE!i( z6aR$IlmDan#9@}3j{X;xS7cYpN&Maj`g@PWm6LIm9Dje+oNC1W{v%c=HovLCdj9`U z&QUpu>x;xk=hPzh{2<3sJLec&fpv4d59??+|44pwY|e2xiTnmDeZqM>p3hr8u7{r2 z6VUwTL^QuS3C(Znv%UFE12n&Bn3KqFP9`?LX@urCjnVw(6g0nSg8m=rrg$qhL$A}R z*oo)7Ia;r1fz~TdL+cf%qxsAkXg<>ttxvQ<^P$!lWq)U)*ZC~;I-iYR=W{r|o{=^= zZHc|kYQ5szaNgSIvkJKmnG0tZM zI?m@tmU|!bxsZR}l#|FmZ|1lv%5KRSm6OOnk^J-4oZE5|`6q__b2OT7rl9#|Dw=Pm zq4{Pynr~*H`DP}XZ${C4Glu4ySy**)PEIyfpO%wT!gG>So|}`Gd`^&jGe4&w86){- zVNOvpM)J*KKNrpel5dX5xt-;WCXdyy97Dc&2byn=L-Wm2G~X;k^UXM#ZJ>norI~^T|1AKKUS;PdE`n}>$%U&Cy{*c#Sohh60?3;&daPfT}9R}&sjn2dJOsGD{NO$ z@oLU%thfGymF$0e9nB|KqWR=1G@pC}%_mo*`Q#d0P`1|ZC7*m#!|%nAPp%8c@pd>a zkAvkQ-FXL1cQ&xy**xDz@}u{N&5t&s`O*6!eWU)5=0_i}-2CW6^f}xd_P-_PBlhQc zKz{efIiC>weaL=3%lQ;n;MQ=xKG$%ZNPhA~&X>vj1VetZEqR<@C69AEnlA1@)5WjR z^l&HJo1c7x<|n&2kJewlB{qHh4$V)#NAr^((EQ{_JeA-56Pj=AM)QrI(R||=F+nf@T@&%T`f$@B-qIKl(ybNe^?TpdK8 zt3&8>^$+@7{fjx4X4b#sqnc}e_O4a+e+SI48zRlVHAb9Dl- z&((?Ob9EB>T-8UPs|GkH-Z0nvU{=}58uo|WKaF$G%T3%*$aB*q#6CB~tZ$ZkD(k(! 
zkoC=TTM)Y*!*g{S+f`JYo_hxCeXcM(S1r-!sulWNwML(-GtuYjEcCfL8yA$F;rZ%-K40gvU7i1VzB&^7e04&fuM5Ne$p6vj zt8<9E9_%BpyTcDLC^n8bo}=$bo}?dxCie;$ARCE zwhupm$MQR8qvOEmpzn=6h|W{{5IRroT-*|$7t)8}W%K_xeF){nhq>=8FFwM3^fTx0 z(cDD2aUrqg#>a9K<;KU+a^n*$uZvHj^VdFw$#P_9=UkMVXy06nj#qmI9k2E*I$muF zF2SYfc(v!y@oLYb-Un*y{93aK+?JQb3bIg8VIc&Ej_akD*ld0p$ zK1RoreG=Axn)?~C!+(5hsH{tJSd*fcL$Nv66=lS~+mvBG+g^t_Whs%lg<7zyBj(7SS9q)7y zTeICEbiC6)9JlYg{!8q8@`us)K>v3F1=S9jcj?~IKhS=+iW!)mR^XepHEbAJnn|Ew7 zR_ou#h3~7EcYOH1dU+?ZU6;rS8unw{IdW27{ba13w+85Yu?^ApVoyfji*1Cy7uy(p zFZLAlz1Sw``#4SU-FrEIw4-=moJ#C?qULD1tOYur=rnXZ(dm4@`O_K1n@d~fwaQE6 zdl>S))|?OP;b)@v%UNi?cQ%^uorC6kZP?y?uPvJIor~so?a=(LJ(}O0hvs)3_}=c3 z^Ybns_I#@E1$AV3;|TdbHi}%BcTsY^`d(0HmY>Y}F4!>AHLqK8y;@Ga7%it>f|gUe zqxbiv=>6RTy}vI*@9&=I{oM<_zb{Ac@80PB-3PtDuR!nbzUcjZC3>Cu;U~mb;TL!{ zdcFGN4&nj$6Anb*N4o|c4>bsVA8j!DKH3oUeYBzI`)I?^dCaaw+x@RY=QkUU{y(1U z(eXPspyPx_pyPaQ!~?7!iH=9Q2_xLUH{(%w3;JHxD0KYIt?2lh+tBehqtWpE}D-;c{d$Km9n<8boOaX9(tIGh4> z98MuR4yOnmhf|D>!zn?>;fz7Y;fzJc;oOdn!?^<;hcgZxhf|7>o67c%!@)2PZ5r;2 z&&ZpOBg<#x-NX8Wtj91OXC^uxXBIjh=U#N2*nQ}@ocqynIS-)Ya%Q9Ba^_&$i4W#I z#Qq$YgQRbB^A-?S=D6pD^liRzNZ*igIS=PO8q%FdG>pqh#E<7K4C&D0d5>YW$m4lW zvVEV4PiRQ@ko0j;-cw<_MR`w$?H1)d!*+uvF4izE$Jq4oS+t*N2|CZ+QgnRHb7;Ex zJm>wA$P0Nd5_{f}bo8aXWyx3_U-L4{yG54gtw=6M($iP+UQNbodiq*8zLj~ehvQqB z_XgW_iLBDFf8)-P)p=`@u{yuqTJ-(RH_>_R-a_ZKTZhhT_cl7O-FkFhyLZre?KZH# zdXabY-Xr$-)pU6ynjXK8rpKGm^!NibJ^m1f<7RZ6&KC6j$&b+YCqG8h>rZe#>Gh}h z1X})YT>g0;HCWoqw&wj$y^r?DZFyhj*`B#AZ#&n)bonbZT_$Gvj=Y`3rq5ra=`%6Q zzscK0Y&wm!kA9o?9p4w~|6%?2c|Rm$WV;{peqy=pqncj2JMR~k`+Yy7-$%@Te$CrU z?DzeaT)zkX-rtkkvA$BltiSU9z!~@_)+_%jZ(sO4`9FTgbFv@XmHwS~AT0ko?;p0? 
z9Y2(J5J#0CG7it1%lE|(=lzQ#%Ma&Ou>4^BKjnDH|5;A{pIdRWp3&gGadfNZdaWF1#S$;zPN%`KVCu+E_ko`2suaE8UhV{reoJRSLi5-Wd zJ5-(JA^v)F9v`47RiWf|XL}7dhe}u5XRV;IQ8M3d`AkX#Oy^ zx15fwzc&9mV%KA+&kSd~ii+#=Z(zOk84UHA5omqpMzlUN60OhNgw|(nM(Z=T;DWMI zelPWzTQ&S{kIVYXX!c(@l9HcBd@jEy741hO=J?XX@p^o0AJT(NG(Cv2-5P#h4A)~8 zzK_`)=Y(J5}%6Yv9Pw|v0Y_|Zb;=>%* z17(loFJ!w}WshpO&RBMSgn9RQPB)i6p8rICqP&lxy#FNMV>y+2l< z_s1*f{qZXM?+|${|8-*T54E3hCCj}(RuQ)&egiw>YV3|{@Jd{ZjDe!qIZz0dM?kxls@B$uoA+lT1=wi&(O zw%{B15!-veeT?33pRnBf?NjuA`wYF`K1c7jt?2#s1$w`IiQaG9xDEqLzsmob>pQe` zyK;SZXt>{y^*i&w4eP&A*6-4Azai_t%l|Q~|6W=DgO*j{xRCqpr~F@7KdtoV{N1<) ziNpPftp7Ft_pp9X{%>LZ9^-I7BJ20&{}tB%ng2&v|EF3y_%aL?5Qc$TNk#1s0H!ByIZdNI% zT98OLF{GQ-(D9~oEj4_Xzp=KFk( zk@aU5oRy4`?anSZhvk+JvC@Wn+7`6IEl9pk`6lH5A$@Jf@p-?uNALIZ*v|XC1A4!o zkKXSWp!a)6^nUMz-tQNp_xnZY`;eW{{=Y8hbut~B%ldA_Gmtp+J6%$c=y&SQ@m7>w zTF|2)k#8gYPL~z*EJ)~5bbxm2JLqmg!VfPM*E$Hp#4rm(SE04Xus37Xus2S7>f@t zxPj|GyzF`n*B|M38c{HksyRIhb8E9I0hG#jrDsuzS}h%U*h}6h2!!2iNpP0hTi{i zw0wS~A9pG@AG*ddVKez&*cN?b2%G*9_O&V`Rs#e zKKl^o&3tw)vCro`G@qT1=CcdXeD+~J@9%wt*ynVxo&AY|*V*3R zhg`R(LhN-T=JzftSj>8VFS7obf@g_ckKwv5VY`Zor3KF=uPcV@`aF7FUqG+xi|BQI z3B9h%(Chj#E+|{>_i|lVXgGfu%B8P{<9IC`m&d{KaQ;@J=g;f9x%7>K)yeaW;XJQN zZnrkM-J9rnehWR%>(KN3Hrsoi*Q4k8o#c7mK-)1ZNzReft`!-*q z@7ruc-?#Y+ecxs~R-OEH!49lG?dyUcIgdHzI}5%^o=4<;n_UIpCS&A%o9_y~PsYgm zHb3~eaNd#kZGI~FndOZp@7Ay!!}~VBpzquKioS328=8LZLEpFe9ev+sFZ#aCAL#ow zf1>Z({Dr=6vk!gWWnd%o4?WbZ4RR8@gX!l{s&Eu|3%Z|!)SW^ADSLlpy_d> zFp(ZtLet~QXnI@)O^>Uh>2WnQJ+6+X$2HLOxF(t&ABCpJN2BR+Ei^qo24nHsg>?%} zkLzeSKS+9fY~k@NFNq(gVL68MxE`7wpHP@ck542vJw6FdkL#o9aRW3xZisW@Cl@Bt z<3<|xhv9iXr7-b4H^BpxTbttlJ=doeb}URh*T{3*BE&wo#5~uh7oNd-pC@E}%feQ~ zuE+3Pw`RMFiZct(V!i1#hUfZh^tnCzL4)dhwnX-Zg=K$rrTZ6bh|5`H{I@rrrQ^@+;sbru;1>5 zm$DzzHRSj9D7=i=??FD_tFUL-U$4R|!gah{!|`FIyGS?tU>fJucynpr!Yd0C={Sb; zrC;)RuSy>8)oA+CA5C8dpy|s%wl{sb22EcE@w-gN2NRpV3_;VEp=kOt3{79IMbnq- z(DY?En!a40JTEs8J3rY79FI3*KF3S?LwWG#!kY>$zujCoisLZ9xdlD1#4NwHa5S;U zdmDPZ#4JxKOeOZXk@8?#VLJQuIFa=kg_+41*)CdWxzF+-hW7}v3L}lL<9M=h1m@sP 
zn2Wbz9;RbHW?=#T?|7^t_G^1kG0S}qp#+=Lt}_OGe_<^8{=)6(`wMrV?;(ss-$N)x z`{m2fcA_}?{$)81=KIE@$9E@sd=t>)n}{CYUFh*mLXYom^u5i==z9iJFrVd9(RQh6 zXn+57bR5_W9Dw)WV4R7L1Dl06yP3#@{5IdJnt<&hNj<-qv`h( zX!`vmntnfprr%Ga>GvWu{a%cw-_M}w_p@mFy#!6am!j$Sb7=bgJo+B#3uwOfBATzg zgyw6@(0uJ>G+$ee=4&g^eC-viI{CH2SF!rE*9za{In615y>MmnIYsidRfTUPV;cQ6e%p!1f$i_TmA9-hW^--s>o zeLNdC;koz$cEAs@6K=*XxCQU#{`m-*o*ixbUy6Qu@CW9bUy1Z z(D`z{#H}31HgrDnuh99(x1;m$?7)6}?rU_uot@~s)q%$!k^J`gTJ8T1%E}y3;u?V7uzy24^uMea7^?zu7U4iD;k)lL?T?x&v zD`PBPrKnnw`E^wd*B!~Ps~6Q|c}cv6hUFOY>!Z;8`skuWeqD>${Q4L)zpjnu*LBeR zx-QO%A6t~juaDEPKfJR}gnYgz;R!{NYP)%UPb99LTz(AJC$5DJ@Mvs^XXD9iUyJM4 z2#>|aSPxIZlduUk#HQF7n_)9NQch@Ilqe^(K+6fI;XimfM%eBQbYAL~_wPb$JNs`Q zxirM~-?`j&?#se)_6)zrzblL#E%fG=WTE@9)e4WhvIj9ei;6S*M`qsS2Ucs zChOJne0?&$0S~a<2wcJP8}UsXiJR~y+=@5jw|EQwileZ@oy*4EijLd74SkAUH{*>&2*Mq{>nhhUzy?fX#YpcU$GEp73H$t^Pe5ge@=)!|3{YRh2{B0 z1#IVX9m{bQqT^MHu#~tM$72avt{H=cI2L`+`gXLucL(2FDKf68lf znTx*9GY@^AXFmEq&jPf(_%K>td;~2oK8oJY3;F&!<&PCT5$@;5HJpF7-R(*AetrtQ zpP$Ara1nZ6FGlarXVCleS@ix}g5H-)(fjl{^u3nn(f3+jz&b2{5q)3$CA6J=8T!7) z%XljBay%PXU`KofFU41}AHIe|@OAY4^Ofj(DXVZK%ilon>(ywx{hH)?U5ia4Zx+49 za_=`Cz~|QCFnk-GPk249^?NxMdBmvx1Se%R%H45^P(^KUhku==zT=Y z@-K_NBKCgThTc!aEZ<(VgV_5DDX)KBw3F}gK0?-iQ?x4?Binsj^c~ABuj{MRzb~TP zPC6aR@8Lf9k?n17{RwSv-HoQhaa*Eyq_w-zTn)TjDi}IX=nlL3+oG7Ow{l_QzJrn9C z&QB=U*Dp?#>l?7XqO4)@$;s`Ja($!X#>I*4G5r6VQ?NSU(*$Qw&TEQ=9A7i^|Aw53 z_p-b>E~0$a0{wqBr=kA`<#e=sc?MdZYl)UGTcPF4)@b?iOf18*(El@YHr`2m4m$5* z8?=1e7A@bNi_?hPq2=iIcrWpJXnmjqS|2zctq)v))(1MG^?^=kec(d0K5!9QALxu# zCwDFGg4L&WE$&%teV|+M#l?y1h13TwDej((k@~=;#XXWSQXja?&xPxY)CYPM_hxyc z$(L(bj-fu#2dyVvf!34yqV=RJ(Rxxpw4QVoT2Hzftta(I>q!I9deT6&o^%abPa1^Q zlLn*pq#@}1nM1LF=VBN-f9ADledIc{JU<*Q=U{bFBpN&qj@7bkLE~p9?hH3 zc{FcE=h3_cokw#NI*;b9=scRYq4Q{t#?Lt4DQJB$6~E>C({MJ|FCDEfWT5qhOtico zMa%m!w7j2%miM#K@_r6l-p@tL`*~=2KOZgc7og?+LbSYJgqHV<(ei!?THYUnmiNb^ z<^9{y^8OuY``kFRykCm3cv*2d*L8SVT*Gxm&hPl*2`n#(->G3ahVuSIw7h>;aiY9G ziP-Y~-Dr7#GFslBf|mEE;+*)jkZ#N>oBqG)Mkw#!TbwBG&n!-q_h%7X-go&icpqBc 
zzaK5{n@%{d$n4@scu#%~&gD8hh`t~H5Wa?U(Q-Q5Q|_5xyqxsGau1S@KOADq+r;7j zDm+^3b_`=3$aaqxKSAtv7}EPE*{-7Esp6+uZ@C;p`o9P*moG-k<SpA z&A)cDzEb4p;$JvE?=vL+wfHw;uN$)e-;4L)3jBlP9$vOr!|@>HIAB~oyYoYIPAA`QXT^lXu)}rep zUN2<*`6U-5V`RIIC7oDqxm43jFD&WIa=-5)^!td}PnVKQi2c5<$@SgP@4Yy=9qV}y zp?gV>@Ov-S@cWV9)3f9#-kh z#DU>+S1X_EuY7KRhUXsn-a#eTU^^TZwjZo)KSbGnsD|y4-+67x4Pm?MlzBjk6*N}|{fbHnyo%Jw-W*bVY{)$VLJ@@)*Wa)WgMC>m6lYBRE>ncP+y6cSYIhGAzcjb zp<<|?VBMxEwEvex>NZ2-P*1t5BvCJ!g#LfryRkD)#*1+Z_Q0uV`~5U@oZxhHoZt-n z2Jb=ZH8atA%`9|Wh(kE8t*PoVu2Pon)4Poe!3PvdR42>qRl zF&m#j-?M!d?O$1f)}xl9<1(K^$7Mc`*0Wwf$7Q~V)A1#AT;?)#T;|K@xXk6~xXcyk zxXf43ahb28<1$~vrT98}zE`5>dlfn^^9^)d=4xDvYw&Gci;l~D6W_}5t&)+HOM7R$_J@*HmEBl##D}vfS~azoF#>pPza0-%IxXKkB{%POhrn|7KT|i~>>>qY#Qnapw{c1VPMZHwg;~ zS+WUT*V&o7yW>t{$|jp^Nul@Ndk;Mz9Ymye5ub|fDR#y3?D~B2|9*ex+;;Bl?9OE2 z|K9M~e7X0Yd+w>f^K0jKRwy|a2s!tUEB>VAT%ep2{O1*xoD=*PU<~=-J&`;9wnE7r ze+T{*`TYY(JJ&yv&)cj2d&R$WzCg&s|Fh!XI$xm3m2U$nS6VBTTsaL$xv~jJxw08Z zx$-?g%9R@dDObK1_@2`@Uim)Yd(YZ<> z4TM~|8Q+uk1VXOdeC3w7KjZW*h;kn&a^+S)%9UFKDOYX-q+IzSAmz#r11VQ-3#456 z5g_Ht89>UF9|cmb{1}jO<#s^ImD>X;SIz`duG|4g`Ef@eMqrguAzXsd~_%v`|AoUWTUTK}Q3&!Jqxc(-t_XoZK{0xxi?H&N6JbECIdWg>g z-vS;4`~&cFz`p`#18Mha1x|yUItREBuniakwgWc>&IQsQIuAGlI3Gy+*ug;B$2x$! 
z0S^K4T-`%~djS^!d9Ln4AkWo33`qOfA|UN!oj~eS4hPacwirnJSl3E5?w8=2=kG2B z^8DQ+fINTqNFdMOJqpP4caH{+0gnOFE_W=DcDdt#JdgMDK%U3@1t8_|ZXnO&{UVU( z@g{&*p3$>1g>iWO8A+myL!jt`93ao*?FHTo>;uyN*bjUhm8$n$uQ2U5RO1oAxI5|HQdmVrEvw*sUdY7oftc$Wcr4)1ax z&*2>cZUbBaq#bf4kb06~AoV08Km2;6*^53w$x~D&QqRo(p^_kmmwl2IRTGmjih& z@D)Jn_pSs!47>{X72wrCo(p^p=F!fWN7v%|Ra{>O{3h^v;CF#H0DlO)5%?zXCg9J3 zHv_4^y9G$S-a6pmn%h?13f%6@+g9GbQmtn|(3Lw^-T~b4%sW@!rSAjLPLHm<8+bHu zJ#Y!|9$+W%Uf`j?F9YWR?*q01?*|?Td;qvF@Il~Sz=wcw;KRV(fsX(`0enn<4=CrT zdnfYeKU4M@GzlR)aFo&r)Y^)!%rsb_%HOFavuUg|j@^-|9R zsh4^INWIjHKgz!2rCtM4FZB%|^-`|`^J~7j@>`gX z$FBYlqRdAi+WFfn-@yG9YraF2`#{l4eHTc*)b~I?P6mD-*VIe>07$*m4}sK6{U?xm zsUHC^UGw9WT<6bU{U%ZJ1Bzbirz@=!cf$Di&ZxTnxxW6zN~NdzC9bKb!gJ9_{d%R+ zL;VIwJMmjU#)0@PkZ~Y>2V@+G-vjRi{sFii_+LQAf%qekaUlK#r2gv9K*oXi3y^Uj z{t9Fqh`#};=lVO)w?qGPr9G_l4nXLw{w3GcTj6@zXCTM_d!>?--v)jka6YKEM}%`vPAEej4~Xa6jO8 zf%^l01pEx}m%syn)Xy9U{58J+S>T_52Lb;D{2Y+y@y-Tr3Ty@LjPWrCxCgLJ>d`(t z7uT)0CUX4D)7SHXd*S+E;EyqnI?zrttwV+n#WnkhIDqF1fV7)01k%2D81U&6I)@hl zb896(!4IE=52*M6SYGQNQ5hs1EV)GsmoMc_ubPU5|elY5A=zZBz9w>?>={7rlRXp2eX?f(xli_NAot0h1LQv0bAjCFeID8$`~Qaj zC3?0Ci0HQqiK15m$~^myl;e`&%kduR#HINDj@D&z&3d`_uaNs!4qt_IyicT__i7;Z zyw?DEUevXcAJ%^$^}W~QKF@c$0Z6&+MtOeI@Xfd;y>amtTvIQ+4tO%~R^VyC+a&$% z!*}AE^ydyB>5qGTm%hGR(ybr97uTdm_W((c-0Lsv>-&HYuYO?oe&B<^2hmQHmw`C1 z>fzysfIkO5qVEHxogS6^9~=G(u1VKid|d8-b@*#&pB=0xh|)gl`pMy^^feIU>FMET za7}vW;0U5y=m5K!{0!; zsV@iO`t{*&;+pFZ5cU4n@P7aw1ft);4}6;_^BE}m<2QiRAAc7}{qgsJ)E|Ez^`rj# z2e^K1)endNbJ+R__tgPKul^%^hjjSIK+@qifz+4&1V}yUPl43S{tW4_HIV)%zX4J&{uYpW@!tZe7yliQbpH21()m9CN$39yNIL&VAnE*{ zfTZ((29nPI1xPyoS0L&9-+-j^e+P1Y{sZ_sT>lfu{h0p^v_Mb(1)L82AK(_ie*<|g z^4mbtduv3|`)NSZ^Clqad^3=A={-Qv{{tCE<-I`C`}d8I-fuiI9oL*!MAG{humXHP zkp3SZ0Mh?s6CnLRHU-lEV>2NAKRyVg|HtM)(!VW$PoJ>W$d*D0A9D!WZ#(PIkp;MBKM)x|W+D2K>-J$l#*bNq z`-~sc3FJC{IFRf3V&JdWEE(wnrq(VQS&Hqa%Q{D;){sxI79-`_j=s+Lw+2 z(!O*okoKkHfPY!@g^|w#zqs}bBi+dFAIJ|V@n*gVWW1RKknv`EfQ&bj1Tx-C3dndf z4v_I?dV!2L(+9Lq?jK1bKgOE@g75g!NEX-RI|fF`cVu`ibP9-gGr5t%2Y+_%vw1z 
zjQebVBKejPAnj3P6yt@B4N z(9el)oqXTeg~0y;UIgU)x){j$bqSF3>rx=c!(~9ysmqZM=kpb~=6Jah$Z>KNkmKZP zAjioyK#r4Zfe)T^-N^N5N3N?tynn;Ujrtmh{BIh$SziN@-z_8S^feIq-a2xdz6K)y z+ehxu*Fb#d&XK$HH4yyH-6Qwldi%BO1^HcE<2=HLNA3lF`qYOZTU(`&$;kp3G$#z%S`$oNR#1adw94LBj456 zM8-+_9`0{reShQ!`aTeR?GH!(Q(qIgZvIH-)te(fmU;E&$WM`OE9)mj$)DF-SU(&2 zxxOYcPSP)cjFa?BAjkc$fQ*;)YarM4-vGI;zXjyF{#zj9CH)S_cuBuUzFS&<82K+; zvmQj!$v**T8qaT##n~iQN&o|?>*g1iCzWL}@@_ftDE#&!@ycWA9 zP~snK4P^X-ZE%0O^`X%Zyeh&BPH$XfT zI9t+T{Ra-Lnlsvl^yKe=5^t(qp3fVd3p{kyywMIk|Mi-KN9O}mYY*nNtj|Eaf5_+p zT(kU#0$F}s4-B{9XEO`a2D{3^4{l(vMzr?-s|SIv_BB1)F|A6qTzAQMe;I|<0 zd&I9A^Gy5$T)Z0XOh18ZMwOqywZLzzxsLCHeq0~SN9?^fqJ3!Zy$R*;?YFm#t{YYM zTOjPWxAHylQwEA%_V!WOaX=UD!1K3P-#L1hP7j1#_U_U3qbfa6^ziopsfWK8NIm?Q zfz-p_2c#bUejxSm4*;o$e-KDL{6j$M;U5N45B~^|diY0y)Wbgpq#ph&K)pja^bK6U--7%Pq<<*;nf{^Q9}Viqe>nPQv^(_-K+yjm$u;ReuEAfwIrjO~MhhG7y_x?4Idhg!=xjwuF`Ww-Tpi}4T6XKP>w%IxmXT77kc^^AnEB}@qQET{|!j~P^80V1t1sjFKWbrIAGzw^L_B|+DC;{A>+iI&_u%&| zSf0Oc?7i~*eY}?S8z}4DbRgHe80O=}tKZM|NBurPl==Zh&$cO$`nS!1)W3ZY?=_(v zHwRMhwgv8Uer<{CY1UR_TjTreFCebB8T$~f*)Bl5zwOwECBJRQX5f3ruKoy7z6XT9 z=c8jE8&moopy+$H!~0yHwg<93X9Bq{?EvI@v?Gw~=}t&beb3H7%HtnLeJM}uf@`j? 
zp8!(tvn!B#pWT4e`|J*6|Lg%||9leoejxX;EM65Kn}u>7xymM@oO=?bpMZG2*VsPt zd~YJ2e~Kvm1jO@w$M%=!pC;n@enjEJfas^sjC~f*&sufh*a5&NfVh@^1mgKYW3BRh z_Som-`D|WGKLYW5&e&Xe-aghQ&)az|d>Bypuz5i8Ve@f+x^?ha2d>G75y^)g0z7>6 zp<@g2{;{hU5T!qWXure8I_3T%qTB~!o*h267~khS1Ij$>LVv&g_L8xsc+PnSlzDap zkbKyYK=NTn0Xff(26CPq1LQnA7Vnb}I}XTk`FY%5f%{(oG7eQYka4KK2xJ_p1n^{F z50G)FlE5=oJ7X!}ZNNU1`~20tL@75A0!;@66Z$@Fw7W@;n=y2OplX zsxX!Z-!}_bM7=p4j|Xx*;u`l$V-;L;T$X_xm$=6L!Leny=J*6+U0pslgzs=X0`YtW z*Fm`kV!RBGjp6%8t{Nete4|7eZ$PZiYsOXqp9QW4z63l;-djt=dnXX_-ibsRhd`A7 zl(Cb6vw&wv`csKWe;N_#PbW%xAj)~>*twGKEF#jKO+>nLh%$bG$nU(dizMCoM5Mcb zh;$bcB^{q5{@>VTc#imgW0wFC|Bu%)&Vi`cm1CC!p9Nk4d{j-Yn^FAR_%uV>e3rn|LkhfvDFlW4BAXbws4QZR}P_cN?!|-T;x` z9qfOU`%W1TXRW$>>@G=nH?JifP{#c|K>BCi3*@-IZ%nTWSRFQ!<>8)HH>^5;)$ppq zs^eCDX?0@tuU5rZ|9JHeSHH3P_p5)pdh<2!U31TxmbIIo`obx9o^tUi^S^$<>J>m)?Atb@_gmufP1#%SSKo zx%@kqZ*s-nSG;+}b64DZ#T8eaaK(%(JFZ-C)!tWaf7SG>{&?lrue|@t%dYIZYW-C| zzN&c57q6Lp&5qYhzvg#Wf8*-+U48L2qt|@k+H0O)eXra8y7yi8qidhP_RH6< zzV3?a{`0!cuD|U1zU!a7{@@$-yW!W@Uw*^AH@yGGmK(Rd@yj<}d}H@b2i~;t&A+|r zrkmE?eBR9~Z|=YO#TL#t=nVW+I2r% z_td(p*L~>LzFRwQ-S^g=Z(Vomb+_Jg>(6d|;?~@4$J}=2ZExQ8ncH{0z2o-7Z$JI^ zw{Cy=_S7AR-qCaCqC5A$^BZ?OcE=5OoOQ=ZcYgP-r|-Jvu2pxn-?htK)9?D}o!8%a z=H2DHFSz@ayYIXE6YIaQe%bn0)^B^ymiKIO&)?Voa{V6n?0wJCU$*c2?tQ<$uYCUw z_iuK8)BX3|-}S)W5B&B18y>j)fpZ^ddGG@d{qDil4>}K?{?HE|+WFy)AHL?{rH`ER zNcxfIA9>@EeIMKWv41{#)1!q)cYgGPk6!%PA0K<;D@Q&4^yBLuKkxBBKEB^qZ~p4x zPt1Mdz$f;4;;|>zJ#p3(TYv4?uWkQi^OMt_`sb5>dh)F&fA-{FPxU@^%~QiqedOui zKlOvBUV7@Dr)EDr@bqO*fAX14p83VouRZd^FCPEm3oqXFV(g_$ zUmAU>@1^}-+U})iUpnaJtzId*}`6+9Se|HY2bNell5J~xK&RE+v*-eF}VpF03OG5DBlt9Ncpz5k~;s-zXSQ(N23Y0wswmhX<6IjJAQSI ze(NjdD+N^$wo4$L(QlHl#FVS}587o#1Lf{&>X&|Xno>sJ%}3AXn=0ri>BTQvD0;14 zw5%`ba-`mca&X)nufI3&j(^YY)4eBib`N}af`0L*A9`pe%jv(6D^-e_l2a;yWU2|S zDaMZBbfx}8F`es+C(<}$GhYx=ASp@zHraXQ!HX8o9kGu}=2Om`N;*^SEap>{WEsaV z;rTSX-5GQ;c@p^9%-1dy(}Rh!V-F^Z_QFIi(dVRQb{3spr|9I8PRY*ZdqBSJ`20-1 zCy@y}i5D{IQW;r%4u4ziymH>+MTafvUfMNxaknahCP{YSom$zDjpMI*WzBwDh;f<2 
zUmwUss%d6ZC&r`G)Qdl24#dO}%9F(??Ex(!IZ@QfATiVJj1_Y%&>hm8G>Ox096r{@ z_?u=|N<}-9?!o`7cH=dh-myL`&x7rj>aok|tg|AY<3QL2e_PjRj|KU@lD(+l0~BfNnwr7rLsd{62LOVvuYd!7ZrSKY)Za|GWMqXDn%^g`COrx7v{kIlHC@3 zijk|Hc2;^a>10Q)H;*D%ck&;MlUr(y6Zb7v|?9SvE5a9tu266#>Is5r!A4}$3*nIY@tla`A(^v$dtWlXtg8%$<9MRvz|&O zV4D0=TOZeO( zc&dE%1Ku@88*lI$Kc64Yq3*%!6;2T&jQ!-(Mb5kadI(cyCb~*>jkVtY; zwZ&6CEz1%a@{fKyC-FiGFQAX*4a@p;Bl&(QUn%AiXf-KX-R0tY;#7l`@rzM*obg*D29f&Z(-_}Z3a&l6>eM0$Fkz3OFfpod0g3;5G%%q)M8Gt2% zW#LcwhgQmPig3)sdftKI(nm3EDc)+6mqac>^5zd=-jP#JU@aYJY5}dwgD#e2xH3P= z9r!g*N4iB#txYZZ$(H*5CNgj5f#Y8&&&U_y*ZgtZ@57p1ZfZGT&;47ENvyE9v0~G$ zrWSjq)s*CnF2x`mQ9iPi%!%HN=kn!rZ#pUKMRyXlb14p{27k@FA>V-LfU@_4^i!

ZJ_>ZuVyBQVmfMPnQh&TFovlE?bmU5^<#$kjBG)JKaZ!3j(JB9N zm43-$%(Z0l`GHCyp2;T@nU-84>jc`*-pKmP+tbNk@Hb&U2lML_c1&fcULQB#?f5)U zP!R;<;BC@aP~%yS8_B_tH@7fSLZhi!V2PYi?KwoO9OWj;5w)Ig8h&0*>Iq=93n*o&QXmbB zCkq(Wsjb5ACHne`P9KPxZg$Ja7cHrt82Yma!?16txZ}|~d~bNQA5rSxcu&- zT)P9pkXr1Nz=2XR(F(d-?o1?cP`LV$Ui#VRQ^gh%VleLdM}9n#ujHbVgyjyuv&EQV0brW3h%r6-L#mxp{M5EA0Y`ugeJcK6@&2qQ*T z9^uNu`aewn>S}rEkBDBuUPv{vh?Fx!-vxPz4=ibG>rzWdXFo(0)h-+_Uc1TbxPc%0 z(=T^oP+Ck4c^R@Chu(W`KenO6(@Mgjo+OZg(tm*rgFeD|Pcx|~K!af<>eu$?O=c%?f6hmNXQ(#`1!f7hot1QU;iKdi2td)H$c%vWh zLCqbj7$W~QR_tOe@>8yG>(8Q-F1y#N8|*+Ut9e`Pc{^lnzRz{oc;4RDu~7QixG%lb z3OQ}4lrDwFy*$C!v-zU#2C*9%@3%WWl|J%~#(gPoR~hD?Y{@NF6@8eR6f(7t$07I& zk3(-nmu%+Z+A#dV1ZGNRd&*M`NoH!clg@bMa>rFG$QV}fIT&7~0|jvLz4>Ccg>pog zJX)=IUca8C0DY^IDh=h5u9D=ShVmibN%gI-X=!gLA2d+D1>_B?o4!&YH_K{kD8IuJ zx%^^TyNg3AyIII5Ea&n5&Tqh^<-eFF8S-v>XRfcFs_TH_b-QrZ2I^D2*H$;I-O!RErt$Ocyjf^_rR-U(mkoh=5Iob+XI2AHyhuspAIP6 zhVJm@Tx0nZoh(%DkoLTM8k@Inf3yEoR*kifn-7{<&*K9dYM<5=hNhbZa(^?t?98P zmYuhn7APTVx}CLRy-<5M9V|?jg9~t20ei`rR_p}dUNRqro0#5}M8Hti3nhT1v)~|; zWE<@x6PZjQA>J(Y*(rTiglaA-+WjHj*m_MyXJNWe*}eSCP{%Leum1k5VzO|~*DkHT&~)c$P{)6vcQj;#OnTRe@&a73WB#Lz0L`4eI#|y3489sg78-<+YcuFRu zl~qS@e&N^LHFfREb_D$wHJNpq&i{m(?U$RP_VYg-ZmZQ+Y`JPH>Q^G|r1|FgPF^cK zN_M%gl1{~86;b84ZqoI*re-}(o2VY`DAyncCLL22CqhT7tSU(UtWNp7&&j8(F1%Mi zJrHAMykn8#qvsbBg?@;B^Ag!~M$4Tcy6VzNU3jdb&OFHViL%c(Q{JEE)v`S;1{bK@ zTsu1TR1vxpO(t^l_;PEPn9U#w`ra!6f?Z6c(s^B^c@4G8!bIWFbU7||d?;>QVvoE! 
z8p==jy+o4sC|LS3^vK;HzCN2MCi89cej3pSv9Ab6PbSR9O9>!%NMv-vNj16;h{GL6aU z(X0+=s9b57?p0Y1Zs>hQkQ2Fb+_f&dU4Cdo`E}$9mGVM3B}Xb)kN>bgPY0YK!)5U; zlncM+pV#EqzCNY=+F@YwbKuzMCmQuarp!VMv)$yTYZuLj+9N^pQyd&0{i}MAPo{b< z^ot5DbT~YZpTLGSjE*RSS9tTY*!wn}9 z)Hl#yC^Fw7^w#ail2w)OJ5+bGP2F+E8j-)iyo-D~%lKo!iHJo2p!AT5sfms)EDwtnmd~_<|=D~S8o;>c;pWytm;q!*A zf3knjXAG;_`=CyA?Y%R#UeR8v9WQJ+UWuO!XxSjn)zglxM=AyFKCCSM_c8kWQ3u3O1sU6NAE5wrH((}v?eZOFP@ z;e6dfr{ZoZ+SewRFYIzlJKDqh6aD<$|I?qfex?4W`6o5k+m|O=Z>#uYOvh@dw*pRw zwq%JY^Qg${g5D%AORbH~7hTxEu^6hrIY{0oy1j{fIlk)pay$lQi~SfhaQBO9#rNk} zZ!ESyvSQ!XDi-qflNh%F`?9uB)8U7UBV_v^N7~r>#qFiEbNI4NWAs_*sv7iKGw|79 z{T9+(qz&Gt{ac=C#Z0_(JfwKnWG5qH1M{H?Pkxjiz4orZJf2C9^s4cEl)w07-VfE= z(_1NjrvTd&By91$CThR>^Qqo`_2*N){p!xgvgjY+wV(TbKne)74cLW*(pkBjCEle! zuDQ?IZc`d<*KU9$k}g7@tEAfnX}$8OaV36Dw9sK2M@}}Hxr-Ij(r)3UcgwH&*tUKr zIZ()BX8SLM{H@&dP}@M?f}E7!Z={@fj%^qP@+ejO#JUo_nDO$qWpSL<&mRbn86-aq z=A$a&*S1l+pYN9J=G7PRfFzDZt2uGo@SH5knJWi^IXu1ub%5y?nbs-e{i?+G%@@XsfsBaf}TG#9Gn)O;YQN6-^N*4rsGAZ0_lm}Nb zIbYH%+*(~?+2^BTsD&Ln7u)~O4OZt=g9kxf?)9r<%|?CdpZ~r-$CWkK>vp-VX1iQy zwhL7lNpNIYXeAi%VRAJ;Mb{h}5AM0;u29B_z`injt+sBh4z|I7(FV6zv8#0(d{>wI zn>EY*6|>x?$+!#sH;AHe6M3s5>xuRhym}@`1g)3>`$}6r7*& zY%;U|P7Z}%#t!qip>7plFvgsPLzbTiCQU#hHaUpRuoB5f2Un;R(SI|!)49X8(m&IHx&IgduOT#fPjLH{N-bGJZVzP;1; zE&U@u0{Z<{&2jUsiN;M`_G(wJS)I_kOTqa1&uYVR35Faa$b=?rL<{;WD+bw&I!5lJ zittnO;I7@N97(oht4KVD5{&zHFP^|Xd?>YJ@I8|cT+(03_T&<2?A7KzJ1>7TT^IO8 zdmgMJt(l%mHt?2;?=kLs3!O6f1aa)&4fz}6%jZYs|4Ld);I3{<_UTMAJ>4iR`UOlf zy~p$871{qkx%ZgbvbMvYm)_-j5pD!}F4wVK(w!v#TFt9!j?*tq-8hYmoe?Wm_6d*d zmkRAG<9=?s6_!&h>fZQ^)GMOL_Epoa)^Xcv?{#)AQB7jWeqA$Pes5;A_mny^w9kn8 zBJ+L7MMkiQfWJG^^GCf|UGLc)UGS8jlh6t$`kzJK_Z4Z85AHST^h(K3-+Xv*%D#2) zJLbF#%rwedUOIQ&sdm7VaoSV2Q&%og0J#?v;CCdo)%=Z`u^Yj_pbeBH&L*YYOwX!=?!B=Tq%3{|5IJdF}2#59}-21bKv?s|MzL3*T4! zpeX4u#ccd-QzL$kA=)U(2K&yc`P0{*kLw2?_NQ+=pRhlDBl%!R2e=XC4>Z|)YHb&F zGo}7;vibSbJn9eoY2-7J9I87j%GBUp%Io!)qqhCM{`>-?OE(bhR`utTr2Me(s`whl5K=NdIQx? 
zHPVR{SuZf;iz4H70fTc%_zx8q#3|Zs^Yl)&ZoGgW^~sU<0>dVt&s2&Vum6=34)?cB z^8JvLR)~)qul{~ZAPNvmJI;Eq+b!50wr-ath#NsCclUkak3{VSV?5J1fuJ$SpZZE` zF&qHe^I6z9!VmFiQ$Ful#J0$ACmr_o@{ZbvuJ5}%5%0_Q^nH49IjL}#n=_I7ywZ~u z4<|4g5|<|Y9kL#w@2l^~Z54mP&Byo-Q+$jsyN;@&;OnXMVrPH2G?qm^&yw~zq;u~4 zcEr;Qr}>D=r>jz=_mngPrNz7(cV~;x^DadFS)A_cFT3ra-(v%Zzf8X%{F?Uxzv3z| z94Ipu!Zg;7znS(YEm5+}WN?Gstk_IZv@m#MIR<8(di8+AhrhuUrb9?IFdr&Dz=$(K z2a-7dQIQ_FTU55jri9aXZz5}{m%m`-+`zKZfByaXU0rSHV@t&;^6!IoiYpgGiOB!y zxF9NCt)EWs8H>dAN%m^)$ zkHlLD#c^a7^iK}tlR(S`6i5eS!6S|zzdC$|a87X*$%(J-P~$m5&Pe!1renRv%g6I8 zMj9E{enNK}Z8x(*Xeb14VQxyEn?$l`KdWuIiZ1vWR7ykHLOGvx!@tPB^FV>U$0D!$ z@44HHQy*lZ{QKo%r6d9x<^RBaq{yl;QM!rQe$}5RD}_9~1%^~Y$~A#>RUE#tKauX= zx_x$@IK3N6nJGn%oFMM+lTV znBGmo6rz_2q^sazFlbXKaF`}b;?rx?v*vpxNYkkb8VBE#^#wb%VgG>?Pbpu;kCO4K z?yEM#TF{AbJTmWt_va3Rtni5x-=x1jy~~pZl+t|?rCG19e)}du!~t1RP7AaH6#WQ# zg1xj1SmyLsdMFJIfg5RCOBiH_Ab6oT_--|6jHN<>o;B{fEJHD&CdI%?ABKyxm+GL30YmI?$KR zx*MMPfe2mp^pviHkV}_^PGQ~O9_xNJ{b^bh_HMMh$hs)oV_~nJo9)5ALd3jUAfXVQ zl)(?U=^Qs5MsvkX>iJIfpQ<#d1#wUI)rbF>ozdjS;mvv*skKY8GPG93gU~^#&6cCn+sNT6K7bO?7xQvwpYje?|+^($Y_kfD!vfcPwzsxU`04qfY+dJ9i$Cgm4I-xm1JZ@gyuc*;qXll{y153&~d z(x)d_L1Y4BU>C&2W@h;N{&Sa!(0q?UFa30sp8AXVT)t9bRwDoU-;=$Qyl==M6sZtz zvBbF$59~`d`Rn9hw$z0wXwrc`tT7Ij6cry0`3t||e^)l}@wW`6Gdc&;SN zx=Htg^pLV*rPPxsx`UJ7iQ~`zeD&nzp^W2(mXpT9I|hAgYh4VH*eSBkvUVHou5=`! 
z5~wBKkaH?&axILST`7uZxXTEPAI}q%*>xrsX&59e5YN*nhezpC*nCt-EBi3p!H_GI zbG_meyU6;ginXK{buqQF*997mJhIy9BA(stPKFAGp-z!pyhg!$2A}P}=WRc1>19m+ zmPD}!E}KPzPWb5&QI%9p2)!SU+T@q~^!?a29q4$2KBx0|E=*8Kw$Pe+x+$p$OS2wfV4iY>T}j1!oLRI=W}6uq5n}T zI+oL*(|&raf21W^+%@CjM$<{)%E)-}(}Bz>S5if9jdt|Yaaa|7ImQ^r!F1UKlwJm( z=0De=_f^|Q#*d#)Tu0HM5cJYuObq>90l{SvZCLp?qPdz69Y-!nz=?=1Mk=;AUB?)s zTb&x@G%d$90}16N?g38^DC&saGua7#e+I_W;T5OilX9b;;SDwej#B`yj%$z@)_k&bkp6Z=L-O)-eA0Rah|R~*>)x?AL-|%igoW;Lh6G%6a03C<%dx+!43|T;>(;K zZs(Q@xBLeGg@X&=d)|w4F#2)w7_u_tab$s0S};W1_l?4Cr!=E7^h4>~N z^;Oat^sj3U%^$%jCaKiE{y_b(iHQp}rXQSEV9Uyt5DPS4jL(N~ODf>9ebw~_sHE%A z@Bgo=nNc2}AHb?1Q8;yZ40=51`U+}&Xv&b2Xb;FiLji|DrFSsqSD5~gUTD*Rv}43? zi3+h)epwE3fYyw?PnWBD`Yd$Ei=9$|Y=G(?qn@r6g&Z*26~S6`euh3C=}N^Uo*Dgr z804D8Iw*2#(4DuLF)GmIY|N-@{#eL z>lot2y)^3SKBv?xIUD>9R1_-UqoD^3=r2@(jPI&>O@qIBY|3wK(2Fuaoyi|ko8SeU zqu*L!zD^vtjp^|-+B@igBG2h> z6v!8W$KZ<&ypmO=?xl+VXnz{57+` zTZ4QBvoyxFtiM(6V?9{f!TZL%B>(40j(q+B{^Pexw#;k%40=)U!rw#SpnU7n3uF9M z(KCV3*MWeTuQ3le&Q)L-KE%)HKe`Ht#?F{u0nZHeo+1C34n*es;(|(c&s?{v1+g@MqESu46MAd`5V~IZ9+a4{vbCbECaNd^{^;jMr3xH}NytF|eUlJvZ7( z${$d_o8!{o$fjPG^ZWwy1oP`q+4*Ozmuf>E-Z93b=>TQc6Z!cY-uTI#`Hw#@N%s{k zFgJ`b9ezf?dE?WdV`|;;Hbhuvy|gti(w+fDpZebW0j=pGSg~H5<78Qdf)5_| zJXyw#tsQrE;{7e$c9XQRlSsCrq>bGtYpmFixW>vj3Gz{@eEM8u?O-A2V;13qV@do7 zBoRJ-{PM&1CQyDj>4tXu$oV4rWWdiLv-V1Az|b}gTuwQ? z`Bb`hNIS$C@A0`PYz(@u=w4CBs7DGz?(z9ouu;W44(ZWHwi)?AW|e2k9}z2@v5p4j zTfB$dKhKb+D!^6U8gx|XBrF98D6RBNh927!ASjo2i_t_028LcFYL7DPQ17!InZ_Y? 
zs2*2yYmF;tdw3cT&*kCv!U1eKQyb8@?Tklp@E&#yf_NKzfj^Mdcg*vqFj3Tl>3}%_ zzYXCR<-EvB0*5C-&QR%$^&xUVCH2hVcpA%aGz8kbexwD;0B}6t8ewP0P>9t)~KB4#s8<3B;S8D$aDv#RFHTiO=`P9IAQB{1SNAf`^fBpGsamn38 zfIKK})t`?s06jyJpK<4uC^Ij&DzS84MU4pW*ot5Ha=HL2W_r zN6-fM1UA37-E)5B9B&EoEOu~zU#MF_IS6urK$(fI|a=J`5RSLhNK6iw^E+hkjgax9zfmgi~p|RmURUo{Qsf zaa>~AeIb-o{F)#)?rd#4eR|Vps{FM;VCCU-8409s*y+3m!SN>eMBL+tM6ZA=b^2|* zoJeNki&6e+_m8Y{zl6Bn)zb4m(~CUB{0m70N2Erm8;`o79aQ|Sv}5%7G8`{0ig2N` zzJ7vC;gUQY0}Xj-&JytvIJk8|r+7AK=_H~D^4cLWSWFgBK7(KPo@bOA-jwIO=Ww>d z+YvpI_q@=f5*YH4n)n^G?xGt!tz*Q0_ed=iwB?=U$|_ov&qd_XWhvE;hMWcli_RTd zlEbTpT$mO6h8(l2{MQV*br}v5#sR)LIR2>*8|__9|1SkJzT>rrJAuspT+*fN&Q;sV z69M3a2g1M)?7)Bg@n8~CO_(D72xdBuFdFtUGo5b0lBuVTG9WA$ej+EjgA~_NFU;F* zMSi1a!XV_-9vlt14FU*m#!Xf7qh8mD4<+~c*q0Y!N40yDxRsH|N>3?rXb(Pmk&P52mwx8OR@y#w74pXk}>NZd-i(mV_0ujVhFM18Wb zG*jT@*|@EU$|IqDbiKIm(B+4`3?aVV=l92ovH>dz?kyy#Ji!)|&4(VJ^_wo9v2k)ow=cbctNqc82 z%jxvlLZ@5Oe^mg{&&zYs3skb&Awua1F+6R)=cx;nKGjbzrnsPMg?WXuVbb!1eR<@LWw`pG+XaCFOz$ zKO3n5?D5)M4@Hjlu2j3#;9H+$eO(TK^4iqphaS@Q@ml4C7kgIkS+819*Yq#B=`6p; zM#OykkDB_P$4z~YsYm6hX$X&nIHit-xmm<$XRt9IAydGkB6tP*NZAOmM07o?R8TIZ zJYp1`B+{v{PSpcAks>g5IdkJ_NdewMtGco{Wn zzwows>YU~`R32bujjx?6i*;O{F)!BH7;!gDh$|pFdg58d8}6IEU1E- z?U?`OY<Yn^3q;Co6gX~tg z_9jYg*gKrh&dVeMXD2JYchKI4MZ9FYe7sgvP$9z)Sk`;^57%)beoFrleBWPRZ8%ur z0O3p?)+aY`_a1yHR8ILG{Tw{rl(85b_+WDDir9Uk>G4uaPfrVdTU+R(Rf?BYfQ3Bs z$M{Xx>UVU7US@><<4Ul^TnTW8lokh=**LLNnP~ci5$kDcvDG*Nx#oE1T!IB(rZ zlss@XaPXmhxn*C1Sfnx%U}a-LFXT13hh_NR3w3$VmhuL_A0>A4WTY@O=rZ9e2JkJK zgcXkw9a-_F-pCs^N?HLQ;&M6cbB==4bo(SLHpUiJWJQ(B`V_F%y3ZMFcY16lhCpBw z58jM=Wb@rvAJtZ}X98M{-?RRK$yOkN>aLN{Sh5Lw{1{Vb5fm z;`S0tnf~U*=6g~oCcOGi#LvTJ&<#C6HO5SGF#J-?g)(Y~br)p)eM3*+F8rq7mS!v> zeq>PwM(1nD`{OZCB4;UQm@;Ezs7*M?gX>7dUa930IM=vgxUFl|_nI%SHBWIi;{@yf z#QqTN=u|5HS}`m*fd}PUCbEs7xZ>e}VIOiJxx|W{t=IQY)~Js!zMy8%bxJi=y{y-D z{a&tFzXv8$ze${P8i%}23%{JnYF}X4DosU?6qs%OdFl3HHMCNSr1;PQ18*0U2T$ zbO_kWEq=3+d?$QQ>5(Jf3o_A+H-IwD!k;GxFO+i{{BBN{Q$1Mra1Il^H}p1jEtk&3 
zdrCi*Ry$rxc6fSF&_x>32P2)*sj0TnsVs}~R(F~shtD#iMSF7Hb<%X`0BUQ?c)iukG%)vbE)_E2X) z7xqBD6rM`f^L ze1+whTS^x5%etIo1=jSTRvK7D?;7DRMaT^csqNm*fAx^3($Q$>`UQvhNOvAjn2#z~ zN4o@V#3oB@*(oXGWMlqx^kc7*n>X7ni}}_+zb4Li2R5?b&*QwHiuoz1ODi>n)C0GiRRzL^q*>_lE_L*kn+_%aY#|^P@B*=L~S&UIqGaYDixH%z&8YW z23{M&ok*AW85I8&D~2<4WYxALo>cw(ZCVH4!tQqM#@HC2%$TVN%Ha6YMhJ5izt=MEouM_uxpN7#m}q4pxj`GS~4S!I9_D@=UHmTz5MbwtG5W#B7#$ zz$Ax}byw?k{NgVZ%?7reTQjSrm-Q7-)y`~*h|ril)*UWBU)`8rcRHIYWlJig3^!hQ z?iRAot$}efZhnT|nI?C97A!=Gfs%---wpq>l9MRnKx6Po+&;hDG2_pu=XllFm!%sh z;x`wmFu&KaaNOm6D)pplE7N#qX{E7tQxjTkbzfNb+D=93*3crDC)#>?(gRTMh<-@M zCw4B`_-h%zRiIMr`!U|fulaj5`5p+B@49`w12NF+WQEMt?mJctXQv1U^aWJ10e&MJ zq&DLYFOS=RAF5tgH?O&_V)?1vp6}MWI+bG;Oq7h(zZh%krqf~@$(qW6M!7B`7rWyX z&)83m(5rg;iE>kLots=otGJ6D3nd~=GLK*@YE`kUbC_R9&c$+B#z_h=S=#h3c2atm z%Y1~&F5rk-M7PN@Y<3~wo`!e)_}@_cBPNgIZ%Bm9;y=ZXQuTB$jx)gV?t^lmLzj+X zByRgpq3YYMvjL2l1n82oL(Uo95!G7ys{?#3<0H zT)J>KaDL=;n1(WV5n;t(y2dlwx8V`PLl2-!xNigHm~6IWcu*aIMrni|lo^W%Jr4(v zcw`)St!`P&zmah~+5C+-iCl+euW~$FLHyYag3GB$Z?3`A;KPCq!tr6o`ATPN7R0hP z#ybo0%gSzqNAd;Z@l~zdp0R{2Vp-?QzgF{^HOJ$!3C5#1G1Xp&=@PR{EU|Dxwo95e z9dC@S)2!HP8C#5h;+0?7<5bLA_uO<6R8!@Xapq(GK_v`|D~RGT)2+Z#Zp5 zk}5vNd*9X9$oIP7H=f8=wR;MET-uXHl(h1YDhSv8`o}Mf`+76ou6VyT-=KSqOaju< zFTyJ~VjCk&EqFZ%sE}jOFxpuobiKMhnX-X*GC0Svm#^C%5q=!UF{hO$)Rw{Ys-NT` z{o5n?unO8t>TP?T$H=2I7w4DZ1^noT5P479JEVuRsQ-(!SM~Zy%u*=);>@46-tf41 zm(~S-9KTBxG@n;-x{L-_A+fwsu+_FJ`eB#Qi>`1*N5%Ys=)N`2)7%?p>e1a zQ#NLARnhWYJ!*h#H+b%>$XtxUr()9uGMtSv);~`r$Tv*sE+D@aY>Ex945bQ-_!{3Rz=1 zB!?xUaiQ2j7g^=1O24!&Z9}0GavwyJYBu>$b!-?}ZTvGmc89EAAz8%JyX=E{O~em) zemNP%D0`iacOTU4a!<{58Llz4^#qOjuQ$&{E5mR)^kkO|0Z1evn~5HQ~;&5WAI?XUs!%bnXhz#j zp_)$4o=W+ve)-;)zv!=C|NBa&lyH%nm{2YY^U39G!EQyQz6#E8({WHe56p=LBJs-( z>9JBhHrd7%h=_}=FL2G^m7G%$;X|rrkMc$2tH?T?UVzxtT{wlwLHKf!%%b~bST7Oy zzzpzABFzmzEWjs(KdZkzL*XWa_MYt1f@lU%&C?FK#yW=vPReg$MZ24jFxJSznW zaC!@+p`6I`pO2^>jz`7$;PWG}DCEcgj%*rdI<3qJeFUG-h5`%5S=*9sbdkM5QoZT`d##B z`#bfd0sB^>r^?gq;)>y;20>L5lN>&wZVihMB?kn#A?eIhT`z< 
z<#TCg-+>}P2ok9j++MZX+KgY1xW({>gpoqRr}DtkG>)a!C1Sp^57^JwJ7q-*t4oL# z4F^8a>%o6<24AlBo*W2~&e1=&>T_k7lk*&zn-04p`kJcgz2mD?YG@lm8xswG2Jx3j zLSO!&@b~?NAz5(vXy$m&)uFwN+ayIB*A5g+#~sVMB0G(juN!_-pBpCQ*>69;e6mvy zM;2D3m}bArcpA#~@LV$$(1_o|&lr#1xu~>v1lm>k@y7E#)O-1-uSMEJrz>ge3PS#Z zt3k7xaky2dAf&Dv8rA4`^Er;;iQ@oUFKm^0zDTw7g>*q5`Vp-sd1VRF`@wKM%PTTC z_6zrnap3j>Y`@D{9rK*;M0qfBR2P$(=U{p^2$=Db4y?>&C%v5McIH3T`ZXz=>EY&u z6NgjktYjt?dgZ5g7iJZ77|-digx`4Q;n=e*UrhtO%pi`lr-3()MF^UkfQc?9BiTIv zEO7pt1Tjv*2q3dEDyL9Bz#(-wf|BQ3rFe1*qAAI%)_MUmc;F}`j^Ek6&2u{zhGqRl_uubp_TL*D-hWe}Z>nbu{D&R`uN!0FEi3jDJqB3ycKl6RA6GCY zzQs&I*S}t~Js+N^JsZ_e*V96`i}w0CL(hZ|d@Yzh?QLG0SiE%T(-xtGBL`(2l=h#lEg8O8Qs7K0_#IRr>cM z-EQBl*=|q$pJ+EzYw>L>hP_N`h@0|)oGUAyQ;4Oj&yHeKNL(hgloD#=J(Ua`1kyQm z756RE<4IfjwXt z5k_i4tR^rAjPq0Nt}2@7CH#8&3$6N&$-n!>QtYoOFPQ^O&f!>??*Z?{BU3Bj(A1A| zRM_soeVyv_-E#bHca~OiSAM3ypywZp{}p*CWM{zpxF5rx`d*u`ZWrSkzvgpmj_Z{Z zjq5O-uGa8DI-f-IXW+i1{Fy5T#f6>pM0Yq!{ESBVA=pylu4%>PuMR(384;oM=w zzw>sBy7@I0-%n2ZmQ$%+2bjkEg}h^_;#AyVMtSizD0fw{3#n@0+4z2t7#C7kB*KsK zQY0VohdCH>Y`(WwQmMGKlje`qFlP6-YI^HYl~42iHOJvK6OF@0`Jw3OJWseD*o{xG z$@Sc8#ct(by;qn2j+*7ac%t%$=h0;OooMOLw`@8cfYRHsGr-lHVazd<`C6G{SLuO1bbU53{%v@?RHM67Ax}kWY-6Lg>_vIV=rb?=E$M6n{FkhR)#&!@ z4b0CaG>w&OeER>4?#B&|`{RzEnTT+v+^(pj@OQ7z6u&E8JL7m+MS7|FxHP%HaNHk* z|Ep4QRbeBYPtm;vSEV!bZP5iwB{RI59nc6KeQQTM(kxSp}=tQcaXk=U-&<*qZHo2kDF)Bnlx*>0&%wd@mI?s^Tl>ovyOfU>&r z+%DARRdInCpVJLp%4M8EOmRAaJ!H1?Wch1dqAFZnpl^57rz9 z*O}!r+jA=T>R?@5ZpaPCjK(r2H}qsaY>{a_xCKw`sX>jzug(40FvWx~}@m4N&hiCH9ENu^~8b z#Zpni1D(vU-`=!K*U#UN&+kzGQGb3>cG6`PW^Z7AuDn1#te$dBh7YSJKgCCd`LO!m z_X+=$=~>(v+PJ(@bH1Ci-PN-g{#dLSdI-E4|M6KFG#GCL{0pjd44)f*OpyU<=%@KT z%}Da?h<}1+Se5=&$t~h`-KE{Gt^3q#&3DzD&zDX#pC_bKHnwa8NkR#eo?)J-@$Lsx zwhUq774gAJmIO^;IC>m0z|ip_S_B$i=XIUp2n{JwF;u%+`!$xYWXYK~tJ?coPO29FJ1MPbS-axB>g`ay z{w+1W<4^mH)0apNx!=Gm*51|LqdSMWZ{7Ipq~DXR6`hFKwIIPDn2q^wTYtXdlvpXy&#@rqPI}6P#`bvz`$?_Xa~dj_ zIa4B?nHmxVxytOn1i?!fV*PFtc-t`r^5ODL3YWBL$` z^a6OEKu+Yt>hDjVZ^HJTKE_&cX>MbBA{?-(bD+J}qf@e-$PUN(uv?2|4ox;Le)N~E 
zonE~@59uatU)nV*dgPM3;b~aSt=+s@TGn^@ao9b-S#w?ain*>t<(?s|E##zASZBsN z>?U%Ii4BfFxL`$BXGB(qU<@10Wu{;pT&yoN7VFon7-RSx z!$n4!r!I#8eR-G%!M4^A4-$}v9+PgXJ1+es8nT2P^gq-30x*{yjD8zaac! zbtqIsfoyj`H8>|Kp?6!cBit6JUv=1j1im;rUK)#Xj4scTn&mmjERR9|Om-T)^uekG zkL&y&s+s@w6XcI`0{w&6#yBtKApegKDPdRqI~RU8!As&hCmh)52pU|2v;16!$Nym zL|zNX{gh85&!<2>F{g*Va<68dL5i!(Rn%*>nVI9f**;j9>POJ)>F*v zTC3^ztQdSNb{D_CFkR2)%BZ;Er|3^?X_m-7qriYu35@+F!GSFa3_E^wV(RbgLi7dl zT7*H~F!Xj1BveL*UM?cAY##oO7K|eMw5keXeAU=@6cPaWoco$OvFp*9lZV@%CHfvu zPI2`^kvI!WJFtH=UJx}Fb5ZfJENyqKvT?*#Z+HT`t(A*5#JsX2`QYRDZHYg1bO!!) z<{bHfgJ0}BcIc~wpN33F|bv_V|-2) z96a`H1^ApuklM?w7<@5zx9-&CyrpJ24KZ#*%BdX1RlM;sl;@KUt9zpr!5h1RD(;JXCat%LzHU9N z+wIFW+wH1}+Rbf;I`uS7=4?7g)H3HVniQ7tas3t6Td`YIORm@DpVEDglhngRN`J0p zV}vQS%V|)%z(y3J2`DqhfDC{ub-6FD+3xV#2#?oE>RHT^2}=~3S@y72tE@1}cmX}K zy=gUd=PtSoS>yIhW2{tX^P+wXVgJiFbi2P^v)vyv+r9pEVhZ#mW-r>{d_^ttfYE2z zlZ7+OWL%x7>o-=je(8zoN82%X`P!gy6-fN~rg=h{sT-OLJwO6$AcLf*A`1z87)pWh zLpoPKpAaQfPw9I7FNiBQsc~p360pbd9yW_12OzdVxst}wBM6QnH8l7iEl|q=tt}-T z9G?lLvwa3I=ZMmumWCwEB8aB1@065Rrs@CdHn56UAY0hA!LDSx&uBmPF37J#U`2qF zd~paYGyPTT@7HvqphJd=JY`o(MZ46K#({c)tXVy4Bm5KtoKadAb_L|FJ+m5m_Q-QzQ&3T$*8A4!!)T^Cf$RBVv;sO50n{e zTosgjEA034+S=#NS&B`RACPOdgHErKskjWGd{k?2-=*aVIzfwnmz>CeulZ*z1a`u+ z#Z>5@4g{$2`G*GWQOHeMw5BNT>%{Fp74%f~A#6j^hj6Y9^H~uD;lUs4fy2?3@!>wt6q@E|N z*MR(~Z1No`21_arF>JH!r;Oz9XIK5)deK9*B4%ST(c7Dr8j_Ah@=@u$vLT812bt$> z<8!Y2K#BT}aJdypw2w;S_>wu5bf%1xL{gQco?xVl;q+)?_Z*Wsh(?%kg4E7BcN$A! 
zHJ@Jdyqn52gAX(Lfp!cf9rZ#E{prK%NlkeX@`2}f-e<**!Psj$49h1SW~vKwE-US) zBh#luI8FlF-f^1!U({wr%$~@XTU(S@dZ~9*SF-l0L)H|Xx7N_P z6XH@=5eA!vwkbJ-sCL}%h!PVE7aVoSwxCx+@!-g}Ri*3fPyA-$FY=rO-RZ29`h6WH z{Q<*tdSN1mA)J~SiB~;u#4kqoT6#4b&UhXgE%jJyI-GgXa z-A*rpGeY*_k9?&i>9ROywFns`QLdD_2eaK6-=z}#^SVn2cOY_(7{v;7mQBfg_CMc> z&zFS?Er6dU!rys>;@$G+hMt3=O31zVvIxB+6vx5|7n*MNg<6U*eW?t8?*B`EId!+e z8@dg?ZSZjcznn!F9`%p=@y3HMw+bPvHh|hVAk{ooxQ|@RIIWi67;vQPezN&pa>6|B z(LXxOuRwn4chcDw81F=YN@QA85LccQ3k3{cQ1XqRA5<$eU{ccRNt77ho_62J^TRxC zj-1yPNRUsK3ZfIK`W~`xQ`!dWK;#>-3yA#X`rAjo>c8!~(~JERSvBvEb*UOT=afl; z_2<63GFB}r?Sp&p;(EoQJm`NB^a$)l0*BCe|ED!Qmm(d0&F9zT`$s0?`~5l0WwBbp z6EfeGltvaEf)ck0ie>=7qxhWut-zH4ii559_Fy}c|9hlr6#s>eVm2%D}v>ti0GAxT)d)>`E4mWgK3tW303<> z)&*sMnCTy1qR)G(nXe~bOTO=#ezOO3zc_jQCglZh{q@#K->~7G=i8RaS5jyJrB;%2 zm?vzfxY9dB@>hIaD8mD)m7@y(S8ZP_ONCEG>!H_kDLUktfSJ)7(0kYSo;Tiin#_9$ zl~23nIQ1`Lqw`{?02PH(H23Rzhfx2YvRkS-IVrnkWA@xikIO4pl@|gAId9y0Es2i6 zuQ55_9YOIqPJd!Boi8qe?}8t!9r@11U;T1LTFojRK7+D*iy`vje5gM^4r`Um|0zAG zOS2}SCw(66g5Up<1Xf4}y)t3N+~+);lL*{5O9VI+}# z|ABQ`8BpQ_&QMRHFBRv}OUf9c*(%d7XkOP`xDLUVz8f?1*I_9Lc`_J4kOj`A;Gsox zm-BcQsB3jRWIw&4=g4A{a6V{Y-WdPBp{E;bUYOAV@Dw&1%;@;k+%U$RBx-@M?_G7Y~hg#T?sag$tFc<3oO<1v` zSo#erbLf0se;hCbnQdq@y@+C>Qmk6g1FhKJx^(lc7&drHPcOD&9Ssz8dQ3H=Ws#mu z+8-%sThxo6(qFrbXu!}JVBShjvQmU2P;kAJ`53a(L+{;=`49i5R9Ct$2XhY$J?fk@ zGhH@?_@1x=!LD1fOHOx}{=hIm`IDl*iNpDy zwpkv3!)>#4^Xbs`+LHYV?OIJ4X^wvHK>eQSz`Ypx&~ZrHX@MNf9+Oug-`_nof z)_JMUXHot6Ajck*G1b(906liQ6+6JP57AjuoR{B6_;09PA^DeVkIQ4bMb;mYBjA2j zM*lb|q19dJD0H`HL70X2>gUsyy}bH+uwNk0C-H}0^J6vjX*W-#Pn+ES=QemhABK)9 zH!YJ6A86{XYEwvh^gh+pZC?$O`z7j>u*e?hhpia)FktYDKPT$ZTB{!TFvl9Vs~?Jy z#}U_y|KJ^BA7p_##`f_n`!YX}pKWbxZ&izcNtX8RdK~Pknp5rXi?n+cK7;-nU!WWR$LjDS}|@_eKIT7IXgj_2I$6RW82?nqZe`d)Hd zMXA;{v5+6~Y}BoOc{Q8vQ-@D_OF7q}`tvDNitya(siaaaQ}8nK!LNA(&zh*h`B4uf4Z{ldLN5gzt2N%#@=H5h6y=CXTNR&~=9a6chtZ&%m@y&ot9B zFh;QH?yBxCr@E`?s+yig(5pfM3M&{?P>86IMFkfW6gH@sz={D3C?sHr!fG}Q;=8cH zjpoI;|NnEI`*rTETU|8`S$^+S|4u(u_nv$1`FzfEo==3I>={-A4Y#i_U5ZKz9dn+F 
ztsl}YhRDI`Of<_Rv}?WquXcJq^55%nqveZzdx5G^Tynt(GnXZvAij3LF%$2H`d>m1 zBL7=5^P^j3p9r7Zi|=zoy*BeZtcUQ&gLWdHTc&)GUhAc%oQLh7gOl@6?8{OA{RIDw z%eGA4i;%_1hyEQBeAE=aXaC8nY%!9yYZ?1*6eao(+8Isfno%I431ps>)?1xiZ?G@F zfwl7Al`j-0MjPe25=+B|&}0rfE~aQs`syP62yF@tNy#U4d01u0JJJ=XRx)>(uOD%t z0@IHufzQQ1m`mn3Q6eo@P4$2{5g%$S?F|tLjdM~ty1O_2glz(S3*#m zIm&Dx*a7Px(37#`D&#I0Bu3@}KCUGlTDSez4;NI9s z#1YvcCK3M=CwG1z5vSZQK|iiXwPQQI@vD)@7dFqiQQP+yneBsFad!KH{U~!Y%Jze_ zUVA`zJ@$43AFuEwbeP0rPRC2WUY0a2I6qO3tNnf3l;QgvWEb71{d7-eKS9K>zb8PVNqwLqF2?JdoKQ7|Le1r}eyE484({IquhWZGa;mTN{CXKF7QL{V_S- z7TzVEmUw{q?K73RalG#_G+;d*gc1 zwATy>ntsGmDN+B?U@52jy;N4@4Dq))7n){t zXWB&zx37qkHEGTws7m9)J+4>ZoWeKU!sPQYM+T-Ij;HlGH?!T;rA(H$@cNt%8?%k% z`{doSlN+~uDzFO6kz)3$rd~!L!PuXQei)5()uec&4kd8fv6|;-zw05fcg8P;} z4DXk!U{L!REIAL0McaBOU=J#ED*2W8bRUZOXl7C#6C?aa0}@V}{4)3dadK}o?ZE>= zSL3;ZBG2(DnO@7>KX7udk-V&5w0X)bo)#k}kgRGR(LIy79@@cc@!3OrP}&wwqHeS9 z`*e;>i9b5F`<*S`+rZPrSNP*uWsQ?tWv~OB*z>eUdNRb{JjYcT-d^O3;dRbGcD+ai zYp&YYo<6j3NW54hzl>wE`BW_xl72LKE;jQGj|+daefmc+RdFXK1$p=Z8^pPtg`$7H z)}ntFw%;t)de0hL1}owoW++{m_p$y2pPpl*6r;88Z{65WneWC*y#&K-S@@;{WU)sl zux|F&x~t7kSL>DO5lrjyJWxk1xvuGKI_PL4mz8}({5qgwW``HQ7F@+(cH|*6s*h|h z7OSIWpo|d-3b8}N<;wgDt94GJG`_tIS|NYhhAmT#>9H9y{`|8QTf+9H<)1B%f{{`- zPBoBc9a2Jmk*3#j8eiG70q=C>uviaX3-MELZE6|?;j>8P&6!r4xXO!AzxP!djCW`3 z-FCk`$4Qm@WcQo&&oTI)IJc!eC+uBnnn6G)@-}(g`IG_Omu0O}7h8IqzVFu^->|(6 z>o6kR&X5<_g1MS~^gyiC3xeaT^8>Bly_xm<+TzvECVcw@d6U{9N#onpGm53L!>3@9 z1ar%F-Q(o$4BJKg60WD&I;@+hNeBIZvyNXBJyh0oTu5CbP-Saou(d5f50!ki^!nya zJOwjOhTe$zQ;D~Y^E~@p9?Kt`&yQ>RTs&^bW<+nt5zLL1GGgMDq`x=*eC#>Alm2@TyYkZOTp61 zwrMhX9!#kO=$PJQE9^kyG+9pb=e0L8KgJVsMQqVYwm&y+oT4%E=EMBy z`=W#^Ra5;ca++W*h?6(U}@45#GZ)29cUPm!<#TpIIo%q?%Y0 z{2F_dehy$TixW}oSkU3~!7)JMg|+|wfb5t4Z2Nh%nS750Jm)-%eE4)forNFVhi$so zMwM;(Wg<~e{U@SKx_NGlQEoVeKWSr)7+eBFcg^X{c_dF5P3*pezGsuTAm) zvy=OYPZ@tf+kJIryAks*eja&o+6@K`&}TzfShHl`T;=3oqfXjjEmHe<5G&uTwHnr1 z6zz%qf0KE!;C05XBfd(k*Dd}1;v#)zA|8AF+;VAVJ0E;? 
z?0TT~?yTg!mG57_X>i^70d5w2=i^7(Ab>JLK7PoLN#yURVI+j-u$1XZyFXYNE0v3( zT^;gJ9-b(tI$NPf&tjq1egd6ZhFsfmzJ=%T>HcQsyhm)J?0LT+(g%$4BL@N%pr zfxhrH+Kx8;hIiNw)NL61q;WSUdJWPnvZLQ`)zI=A{yDAZRhjGUBlddhyq+Z}MpLLk z5nG?|zEoE`v01_gKX`e%j<{bY_9fMKHbw;cBSi8hU?O$5iusMhTQ_fz9HzaZhZkm5 zJ-vJlh7w?*^@9BZ0o+8%oLTq?Jf{KSZlq0?+<&l9GyYwz^S3!{)WlD<)Wd4mTyYFLB<@)IDXx#9 z#nYp++l>mECD$`0PC))NRTNWsOTOVpTd9nfM$7BP%KR zzC@xQVO0!2-LQC0_}>oh|dUVOhzUpI_WLgN&wB+`>R#eJvXH=}L9oZub3y{nJw`(wtVA0rwv0&`2T%ie_$ zbK}o~)#ErH*ZQ`pU$z+awQCmBFI!akK|B5E?$FH$?3@@1kIN6pCrQk&Y`ha$ry6z% zi-PMgD96Nu9jX+@5#5Mb#G<>+eL*o_k-JX!^_lbR;|rT-f$?BF@)b{zFL!O7ul16)n|HL`wuOSR(8@uHZF!|na-EbwaYnD}^xNBvQu-#?=5JU_FY zlZ({O#9ni*lRHQ1-xIID_-fBXXSa70E>7ybby5089-a@vc7nTJ8qLpQ>tKeOw5nIc zn&h*z$TtUDK2Y%H^EQCQIc^yH)6Aqq;Bw&yZ~I9&B@qqH6aryu{(V(BitwBkzE9O} zCsBW}F3QzWIE*##vG8}o{+8#WNI`?}swodza%Y3rPcIecRM;yFrmzAAUnBaqD7&Bp z-VfG+Z{`TGw}1Z;d5hEix0&<63N2?5YnZXYIp)Qs|D(v=c>XTi*zSHO_tz0Td=lH2 zI1h|c=0yIP_F^q^vaZTaIq-Ae(^LNw+D|{u?5Df!^T&Hyi{SJl}A+_9j7BcyJC-(!t%YLEl+)aO6?X)v! 
zWQTs=Q~9q}$Jw(a@W*wnw)Zoc;|i1K=+sNj|Bl+rL4{Pq{h$siPDU{#|7j=ppZswd zLOm0BDnWvaqfMWOL#v&k2Apofqvm?>WN9h<)_m=pGSDAXHVki-_$z{UN|jn(D0mQa zTL*M?Fv}LC#eILsn`QYM7Q1{FiqAI<=)NU$d=UpcdwkQUrW#kp;^=ZgrYt%PwDGKI zPG4EEb-(K55W`K+VaKxmA$|{ik)A9Xec1V?fy}oKDHxJ^7IITb}zXWOVODFg9p!@Um z`8mW3nA(nY5S&9kul@Ad%zlDP(Z!l4vh*=07%hsj@2KgcjjgV9av#?wEl3_qQ4^TQ(QSlsfFg0_jM42;^%3z~mUy4y?Z|7z z4suDr_y*?o&%c3VDc0XL`lBEX-Fz7~HVsGh9P{PT#?1JXoB|vtmHtiaD?(7_ z4c|xh7;xf^%JbXP>e1x+%GmqBormU>QM8sKQr{n?zt_X|DTDr|JUlV~qR*3l7tTX| zy0XLAn`Y+c`y%;yzRJwM30`_jz_`|X7W|y`KFV1W@`z}A@_bR)A^Gv@SgAfeN*)qF zM4a z^iTWsAq@aR1)QjQFL>y1F$4xv9R`DeZbE1MwQ+Q&!m_a_wWRw|KYY6XTjqMad133Z zEj}@5Y-`pL7g?9^J9U=B2~2!CffocB;b9{GN#LOrd=(+*B7Ehf{DZG*w6iW20taevw`7>%c%B4E_^{M9;ZCjxQO~g}Qdhng{|opt{2^M=q+ajp&AmYgLoM%> zgeRH$lU#ZQe}gXvu`a)fe=4*O)?lT{sd_I3#;~Y>NF9-M%4pF(%rvm6e`xCfQH_zS z(=@ghI-1DZ3+~_)uFHIY$eBgVlqN6|<_^zy_;erbxT_uaO^$n@gGQ7vvwF#a;o_h> zEvRSb_H{&PMGB{YAI3)`6MO!U zxGNkedv67HT#Nqfg%p~)T!q}L!FXguWoNiqSyDKhW~vm8tB!M`saVoVNGVM~vkClIi4{7?#$_!&+bvPP_OrRn;BT8Nu+ zdk8|rU=W$%C4t|*wF;CYQ^zh(G!enW6|Y*8^e$@3bFK2ISCStb68(}P;8Gy!pxOhl z?KW18iTD7LKmOccX%ct?T_!I&qUC#n{OfjNHTrnak~bQE^0K~6{TY`y(jSrg38zHz z0MCa_^1rKCuZ^m`haCqxS}tUw#rpilVx2`<@{CwMIA`5Hj4*r5XUStvuR!Z{6FO&0 zr7=!?Xw@rz--O;^F~Z-A)E|2RiSt?kPMoMh8rZ#C^@`+!_kkc+;=Q_qVzSQ^{E#2= zUTZ#Kag~cuTZNrJ>=MB{WGs4q4&lFWeqvWguNGi!T&%7YM+bd0HEx>Ec&WvH;!mBG z>E(ez7#LFfS(($vqrSo<`0jF9cK?O>xroB7>)YDb>S# z*7$MUMTRf5Mo`!MbZwGW81}pZ1!X2eLFbI@ zvtfD0@77qs_HTw9)AW~xk_*$lz7Y$$&eGqGF35MO$Z9cOyTUL{)BQ4 zo94$GBw{6%s`-cpF6rSgM%odSKVIcLG_Jpp#lpK`Jqkd$DJ7Gin_BK1MD}G=piruj zrmQI{v(~}*j_F!I%9WG$$ms0!4l-Y$L8NV+pGUd5Kp6qq=SU`WP;{0Uk-02Dycfo4sR1t*o zQ~}~Y)>Bm8O#v2O^Yi)LWtTrihiIIdk}L*9zS6%Q>Q~4wpn7&30+uK5dTpXSgd8xIVDiHC8TUKsUyBYy zJ;L{~Le@T0njYODo-^`A(9VSdCK>zB#KDgC_YCH5V;U=`rem4MvP9jj^;)VI#(;*Z z!GK%spI*ChcykekaNH)@bZfoD?nm`u50Ceg*@+9F1w*&G`RT%Rp^7Noy*S@mbW?VI zAVM?x3BA~+&vBuG6tVY5!QJSp;^?%9;dsJ>!!igPS$}*iyfR(F>s#XedA~K!$#G`gU3VoY=J|HSBeADcGL4KbI6?7ifGrFvGznm+c7&6RzO@sgqWtmu}6QI`(L~ z=bUfUOVBeSXBs3BLIxPKGTllL9jinHjM 
z9dz)3{_`C?jP3}3NQpiCAC_n5AIAZ4mb@ctp6sXzMP0D{e$9DS3N&reN(gB=rVRL*w+t~E>Jcgq(Cv;?Zf2;w+ zIk1fk2^@?a%CPpWct*7uq;w>{%4~hzrjMC87tJbyvkG}xwMgOIXIf=Pmh5sXW2S=_ zSgxO)<;MHf(Dv}Hi@81zlC5NqOKE(OmP{{rz!CWD`CX>`wyLso){-OO`qA z-p;Rn7X&~dziV_1tXgHUlHY>gV7W}e^fTnUy0Q1BZa;c_EW{X^*8FSCOw1PPLU%RF zi!@|d6u0|h+vd>F5H2Vd?qyT)2>E1T`_&&A#yG#DIzuzMaNFez67+&NJlFxxikFH}co;e;?>Ym8xsg!2hGEeg)h3-=Giym>M{ z5B>MGer_cnk5shj`?P}0A7-yjMIQ2rk#EDYDd%@|m#Q(5cpweeNLGmO=47(oCdgPNZ$PVz_=c+L~~P*?%*@pqsD3%-!V<^u?=;iKOj zM4osy(0M~!MD7rl*Y=6fst@fc@)0#En@=P6p+!|AozInPop)v+Am?o!b@I$?oi9KI zpgZ8?Js)@klwmRP2f}vv8)0zts~~`4xZ5ZAf3=28MC9>jk}1|6w;->-Yk#4i;zkm;Fl`{^` zXQPC2dXOUJlV4?s4M-pSuPoUbC-R}>h1R~!>mUu2_OsKv`C0u75w3(Mv*%Ib9B$Qr zdbBWGVg)SvJC)#gA0&+!M7GrCQ~S};#zt|NU@>i|h1p%8Dh%uU46;QyQ-Xnt%LDtmFDziK6*}-EN!^$BV>e zQh$HeMGz(FUPrhh=6q<4Peh@K854ZUrixVQcp=!{?RhXL^Ut6nd5@)^khI4Hq9p4b zY7`R{Ji+sOIQ_zC)7D|-Rsnnq66ACci00!Us^7l}K?vIVG?ZLG=^@WqPCKW$Nv`SL?qmtNt!RYR2s+ zQuH$+WRI!Wh`w>4AbXL%=fj!rDckSafQ^#IEmWeIhu+Xh_(rWsu}g*->bOetZDVUS*eLfkHT|ZF~8B)d()rGACq`r%-?*A z+M4royuGpK)8C4BauLVtyMX8NiZ^2IwATp=#z*L;SiX3FoPsPu#m`}EUM!#lQ}KORuPV8%=J%Tt<>Fq=HS<&L$vN36=Z(+j zNWMXu>z^zUvFDi?d6y$aDcM`_8=vm4Wa6h!c7UI-JsJxPDrDtx3^BG2#H%KZ2@ML< zt`=OFUC2fQcMmaCe}j|zoFZ1z3km&QW2G+*BHh;Heni!nClc}X64+IdPuA?YFn8#A zeZl$FrQ+cWEnm%aIS&?6pX1Wek-2Gr~9j!^8n#vTkTUM zK(=EyZMIXTj`%Y7Je*7$RAi*5ZLw^ndew<}5{B57MXU z`OM~9z>XT_*^Cp5T_U3&CMIlkhx6m|I8wS`1k*10*_0rCQwHx0PX+)0b2 zLWl7m11@Nzq$K1?D82o0X2>_KiI(%8j>=h!a@I+U`bGIGj|mJCxL`E0%pLOru8YLH z?Z-J)J#(yOL-3*gRx%$5MZOC6deZLO)o7Ma_JPPtk&o*xv9C+MP=-*3HYCs4>G`64 z$(-iH=Cr?VA`G3#__kk8v`)tUkK@~ZId;c3A76_v9_eKACPR&*L)bkbK@fIw5PxtC z%B2bU0~-WJ5Z8`TbCCrcmJ?YRd_h7VZXpek=d5xg9VxekznzqFF4}&U!e6lVVp@^X zh_wNHmPbfJ(rE=ygY$ylcHlRu`ht6@?!)k)7Ngy*{VbJU5pMq$81_&4Y*}X`n%_R2 ziG<0e{v@@G5pJ@obDKR%9#-7nL~vMsk>ke?t{sfjY>1eR?VtZx{oCl)1#N-Li=9snj5Dtj63kiNE;8YDXEI z9OBbODz7CzU8MJ<;s@f>MJhjr?+i6=;#2y`)gaR`_qAx48^(yLXHxAu1Vlp@fgqt&+X!m4fMo&Nl%Ol(aT6LF36A>k%};E 
z3mv&pVmhKY&Ny5lzd-D>W90AGo!pnXgkQ_r4?$^X0CMPoP0(16I03*du_KC+P2`6{4>=^s8cCk2qD9S`j@Tx z^*@N7k-@R47x?-`Y*SeXj`LG(-(#8W`|DQiYdvpX4En{)z3=GU`<6BL{?5rg5VVu? ztn>XQd!FrHxn`bOe3!^XGy~M?zJ+fi&qo)Cv3H!PSD}ty**V|q8|Q)N$k&AYq^gfu zUV+PjQX#%`-$?K$Pl0wJb`abWJ>P`?LBn^9#l`Z=Oy$2w{z#!H_YG<96_$U^jpn4@ zVWNJTFKnLwcB6;UI=?uCq@>Hlhs8S#AEHs4b>SkXxU)F!nlk%vul;i(pH=fUC6JEq zxEw!1DGI>nJ_EY%$z0$6rPca=iSXAXXdF^A1siAmm6N+e*76^rJ?*bI@TH;fIT@kg zI8N=ClRi$Jl@lMQ&guhRp>NTq^TxsxG`fY}Z(yEm>vKjLG+A4xy5XEM`}1FX!I%lk z>-bQ=aFQllZn@cAHcWtKjK|Js!I2hP!{@6~?&jU7{~=h#2A zv&hI7_DxD9*-5+eJUfZ&xzqOtorE&p+Icy6(&&*cs2-Br^jrJu{*-l_6bI!{PT<@D z-#=~2?Y=w{PlL?P-QI#^+VXf zc>VfuSdA<5Qg3vvu%^}9_yYa(rn<)Cp#$4RB;w~6og8EZhe^EI*7!nBZp4r9R{%Q$ zO6^TMof82&*vEZ$9l=iX587{!WcC|K*m%F$dLAzgeVv>eIM|2=90I_^y7`Ar?)x$~ z*iY@RgJ9+d{bb2c5w)n&s1?ikz_lF=uh^A6{1+npAm3zpbOw6$W>-O$Lz?7+Svrgv zca$d8a_u$od_l!zeO95MRw;`G&$-Npb6`Dd9Cu4kbrOzp8{pzl*{lqqQo*fi=g;89 z-hDmGFik&5RY~1bhPG~DpL5@f>yu{dv%(SX%w#z+ zKWLo~r*?1)LWerC+>LK1;m^e6h_j6uchVnm<8dipQ!n>gt_!z+#WH>F#yAZib zn$+nIzB$g-^55y+O}+cJQbegvh)H>v^5*&Bcr|7jE2m)zH3YZ`=5PaFvGJ~X77(MFwk^qRQV+}<(9P|S7tPSi;+=OMek%k~jnDf-Cj&=0*KU_fL8g@E z$oZ`O^31%7ayWR-Yrh$Q3spi!eEc? 
zM|ZMA=`ot?OhRVc-SqoQa<2;fl0UEG`~PN+@1w28w=Mj`T25o=i3ccMoe@Jz(ikoR zmgDC%8k8CYII`Y3XBI%V*p0^?fmnoxW$?{M=L#+o9D5p$#NA~%XTdv~Ws=jl0C{7x+-zdr`FXIx-@ab(K# z}p5f|qoX+G?QlA)o@{pMi z-S=hA>)UpJUM~ha!(SV>=-PmoEJn}W>*T(pYvY}0SNnKQ+zf`ndr$`HxAx1)9=DFl zgB#xH_;*$>V{hpD$BULn`B8+A7ff8yOA7gWv4-&x_H#0xGknXz2jR)H5Tnv1NzEPT z8_G}kKi%O*mCm`{;4Nl8?@l?sfa?vcPgq}gzk%~|nu(N)TZc~)hvv*-`zN;YnQ#)m z`}4rr4W1J{tVH>Z+E{+PK!zyg=gIf${d{qJn)mU^&Nma}v-T^kC(8?c^|3tK8>hc_ zU=td?9=eu@Eo0intdy6-Khz8YOo;DpxOWl0D&>EXa_lU0jm91ozHj3EJfH>o!bB9c z1}TAun;^S_@i~mD-*Isd??<40QG7lvZsMV&60GTg!7cPuk4vFfE%ZtJxhP`d z9ot`_jW`RW*Q4*Xwwic{A*;1-ry&ZKnDBoWpJ?FeB2TH_AfuN42z|03t|uq{Pu#VY zxtVfhv;b<}5jj}1{U#be^%`czy8m?My8lqCb-$2vU>)K|F76usgi(X<1^0ZVeW7{~ zqkXS%avzJF3wuz>X6+fCfg41`-C@Iz&Bzz-i_(|=uAYy&)a3kX_MY(hNEiy_=ZEt+ z@to|}k*6Z#NO~!eU!p3hq>_c=lX@;oFH-W~B>$c6HvK*r)XNyXWTY9?+?gK5a4@zK z`+cEyvX5!Kf0Q{7p@N&O$MBNvKdF=1-gO>ya^KTA{G_(;A2Qo_PpkH|UT2GQE=_Ho zi&(m%tpRnC*jjzm$^EUivxn^r=O^Q3z}BEp$XiHk8M19J&Wl5MKJrQ=Xu8ghBJvix1N{#qItJV{Uo0F++|gzJ^OwFS->RgW+2@66={oP!1n2hk7i2 zKaWh5W^45kT%!F=yq-9XVnZf>Ax$4gNEY1VJh9}?k<+vapOJ@rn}q)!e-Lp`=)3rQ zi_8|If0cEkEboOm6^FcST78w?JPzSmb z4gnq&K7ZPKA}CSlKH=xY^o}st^#6NqMH~|MurOgCt(%yD6L|XFr+ZnD+A#w?;%A2r z)Ou-_m(Y7Mj>hQ0*r-2^2&s-oWWI!xOY^BONYRNK5z`RrZR68@0M;G#Y@#axx(*3H z*RcPS2VTwpVfpZLO-@Nd4l+(-5Ck&;S8lvgoj28BK3Q1d^OA35nsc9b&3cQJAJ(6q zc8jrCZKfgSu_o? 
z!oR_{eAACSpCtBIp;zVfB(VnhqE!8P$rmqk0(sl# zM~I(EpBWP?Fke7)jp@>Ot{TelhS5Izb5TH zxGi#up#6wQKRyK))INoWc)I3-w0K+tlc(IG4?1FP+kZJm!#6k|OsK`lv>x ze{39BpzNZ-`=fmsF4EXTI(UZ8OdEp~+B7l|W=8AL;kV|m-L587wtKt-59ae->#=Oe zQ*uEKutiYj_~uH)cR!i<4|SJ_fsxjZWaBD|KpHuN4!E)f4vUgGsa@3Rw)B$rxrZ1qi(|S8kd?=3h9K#t|{k>2Q34%EDVd)U9>{AL&@pWx0nW(+5TQ|5K?d{%*& zOSmt!CN;#sCHfJ5N?3k0j#j<_f9j)}^CaXC=A)06`w}W_FZjD>FoqF?ASc6CQ7Wok{o@ zgu|o*$Eg2VdIdeUY=QC{>By$}=_-|##D{peX}-Y*gzo5O zyr27`m2WcwM$OW*I&nJbws2WSdlw<>Mhm@jvoL-@9@Z-(pV)N;`vUSBzL@xb5Pb}h z*|}i1O*8C~iy-yLgimMs6y*GnDHP6E;@9@q0grjoX4p|iy&pKvKu6_`HVUOm9!s^} zKpZXkp#)85_0u9?y4NTnQc*;27+Y)y?e$}A8tKhHwsP_#FntA~FKaw+?1zVef6^ClL;AY5idh^b zqcm_D=-SkkcMnC3oI}hAn>gSp&(S?QZK+NJCxyBQFpi2nNBe$!x(~?i(cXMgH*3o6k5S2y{WZ9Ur#u@YTol zoh<*l-tNA}$t`grS9(zrd8=i8vWHKFgyBXL^KwIJW;^KRLWxwUh^DObpFwbaTZc~C ztbvkMekJQGEN|?{V~-x09&bRjG(F8DqRoeq`xS|kDkn%w&n-moicG->zM;1J7! zJGx^OAtup+R^!gOFpJp|k_2YlWj%-QYqo*g{b$BOHwHFQ)_YivxgXt#mzyu6M!Ya#Pnv`l^U&E+IDLheY#6_%4+(Okc{hIg`u>sEeQOiLCl!Mm5t9iAqu^ zN2y5YFLHv(@F2^h4kgGjm8_gC=h8Gezt76?&&6D)S?4w3D-5ed4SC5Q$SOCM-}T?3 z`)Fi7%duRJwkQyviw)@hNLK&Q_%GV@q#Dh_x~ZhyG--{Z=j7&8f9k_ppYt;7Ghx@K z!}(=Tr+Ft=H5DO!AM)RKjLy0-|1#+U7RXgkw&?p0XnS^MwI_4_ab{|uI(NW$Ymwy? zT!nn1X*jyvDdzpo$Fv?7c36*gBqW28Rnix%5;{K!wWDs<`efSaXZA}d;Y`=oYFCjm zI>DoB`!96TUMDqPkN;WgHhp5qdK4}$6xSGpJm6)>ewc!HeJr*L?@Q=SiJs-Wi+8DF zPO;#x_y@FKzn3-6E({i<&26=w(+IG|>fW2Qd%t4ggu9*GUn)*ulXyUYB;PuKw@ zI-YunG_t0u7&nPeBjNMn`_-d+0}`UfF$t6e7Uoy4GydR4w2&dpgK5^Gy^&uIoc9`O zVo+eJ-_A((mz7_;lvBP)f!doKFisR z`TU~$c^|}lt^&Ca(op~%&;)~$7 zCebZ675&dn?kE0K`Kh-1Wf4C>*MNo778F0=B($^r{Qw@GYwCPJcUEg3V21p_P`}M@ zkn2&8+|hl2795|{e$TXvaN+fFcj-VIQ#KTT)GYjQiIe+?KPgbRh3^BCVi^Aic*e3b zFnb~TXA}xp^_@?6flMF@m>Vu>Sm^^nnPRNPF1_vUrq zI0E0Lzg+6~)$8+l*tw2xpQ@Cnop<0~*7+y>+{v)6X3j3?yzRaue(^R6^K7>3WNf?) 
zU7axYkNU-|uq3hUg&qAL|dw*JccBeeQJw0fTk&lKJ3~4es zSx5fRMnqw644#M8lv!J<*c8cxJeC}$F*;k1tVYa9mJ>Fd3yoJqKRj|h7!XTd5M1ZL z^SQnFFMb&WuP8(SlPclj@?!)V-v#$wt zIq!pB`dH?CZ|wejH!5L_=~i&zeq5*tgo$jN9?B#*0pqVw4YY6mr}-o ze2Z$m>XQ*N?*lr^KYz%1g1JJz-G+|pHNdcZ{iD@7lt=^b&e3WL-{hPIHvTfUMbzph z)*Iv7rhmQm&)MfdE>7|9b~znTSu5X_yjEDKf4x&t>GtP$(DHonP01h5gJya~K~L7) zE%Vh1c&qb)&0Od;o89P$e~nh>lQSuyDHqQSD-rps_4%PGuKWH>{Pc}h_{kT@le5!~ z%35+{(nsqCr>l3FdxMkvyo2$KD73{F9bzBeWf0u=wOxOm*)AwSwL@nNS} ztDPZiOo*5sNReqOU=*X%_*e@Z9cioown&*aY5Rzi1FrWQ`kc1&7n$vRq*Xg#ntg16 zJ>fp2d)(hzWBinp`>8gac(VQdEx?W;ic-Avxc1}UW%lD;t@`mle7@MTF@D^ag-K5$$)?kNvwJC*^`m>Uc-dBIDj z2SXDQhUYc@mkSU>m}a)ngW)-}2^}UaBL5~qKU3Ox>P%&>Tr7b6t(42fad7iovFW1& z4dGA1OQ;`=6lLsQIYGF3kxO@8pD-f(vAfeQJWIZKyY;{$5?3ifuWq3G6kngfpFQSm zaxovmc_Gt2ri=O@B*`X~Bxpu@#)-T%qQII)aUv5HNtNeF{Ud84GXF{Er?)rm$ApMw zvw3c9X>@W1@mWgaC({~`&G-Gc`Uf~MFm;E@jmh2teW8I5vrYlXNnja;ktT9XXTOoDs;-5)A}if zSEY}zc_Sk}4;k?Ci1X&p8F1ZY&Sb=STcq=Tpg-{9#^KS1*@uJ3d7tyF{qt1zJnNvm zV4hicMkW=sd~JJcf5F&#T4oWVO`@+5;w!tt4(UkxYyt@?bR^~90UtVu)Dl4faJRJ< zF{EBHdXvr#=nU8JKNd`HehTftr~9%jI^R9F)p<6BFA(zxXk0G93})FfcgD$0Iwo=g z*r5p%Zs-;vhN#cCSO|R+9hZ-4doIXq&y3xkbiJ^(=uz@)M0sedliPsx{*K;W_=EUk zx8UT?z)#$VNrk;&V1vHXw1M@v>G`Pofjg`&n!yrf)j6*s)6l$4Th!Uymu~D`?o*Mw0}FNmHk@`kGkuZxNltI{x8S=cwn&EiNYkK|zKm-YrStQp(fFzV+383w1)`ms4=BuAd6 zkS*RpjuAxxElW*(eN4W2!IIqjgXr)^t{?2v{&96!22jSWGyGSd!@&ivZ9@EaB1&r? 
zAI}v_W0gFe%lf)?ot3i#z8~Y|bhbZeyCO9rz1M!baAF*X3RALq9mYeNfV$rH*+{iI zj9*H(J92Icy8IzsxA$eP+uPb&x2emhO}!uYk|pl=68Ei3+}}Aa%s|stX0x^bpsxKN zG>Fc_KauVy>(&vgUe2fHe8vliac32T!$HzJk+6c|&gGD;n zJWsh*r2JqYt?R)=F?7X5o!)>ORd@t7;tKT}480@gTrtI&+%DaEfvKx1Hl68@q!nzoF7gjE-_QQQrxz)~KNG%Cod3LOOP{GXAHYZS zpa(W>JbiQDVDH*>8`f=E*E_U%)6lxjTi(t4;?FP~&$Nm%o9Ov94bp`Bf5=QRzIA$T z;Rnz!_fX?WMnwAi3|8f7+KE2{+L)Fe@{cz5zXPvWTx1d@@JpAWL5J)jD9le#w zk#@b4J0WtUJ;TYpi$~gi>NUhB_iz z<@>e`Qxk9UqzY6k>GZ5PYuOusZ&;csHS_K)s-x|8BP@JIW$H4C3b0{01?ibw-&UfU&K;$H>8dwC>ODZhf4lX%v z_V_!_KWKX%$y&cITuj78gEpV!CF3_3KPQP!u{jTc-Qv%*eJ=|;tmb3h(hiIJbz&dG zwO1h}g8SjxawKrw>b<~u(@>frK7toc*bkZg;|utWPxsZC^WsnJdC?E_oJ8~s;al2@ z8`QuXKv_K6@3e>aDkpcD;g{u6$;3R5Ff@ZWz7ZQLHjMjs;<@Bze)O&^LIy=>#lIXi=d<7TGw`J zpd8}l4m70PONM6}csDsB6M!S&*;D#h<&}lunU~f2YTnkC>x+6>W?W^v?$pn$jW=Wb zwbVm(w9W+=+BzcPgXKc(q#5{`{d<{a&hGjtX8dz+SjB+B=B zOA}qkfKki;BS20yAf_EaO*8mK#r6iYnIK#g#U4YiAxIm#peo8{W|bQK|Mux>ILd|I zkSWO!sB2Nb_RERYC_HSStUqLXWAP&y$1$Ft$_R4K3XjM(P#Jyt!&ak3vbb}t2KE7$Ex ztxpf&L}hlYRKRf+=jna$oA{M9NDhg*yPVggUAUj_i$wZ{doIsYlRsYL?Rs>Lcl~2)yl?$rwYPP@BfZPNjr;$$+Pknc=Ut5S%g2uN zdVhb7x9spW-oRmNyx;uWQQlcdr~S)O-kbmRDDSa*R(pL9t@bYd?`ynYE_s#reLVBz z`{ulF5k9=!bN*qu_wFrS-uxL|-a4emzqj05jdbt5%e}3CzS_HH-&Nk1kj{GbD(|=- zuJXSBs=d74yO(=c4XyI7*|^HP<(Mw7_|`7($zdrOeM^`7P4HAu%CbDZ~1q{|OH&bzd6ocF8WEcXsLsmr_R_%83cYR)_7zJKyo zA^qz6|K#2D=s$UvZ&>dAGupTmZ9D||4n}%2(ki5TUf<pk{0*K7PX=bd%fvECrylHcXL*Zl;2i~2nKIQsCK!@Wn) zpHKdx+xrmGKMwBY9rDo?-g6hP@ct2S8Paz@u)^#6>8riZ1NMGwh4)Jj_dm44J91mj z>wS05duZiS?~x;ydP|O2>h-=K5NR1w-ybgZK7Ytk@3GhH>mBo^eZA>F*w_2jr7OHA zPkOcYn|=57zI4e7?+&Dck@mZCh4%o;z76Tk2k+~h19NZ&%b2Ps-c?}yCqO96X7jCUaY3MrcB-5=TI-GcNS z(vcU$?=jy)xVGPgyS&qo`1^8&{2u-M3fIs2lU?3JNYU%3{VB>v@~`c8QTW}z)-Ie! z8FwK42I;tqcX{(j_aN>4(Oup;qzjSmK}suk?~fr5(uGL(Ankn#ej{CoWaqyJ*Y>^? 
z_mS*-7vkDINPGV$+()wSxB7h{p1DV#d*I_3pUY6r<>)J<`A_WfuKF{y4{7v@usR(ATe+6^_X`^SHA0M?^>jrk?uqK5z>=L|AMsNsZV>aMS2rb9;qK`5NQ;tj5LRI zG13)CUqt!_(tktxA<|Efeu4C_NXs@n?Y$1^Fr>F5or?5cqzcl9kUoL*Wu&ho-Gy{N z(xXT}Mfw$zGx)T30McPdF4EhPwjhlmor82C(ltnTApHPo7gE>8r@e!b-hy;AQXkSr zr1v1rAT^NQkMvQbFCu*v={}_Yf%N|&?X&4=?;xbNAiV==6Vh2oWuykug-D-3`XbVo zk-mxaU8MVv9!Gi(X`i8|y%k7rKzbX}TBOZLQ%L6{U4e89()W>mhV-vUU8kYHkoH45 z80j#iHAsJibSlyrNCl*Gkj_W?DAH$?e!q7LgIXw7<<~Io!_N^A}8ZT{Tx+z zT4*ssp25}u@*MUaz(WAf0pwZtPXT!bBs@`JpF+xhd3{{ra|(Y2_!(UP4d5++zrzP# zoqTPqcbk6rn`gzPU+MGsoq3ixCwfy#6Hb9<~Ur@ji;&qbbF zzIeFz5x@(ZZL%efYL9{IxI-d6x`YM%c=(!I?8-AMi)MDp(fUCX*$vEym) z`ZcD`{}tbFJIZ|jpONoxnhUT0ape1D`2L*czc2EApPf&8pFGBtb4uj*f- z@V%(t|99m3>iMU=&+GLq_}=$6lfM!9&UQsV>|?eiJQqtCHA+%zqca8Y*rU0de?Kz6 zy7|oo++iIg+u7LTo+X#TajrTZ`x(-&>btx{K$lmA!6LWz{M*w5dwO6`5A5lIJw33e z2ln*9o*vlK1ABU4PY>+rfjvF2rw8`*z<)>&T=%tos2j1@4GM2pco!fz8hhQX@LoXh zUG}KEGD@tio#*Uajy-g;yxNOyMO8FH(4c zLQmmNg=K|jE8M1Vi^BB^*D5?w;qeNORd}?*)e4VLxKd${!e_o=+VzyepDTPq;r$Bl zRd~0;n-$)u@CJp~DZEzU)e5gv=qWr;;ZB8hg;j-Rg;NR(3eQ$}rosaiE?2lz;jeEq z?Rs9}vkD(o_@Ki372d1xR)se!yiwr|3a?ang~H1eUZU^{8hg=K|P3JVHXD?CEs zp$b`{1-!UGlVuW-4-r3&{_=qSAQR?`nxD7;MJ1q$!SdgHpiTj31~J%#5foKkqU z!Xbql{OkYKtlu*gZd15L;gG@&3fC)KtMEjH$16Nm;n50LD?CEsp$b`{1-!UGlV zuW*IJzruSJ-mUO1 zg?B2vUE!??Z&rAt!W$G`r|?>ZS1Y_y;S~xmQ+SEOixgg<&{KGx!kr513abjs3a1nn z6rQc{OoiJNZc#X-aD&423fC$;QQ`3lk5zcI!qp0oPVmv zr3&{_=qP*v_@4XFuN6M8@L7e=D11uc&lNtQ@NtEYDtuVsg9`6gc(1~{72c)rPKCEC zyj9`N3U5?+gTm_+UaRnGg;y%PLg8f!FHv}r!V4673eQuxQ(;|URbg4z$&|u^5AQVn zcDBMZ6>d|wMd6Ub4GPyQT&wUzg~uyAR^ibKS1UY1;h_pwD(q2skir8M?yqo#!sQB= zD%?wzruSJ-mUO1g?B2vUE!?? 
zZ&rAt!W$G`r|?>ZS1Y_y;S~xmQ+SEOixgg<&{KGx!kr513abjs3a1nn6rQc{OoiJN zZc#X-aD&423fC$;QQ`3lk5zcI!qp0oPVmvr3&{_=qP+a z=k>1@KCkduh0iE_O5x8HKB4e&g^wzHSmA>T?^k%Q!n+mTrSMLLw=29=;mrzfRCt5J z>l9wA@M?uuD!fABWeP7*c#*;j6nYBJQ@B%M-M_BuW2eHp!m7fu!YPH9D7--7(r=k{ zVO8N2 zAkR130GaPby?%qjYZYFp_b*cTxL$u$;e!fq*ZWWD@2kIU=&maPx!+u-zc10>7wB(K zfA7@ab^Tq|-&6YgZ2f(v{@$X$hxGS){k>LyAFscU)!(c2_YwMgrT*^G-v{dN{q^^9 z{k>FwJNo+tZQt{Nq${7*-&?+8eh(?!rtnOK&duijUJ7s3bL3L}yXFQ3QyGQYZX4M*VpUs4GN#v>qGi` zi^6RR&s6wx&3Cr`E-0K*c(vXy>+h<Q7c!k0% z6<)3IT7}msyg}iO3U5|;tHRqA-l_1{TCW!r-lf;?R(P+%`xQQ@@L`3IDtug@e_Ve* zq44JlpHldY!e+rfjvF2rw8`*z@8r1(*v13 G@P7bDb1^jl literal 0 HcmV?d00001 diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb new file mode 100644 index 00000000..f69fc1d1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb 
@@ -0,0 +1,386 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper")) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class 
"com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath 
"/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/private/etc/master.passwd") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${FRONT_USER_HOME}/Library/Logs/OpenGL") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath-prefix "${FRONT_USER_HOME}/Library/Logs/OpenGL") + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + 
(require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm* + (ipc-posix-name-regex #"^stack-logs") + (ipc-posix-name-regex #"^OA-") + (ipc-posix-name-regex #"^/FSM-")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name "apple.shm.notification_center") + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$")) +(allow mach-bootstrap) +(allow 
mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-register + (require-all + 
(extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (literal "/private/var/run/syslog"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal + (target self)) +(allow sysctl-read) +(allow system-privilege) +(allow system-sched + (require-entitlement "com.apple.private.kernel.override-cpumon")) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AGXCompilerService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb new file mode 100644 index 00000000..5637d932 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb 
@@ -0,0 +1,1508 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.mediaserverd.read") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (literal-prefix "${HOME}/Library/SpringBoard")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/Photos") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/Debug") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + 
(extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/PhotoStreamsData")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/Memories") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + 
(extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read"))) +(allow file-link + (require-all + (require-not (subpath-prefix "${HOME}/Library/AddressBook")) + (require-any + (require-not (subpath-prefix "${HOME}/Media")) + (require-entitlement "platform-application")))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdSheetPad.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileSMS.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${HOME}/Library/SpringBoard") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/URLCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-shm") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdSheetPhone.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.adtracking.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AdSheetPhone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad.LocationPermissions") + (literal-prefix "${HOME}/Library/Cookies") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad.adlibd") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AdSheetPad") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.reminders.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath "/Developer") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.springboard.sharedimagecache/Wallpaper") + (require-all + (regex #"^/private/var/mobile/Library/SpringBoard/Lock.+" #"^/private/var/mobile/Library/SpringBoard/.+Lock.+" #"^/private/var/mobile/Library/SpringBoard/Home.+" #"^/private/var/mobile/Library/SpringBoard/.+Home.+" #"^/private/var/euser[0-9]+/Library/SpringBoard/((.*Lock|Home)|.+Home).+") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + 
(require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (literal 
"/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${HOME}/Library/Cookies") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal 
"/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension 
"com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad/.+$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPhone/(?|.+)$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetP(ad|hone)/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (subpath "/System/Library/Carrier Bundles")) + (require-not (subpath-prefix "${HOME}/Library/Carrier Bundles")) + (require-any + (literal "/private/var/preferences/com.apple.security.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]AdSheet(Pad|Phone).plist") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath-prefix "${HOME}/Media/Debug") + (literal-prefix 
"${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (subpath "/Library/Ringtones") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Media/Safari") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Media/Purchases") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix "${HOME}/Library/WebClips") + (subpath-prefix "${HOME}/Media/Memories") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]AdSheetPad[.]plist" 
#"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]AdSheetPad-.+[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]AdSheetPhone-.*[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]AdSheetP(ad|hone)-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPad[.]savedState/" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPhone[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]AdSheetP(ad|hone)[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPad[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPad[.]settings/" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPhone[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPhone[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]AdSheetP(ad|hone)[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]AdSheetP(ad|hone)[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad$" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE))))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad$" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + 
(require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-read-metadata + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Media/Memories") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/ISURLBag") + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (literal-prefix "${HOME}/Media") + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage") + (literal "/private/var/run/syslog") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library") + (literal "/private/var/run/printd") + (literal-prefix "${HOME}/Library/Caches/Snapshots") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}/Library/Saved Application State") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices") + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Mobile Documents") + (require-all + (vnode-type 
DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPad[.]savedState" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPhone[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]AdSheetP(ad|hone)[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/ISURLBag"))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application 
State/com[.]apple[.]AdSheetPad[.]savedState" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPhone[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]AdSheetP(ad|hone)[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage"))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) +(allow file-write* + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/URLCache") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-journal") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdSheetPad.plist") + (literal-prefix "${HOME}/Library/SpringBoard") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-shm") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AdSheetPhone") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.AdSheetPhone.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad.LocationPermissions") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad.adlibd") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AdSheetPad") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iad") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.reminders.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/kCFPreferencesAnyApplication.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.springboard.sharedimagecache/Wallpaper") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/SpringBoard/Lock.+" #"^/private/var/mobile/Library/SpringBoard/.+Lock.+" #"^/private/var/mobile/Library/SpringBoard/Home.+" #"^/private/var/mobile/Library/SpringBoard/.+Home.+" #"^/private/var/euser[0-9]+/Library/SpringBoard/((.*Lock|Home)|.+Home).+") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + 
(literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]AdSheet(Pad|Phone).plist") + (subpath-prefix "${HOME}/Media/Memories") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (extension "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Library/WebClips") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (subpath-prefix "${HOME}/Media/Safari") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad/" 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPad[.]savedState/" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPhone[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]AdSheetP(ad|hone)[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/Databases")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/LocalStorage")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetPhone$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AdSheetP(ad|hone)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPad/.+$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetPhone/(?|.+)$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]AdSheetP(ad|hone)/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPad[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPad[.]settings/" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPhone[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]AdSheetPhone[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]AdSheetP(ad|hone)[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]AdSheetP(ad|hone)[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension 
"com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/ISURLBag"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPad[.]savedState" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]AdSheetPhone[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]AdSheetP(ad|hone)[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + 
(vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage")))))))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Cookies/com.apple.iAd.cookiedb") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/WebKit/LocalStorage/StorageTracker.db") + (literal "/dev/aes_0") + (literal-prefix "${HOME}/Library/WebKit/Databases/Databases.db") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + 
(iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name-regex #"^Apple MIDI in [0-9]+$" #"^Apple MIDI out [0-9]+$") + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]") + (ipc-posix-name "apple.shm.notification_center")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name-regex #"^Apple MIDI in [0-9]+$" #"^Apple MIDI out [0-9]+$")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.chatkit.clientcomposeserver.xpc") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.medialibraryd.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.coreduetd.batterysaver") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobilemail") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name 
"com.apple.iTunesStore.daemon.deatchwatch") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "ScripterServer") + (global-name "com.apple.iTunesStore.daemon-notifications") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "PurplePPTServer") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.iTunesStore.daemon") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.coremedia.audiodeviceclock") + (global-name "com.apple.lsd.openurl") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilemail.services.xpc") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.lsd") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.calaccessd") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.GSSCred") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.passd.assertions") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.nanoprefsync") + (global-name 
"com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.fig.movie") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name-regex #"^com[.]apple[.]iad[.]") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.xpcd") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.WebBookmarks.webbookmarksd") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.webinspector") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.nehelper") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.NPKCompanionAgent.library") + (global-name "com.apple.TextInput") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.mobile.deleted") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.aggregated") + (global-name "com.apple.TextInput.rdt") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name 
"com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.gmmd.cookie") + (global-name "com.apple.accountsd.oauthsigner") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.mobilemail.messageuiservices") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.TextInput.shortcuts") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.bird.token") + (global-name "com.apple.twitterd.server") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.imagent.embedded.auth") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.eventpump") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.geod") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.ait.client") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.voiceservices.keepalive") + (global-name "com.apple.cvmsServ") + (local-name "com.apple.iphone.axserver") + (global-name "com.apple.cache_delete") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.dataaccess.dataaccessd") + (global-name "com.apple.cfprefsd.daemon") + (global-name 
"com.apple.safarifetcherd") + (global-name "com.apple.revisiond") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.companion.camera") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.passd.in-app-payment") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.webfilterd") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.dataaccess.dataaccessd.active") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.vibrationmanagerd") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.passd.library") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.assertiond.extension") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.coremedia.cameraviewfinder") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callstatecontroller") + 
(global-name "com.apple.imagent.Embedded.Launched") + (global-name "com.apple.bird") + (global-name "com.apple.sharingd") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + 
(global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-register + (local-name "com.apple.accessibility.gax.client") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (local-name "com.apple.iphone.axserver") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not 
(regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (remote tcp "*:*") + (literal "/private/var/run/printd") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.adtracking") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.CoreMotion") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.homesharing") + (preference-domain 
"com.apple.CoreDuet") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.MobileSMS") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.reminders") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.AdSheetPad") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.AdSheetPhone") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.WebKit") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.reminders") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.AdSheetPad") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.AdSheetPhone") + (preference-domain "com.apple.mediaaccessibility.public")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-fsctl + (fsctl-command (_IO "h" 31)) + (fsctl-command (_IO "h" 32))) +(allow system-info + (info-type "net.link.addr")) +(allow system-privilege) +(allow system-socket + (socket-domain AF_ROUTE) + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 2))) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AdSheet.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb new file mode 100644 index 00000000..cab1d102 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb 
@@ -0,0 +1,135 @@ +(version 1) +(allow default) +(deny file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/[.]com[.]apple[.]") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]")))) +(deny file-mount) +(deny file-mount-update) +(deny file-read* + (regex #"^/private/var/containers/Data/System/[^/]+/[.]com[.]apple[.]") + (require-all + (require-not (subpath "/Developer")) + (require-not (extension "com.apple.security.exception.files.absolute-path.read-write")) + (require-not (extension "com.apple.security.exception.files.home-relative-path.read-write")) + (require-not (extension "com.apple.security.exception.files.absolute-path.read-only")) + (require-not (extension "com.apple.security.exception.files.home-relative-path.read-only")) + (require-not (extension "com.apple.sandbox.executable")) + (require-not (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")) + (require-not (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")) + (require-not (subpath "/System/Library")) + (require-not (subpath "/usr/lib")) + (require-not (subpath "/usr/share")) + (require-not (subpath "/private/var/db/timezone")) + (require-any + (literal "/private/etc/master.passwd") + (literal "/private/var") + (literal "/private/var/root") + (require-all + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist")) + (require-not (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")) + (require-not (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+")) + (require-not (subpath "/private/var/tmp")) + (require-not (literal "/private/var/preferences/com.apple.security.plist")) + (require-not (literal "/private/var/preferences/com.apple.NetworkStatistics.plist")) + (require-not (literal "/private/var/preferences/com.apple.networkd.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb")) + (require-not (literal-prefix 
"${HOME}/Media/iTunes_Control/iTunes")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist")) + (require-any + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (require-not (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")) + (require-not (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")) + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")) + (require-not (literal "/dev/ptmx")) + (require-not (literal "/dev/aes_0")) + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-not (literal "/dev/dtracehelper")) + (require-not (literal "/dev/null")) + (require-not (literal "/dev/zero")) + (require-any + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]")) + (require-entitlement "com.apple.security.system-group-containers") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]"))))))))) +(deny file-unmount) +(deny file-write* + (regex #"^/private/var/containers/Data/System/[^/]+/[.]com[.]apple[.]") + (require-all + (require-not (extension "com.apple.security.exception.files.absolute-path.read-write")) 
+ (require-not (extension "com.apple.security.exception.files.home-relative-path.read-write")) + (require-any + (literal "/private/etc/master.passwd") + (literal "/private/var") + (literal "/private/var/root") + (require-all + (require-not (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+")) + (require-not (subpath "/private/var/tmp")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")) + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal")) + (require-any + (require-not (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")) + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-not (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/[.]com[.]apple[.]")))))))) +(deny file-write-create + (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) +(deny file-write-data + (require-all + (require-not (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb")) + (require-not (literal "/dev/ptmx")) + (require-not (literal "/dev/aes_0")) + (require-any + (literal "/dev/random") + (literal "/dev/urandom")))) +(deny job-creation) +(deny network-outbound + (regex 
#"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb.xml new file mode 100644 index 00000000..04fe0dbd --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/AirTraffic.sb.xml @@ -0,0 +1,24 @@ + + + + + + + + + +]> + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb new file mode 100644 index 00000000..2af0a633 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb 
@@ -0,0 +1,654 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/uart.log") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper")) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + 
(extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sandbox.pty") + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container"))) +(allow file-link + (require-not (subpath-prefix "${HOME}/Library/AddressBook"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.BTServer.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (subpath "/private/var/wireless/Library/Logs/awd") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.debug.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.services.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.devices.plist") + (subpath-prefix "${HOME}/Library/Logs/Bluetooth") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.ledevices.plist") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-wal") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal 
"/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath "/Developer") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal "/private/var/wireless/Library/CallHistory/call_history.db") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-shm") + (literal "/private/var/wireless/Library/CallHistory") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath-prefix "${HOME}/Library/MobileBluetooth") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.BTServer.airplane.plist") + (literal "/dev/uart.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/Library/Application Support/BTServer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.TelephonyUtilities.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (extension "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/dev/aes_0") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + 
(require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + 
(literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-data + (literal "/dev/btwake") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (subpath "/System") + (literal "/usr/sbin/BTServer") + (literal "/usr/sbin") + (literal "/private/var/preferences/SystemConfiguration/preferences.plist")) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal 
"/private/var/wireless") + (literal "/usr/sbin/BTServer") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal "/usr/sbin") + (literal "/private/var") + (literal "/Library/Preferences") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/wireless/Library") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/Library/Application Support/BTServer/pincode_defaults.db-journal") + (subpath-prefix "${HOME}/Library/MobileBluetooth") + (literal "/Library/Application Support/BTServer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.devices.plist") + (literal "/Library/Application Support/BTServer/pincode_defaults.db-shm") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-journal") + (literal "/Library/Application 
Support/BTServer/pincode_defaults.db-wal") + (subpath-prefix "${HOME}/Library/Logs/Bluetooth") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.BTServer.plist") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/hci") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-wal") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/private/var/wireless/Library/CallHistory") + (subpath "/private/var/wireless/Library/Logs/awd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.services.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.debug.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileBluetooth.ledevices.plist") + (literal "/private/var/wireless/Library/CallHistory/call_history.db") + (literal "/private/var/wireless/Library/CallHistory/call_history.db-shm") + (literal "/Library/Application Support/BTServer/pincode_defaults.db") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.BTServer.airplane.plist") + (require-all + (vnode-type DIRECTORY) + (literal "/Library/Application Support/BTServer")) + (require-all + (extension "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/wireless/Library/CallHistory"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/uart.log") + (literal "/Library/Application Support/BTServer/pincode_defaults.db") + (literal "/private/var/wireless/Library/CallHistory/call_history.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleBasebandUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "IOHIDResourceDeviceUserClient") + (iokit-user-client-class "IOUserEthernetResourceUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm* + (ipc-posix-name-regex #"^stack-logs") + (ipc-posix-name-regex #"^OA-") + (ipc-posix-name "shm_notif.tacl.R") + (ipc-posix-name "shm_pcm_audio_sco_write") + (ipc-posix-name-regex #"^..:..:..:..:..:..-tacl$") + (ipc-posix-name "shm_notif.tacl.W") + (ipc-posix-name "shm_notif.tsco.R") + (ipc-posix-name "shm_pcm_audio_sco_read") + (ipc-posix-name "shm_notif.tsco.W") + (ipc-posix-name-regex #"^/FSM-") + (ipc-posix-name "com.apple.BTServer.magnet.shm")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name "apple.shm.notification_center") + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.BlueTool") + (global-name "com.apple.nesessionmanager") + (global-name 
"com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.marco") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.symptomsd") + (global-name "com.apple.GSSCred") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.springboard.services") + (global-name "com.apple.BTServer.avrcp") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.BTServer.map") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.MobileInternetSharing") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name 
"com.apple.containermanagerd") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.BTAudioHALPlugin.xpc") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.networkd") + (global-name "com.apple.WirelessCoexManager") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.carkit.service") + (global-name "com.apple.system.logger") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.imagent.embedded.auth") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.geod") + (global-name "com.apple.awdd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.lsd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.BTServer.le") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.BTServer.pbap") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name 
"com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callstatecontroller") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-inbound) +(allow network-bind) +(allow network-outbound + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + 
(preference-domain "com.apple.ids") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.icloud.findmydeviced") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.MobileBluetooth.debug") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.MobileBluetooth.ledevices") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.TelephonyUtilities") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.BTServer.airplane") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.BTServer") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.MobileBluetooth.devices") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.MobileBluetooth.services") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.BTServer.airplane") + (preference-domain "com.apple.MobileBluetooth.devices") + (preference-domain "com.apple.MobileBluetooth.ledevices") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.BTServer") + (preference-domain "com.apple.MobileBluetooth.debug") + 
(preference-domain "com.apple.MobileBluetooth.services")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb.xml new file mode 100644 index 00000000..ab808c0e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BTServer.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb new file mode 100644 index 00000000..bdae9659 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb 
@@ -0,0 +1,399 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (literal "/dev/ptmx") + (literal "/usr/sbin") + (regex #"^/dev/bt$" #"^/dev/bt.+$") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/etc/bluetool") + (subpath "/AppleInternal") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + 
(debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-data + (literal "/dev/btreset") + (literal "/dev/btwake")) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/dev/bt$" #"^/dev/bt.+$") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "AppleBasebandUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name 
"com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + 
(global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow 
pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/BlueTool.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb new file mode 100644 index 00000000..c93080c3 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb 
@@ -0,0 +1,173 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CFNetworkAgent.sb.xml 
@@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb new file mode 100644 index 00000000..9b1f6ff2 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb 
@@ -0,0 +1,235 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/usr/bin/codesign_allocate") + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.app-sandbox.read-write") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) 
+ (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.app-sandbox.read-write") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + 
(global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name-regex #"^com[.]apple[.]cvmsCompAgent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-exec* + (subpath "/System/Library/Frameworks/OpenGLES.framework") + (subpath "/usr/bin/codesign_allocate")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow 
process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CVMServer.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb new file mode 100644 index 00000000..5131a445 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb 
@@ -0,0 +1,436 @@ +(version 1) +(deny default) +(allow file-ioctl + (subpath "/private/var/wireless") + (regex #"^/dev/dlci[.]spi-baseband[.]") + (regex #"^/dev/bbcdc[.]") + (literal "/dev/uart.debug.log") + (literal "/dev/uart.umts") + (literal "/dev/cu.debug") + (literal "/dev/ptmx") + (literal "/dev/uart.debug") + (literal "/dev/mux.log") + (literal "/dev/mux.spi-baseband") + (literal "/dev/uart.log") + (literal "/dev/dtracehelper") + (literal "/dev/aes_0")) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath "/private/var/wireless/Library/Caches/com.apple.coretelephony") + (extension-class "com.apple.nsurlstorage.extension-cache")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath "/private/var/wireless/Library/Caches/CommCenterClassic") + (extension-class "com.apple.nsurlstorage.extension-cache")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileSMS.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/logs/WirelessLibraryLogs") + (subpath-prefix "${FRONT_USER_HOME}/Library/LASD") + (regex #"^/dev/bbcdc[.]") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.commcenter.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/mux.spi-baseband") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/dev/dlci[.]spi-baseband[.]") + (literal "/dev/uart.debug") + (literal-prefix "${FRONT_USER_HOME}/Library/SyncedPreferences/com.apple.coretelephony.plist") + (literal "/dev/ptmx") + (literal "/dev/cu.debug") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.apsalerts.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.operator.plist") + (literal "/dev/uart.debug.log") + (regex #"^/private/var/containers/Data/System/[^/]+/" 
#"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.tethering_override.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videoconference_override.plist") + (regex #"^/private/var/tmp/CSI[.]scratch") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal "/private/var/preferences/AeneasCustomFlags.plist") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal "/dev/uart.umts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cellulardataplan.plist") + (literal "/dev/mux.log") + (literal "/dev/uart.log") + (literal "/dev/dtracehelper") + (subpath-prefix "${FRONT_USER_HOME}/Library/Carrier Bundles") + (literal "/dev") + (literal "/dev/random") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iqagent.plist") + (literal "/dev/null") + (literal 
"/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/CommCenter" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/CommCenter" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/CommCenter") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/CallHistory/call_history[.]db$" #"^/private/var/mobile/Library/Voicemail/voicemail[.]db$" #"^/private/var/euser[0-9]+/Library/(CallHistory/call_history|Voicemail/voicemail)[.]db$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]coretelephony" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]coretelephony" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]coretelephony") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-not (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/preferences/SystemConfiguration/preferences.plist-lock") + (literal "/private/var/CommCenter/spool/loading") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/uart.log") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath "/private/var/logs/WirelessLibraryLogs") + (literal "/dev/mux.log") + (regex #"^/dev/bbcdc[.]") + (regex #"^/private/var/logs/CoreTelephonyTrace$" #"^/private/var/logs/CoreTelephonyTrace/log-bb-$" #"^/private/var/logs/CoreTelephonyTrace/log-bb-.+$") + (literal "/dev/cu.debug") + (regex #"^/private/var/tmp/CSI[.]scratch") + (literal "/private/var/logs/CoreTelephonyTraceScratch") + (regex #"^/private/var/preferences/csidata$" #"^/private/var/preferences/csidata[.]tmp$") + (literal "/private/var/logs/log-bb-live-stats.txt") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal "/private/var/preferences/AeneasCustomFlags.plist") + (literal "/dev/mux.spi-baseband") + (literal "/dev/uart.umts") + (literal "/dev/uart.debug.log") + (regex #"^/dev/dlci[.]spi-baseband[.]") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/wireless") + (literal 
"/dev/uart.debug") + (regex #"^/private/var/preferences/SystemConfiguration/OSThermalStatus[.]plist$" #"^/private/var/preferences/SystemConfiguration/OSThermalStatus[.]plist-lock$" #"^/private/var/preferences/SystemConfiguration/OSThermalStatus[.]plist-new$") + (subpath "/private/var/tmp") + (regex #"^/private/var/logs/CrashReporter/Baseband/log-bb-$" #"^/private/var/logs/CrashReporter/Baseband/log-bb-.+$") + (subpath-prefix "${FRONT_USER_HOME}/Library/LASD") + (require-all + (regex #"^/private/var/mobile/Library/CallHistory/call_history[.]db$" #"^/private/var/mobile/Library/Voicemail/voicemail[.]db$" #"^/private/var/euser[0-9]+/Library/(CallHistory/call_history|Voicemail/voicemail)[.]db$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/CommCenter" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/CommCenter" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/CommCenter") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]coretelephony" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]coretelephony" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]coretelephony") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.commcenter.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-owner + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.commcenter.plist")) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow mach-register + (global-name "com.apple.CommCenter.lasd") + (global-name-regex 
#"^com[.]apple[.]CoreTelephony[.]LogChannel[.]$" #"^com[.]apple[.]CoreTelephony[.]LogChannel[.][-0-9A-F]+$") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (local ip "*:*") + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 1))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.apsalerts") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.MobileSMS") + (preference-domain "com.apple.iqagent") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.operator") + (preference-domain "com.apple.tethering_override") + (preference-domain "com.apple.carrier") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.videoconference_override") + (preference-domain "com.apple.commcenter") + (preference-domain "com.apple.cellulardataplan") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket + (socket-domain AF_ROUTE) + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 2)) + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 1))) 
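Review bot: The reference locks in several operations with no filter at all — `(allow mach-lookup)`, `(allow iokit-open)`, `(allow iokit-set-properties)`, `(allow file-link)`, `(allow file-map-executable)` and `(allow system-privilege)` at the tail of the hunk — while `mach-register`, `file-read*` and `file-write*` in the same profile are tightly filtered, so if this file is the decompiler's own output used as a regression oracle, a future bug that silently drops the filter on an operation would emit the same bare allow and still pass. The duplicated `(regex #"^/private/var/containers/Data/System/[^/]+/")` entries under `file-issue-extension` near the top of the hunk suggest the file is raw tool output rather than a hand-vetted profile, so nothing in the tree records which of these wide allows are genuinely expected for CommCenter on 13E237 and which would be a decompilation error. I would add a short provenance note next to the fixture (tool and version, the sandbox.kext input, and that the unfiltered `mach-lookup`/`iokit-open` are expected), kept in the test harness or a README rather than as a `;` comment inside the .sb, since a comment would presumably break a byte-for-byte comparison. This is inferred from the commit layout; if the harness already cross-checks these profiles against an independent source, disregard.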
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb.xml new file mode 100644 index 00000000..f81f602e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/CommCenter.sb.xml @@ -0,0 +1,44 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb new file mode 100644 index 00000000..377d218a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb 
@@ -0,0 +1,860 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/com.apple.WebAppCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + 
(extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/Photos") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath-prefix "${HOME}/Media/Debug") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/PhotoStreamsData")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all 
+ (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Media/Memories") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension 
"com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Library/Caches/WebClips") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-link + (require-not (subpath-prefix "${HOME}/Media")) + (require-entitlement "platform-application")) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtube.dp.plist") + (subpath-prefix "${HOME}/Media/Debug") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal-prefix "${HOME}/Library/Preferences/.dat") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/Library/Dictionaries") + (subpath-prefix "${HOME}/Library/Caches/com.apple.WebAppCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath "/AppleInternal/Library/Safari") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal-prefix "${HOME}/Media/com.apple.itdbprep.postprocess.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${HOME}/Library/Caches/Snapshots/com.apple.webapp-") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataActivation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (extension "com.apple.sandbox.executable") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (subpath-prefix "${HOME}/Library/Dictionaries") + (subpath-prefix "${HOME}/Library/Caches/Safari") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]DataActivation.plist") + (subpath "/Applications/DataActivation.app") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilesafari.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/Snapshots/com.apple.webapp") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + 
(subpath-prefix "${HOME}/Media/Memories") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/Developer") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (subpath "/Library/Ringtones") + (subpath-prefix "${HOME}/Library/Safari") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (subpath "/Applications/MobileSafari.app") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (subpath "/usr/share") + (literal "/private/var/preferences/SystemConfiguration/com.apple.mobilegestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (subpath-prefix "${HOME}/Library/WebKit") + 
(literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (subpath-prefix "${HOME}/Media/Safari") + (extension "com.apple.app-sandbox.read") + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]DataActivation[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]DataActivation[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]DataActivation[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]DataActivation[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Application 
Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]DataActivation[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]DataActivation-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]DataActivation-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex 
#"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]DataActivation[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application 
State/com[.]apple[.]DataActivation[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilemail.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.OTASyncAgent.plist")) + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/WebKit") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Safari") + (literal-prefix "${HOME}/Library/Caches/Snapshots/com.apple.webapp-") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilesafari.plist") + (literal-prefix "${HOME}/Library/Preferences/.dat") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${HOME}/Media/com.apple.itdbprep.postprocess.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtube.dp.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.WebAppCache") + (subpath-prefix "${HOME}/Library/Caches/Safari") + (subpath "/private/var/tmp/MediaCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataActivation.plist") + (subpath-prefix "${HOME}/Library/Caches/Snapshots/com.apple.webapp") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/WebClips") + (subpath-prefix "${HOME}/Media/Safari") + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Memories") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (subpath-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]DataActivation.plist") + (subpath-prefix "${HOME}/Media/DCIM") + (subpath-prefix 
"${HOME}/Library/Caches/com.apple.keyboards") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (require-all + (require-not (subpath-prefix "${HOME}/Media")) + (require-not (literal-prefix "${HOME}/Library/Mail/AutoFetchEnabled")) + (require-any + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]DataActivation[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]DataActivation[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]DataActivation$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]DataActivation[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]DataActivation[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]DataActivation[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]DataActivation[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]DataActivation$") + 
(subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]DataActivation[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]DataActivation[.]savedState") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + 
(require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/asl_input") + (remote tcp "*:*") + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (literal "/private/var/run/printd") + (control-name 
"com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.DataActivation") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.mobilesafari") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.youtube.dp") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.WebKit") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.youtubeframework") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.mobilecal") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain 
"com.apple.assistant.support") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Preferences") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.DataActivation") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.youtube.dp") + (preference-domain "com.apple.mobilesafari") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.mediaaccessibility.public")) +(allow process-exec* + (literal "/Applications/MobileSafari.app/MobileSafari") + (literal "/Applications/DataActivation.app/DataActivation")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow 
process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb.xml new file mode 100644 index 00000000..31b4e67c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/DataActivation.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb new file mode 100644 index 00000000..2e35458f --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb 
@@ -0,0 +1,238 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudServices") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudServices") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type 
CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + 
(global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) 
+(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/EscrowSecurityAlert.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb new file mode 100644 index 00000000..973cfd18 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb 
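Review bot: The `file-read*` rule of this profile contains `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") ...))`, and a vnode cannot be both a block and a character device, so as written that clause can never match and the `/private/etc/hosts`, `/private/etc/passwd`, `/` and CoreDuet entries it guards are dead; the same shape reappears under `file-write*` around `interactionC.db-journal`. If this file is the decompiler's own output checked in as the expected result, the golden file freezes what looks like a lost negation (a `require-not` on the device vnode-types would be the usual reading) instead of validating it, so I would confirm the clause against an independent decompilation of the same `sandbox.kext` before accepting it, and record in the test which tool version produced the reference. The companion `.sb.xml` hunk on this line shows no element content in this view, which is worth checking in case the XML fixture was stripped.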
@@ -0,0 +1,305 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.IDSCredentialsAgent.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") 
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.IDSCredentialsAgent.plist") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + 
(require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.marco") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.system.logger") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name 
"com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + 
(global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote tcp "*:*") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.ids.IDSCredentialsAgent") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.ids.IDSCredentialsAgent")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSCredentialsAgent.sb.xml 
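Review bot: Several filters in this reference are emitted twice — `(require-all (extension "com.apple.sandbox.system-container") (require-entitlement "com.apple.security.system-container"))` appears twice under `file-read*`, and the `com.apple.sandbox.system-group` block is emitted once with the `[^/]+/` regex alone and again with the `[^/]+/` / `[^/]+$` pair — so the expected text depends on the decompiler's traversal order rather than on the policy's meaning. A golden file like this will churn on any ordering or dedup change in the tool, and the resulting diff will not tell a reviewer whether the decoded policy actually changed; I would normalise the reference (sort and dedupe sibling filters, or compare parsed rule sets instead of text) so the test fails only on a real policy difference. As in the neighbouring profiles, the `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` clauses under `file-read*` and `file-write*` are unsatisfiable as written, which looks like a dropped negation in the decompiler and should be checked against an independent decompilation before being fixed as expected output.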
@@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb new file mode 100644 index 00000000..237fc874 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb 
@@ -0,0 +1,495 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (literal "/dev/random") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.idsfoundation.IDSRemoteURLConnectionAgent.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/private/var") + (subpath "/usr/lib") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex 
#"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal 
"/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + 
(literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.idsfoundation.IDSRemoteURLConnectionAgent.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]idsfoundation[.]IDSRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension 
"com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.marco") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.apsd") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.system.logger") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + 
(global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.idsremoteurlconnectionagent.embedded.auth") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (extension 
"com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.idsfoundation.IDSRemoteURLConnectionAgent") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.facetime.bag") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.imessage.bag") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.facetime.bag") + (preference-domain "com.apple.idsfoundation.IDSRemoteURLConnectionAgent") + (preference-domain "com.apple.imessage.bag")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null 
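Review bot: The reference profile contains a filter that can never match, `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") …))` under `file-read*`, and the same BLOCK-DEVICE/CHARACTER-DEVICE conjunction recurs under `file-write*` around the CoreDuet `interactionC.db-journal` rule; a vnode has exactly one type, so a require-all of two types is unsatisfiable, and this looks more like the decompiler's rendering of a negated or any-of node than the original rule. Committing it unchanged as the expected output freezes that rendering into the test oracle, so a later correction to the decompiler would turn this test red rather than green. The hunk also repeats several sub-filters verbatim, e.g. `(regex #"^/private/var/containers/Data/System/[^/]+/")` twice under `file-issue-extension` and whole system-group `require-all` groups, which is worth either normalizing or recording as a known artefact before the file serves as a reference. A one-line note in the test that consumes this fixture, or a leading `; decompiler reference output, not the authoritative profile: known artefacts are unsatisfiable vnode-type conjunctions and duplicated filters` in the file itself if the comparison is not byte-exact, would tell the next maintainer what this fixture actually asserts.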
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IDSRemoteURLConnectionAgent.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb new file mode 100644 index 00000000..f018d1e1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb 
@@ -0,0 +1,305 @@ +(version 1) +(deny default) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${HOME}/Library/PPTDevice") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imdsmsrecordstore.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/SMSMigrator") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + (subpath-prefix "${HOME}/Library/Caches/com.apple.MobileSMS") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/AddressBook") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + 
(subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/SMSMigrator") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Caches/com.apple.MobileSMS") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imdsmsrecordstore.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/AddressBook") + (subpath-prefix "${HOME}/Library/SMS") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension 
"com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + 
(iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.lsd.open") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.search.appindexer") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.searchd") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.xpcd") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name 
"com.apple.aggregated") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.imdsmsrecordstore") + (preference-domain "com.apple.message") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.DataMigration") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain 
"com.apple.imdsmsrecordstore") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMDPersistenceAgent.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb new file mode 100644 index 00000000..8f38c475 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb 
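Review bot: The new IMDPersistenceAgent.sb reference encodes an unsatisfiable filter in both `file-read*` and `file-write*`: `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` can never match, since a vnode has exactly one type, yet the `file-write-data` rule in the same hunk shows negated terms are emitted as `(require-not (literal "/dev/random"))`, so the block/character clause looks like a negation that was decoded without its `require-not`. If these fixtures were produced by the tool under test (it reads that way, though the commit message does not say), the test pins a probably mis-decoded rule as expected output, and a later fix to the decoder would fail the test instead of passing it. Worth checking those two clauses against the original compiled profile before adopting them as references, or at minimum noting in the test that the references are regression snapshots of current output rather than verified ground truth. The same pattern recurs in the IMRemoteURLConnectionAgent.sb hunk that follows.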
@@ -0,0 +1,493 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class 
"com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-IMRemoteURLConnectionAgent.log") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal 
"/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (subpath "/System/Library") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imfoundation.IMRemoteURLConnectionAgent.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/IMRemoteURLConnectionAgent" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/IMRemoteURLConnectionAgent" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/IMRemoteURLConnectionAgent") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix 
"${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imfoundation.IMRemoteURLConnectionAgent.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Logs/awd/awd-IMRemoteURLConnectionAgent.log") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/IMRemoteURLConnectionAgent" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/IMRemoteURLConnectionAgent" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/IMRemoteURLConnectionAgent") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]imfoundation[.]IMRemoteURLConnectionAgent$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name 
"com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.marco") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.apsd") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.system.logger") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name 
"com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.awdd") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged"))) +(allow nvram*) +(allow nvram-delete) +(allow 
nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.imfoundation.IMRemoteURLConnectionAgent") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.imfoundation.IMRemoteURLConnectionAgent")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMRemoteURLConnectionAgent.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb new file mode 100644 index 00000000..b1c4ca76 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb 
@@ -0,0 +1,617 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (subpath "/private/var/tmp") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + 
(extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write")))) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileSMS.plist") + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imtranscoding.IMTranscoderAgent.plist") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mms_override.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal "/dev/random") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + 
(require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Media") + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension 
"com.apple.tcc.kTCCServicePhotos"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imtranscoding.IMTranscoderAgent.plist") + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all 
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.system.logger") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.pegasus") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.marco") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name 
"com.apple.coremedia.videocompositor") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.fig.movie") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ctkd.token-client") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.xpcd") + (global-name "com.apple.coremedia.mutablecomposition") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension 
"com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.MobileSMS") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.mms_override") + (preference-domain "com.apple.imtranscoding.IMTranscoderAgent") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.marco") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.imtranscoding.IMTranscoderAgent")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow 
process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/IMTranscoderAgent.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb new file mode 100644 index 00000000..d4b30c58 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb 
@@ -0,0 +1,1260 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/random") + (literal "/dev/urandom") + (literal "/dev/dtracehelper") + (literal "/dev/ptmx") + (literal "/dev/aes_0")) +(allow file-issue-extension + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/Debug") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/Photos") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/PhotoStreamsData")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + 
(require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Caches/AppleTV")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class 
"com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Media/Memories") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) 
+ (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Library/Caches/AppleTV") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath "/Applications") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.apsd.launchd") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.storebookkeeper.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath-prefix "${HOME}/Library/MediaStream") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.celestial.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${HOME}/Library/Logs") + (subpath-prefix "${HOME}/Library/Application Support/Front Row") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Updates") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CrashReporter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-shm") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appletvservices.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (subpath-prefix "${HOME}/Media/Radio") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (subpath-prefix "${HOME}/Media/Debug") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-journal") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences-sounds.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.soundpref.plist") + (extension "com.apple.sandbox.executable") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.Radio") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iqagent.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.airplay.plist") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Documents/var/nrd") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/") + (literal "/private/var/preferences/SystemConfiguration/preferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + 
(subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Logs/Ubiquity") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.datetime.plist") + (subpath "/private/var/logs/CrashReporter") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.frontrow.") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix "${HOME}/Media/Memories") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + 
(subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.LaunchServices.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-AppleTV.log") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (subpath "/AppleInternal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (subpath-prefix "${HOME}/Library/Caches/AppleTV") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-wal") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (subpath-prefix "${HOME}/Media/iTunes_Control") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]lowtide.plist") + (subpath "/private/var/MobileSoftwareUpdate") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ConfigServer.plist") + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix 
"${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]lowtide[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]lowtide-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]lowtide-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide$" 
#"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/.+$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) 
+ (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]lowtide" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]lowtide" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]lowtide") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]lowtide[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]lowtide[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]lowtide[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]lowtide[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal 
"/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all 
+ (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath 
"/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/com.apple.Radio") + (subpath-prefix "${HOME}/Media/Radio") + (literal "/private/var/db/timezone/localtime") + (literal-prefix "${HOME}/Library/Preferences/com.apple.apsd.launchd") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (subpath-prefix "${HOME}/Library/MediaStream") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/private/var/tmp/MediaControlServer.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.datetime.plist") + (literal-prefix "${HOME}/Library/Logs") + (subpath "/private/var/tmp/AirTunes") + (subpath-prefix "${HOME}/Library/Application Support/Front Row") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.storebookkeeper.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.airplay.plist") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-shm") + (subpath-prefix "${HOME}/Library/Logs/Ubiquity") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appletvservices.plist") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences-sounds.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.soundpref.plist") + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iqagent.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (subpath-prefix "${HOME}/Documents/var/nrd") + (literal-prefix "${HOME}/Library/Application Support") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.celestial.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal "/Library/Application Support/Front Row") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb") + (literal-prefix "${HOME}/Library/Preferences/com.apple.frontrow.") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iLifeSlideshow") + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb-wal") + (literal-prefix "${HOME}/Library/Logs/awd/awd-AppleTV.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/kCFPreferencesAnyApplication.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (subpath-prefix "${HOME}/Library/Caches/AppleTV") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CrashReporter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath "/private/var/MobileSoftwareUpdate") + (require-all + (require-not (literal-prefix 
"${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix-regex 
"${HOME}/Library/Preferences/com[.]apple[.]lowtide.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/.+$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]lowtide/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]lowtide" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]lowtide" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]lowtide") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]lowtide[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]lowtide[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]lowtide[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]lowtide[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + 
(regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]lowtide$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]lowtide$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies")))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (literal-prefix "${HOME}/Documents") + (literal-prefix "${HOME}/Documents/var") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]lowtide[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/ISURLBag"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (literal-prefix 
"${HOME}/Library/com.apple.iTunesStore/LocalStorage"))))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Logs/ADDataStore.sqlitedb") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-flags + (literal-prefix "${HOME}/Media")) +(allow file-write-mode + (literal-prefix "${HOME}/Media") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (subpath-prefix "${HOME}/Updates") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAVAudioInterfaceUserClient") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IODPDisplayInterfaceUserClient") + (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient") + 
(iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "IOAVControllerUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "IODPDeviceUserClient") + (iokit-user-client-class "IOAVServiceUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "IODPAudioInterfaceUserClient") + (iokit-user-client-class "ASPUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAVDeviceUserClient") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IODPServiceUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAVVideoInterfaceUserClient") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IODPControllerUserClient") + (iokit-user-client-class "AppleNANDFTLUserClient")) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.absinthed") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.medialibraryd.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.server.bluetooth.le.pipe.xpc") + (global-name "com.apple.TextInput.shortcuts") + (global-name 
"com.apple.fairplayd.versioned") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.iTunesStore.daemon.deatchwatch") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.coremedia.formatreaderloader") + (global-name "com.apple.atvitunescloudd.xpc") + (global-name "ScripterServer") + (global-name "com.apple.absd") + (global-name "com.apple.backboard.checkin") + (global-name "com.apple.iTunesStore.daemon-notifications") + (global-name "com.apple.trustd") + (global-name "com.apple.coremedia.wirelessdisplay") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "PurplePPTServer") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.mobile.obliteration") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.iTunesStore.daemon") + (global-name "com.apple.fig.movie") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.coremedia.formatreader") + (global-name "com.apple.TextInput.rdt") + (global-name "com.apple.uikit.GestureServer") + (local-name "com.apple.coremedia.customurlhandler") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.frontrow.tracerouteix") + (global-name "com.apple.containermanagerd") + (global-name 
"com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.symptomsd") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.coremedia.videoqueue") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.CrashCopy.OTA") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.backboard.workspaceserverconnection") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coresymbolicationd") + (global-name "com.apple.TextInput") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name 
"com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.apsd") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.networkd") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.fairplayd") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.wirelessproxd") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.adid") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.bird.token") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.backboard.system-app-server") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.tzlink") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.coremedia.cpe") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.voiceservices.keepalive") + (global-name "com.apple.cvmsServ") + (global-name 
"com.apple.backboard.applicationdatastore.service") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.securityd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.webinspector") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.aggregated.addaily") + (global-name "com.apple.timed.xpc") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.mobile.softwareupdated") + (global-name "com.apple.coreservices.appleid.authentication") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.marco") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.corercd") + (global-name "com.apple.assertiond.processinfoservice") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + 
(global-name "com.apple.coremedia.remaker") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.sharingd") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-register + (global-name "com.apple.SBUserNotification") + (local-name "com.apple.accessibility.gax.client") + (global-name "com.apple.airplay.xpc") + (global-name "com.apple.frontboard.watchdogserver") + (global-name "PurpleSystemAppPort") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name-regex #"^com[.]apple[.]appletv$" 
#"^com[.]apple[.]appletv[.]" #"^com[.]apple[.]lowtide$" #"^com[.]apple[.]lowtide[.]") + (local-name "com.apple.iphone.axserver") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow mach-task-name) +(allow network-inbound) +(allow network-bind) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/tmp/hidmonitordsocket") + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/syslog") + (remote udp "*:*") + (literal "/private/var/run/mDNSResponder") + (remote tcp "*:*") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.soundpref") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.assistant.support") + (preference-domain 
"com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.appletvservices") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.celestial") + (preference-domain "com.apple.voiceservices") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.CrashReporter") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.preferences.datetime") + (preference-domain "com.apple.preferences-sounds") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.storebookkeeper") + (preference-domain "com.apple.LaunchServices") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.ConfigServer") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.iqagent") + (preference-domain "com.apple.airplay") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain 
"com.apple.itunesstored") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "com.apple.MobileAsset") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.soundpref") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.appletvservices") + (preference-domain "com.apple.celestial") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.preferences-sounds") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.preferences.datetime") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.storebookkeeper") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.CrashReporter") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.iqagent") + (preference-domain "com.apple.airplay") + (preference-domain "com.apple.itunesstored") + (preference-domain "kCFPreferencesAnyApplication")) +(allow process-exec* + (subpath "/Applications/AppleTV.app")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-fsctl) 
+(allow system-info + (info-type "hw.uuid")) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb.xml new file mode 100644 index 00000000..c27b7817 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/Lowtide.sb.xml @@ -0,0 +1,45 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb new file mode 100644 index 00000000..671670c6 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb 
@@ -0,0 +1,186 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (extension "com.apple.sandbox.executable") + (literal "/private/etc/master.passwd") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Logs/Metal") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${FRONT_USER_HOME}/Library/Logs/Metal") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MTLCompilerService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb new file mode 100644 index 00000000..3ca0de6a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb 
@@ -0,0 +1,1171 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class 
"com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension 
"com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write")))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (subpath-prefix 
"${HOME}/Library/WebKit") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]MailCompositionService.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath "/AppleInternal/Library/Frameworks") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + 
(subpath-prefix "${HOME}/Media/Safari") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Media") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") 
+ (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mail.composition.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal "/private/var/preferences/com.apple.networkd.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (subpath "/Library/Ringtones") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilemail.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (extension "com.apple.app-sandbox.read") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]MailCompositionService[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application 
State/com[.]apple[.]MailCompositionService[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]MailCompositionService[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]MailCompositionService[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]MailCompositionService[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]MailCompositionService[.]settings/") + (subpath-prefix 
"${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (subpath 
"/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]MailCompositionService[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]MailCompositionService-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]MailCompositionService-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/FairPlay") + (literal "/usr/sbin/fairplayd") + (subpath-prefix "${HOME}/Media") + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement 
"com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mail.composition.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]MailCompositionService.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Library/WebClips") + (subpath "/private/var/tmp") + (literal-prefix 
"${HOME}/Library/Keyboard/LocalDictionary") + (subpath-prefix "${HOME}/Media/Safari") + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]MailCompositionService[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]MailCompositionService[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]MailCompositionService[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]MailCompositionService[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/LocalStorage")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]MailCompositionService[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]MailCompositionService[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService-" 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/Databases")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MailCompositionService$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + 
(require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]MailCompositionService[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]MailCompositionService[.]savedState") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/WebKit/Databases/Databases.db") + (literal-prefix "${HOME}/Library/WebKit/LocalStorage/StorageTracker.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) 
+(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.suggestd.suggestionmanager") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]dataaccess[.]dataaccessd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.imagent.embedded.auth") + (global-name "ScripterServer") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.fig.movie") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name 
"com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilemail.services.xpc") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.xpcd") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.webfilterd") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.itunescloudd.xpc") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.webinspector") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name 
"com.apple.itunesstored.xpc") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.TextInput") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.aggregated") + (global-name "com.apple.TextInput.rdt") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.springboard") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.TextInput.shortcuts") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.bird.token") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.coreduetd") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name 
"com.apple.dictationd.recognition") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.securityd") + (global-name "com.apple.voiceservices.keepalive") + (local-name "com.apple.iphone.axserver") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.mediastream.sharing") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.safarifetcherd") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.networkd") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.GSSCred") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.bulletinboard.utilitiesconnection") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.vibrationmanagerd") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + 
(global-name "com.apple.assertiond.extension") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.WebBookmarks.webbookmarksd") + (global-name "com.apple.sharingd") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + 
(require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/printd") + (remote tcp "*:*") + (literal "/private/var/run/lockdown.sock") + (control-name "com.apple.netsrc") + (literal "/private/var/run/syslog")))) +(allow 
nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.mobilemail") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.mail.composition") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.suggestions") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.CoreMotion") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.message") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.PeoplePicker") + 
(preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.bulletinboard") + (preference-domain "com.apple.WebKit") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.corevideo") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain 
"com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.mail.composition") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb.xml new file mode 100644 index 00000000..c3c699a4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MailCompositionService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb new file mode 100644 index 00000000..5d50517e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb @@ -0,0 +1,9 @@ +(version 1) +(allow default) +(deny file-read* + (subpath "/private/var/run/mobile_image_mounter")) +(deny file-write-unlink + (literal "/private") + (literal "/private/var") + (literal "/private/var/run")) +(deny job-creation) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb.xml new file mode 100644 index 00000000..c2485d32 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileBackup.sb.xml @@ -0,0 +1,21 @@ + + + + + + + + + +]> + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb new file mode 100644 index 00000000..41ba8802 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb 
@@ -0,0 +1,875 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix 
"${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class 
"com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.TelephonyUtilities.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (extension 
"com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath "/AppleInternal/Library/Frameworks") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.calendardiagnostics.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.timezones.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Logs/Calendar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (subpath-prefix "${HOME}/Library/Calendar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.eventkit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (subpath-prefix "${HOME}/Library/Logs/Handoff") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (subpath "/private/var/tmp") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]mobilecal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (subpath "/Library/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]mobilecal[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]mobilecal[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]mobilecal[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]mobilecal[.]settings/") + 
(subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]mobilecal[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]mobilecal-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]mobilecal-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/FairPlay") + (literal "/usr/sbin/fairplayd") + (subpath-prefix "${HOME}/Media") + (require-any + (literal "/dev/random") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal 
"/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}"))))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.timezones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.plist") + (subpath-prefix "${HOME}/Library/Logs/Handoff") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.calendardiagnostics.plist") + (subpath-prefix "${HOME}/Library/Logs/Calendar") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Calendar") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (subpath "/private/var/tmp") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]mobilecal.plist") + (extension "com.apple.app-sandbox.read-write") + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension 
"com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]mobilecal[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]mobilecal[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]mobilecal[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]mobilecal[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobilecal$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mobilecal$") + (subpath-prefix "${HOME}")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix 
"${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]mobilecal[.]savedState") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileipod") + (preference-domain 
"com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.mobilecal.timezones") + (preference-domain "com.apple.calendardiagnostics") + (preference-domain "com.apple.suggestions") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.eventkit") + (preference-domain "com.apple.message") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.SpeakSelection") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.mobilecal") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.TelephonyUtilities") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + 
(preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.calendardiagnostics") + (preference-domain "com.apple.Preferences") + (preference-domain 
"com.apple.mobilecal.timezones") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mobilecal") + (preference-domain "com.apple.mediaaccessibility.public")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb.xml new file mode 100644 index 00000000..31b4e67c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileCal.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb new file mode 100644 index 00000000..9551d3a9 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb 
@@ -0,0 +1,970 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") 
+ (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class 
"com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath-prefix "${HOME}/Library/Maps") + (subpath-prefix "${HOME}/Library/Caches/Maps") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (literal-prefix 
"${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Maps.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.weather.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapsSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/preferences/SystemConfiguration/com.apple.wifi.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (regex 
#"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.internal.Voltaire.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mms_override.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath "/AppleInternal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.skyhookwireless.wps.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (regex #"^/private/var/containers/Bundle/[^/]+/[-0-9A-Z]+/GeoJSON") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (subpath "/Applications/Maps.app") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal-prefix 
"${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]Maps.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${HOME}/Library/Cookies") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (subpath "/Library/Ringtones") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]Maps[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]Maps-.+[.]plist" 
#"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]Maps-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]Maps[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]Maps[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") 
+ (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + 
(regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/.+$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]Maps[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]Maps[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]Maps[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]Maps[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix 
"${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal "/dev/random") + (literal "/dev/urandom") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/ptmx") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" 
#"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]Maps" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]Maps" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]Maps") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + 
(literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-data + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (subpath-prefix "${HOME}/Library/Maps") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.internal.Voltaire.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.skyhookwireless.wps.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.Maps.plist") + (subpath-prefix "${HOME}/Library/Caches/Maps") + (regex #"^/private/var/containers/Bundle/[^/]+/[-0-9A-Z]+/GeoJSON") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/network-constraints.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]Maps.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath "/private/var/tmp") + (literal-prefix 
"${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]Maps[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]Maps[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]Maps[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]Maps[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/$" #"^/private/var/mobile/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/.+$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.iTunesStore/ISURLBag/com[.]apple[.]Maps/(?|.+)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]Maps[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]Maps[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]Maps$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies")))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]Maps" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]Maps" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]Maps") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (require-not (literal-prefix 
"${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/com.apple.iTunesStore/ISURLBag"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]Maps[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]Maps[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage"))))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))))) +(allow file-write-data + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal 
"/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.internal.Voltaire") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.MapsSupport") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.weather") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain 
"com.apple.iapd") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.mobileipod") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.voiceservices") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.da") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.GMM") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.mms_override") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.Maps") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain 
"com.apple.conference") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.skyhookwireless.wps") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Maps") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.internal.Voltaire") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.GMM") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.skyhookwireless.wps") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.itunesstored")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow 
system-socket + (socket-domain 39) + (socket-domain AF_ROUTE) + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 2))) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb.xml new file mode 100644 index 00000000..31b4e67c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileMaps.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb new file mode 100644 index 00000000..b21aeb1a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb 
@@ -0,0 +1,1154 @@ +(version 1) +(deny default) +(allow file-issue-extension + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (subpath "/private/var/tmp")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath "/private/var/tmp")) + (require-all + (subpath-prefix "${HOME}/Media/Debug") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + 
(require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/Photos") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class 
"com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/PhotoStreamsData")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media/Memories") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (require-any + 
(extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class 
"com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (literal-prefix "${HOME}/Library/SpringBoard")) + (require-all + (subpath-prefix 
"${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos"))))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.legacycamera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Logs/MobileSlideShow.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (subpath-prefix "${HOME}/Library/Application Support/MobileSlideShow") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.act.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.airplay.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (subpath-prefix "${HOME}/Library/Application Support/iLifePageLayout") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (subpath "/usr/lib") + (literal "/AppleInternal/Library/Preferences/com.apple.airplay.dashboard.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanocamera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal-prefix "${HOME}/Library/Logs/awd/awd-Camera.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Artwork") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ImageCaptureFramework.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cloud.quota.plist") + (subpath-prefix "${HOME}/Library/SMS") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videouploadplugins.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileSMS.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (subpath-prefix "${HOME}/Library/Siri") + (literal-prefix "${HOME}/Library/Logs/awd/awdComponent0x19.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${HOME}/Library/Logs/awd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilemail.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Photos") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.notbackedup.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/db/timezone") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.springboard.sharedimagecache/Wallpaper") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (literal-prefix "${HOME}/Library/SpringBoard") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaanalysis.plist") + (literal-prefix 
"${HOME}/Library/Logs/awd/awd-MobileSlideShow.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (extension "com.apple.sandbox.executable") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mms_override.plist") + (subpath-prefix "${HOME}/Library/Caches/Snapshots/com.apple.camera") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudPhotoLibrary.aslgroup") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.compass.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.legacycamera") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ConfigServer.plist") + (require-all + (regex #"^/private/var/mobile/Library/SpringBoard/Lock.+" #"^/private/var/mobile/Library/SpringBoard/.+Lock.+" #"^/private/var/mobile/Library/SpringBoard/Home.+" #"^/private/var/mobile/Library/SpringBoard/.+Home.+" #"^/private/var/euser[0-9]+/Library/SpringBoard/((.*Lock|Home)|.+Home).+") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + 
(regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (subpath "/Library/Dictionaries") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (subpath-prefix 
"${HOME}/Library/Caches/com.apple.IconsCache") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + 
(subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath 
"/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (require-not (subpath "/System/Library/Carrier Bundles")) + (require-not (subpath-prefix "${HOME}/Library/Carrier Bundles")) + (require-any + (literal "/private/var/preferences/com.apple.security.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath-prefix "${HOME}/Media/Debug") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (subpath "/Library/Ringtones") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath-prefix 
"${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.](mobileslideshow|camera).plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Media/Safari") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (subpath-prefix "${HOME}/Media/Purchases") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix 
"${HOME}/Library/WebClips") + (subpath-prefix "${HOME}/Media/Memories") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix 
"${HOME}/Media")) + (require-any + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal "/dev/random") + (literal "/dev/urandom") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/ptmx") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (require-not (regex #"^/private/var/mobile/Containers/$" #"^/private/var/mobile/Containers/.+$" #"^/private/var/euser[0-9]+/Containers/.*$")) + (require-not (subpath "/private/var/containers")) + (require-not (regex #"^/private/var/mobile/Library/" #"^/private/var/euser[0-9]+/Library/"))) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" 
#"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobileslideshow[.]savedState/" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]camera[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.](mobileslideshow|camera)[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]mobileslideshow[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]mobileslideshow[.]settings/" #"^/private/var/mobile/Documents/com[.]apple[.]camera[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]camera[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.](mobileslideshow|camera)[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.](mobileslideshow|camera)[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow-" 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]mobileslideshow[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]mobileslideshow-.+[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]camera-.*[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.](mobileslideshow|camera)-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")))))) + (require-all + (debug-mode) + (regex #"^/private/var/mobile/Media/Pano_[0-9]" #"^/private/var/euser[0-9]+/Media/Pano_[0-9]") + (subpath-prefix 
"${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-read-metadata) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) +(allow file-write* + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Application Support/MobileSlideShow") + (literal-prefix "${HOME}/Library/Logs/awd/awdComponent0x19.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Library/SpringBoard") + (literal-prefix "${HOME}/Library/Logs/MobileSlideShow.log") + (literal-prefix "${HOME}/Library/Logs/awd/awd-MobileSlideShow.log") + (subpath-prefix "${HOME}/Library/Siri") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Photos") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${HOME}/Library/Logs/awd/awd-Camera.log") + (subpath-prefix "${HOME}/Library/Application Support/iLifePageLayout") + (subpath-prefix "${HOME}/Library/SMS") + (subpath-prefix "${HOME}/Library/Caches/Snapshots/com.apple.camera") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudPhotoLibrary.aslgroup") + (subpath-prefix "${HOME}/Library/Caches/com.apple.legacycamera") + (subpath-prefix "${HOME}/Library/Caches/com.apple.springboard.sharedimagecache/Wallpaper") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/SpringBoard/Lock.+" 
#"^/private/var/mobile/Library/SpringBoard/.+Lock.+" #"^/private/var/mobile/Library/SpringBoard/Home.+" #"^/private/var/mobile/Library/SpringBoard/.+Home.+" #"^/private/var/euser[0-9]+/Library/SpringBoard/((.*Lock|Home)|.+Home).+") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/Camera-latest.log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/Camera-latest.log") + (subpath-prefix "${HOME}")) + (require-all + (debug-mode) + (regex #"^/private/var/mobile/Media/Pano_[0-9]" #"^/private/var/euser[0-9]+/Media/Pano_[0-9]") + (subpath-prefix "${HOME}")) + (require-all + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.mobileipod.plist" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.mobileipod.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanocamera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/kCFPreferencesAnyApplication.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videouploadplugins.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.legacycamera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.notbackedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + 
(literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cloud.quota.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Photos") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (subpath-prefix "${HOME}/Media/DCIM") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.](mobileslideshow|camera).plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (subpath-prefix "${HOME}/Media/Safari") + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobileslideshow[.]savedState/" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]camera[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.](mobileslideshow|camera)[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/LocalStorage")) + (require-all + (vnode-type REGULAR-FILE) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]mobileslideshow[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]mobileslideshow[.]settings/" #"^/private/var/mobile/Documents/com[.]apple[.]camera[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]camera[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.](mobileslideshow|camera)[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.](mobileslideshow|camera)[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]mobileslideshow$" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]camera$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.](mobileslideshow|camera)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/Databases")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-write-create + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix 
"${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]mobileslideshow[.]savedState" #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]camera[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.](mobileslideshow|camera)[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudPhotoLibrary.aslgroup")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Siri")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")))) +(allow file-write-data + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/WebKit/Databases/Databases.db") + (literal-prefix "${HOME}/Library/WebKit/LocalStorage/StorageTracker.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not 
(literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (subpath "/private/var/mnt") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.ConfigServer") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.MobileSMS") + (preference-domain "com.apple.da") + (preference-domain "com.apple.mobilemail") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.InputModePreferences") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain 
"com.apple.itunesstored") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.videouploadplugins") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.assistant.logging") + (preference-domain "com.apple.youtubeframework") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.act") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.airplay") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.accountsd") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.cloud.quota") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.WebKit") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.GMM") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.voiceservices") + 
(preference-domain "com.apple.UIKit") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.youtubeframework.notbackedup") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.ImageCaptureFramework") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.legacycamera") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.imessage.bag") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.compass") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mediaanalysis") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.mms_override") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.nanocamera") + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension 
"com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.legacycamera") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.videouploadplugins") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.nanocamera") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.youtubeframework.notbackedup") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.cloud.quota")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb.xml new file mode 100644 index 00000000..5885e3b4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/MobileSlideShow.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb new file mode 100644 index 00000000..4054433c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb 
@@ -0,0 +1,178 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (require-not (literal "/dev/random")) + (subpath "/Developer") + (require-not (literal "/dev/urandom")) + (require-not (literal "/dev/ptmx")) + (require-not (regex #"^/private/var/containers/Data/System/[^/]+/")) + (subpath "/System/Library") + (require-not (literal "/dev/aes_0")) + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIKit.pboard") + (require-not (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")) + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (require-not (literal "/dev/null")) + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (require-not (literal "/dev/zero")) + (subpath "/usr/lib") + (require-not (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")) + (require-not (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")) + (subpath "/usr/share") + (require-not (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")) + (subpath "/private/var/db/timezone") + (require-not (literal "/dev/dtracehelper")) + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")) + (require-entitlement "com.apple.security.system-groups") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (require-not (extension "com.apple.sandbox.pty"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")) + (require-entitlement "com.apple.security.system-groups") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + 
(require-not (subpath-prefix "${FRONT_USER_HOME}"))) + (require-all + (vnode-type TTY) + (require-not (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIKit.pboard") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal 
"/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow ipc-posix-shm*) +(allow ipc-posix-shm-read*) +(allow ipc-posix-shm-read-data) +(allow ipc-posix-shm-read-metadata) +(allow ipc-posix-shm-write*) +(allow ipc-posix-shm-write-create) +(allow ipc-posix-shm-write-data) +(allow ipc-posix-shm-write-unlink) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-exec* + (literal "/System/Library/Frameworks/UIKit.framework/Support/pasteboardd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
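Review bot: Several rules in this PasteBoard.sb reference profile look semantically wrong, and because the commit adds it as an expected test output they will be pinned as correct: in the `(allow file-read* ...)` block the entries `(require-not (literal "/dev/random"))`, `(require-not (literal "/dev/urandom"))` and the other top-level `require-not` filters sit as siblings of the positive filters, and since sibling filters under an operation combine with require-any semantics the operation effectively permits reading any path that is not one of the excluded literals. Likewise the `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` rule under `file-write*` can never match, since a vnode has exactly one type. Both patterns read like decompiler artifacts of negated or deny rules rather than Apple's intended policy, so I would confirm the rendering against the original `sandbox.kext` input before committing it as golden output, or at minimum prefix the file with something like `; reverse-engineered from sandbox.kext (iPhone5,1 9.3/13E237); decompiler output, not an authoritative policy statement` so nobody cites it as the real sandbox. Note also that `mach-lookup`, `iokit-open` and `system-privilege` are allowed with no filter at all, which may be genuine for this daemon but deserves the same check.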
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb.xml new file mode 100644 index 00000000..4162129c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/PasteBoard.sb.xml @@ -0,0 +1,51 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb new file mode 100644 index 00000000..877e74ef --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb 
@@ -0,0 +1,192 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (literal "/private/var/db/icu") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.Safari.SafeBrowsing") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension 
"com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath "/System") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix 
"${FRONT_USER_HOME}/Library/Caches/com.apple.Safari.SafeBrowsing") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) 
+(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/SafariSafeBrowsing.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb new file mode 100644 index 00000000..b7c8ef3d --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb 
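Review bot: This reference profile freezes a filter that no vnode can satisfy — `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") …` under `file-read*`, repeated under `file-write*` — so if it is the test's expected output it will lock in what is more likely a mis-decoded operator in the reversing step than the semantics of the real profile. ScreenshotService.sb and StreamingUnzipService.sb in this patch carry the same conjunction, and the `require-any` under `com.apple.sandbox.system-group` lists the identical `(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")` twice, which points the same way. A short header or README next to `references/rev_profiles/` stating how these files were produced (tool, version, the input kext) and whether any were checked by hand would let a reader tell a regression baseline from verified ground truth.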
@@ -0,0 +1,195 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + 
(global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex 
#".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ScreenshotService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb new file mode 100644 index 00000000..bfcb1089 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb 
@@ -0,0 +1,201 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.StreamingUnzipService.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/private/etc/master.passwd") + (extension "com.apple.StreamingUnzipService") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.StreamingUnzipService") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.StreamingUnzipService.plist") + (subpath "/private/var/tmp") + (require-all + (vnode-type 
BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension 
"com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.StreamingUnzipService") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.StreamingUnzipService")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/StreamingUnzipService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb new file mode 100644 index 00000000..b27ec1b1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb 
@@ -0,0 +1,1118 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + 
(extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet$") + (subpath-prefix 
"${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + 
(extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.WebAppCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.mobilemail.plist$" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.mobilemail.plist$")) + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist$" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.accountsettings.plist$")) + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.OTASyncAgent.plist$" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.OTASyncAgent.plist$")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebSheet.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (subpath "/Library/Dictionaries") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + 
(extension "com.apple.odr-assets")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (require-not (subpath "/System/Library/Carrier Bundles")) + (require-not (subpath-prefix "${HOME}/Library/Carrier Bundles")) + (require-any + (literal "/private/var/preferences/com.apple.security.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath "/Library/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]WebSheet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath-prefix "${HOME}/Media/Safari") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]WebSheet[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]WebSheet[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]WebSheet[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]WebSheet[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]WebSheet[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]WebSheet-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]WebSheet-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex 
#"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/FairPlay") + (literal "/usr/sbin/fairplayd") + (subpath-prefix "${HOME}/Media") + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix 
"${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))))) +(allow file-read-metadata) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.WebAppCache") + (require-all + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist$" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.accountsettings.plist$")) + (require-not (regex #"^/private/var/mobile/Library/Mail/AutoFetchEnabled$" #"^/private/var/euser[0-9]+/Library/Mail/AutoFetchEnabled$")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebSheet.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]WebSheet.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (subpath-prefix "${HOME}/Library/WebClips") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (subpath-prefix "${HOME}/Media/Safari") + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]WebSheet[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]WebSheet[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]WebSheet[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]WebSheet[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/Databases")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]WebSheet$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/LocalStorage")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging"))))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type 
DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]WebSheet[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/WebKit/Databases/Databases.db") + (literal-prefix "${HOME}/Library/WebKit/LocalStorage/StorageTracker.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + 
(iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.mobilemail") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.mobilesafari-settings") + (global-name "com.apple.marco") + (global-name "ScripterServer") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.networking.captivenetworksupport") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.librariand") + (global-name "com.apple.fig.movie") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name 
"com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.webfilterd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.managedconfiguration.profiled") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.cookied") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.mobilemail.services.xpc") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.webinspector") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.nehelper") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.diagnosticd") + (global-name 
"com.apple.containermanagerd") + (global-name "com.apple.TextInput") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.aggregated") + (global-name "com.apple.TextInput.rdt") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.certui.relay") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.mobilemail.messageuiservices") + (global-name "com.apple.TextInput.shortcuts") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.bird.token") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.eventpump") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.securityd") + (global-name 
"com.apple.voiceservices.keepalive") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.safarifetcherd") + (global-name "com.apple.revisiond") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.networkd") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.GSSCred") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.vibrationmanagerd") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.assertiond.extension") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.WebBookmarks.webbookmarksd") + (global-name "com.apple.sharingd") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + (global-name 
"com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement 
"com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.mt") + (preference-domain 
"com.apple.corevideo") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.WebSheet") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.CoreMotion") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.da") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.WebKit") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain 
"kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.WebSheet") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.mediaaccessibility.public")) +(allow process-exec* + (literal "/Applications/WebSheet.app/WebSheet")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb.xml new file mode 100644 index 00000000..c3c699a4 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/WebSheet.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb new file mode 100644 index 00000000..122443c2 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb 
@@ -0,0 +1,202 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + 
(require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain 
"com.apple.iapd") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.iapd")) +(allow process-exec* + (literal "/usr/sbin/accessoryd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb.xml new file mode 100644 index 00000000..7f2c4ab6 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/accessoryd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb new file mode 100644 index 00000000..50b45630 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb 
@@ -0,0 +1,416 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.afc.root") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (require-all + (require-not (subpath "/usr/libexec/Contents")) + (require-any + (literal "/AFCDEBUG") + (literal "/usr/libexec") + (literal "/dev/random") + (literal 
"/dev/urandom") + (literal "/dev/ptmx") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/Library/Preferences/SystemConfiguration/com.apple.afc.DeviceInfo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.afc.plist") + (literal "/usr/libexec/afcd") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (extension "com.apple.afc.root") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/Library/Preferences") + (literal "/Library/Preferences/SystemConfiguration") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (vnode-type SYMLINK) + (literal "/private/var") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private") + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.receive")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.afc.root") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]afc$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name 
"com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.xpchelper") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.lockdown.host_watcher") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (regex #"^/private/var/run/lockdown/checkin") + (literal 
"/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.afc") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/afcd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb new file mode 100644 index 00000000..c53cb0ac --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb 
@@ -0,0 +1,433 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") 
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.StreamingUnzipService") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (subpath "/System/Library") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Logs/AppConduit") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (subpath "/private/var/db/MobileIdentityData") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath-prefix "${HOME}/Library/AppConduit") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (subpath "/Developer") + (subpath "/private/var/containers/Bundle/Application") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath-prefix 
"${HOME}/Library/Logs/AirTraffic") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]appconduitd[.]gizmostate" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]companionappd" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]sockpuppet[.]activeComplications" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]appconduitd[.]gizmostate" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]companionappd" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]sockpuppet[.]activeComplications") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all 
+ (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nano-complications$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nano-complications$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Logs/AppConduit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging") + (subpath-prefix "${HOME}/Library/AppConduit") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/Logs/AirTraffic") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]appconduitd[.]gizmostate" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]companionappd" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]sockpuppet[.]activeComplications" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]appconduitd[.]gizmostate" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]companionappd" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]sockpuppet[.]activeComplications") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type 
REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.atc.xpc") + (global-name "com.apple.aggregated") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.misagent") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.lsd.open") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name 
"com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.cache_delete") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.marco") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb.xml
new file mode 100644
index 00000000..defba171
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/appconduitd.sb.xml
@@ -0,0 +1,40 @@
+ + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb
new file mode 100644
index 00000000..1d73ed57
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb
@@ -0,0 +1,381 @@
+(version 1)
+(deny default)
+(allow file-issue-extension
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.nsurlstorage.extension-cache")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath-prefix "${HOME}/Library/Cookies"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension "com.apple.sandbox.executable")
+ (extension-class "com.apple.nsurlsessiond.readonly"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container")))
+(allow file-link)
+(allow file-map-executable)
+(allow file-read*
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+ (literal "/dev/urandom")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (regex #"^/System/Library/CoreServices/SystemVersion$" #"^/System/Library/CoreServices/SystemVersion.+$")
+ (literal "/dev/zero")
+ (subpath "/private/etc")
+ (literal "/dev/ptmx")
+ (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicEffectiveUserSettings.plist")
+ (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$")
+ (subpath "/System/Library")
+ (subpath-prefix "${HOME}/Library/ApplePushService")
+ (subpath "/private/var/Keychains")
+ (subpath "/private/var/preferences")
+ (subpath "/private/var/db/timezone")
+ (subpath-prefix "${HOME}/Library/Managed Preferences")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (literal "/dev/aes_0")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")
+ (subpath-prefix "${HOME}/Library/Preferences")
+ (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$")
+ (literal "/Library/Keychains")
+ (literal "/Library/Managed Preferences/mobile")
+ (subpath "/Developer")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist")
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (literal "/Library/Preferences")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (subpath-prefix "${HOME}/Library/Cookies")
+ (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay")
+ (subpath "/usr")
+ (subpath "/private/var/tmp")
+ (literal "/dev/random")
+ (subpath-prefix "${HOME}/Library/Logs")
+ (literal "/dev/dtracehelper")
+ (extension "com.apple.sandbox.executable")
+ (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection")
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (subpath "/private/var/Managed Preferences/mobile")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (literal "/dev/null")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (subpath "/private/var/MobileAsset")
+ (extension "com.apple.assets.read"))
+ (require-all
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (subpath-prefix "${HOME}/XcodeBuiltProducts")
+ (debug-mode))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (require-any
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/group")
+ (literal "/private/etc/passwd")
+ (literal "/")
+ (literal "/private/etc/protocols")
+ (literal "/private/etc/services")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (vnode-type DIRECTORY)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (subpath-prefix "${HOME}/Library/Assets")
+ (extension "com.apple.assets.read"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicEffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicEffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicEffectiveUserSettings.plist$")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))
+(allow file-read-metadata)
+(allow file-write*
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection")
+ (subpath-prefix "${HOME}/Library/Logs")
+ (subpath-prefix "${HOME}/Library/ApplePushService")
+ (subpath-prefix "${HOME}/Library/Preferences")
+ (subpath "/private/var/tmp")
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (vnode-type DIRECTORY)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]apsd$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))
+(allow file-write-create
+ (require-all
+ (vnode-type DIRECTORY)
+ (literal-prefix "${HOME}/Library/Caches"))
+ (require-all
+ (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_"))
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send")))
+(allow file-write-data
+ (literal "/dev/ptmx")
+ (literal "/dev/aes_0")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (require-not (literal "/dev/random"))
+ (require-not (literal "/dev/urandom"))
+ (require-any
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")))
+(allow file-write-mode
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty")))
+(allow file-write-unlink
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive")))
+(allow iokit-open)
+(allow iokit-set-properties)
+(allow iokit-get-properties)
+(allow mach-bootstrap)
+(allow mach-cross-domain-lookup)
+(allow mach-lookup)
+(allow network-inbound
+ (subpath "/"))
+(allow nvram*)
+(allow nvram-delete)
+(allow nvram-get)
+(allow nvram-set)
+(allow user-preference-read
+ (extension "com.apple.security.exception.shared-preference.read-write")
+ (extension "com.apple.security.exception.shared-preference.read-only")
+ (preference-domain "com.apple.MobileAsset")
+ (preference-domain "com.apple.carrier")
+ (preference-domain "com.apple.WebFoundation")
+ (preference-domain "kCFPreferencesAnyApplication")
+ (require-all
+ (preference-domain "com.apple.bulletinboard")
+ (require-entitlement "com.apple.bulletinboard.dataprovider")))
+(allow process-exec*
+ (literal "/System/Library/PrivateFrameworks/ApplePushService.framework/apsd"))
+(allow process-info*)
+(allow process-info-listpids)
+(allow process-info-pidinfo)
+(allow process-info-pidfdinfo)
+(allow process-info-pidfileportinfo)
+(allow process-info-setcontrol)
+(allow process-info-dirtycontrol)
+(allow process-info-rusage)
+(allow pseudo-tty)
+(allow sysctl-read)
+(allow system-privilege)
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb.xml
new file mode 100644
index 00000000..f81f602e
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/apsd.sb.xml
@@ -0,0 +1,44 @@
+ + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb
new file mode 100644
index 00000000..81c89a6a
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb
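Review bot: The apsd.sb reference contains entries that look like artifacts of the reverse step rather than validated policy, so this golden file pins whatever the decoder currently emits instead of a known-good profile: the first two filters under `(allow file-issue-extension` are the identical `(regex #"^/private/var/containers/Data/System/[^/]+/")`, and the pair `(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")` under `file-write-mode` is redundant because the first pattern already matches everything the second does. Unless these duplicates are the intended output, the test will lock them in and a later change that deduplicates or simplifies filter lists will fail the comparison while a regression that preserves them will pass. Consider normalizing both sides before comparing (sort and deduplicate each filter list), or documenting in the test harness that the references are verbatim captures of the current decoder output and not hand-verified policy. The same duplicate pattern is visible in the appconduitd.sb and assertiond.sb references, whose hunks start or end outside this view.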
@@ -0,0 +1,241 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (literal "/dev/random") + (subpath "/Applications") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/usr/libexec") + (literal "/dev/dtracehelper") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assertiond.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + 
(subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assertiond.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + 
(require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.lsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name 
"com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-task-name) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.assertiond") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.assertiond")) +(allow process-info*) +(allow 
process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl* + (sysctl-name "kern.ipc.throttle_best_effort") + (sysctl-name "kern.memorystatus_vm_pressure_send")) +(allow sysctl-read) +(allow system-privilege) +(allow system-suspend-resume) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb.xml new file mode 100644 index 00000000..972d53f1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/assertiond.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb new file mode 100644 index 00000000..1f564bcf --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb @@ -0,0 +1,19 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow iokit-get-properties) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb.xml new file mode 100644 index 00000000..c5c1c883 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cloudphotod.sb.xml @@ -0,0 +1,37 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + 
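Review bot: The reference output for assertiond.sb pins filters that can never be satisfied: under `(allow file-read*` the clause `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE))`, and under `(allow file-write*` the clause that combines those two vnode types with the interactionC.db-journal prefix and the coreduetd.people entitlement, require one vnode to be two types at once. If the decoder emitted these, committing them as the expected reference freezes a probable mis-decoding (presumably a `require-any` in the compiled filter) into the test suite, so a later fix to the decoder would show up as a regression. I would confirm these entries against the compiled profile before landing, or mark them as known-suspect in the test that consumes these references. The same pattern appears in the file-read* and file-write* sections of com.apple.AssetCacheLocatorService.sb later in this patch.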
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb new file mode 100644 index 00000000..b5abbb97 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb 
@@ -0,0 +1,455 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) 
+ (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AssetCacheLocatorService.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex 
#"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + 
(vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssetCacheLocatorService$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow 
file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.AssetCacheC") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name 
"com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-inbound + (local udp 
"*:*")) +(allow network-bind + (local udp "*:*")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote tcp "*:*") + (remote udp "*:53") + (literal "/private/var/run/syslog") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AssetCacheLocatorService") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.AssetCacheLocatorService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb new file mode 100644 index 00000000..aa5d5999 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb 
@@ -0,0 +1,185 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/private/var/db/heim-credential-store.archive") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/private/var/db/heim-credential-store.archive") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
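Review bot: The file-read* filter `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") ...))` in this GSSCred reference can never match, because a single vnode cannot have both types, so the fixture pins an unsatisfiable rule for /private/etc/hosts, /private/etc/passwd and the CoreDuet paths; the same shape recurs in this hunk's file-write* rule and in the com.apple.WebKit.Databases.sb and com.apple.WebKit.Networking.sb hunks. It looks like a negation was lost on the way from the binary profile — a `(require-not (require-any (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE)))` guard would give the rule its obvious meaning of "regular paths, not devices" — but that should be confirmed against the compiled profile before this output is treated as the expected result, since the test otherwise locks the suspect decompilation in. A smaller point of style: `(allow nvram*)` and `(allow process-info*)` are each followed by allows for the specific operations the wildcard already covers, so the reference carries redundant rules that are worth either deduplicating in the tool or documenting as intentional output.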
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.GSSCred.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb new file mode 100644 index 00000000..e42d3fa1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb 
@@ -0,0 +1,114 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.app-sandbox.read-write") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-audit) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb.xml new file mode 100644 index 00000000..857bf1d4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Databases.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb new file mode 100644 index 00000000..270e1527 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb 
@@ -0,0 +1,327 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.app-sandbox.read-write") + (extension-class "com.apple.nsurlstorage.extension-cache")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath 
"/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (extension "com.apple.app-sandbox.read") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (extension "com.apple.app-sandbox.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "RootDomainUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.ocspd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + 
(global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-audit) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb.xml new file mode 100644 index 00000000..857bf1d4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.Networking.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb new file mode 100644 index 00000000..342a2f41 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb 
@@ -0,0 +1,764 @@ +(version 1) +(deny default) +(allow file-issue-extension + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath 
"/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension "com.apple.app-sandbox.read-write") + (extension-class "com.apple.nsurlstorage.extension-cache")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath 
"/Library/Dictionaries") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (extension "com.apple.app-sandbox.read-write") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal "/dev/aes_0") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal "/dev/random") + (subpath "/Developer") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.LaunchServices.plist") + (literal "/dev/dtracehelper") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix 
"${HOME}/Library/Logs/awd/awd-com.apple.WebKit.WebContent.log") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) 
+ (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + 
(extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Logs/awd/awd-com.apple.WebKit.WebContent.log") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (extension "com.apple.app-sandbox.read-write") + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + 
(vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (require-not (vnode-type SYMLINK)) + (require-any + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "ScripterServer") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.fig.movie") + 
(global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.symptomsd") + (global-name "com.apple.coremedia.assetimagegenerator") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.TextInput") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.TextInput.rdt") + (local-name 
"com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.aggregated") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.TextInput.shortcuts") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.bird.token") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.securityd") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.voiceservices.keepalive") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.webinspector") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.coremedia.recorder") + 
(global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.sharingd") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + 
(require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.SpeakSelection") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + 
(preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.LaunchServices") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.Preferences")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-audit) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb.xml new file mode 100644 index 00000000..857bf1d4 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.WebKit.WebContent.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb new file mode 100644 index 00000000..c4c6054a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb 
@@ -0,0 +1,683 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.token.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.avvc.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.weather.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-assistantd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.logging.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/Assistant") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/siri_recordings") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.siri.backedup.encrypted.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath-prefix "${HOME}/Library/Assistant") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (subpath "/Library/Audio/Tunings") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AssistantServices.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.siri.") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/local/lib") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" 
#"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$") + 
(subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Caches/com.apple.siri.") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.weather.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.token.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AssistantServices.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/Assistant") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.siri.backedup.encrypted.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.logging.plist") + (subpath-prefix "${HOME}/Library/Assistant") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/awd/awd-assistantd.log") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]AssistantServices$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]assistantd$") + (subpath-prefix "${HOME}"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal 
"/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.geod") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.marco") 
+ (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.BTLEAudioController.xpc") + (global-name "com.apple.imagent.embedded.auth") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.coreduetd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.assistant_service") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.absd") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name 
"com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.networkd") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.accountsd.oauthsigner") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.absinthed") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.logger") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + 
(require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.weather") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.voicetrigger") + (preference-domain "com.apple.CoreDuet") + 
(preference-domain "com.apple.avfoundation.avvc") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AssistantServices") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.assistant.token") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.assistant.logging") + (preference-domain "com.apple.siri.backedup.encrypted") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.AssistantServices") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.assistant.logging") + (preference-domain "com.apple.assistant.token") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.siri.backedup.encrypted") + (preference-domain "com.apple.weather") + (preference-domain "com.apple.voicetrigger") + (preference-domain "com.apple.assistant.backedup")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow 
system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.assistant.assistantd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb new file mode 100644 index 00000000..915b2819 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb 
@@ -0,0 +1,629 @@ +(version 1) +(deny default) +(allow distributed-notification-post) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension-class "com.apple.librarian.ubiquity-revision")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (literal-prefix "${HOME}/Library/Mobile Documents/")) + (require-all + (subpath-prefix 
"${HOME}/Library/Mobile Documents") + (extension-class "com.apple.librarian.ubiquity-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.quicklook.readonly"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.clouddocs.version") + (vnode-type REGULAR-FILE) + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CloudKit.BehaviorOptions.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Ubiquity") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ubd.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudDocs") + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/com.apple.bird") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal 
"/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${HOME}/Library/Mobile Documents.") + (literal "/dev/ptmx") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/com.apple.clouddocs") + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iCloudDriveApp.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bird.plist") + (subpath "/private/var/tmp") + (literal-prefix 
"${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/tmp") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath-prefix "${HOME}/Library/Logs/CloudDocs") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]bird" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]bird" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]bird") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath 
"/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" 
#"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird$") + 
(subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/com.apple.clouddocs") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (literal-prefix "${HOME}/Library/Mobile Documents.") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ubd.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CloudDocs") + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iCloudDriveApp.plist") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/com.apple.bird") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Ubiquity") + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bird.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/Caches/CloudKit/tmp") + (subpath-prefix "${HOME}/Library/Logs/CloudDocs") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all 
+ (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]bird$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]bird$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]bird" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]bird" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]bird") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Application Support")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/CloudKit")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + 
(require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name 
"com.apple.tccd") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.coreduetd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.FSEvents") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coresymbolicationd") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.lsd") + (global-name "com.apple.apsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + 
(global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.cache_delete") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird.ContainerMetadataExtractor") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.ubd") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.cloudd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + 
(global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.CloudKit.BehaviorOptions") + (preference-domain "com.apple.ubd") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.mmcs") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.bird") + (preference-domain "com.apple.iCloudDriveApp") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.ubd") + (preference-domain "com.apple.bird") + (preference-domain "com.apple.iCloudDriveApp") + (preference-domain "com.apple.appleaccount")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-fsctl + (fsctl-command (_IO "h" 24)) + (fsctl-command (_IO "h" 30)) + (fsctl-command (_IO "h" 32)) + 
(fsctl-command (_IO "h" 31))) +(allow system-info + (info-type "hw.uuid")) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb.xml new file mode 100644 index 00000000..82828b2d --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.bird.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb new file mode 100644 index 00000000..0a47bd14 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb 
@@ -0,0 +1,600 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (regex #"^/private/var/mobile/Containers/[^/]+/[^/]+/[^/]+/Library/Caches/CloudKit" #"^/private/var/euser[0-9]+/Containers/[^/]+/[^/]+/[^/]+/Library/Caches/CloudKit") + (subpath-prefix "${HOME}") + (require-any + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension-class "com.apple.app-sandbox.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Containers/[^/]+/Data/Library/Caches/CloudKit" #"^/private/var/euser[0-9]+/Library/Containers/[^/]+/Data/Library/Caches/CloudKit") + (subpath-prefix "${HOME}") + (require-any + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension-class "com.apple.app-sandbox.read-write"))) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex 
#"/private/var/containers/[^/]+/[^/]+/[^/]+/Library/Caches/CloudKit" #".+/private/var/containers/[^/]+/[^/]+/[^/]+/Library/Caches/CloudKit") + (require-any + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension-class "com.apple.app-sandbox.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/CloudKit/[^/]+/[^/]+" #"^/private/var/euser[0-9]+/Library/Caches/CloudKit/[^/]+/[^/]+") + (subpath-prefix "${HOME}") + (require-any + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension-class "com.apple.app-sandbox.read-write")))) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (literal "/private/var/db/mds/messages/se_SecurityMessages") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (mount-relative-regex #"^/[.]DocumentRevisions-V100-bad-[0-9]+$" #"^/[.]DocumentRevisions-V100-bad-[0-9]+/") + (subpath-prefix "${HOME}/Library/Logs/awd") + (literal "/Library/Preferences/com.apple.security.plist") + (literal "/") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (regex #"^/private/var/tmp/CKTraffic$" #"^/private/var/tmp/CKTraffic[^/]+$") + (mount-relative-regex 
#"^/[.]DocumentRevisions-V100$" #"^/[.]DocumentRevisions-V100/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/Library/Keychains/System.keychain") + (subpath-prefix "${HOME}/Library/Keychains") + (literal-prefix "${HOME}/Library/Logs/ProtectedCloudStorage.log") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (mount-relative-regex #"^/[.]TemporaryItems$" #"^/[.]TemporaryItems/") + (extension "com.apple.sandbox.executable") + (literal "/private/var/db/DetachedSignatures") + (literal-prefix "${HOME}/Library/Caches") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.migration.plist") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/var/tmp$" #"^/var/tmp/" #"^/private/var/tmp$" #"^/private/var/tmp/") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath-prefix "${HOME}/Library/Caches/CloudKit") + (literal "/private/var/preferences/com.apple.networkd.plist") + 
(subpath-prefix "${HOME}/Library/Logs/Ubiquity") + (subpath "/usr/share") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal "/private/var/run/diagnosticd/dyld_shared_cache_x86_64") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.nsurlsessiond") + (literal "/private/var/logs/Ubiquity") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/com.apple.cloudd") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/db/mds/system/mdsDirectory.db") + (subpath "/usr/lib") + (literal "/Library/Preferences/SystemConfiguration/preferences.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/CloudConfigurationDetails.plist$" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/CloudConfigurationDetails.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/CloudKit" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/CloudKit") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_log" #"^/private/var/mobile/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_.+log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_.*log") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/CloudKit" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/CloudKit") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]cloudd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]cloudd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]cloudd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/tmp") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (regex #"^/var/tmp$" #"^/private/var/tmp$") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library") + (literal "/AppleInternal") + (literal "/etc") + (literal "/tmp") + (literal-prefix "${HOME}/Library/Caches") + (literal "/private/etc/localtime") + (literal "/Library/Keychains") + (literal "/private/var/run/systemkeychaincheck.done") + (literal "/Library/Logs") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Preferences") + (regex #"^/var$" #"^/private/var$") + (literal "/Library") + (literal "/Library/Security/Trust Settings/Admin.plist") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/com.apple.cloudd") + (subpath-prefix "${HOME}/Library/Caches/com.apple.nsurlsessiond") + (regex #"^/var/tmp$" #"^/var/tmp/" #"^/private/var/tmp$" #"^/private/var/tmp/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (mount-relative-regex #"^/[.]TemporaryItems$" #"^/[.]TemporaryItems/") 
+ (subpath-prefix "${HOME}/Library/Logs/awd") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Caches/CloudKit") + (literal "/") + (regex #"^/Library/Keychains/System.keychain") + (subpath-prefix "${HOME}/Library/Logs/Ubiquity") + (literal-prefix "${HOME}/Library/Caches") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (subpath-prefix "${HOME}/Library/Keychains") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (regex #"^/private/var/tmp/CKTraffic$" #"^/private/var/tmp/CKTraffic[^/]+$") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/private/var/logs/Ubiquity") + (literal-prefix "${HOME}/Library/Logs/ProtectedCloudStorage.log") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_log" #"^/private/var/mobile/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_.+log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/CFNetwork_com[.]apple[.]cloudd_.*log") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/CloudKit" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/CloudKit") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension 
"com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]cloudd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]cloudd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]cloudd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/CloudKit" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/CloudKit") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (require-all + (regex #"^/cores/") + (require-not (file-mode #o0000))) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))))) +(allow file-write-create + (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_com.apple.cloudd") + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + 
(require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write-xattr + (mount-relative-regex #"^/[.]DocumentRevisions-V100$" #"^/[.]DocumentRevisions-V100/") + (mount-relative-regex #"^/[.]DocumentRevisions-V100-bad-[0-9]+$" #"^/[.]DocumentRevisions-V100-bad-[0-9]+/")) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm-read-data + (ipc-posix-name-regex #"^/tmp/com[.]apple[.]csseed[.][0-9]+$") + (ipc-posix-name "FNetwork.defaultStorageSession") + (ipc-posix-name "com.apple.AppleDatabaseChanged")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name "com.apple.AppleDatabaseChanged")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + 
(global-name "com.apple.coreservices.quarantine-resolver") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.coreduetd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.datamigrator") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.system.DirectoryService.libinfo_v1") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.lsd") + (global-name 
"com.apple.apsd") + (global-name "com.apple.SecurityServer") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.fairplayd") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.AssetCacheLocatorService") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.awdd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.networkd") + (global-name "com.apple.CoreServices.coreservicesd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.windowserver.active") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.ocspd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name 
"com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote tcp "*:*") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/run/syslog") + (literal "/private/var/run/asl_input") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.CloudKit.BehaviorOptions") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.cloudd") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.migration") + 
(preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.cloudd") + (preference-domain "com.apple.CloudKit.BehaviorOptions") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.cloudd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb new file mode 100644 index 00000000..63d6d8ff --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb 
@@ -0,0 +1,210 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (subpath "/Applications") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (subpath "/System/Library") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilephone.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.sandbox.executable") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + 
(subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + 
(literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + 
(global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.message") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.mobilephone") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
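Review bot: The reference profile for AddToRecentsService encodes `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any ...))` inside the `file-read*` rule (the clause wrapping the /private/etc/hosts, /private/etc/passwd and CoreDuet paths), and a single vnode cannot satisfy both vnode-type filters at once, so as written that whole sub-clause is unsatisfiable. The cloudd profile earlier in this patch renders the same shape as `(require-all (require-not (vnode-type BLOCK-DEVICE)) (require-not (vnode-type CHARACTER-DEVICE)) ...)`, which looks like the intended meaning, so this may be a decoding artifact rather than a property of the compiled profile. Since these files are being committed as expected test output, it is worth checking the clause against the compiled profile before locking it in, and a one-line `; captured verbatim from the decompiler, not hand-verified` header in the fixture (or a note in the test that consumes it) would tell later readers which kind of discrepancy they are looking at.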
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.datadetectors.AddToRecentsService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb new file mode 100644 index 00000000..f99f488e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb 
@@ -0,0 +1,724 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write")))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath-prefix "${HOME}/Library/HomeConfiguration") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (subpath-prefix "${HOME}/Library/homed") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/dev/ptmx") + (subpath "/Developer") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (subpath "/System/Library") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homed.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Logs/awd/awd-homed.log") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]homed" 
#"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]homed" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]homed") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type SYMLINK) + (subpath 
"/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension 
"com.apple.revisiond.revision")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/HomeKit" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/HomeKit") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Library") + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Logs/awd/awd-homed.log") + (subpath-prefix "${HOME}/Library/HomeConfiguration") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homed.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/homed") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension 
"com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]homed" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]homed" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]homed") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension 
"com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/HomeKit" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/HomeKit") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]homed$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal 
"/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.corefollowup.agent") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name 
"com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.FileProvider") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.springboard.backgroundappservices") + 
(global-name "com.apple.apsd") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.wirelessproxd") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.bird.token") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.pegasus") + (global-name "com.apple.revisiond") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.coreduetd.knowledge") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.cloudd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + 
(require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.homed") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.carrier") + (preference-domain 
"com.apple.coremedia") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.homed")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.homed.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb new file mode 100644 index 00000000..86468d4b --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb 
@@ -0,0 +1,491 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/root/Library/Caches/nehelper/" #"^/private/var/root/Library/Caches/nehelper$")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/private/var/root/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/root/Library/Caches/nehelper/" #"^/private/var/root/Library/Caches/nehelper$")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + 
(require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/root/Library/Caches/nehelper/" #"^/private/var/root/Library/Caches/nehelper$")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath "/private/var/root/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (regex #"^/private/var/preferences/SystemConfiguration/VPN-[^/]+[.]plist") + (literal "/usr/local/bin/network_test") + (literal "/dev/random") + (literal "/dev/ptmx") + (subpath "/usr/libexec") + (subpath "/private/var/root/Library/Cookies") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/preferences/com[.]apple[.]networkextension[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]necp[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]control[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]cache[.]plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal 
"/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (subpath "/usr/share") + (regex #"^/private/var/root/Library/Caches/nehelper/" #"^/private/var/root/Library/Caches/nehelper$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Bundle/Application") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist") + (subpath "/usr/sbin") + (subpath "/Developer") + (regex #"^/private/var/preferences/SystemConfiguration/preferences[.]plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/CloudConfigurationDetails.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal 
"/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/root/Library/Caches") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + 
(literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/preferences/SystemConfiguration/VPN-[^/]+[.]plist") + (regex #"^/private/var/root/Library/Caches/nehelper/" #"^/private/var/root/Library/Caches/nehelper$") + (regex #"^/private/var/preferences/com[.]apple[.]networkextension[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]necp[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]control[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]cache[.]plist") + (regex #"^/private/var/preferences/SystemConfiguration/preferences[.]plist") + (subpath "/private/var/root/Library/Cookies") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type REGULAR-FILE) + (regex 
#"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nehelper$"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreServices.coreservicesd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.managedconfiguration.profiled") + (global-name 
"com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.networking.captivenetworksupport") + (global-name "com.apple.aggregated") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.CoreAuthentication.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name 
"com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.assertiond.processassertionconnection") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow mach-register + (global-name "com.apple.nehelper") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network* + (local udp "*:500") + (local udp "*:4500") + (literal 
"/private/var/run/racoon.sock")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote udp "*:*") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.net.utun_control") + (literal "/private/var/run/syslog") + (control-name "com.apple.network.statistics") + (remote tcp "*:*") + (control-name "com.apple.netsrc") + (control-name "com.apple.content-filter") + (control-name "com.apple.flow-divert") + (control-name "com.apple.net.necp_control") + (control-name "com.apple.net.ipsec_control")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl* + (sysctl-name-regex #"^net[.]inet[.]ipsec[.].+") + (sysctl-name-regex #"^net[.]necp[.].+")) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb.xml new file mode 100644 index 00000000..c8ed3bf5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nehelper.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb new file mode 100644 index 00000000..3c3cae9c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb 
@@ -0,0 +1,466 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/root/Library/Caches/nesessionmanager/" #"^/private/var/root/Library/Caches/nesessionmanager$")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/root/Library/Caches/nesessionmanager/" #"^/private/var/root/Library/Caches/nesessionmanager$")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/root/Library/Caches/nesessionmanager/" #"^/private/var/root/Library/Caches/nesessionmanager$")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (regex #"^/private/var/preferences/SystemConfiguration/VPN-[^/]+[.]plist") + (literal "/dev/random") + (subpath "/usr/libexec") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal "/private/var/run/racoon.pid") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.networkextension.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/preferences/com[.]apple[.]networkextension[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]necp[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]control[.]plist" #"^/private/var/preferences/com[.]apple[.]networkextension[.]cache[.]plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal 
"/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (regex #"^/private/var/root/Library/Caches/nesessionmanager/" #"^/private/var/root/Library/Caches/nesessionmanager$") + (subpath "/private/etc/ppp") + (subpath "/usr/sbin") + (subpath "/private/var/containers/Bundle/VPNPlugin") + (regex #"^/private/var/preferences/SystemConfiguration/preferences[.]plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (subpath "/private/var/run/racoon") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (regex #"^/private/var/run/ppp[0-9]+[.]pid$") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/root/Library/Caches") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/run/racoon") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/private/var/log/ppp.log") + (regex #"^/private/var/preferences/SystemConfiguration/preferences[.]plist") + (subpath "/private/var/tmp") + (regex 
#"^/private/var/preferences/SystemConfiguration/VPN-[^/]+[.]plist") + (regex #"^/private/var/root/Library/Caches/nesessionmanager/" #"^/private/var/root/Library/Caches/nesessionmanager$") + (regex #"^/private/var/run/ppp[0-9]+[.]pid$") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/nesessionmanager$"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal 
"/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.UNCUserNotification") + (global-name "com.apple.GSSCred") + (global-name "com.apple.symptom_analytics") + (global-name "com.apple.springboard.services") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name 
"com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.neagent") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.CoreServices.coreservicesd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.ocspd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + 
(extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network*) +(allow network-inbound) +(allow network-bind) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.networkextension") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-exec* + (literal "/usr/sbin/pppd")) +(allow process-fork) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl* + (sysctl-name "net.key.natt_keepalive_interval")) +(allow sysctl-read) 
+(allow system-privilege) +(allow system-socket) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb.xml new file mode 100644 index 00000000..aa4f26ab --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.nesessionmanager.sb.xml @@ -0,0 +1,46 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb new file mode 100644 index 00000000..3a766d1c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb 
@@ -0,0 +1,466 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + 
(require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.quicklook.readonly") + (extension-class "com.apple.mediaserverd.read"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/dev/zero") + (subpath "/usr/share") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db") + (literal "/dev/random") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-shm") + (extension "com.apple.sandbox.executable") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + 
(literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.quicklook.readonly") + (subpath "/Developer") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Application Support/Quick Look") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-wal") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-journal") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (subpath-prefix "${HOME}/Media") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + 
(regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Application Support/Documents" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Application Support/Documents") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-shm") + (literal-prefix "${HOME}/Library/Application Support/Quick Look") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-wal") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db") + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db-journal") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Application Support/Quick Look")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension 
"com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Application Support/Quick Look/cloudthumbnails.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "AppleMobileFileIntegrityUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + 
(global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.pegasus") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.xpcd") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.system.logger") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.revisiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.fig.movie") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ctkd.token-client") + (local-name "com.apple.cfprefsd.agent") + (global-name 
"com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.corevideo") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-fsctl + (fsctl-command (_IO "h" 31))) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.quicklook.QLThumbnailsService.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb new file mode 100644 index 00000000..1a731fe5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb 
@@ -0,0 +1,494 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/rtcreportingd/" #"^/private/var/mobile/Library/Caches/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/rtcreportingd/" #"^/private/var/mobile/Library/Caches/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/rtcreportingd/" #"^/private/var/mobile/Library/Caches/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired/rtcreportingd_") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/rtcreportingd.plist") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoConference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.rtcreporting.plist") + (literal "/dev/random") + (literal-prefix "${HOME}/Library/Logs/awd/awd-rtcreportingd.log") + (subpath "/System/Library") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.timed.plist") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (extension "com.apple.rtcreporting.upload") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/rtcreportingd") + (literal "/usr/libexec/rtcreportingd") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + 
(require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/rtcreportingd/" #"^/private/var/mobile/Library/Caches/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-data + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired")) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") 
+ (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired/rtcreportingd_") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/rtcreportingd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/rtcreportingd.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-rtcreportingd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.rtcreporting.plist") + (subpath "/private/var/tmp") + (require-all + (regex #"^/private/var/mobile/Library/Caches/rtcreportingd/" #"^/private/var/mobile/Library/Caches/rtcreportingd$" 
#"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/rtcreportingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type 
REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/Retired")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (extension "com.apple.rtcreporting.upload") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name 
"com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.nehelper") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.aggregated") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.tccd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlogd") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name 
"com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "rtcreportingd") + (preference-domain "com.apple.timed") + (preference-domain "com.apple.VideoConference") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.rtcreporting") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension 
"com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.rtcreporting") + (preference-domain "rtcreportingd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.rtcreportingd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb new file mode 100644 index 00000000..a9984379 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb 
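Review bot: The reference output frozen here contains filters that can never match, most visibly in the file-read* and file-write* rules of this profile: `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` conjoins two vnode types although a vnode has exactly one, so the CoreDuet interactionC.db entries nested under it are dead as written. The same shape recurs in the QLThumbnailsService and ClientScripter profiles in this patch, which suggests it is systematic rather than a property of one compiled profile; it may be how the decompiler renders a negated or any-of node, and that is worth confirming against the original decision tree before these files are committed as expected results, since anyone reading them to understand what the daemon may write would otherwise draw the wrong conclusion. Because the test compares against these files verbatim, a later decompiler fix will start failing here, so a short note in the test stating which tool version and input produced the references would help whoever has to regenerate them.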
@@ -0,0 +1,67 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/dtracehelper")) +(allow file-link) +(allow file-map-executable) +(allow file-read*) +(allow file-read-data) +(allow file-read-metadata) +(allow file-read-xattr) +(allow file-write* + (extension "com.apple.sandbox.system-group") + (subpath "/private/var/tmp") + (regex #"^/private/var/logs/CrashReporter/Sandbox-.+[.]ips" #"^/private/var/logs/CrashReporter/[.]Sandbox-.+[.]ips") + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/Sandbox-.+[.]ips" #"^/private/var/mobile/Library/Logs/CrashReporter/[.]Sandbox-.+[.]ips") + (require-all + (regex #"^/cores/") + (require-not (file-mode #o0000)))) +(allow file-write-data + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero")) +(allow iokit-open + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm* + (ipc-posix-name "apple.shm.notification_center")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.system.logger") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.system.DirectoryService.libinfo_v1") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.system.libinfo.muser") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coresymbolicationd")) +(allow network* + (regex #"^/private/var/tmp/sandbox[.]")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (regex #"^/private/tmp/[.]webdavUDS[.][^/]+$") + 
(literal "/private/var/run/asl_input")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb.xml new file mode 100644 index 00000000..3cfb47db --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.sandboxd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb new file mode 100644 index 00000000..943abf2e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb 
@@ -0,0 +1,207 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/Assistant") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.siri.ClientFlow.ClientScripter.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.logging.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix 
"${HOME}/Library/Logs/CrashReporter/Assistant") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.siri.ClientFlow.ClientScripter.plist") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + 
(extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.assistant.logging") + (preference-domain "com.apple.siri.ClientFlow.ClientScripter") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.siri.ClientFlow.ClientScripter")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.siri.ClientFlow.ClientScripter.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb new file mode 100644 index 00000000..7203d9c9 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb 
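Review bot: The `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` clause under `file-read*` in this hunk (and again under `file-write*`, combined with the CoreDuet `interactionC.db-journal` filter) conjoins two vnode types that a single vnode can never have at once, so as written the clause matches nothing. If that is genuinely what the decompiler emits for the compiled profile, this reference silently pins it as expected output; if the compiled profile actually encodes a `require-any`, the test will accept a rendering that inverts the policy's meaning. Worth checking against the compiled profile before these files are committed as ground truth, and worth a one-line note in the test that loads them rather than in the .sb file itself (the reference must stay byte-identical to tool output), e.g. `; references are raw decompiler output, not hand-verified policy: unsatisfiable vnode-type conjunctions are known and pinned deliberately`. The same conjunction appears in com.apple.snhelper.sb and in com.apple.tccd.sb, where under `file-read*` it stands alone with no path filter, so the difference between all-or-nothing is largest there.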
@@ -0,0 +1,139 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/var/mobile/Library/Caches") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + 
(require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-register + (global-name "com.apple.snhelper") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow 
process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.snhelper.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb new file mode 100644 index 00000000..0084590a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb 
@@ -0,0 +1,450 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class-regex #"^com[.]apple[.]tcc[.]") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + 
(extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class 
"com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + 
(literal-prefix "${HOME}/Library/Logs/awd/awd-tccd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.companionsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/null") + (literal "/dev/random") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]tccd[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]tccd[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]tccd[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix 
"${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (literal-prefix "${HOME}/Library/Logs/awd/awd-tccd.log") + (regex #"^/private/var/containers/Data/System/[^/]+/") + 
(literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (subpath-prefix "${HOME}/Library/TCC") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (subpath "/private/var/tmp/com.apple.tccd") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]tccd[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]tccd[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]tccd[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CompanionSync")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-owner + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.aggregated") + (global-name "com.apple.appconduitd.device-connection") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.backboard.systemservices") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.lsd") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.librariand") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name 
"com.apple.awdd") + (global-name "com.apple.companionappd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.companionsync") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow 
process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb.xml new file mode 100644 index 00000000..14606502 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tccd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb new file mode 100644 index 00000000..c05eaded --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb 
@@ -0,0 +1,140 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write-create + (literal "/private/var/db/timezone/localtime") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-unlink + (literal "/private/var/db/timezone/localtime") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) 
+(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.tzlinkd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb new file mode 100644 index 00000000..ab9d58d6 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb 
@@ -0,0 +1,527 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension-class "com.apple.librarian.ubiquity-revision")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + 
(extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Ubiquity") + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity") + (literal "/") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ubd.plist") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${HOME}/Library/processed-Mobile Documents.delete") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/preferences/com.apple.security.plist") + (literal "/dev/aes_0") + (literal-prefix "${HOME}/Library/Logs/awd/awd-ubd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${HOME}/Library/Application Support") + (literal-prefix "${HOME}/Library") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath "/usr/share") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bird.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Collections") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/private/var/preferences/SystemConfiguration/com.apple.mobilegestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity[.]log" #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity.+[.]log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity.*[.]log") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal 
"/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]ubd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]ubd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]ubd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-data + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Collections") + (regex 
#"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix "${HOME}/Library/Logs/awd/awd-ubd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ubd.plist") + (literal-prefix "${HOME}/Library/Application Support") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Ubiquity") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${HOME}/Library/processed-Mobile Documents.delete") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mmcs.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity[.]log" #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity.+[.]log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/ubiquity.*[.]log") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]ubd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]ubd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]ubd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]ubd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]ubd$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.absd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name 
"com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.FSEvents") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.apsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.awdd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.absinthed") + (global-name "com.apple.networkd") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.system.notification_center") + (global-name 
"com.apple.coreservices.appleid.authentication") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (remote tcp "*:*") + (literal "/private/var/run/syslog") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) 
+(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.ubd") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.bird") + (preference-domain "com.apple.mmcs") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.ubd") + (preference-domain "com.apple.mmcs")) +(allow process-exec* + (literal "/System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl*) +(allow sysctl-read) +(allow sysctl-write) +(allow system-fsctl + (fsctl-command (_IO "h" 24)) + (fsctl-command (_IO "h" 30))) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb.xml new file mode 100644 index 00000000..f9ff07cc --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/com.apple.ubd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb new file mode 100644 index 00000000..8e41b0f9 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb 
@@ -0,0 +1,3520 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.absolute-path.read-write"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix 
"${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Library/Mail") + (extension-class "com.apple.mediaserverd.read") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/Books") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Library/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + 
(require-any + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (extension-class 
"com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Library/ReplayKit") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ReplayKit.RPVideoEditorExtension"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))))) + (require-all + (subpath-prefix "${HOME}/Media/Podcasts") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix 
"${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (require-entitlement 
"com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement 
"com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/DCIM") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}"))) +(allow file-map-executable) +(allow file-read* + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/System/Library") + (literal "/private/var/preferences/com.apple.networkd.plist") + (subpath "/Developer") + (subpath "/usr/share") + (subpath "/usr/lib") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal 
"/private/var/preferences/com.apple.security.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.system.get-wallpaper") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + 
(require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]mobilemail" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]mobilemail" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]mobilemail") + (subpath-prefix "${FRONT_USER_HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/Books") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/OriginalLockVideo.mov") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/HomeBackground.cpbitmap") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix 
"${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb-journal") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (subpath-prefix "${HOME}/Media") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/Safari") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/OriginalHomeVideo.mov") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal "/private/var/preferences/SystemConfiguration/com.apple.wifi.plist") + (require-entitlement "platform-application")) + (require-all + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.AOSNotification.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (subpath-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (subpath-prefix "${HOME}/Library/SMS") + (require-entitlement 
"com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Library/Calendar") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath "/Library/Application Support/Mail/Plugins") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "platform-application")) + (require-all + (subpath-prefix "${HOME}/Library/DataAccess") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value 
"com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/LockBackgroundThumbnail.jpg") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMail$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMail/" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMail|PairedSyncServiceRestrictions)$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMail|PairedSyncServiceRestrictions)/") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/CloudConfigurationDetails.plist$") + (subpath-prefix "${FRONT_USER_HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.Maps") + (entitlement-value 
"com.apple.SafariViewService") + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/DataAccess") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/LockVideo.mov") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value 
"com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb-shm") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Library/WebClips") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/HomeBackgroundThumbnail.jpg") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + 
(require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/.LockBackground.cpbitmap") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (regex #"^/private/var/containers/Bundle/[^/]+/[-0-9A-Z]+/GeoJSON") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (subpath-prefix "${HOME}/Library/Safari") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (extension 
"com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-any + (require-entitlement "com.apple.media.ringtones.read-only") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2"))) + (require-all + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")) + (require-entitlement "com.apple.security.exception.carrier-bundle.read"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")) + (require-entitlement "com.apple.media.ringtones.read-only"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal 
"/System/Library/PairedSyncServices/com.apple.pairedsync.mail.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/LockBackground.cpbitmap") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb-wal") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (subpath-prefix "${HOME}/Library/Logs/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (subpath-prefix 
"${HOME}/Media/Podcasts") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (subpath-prefix "${HOME}/Library/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Library/Notes") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/.HomeBackground.cpbitmap") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value 
"com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (require-not (regex #"^/private/var/mobile/Library/Preferences/com.apple.apsalerts.plist" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.apsalerts.plist")) + (require-any + (subpath "/AppleInternal") + (subpath "/Applications") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Media/iTunes_Control/iTunes") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath-prefix "${HOME}/Media/iTunes_Control/Artwork") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + 
(subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (subpath "/Library/Ringtones") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (subpath "/Library/Dictionaries") + (subpath-prefix "${HOME}/Library/Dictionaries") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + 
(require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath-prefix 
"${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/null") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + 
(literal "/dev/dtracehelper") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/GameKit/Data/[^/]+.gcdata$" #"^/private/var/euser[0-9]+/Library/GameKit/Data/[^/]+.gcdata$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")))) + (require-all + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" 
#"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.objectcreation.lock") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (literal-prefix "${HOME}/Library/SpringBoard/HomeVideo.mov") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + 
(entitlement-value "com.apple.mobilemail")) + (require-entitlement "com.apple.media.ringtones.read-only"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]stocks[.]bridge$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]stocks[.]bridge$") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (literal "/private/var/preferences/SystemConfiguration/com.apple.AutoWake.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (regex #"^/private/var/mobile/Library/Preferences/com.apple.restrictionspassword.plist" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.restrictionspassword.plist") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.WebContentFilter.remoteUI.WebContentAnalysisUI"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.sharedstore.lock") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + 
(entitlement-value "com.apple.mobilenotes")))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control/iTunes") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.Maps") + (entitlement-value "com.apple.SafariViewService") + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]NanoMail" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]NanoMail") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")) + (require-entitlement "com.apple.media.ringtones.read-only"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement 
"com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision"))) +(allow file-read-data + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library") + (literal "/private/var") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/printd") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/GameKit/Data") + (literal-prefix "${HOME}/Media") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices") + (literal-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}") + (vnode-type SYMLINK) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + 
(entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "platform-application")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-any + (require-entitlement "com.apple.media.ringtones.read-only") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "platform-application")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + 
(require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Caches") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement 
"com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + 
(entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}") + (require-any + (require-entitlement "com.apple.media.ringtones.read-only") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")) + (require-all + (literal-prefix "${HOME}") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.system.get-wallpaper"))) + (require-all + (literal-prefix "${HOME}") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (literal-prefix "${HOME}") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix 
"${HOME}")) + (require-all + (vnode-type DIRECTORY) + (require-any + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2")))) +(allow file-write* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement 
"com.apple.container2"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (subpath-prefix "${HOME}/Media/Books") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.youtube.dp.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb-journal") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.OTASyncState.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-shm") + (require-any + (require-entitlement 
"com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]mobilemail" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]mobilemail" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]mobilemail") + (subpath-prefix "${FRONT_USER_HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mail.composition.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + 
(literal-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioRequestURLCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control/iTunes") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.sharedstore.lock") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.objectcreation.lock") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + 
(require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-journal") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.internal.Voltaire.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Logs/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (require-entitlement "com.apple.media.ringtones.read-write")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix 
"${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (extension "com.apple.app-sandbox.read-write") + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Media") + (require-any + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.OTASyncAgent.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + 
(entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Library/WebClips") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webapp")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMailKit.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (subpath-prefix "${HOME}/Library/Notes") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (regex #"^/private/var/mobile/Library/Preferences/com.apple.restrictionspassword.plist" #"^/private/var/euser[0-9]+/Library/Preferences/com.apple.restrictionspassword.plist") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.WebContentFilter.remoteUI.WebContentAnalysisUI"))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMail$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMail/" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMail|PairedSyncServiceRestrictions)$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMail|PairedSyncServiceRestrictions)/") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MailAccount-ExtProperties.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.skyhookwireless.wps.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (regex #"^/private/var/containers/Bundle/[^/]+/[-0-9A-Z]+/GeoJSON") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cloud.quota.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (literal-prefix 
"${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cloud.quota.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (subpath-prefix "${HOME}/Library/Safari") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes") + (entitlement-value "com.apple.safarifetcherd") + (entitlement-value "com.apple.Safari.SocialHelper")))) + (require-all + (subpath-prefix "${HOME}/Library/SMS") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (subpath-prefix "${HOME}/Library/Mail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Library/Calendar") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.Radio.RadioImageCache") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (require-any 
+ (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb-wal") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (subpath-prefix "${HOME}/Media/iTunes_Control") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (subpath-prefix "${HOME}/Library/DataAccess") + (require-entitlement 
"com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Cookies") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]NanoMail" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]NanoMail") + (subpath-prefix "${HOME}") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilemail") + (entitlement-value "com.apple.mobilenotes")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore") + (require-any + 
(require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (literal-prefix "${HOME}/Library/com.apple.iTunesStore/LocalStorage") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.AOSNotification.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/sharedCaches") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (literal-prefix "${HOME}/Library/Caches/com.apple.storeservices/AppPurchaseHistory.6.sqlitedb") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.ios.StoreKitUIService"))) + (require-all + (literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored.2.sqlitedb") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (require-any + (require-entitlement 
"com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (subpath-prefix "${HOME}/Media/Podcasts") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.AOSNotification.launchd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (subpath-prefix "${HOME}/Media/Purchases") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + 
(entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2")))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOHIDLibUserClient") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (require-all + (iokit-user-client-class "RootDomainUserClient") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2")))) +(allow iokit-get-properties + (iokit-property "compass-calibration") + (iokit-property "gyro-interrupt-calibration") + (require-not (iokit-property-regex #"-mac-address" #"mac-address-" #".+-mac-address" #".+mac-address-")) + (require-entitlement "com.apple.system.get-hardware-identifiers") + (require-entitlement "fairplay-client") + (require-not (require-entitlement "com.apple.private.MobileGestalt.AllowedProtectedKeys")) + (require-entitlement "com.apple.wifi.manager-access")) +(allow ipc-posix-sem + (semaphore-owner self) + (extension 
"com.apple.sandbox.application-group")) +(allow ipc-posix-shm* + (ipc-posix-name-regex #"^stack-logs") + (ipc-posix-name-regex #"^OA-") + (extension "com.apple.sandbox.application-group") + (ipc-posix-name-regex #"^/FSM-")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]") + (ipc-posix-name "apple.shm.notification_center") + (ipc-posix-name-regex #"^Apple MIDI in [0-9]+$" #"^Apple MIDI out [0-9]+$") + (require-all + (ipc-posix-name-regex #"^AppleABL[.]." #"^AppleABL[.].+") + (require-entitlement "inter-app-audio"))) +(allow ipc-posix-shm-write-create + (ipc-posix-name-regex #"^/mono[.][0-9]+$")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name-regex #"^Apple MIDI in [0-9]+$" #"^Apple MIDI out [0-9]+$") + (require-all + (ipc-posix-name-regex #"^AppleABL[.]." #"^AppleABL[.].+") + (require-entitlement "inter-app-audio"))) +(allow ipc-posix-shm-write-unlink + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.telephonyutilities.callservicesdaemon.voip") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.imagent.embedded.auth") + (global-name "com.apple.appleprofilepolicyd") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.imavagent.embedded.auth") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.iTunesStore.daemon") + (global-name "com.apple.symptomsd") + (global-name "com.apple.calaccessd.xpc") + (global-name "com.apple.watchconnectivity.complication") + (global-name 
"com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.mobileipod.MPMusicPlayerMigServerExists") + (global-name "com.apple.iapd") + (global-name "com.apple.coremedia.videoqueue") + (global-name "com.apple.FSEvents") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.AdSheetPhone.server") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.gamed") + (global-name "com.apple.ExternalAccessory.distributednotification.server") + (global-name "com.apple.CoreAuthentication.daemon") + (global-name "com.apple.coremedia.wirelessdisplayserver") + (global-name "com.apple.TextInput") + (global-name "com.apple.mobileipod.MPMusicPlayerMigServer") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.cloudd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.accountsd.oauthsigner") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.commcenter.dm-helper") + (global-name "com.apple.notificationcenter.widgetcontrollerconnection") + (global-name "com.apple.videoconference.camera") + (global-name "com.apple.wcd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.voiceservices.keepalive") + (global-name "com.apple.Music.MPMusicPlayerControllerInternal") + (global-name "com.apple.bird") + (global-name "com.apple.pegasus") + 
(global-name "com.apple.assertiond.expiration") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.wapi.client") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.iaptransportd") + (global-name "com.apple.coreservices.appleid.authentication") + (global-name "com.apple.FileProvider") + (global-name "com.apple.midiserver.io") + (global-name "com.apple.Music.MPMusicPlayerMigServerExists") + (global-name "com.apple.awdd") + (global-name "com.apple.springboard.blockableservices") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.telephonyutilities.remotelogdaemon") + (global-name "com.apple.homed.xpc") + (global-name "com.apple.server.bluetooth.le.pipe.xpc") + (global-name "com.apple.xpcd") + (global-name "com.apple.diagnosticd") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.marco") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.cvmsCompAgent_armv7") + (global-name "com.apple.Music.MPMusicPlayerMigServer") + (global-name "com.apple.certui.relay") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.weibod.server") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.webfilterd") + (global-name "com.apple.gizmoappd") + (global-name "com.apple.passd.assertions") + (global-name "com.apple.backboard.watchdog") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.ReportCrash") + (global-name "com.apple.atc") + (extension "com.apple.sandbox.application-group") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.locationd.registration") + (global-name 
"com.apple.dataaccess.dataaccessd") + (global-name "com.apple.nehelper") + (global-name "com.apple.backboard.workspaceserverconnection") + (global-name "com.apple.scrod") + (global-name "com.apple.syncdefaultsd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.TextInput.rdt") + (global-name "com.apple.coremedia.mutablecomposition") + (global-name "com.apple.MobileInternetSharing") + (global-name "com.apple.testmanagerd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.calaccessd") + (global-name "com.apple.lsd") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.assetsd.notificationServer") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.coremedia.decompressionsession") + (global-name "com.apple.MobileFileIntegrity") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.twitterd.server") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.prdaily") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.iaptransportd.xpc") + (global-name "com.apple.mediastream.sharing") + (global-name "com.apple.audio.AudioConverterServer") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.springboard.watchdogserver") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.accountsd.authmanager") + (global-name "com.apple.audio.AudioUnitServer") + (global-name "com.apple.usernotification.notificationscheduler") + 
(global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.AdSheetPad.server") + (global-name "com.apple.ondemandd.client") + (global-name "com.apple.dataaccess.dataaccessd.active") + (global-name "com.apple.ReportCrash.StackShot") + (global-name "com.apple.mDNSResponder") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.springboard.remotenotifications") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.UIKit.statusbarserver") + (global-name "com.apple.audio.AudioFileServer") + (global-name "com.apple.networking.captivenetworksupport") + (global-name "com.apple.iap2d.distributednotification.server") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.iapauthd.xpc") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.coremedia.formatreader") + (global-name "com.apple.springboard.icongeneration") + (global-name "com.apple.itunesstored.xpc") + (global-name "PurplePPTServer") + (global-name "com.apple.librariand") + (global-name "com.apple.assertiond.extension") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.mobilemail.services.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.midiserver") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.videoconference.avconference") + (global-name "com.apple.iap2d.xpc") + (global-name 
"com.apple.assetsd.messagingServer") + (global-name "com.apple.NPKCompanionAgent.library") + (global-name "com.apple.managedconfiguration.mdmdpush-prod") + (global-name "com.apple.coremedia.cpeprotector") + (global-name "com.apple.MobileAccessoryUpdater") + (global-name "com.apple.iap2d") + (global-name "com.apple.aggregated") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.itdbprep.server") + (global-name "com.apple.assistant.dictation") + (global-name "com.apple.healthd.server") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.springboard") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.airplay.sender.xpc") + (global-name "com.apple.coremedia.wirelessdisplay") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.gamecenter") + (global-name "com.apple.fairplayd") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.iapd.distributednotification.server") + (global-name "com.apple.mediastream.sharing-nowake") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.bird.token") + (global-name "com.apple.datamigrator.dz") + (global-name "com.apple.managedconfiguration.mdmdpush-dev") + (global-name "com.apple.coremedia.compressionsession") + (global-name "com.apple.accountsd.accessmanager") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.safarifetcherd") + (global-name "com.apple.vibrationmanagerd") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.distributed_notifications@0v3") + (global-name "com.apple.VoiceOverTouch") + (global-name "com.apple.managedconfiguration.mdmdservice") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.mobile.softwareupdated") + (global-name "com.apple.coremedia.audioprocessingtap") + (global-name 
"com.apple.iTunesStore.daemon.notifications.public") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.vsassetd") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.gamed.note") + (global-name "com.apple.WebBookmarks.webbookmarksd") + (global-name "com.apple.sharingd") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.iapd.xpc") + (global-name "com.apple.medialibraryd.xpc") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.iTunesStore.daemon.deatchwatch") + (global-name "com.apple.springboard.alerts") + (global-name "com.apple.passd.library") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.backboard.checkin") + (global-name "ScripterServer") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.coremedia.audiodeviceclock") + (global-name "com.apple.clouddbd") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.networkd") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.GSSCred") + (global-name "com.apple.assetsd.keepDaemonAlive") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.MediaControl.daemon") + (global-name "com.apple.iTunesStore.daemon-notifications") + (global-name "com.apple.springboard.UIKit.migserver") + (global-name "com.apple.iTunesStore.daemon.public") + (global-name "com.apple.instruments.server.mig") + (global-name "com.apple.ReportCrash.SafetyNet") + (global-name "com.apple.system.logger") + (global-name "com.apple.healthd.restriction") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.iaptransportd.ExternalAccessory.distributednotification.server") + (global-name "com.apple.iap2d.ExternalAccessory.distributednotification.server") + (global-name 
"com.apple.mobileipod.MPMusicPlayerControllerInternal") + (global-name "com.apple.coresymbolicationd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.mDNSResponderHelper") + (global-name "com.apple.GameController.gamecontrollerd") + (global-name "com.apple.sandboxd") + (global-name "com.apple.VoiceOverTouch.xpc") + (global-name "com.apple.apsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.ReportCrash.Jetsam") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.geod") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.ait.client") + (global-name "com.apple.coremedia.cpe") + (global-name "com.apple.commcenter.mobile-helper") + (global-name "com.apple.bypassBasebandAutoBooter.msgport") + (global-name "com.apple.webinspector") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.passd.in-app-payment") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.ReportCrash.DirectoryService") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.iapauthd") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.TextInput.shortcuts") + (global-name "com.apple.UIKit.pasteboardd") + (require-all + 
(global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.rtcreportingd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (global-name "com.apple.mobilemail") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.siri.vocabularyupdates") + (require-entitlement "com.apple.siri.synapse")) + (require-all + (global-name "com.apple.parsec.subscriptionservice.internal") + (require-entitlement "com.apple.private.subscriptionservice.internal")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.bulletinboard.observerconnection") + (require-entitlement "com.apple.bulletinboard.observer")) + (require-all + (global-name "com.apple.pegasus") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.FileCoordination") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value 
"com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.identityservicesd.embedded.auth") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.coremedia.recorder") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.assistant.analytics") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (global-name "com.apple.lskdd") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal"))) + (require-all + (global-name "com.apple.adid") + (require-entitlement "adi-client" + (entitlement-value-regex #".+"))) + (require-all + (global-name "com.apple.coreduetd") + 
(require-entitlement "com.apple.coreduetd.allow")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.cache_delete") + (require-any + (require-entitlement "com.apple.mobile.deleted.AllowFreeSpace") + (require-entitlement "com.apple.private.CacheDelete"))) + (require-all + (global-name "com.apple.mediaserverd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.bulletinboard.utilitiesconnection") + (require-entitlement "com.apple.bulletinboard.utilities")) + (require-all + (global-name "com.apple.backupd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.coreduetd") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.nanoprefsync") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (global-name "com.apple.parsec.subscriptionservice") + (require-entitlement "com.apple.smoot.subscriptionservice")) + (require-all + (global-name "com.apple.Maps.SpringBoard") + (require-entitlement "com.apple.private.signing-identifier" + 
(entitlement-value "com.apple.Maps"))) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.coremedia.asset") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (local-name "com.apple.iphone.axserver") + (require-entitlement "com.apple.accessibility.api")) + (require-all + (global-name "com.apple.absd") + (require-entitlement "abs-client" + (entitlement-value-regex #".+"))) + (require-all + (global-name "com.apple.suggestd.events") + (require-entitlement "com.apple.private.suggestions")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mobilestoredemod") + (require-entitlement "com.apple.private.mobilestoredemo.enabledemo")) + (require-all + (global-name "com.apple.coremedia.admin") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.bulletinboard.settingsconnection") + (require-entitlement "com.apple.bulletinboard.settings")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + 
(require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.harvestd.manager") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.icfcallserver") + (require-entitlement "com.apple.private.icfcallserver")) + (require-all + (global-name "com.apple.familycircle.agent") + (require-entitlement "com.apple.private.familycircle")) + (require-all + (global-name "com.apple.bulletinboard.systemstateconnection") + (require-entitlement "com.apple.bulletinboard.systemstate")) + (require-all + (global-name "com.apple.biometrickitd") + (require-entitlement "com.apple.private.bmk.allow")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.nanomaps.xpc.Maps") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal"))) + (require-all + (global-name "com.apple.safarifetcherd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (global-name "com.apple.absd") + (require-entitlement "absinthe-client" + (entitlement-value-regex #".+"))) + (require-all + (global-name "com.apple.routined.registration") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + 
(global-name "com.apple.routined.registration") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.suggestd.mail") + (require-entitlement "com.apple.private.suggestions")) + (require-all + (global-name "com.apple.AOSNotification") + (require-entitlement "com.apple.aosnotification.aosnotifyd-access")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.allow")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.suggestd.contacts") + (require-entitlement "com.apple.private.suggestions")) + (require-all + (global-name "com.apple.mobilesafari-settings") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.WebSheet"))) + (require-all + (global-name "com.apple.absinthed") + (require-entitlement "absinthe-client" + (entitlement-value-regex #".+"))) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.medialibraryd.xpc") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (global-name 
"com.apple.spotlight.SearchAgent") + (require-entitlement "com.apple.spotlight.search")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.FileCoordination") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (global-name "com.apple.managedconfiguration.profiled") + (require-entitlement "com.apple.managedconfiguration.profiled-access")) + (require-all + (global-name "com.apple.nanoprefsync") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.suggestd.suggestionmanager") + (require-entitlement "com.apple.private.suggestions")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.suggestd.spotlight") + (require-entitlement "com.apple.private.suggestions")) + (require-all + (global-name "com.apple.unfreed") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.Maps.mapspushd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (global-name "com.apple.audio.AudioSession") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value 
"com.apple.mobilemail"))) + (require-all + (global-name "com.apple.mobile.keybagd.xpc") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.WebContentFilter.remoteUI.WebContentAnalysisUI"))) + (require-all + (global-name "com.apple.bulletindistributord.server") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (global-name "com.apple.replayd") + (require-not (process-attribute is-plugin))) + (require-all + (global-name "com.apple.aps.alertprovider.xpc") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.mobile.keybagd.xpc") + (require-entitlement "platform-application")) + (require-all + (global-name "com.apple.icloud.findmydeviced") + (require-any + (require-entitlement "com.apple.aosnotification.aosnotifyd-access") + (require-entitlement "com.apple.icloud.findmydeviced.access"))) + (require-all + (global-name "com.apple.SystemConfiguration.PPPController-priv") + (require-entitlement "com.apple.networking.vpn.configuration")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-register + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (require-not (global-name-regex #"-idswake$" #".+-idswake$")) + (require-any + (local-name "com.apple.accessibility.gax.client") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (extension "com.apple.sandbox.application-group") + (local-name "com.apple.iphone.axserver") + (require-all + (global-name "com.apple.Music.MPMusicPlayerMigServerExists") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))) + (require-all + (global-name 
"com.apple.Music.MPMusicPlayerControllerInternal") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Music"))))) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (local ip "*:*") + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (require-all + (require-not (remote tcp "localhost:22")) + (require-not (remote tcp "localhost:23")) + (require-not (remote tcp "localhost:873")) + (require-not (remote tcp "localhost:62078")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/printd") + (remote ip "*:*") + (control-name "com.apple.netsrc") + (literal "/private/var/run/syslog") + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + 
(extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/") + (subpath-prefix "${HOME}")))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (literal "/private/var/run/lockdown.sock") + (require-entitlement "platform-application"))))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.adtracking") + (preference-domain "com.apple.dataaccess.dataaccessd") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.mobile.SyncMigrator") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.gamekit") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "com.apple.managedconfiguration.janitor") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.da") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.certui") + (preference-domain "com.apple.voicemail") + (preference-domain 
"com.apple.preferences-sounds") + (preference-domain "com.apple.GMM") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.gamed") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.mobilecal.alarmengine") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.ubd") + (preference-domain "com.apple.madrid") + (preference-domain "com.apple.softwareupdateservicesd") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.atc") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.compass") + (preference-domain "com.apple.mobileme.fmf.assistant") + (preference-domain "itdbprepserver") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.mms_override") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.mediaremote") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.apsd") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.LaunchServices") + (preference-domain "com.apple.ConfigServer") + (preference-domain "com.apple.OTASyncState") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.mobilenotes") + (preference-domain "com.apple.XCTest") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain 
"com.apple.network.eapclient.tls.TrustExceptions") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mmcs") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.mobilecal") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.mobilevpn") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.itdbprep.server") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.imdsmsrecordstore") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.persistentconnection-mcc") + (preference-domain "com.apple.mobiletimer") + (preference-domain "com.apple.imessage") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.celestial") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.messagesbadgecontroller") + (preference-domain "com.apple.preferences.datetime") + (preference-domain "com.apple.iqagent") + (preference-domain "mediaremote") + (preference-domain "com.apple.MobileAddressBook") + (preference-domain 
"com.apple.nike") + (preference-domain "com.apple.imagent") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.VoiceMemos") + (preference-domain "com.apple.preferences.network") + (preference-domain "com.apple.twitterd") + (preference-domain "com.apple.mobilestoresettings") + (require-all + (preference-domain "com.apple.internal.Voltaire") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.homesharing") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (preference-domain "com.apple.weather") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.books") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (preference-domain "com.apple.nanoprefsyncd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.assistant") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.AppStore") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + 
(preference-domain "com.apple.NanoMailKit") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.itunesstored") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.springboard") + (require-any + (require-entitlement "com.apple.system.get-wallpaper") + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.youtube.dp") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (preference-domain "com.apple.MobileStore") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (require-entitlement "platform-application")) + (require-all + (preference-domain "com.apple.coreaudio") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.itunesstored") + (require-any + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + 
(preference-domain "com.apple.springboard") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.nanoprefsyncd") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.stocks.watchkitextension"))) + (require-all + (preference-domain "com.apple.demo-settings") + (require-entitlement "platform-application")) + (require-all + (preference-domain "com.skyhookwireless.wps") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.cloud.quota") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (preference-domain "com.apple.cloud.quota") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.medialibrary") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + (preference-domain "com.apple.GMM") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.mobileipod") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")))) + (require-all + 
(preference-domain "com.apple.OTASyncState") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.springboard") + (require-any + (require-entitlement "com.apple.media.ringtones.read-only") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) + (require-all + (preference-domain "com.apple.MailAccount-ExtProperties") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.itunesstored") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.WebFoundation") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.mobilesafari") + (entitlement-value "com.apple.webbookmarksd") + (entitlement-value "com.apple.Safari.SocialHelper") + (entitlement-value "com.apple.safarifetcherd")))) + (require-all + (preference-domain "com.apple.avfoundation") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.mail.composition") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.coremedia") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.OTASyncAgent") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.mobileipod") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain 
"com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mediaaccessibility.public") + (require-all + (preference-domain "com.apple.springboard") + (require-entitlement "com.apple.system.set-alert-tone")) + (require-all + (preference-domain "com.apple.internal.Voltaire") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.cloud.quota") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.iCloudDriveApp"))) + (require-all + (preference-domain "com.apple.youtube.dp") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari"))) + (require-all + (preference-domain "com.apple.mail.composition") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.OTASyncAgent") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.mobileipod") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))) + (require-entitlement "com.apple.container2"))) + (require-all + (preference-domain "com.apple.GMM") + (require-entitlement "com.apple.private.signing-identifier" 
+ (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.itunesstored") + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilesafari")) + (require-entitlement "com.apple.container2") + (require-entitlement "com.apple.private.signing-identifier" + (require-any + (entitlement-value "com.apple.iBooks") + (entitlement-value "com.apple.itunesu"))))) + (require-all + (preference-domain "com.apple.assistant") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.NanoMailKit") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.MailAccount-ExtProperties") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.OTASyncState") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail"))) + (require-all + (preference-domain "com.apple.itunesstored") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (preference-domain "com.skyhookwireless.wps") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps"))) + (require-all + (preference-domain "com.apple.cloud.quota") + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.mobilemail")))) +(allow process-info-pidinfo + (target self) + (require-entitlement "com.apple.security.exception.process-info") + (require-all + (target others) + (require-entitlement "com.apple.DiagnosticExtensions.extension"))) +(allow process-info-pidfdinfo + (target self) + (require-entitlement "com.apple.security.exception.process-info")) +(allow process-info-setcontrol + (target self)) +(allow pseudo-tty) +(allow signal + 
(target self) + (require-all + (target others) + (require-entitlement "com.apple.DiagnosticExtensions.extension")) + (require-all + (target others) + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.webbookmarksd")))) +(allow sysctl-read + (require-all + (sysctl-name-regex #"^kern[.]proc[.]") + (require-entitlement "com.apple.security.exception.process-info")) + (require-all + (require-not (sysctl-name "kern.proc.pid.1")) + (require-any + (require-not (sysctl-name-regex #"^kern[.]proc[.]")) + (require-entitlement "com.apple.DiagnosticExtensions.extension")))) +(allow system-info + (require-all + (info-type "net.link.addr") + (require-entitlement "fairplay-client") + (require-not (require-entitlement "com.apple.private.MobileGestalt.AllowedProtectedKeys")))) +(allow system-privilege) +(allow system-socket + (socket-domain AF_ROUTE) + (require-all + (socket-domain AF_SYSTEM) + (socket-protocol 2)) + (require-all + (socket-domain 39) + (require-any + (require-entitlement "com.apple.private.signing-identifier" + (entitlement-value "com.apple.Maps")) + (require-entitlement "com.apple.network.multipath-tcp")))) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb.xml new file mode 100644 index 00000000..d3f890fe --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/container.sb.xml @@ -0,0 +1,29 @@ + + + + + + + + + +]> + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb new file mode 100644 index 00000000..1cd194de --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb 
@@ -0,0 +1,411 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd$")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd$")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd$")) + (require-all + (extension-class 
"com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (subpath "/private/var/mobile/Library/MobileContainerManager") + (regex #"^/private/var/mobile/Library/Backup/SystemContainers" #"^/private/var/euser[0-9]+/Library/Backup/SystemContainers") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal "/private/var/root/Library/Preferences/com.apple.containermanagerd.plist") + (literal "/private/var/root/Library/MobileContainerManager.") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd$") + (subpath "/private/var/db/timezone") + (literal "/private/var/mobile/Library/MobileContainerManager.") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath "/private/var/installd/Library/Caches") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex 
#"^/private/var/mobile/Library/Caches/com.apple.containermanagerd" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.containermanagerd") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath "/private/var/mobile/Library/Logs/MobileContainerManager") + (subpath "/private/var/root/Library/Logs/MobileContainerManager") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/containers") + (literal "/dev/aes_0") + (subpath "/private/var/root/Library/MobileContainerManager") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (regex #"^/private/var/mobile/Containers" #"^/private/var/euser[0-9]+/Containers") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal "/private/var/installd/Library") + (literal "/private/var/mobile/Library"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/root/Library/Caches") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/mobile/Library/Caches/com.apple.containermanagerd" 
#"^/private/var/euser[0-9]+/Library/Caches/com.apple.containermanagerd") + (literal "/private/var/root/Library/MobileContainerManager.") + (subpath "/private/var/mobile/Library/MobileContainerManager") + (regex #"^/private/var/mobile/Library/Backup/SystemContainers" #"^/private/var/euser[0-9]+/Library/Backup/SystemContainers") + (subpath "/private/var/mobile/Library/Logs/MobileContainerManager") + (literal "/private/var/root/Library/Preferences/com.apple.containermanagerd.plist") + (subpath "/private/var/root/Library/Logs/MobileContainerManager") + (subpath "/private/var/containers") + (literal "/private/var/mobile/Library/MobileContainerManager.") + (subpath "/private/var/root/Library/MobileContainerManager") + (subpath "/private/var/installd/Library/Caches") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]containermanagerd$") + (regex #"^/private/var/mobile/Containers" #"^/private/var/euser[0-9]+/Containers") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal "/private/var/installd/Library") + (literal "/private/var/mobile/Library"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd$")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd/" 
#"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]containermanagerd$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow ipc-posix-sem + (ipc-posix-name "containermanagerd.fb_check")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + 
(global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow 
process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/containermanagerd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb new file mode 100644 index 00000000..8bccf5ee --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb 
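Review bot: The golden output for containermanagerd.sb freezes a filter that can never match: inside `(allow file-read* …)` the clause `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") … (literal "/") …))` requires a single vnode to be both a block and a character device, and the same shape recurs under `file-write*` around the CoreDuet `interactionC.db-journal` path. Paths such as `/private/etc/passwd` and `/` are plainly not device nodes, so this reads like a lost negation in the decompiler (a pair of `(require-not (vnode-type …))` filters would make sense there), though that cannot be confirmed from the listing alone. Because this file is committed as the expected result, the test would pin the suspected mis-decompilation and report a later fix as a regression; I would check this clause against the profile bytes before merging, or record it as a known deviation in the test harness rather than in the reference file. The file also repeats identical clauses verbatim — `(regex #"^/private/var/containers/Data/System/[^/]+/")` twice at the top of `file-issue-extension`, and the `com.apple.sandbox.system-container` require-all twice inside `file-read*` — which is worth confirming is genuine to the profile and not an emitter artifact being locked in.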
@@ -0,0 +1,170 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/root/Library/Caches") + (vnode-type 
DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/root/Library/Caches/com.apple.coresymbolicationd") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library/Caches/com.apple.coresymbolicationd") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/coresymbolicationd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb new file mode 100644 index 00000000..787a2cf5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb 
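Review bot: The coresymbolicationd.sb reference contains a bare contradictory filter under `file-read*`, `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE))`, and a second one under `file-write*` that additionally requires `(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")` — neither can ever be satisfied, since a vnode has exactly one type. This looks like a negation dropped during decompilation rather than something the kernel profile actually encodes, but the hunk gives no way to verify that; as committed, the test asserts the questionable form is correct. I would compare this clause with the raw rule in the profile before accepting the file as golden, or mark it as an expected deviation in the harness so a decompiler fix does not fail the test. Separately, `file-read*` lists `(require-all (extension "com.apple.sandbox.system-container") (require-entitlement "com.apple.security.system-container"))` twice; if the emitter is meant to deduplicate, the reference should be regenerated after that is fixed rather than pinning the duplicate.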
@@ -0,0 +1,173 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Logs") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/logs/WirelessLibraryLogs") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath "/private/var/logs/MobileLibraryLogs") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/logs/MobileMediaFactoryLogs") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/logs/WirelessLibraryLogs") + (subpath "/private/var/logs/MobileLibraryLogs") + (subpath "/private/var/logs/MobileMediaFactoryLogs") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/cplogd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + 
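Review bot: The `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") ...))` filter inside the file-read* rule of cplogd.sb can never match, because a vnode has exactly one type, so every path under that require-any (/, /private/etc/hosts, the CoreDuet entries) is effectively denied by this reference. The same two types appear negated as `(require-not (vnode-type BLOCK-DEVICE)) (require-not (vnode-type CHARACTER-DEVICE))` around an otherwise identical path list in the dataaccessd.sb reference later in this patch, which suggests the positive form here is a decompilation artefact rather than the real policy; the same shape recurs in this file's file-write* rule. Since these files are committed as expected output, the test will lock that output in, so it is worth confirming against the original profile before merging.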
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb new file mode 100644 index 00000000..19b1a642 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb 
@@ -0,0 +1,512 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") 
+ (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${HOME}/Library/Safari/com.apple.Bookmarks.lock") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-shm") + (literal "/dev/urandom") + (subpath-prefix "${HOME}/Library/Logs/DataMigration") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (subpath-prefix "${HOME}/Library/Mail") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Library/Logs") + (subpath "/AppleInternal/Library/Frameworks") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.objectcreation.lock") + (extension "com.apple.sandbox.executable") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.autoincrement.lock") + (subpath "/System/Library") + (literal-prefix "${HOME}/Library/Caches") + (subpath-prefix "${HOME}/Library/DataAccess") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-journal") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.dataaccess.dataaccessd") + (subpath-prefix "${HOME}/Library/Logs/DataAccess") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (subpath-prefix 
"${HOME}/Library/Notes") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Preferences") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Logs/Message") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.sharedstore.lock") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal "/dev/aes_0") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath-prefix "${HOME}/Library/Caches/DataAccess") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Caches/com.apple.mobilesafari/ReadingListArchives") + (subpath "/private/var/Managed Preferences/mobile") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Logs/ManagedConfiguration") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Calendar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (subpath "/usr/lib") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${HOME}/Library/Safari") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" 
#"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (require-not (regex #"^/private/var/mobile/Library/" #"^/private/var/euser[0-9]+/Library/")) + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix 
"${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/Cookies/com.apple.dataaccessd.binarycookies" #"^/private/var/mobile/Library/Cookies/com.apple.dataaccessd..+binarycookies" #"^/private/var/euser[0-9]+/Library/Cookies/com.apple.dataaccessd..*binarycookies") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/DataMigration") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Safari/com.apple.Bookmarks.lock") + (subpath-prefix "${HOME}/Library/Caches/com.apple.dataaccess.dataaccessd") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath 
"/private/var/Managed Preferences/mobile") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath-prefix "${HOME}/Library/Logs/DataAccess") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (subpath-prefix "${HOME}/Library/Notes") + (subpath-prefix "${HOME}/Library/Mail") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.sharedstore.lock") + (subpath-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath-prefix "${HOME}/Library/Logs/Message") + (subpath-prefix "${HOME}/Library/Logs/ManagedConfiguration") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.objectcreation.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.notes.autoincrement.lock") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Caches/DataAccess") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-shm") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-wal") + (subpath-prefix "${HOME}/Library/DataAccess") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-journal") + (subpath-prefix "${HOME}/Library/Calendar") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db") + (literal-prefix "${HOME}/Library/Safari") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + 
(require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/" 
#"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]dataaccess[.]dataaccessd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Cookies/com.apple.dataaccessd.binarycookies" #"^/private/var/mobile/Library/Cookies/com.apple.dataaccessd..+binarycookies" #"^/private/var/euser[0-9]+/Library/Cookies/com.apple.dataaccessd..*binarycookies") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Safari")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (subpath-prefix "${HOME}/Library/Caches/com.apple.mobilesafari/ReadingListArchives") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.DataMigration") + 
(require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-privilege) +(allow system-sched) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb.xml new file mode 100644 index 00000000..b7536db8 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/dataaccessd.sb.xml @@ -0,0 +1,44 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb new file mode 100644 index 00000000..7f7e9393 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb 
@@ -0,0 +1,166 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (subpath "/Applications") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/System/Library") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow 
mach-priv-task-port) +(allow network-inbound + (local tcp "localhost:*") + (remote tcp "localhost:*")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (regex #"^/private/var/run/lockdown/checkin") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-exec* + (require-all + (require-not (subpath-prefix "${FRONT_USER_HOME}/Containers")) + (require-not (subpath "/private/var/containers")) + (debug-mode))) +(allow process-fork + (debug-mode)) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-debug) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb.xml new file mode 100644 index 00000000..c2f49fe7 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/debugserver.sb.xml @@ -0,0 +1,46 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb new file mode 100644 index 00000000..da7daa3a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb 
@@ -0,0 +1,251 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cache_delete.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (subpath "/AppleInternal/Library/CacheDelete") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath-prefix "${HOME}/Library/Logs/CacheDelete") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/AppleInternal/Library/CacheDelete") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.cache_delete.plist") + (subpath-prefix "${HOME}/Library/Logs/CacheDelete") + (subpath 
"/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + 
(global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name-regex #"^com[.]apple[.]mobile[.]cache_delete_") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name-regex #"^com[.]apple[.].+cache-delete$") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name-regex #"^com[.]apple[.].+[Cc]ache[Dd]elete$") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) 
+(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.cache_delete") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.cache_delete")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-fsctl + (fsctl-command (_IO "h" 24))) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/deleted.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb new file mode 100644 index 00000000..37135f0e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb 
@@ -0,0 +1,337 @@ +(version 1) +(deny default) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Logs/coreduetd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath-prefix "${HOME}/Library/CallHistoryDB") + (literal "/dev/zero") + (subpath "/usr/share") + (literal-prefix "${HOME}/Library/Logs/duetexpertd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (subpath-prefix "${HOME}/Library/CoreDuet") + (subpath "/usr/libexec") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Library/DuetExpertCenter") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.spotlightui.plist") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex 
#"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DuetExpertCenter.AppPredictionExpert.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/AddressBook") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.duetexpertd.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (subpath-prefix "${HOME}/Library/Logs/CallHistory") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/MobileAsset") + (extension 
"com.apple.assets.read")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + 
(extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/CallHistoryDB") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath-prefix "${HOME}/Library/CoreDuet") + (subpath-prefix "${HOME}/Library/DuetExpertCenter") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DuetExpertCenter.AppPredictionExpert.plist") + (literal-prefix "${HOME}/Library/Logs/coreduetd.log") + (subpath-prefix "${HOME}/Library/AddressBook") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.duetexpertd.plist") + (subpath-prefix "${HOME}/Library/Logs/CallHistory") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/duetexpertd.log") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (subpath-prefix 
"${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.calaccessd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name 
"com.apple.spotlight.IndexAgent") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.coreduetd.batterysaver") + (global-name "com.apple.routined.registration") + (global-name "com.apple.lsd") + (global-name "com.apple.springboard.services") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.aggregated") + (global-name "com.apple.CallHistorySyncHelper") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.imagent.embedded.auth") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.duet.expertcenter") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.xpcd") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.coreduetd.knowledge") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.coreduetd.knowledgebase") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.DuetExpertCenter.AppPredictionExpert") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (preference-domain "com.apple.message") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.duetexpertd") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.spotlightui") + (preference-domain "com.apple.MobileAsset") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.DuetExpertCenter.AppPredictionExpert") + (preference-domain 
"com.apple.mediaremote") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.duetexpertd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/duetexpertd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb new file mode 100644 index 00000000..78f0f673 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb 
@@ -0,0 +1,654 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") 
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/usr/libexec") + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.notbackedup.plist") + (literal "/dev/null") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.migration.plist") + (extension "com.apple.sandbox.executable") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal "/private/var/empty") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath-prefix "${HOME}/Library/VoiceTrigger") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/MDM.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.notbackedup.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist") + (literal-prefix 
"${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (literal "/usr/libexec/findmydeviced") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.watch.notbackedup.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.managedconfiguration.notbackedup.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/CloudConfigurationDetails.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]icloud[.]findmydeviced" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]icloud[.]findmydeviced" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]icloud[.]findmydeviced") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]icloud[.]findmydeviced[.]watch" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]icloud[.]findmydeviced[.]watch") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/MDM.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/MDM.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/MDM.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" 
#"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.watch.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.notbackedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.FMIPAccounts.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]icloud[.]findmydeviced[.]watch" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]icloud[.]findmydeviced[.]watch") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]icloud[.]findmydeviced" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]icloud[.]findmydeviced" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]icloud[.]findmydeviced") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]findmydeviced$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex 
#"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (regex #"^/private/var/mobile/Library/VoiceTrigger/SAT/[^/]+/audio/enrollment_completed$" #"^/private/var/euser[0-9]+/Library/VoiceTrigger/SAT/[^/]+/audio/enrollment_completed$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "ProvInfoIOKitUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "RootDomainUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-sem + (ipc-posix-name "findmydeviced.boot_check")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "com.apple.absd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.mobile.obliteration") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nfcd.hwmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name 
"com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.springboard.services") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name "com.apple.ak.anisette.xpc") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.apsd") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.adid") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name 
"com.apple.usernotification.notificationscheduler") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.absinthed") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement 
"platform-application"))) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote tcp "*:*") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/syslog") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced.FMIPAccounts") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.migration") + (preference-domain "com.apple.icloud.findmydeviced.watch.notbackedup") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.voicetrigger") + (preference-domain "com.apple.purplebuddy.notbackedup") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.managedconfiguration.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced.notbackedup") + 
(preference-domain "com.apple.carrier") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.AOSNotification.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.icloud.findmydeviced.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced.FMIPAccounts") + (preference-domain "com.apple.icloud.findmydeviced.FMIPAccounts.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.icloud.findmydeviced.watch.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/findmydeviced.sb.xml 
@@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb new file mode 100644 index 00000000..736460d8 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb 
@@ -0,0 +1,592 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + 
(require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/usr/libexec") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.fmfd.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.fmfd.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/usr/libexec/fmfd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (extension "com.apple.sandbox.executable") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal "/private/var/empty") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (require-all + (regex 
#"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/dev/aes_0") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix 
"${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]icloud[.]fmfd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]icloud[.]fmfd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]icloud[.]fmfd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" 
#"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.fmfd.notbackedup.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.fmfd.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension 
"com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]icloud[.]fmfd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]icloud[.]fmfd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]icloud[.]fmfd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]icloud[.]fmfd$") + (subpath-prefix "${HOME}"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + 
(require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.geod") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + 
(global-name "com.apple.icloud.fmfd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.apsd") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name 
"com.apple.lsd.mapdb") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.marco") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + 
(require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.fmfd") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.icloud.fmfd.notbackedup") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.da") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.icloud.fmfd") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.icloud.fmfd.notbackedup")) +(allow process-info*) +(allow process-info-listpids) +(allow 
process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/fmfd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb new file mode 100644 index 00000000..71ca0f97 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb 
@@ -0,0 +1,137 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.xpcd") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name 
"com.apple.nehelper") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.MobileInternetSharing") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.aggregated") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.pfd") + (global-name "com.apple.tccd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + 
(require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-inbound) +(allow network-bind) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (local ip "*:*") + (control-name "com.apple.netsrc") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb.xml new file mode 100644 index 00000000..cf8816c7 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ftp-proxy-embedded.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb new file mode 100644 index 00000000..d78ceb2b --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb 
@@ -0,0 +1,591 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + 
(extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/GameKit") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + 
(extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal "/usr/libexec/gamed") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoConference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/gamed") 
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (subpath-prefix "${HOME}/Library/GameKit") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.sandbox.executable") + (subpath-prefix "${HOME}/Library/Logs/awd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/containers/Bundle") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath-prefix 
"${HOME}/Library/Logs/GameKit") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gamed.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Caches/com.apple.VideoConference") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + (subpath-prefix "${HOME}/Library/Caches/GameKit") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gamecenter.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/com.apple.gamed") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]gamed" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]gamed" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]gamed") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + 
(require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath-prefix "${HOME}/Library/Caches/GameKit") + (subpath-prefix "${HOME}/Library/Logs/awd") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gamecenter.plist") + (subpath-prefix "${HOME}/Library/GameKit") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/gamed") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + 
(subpath-prefix "${HOME}/Library/Logs/GameKit") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/Caches/com.apple.gamed") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.VideoConference") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gamed.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]gamed" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]gamed" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]gamed") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any 
+ (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.iTunesStore.daemon.deatchwatch") + (global-name "com.apple.coremedia.capturesource") + 
(global-name "com.apple.coremedia.asset") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.marco") + (global-name "com.apple.iTunesStore.daemon-notifications") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.iTunesStore.daemon") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilemail.services.xpc") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.authkit.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.springboard.services") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") 
+ (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.coremedia.mutablecomposition") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.apsd") + (global-name "com.apple.GameController.gamecontrollerd") + (global-name "com.apple.lsd") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.gamecenter") + (global-name "com.apple.fairplayd") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.pegasus") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.networkd") + (global-name "com.apple.gamecenter.gsEvents") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name 
"com.apple.coremedia.remaker") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/run/syslog") + (remote ip "*:*") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain 
"com.apple.WebFoundation") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.VideoConference") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.gamecenter") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.gamed") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.accountsd") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.gamecenter") + (preference-domain "com.apple.gamed") + (preference-domain "com.apple.PeoplePicker")) +(allow process-exec* + (literal "/usr/libexec/gamed")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow 
process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb.xml new file mode 100644 index 00000000..c3c699a4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gamed.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb new file mode 100644 index 00000000..1f564bcf --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb @@ -0,0 +1,19 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow iokit-get-properties) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb.xml new file mode 100644 index 00000000..c5c1c883 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geocorrectiond.sb.xml @@ -0,0 +1,37 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb new file mode 100644 index 00000000..f7430a72 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb 
@@ -0,0 +1,483 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow 
file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal "/dev/urandom") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-journal") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (subpath-prefix "${HOME}/Library/Caches/GeoServices") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${HOME}/Library/Caches/MapTiles") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.GeoServices") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-wal") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-journal") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-wal") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal 
"/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath-prefix "${HOME}/Library/GeoServices") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-shm") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-shm") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist") + (literal "/dev/random") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ConfigServer.plist") + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/CloudConfigurationDetails.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/CloudConfigurationDetails.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-journal") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.GMM.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb") + (subpath-prefix "${HOME}/Library/Caches/com.apple.GeoServices") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/kCFPreferencesAnyApplication.plist") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-shm") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb-wal") + (subpath-prefix "${HOME}/Library/GeoServices") + (subpath-prefix "${HOME}/Library/Caches/GeoServices") + (literal-prefix "${HOME}/Library/Caches/MapTiles") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-shm") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb-wal") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles")) + (require-all + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/MapTiles"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Caches/MapTiles/MapTiles.sqlitedb") + (literal-prefix "${HOME}/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + 
(vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.networkd") + (global-name "com.apple.marco") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.gmmd.cookie") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + 
(global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + 
(global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (remote ip "*:*") + (literal "/private/var/run/syslog") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.GMM") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.ConfigServer") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.GMM")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow 
sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/geod.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb new file mode 100644 index 00000000..473c7975 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb 
@@ -0,0 +1,483 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") 
+ (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.StreamingUnzipService") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gizmoappd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Library/Caches/com.apple.watchkit.imagecache") + (subpath "/private/var/containers/Bundle/Application") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" 
#"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nano-complications$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nano-complications$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Preferences/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Preferences/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + 
(require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Caches/com.apple.watchkit.imagecache") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Caches/com.apple.AppConduit.staging") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.gizmoappd.plist") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Preferences/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Preferences/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gizmoappd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.carousel.tilenavigation") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.misagent") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.carousel.glanceservice") + (global-name "com.apple.xpcd") + (global-name 
"com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.lsd.open") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.cache_delete") + (global-name "com.apple.carousel.backlightxpc") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.NanoRegistry") + (preference-domain 
"com.apple.UIKit") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.gizmoappd") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.marco") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.gizmoappd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb.xml new file mode 100644 index 00000000..14606502 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gizmoappd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb new file mode 100644 index 00000000..abce2511 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb 
@@ -0,0 +1,394 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd$")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd$")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd$")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/root/Library/Caches") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/root/Library/Caches/com.apple.opengl") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${FRONT_USER_HOME}/Library/GPUTools") + (regex 
#"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]gputoolsd$") + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd$")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]gputoolsd$"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement 
"com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "IOAccelContext")) +(allow iokit-get-properties) +(allow ipc-posix-shm*) +(allow ipc-posix-shm-read*) +(allow ipc-posix-shm-read-data) +(allow ipc-posix-shm-read-metadata) +(allow ipc-posix-shm-write*) +(allow ipc-posix-shm-write-create) +(allow ipc-posix-shm-write-data) +(allow ipc-posix-shm-write-unlink) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.springboard.services") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name 
"com.apple.gpumemd.source") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coresymbolicationd") + (global-name "com.apple.system.logger") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.appwatchdog") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.springboard.icongeneration") + (global-name "com.apple.lockdown.host_watcher") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-priv-task-port) +(allow network-outbound + (require-all + 
(require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/gputoolsdhelper.sock") + (local tcp "localhost:*") + (regex #"^/private/var/run/lockdown/checkin") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-exec* + (literal "/Developer/usr/libexec/gputoolsd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb.xml new file mode 100644 index 00000000..46d08f31 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/gputoolsd.sb.xml @@ -0,0 +1,50 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb new file mode 100644 index 00000000..c7a16cd8 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb 
@@ -0,0 +1,515 @@ +(version 1) +(deny default) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/awd/awd-healthd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Fitness.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanolifestyle.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.companionsync.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.nanolifestyle.privacy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.healthlite.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.healthd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/Applications/Fitness.app") + (subpath "/private/var/tmp") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + 
(literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-wal") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Health") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-journal") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/Applications/Health.app") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-shm") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (literal-prefix "${HOME}/Library/CompanionSyncCaches") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]pairedsync[.]healthd[.]syncCoordinator" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]pairedsync[.]healthd[.]syncCoordinator") + (subpath-prefix "${HOME}")) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]health[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]health[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]health[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]healthd" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle[.]privacy" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]healthd" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle[.]privacy") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]private[.]alloy[.]health[.]sync[.]low" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]private[.]alloy[.]health[.]sync[.]low") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/com[.]apple[.]pairedsync[.]healthd[.]" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/com[.]apple[.]pairedsync[.]healthd[.]") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/HealthKit" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/HealthKit") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/Health$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/Health/" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/Health$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/Health/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanolifestyle.plist") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-journal") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.Fitness.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal-prefix "${HOME}/Library/CompanionSyncCaches") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.healthd.plist") + (subpath-prefix "${HOME}/Library/Health") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low-shm") + (literal-prefix "${HOME}/Library/Logs/awd/awd-healthd.log") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanolifestyle.privacy.plist") + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]pairedsync[.]healthd[.]syncCoordinator" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]pairedsync[.]healthd[.]syncCoordinator") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]healthd" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle[.]privacy" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]healthd" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]nanolifestyle[.]privacy") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/com[.]apple[.]pairedsync[.]healthd[.]" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/com[.]apple[.]pairedsync[.]healthd[.]") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CompanionSync")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]health[.]sync" 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]health[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]health[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/HealthKit" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/HealthKit") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/Health$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/Health/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/Health$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/Health/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]private[.]alloy[.]health[.]sync[.]low" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]private[.]alloy[.]health[.]sync[.]low") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/CompanionSyncCaches"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix 
"${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/CompanionSyncCaches/com.apple.private.alloy.health.sync.low") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-owner + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow 
iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.springboard.services") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.routined.registration") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.marco") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name 
"com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.coreduetd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.awdd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.system.libinfo.muser") + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.PeoplePicker") + (preference-domain 
"com.apple.demo-settings") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.healthlite") + (preference-domain "com.apple.Fitness") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.nanolifestyle") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.nanolifestyle.privacy") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.companionsync") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.healthd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Fitness") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.healthd") + (preference-domain "com.apple.nanolifestyle") + (preference-domain "com.apple.nanolifestyle.privacy")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb.xml
new file mode 100644
index 00000000..c9d99090
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/healthd.sb.xml
@@ -0,0 +1,39 @@
+ + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + +
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb
new file mode 100644
index 00000000..fd7d8775
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb
@@ -0,0 +1,559 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (subpath-prefix "${HOME}/Media/Radio") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.TelephonyUtilities.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (subpath-prefix 
"${HOME}/Library/CallHistoryDB") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iap2d") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.logging.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.assistivetouchd.enabled.launchd") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/iapd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.mobilegestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal "/private/var/preferences/SystemConfiguration/com.apple.wifi.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/haywire") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + 
(extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/tmp") + (subpath "/usr/sbin") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/mp") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/iap2d") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/Panics") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath-prefix "${HOME}/Media/iTunes_Control") + (literal-prefix "${FRONT_USER_HOME}/Library/ExternalAccessory") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iaptransportd.plist") + (literal "/dev/aes_0") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/dev/zero") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iap2d.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal 
"/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + 
(regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Preferences/com.apple.assistivetouchd.enabled.launchd") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Media/Radio") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/mp") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/haywire") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/iapd") + (subpath-prefix "${HOME}/Library/CallHistoryDB") + (subpath-prefix "${HOME}/Media/iTunes_Control") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/Panics") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iap2d") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/iap2d") + (subpath "/private/var/tmp") + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iap2d.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iaptransportd.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]iapd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${FRONT_USER_HOME}/Library/ExternalAccessory")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + 
(literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow mach-register + (global-name "com.apple.iaptransportd.ExternalAccessory.distributednotification.server") + (global-name "com.apple.iap2d.ExternalAccessory.distributednotification.server") + (global-name "com.apple.ExternalAccessory.distributednotification.server") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-bind + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote udp "*:*") + (remote tcp "*:*") + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension 
"com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.Preferences") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.iaptransportd") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.suggestions") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.iap2d") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.da") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.TelephonyUtilities") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.assistant.logging") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain 
"com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.iap2d") + (preference-domain "com.apple.iaptransportd") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mediaremote")) +(allow process-exec* + (literal "/System/Library/PrivateFrameworks/IAP.framework/Support/iap2d") + (literal "/System/Library/PrivateFrameworks/IAP.framework/Support/iapd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-kext-load + (kext-bundle-id "com.apple.driver.AppleUSBAudio") + (kext-bundle-id "com.apple.driver.AppleUSBDeviceAudioController") + (kext-bundle-id "com.apple.driver.usb.IOUSBHostHIDDevice") + (kext-bundle-id "com.apple.driver.usb.cdc.ecm") + (kext-bundle-id "com.apple.driver.usb.networking") + (kext-bundle-id "com.apple.driver.usb.cdc.ncm") + (kext-bundle-id "com.apple.driver.usb.cdc")) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb.xml new file mode 100644 index 00000000..5885e3b4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/iapd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb new file mode 100644 index 00000000..e44936e8 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb 
@@ -0,0 +1,576 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.identityservices.deliver") + (subpath-prefix "${HOME}/Library/IdentityServices")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow 
file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/bin/sh") + (literal "/dev/null") + (literal "/dev/urandom") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.deviceproperties.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-identityservicesd.log") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (extension "com.apple.identityservices.send") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (subpath "/AppleInternal") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.identityservices.idstatuscache.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.setmme") + (extension "com.apple.sandbox.executable") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.registration.plist") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.migration.plist") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.notbackedup.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/var/preferences/SystemConfiguration/preferences.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.ids.service.") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.subservices.plist") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal "/dev/dtracehelper") + (subpath-prefix "${HOME}/Library/IdentityServices") + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.identityservicesd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/usr/local/bin/figplaySS") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]identityservicesd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]identityservicesd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]identityservicesd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" 
#"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix 
"${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.identityservices.idstatuscache.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter") + (subpath-prefix "${HOME}/Library/IdentityServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.identityservicesd.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-identityservicesd.log") + (extension "com.apple.identityservices.send") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.deviceproperties.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.subservices.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Preferences/com.apple.ids.service.") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]identityservicesd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]identityservicesd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]identityservicesd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + 
(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.server.bluetooth.le.pipe.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.marco") + (global-name "com.apple.absd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.idsremoteurlconnectionagent.embedded.auth") + (global-name "com.apple.coreduetd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.WirelessCoexManager") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.datamigrator") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.cookied") + (global-name 
"com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.apsd") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.lsd") + (global-name "com.apple.imtransferservices.IMTransferAgent") + (global-name "com.apple.wirelessproxd") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.awdd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.absinthed") + (global-name "com.apple.networkd") + (global-name "com.apple.idscredentialsagent.embedded.auth") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name-regex #"-idswake$" #".+-idswake$") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.pairedsyncd.syncstate") + 
(global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (local ip "*:*")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/syslog") + (remote ip 
"*:*") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.migration") + (preference-domain "com.apple.imessage") + (preference-domain "com.apple.ids.subservices") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.facetime.bag") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.imessage.bag") + (preference-domain "com.apple.da") + (preference-domain "com.apple.registration") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.purplebuddy.notbackedup") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.identityservicesd") + (preference-domain "com.apple.identityservices.idstatuscache") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.ids.deviceproperties") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.ids.deviceproperties") + (preference-domain "com.apple.imessage.bag") + (preference-domain "com.apple.ids.subservices") + (preference-domain "com.apple.identityservicesd") + (preference-domain 
"com.apple.facetime.bag") + (preference-domain "com.apple.identityservices.idstatuscache") + (preference-domain "com.apple.conference")) +(allow process-exec* + (literal "/bin/sh") + (literal "/usr/local/bin/figplaySS")) +(allow process-fork) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb.xml new file mode 100644 index 00000000..78d52661 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/identityservicesd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb new file mode 100644 index 00000000..73ea0ee5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb 
@@ -0,0 +1,569 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + 
(extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class 
"com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.StreamingUnzipService") + (subpath-prefix "${HOME}/Media/Downloads")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (subpath-prefix "${HOME}/Library/Caches/Snapshots") + (subpath-prefix "${HOME}/Library/Logs/com.apple.itunesstored") + (literal "/dev/ptmx") + (subpath-prefix "${HOME}/Media") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.storeServices.analytics") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/containers/Bundle") + (subpath-prefix "${HOME}/Library/Cookies") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/dev/aes_0") + (subpath-prefix "${HOME}/Library/MusicLibrary") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath "/usr/share") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/com.apple.itunesstored") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal "/dev/random") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$") + 
(subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix 
"${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]itunesstored" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]itunesstored" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]itunesstored") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension 
"com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (subpath-prefix "${HOME}/Media") + (subpath-prefix "${HOME}/Library/Logs/com.apple.itunesstored") + (subpath-prefix "${HOME}/Library/MusicLibrary") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.storeServices.analytics") + (subpath-prefix "${HOME}/Library/Caches/sharedCaches") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/Caches/com.apple.iTunesStore") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/com.apple.itunesstored") + (subpath-prefix "${HOME}/Library/Caches/Snapshots") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]itunesstored" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]itunesstored" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]itunesstored") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]itunesstored$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow 
mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.medialibraryd.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.absd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.cookied") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.springboard.services") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + 
(global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.apsd") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.adid") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.biometrickitd") + (global-name "com.apple.AssetCacheLocatorService") + (global-name "com.apple.mediaartworkd.xpc") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.securityd") + (global-name "com.apple.cache_delete") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.absinthed") + (global-name "com.apple.networkd") + (global-name "com.apple.ondemandd.itunesstored") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + 
(require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.medialibrary") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain 
"com.apple.itunesstored")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/itunesstored.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb new file mode 100644 index 00000000..4f5d5d43 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb 
@@ -0,0 +1,419 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (extension "com.apple.sandbox.executable") + 
(subpath "/System/Library") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" 
#"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$") + (subpath-prefix "${HOME}"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "IOAccelContext2")) +(allow iokit-get-properties) 
+(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.iohideventsystem") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.xpcd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.lsd") + (global-name "com.apple.springboard.services") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.UIKit.statusbarserver") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.system.logger") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.aggregated") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.diagnosticd") + 
(global-name "com.apple.fig.movie") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.uikit.GestureServer") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow mach-register + (local-name "com.apple.iphone.axserver") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/syslog") + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}"))))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info-pidinfo + (require-entitlement "com.apple.security.exception.process-info")) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb.xml new file mode 100644 index 00000000..bc9a832f 
--- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/keyboard.sb.xml @@ -0,0 +1,32 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb new file mode 100644 index 00000000..787af27d --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb 
@@ -0,0 +1,353 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.librarian.ubiquity-container"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension-class "com.apple.librarian.ubiquity-revision")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + 
(extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (literal "/dev/random") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${HOME}/Library/Application Support") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/db/timezone") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.librariand.plist") + (subpath-prefix "${HOME}/Library/Application Support/Librarian") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/librariand.log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/librariand.log") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.librariand.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (literal-prefix "${HOME}/Library/Application Support") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/Application Support/Librarian") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (regex 
#"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/librariand.log" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/librariand.log") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + 
(global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.ubd") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension 
"com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.librariand") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.librariand")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/librariand.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb new file mode 100644 index 00000000..d4d54c6f --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb 
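Review bot: In librariand.sb the `file-read*` filter `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE))` and the `file-write*` filter `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") ...)` can never be satisfied, because a vnode has exactly one type; the same shape recurs in the `file-read*` rule of limitadtrackingd.sb, wrapped around the `/private/etc/hosts` ... `/` literals. The profile immediately preceding this one in the patch (presumably keyboard.sb) renders the identical interactionC.db-journal rule as `(require-not (vnode-type BLOCK-DEVICE))` / `(require-not (vnode-type CHARACTER-DEVICE))`, so this looks like a decompilation artifact where the negation was dropped rather than a real difference in the device's policy. Committing these files as reference output pins that behaviour into the test, so it is worth confirming them against the compiled profiles before treating them as golden. The duplicated filters in `file-issue-extension` (the `^/private/var/containers/Data/System/[^/]+/` regex appears twice, as does its two-pattern variant) and the repeated `system-container` clause under `file-read*` point the same way and may be emitter noise.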
@@ -0,0 +1,170 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (literal "/usr/libexec") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/usr/libexec/limitadtrackingd") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.AdSheetPhone.management") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name 
"com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AdLib") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/limitadtrackingd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb new file mode 100644 index 00000000..4343b3ca --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb 
@@ -0,0 +1,347 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/run/lockdown") + (literal "/dev/urandom") + (literal "/usr/libexec") + (literal "/private/var/run/lockdown.sock") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/Applications/Preferences.app") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/AppleInternal/Lockdown") + (literal "/usr/libexec/lockdownd") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.sandbox.executable") + (subpath "/System/Library") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/root/Library/Lockdown") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath-prefix "${FRONT_USER_HOME}/Media") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/etc/master.passwd") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath "/Developer") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/logs") + (regex #"^/private/var/containers/Data/System/[^/]+/") + 
(subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/preferences/SystemConfiguration") + (literal "/dev/random") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/db/launchd.db/com.apple.launchd/overrides.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (regex #"^/private/var/root/Library/Preferences/com[.]apple[.]mobile[.]lockdownd[.]plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Library/Notes") + (vnode-type DIRECTORY)) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Library/Calendar") + (vnode-type DIRECTORY)) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle$" 
#"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/Info[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/[.]bundle/[^/]+[.]lproj$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj/" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]bundle/[^/]+[.]lproj$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]bundle/Info[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj/" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/((.*[.]bundle/|[.]bundle/[^/]+)|.+[.]bundle/[^/]+)[.]lproj$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.WebAppCache") + (vnode-type DIRECTORY)) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal "/private/var/run/lockdown_first_run") + (vnode-type REGULAR-FILE)) + (require-all + (subpath "/private/var/tmp/MediaCache") + (vnode-type DIRECTORY)) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Library/Voicemail") + (vnode-type DIRECTORY)) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Applications") + (vnode-type DIRECTORY)) + (require-all + (subpath "/private/var/containers") + (vnode-type DIRECTORY)) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Containers") + (vnode-type DIRECTORY)) + (require-all + (subpath-prefix "${FRONT_USER_HOME}/Media") + (vnode-type 
DIRECTORY)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/run/lockdown") + (subpath "/private/var/logs") + (subpath "/private/var/root/Library/Lockdown") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal "/private/var/run/lockdown.sock") + (regex #"^/private/var/root/Library/Preferences/com[.]apple[.]mobile[.]lockdownd[.]plist") + (subpath-prefix "${FRONT_USER_HOME}/Media") + (subpath "/private/var/preferences/SystemConfiguration") + (require-all + (literal "/private/var/run/lockdown_first_run") + (vnode-type REGULAR-FILE)) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (literal "/private/var/db/timezone") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleEffaceableStorageUserClient") + (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient") + (iokit-user-client-class "AppleNANDFTLUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient")) +(allow iokit-set-properties + (iokit-property "auto-boot")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.cfprefsd.daemon") + (global-name 
"com.apple.AOSNotification") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.mobile.notification_proxy") + (global-name "com.apple.mobile.installation_proxy") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.timed.xpc") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.syslog_relay") + (global-name "com.apple.aggregated") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.atc2") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.crash_mover") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.mobile.insecure_notification_proxy") + (global-name "com.apple.ait.client") + (global-name "com.apple.webinspector") + (global-name "com.apple.xpcd") + (global-name "com.apple.mobile.assertion_agent") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.lockdown.host_watcher") + (global-name "com.apple.lsd.open") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.managedconfiguration.profiled.public") + 
(global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.streaming_zip_conduit") + (global-name "com.apple.symptomsd") + (global-name-regex #"^lockdown[.]") + (global-name "com.apple.afcd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.crashreportcopymobile") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.atc") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (local tcp "*:*") + (literal "/private/var/run/lockdown.sock") + (subpath "/private/var/run/lockdown")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockbot") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension 
"com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.purplebuddy") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lockdownd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb new file mode 100644 index 00000000..660e72f3 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb 
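Review bot: The lockdownd.sb reference fixture contains a filter that can never match: inside `file-read*` the clause `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any ...))` requires one vnode to be both a block and a character device, which makes the nested `/private/etc/hosts`, `/private/etc/passwd` and CoreDuet paths unreachable as written; the same contradiction appears again under `file-write*` for the `interactionC.db-journal` rule. That is either a faithful rendering of a quirk in the compiled profile or a decompiler mistake in how the operation-node graph is reassembled, and a golden file silently pins whichever it is. The same hunk also emits several filter alternatives twice (the `system-container` require-all, the `containers/Data/System` regex), which suggests no de-duplication pass and makes the fixture larger and more brittle than necessary. Before treating these as ground truth, the test should state how they were validated against the bundled sandbox.kext, e.g. a note in the test such as `; reference output: contains require-all over disjoint vnode-types - verify against sandbox.kext before relying on it`.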
@@ -0,0 +1,293 @@ +(version 1) +(deny default) +(allow distributed-notification-post) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreservices.useractivityd.plist") + (subpath-prefix "${HOME}/Library/Logs/Handoff") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath-prefix "${HOME}/Library/Logs/useractivityd") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreservices.useractivityd.dynamicuseractivites.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/System/Library") + (subpath "/private/var/db/timezone") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath-prefix "${HOME}/Library/Logs/Transport") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath "/Developer") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + 
(literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/PPTDevice") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/Transport") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath-prefix "${HOME}/Library/Logs/Handoff") + (subpath-prefix "${HOME}/Library/Logs/useractivityd") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreservices.useractivityd.dynamicuseractivites.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreservices.useractivityd.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.open") + (global-name "com.apple.xpcd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.SharedWebCredentials") + (global-name 
"com.apple.cfprefsd.agent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.awdd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ctkd.token-client") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + 
(require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.coreservices.useractivityd.dynamicuseractivites") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.coreservices.useractivityd") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.Sharing") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.coreservices.useractivityd.dynamicuseractivites") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.coreservices.useractivityd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
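Review bot: The `file-read-metadata` rule in lsuseractivityd.sb lists bare `(vnode-type DIRECTORY)` and `(vnode-type SYMLINK)` alongside `(literal-prefix "${HOME}")` at the top level of the rule, which, if the decompilation is correct, allows metadata reads on every directory and symlink on the device; the subsequent `require-all` entries scoped by `com.apple.bulletinboard.dataprovider` are then redundant because the unscoped `${HOME}` prefix already covers them. Whether the real profile is that broad or the decompiler has flattened a `require-any` that was actually conditioned on something else cannot be told from the fixture alone, so the test should not pin this output without a cross-check against the kext. I would also expect the fixture generator to fold the duplicated `(require-all (extension "com.apple.sandbox.system-container") (require-entitlement "com.apple.security.system-container"))` alternative, which appears twice in the same `file-read*` rule, so that the golden file reflects the policy rather than traversal order.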
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb.xml new file mode 100644 index 00000000..4627e68a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/lsuseractivityd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb new file mode 100644 index 00000000..29a0adc1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb 
@@ -0,0 +1,131 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (regex #"^/private/var/tmp/mds/[0-9]+/" #"^/private/var/tmp/mds/[0-9]+$") + (regex #"^/private/var/db/mds/[0-9]+/" #"^/private/var/db/mds/[0-9]+$") + (literal "/dev/dtracehelper") + (literal "/Library/Managed Preferences") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/Managed Preferences/mobile") + (literal "/private/var/Managed Preferences/mobile/com.apple.mDNSResponder.plist") + (literal "/dev/null") + (literal "/dev/urandom") + (literal "/private/var/Library/Preferences/") + (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds/" #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds$") + (literal "/dev/random") + (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/" #"^/private/var/folders/[^/]+/[^/]+/C/mds$") + (literal "/dev/zero") + (require-all + (file-mode #o0004) + (require-any + (subpath "/System") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/private/var/db/dyld")))) +(allow file-read-data + (literal "/private/var/db/crls/crlcache.db") + (subpath "/private/var/tmp/mds") + (subpath "/private/var/db/mds") + (literal "/Library/Keychains/System.keychain") + (require-all + (require-not (regex #"^/Library/Keychains/")) + (require-any + (literal "/usr/sbin") + (literal "/usr/sbin/mDNSResponder") + (regex #"^/Library/Preferences/[.]GlobalPreferences[.]" #"^/Library/Preferences/ByHost/[.]GlobalPreferences[.]") + (literal "/private/etc") + (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist") + (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") + (literal "/dev/console") + (literal "/Library/Preferences/com.apple.crypto.plist") + (literal "/private/var/preferences/SystemConfiguration/preferences.plist") + (literal "/Library/Preferences/com.apple.mDNSResponder.plist") + (literal "/private/etc/hosts") + (literal 
"/Library/Preferences/SystemConfiguration/preferences.plist") + (regex #"^/Library/Preferences/com[.]apple[.]security[.]") + (literal "/Library/Security/Trust Settings/Admin.plist")))) +(allow file-read-metadata) +(allow file-write* + (regex #"^/private/var/tmp/mds/[0-9]+/" #"^/private/var/tmp/mds/[0-9]+$") + (regex #"^/private/var/db/mds/[0-9]+/" #"^/private/var/db/mds/[0-9]+$") + (literal "/private/var/run/mDNSResponder") + (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds/" #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds$") + (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/" #"^/private/var/folders/[^/]+/[^/]+/C/mds$") + (require-all + (regex #"^/cores/") + (require-not (file-mode #o0000)))) +(allow file-write-data + (literal "/dev/console") + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero")) +(allow iokit-open + (iokit-user-client-class "NVEthernetUserClientMDNS") + (iokit-user-client-class "mDNSOffloadUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "wlDNSOffloadUserClient")) +(allow iokit-get-properties) +(allow ipc-posix-shm*) +(allow ipc-posix-shm-read*) +(allow ipc-posix-shm-read-data) +(allow ipc-posix-shm-read-metadata) +(allow ipc-posix-shm-write*) +(allow ipc-posix-shm-write-create) +(allow ipc-posix-shm-write-data) +(allow ipc-posix-shm-write-unlink) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.awdd") + (global-name "com.apple.bsd.dirhelper") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.snhelper") + (global-name "com.apple.ocspd") + (global-name "com.apple.system.DirectoryService.libinfo_v1") + (global-name "com.apple.mDNSResponderHelper") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.CoreServices.coreservicesd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") 
+ (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SecurityServer") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coreservices.quarantine-resolver") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.system.logger") + (global-name "com.apple.awacs") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.distributed_notifications.2") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.webcontentfilter.dns") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.blued")) +(allow mach-register + (global-name "com.apple.d2d.ipc")) +(allow network*) +(allow network-inbound) +(allow network-bind) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb.xml new file mode 100644 index 00000000..fdb457a2 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mDNSResponder.sb.xml @@ -0,0 +1,52 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb new file mode 100644 index 00000000..5e3f9eac --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb 
@@ -0,0 +1,612 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension 
"com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + 
(subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + 
(extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (subpath "/private/var/db/timezone") + (subpath "/Library/Audio/Tunings/Generic/AU") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoProcessing.plist") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath-prefix "${HOME}/Media/Memories/MediaAnalysis") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaanalysis.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/usr/local/lib") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/ptmx") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.photos" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.photos") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + 
(subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix 
"${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories") + (literal-prefix "${HOME}/Media") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaanalysis.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoProcessing.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Memories/MediaAnalysis") + (subpath "/private/var/tmp") + (require-all + (require-not 
(subpath-prefix "${HOME}/Media")) + (require-any + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.photos" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.photos") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + 
(extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (literal-prefix "${HOME}/Media/Memories") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.lsd.open") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.coremedia.mutablecomposition") + (global-name "com.apple.xpc.activity.unmanaged") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.xpcd") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name 
"com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.coremedia.compressionsession") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ctkd.token-client") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name 
"com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.mediaanalysis") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.VideoProcessing") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.mobileslideshow") + (preference-domain 
"kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.VideoProcessing") + (preference-domain "com.apple.mediaanalysis")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaanalysisd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb new file mode 100644 index 00000000..bbcc4f01 --- /dev/null 
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb 
@@ -0,0 +1,852 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + 
(require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class 
"com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.rtcreporting.upload") + (subpath-prefix "${HOME}/Library/Caches/com.apple.VideoConference/logs/mediaserverd")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.settings.bluetooth.audio-route.plist") + (subpath-prefix "${HOME}/Library/Logs/awd") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/VoiceTrigger") + (subpath "/Library") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/AppleInternal/Library/Conference/Environments.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.bag.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (subpath "/private/var/wireless/Library/Logs/awd") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.rtcreporting.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (extension "com.apple.mediaserverd.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/mediaserverd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${HOME}/Library/Logs/AirPlay.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoConference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences-sounds.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (subpath "/usr/local/share/firmware/isp") + (extension 
"com.apple.mediaserverd.read-write") + (subpath-prefix "${HOME}/Media/Downloads") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/logs/mediaserverd") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.audio.virtualaudio.plist") + (subpath-prefix "${HOME}/Library/VoiceTrigger") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Library/Caches/CoreMotion/CoreMotion.log") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.plist") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.airplay.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (subpath-prefix "${HOME}/Media/Podcasts") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.backedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.celestial.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VideoProcessing.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (subpath-prefix "${HOME}/Media/PhotoData/Sync") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Caches/com.apple.VideoConference") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Media/PhotoData/CPLAssets") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.audio.penguin.plist") + (subpath "/usr/sbin") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (subpath-prefix "${HOME}/Media/PhotoData/Mutations") + (literal "/AppleInternal/Library/Preferences/com.apple.airplay.dashboard.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (subpath-prefix 
"${HOME}/Media/PhotoData/OutboundSharingTmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath "/usr/local/lib") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath-prefix "${HOME}/Media/Recordings") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/private/var/preferences/SystemConfiguration/com.apple.mobilegestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Music") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal "/dev/null") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]mediaserverd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]mediaserverd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]mediaserverd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + 
(require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read"))) +(allow file-read-data + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.plist") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/mediaserverd") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Media/Downloads") + (subpath-prefix "${HOME}/Media/PhotoData/Mutations") + (literal-prefix "${HOME}/Library/Logs/AirPlay.log") + (subpath-prefix "${HOME}/Library/Logs/awd") + (subpath-prefix "${HOME}/Library/VoiceTrigger") + (subpath-prefix "${HOME}/Media/Podcasts") + (subpath-prefix "${HOME}/Media/iTunes_Control/Music") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/VoiceTrigger") + (extension "com.apple.mediaserverd.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath-prefix "${HOME}/Media/Recordings") + (subpath-prefix "${HOME}/Media/PhotoData/OutboundSharingTmp") + (subpath-prefix "${HOME}/Media/DCIM") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.celestial.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${HOME}/Library/Caches/CoreMotion/CoreMotion.log") + (subpath-prefix "${HOME}/Media/PhotoData/Sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.audio.penguin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.bag.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voicetrigger.notbackedup.plist") + (subpath "/private/var/logs/mediaserverd") + (subpath "/private/var/wireless/Library/Logs/awd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.audio.virtualaudio.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.imessage.bag.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.VideoConference") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath-prefix "${HOME}/Media/PhotoData/CPLAssets") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.airplay.plist") + (extension "com.apple.mediaserverd.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facetime.bag.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix 
"${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]mediaserverd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]mediaserverd" 
#"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]mediaserverd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]mediaserverd$") + (subpath-prefix "${HOME}"))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/CoreMotion")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + 
(subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAudio2DeviceUserClient") + (iokit-user-client-class "com_apple_audio_IOBorealisOwlUserClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "AppleD5500UserClient") + (iokit-user-client-class "AppleVXD375UserClient") + (iokit-user-client-class "IOAccelContext2") + (iokit-user-client-class "AppleH2CamInUserClient") + (iokit-user-client-class "AppleVXE380UserClient") + (iokit-user-client-class "IOReportUserClient") + (iokit-user-client-class "AppleVXD390UserClient") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class "AppleH4CamInUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "AppleVXD393UserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class 
"AppleH6CamInUserClient") + (iokit-user-client-class "H3H264VideoEncoderDriverUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleSPUHIDDriverUserClient") + (iokit-user-client-class "IOAccessoryManagerUserClient") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "AppleSRSDriverUserClient") + (iokit-user-client-class "IOAudioCodecsUserClient") + (iokit-user-client-class "AppleH3CamInUserClient") + (iokit-user-client-class "AppleUSBHostInterfaceUserClient") + (iokit-user-client-class "AppleAVEUserClient") + (iokit-user-client-class "IOAudio2TransformerUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "com_apple_driver_FairPlayIOKitUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOStreamAudioUserClient") + (iokit-user-client-class "IOUSBDeviceInterfaceUserClient") + (iokit-user-client-class "IOHIDResourceDeviceUserClient") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOHIDLibUserClient")) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow ipc-posix-shm* + (ipc-posix-name-regex #"^stack-logs") + (ipc-posix-name-regex #"^OA-") + (ipc-posix-name "shm_pcm_audio_acl") + (ipc-posix-name-regex #"^AppleAURemoteIO[.]." #"^AppleAURemoteIO[.].+") + (ipc-posix-name "shm_pcm_audio_sco_write") + (ipc-posix-name-regex #"^[0-9A-F][0-9A-F]:+[0-9A-F][0-9A-F]-tacl$") + (ipc-posix-name-regex #"^shm_notif[.][^.]+[.][RW]$") + (ipc-posix-name-regex #"^com[.]apple[.]audio[.]abl[.]") + (ipc-posix-name-regex #"^AppleAudioQueue[.]." #"^AppleAudioQueue[.].+") + (ipc-posix-name "shm_pcm_audio_sco_read") + (ipc-posix-name-regex #"^AppleABL[.]." 
#"^AppleABL[.].+") + (ipc-posix-name-regex #"^/FSM-")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$") + (ipc-posix-name "apple.shm.notification_center") + (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]")) +(allow ipc-posix-shm-write-data + (ipc-posix-name-regex #"^gdt-[0-9A-Za-z]+-c$" #"^gdt-[0-9A-Za-z]+-s$")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coremedia.virtualdisplayserver") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.commcenter.xpc") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.rtcreportingd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.fairplayd.versioned") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.mobileactivationd") + (global-name "com.apple.iTunesStore.daemon.deatchwatch") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.coresymbolicationd") + (global-name "com.apple.marco") + (global-name "com.apple.iTunesStore.daemon-notifications") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.iap2d.distributednotification.server") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.idsremoteurlconnectionagent.embedded.auth") + (global-name "com.apple.coreduetd") + (global-name "com.apple.iTunesStore.daemon") + (global-name "com.apple.symptomsd") + (global-name 
"com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.GSSCred") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.iap2d.ExternalAccessory.distributednotification.server") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.iaptransportd.ExternalAccessory.distributednotification.server") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.iap2d.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.b184_monitord") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name 
"com.apple.locationd.synchronous") + (global-name "com.apple.networkd") + (global-name "com.apple.WirelessCoexManager") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.apsd") + (global-name "com.apple.carkit.service") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.securekeyvaultd") + (global-name "com.apple.lskdd") + (global-name "com.apple.wirelessproxd") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.iapd.distributednotification.server") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.iapd.xpc") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.geod") + (global-name "com.apple.awdd") + (global-name "com.apple.NetworkLinkConditioner") + (global-name "com.apple.iaptransportd.xpc") + (global-name "com.apple.lskdmsed") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.pegasus") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.filesystems.userfsd") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.audio.AUPBRegistrar") + (global-name "com.apple.BTServer.le") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.backboard.display.services") + (global-name 
"com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.timed.xpc") + (global-name "com.apple.internal.mediaserverdtracerd") + (global-name "com.apple.springboard.processinvalidation") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.b184_mcu_commd") + (global-name "com.apple.xpcd") + (global-name "com.apple.ExternalAccessory.distributednotification.server") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow mach-register + (global-name "com.apple.midiserver.io") + (global-name-regex #"^com[.]apple[.]coremedia[.]") + (require-all + 
(extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network-inbound + (local tcp "*:*")) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (remote udp "*:*") + (remote tcp "*:*") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc") + (literal "/private/var/run/syslog") + (require-all + (regex #"^/private/var/mobile/Library/ExternalAccessory/ea[.0-9]+$" #"^/private/var/euser[0-9]+/Library/ExternalAccessory/ea[.0-9]+$") + (subpath-prefix "${FRONT_USER_HOME}"))))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.avfoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.VideoConference") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.audio.penguin") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.audio.virtualaudio") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.VideoProcessing") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.facetime.bag") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.voicetrigger") + (preference-domain 
"com.apple.celestial") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.imessage.bag") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.da") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.preferences-sounds") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.voicetrigger.notbackedup") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.rtcreporting") + (preference-domain "com.apple.assistant.backedup") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.coremedia.bag") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.settings.bluetooth.audio-route") + (preference-domain "com.apple.airplay") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.facetime") + (preference-domain "com.apple.MobileAsset") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.airplay") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.facetime.bag") + (preference-domain "com.apple.coremedia.bag") + (preference-domain 
"com.apple.voicetrigger.notbackedup") + (preference-domain "com.apple.celestial") + (preference-domain "com.apple.audio.virtualaudio") + (preference-domain "com.apple.facetime") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.voicetrigger") + (preference-domain "com.apple.audio.penguin") + (preference-domain "com.apple.imessage.bag")) +(allow process-exec* + (literal "/usr/sbin/mediaserverd") + (require-all + (literal "/usr/bin/syslog") + (debug-mode)) + (require-all + (literal "/usr/bin/trace") + (debug-mode))) +(allow process-fork + (debug-mode)) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-suspend-resume) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb.xml new file mode 100644 index 00000000..889d903e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mediaserverd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb new file mode 100644 index 00000000..3f500282 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb 
@@ -0,0 +1,435 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.executable")) + (require-all + 
(extension-class "com.apple.nsurlstorage.extension-cache") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.container") 
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/usr/share") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" 
#"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (require-all + (require-not (subpath "/usr/libexec/Contents")) + (require-any + (literal "/Library/Preferences/SystemConfiguration/com.apple.afc.DeviceInfo.plist") + (literal "/private/etc/master.passwd") + (literal "/dev/random") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/aes_0") + (literal "/usr/libexec") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.afc.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/dev/null") + (literal "/dev/zero") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/usr/libexec/mobile_house_arrest") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.container") + (regex 
#"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-data + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/GeoJSON$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/GeoJSON$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) 
+ (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$") + (subpath-prefix "${HOME}"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobile-house-arrest.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb new file mode 100644 index 00000000..ae1cfc58 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb 
@@ -0,0 +1,507 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/mobileassetd/" #"^/private/var/mobile/Library/Caches/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/mobileassetd/" #"^/private/var/mobile/Library/Caches/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/root/Library/Caches/mobileassetd/" #"^/private/var/root/Library/Caches/mobileassetd$")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class 
"com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/root/Library/Caches/mobileassetd/" #"^/private/var/root/Library/Caches/mobileassetd$")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex 
#"^/private/var/mobile/Library/Caches/mobileassetd/" #"^/private/var/mobile/Library/Caches/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.assets.read") + (require-any + (subpath-prefix "${FRONT_USER_HOME}/Library/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/VoiceServices") + (subpath-prefix "${FRONT_USER_HOME}/Library/VoiceServices/Assets") + (subpath "/private/var/MobileAsset"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/root/Library/Caches/mobileassetd/" #"^/private/var/root/Library/Caches/mobileassetd$")) + (require-all + (extension-class "com.apple.StreamingUnzipService") + (require-any + (subpath-prefix 
"${FRONT_USER_HOME}/Library/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/VoiceServices") + (subpath-prefix "${FRONT_USER_HOME}/Library/VoiceServices/Assets") + (subpath "/private/var/MobileAsset")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal "/usr/libexec/mobileassetd") + (literal "/usr/libexec") + (regex #"^/private/var/root/Library/Cookies$" #"^/private/var/root/Library/Cookies/Cookies[.]binarycookies") + (literal "/") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/MobileAsset") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/ptmx") + (literal "/private/var/root/Library/Preferences/com.apple.WebFoundation.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/VoiceServices/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AssetCacheLocator.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Assets") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/root/Library/Caches/mobileassetd/" #"^/private/var/root/Library/Caches/mobileassetd$") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal-prefix 
"${FRONT_USER_HOME}/Library/VoiceServices") + (subpath "/AppleInternal/Library/PreinstalledAssets") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal "/dev/random") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/private/var/preferences/SystemConfiguration/com.apple.mobilegestalt.plist") + (regex #"^/private/var/root/Library/Preferences/com[.]apple[.]MobileAsset[.]plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+") + (subpath-prefix "${HOME}") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) 
+ (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/mobileassetd/" #"^/private/var/mobile/Library/Caches/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/VoiceServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (regex #"^/private/var/root/Library/Caches/mobileassetd/" #"^/private/var/root/Library/Caches/mobileassetd$") + (regex #"^/private/var/root/Library/Cookies$" #"^/private/var/root/Library/Cookies/Cookies[.]binarycookies") + (subpath "/private/var/MobileAsset") + (subpath-prefix "${FRONT_USER_HOME}/Library/VoiceServices/Assets") + (regex #"^/private/var/root/Library/Preferences/com[.]apple[.]MobileAsset[.]plist") + (subpath "/private/var/tmp") + (subpath-prefix "${FRONT_USER_HOME}/Library/Assets") + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/mobileassetd/" #"^/private/var/mobile/Library/Caches/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+") + (subpath-prefix "${HOME}") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd/" #"^/private/var/root/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/mobileassetd$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal "/private/var/root/Library/Caches")) + (require-all + (require-not 
(literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${FRONT_USER_HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + 
(global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.AssetCacheLocatorService") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.cache_delete") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension 
"com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.AssetCacheLocator") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.MobileAsset")) +(allow process-info*) +(allow process-info-listpids) +(allow 
process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-sched) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb.xml new file mode 100644 index 00000000..feb04958 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/mobileassetd.sb.xml @@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb new file mode 100644 index 00000000..0a12bdf9 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb 
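Review bot: The mobileassetd.sb reference pins the decompiler's non-deduplicated output rather than a minimal profile, and nothing in the test tree says so — the `file-issue-extension` rule opens with the same `(regex #"^/private/var/containers/Data/System/[^/]+/")` filter listed twice and repeats the `(require-all (extension-class "com.apple.app-sandbox.read") (extension "com.apple.sandbox.system-container") (require-entitlement "com.apple.security.system-container"))` block verbatim, which is presumably an artifact of walking the compiled decision graph rather than an intended part of the policy. A later change that merges equivalent filters would then fail this and every sibling reference, and a reader cannot tell from the fixture whether that is a regression or an improvement. A short note in the references directory, e.g. `; machine-generated from tests/iPhone5__1_9.3_13E237/inputs/sandbox.kext by the reverse tool; do not hand-edit, regenerate and review the diff instead`, would make the intent clear and keep reviewers from treating the duplicate clauses as policy bugs. The same applies to the other *.sb references in this commit (mobile-house-arrest.sb, nanomaild.sb), whose hunks start or end outside this view.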
@@ -0,0 +1,422 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + 
(extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild$") + (subpath-prefix 
"${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMailKitClient.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/dev/random") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (subpath-prefix "${HOME}/Library/NanoMailKit") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMail.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + 
(subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/Library/PPTDevice") + (literal-prefix "${HOME}/Library/Caches") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMailKitClient.plist") + (subpath "/private/var/tmp") + (subpath-prefix "${HOME}/Library/NanoMailKit") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nanomaild$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nanomaild$")
+ (subpath-prefix "${HOME}")))
+(allow file-write-create
+ (require-all
+ (vnode-type DIRECTORY)
+ (literal-prefix "${HOME}/Library/Caches"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send")))
+(allow file-write-data
+ (literal "/dev/ptmx")
+ (literal "/dev/aes_0")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (require-not (literal "/dev/random"))
+ (require-not (literal "/dev/urandom"))
+ (require-any
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" 
#"^/dev/ptyp[0-9a-f]$")))
+(allow file-write-mode
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty")))
+(allow file-write-unlink
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive")))
+(allow iokit-get-properties)
+(allow mach-bootstrap)
+(allow mach-cross-domain-lookup)
+(allow mach-lookup
+ (global-name "com.apple.ReportCrash.SimulateCrash")
+ (global-name "com.apple.hangtracerd")
+ (global-name "com.apple.lsd.open")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.assertiond.applicationstateconnection")
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.CoreAuthentication.daemon.libxpc")
+ (global-name "com.apple.lsd.advertisingidentifiers")
+ (global-name "com.apple.lsd")
+ (global-name "com.apple.CARenderServer")
+ (global-name "com.apple.lsd.openurl")
+ (global-name "com.apple.distributed_notifications@1v3")
+ (global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
+ (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.marco")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.lsd.mapdb")
+ (global-name "com.apple.xpcd")
+ (global-name "com.apple.identityservicesd.embedded.auth")
+ (global-name "com.apple.assertiond.processassertionconnection")
+ (global-name "com.apple.duetknowledged.activity")
+ (global-name "com.apple.managedconfiguration.profiled.public")
+ (global-name "com.apple.containermanagerd")
+ (global-name "com.apple.mobilegestalt.xpc")
+ (global-name "com.apple.tccd")
+ (global-name "com.apple.appsupport.cplogd")
+ (global-name "com.apple.frontboard.systemappservices")
+ (global-name "com.apple.aggregated")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.system.libinfo.muser")
+ (global-name "com.apple.lsd.icons")
+ (require-all
+ (global-name 
"com.apple.coreduetd.people")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (global-name "com.apple.itunesstored.xpc")
+ (require-entitlement "com.apple.itunesstored.private"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.local-name")
+ (local-name-regex #".+"))
+ (require-all
+ (global-name "com.apple.bulletinboard.dataproviderconnection")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.global-name")
+ (global-name-regex #".+")))
+(allow nvram*)
+(allow nvram-delete)
+(allow nvram-get)
+(allow nvram-set)
+(allow user-preference-read
+ (extension "com.apple.security.exception.shared-preference.read-write")
+ (extension "com.apple.security.exception.shared-preference.read-only")
+ (preference-domain "com.apple.ids")
+ (preference-domain "com.apple.da")
+ (preference-domain "com.apple.NanoMailKitClient")
+ (preference-domain "com.apple.demo-settings")
+ (preference-domain "com.apple.marco")
+ (preference-domain "com.apple.logging")
+ (preference-domain "kCFPreferencesAnyApplication")
+ (preference-domain "com.apple.iokit.IOMobileGraphicsFamily")
+ (preference-domain "com.apple.conference")
+ (preference-domain "com.apple.Accessibility")
+ (preference-domain "com.apple.NanoMail")
+ (require-all
+ (preference-domain "com.apple.bulletinboard")
+ (require-entitlement "com.apple.bulletinboard.dataprovider")))
+(allow user-preference-write
+ (extension "com.apple.security.exception.shared-preference.read-write")
+ (preference-domain "com.apple.NanoMailKitClient"))
+(allow process-info*)
+(allow process-info-listpids)
+(allow process-info-pidinfo)
+(allow process-info-pidfdinfo)
+(allow process-info-pidfileportinfo)
+(allow process-info-setcontrol)
+(allow process-info-dirtycontrol)
+(allow process-info-rusage)
+(allow pseudo-tty)
+(allow sysctl-read)
+(allow system-privilege)
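Review bot: The `file-read*` rule in the middle of this hunk, and the `file-write*` rule below it, pin a clause of the form `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)`; as far as I know a vnode has exactly one type, so that conjunction can never match and the nested `/private/etc/*`, `/` and `CoreDuet/People` entries it guards are dead as written. That reads more like a decoding artifact (a lost `require-not`, or a `require-any` node emitted as `require-all`) than the profile's intent — the `file-write-data` rule just after it does emit `require-not` for `/dev/random` and `/dev/urandom`, so the decoder does handle negation — and committing it as the expected output locks the current behaviour into the test. I would check these two clauses against the sandbox.kext input before accepting the fixture, or mark them in the test as known-suspect so a later decoder fix is not mistaken for a regression. The duplicated `(regex #"^/private/var/containers/Data/System/[^/]+/")` entries at the top of `file-issue-extension` are harmless but are likewise being pinned.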
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomaild.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb new file mode 100644 index 00000000..2519f062 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb 
@@ -0,0 +1,616 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Logs/awd/awd-nanomapscd.log") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.sandbox.executable") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapsSupport.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.companionsync.plist") + (literal "/dev/aes_0") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/random") + (literal "/private/var/preferences/com.apple.networkd.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/dev/null") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") 
+ (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type 
REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]maps[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]private[.]alloy[.]maps[.]sync[.]syncCoordinator" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]private[.]alloy[.]maps[.]sync[.]syncCoordinator") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}") + 
(require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapsSupport.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-nanomapscd.log") + (subpath "/private/var/tmp") + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Maps$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (subpath-prefix 
"${HOME}/Library/Logs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]maps[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CompanionSync")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]private[.]alloy[.]maps[.]sync[.]syncCoordinator" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]private[.]alloy[.]maps[.]sync[.]syncCoordinator") + (subpath-prefix "${HOME}")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s/") + (subpath-prefix "${HOME}"))) +(allow 
file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex 
#"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-owner + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.Maps.SpringBoard") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.marco") + (global-name "com.apple.Maps.gsEvents") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.Maps.IPC") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.GSSCred") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name 
"com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.routined.registration") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.geod") + (global-name "com.apple.awdd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + 
(global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.MapsSupport") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.carrier") + (preference-domain 
"com.apple.AppSupport") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.companionsync") + (preference-domain "com.apple.marco") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.MapsSupport")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapscd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb new file mode 100644 index 00000000..7bfa8ea4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb 
@@ -0,0 +1,543 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + 
(require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${HOME}/Library/Logs/awd/awd-nanomapsgd.log") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Maps") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" 
#"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath "/Developer") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath "/Applications/NanoMaps.app") + (literal-prefix "${HOME}/Library/MapsHistory.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMaps.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s/") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.companionsync.plist") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal "/dev/null") + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]maps[.]sync" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]maps[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) 
+ (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Maps") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Logs/awd/awd-nanomapsgd.log") + (literal-prefix "${HOME}/Library/MapsHistory.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoMaps.plist") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (subpath-prefix "${HOME}/Library/Logs/CompanionSync/TransportLogs") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync/TransportLogs") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-wal") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + 
(literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-shm") + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db-journal") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/nms[.]com[.]apple[.]private[.]alloy[.]maps[.]sync" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync/(nms[.])?com[.]apple[.]private[.]alloy[.]maps[.]sync") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]NanoMaps$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]NanoMaps$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CompanionSync")))) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoMaps/" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/PairedSyncServiceRestrictions/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/(NanoMap|PairedSyncServiceRestriction)s/") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CompanionSync") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/CompanionSync"))) + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Logs/CompanionSync/statistics.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-owner + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/CompanionSync$") + (subpath-prefix "${HOME}"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name 
"com.apple.hangtracerd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.marco") + (global-name "com.apple.system.logger") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.idsremoteurlconnectionagent.embedded.auth") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.geod") + (global-name "com.apple.awdd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + 
(extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.companionsync") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.NanoMaps") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.NanoMaps")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nanomapsgd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb new file mode 100644 index 00000000..cd3fc633 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb 
@@ -0,0 +1,532 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension 
"com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + 
(extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/null") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (subpath-prefix "${HOME}/Library/Caches/GeoServices") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/dev/ptmx") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapsSupport.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]MapsSupport" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]MapsSupport" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]MapsSupport") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}"))))) +(allow file-write* + (extension 
"com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapsSupport.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (subpath-prefix "${HOME}/Library/Caches/GeoServices") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/tmp") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]MapsSupport" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]MapsSupport" 
#"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]MapsSupport") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]MapsSupport$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + 
(literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.geod") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name 
"com.apple.GSSCred") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.routined.registration") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.lsd") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.apsd") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.securityd") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") 
+ (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.MapsSupport") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.AppSupport") + (preference-domain 
"kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/navd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb new file mode 100644 index 00000000..56d89a0e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb 
@@ -0,0 +1,296 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.executable"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + 
(extension "com.apple.sandbox.application-group") + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix 
"${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$") + (subpath-prefix "${HOME}"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.lsd") + (global-name "com.apple.xpcd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension 
"com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb.xml new file mode 100644 index 00000000..bc9a832f --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/network-filter.sb.xml @@ -0,0 +1,32 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb new file mode 100644 index 00000000..05f9ca0c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb 
@@ -0,0 +1,314 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/tty.stockholm") + (literal "/dev/ptmx") + (literal "/dev/aes_0")) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Library/Logs/awd/awd-nfcd.log") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.awd.plist") + (subpath "/System/Library") + (literal "/dev/tty.stockholm") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Duet.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/AppleSSE.log") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/usr/libexec/nfcd") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/nfcd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/NearField" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/NearField") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal 
"/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix 
"${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Library/Logs/AppleSSE.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.awd.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/nfcd.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/awd/awd-nfcd.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/NearField" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/NearField") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd"))) +(allow file-write-data + (literal "/dev/tty.stockholm") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleCredentialManagerUserClient") + 
(iokit-user-client-class "AppleStockholmControlUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleSSEUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.xpcd") + (global-name "com.apple.lsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.coreduetd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.awdd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (control-name "com.apple.uart.stockholm") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.Duet") + (preference-domain "com.apple.stockholm.awd") + (preference-domain "com.apple.stockholm") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "nfcd") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.stockholm") + (preference-domain "nfcd") + (preference-domain "com.apple.stockholm.awd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket + (socket-domain AF_SYSTEM)) 
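Review bot: The `file-read*` and `file-write*` rules in this reference contain `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` filters (around the `/private/etc/hosts` … `/` path set and the CoreDuet `interactionC.db-journal` clause), and a vnode cannot be both types at once, so as written those clauses can never match, while the paths they wrap are regular files or directories anyway. That looks more like the decompiler mis-rendering a negated node (a pair of `(require-not (vnode-type …))` terms excluding device files from a path set) than a real Apple rule, and committing it as expected output freezes that rendering into the test, so it is worth checking the filter encoding for that node in the kext before `nfcd.sb` becomes a golden file. The same shape appears in the `nsurlsessiond.sb` reference further down this diff. Less important, the `(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")` pairs are redundant, since the first pattern already matches everything the second does.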
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nfcd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb new file mode 100644 index 00000000..4a4afac1 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb 
@@ -0,0 +1,68 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.pfd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb.xml new file mode 100644 index 00000000..c8ed3bf5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nlcd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb new file mode 100644 index 00000000..600155c5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb @@ -0,0 +1,6 @@ +(version 1) +(allow default) +(deny network* + (local ip "*:*")) +(deny network-outbound + (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb.xml new file mode 100644 index 00000000..fa56c88d --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nointernet.sb.xml @@ -0,0 +1,20 @@ + + + + + + + + + +]> + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb new file mode 100644 index 00000000..8cea1cdb --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb 
@@ -0,0 +1,569 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + 
(require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (subpath-prefix "${HOME}/Library/Caches/com.apple.nsurlsessiond") + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/usr/share") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/db/timezone") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (require-all + (require-not (subpath "/private/var/logs/MobileLibraryLogs")) + (require-not (subpath "/private/var/logs/MobileMediaFactoryLogs")) + (require-not (subpath "/private/var/logs/WirelessLibraryLogs")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/com.apple.nsurlsessiond") + (subpath-prefix "${HOME}/Media/Downloads") + (literal "/usr/libexec") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (subpath-prefix "${HOME}/Library/Logs/com.apple.nsurlsessiond") + (literal "/private/var/preferences/com.apple.networkd.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.Duet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Caches/com.apple.nsurlsessiond") + (subpath "/private/var/tmp") + (literal "/usr/libexec/nsurlsessiond") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nsurlsessiond.plist") + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (require-any + (extension "com.apple.nsurlsessiond.readonly") + (require-all + (regex #"^/private/var/mobile/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/" #"^/private/var/euser[0-9]+/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.nsurlsessiond" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.nsurlsessiond") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" 
#"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.coremedia")) + (require-any + (literal "/dev/random") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/null") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (require-not (subpath "/private/var/logs/MobileLibraryLogs")) + (require-not (subpath "/private/var/logs/MobileMediaFactoryLogs")) + (require-not (subpath "/private/var/logs/WirelessLibraryLogs")) + (require-any + (subpath-prefix "${HOME}/Media/Downloads") + (subpath-prefix "${HOME}/Library/Caches/com.apple.nsurlsessiond") + (subpath-prefix "${HOME}/Library/Logs/com.apple.nsurlsessiond") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nsurlsessiond.plist") + (subpath-prefix "${HOME}/Library/com.apple.nsurlsessiond") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" #"^/private/var/euser[0-9]+/Containers/Shared/AppGroup/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond" 
#"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/com[.]apple[.]nsurlsessiond") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]nsurlsessiond$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.nsurlsessiond" 
#"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/com.apple.nsurlsessiond") + (subpath-prefix "${HOME}"))))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (require-any + (extension "com.apple.nsurlsessiond.readonly") + (require-all + (regex #"^/private/var/mobile/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/" #"^/private/var/euser[0-9]+/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (require-any + (extension "com.apple.nsurlsessiond.readonly") + (require-all + (regex 
#"^/private/var/mobile/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/" #"^/private/var/euser[0-9]+/Library/com[.]apple[.]nsurlsessiond/[^/]+/[^/]+/Uploads/") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.securityd") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.coreduetd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.fig.movie") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.nehelper") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.ocspd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.awdd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.networkd") + (global-name "com.apple.mobile.keybagd.xpc") + 
(global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.coremedia.assetdownloader") + (global-name "com.apple.trustd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (require-not (global-name "com.apple.CARenderServer")) + (require-any + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.logger") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name 
"com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.Duet") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.nsurlsessiond") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.nsurlsessiond")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) 
+(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlsessiond.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb new file mode 100644 index 00000000..679836f5 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb 
@@ -0,0 +1,384 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class 
"com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + 
(extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/System/Library") + (literal "/dev/urandom") + (regex 
#"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nsurlstoraged.plist") + (literal-prefix "${HOME}/Containers") + (subpath "/usr/libexec") + (literal-prefix "${HOME}") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Applications") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal "/dev/random") + (extension "com.apple.nsurlstorage.extension-cache") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/containers") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + 
(require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.nsurlstorage.extension-cache") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nsurlstoraged.plist") + (require-all + (vnode-type 
BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name 
"com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.open") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.securityd") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.trustd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.nsurlstoraged") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.nsurlstoraged")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
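Review bot: The `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) …)` filters in this hunk's `file-read*` and `file-write*` rules are unsatisfiable as written — a vnode has exactly one type, so every path grouped under them (`/private/etc/hosts`, `/private/etc/passwd`, `/`, the CoreDuet `interactionC.db*` entries) would never be allowed by this reading, and checking the profile in as the expected test output freezes that reading. Either Apple's compiled profile really carries a dead rule or the decompiler is mis-emitting that node (a negated or `require-any` form would be the usual shape); I can't tell from the fixture alone, so it is worth cross-checking this one construct against the raw sandbox.kext output before it becomes the oracle. The same question applies to the four consecutive duplicate `(regex #"^/private/var/containers/Data/System/[^/]+/" …)` filters at the top of `file-issue-extension`, which look like repeated emission of a single branch rather than distinct rules. If these are known decompiler limitations, a short comment in the test (or a tracking issue referenced from it) would keep the next reader from treating them as ground truth.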
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/nsurlstoraged.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb new file mode 100644 index 00000000..2ce04dff --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb 
@@ -0,0 +1,304 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (subpath "/System/Library") + (literal "/dev/urandom") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/etc/master.passwd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (subpath "/private/var/MobileDevice") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all 
+ (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow 
file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath "/private/var/MobileDevice") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all 
+ (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAESAcceleratorUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.open") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.system.notification_center") + 
(global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + 
(global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote ip "*:*") + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.MobileAsset") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/online-auth-agent.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb new file mode 100644 index 00000000..1e7ab80c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb 
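Review bot: The `file-read*` rule in the online-auth-agent.sb hunk pins, as expected test output, a filter that cannot match as written: `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") ...))` requires one vnode to be both a block and a character device, so the entire `/private/etc/*` and CoreDuet branch under it is dead. The same shape recurs in this file's `file-write*` rule (`(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") ...)`) and in the passd.sb `file-read*` hunk further down; I cannot tell from the diff alone whether this is the genuine policy or a decoding artefact (e.g. a negated device-type check rendered as a conjunction), but it is worth confirming before these files become the golden reference. Related, the decompiled output repeats identical filters verbatim (`(regex #"^/private/var/containers/Data/System/[^/]+/")` appears twice in `file-read*` here and four times in passd.sb's `file-issue-extension`), which is harmless for matching but suggests the comparison is against raw rather than normalised output. If the intent is only a regression baseline for the current decompiler, a one-line comment in the test harness saying so (e.g. `; reference = current decompiler output, not independently verified policy`) would stop readers from treating these profiles as ground truth.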
@@ -0,0 +1,786 @@ +(version 1) +(deny default) +(allow distributed-notification-post) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") 
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.biometrickitd.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Passbook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (subpath-prefix "${HOME}/Library/Passes") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/dev/random") + 
(literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AdLib.plist") + (subpath 
"/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/PassKit") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.passd.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.LocalAuthentication.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal "/dev/null") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.purplebuddy.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ConfigServer.plist") + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" 
#"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type 
REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type 
REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]passd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]passd" 
#"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]passd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.passd.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Passbook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/kCFPreferencesAnyApplication.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath-prefix "${HOME}/Library/Passes") + (literal-prefix "${HOME}/Library/Caches/com.apple.pep.configuration.plist") + (literal-prefix 
"${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath-prefix "${HOME}/Library/Caches/PassKit") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]passd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]passd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]passd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + 
(literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]passd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "AppleJPEGDriverUserClient")) +(allow iokit-set-properties + (iokit-property "reportStatusMessages")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name 
"com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.geod") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.securityd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.seld.tsmmanager") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nfcd.hwmanager") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.symptomsd") + (global-name "com.apple.GSSCred") + (global-name "com.apple.springboard.services") + (global-name "com.apple.cookied") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.CoreAuthentication.daemon") + (global-name "com.apple.nehelper") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.seld") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nfcd") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.networkd") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.biometrickitd") + (global-name "com.apple.trustd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement 
"com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (require-not (global-name "com.apple.pluginkit.pkd")) + (require-any + (global-name "com.apple.AdSheetPhone.analytics") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.passes.usage") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.securityd") + (global-name "com.apple.icloud.findmydeviced") + (global-name "com.apple.cloudd") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.FileProvider") + (global-name "com.apple.system.libinfo.muser") + (global-name 
"com.apple.SystemConfiguration.helper") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.FSEvents") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.symptomsd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.tccd") + (global-name "com.apple.aggregated") + (global-name "com.apple.coremedia.sandboxserver") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.system.logger") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.apsd") + (global-name "com.apple.springboard.carditemscontroller") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.bird.token") + (global-name 
"com.apple.assertiond.processassertionconnection") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.pegasus") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + 
(require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.AdLib") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.ConfigServer") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.purplebuddy") + (preference-domain "com.apple.stockholm") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.passd") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.Passbook") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.carrier") + (preference-domain 
"com.apple.coremedia") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.biometrickitd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.LocalAuthentication") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.stockholm") + (preference-domain "com.apple.Passbook") + (preference-domain "com.apple.passd") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb.xml new file mode 100644 index 00000000..b8d494ee --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/passd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb new file mode 100644 index 00000000..a2d5429e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb 
@@ -0,0 +1,160 @@ +(version 1) +(deny default) +(allow file-ioctl + (literal "/dev/pfm") + (literal "/dev/ptmx") + (literal "/dev/aes_0")) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal "/dev/pfm") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write-data + (literal "/dev/pfm") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal "/dev/random") + (literal "/dev/urandom") + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow iokit-get-properties) +(allow ipc-posix-shm-read-data + (ipc-posix-name "apple.shm.notification_center")) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/pfd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb new file mode 100644 index 00000000..35e4d9c7 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb 
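Review bot: The `file-write-data` rule near the end of pfd.sb, `(require-all (literal "/dev/random") (literal "/dev/urandom") (require-any …))`, can never match, because one path cannot equal both literals; the corresponding rule in passd.sb renders the same construct as `(require-not (literal "/dev/random"))` and `(require-not (literal "/dev/urandom"))`, so the negations appear to have been dropped in this file. The same shape recurs in pfd.sb's `file-read*` rule as `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) …)`, which is presumably also a lost `require-not` pair rather than a genuine contradiction. Since this file is the reference the test compares decompiler output against, committing it as-is pins the lost-negation rendering as expected behaviour and inverts the policy's meaning (an exclusion list becomes an unsatisfiable allow), so the filter should be checked against the sandbox.kext bytecode before landing, and if the negations are real the two lines should read `(require-not (literal "/dev/random"))` and `(require-not (literal "/dev/urandom"))`.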
@@ -0,0 +1,459 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + 
(require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class 
"com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/System/Library") + (subpath-prefix "${HOME}/Library/com.apple.printd") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.printd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" 
#"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/run/printd") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/run/printd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.printd.plist") + (subpath-prefix "${HOME}/Library/com.apple.printd") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) 
+ (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]printd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]printd$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (require-not (literal-prefix 
"${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceAcceleratorClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "AppleJPEGDriverUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.nsurlstorage-cache") + (global-name 
"com.apple.networkd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.springboard.services") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.notificationcenter.widgetcontrollerconnection") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.aggregated") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.nehelper") + (global-name 
"com.apple.accountsd.accountmanager") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.lsd.advertisingidentifiers") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "platform-application"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private"))) +(allow network-inbound + (local tcp "*:*")) +(allow network-outbound + (require-all + (require-not (regex 
#"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/run/syslog") + (remote tcp "*:*") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.printd") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.printd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/printd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb new file mode 100644 index 00000000..154e16e3 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb 
@@ -0,0 +1,239 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${HOME}/Media") + (literal-prefix "${HOME}/Library/Logs/ptpd.log") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Photos") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ImageCaptureFramework.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal "/dev/null") + 
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (regex #"^/private/var/mobile" #"^/private/var/euser[0-9]+") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Logs/CrashReporter"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ImageCaptureFramework.plist") + (subpath-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs/Photos") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Media") + (literal-prefix "${HOME}/Library/Logs/ptpd.log") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + 
(literal-prefix "${HOME}/Library/Logs/CrashReporter"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/syslog")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.ImageCaptureFramework") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.coremedia") + (preference-domain 
"kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.ImageCaptureFramework") + (preference-domain "com.apple.mobileslideshow")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb.xml new file mode 100644 index 00000000..7f2c4ab6 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/ptpd.sb.xml @@ -0,0 +1,43 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb new file mode 100644 index 00000000..70f9b816 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb 
@@ -0,0 +1,1151 @@ +(version 1) +(deny default) +(allow file-issue-extension + (extension-class "com.apple.quicklook.readonly") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath "/private/var/tmp/MediaCache") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read") + (extension-class 
"com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath "/private/var/tmp") + (require-any + (extension-class "com.apple.app-sandbox.read") + (extension-class "com.apple.app-sandbox.read-write") + (extension-class "com.apple.mediaserverd.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class 
"com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.quicklook.readonly") + 
(extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension 
"com.apple.odr-assets")))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement 
"com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.medialibrary.plist") + (regex #"^/private/var/Managed 
Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.quicklook.quicklookd.plist") + (subpath "/private/var/db/timezone") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.homesharing.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (extension "com.apple.sandbox.executable") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/AppleInternal/Library/Frameworks/TypologyRecording.framework") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (extension "com.apple.quicklook.readonly") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (subpath "/usr/lib") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (require-all + (require-not (subpath "/System/Library/Carrier Bundles")) + (require-not (subpath-prefix "${HOME}/Library/Carrier Bundles")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (subpath "/private/var/tmp/MediaCache") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.plist") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.keyboard.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.accounts.exists.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/Library/Dictionaries") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebKit.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (subpath-prefix "${HOME}/Media/Safari") 
+ (literal "/private/var/preferences/com.apple.security.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.IconsCache") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.preferences.sounds.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.twitter.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.radios.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.SpeakSelection.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]quicklook[.]quicklookd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.aggregated.plist") + (literal-prefix "${HOME}/Library/Caches/DateFormats.plist") + (extension "com.apple.app-sandbox.read") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Library/Assets/com_apple_MobileAsset_VoiceServicesVocalizerVoice") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal "/com.apple.xpc.launchd.bootstrap.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MapKit.internal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreMotion.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.iapd.plist") + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/Caches/com.apple.UIStatusBar") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.assistant.support.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mt.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.facebook.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (subpath "/AppleInternal/Library/Frameworks/RadarCompose.framework") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreanimation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.da.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.itunesstored/url-resolution.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.app-sandbox.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (subpath-prefix "${HOME}/Library/VoiceServices/Assets") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath-prefix "${HOME}/Library/Dictionaries") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.telephonyutilities.dialassist.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.voiceservices.plist") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.DataAccess.BehaviorOptions.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.videos.plist") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.InputModePreferences.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.linkedin.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebUI.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/null") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal "/private/var/preferences/SystemConfiguration/com.apple.sinaweibo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.VoiceOverTouch.plist") + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + 
(require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings/" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + 
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]quicklook[.]quicklookd[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]quicklook[.]quicklookd[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath "/private/var/containers/Data/System/com.apple.ondemandd/Library/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd-" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]quicklook[.]quicklookd[.]plist" #"^/private/var/mobile/Library/SyncedPreferences/com[.]apple[.]quicklook[.]quicklookd-.+[.]plist" #"^/private/var/euser[0-9]+/Library/SyncedPreferences/com[.]apple[.]quicklook[.]quicklookd-.*[.]plist") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/OnDemandResources/AssetPacks") + (extension "com.apple.odr-assets")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/[.]GlobalPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-read-metadata) +(allow file-read-xattr + (literal-prefix "${HOME}/Library/Caches")) 
+(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-shm") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.quicklook.quicklookd.plist") + (subpath "/private/var/tmp/MediaCache") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb-journal") + (require-all + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (subpath-prefix "${HOME}/Library/WebKit") + (subpath-prefix "${HOME}/Library/WebClips") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.youtubeframework.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (subpath-prefix "${HOME}/Media/Safari") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/LocalStorage")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.springboard.plist")) + (require-not (literal-prefix "${HOME}/Library/Caches/DateFormats.plist")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.EmojiPreferences.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Preferences.plist") + (subpath-prefix "${HOME}/Library/Caches/com.apple.keyboards") + (literal-prefix 
"${HOME}/Library/Preferences/com.apple.dataaccess.launchd") + (literal-prefix-regex "${HOME}/Library/Preferences/com[.]apple[.]quicklook[.]quicklookd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaaccessibility.public.plist") + (extension "com.apple.app-sandbox.read-write") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Keyboard/LocalDictionary") + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Saved Application State/com[.]apple[.]quicklook[.]quicklookd[.]savedState/" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]quicklook[.]quicklookd[.]savedState/") + (subpath-prefix "${HOME}")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (regex #"^/private/var/mobile/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings$" #"^/private/var/mobile/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings/" 
#"^/private/var/euser[0-9]+/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings$" #"^/private/var/euser[0-9]+/Documents/com[.]apple[.]quicklook[.]quicklookd[.]settings/") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd-" 
#"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/mobile/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd$" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd-" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd/" #"^/private/var/euser[0-9]+/Library/Caches/Snapshots/com[.]apple[.]quicklook[.]quicklookd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/WebKit/Databases")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.Accessibility.plist")) + (require-not (literal-prefix "${HOME}/Library/Preferences/com.apple.UIKit.plist")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/Snapshots")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Saved Application 
State/com[.]apple[.]quicklook[.]quicklookd[.]savedState" #"^/private/var/euser[0-9]+/Library/Saved Application State/com[.]apple[.]quicklook[.]quicklookd[.]savedState") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Saved Application State")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches/com.apple.DictionaryServices"))) +(allow file-write-data + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/MediaLibrary.sqlitedb") + (literal-prefix "${HOME}/Library/WebKit/Databases/Databases.db") + (literal-prefix "${HOME}/Library/WebKit/LocalStorage/StorageTracker.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "IOAccelDevice2") + (iokit-user-client-class "IOAccelSharedUserClient2") + (iokit-user-client-class "IOSurfaceSendRight") + (iokit-user-client-class "IOAccelContext") + (iokit-user-client-class "IOAccelSharedUserClient") + (iokit-user-client-class 
"IOSurfaceAcceleratorClient") + (iokit-user-client-class "IOAccelDevice") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOAccelSubmitter2") + (iokit-user-client-class "AppleJPEGDriverUserClient") + (iokit-user-client-class "IOAccelContext2")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.medialibraryd.xpc") + (global-name "com.apple.mediaserverd") + (global-name "PurpleSystemAppPort") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.calaccessd") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.springboard.services") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.coremedia.mutablecomposition") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.pegasus") + (global-name "com.apple.coremedia.capturesource") + (global-name 
"com.apple.usernotification.notificationscheduler") + (local-name "com.apple.iphone.axserver") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.coremedia.asset") + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (require-not (global-name "com.apple.networkd")) + (require-any + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.WebBookmarks.webbookmarksd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.UIKit.KeyboardManagement") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.frontboard.workspace") + (global-name "com.apple.UIKit.statusbarserver") + (global-name-regex #"^com[.]apple[.]uikit[.]viewservice[.].+") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.FileProvider") + (global-name "com.apple.backboard.animation-fence-arbiter") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.marco") + (global-name "com.apple.UIKit.pasteboardd") + (global-name "ScripterServer") + (global-name "com.apple.librariand") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "UIASTNotificationCenter") + (global-name "com.apple.UIKit.KeyboardManagement.hosted") + (global-name "com.apple.symptomsd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.frontboard.systemappservices") + (global-name 
"com.apple.lsd.mapdb") + (global-name "com.apple.uikit.GestureServer") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.webfilterd") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.assertiond.extension") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.springboard.services") + (global-name "com.apple.TextInput.lexicon-server") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.airplaydiagnostics.server") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.iohideventsystem") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.backboard.display.services") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.TextInput") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.TextInput.rdt") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.ondemandd.client") + (local-name-regex #"^com[.]apple[.]assistant[.]contextprovider[.]") + (global-name "com.apple.aggregated") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name 
"com.apple.assistant.dictation") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.gpumemd.source") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.TextInput.shortcuts") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.bird.token") + (global-name "com.apple.backboard.hid.services") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.dictationd.recognition") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.accessibility.gax.backboard") + (global-name "com.apple.backboard.TouchDeliveryPolicyServer") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.securityd") + (global-name "com.apple.voiceservices.keepalive") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.safarifetcherd") + (global-name "com.apple.voiceservices.tts") + (global-name "com.apple.assistant.settings") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.pegasus") + (global-name "com.apple.assertiond.expiration") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.webinspector") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.fig.movie") + (global-name "com.apple.commcenter.xpc") + (global-name 
"com.apple.coremedia.sandboxserver") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.sharingd.nsxpc") + (global-name "com.apple.cvmsServ") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.iphone.axserver-systemwide") + (global-name "com.apple.audio.AURemoteIOServer") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.xpcd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.sharingd") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (require-all + (global-name "com.apple.springboard.statusbarservices") + (require-entitlement "com.apple.springboard.statusbarstyleoverrides")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/lockdown.sock") + (literal "/private/var/run/mDNSResponder") + (literal "/private/var/run/printd") + (literal "/private/var/run/syslog") + (control-name "com.apple.network.statistics") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain 
"com.apple.Preferences") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.homesharing") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.keyboard") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mt") + (preference-domain "com.apple.assistant.support") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.MapKit.internal") + (preference-domain "com.apple.voiceservices") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.WebKit") + (preference-domain ".GlobalPreferences") + (preference-domain "com.apple.preferences.sounds") + (preference-domain "com.apple.mediaaccessibility") + (preference-domain "com.apple.telephonyutilities.dialassist") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.SpeakSelection") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.CoreMotion") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.coreanimation") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.iapd") + (preference-domain "com.apple.da") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.WebUI") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.medialibrary") + (preference-domain "com.apple.DataAccess.BehaviorOptions") + (preference-domain 
"com.apple.locationd") + (preference-domain "com.apple.assistant") + (preference-domain "com.apple.EmojiPreferences") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.InputModePreferences") + (preference-domain "com.apple.quicklook.quicklookd") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.videos") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.aggregated") + (preference-domain "com.apple.VoiceOverTouch") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.quicklook.quicklookd") + (preference-domain "com.apple.mediaaccessibility.public") + (preference-domain "com.apple.Preferences") + (preference-domain 
"com.apple.EmojiPreferences") + (preference-domain "com.apple.youtubeframework") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.PeoplePicker")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb.xml new file mode 100644 index 00000000..c3c699a4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/quicklookd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb new file mode 100644 index 00000000..1289c178 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb 
@@ -0,0 +1,120 @@
+(version 1)
+(deny default)
+(allow file-ioctl
+ (literal "/dev/aes_0")
+ (literal "/dev/sha1_0")
+ (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
+ (subpath "/private/etc/racoon")
+ (subpath "/private/var/run/racoon")
+ (literal "/dev/dtracehelper")
+ (literal "/private/etc/master.passwd"))
+(allow file-link)
+(allow file-map-executable)
+(allow file-read*
+ (literal "/dev/aes_0")
+ (literal "/dev/sha1_0")
+ (literal "/dev/random")
+ (literal "/dev/urandom")
+ (subpath "/private/var/Managed Preferences/mobile")
+ (literal "/dev/dtracehelper")
+ (subpath "/private/var/root")
+ (literal "/Library/Managed Preferences/mobile")
+ (literal "/private/var/db/icu")
+ (literal "/private/var/run/racoon.sock")
+ (literal "/private/etc/master.passwd")
+ (subpath "/usr/share")
+ (subpath "/private/etc/racoon")
+ (literal "/private/var/run/racoon.pid")
+ (subpath "/private/var/preferences")
+ (literal "/dev/null")
+ (subpath "/private/var/run/racoon")
+ (literal "/dev/zero")
+ (literal "/Library/Preferences")
+ (subpath "/private/var/db/timezone")
+ (literal "/private/var/log/racoon.log")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")
+ (literal "/Library/Managed Preferences")
+ (require-all
+ (file-mode #o0004)
+ (require-any
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/sbin")
+ (subpath "/usr/share")))
+ (require-all
+ (file-mode #o0004)
+ (require-any
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/share")
+ (subpath "/private/var/db/dyld"))))
+(allow file-read-metadata
+ (literal "/etc")
+ (literal "/tmp")
+ (literal "/var")
+ (literal "/private/etc/localtime"))
+(allow file-write*
+ (literal "/private/var/run/racoon.sock")
+ (literal "/private/var/run/racoon.pid")
+ (literal "/private/var/log/racoon.log")
+ (require-all
+ (regex #"^/cores/")
+ (require-not (file-mode #o0000))))
+(allow file-write-data
+ (literal "/dev/aes_0")
+ (literal "/dev/sha1_0")
+ (literal "/dev/zero")
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null"))
+(allow iokit-open
+ (iokit-user-client-class "AppleMobileFileIntegrityUserClient")
+ (iokit-user-client-class "RootDomainUserClient"))
+(allow iokit-get-properties)
+(allow ipc-posix-shm-read*
+ (ipc-posix-name-regex #"^apple[.]shm[.]cfprefsd[.]"))
+(allow mach-bootstrap)
+(allow mach-cross-domain-lookup)
+(allow mach-lookup
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.nehelper")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.aggregated")
+ (global-name "com.apple.commcenter.xpc")
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.system.libinfo.muser")
+ (local-name "com.apple.cfprefsd.agent"))
+(allow network*
+ (local udp "*:500")
+ (local udp "*:4500")
+ (remote udp "*:*")
+ (literal "/private/var/run/racoon.sock"))
+(allow network-outbound
+ (require-all
+ (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$"))
+ (require-any
+ (control-name "com.apple.net.ipsec_control")
+ (literal "/private/var/run/syslog")
+ (literal "/private/var/run/asl_input"))))
+(allow nvram*)
+(allow nvram-delete)
+(allow nvram-get)
+(allow nvram-set)
+(allow process-info*)
+(allow process-info-listpids)
+(allow process-info-pidinfo)
+(allow process-info-pidfdinfo)
+(allow process-info-pidfileportinfo)
+(allow process-info-setcontrol)
+(allow process-info-dirtycontrol)
+(allow process-info-rusage)
+(allow sysctl*)
+(allow sysctl-read)
+(allow sysctl-write)
+(allow system-privilege)
+(allow system-socket)
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb.xml
new file mode 100644
index 00000000..7c41e086
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/racoon.sb.xml
@@ -0,0 +1,42 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb
new file mode 100644
index 00000000..5bab0d0a
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb
@@ -0,0 +1,355 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + 
(require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/Applications") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/usr/libexec") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/containers/Bundle/Application") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + 
(extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + 
(literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + 
(extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOSurfaceRootUserClient") + (iokit-user-client-class "IOSurfaceSendRight")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.aggregated") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.audio.AudioQueueServer") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.pegasus") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.xpcd") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.system.logger") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.backboard.display.services") + 
(global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.coremedia.virtualdisplaysession") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.fig.movie") + (global-name "com.apple.coremedia.audiodeviceclock") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.ctkd.token-client") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.system.libinfo.muser") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension 
"com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.corevideo") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/replayd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb new file mode 100644 index 00000000..d2c4918a --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb 
@@ -0,0 +1,197 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/System/Library") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreSuggestions.MobileAssets.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (require-all + (subpath "/private/var/MobileAsset") + (extension 
"com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) 
+(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.webinspector") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + 
(global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.CoreSuggestions.MobileAssets") + (preference-domain "com.apple.suggestions") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/reversetemplated.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb new file mode 100644 index 00000000..6babb37b --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb 
@@ -0,0 +1,271 @@
+(version 1)
+(deny default)
+(allow file-issue-extension
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.revisiond.staging")
+ (regex #"^/private/var/[.]DocumentRevisions-V100/" #"^/private/var/[.]DocumentRevisions-V100$" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+/" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+$"))
+ (require-all
+ (extension-class "com.apple.revisiond.revision")
+ (regex #"^/private/var/[.]DocumentRevisions-V100/" #"^/private/var/[.]DocumentRevisions-V100$" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+/" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+$"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))
+(allow file-link)
+(allow file-map-executable)
+(allow file-read-metadata
+ (literal-prefix "${HOME}/Library/Caches/powerlog.launchd")
+ (literal-prefix "${HOME}")
+ (literal "/private/var/run/syslog")
+ (vnode-type DIRECTORY)
+ (vnode-type SYMLINK)
+ (literal-prefix "${HOME}/Library/Preferences")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (literal-prefix "${HOME}")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive"))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences")
+ (require-entitlement "com.apple.bulletinboard.dataprovider")))
+(allow file-write*
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/[.]DocumentRevisions-V100/" #"^/private/var/[.]DocumentRevisions-V100$" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+/" #"^/private/var/[.]DocumentRevisions-V100-bad-[0-9]+$")
+ (subpath "/private/var/log/com.apple.revisiond")
+ (subpath "/private/var/tmp")
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))
+(allow file-write-create
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send")))
+(allow file-write-data
+ (literal "/dev/ptmx")
+ (literal "/dev/aes_0")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (require-not (literal "/dev/random"))
+ (require-not (literal "/dev/urandom"))
+ (require-any
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")))
+(allow file-write-mode
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty")))
+(allow file-write-unlink
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive")))
+(allow iokit-get-properties)
+(allow mach-bootstrap)
+(allow mach-cross-domain-lookup)
+(allow mach-lookup
+ (global-name "com.apple.ReportCrash.SimulateCrash")
+ (global-name "com.apple.hangtracerd")
+ (global-name "com.apple.lsd.open")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.CoreServices.coreservicesd")
+ (global-name "com.apple.lsd")
+ (global-name "com.apple.lsd.advertisingidentifiers")
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.FSEvents")
+ (global-name "com.apple.tccd")
+ (global-name "com.apple.distributed_notifications@1v3")
+ (global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
+ (global-name "com.apple.duetknowledged.activity")
+ (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.lsd.mapdb")
+ (global-name "com.apple.xpcd")
+ (global-name "com.apple.CoreAuthentication.daemon.libxpc")
+ (global-name "com.apple.assertiond.processassertionconnection")
+ (global-name "com.apple.PowerManagement.control")
+ (global-name "com.apple.lsd.openurl")
+ (global-name "com.apple.revisiond")
+ (global-name "com.apple.managedconfiguration.profiled.public")
+ (global-name "com.apple.containermanagerd")
+ (global-name "com.apple.mobilegestalt.xpc")
+ (global-name "com.apple.appsupport.cplogd")
+ (global-name "com.apple.aggregated")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.system.libinfo.muser")
+ (global-name "com.apple.lsd.icons")
+ (require-all
+ (global-name "com.apple.itunesstored.xpc")
+ (require-entitlement "com.apple.itunesstored.private"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.local-name")
+ (local-name-regex #".+"))
+ (require-all
+ (global-name "com.apple.bulletinboard.dataproviderconnection")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (global-name "com.apple.coreduetd.people")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.global-name")
+ (global-name-regex #".+")))
+(allow nvram*)
+(allow nvram-delete)
+(allow nvram-get)
+(allow nvram-set)
+(allow process-info*)
+(allow process-info-listpids)
+(allow process-info-pidinfo)
+(allow process-info-pidfdinfo)
+(allow process-info-pidfileportinfo)
+(allow process-info-setcontrol)
+(allow process-info-dirtycontrol)
+(allow process-info-rusage)
+(allow pseudo-tty)
+(allow sysctl-read)
+(allow system-fsctl
+ (fsctl-command (_IO "h" 13))
+ (fsctl-command (_IO "h" 24))
+ (fsctl-command (_IO "h" 31))
+ (fsctl-command (_IO "h" 32))
+ (fsctl-command (_IO "h" 30)))
+(allow system-privilege)
+(allow system-sched)
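Review bot: The `file-write*` rule in this reference pins `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) ...)` around the `interactionC.db-journal` path, a conjunction no single vnode can satisfy, so that branch of the rule can never match; if the reverser has dropped a negation or mis-nested a `require-any` here, the test would lock in the wrong decompilation rather than catch it, so this rule is worth cross-checking against the compiled profile before the file is accepted as a reference. The same unsatisfiable pair recurs in the routined.sb hunk's `file-read*` and `file-write*` rules. The `file-issue-extension` rule also repeats `(regex #"^/private/var/containers/Data/System/[^/]+/")` and its two-pattern variant verbatim, which reads as undeduplicated reverser output; if both are intended, a short comment in the test stating that references are accepted byte-for-byte as the reverser emits them would spare the next reader the same question.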
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb.xml
new file mode 100644
index 00000000..e93d2bb4
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/revisiond.sb.xml
@@ -0,0 +1,41 @@
+ + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb
new file mode 100644
index 00000000..e679cb79
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb
@@ -0,0 +1,654 @@
+(version 1)
+(deny default)
+(allow file-issue-extension
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.nsurlstorage.extension-cache")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension "com.apple.sandbox.executable")
+ (extension-class "com.apple.nsurlsessiond.readonly"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath-prefix "${HOME}/Library/Cookies"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container")))
+(allow file-map-executable)
+(allow file-read*
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist")
+ (subpath "/Applications")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist")
+ (literal "/usr/libexec")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist")
+ (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist")
+ (literal "/private/var/preferences/com.apple.security.plist")
+ (subpath "/usr/share")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (subpath "/private/var/db/timezone")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist")
+ (subpath-prefix "${HOME}/Library/CoreDuet")
+ (literal-prefix "${HOME}/Library/Logs/CrashReporter/CoreRoutineDiagnosticFiles")
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db-journal")
+ (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$")
+ (extension "com.apple.sandbox.executable")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist")
+ (subpath "/System")
+ (literal-prefix "${HOME}/Library/Logs/awd/awd-routined.log")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.]routined[.]plist")
+ (literal "/usr/libexec/routined")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (subpath "/private/var/containers/Bundle")
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (subpath-prefix "${HOME}/Library/Logs/com.apple.routined")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist")
+ (literal "/private/var/preferences/com.apple.NetworkStatistics.plist")
+ (literal "/private/var/preferences/com.apple.networkd.plist")
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db-shm")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist")
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$")
+ (subpath-prefix "${HOME}/Library/Cookies")
+ (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay")
+ (subpath "/private/var/tmp")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist")
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db-wal")
+ (subpath "/Developer")
+ (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync")
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist")
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
+ (subpath "/usr/lib")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist")
+ (subpath "/Library/Audio/Plug-Ins")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist")
+ (subpath-prefix "${HOME}/Library/Assets")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.routined.plist")
+ (require-all
+ (subpath "/AppleInternal/Library")
+ (debug-mode))
+ (require-all
+ (subpath "/private/var/MobileAsset")
+ (extension "com.apple.assets.read"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin"))
+ (require-any
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (literal "/dev/random")
+ (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices")
+ (literal "/dev/urandom")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+ (literal "/dev/aes_0")
+ (subpath "/private/var/containers/Data/System/com.apple.geod")
+ (literal "/dev/ptmx")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (literal "/dev/dtracehelper")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")
+ (require-all
+ (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))
+ (require-all
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (require-any
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/group")
+ (literal "/private/etc/passwd")
+ (literal "/")
+ (literal "/private/etc/protocols")
+ (literal "/private/etc/services")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type DIRECTORY)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))))
+ (require-all
+ (debug-mode)
+ (require-any
+ (subpath "/AppleInternal/Applications")
+ (subpath "/private/var/mobile/XcodeBuiltProducts")))
+ (require-all
+ (subpath-prefix "${HOME}/XcodeBuiltProducts")
+ (debug-mode))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (subpath-prefix "${HOME}/Library/Assets")
+ (extension "com.apple.assets.read"))
+ (require-all
+ (subpath-prefix "${HOME}/Library/AddressBook")
+ (extension "com.apple.tcc.kTCCServiceAddressBook")))
+(allow file-read-metadata
+ (literal-prefix "${HOME}/Library/Caches/powerlog.launchd")
+ (literal-prefix "${HOME}")
+ (subpath-prefix "${HOME}/Library/Carrier Bundles")
+ (literal-prefix "${HOME}/Library/Caches")
+ (literal-prefix "${HOME}/Library/DeviceRegistry")
+ (vnode-type DIRECTORY)
+ (vnode-type SYMLINK)
+ (literal-prefix "${HOME}/Library/Preferences")
+ (literal-prefix "${HOME}/Library/PPTDevice")
+ (literal "/private/var/run/syslog")
+ (literal-prefix "${HOME}/Library/Logs/awd")
+ (require-all
+ (vnode-type DIRECTORY)
+ (literal-prefix "${HOME}/Library/Logs/awd"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (literal-prefix "${HOME}")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type DIRECTORY)
+ (literal-prefix "${HOME}/Library/Caches"))
+ (require-all
+ (vnode-type DIRECTORY)
+ (require-any
+ (literal-prefix "${HOME}/Library/DeviceRegistry")
+ (require-all
+ (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$")
+ (subpath-prefix "${HOME}")))))
+(allow file-write*
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.routined.plist")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync")
+ (subpath-prefix "${HOME}/Library/Logs/com.apple.routined")
+ (literal-prefix "${HOME}/Library/Logs/CrashReporter/CoreRoutineDiagnosticFiles")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.]routined[.]plist")
+ (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db-journal")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist")
+ (literal-prefix "${HOME}/Library/Logs/awd/awd-routined.log")
+ (subpath "/private/var/tmp")
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (subpath-prefix "${HOME}/Library/AddressBook")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin"))
+ (require-any
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (vnode-type DIRECTORY)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]routined$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]routined$")
+ 
(subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal-prefix "${HOME}/Library/DuetKnowledgeCollector/Internal/cache.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + 
(vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.securityd") + (global-name "com.apple.tccd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.marco") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.symptomsd") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "com.apple.ctkd.token-client") + (global-name 
"com.apple.locationd.registration") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.navigationListener") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.nehelper") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.lsd.open") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.calaccessd") + (global-name "com.apple.Maps.mapspushd") + (global-name "com.apple.passd.usage") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.carkit.service") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.geod") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.networkd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.lsd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.pairedsyncd.syncstate") 
+ (global-name "com.apple.system.notification_center") + (global-name "com.apple.locationd.routine") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.coreduetd.knowledge") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coreduetd.knowledgebase") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (remote tcp "*:443") + (remote tcp "*:80") + (literal "/private/var/run/syslog") + (literal 
"/private/var/run/mDNSResponder") + (control-name "com.apple.netsrc") + (control-name "com.apple.network.statistics")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.routined") + (preference-domain "com.apple.stockholm") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.marco") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.conference") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.routined") + (preference-domain "com.apple.PeoplePicker")) +(allow 
process-exec* + (literal "/usr/bin/ditto")) +(allow process-fork) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) +(allow system-socket) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb.xml new file mode 100644 index 00000000..49a8a1b2 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/routined.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb new file mode 100644 index 00000000..4b18125b --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb 
@@ -0,0 +1,547 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + 
(extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + 
(extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/usr/libexec") + (literal "/dev/null") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/usr/libexec/seld") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.awd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.passbook.plist") + (subpath "/System/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.tsmreg.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/com.apple.seld.seinfo.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.seld.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${HOME}/Library/Logs/awd/awd-seld.log") + 
(require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/NearField" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/NearField") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]seld" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]seld" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]seld") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Logs/CrashReporter") + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${HOME}/Library/Logs/awd") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + 
(require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.seld.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.tsmreg.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.stockholm.awd.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.seld.seinfo.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Logs/awd/awd-seld.log") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + 
(vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]seld" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]seld" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]seld") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]seld$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs/NearField" #"^/private/var/euser[0-9]+/Library/Logs/CrashReporter/DiagnosticLogs/NearField") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter/DiagnosticLogs")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/awd")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Logs/CrashReporter")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection")))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension 
"com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "AppleSSEUserClient") + (iokit-user-client-class "RootDomainUserClient") + (iokit-user-client-class "AppleCredentialManagerUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nfcd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.cookied") + (global-name "com.apple.networkd") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.apsd") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.aggregated") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.system.logger") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name 
"com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nehelper") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.symptomsd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.nfcd.hwmanager") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.trustd") + (global-name "com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.awdd") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "com.apple.authkit.client") + (require-entitlement 
"com.apple.authkit.client.private") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged"))) +(allow mach-register + (global-name "com.apple.seld.aps") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.stockholm") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.passbook") + (preference-domain "com.apple.stockholm.awd") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.seld") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.stockholm.tsmreg") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.seld") + (preference-domain "com.apple.stockholm.awd") + (preference-domain "com.apple.stockholm.tsmreg") + (preference-domain "com.apple.stockholm")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow 
process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/seld.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb new file mode 100644 index 00000000..1de1fc5b --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb 
@@ -0,0 +1,895 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (extension "com.apple.librarian.ubiquity-container") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix 
"${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (subpath-prefix "${HOME}/Media/Debug") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Media/PhotoStreamsData")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + 
(extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.app-sandbox.read-write")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement 
"com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/Memories") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (subpath-prefix "${HOME}/Media/DCIM") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Media/Photos") + (require-any + (extension-class "com.apple.mediaserverd.read-write") + (extension-class "com.apple.mediaserverd.read"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (subpath-prefix "${HOME}/Downloads/com.apple.AirDrop") + (extension-class "com.apple.mediaserverd.read")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Memories") + (subpath-prefix "${HOME}/Media/DCIM"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (extension-class "com.apple.mediaserverd.read"))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (subpath "/System/Library") + (literal "/usr/libexec") + (subpath-prefix "${HOME}/Media/Debug") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Media/DCIM") + (subpath-prefix "${HOME}/Media/PhotoData") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.UIKit.plist") + (subpath-prefix "${HOME}/Library/Logs/com.apple.sharingd") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilenotes.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal-prefix 
"${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (subpath "/AppleInternal/Applications/Sharing.app") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (subpath-prefix "${HOME}/Library/Fonts") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.iokit.IOMobileGraphicsFamily.plist") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/EffectiveUserSettings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (subpath-prefix "${HOME}/Media/PhotoStreamsData") + (subpath-prefix "${HOME}/Library/Notes") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + 
(extension "com.apple.sharing.airdrop.readonly") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Media/Memories") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (subpath "/Developer") + (subpath "/usr/share") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.sharingd.plist") + (subpath-prefix "${HOME}/Downloads/com.apple.AirDrop") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Library/Ringtones") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.eventkit.plist") + (subpath-prefix "${HOME}/Media/Recordings") + (require-all + (subpath-prefix "${HOME}/Library/Application Support/Ubiquity/genstore") + (extension "com.apple.librarian.ubiquity-revision")) + (require-all + (subpath-prefix "${HOME}/Library/Application Support/CloudDocs/session/r") + (vnode-type REGULAR-FILE) + (extension "com.apple.clouddocs.version")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.notes..+.lock$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.notes..+.lock$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/mobile/Library/UserConfigurationProfiles/EffectiveUserSettings.plist$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/EffectiveUserSettings.plist$") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + 
(vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/tmp") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision")) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal "/private/var/preferences/com.apple.security.plist") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.marco.plist") + (literal "/dev/dtracehelper") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.ids.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.conference.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (literal "/dev/aes_0") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]sharingd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]sharingd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]sharingd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing/") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/PerUID") + (extension "com.apple.revisiond.revision"))) +(allow file-read-metadata + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (literal-prefix "${HOME}/Downloads") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library") + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/PPTDevice") + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Media") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Mobile Documents") + (literal "/private/var/run/syslog") + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Downloads")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement 
"com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Sharing.plist") + (subpath-prefix "${HOME}/Media/Memories") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Media/Debug") + (subpath-prefix "${HOME}/Media/Photos") + (subpath-prefix "${HOME}/Downloads/com.apple.AirDrop") + (subpath-prefix "${HOME}/Media/PhotoData") + (subpath-prefix "${HOME}/Library/Notes") + (subpath-prefix "${HOME}/Library/Logs/com.apple.sharingd") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.sharingd.plist") + (subpath-prefix "${HOME}/Media/Recordings") + (subpath-prefix "${HOME}/Media/DCIM") + (subpath "/private/var/tmp") + (require-all + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]sharingd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]sharingd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]sharingd" 
#"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]sharingd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/com[.]apple[.]sharing/") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")))) + (require-all + (subpath-prefix "${HOME}/Library/Mobile Documents") + (require-any + (extension "com.apple.librarian.ubiquity-container") + (require-entitlement "com.apple.private.librarian.container-proxy"))) + (require-all + (vnode-type DIRECTORY) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type SYMLINK) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (vnode-type REGULAR-FILE) + (subpath "/private/var/.DocumentRevisions-V100/staging") + (extension "com.apple.revisiond.staging")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com.apple.notes..+.lock$" #"^/private/var/euser[0-9]+/Library/Caches/com.apple.notes..+.lock$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Media/MediaAnalysis") + (literal-prefix "${HOME}/Media/Memories"))) + (require-all + (require-not 
(literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Downloads"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-flags + (literal-prefix "${HOME}/Downloads")) +(allow file-write-mode + (literal-prefix "${HOME}/Downloads") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "IOMobileFramebufferUserClient") + (iokit-user-client-class "AppleKeyStoreUserClient") + (iokit-user-client-class "RootDomainUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name 
"com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioSession") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.quicklook.ThumbnailsAgent") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.server.bluetooth") + (global-name "com.apple.marco") + (global-name "com.apple.librariand") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.fig.movie") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.FileProvider") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.MediaRemote.isrunning") + (global-name "com.apple.calaccessd") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name 
"com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.MediaRemote.nowplayingserver") + (global-name "com.apple.bulletinboard.settingsconnection") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.identityservicesd.embedded.auth") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.NPKCompanionAgent.library") + (global-name "com.apple.ProgressReporting") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.MobileInternetSharing") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.apsd") + (global-name "com.apple.CARenderServer") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.wirelessproxd") + 
(global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.wifi.manager") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.bird.token") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.passd.assertions") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.revisiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.securityd") + (global-name "com.apple.voicememod.xpc") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.bird") + (global-name "com.apple.pegasus") + (global-name "com.apple.vibrationmanagerd") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.logger") + (global-name "com.apple.coreservices.appleid.authentication") + (global-name "com.apple.MediaRemote.daemon") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.passd.library") + (global-name "com.apple.awdd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.xpcd") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name 
"com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people"))) +(allow network-outbound + (require-all + (require-not (regex #"^/private/tmp/launchd-[0-9]+[.][^/]+/sock$")) + (require-any + (literal "/private/var/run/mDNSResponder") + (control-name "com.apple.network.statistics") + (literal "/private/var/run/syslog") + (remote udp "*:*") + (remote tcp "*:*") + (control-name "com.apple.netsrc")))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.ids") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.iokit.IOMobileGraphicsFamily") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.marco") + (preference-domain 
"com.apple.nanoprefsyncd") + (preference-domain "com.apple.eventkit") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.Sharing") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.UIKit") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.sharingd") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.mobilenotes") + (preference-domain "com.apple.logging") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.conference") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.Sharing") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.sharingd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/sharingd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb new file mode 100644 index 00000000..589f2531 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb 
@@ -0,0 +1,821 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (require-all + 
(extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc$" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + 
(require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (require-any + (require-all + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.tcc.kTCCServicePhotos")))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.logging.plist") + (subpath "/System/Library") + (subpath-prefix "${HOME}/Library/Social") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${HOME}/Media/iTunes_Control/iTunes/Ringtones.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.tencentweibo.xpc.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.weibo.xpc.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.vimeo.xpc.plist") + (literal-prefix "${HOME}/Library/Caches/Checkpoint.plist") + (literal "/private/var/preferences/com.apple.security.plist") + (literal-prefix "${HOME}/Media/Vibrations/UserGeneratedVibrationPatterns.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (subpath-prefix "${HOME}/Media/Purchases") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.demo-settings.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.camera.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.flickr.xpc.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.NanoRegistry.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.twitter.xpc.plist") + (subpath "/private/var/db/timezone") + (subpath-prefix "${HOME}/Media/iTunes_Control/Ringtones") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.pairedsync.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facebook.xpc.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal 
"/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.nanoprefsyncd.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (subpath "/private/var/tmp") + (subpath "/Developer") + (subpath "/Library/Ringtones") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.springboard.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/AddressBook") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.twitterd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileslideshow.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/usr/share") + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media") + (extension "com.apple.avasset.read-only") + (extension 
"com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/syncInfo.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + 
(require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Sync/FaceAlbumThumbnails") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (subpath-prefix "${HOME}/Media/PhotoData/Metadata") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/NanoPreferencesSync/NanoDomains/com[.]apple[.]ToneLibrary$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-journal") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix 
"${HOME}/Media/PhotoData/Photos.sqlite-shm") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (require-not (subpath-prefix "${HOME}/Library/FairPlay")) + (require-not (literal "/usr/sbin/fairplayd")) + (require-not (subpath-prefix "${HOME}/Media")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (require-all + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath-prefix "${FRONT_USER_HOME}/Library/Caches/GeoServices") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/private/var/containers/Data/System/com.apple.geod") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/zero") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+/GeoServices/") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (regex 
#"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")))) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")))) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Photos.sqlite-wal") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-read-metadata + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (literal-prefix "${HOME}/Library/DeviceRegistry") + (literal-prefix "${HOME}/Media") + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Caches") + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + 
(subpath-prefix "${HOME}")))) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (literal-prefix "${HOME}") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Media/PhotoData/Thumbnails") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.twitter.xpc.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.twitterd.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.vimeo.xpc.plist") + (subpath-prefix "${HOME}/Library/AddressBook") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.facebook.xpc.plist") + (subpath-prefix "${HOME}/Library/Social") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.tencentweibo.xpc.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.weibo.xpc.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.flickr.xpc.plist") + (subpath "/private/var/tmp") + (require-all + (require-not (subpath-prefix "${HOME}/Media")) + (require-not (literal-prefix "${HOME}/Library/Caches/GeoServices/tguid.bin")) + (require-any + (subpath-prefix "${HOME}/Library/Cookies") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc$" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]facebook[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]flickr[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]tencentweibo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]twitter[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]vimeo[.]xpc$" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]weibo[.]xpc$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]((((f(acebook|lickr)|tencentweibo)|twitter)|vimeo)|weibo)[.]xpc$") + 
(subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${HOME}/Library/DeviceRegistry") + (require-all + (regex #"^/private/var/mobile/Library/DeviceRegistry/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Library/DeviceRegistry/[-0-9A-Z]+$") + (subpath-prefix "${HOME}")))) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.pairedsyncd.syncstate") + (global-name "com.apple.nano.nanoregistry.paireddeviceregistry") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.audio.AudioSession") + (global-name 
"com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.tccd") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.asset") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.trustd") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.nanomaps.xpc.GeoServices") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.assetsd.changehub") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.GSSCred") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.nanoprefsync") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.fig.movie") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name "com.apple.FileCoordination") + (global-name "com.apple.diagnosticd") + 
(global-name "com.apple.containermanagerd") + (global-name "com.apple.SBUserNotification") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.coremedia.capturesource") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.accountsd.oauthsigner") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.PersistentURLTranslator.Gatekeeper") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.geod") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.pegasus") + (global-name "com.apple.networkd") + (global-name "com.apple.lsd") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.vibrationmanagerd") + (global-name 
"com.apple.audio.SystemSoundServer-iOS") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.xpcd") + (global-name "com.apple.mobilecheckpoint.checkpointd") + (require-all + (global-name "com.apple.itunescloudd.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.springboard.backgroundappservices") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.videocompositor") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement "com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.fig.movie") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (global-name "com.apple.pegasus") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.admin") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application") + (require-entitlement 
"com.apple.authkit.client.private"))) + (require-all + (global-name "com.apple.coremedia.sandboxserver") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coremedia.remaker") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.audio.AudioSession") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.assetimagegenerator") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.capturesource") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.endpoint.xpc") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.mediaserverd") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coremedia.recorder") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.coremedia.asset") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (preference-domain "com.apple.NanoRegistry") + (preference-domain "com.apple.demo-settings") + (preference-domain "com.apple.WebFoundation") + (preference-domain "com.apple.twitterd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.coreaudio") + (preference-domain 
"com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.camera") + (preference-domain "com.apple.corevideo") + (preference-domain "com.apple.logging") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.weibo.xpc") + (preference-domain "com.apple.pairedsync") + (preference-domain "com.apple.CoreDuet") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.flickr.xpc") + (preference-domain "com.apple.mobileslideshow") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.facebook.xpc") + (preference-domain "com.apple.coremedia") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.springboard") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.tencentweibo.xpc") + (preference-domain "com.apple.twitter.xpc") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.vimeo.xpc") + (preference-domain "com.apple.nanoprefsyncd") + (preference-domain "com.apple.itunesstored") + (preference-domain "kCFPreferencesAnyApplication") + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.itunesstored") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coremedia") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.coreaudio") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.avfoundation") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + (preference-domain "com.apple.mobileipod") + (extension "com.apple.tcc.kTCCServicePhotos")) + (require-all + 
(preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (preference-domain "com.apple.corevideo") + (extension "com.apple.tcc.kTCCServicePhotos"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.twitterd") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.tencentweibo.xpc") + (preference-domain "com.apple.twitter.xpc") + (preference-domain "com.apple.facebook.xpc") + (preference-domain "com.apple.vimeo.xpc") + (preference-domain "com.apple.weibo.xpc") + (preference-domain "com.apple.flickr.xpc")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/social-services.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb new file mode 100644 index 00000000..b90ab2d4 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb 
@@ -0,0 +1,222 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (subpath "/System/Library") + (subpath "/private/var/db/UpdateMetrics") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileSoftwareUpdate.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (literal-prefix "${HOME}/MobileSoftwareUpdate/restore.log") + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/MobileSoftwareUpdate") + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + 
(literal-prefix "${HOME}/MobileSoftwareUpdate")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${HOME}/MobileSoftwareUpdate/restore.log") + (subpath "/private/var/db/UpdateMetrics") + (literal-prefix "${HOME}/Library/Logs/CrashReporter/OTAUpdate-") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/MobileSoftwareUpdate")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + 
(literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-set-properties + (iokit-property "IONVRAM-DELETE-PROPERTY")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.MobileSoftwareUpdate") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/softwareupdated.sb.xml 
@@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb new file mode 100644 index 00000000..3a4aa8cf --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb 
@@ -0,0 +1,367 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") 
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.StreamingUnzipService") + (subpath-prefix "${HOME}/Media")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (literal "/dev/random") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.StreamingUnzipService.plist") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/usr/libexec") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (literal "/usr/libexec/streaming_zip_conduit") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-data + (require-all + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Media"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type REGULAR-FILE) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Media")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + 
(literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (literal "/dev/random") + (literal "/dev/urandom") + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Media")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type SYMLINK) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type REGULAR-FILE) + (subpath-prefix "${HOME}/Media")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Media"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.mobile.installd") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.lsd") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name 
"com.apple.system.logger") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.lsd.modifydb") + (global-name "com.apple.xpcd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.lsd.xpc") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.securityd") + (global-name "com.apple.springboard.blockableservices") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.lockdown.host_watcher") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) 
+(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/streaming_zip_conduit.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb new file mode 100644 index 00000000..a266fa61 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb 
@@ -0,0 +1,501 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension 
"com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class 
"com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + 
(extension-class "com.apple.mediaserverd.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath-prefix "${HOME}/Library/studentd") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-shm") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.Accessibility.plist") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.avfoundation.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobileipod.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.studentd.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (literal-prefix "${HOME}/Library/Preferences/com.apple.carrier.plist") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-wal") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.corevideo.plist") + (literal "/dev/ptmx") + (regex #"^/System/Library/Carrier Bundles/[.]png$" #"^/System/Library/Carrier Bundles/.+[.]png$") + (subpath "/System/Library") + (literal "/private/var/preferences/com.apple.NetworkStatistics.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coreaudio.plist") + 
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.itunesstored.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-journal") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/aes_0") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (regex #"^/System/Library/Carrier Bundles//carrier[.]plist$" #"^/System/Library/Carrier Bundles/.+/carrier[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.locationd.plist") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal-prefix "${HOME}/Library/Safari") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.GEO.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Carrier Bundles/Overlay") + (subpath "/private/var/tmp") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.coremedia.plist") + (literal "/dev/random") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mediaremote.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (regex 
#"^/private/var/containers/Bundle/[^/]+/[-0-9A-Z]+/Classroom.app") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles//carrier[.]plist$" #"^/private/var/mobile/Library/Carrier Bundles/.+/carrier[.]plist$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*/carrier[.]plist$") + (subpath-prefix "${HOME}")) + (require-all + (regex 
#"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Carrier Bundles/[.]png$" #"^/private/var/mobile/Library/Carrier Bundles/.+[.]png$" #"^/private/var/euser[0-9]+/Library/Carrier Bundles/.*[.]png$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (subpath-prefix "${HOME}/Library/Carrier Bundles") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/studentd") + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db-journal") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.studentd.plist") + (subpath "/private/var/tmp") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix 
"${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal-prefix "${HOME}/Library/Safari/Bookmarks.db") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.audio.AudioSession") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.SystemConfiguration.SCNetworkReachability") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.tccd") + (global-name "com.apple.UIKit.statusbarserver") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.coremedia.capturesource") + (global-name 
"com.apple.coremedia.asset") + (global-name "com.apple.nesessionmanager") + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.server.bluetooth.le.att.xpc") + (global-name "com.apple.fig.movie") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.cfnetwork.AuthBrokerAgent") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.accessibility.AXSpringBoardServer") + (global-name "com.apple.springboard.icongeneration") + (global-name "com.apple.managedconfiguration.profiled") + (global-name "com.apple.SystemConfiguration.helper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.powerlog.plxpclogger.xpc") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.GSSCred") + (global-name "com.apple.springboard.services") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cookied") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.accessibility.AXBackBoardServer") + (global-name "com.apple.coremedia.admin") + (global-name "com.apple.commcenter.cupolicy.xpc") + (global-name "com.apple.cfnetwork.cfnetworkagent") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.locationd.registration") + (global-name "com.apple.coremedia.capturesession") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.symptomsd") + (global-name "com.apple.nehelper") + (global-name "com.apple.itunesstored.xpc") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.SystemConfiguration.DNSConfiguration") + (global-name "com.apple.usernotification.notificationregistrar") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.coremedia.sandboxserver") + (global-name "com.apple.SystemConfiguration.NetworkInformation") + 
(global-name "com.apple.lsd.open") + (global-name "com.apple.itunescloudd.xpc") + (global-name "com.apple.locationd.synchronous") + (global-name "com.apple.networkd") + (global-name "com.apple.mobile.keybagd.UserManager.xpc") + (global-name "com.apple.lsd") + (global-name "com.apple.mediaremoted.xpc") + (global-name "com.apple.wirelessproxd") + (global-name "com.apple.coremedia.assetimagegenerator") + (global-name "com.apple.coremedia.videocompositor") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nsurlsessiond") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.coremedia.endpoint.xpc") + (global-name "com.apple.usymptomsd") + (global-name "com.apple.usernotification.notificationscheduler") + (global-name "com.apple.securityd") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.logind.client.machService") + (global-name "com.apple.lsd.icons") + (global-name "com.apple.pegasus") + (global-name "com.apple.mediaserverd") + (global-name "com.apple.frontboard.systemappservices") + (global-name "com.apple.coremedia.recorder") + (global-name "com.apple.pluginkit.pkd") + (global-name "com.apple.mobile.keybagd.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.SystemConfiguration.PPPController") + (global-name "com.apple.locationd.spi") + (global-name "com.apple.system.logger") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.nsurlstorage-cache") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.trustd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.coremedia.remaker") + (global-name "com.apple.xpcd") + (require-all + (global-name "com.apple.ak.auth.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement 
"com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.ak.anisette.xpc") + (require-any + (require-entitlement "com.apple.authkit.client") + (require-entitlement "com.apple.authkit.client.private") + (require-entitlement "com.apple.authkit.client.internal") + (require-entitlement "platform-application"))) + (require-all + (global-name "com.apple.networkd_privileged") + (require-entitlement "com.apple.networkd_privileged")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.mobileipod") + (preference-domain "com.apple.mediaremote") + (preference-domain "com.apple.locationd") + (preference-domain "com.apple.avfoundation") + (preference-domain "com.apple.GEO") + (preference-domain "com.apple.studentd") + (preference-domain "com.apple.coreaudio") + (preference-domain "com.apple.itunesstored") + (preference-domain "com.apple.carrier") + (preference-domain "com.apple.coremedia") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.Accessibility") + (preference-domain "com.apple.corevideo") + (require-all + 
(preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.studentd")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/studentd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb new file mode 100644 index 00000000..b1fe9903 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb 
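Review bot: The `file-read*` rule in this reference that wraps `/private/etc/hosts`, `/private/etc/passwd`, `/` and the CoreDuet `interactionC.db*` paths in `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any …))`, and the matching `file-write*` rule for `interactionC.db-journal`, can never match as written, because a vnode cannot be both types at once. The `file-write-data` rule a few lines further down spells the analogous exclusion as `(require-not (literal "/dev/random")) (require-not (literal "/dev/urandom"))`, so the two device-type filters look like negations the decompiler dropped and the expected output is probably `(require-not (vnode-type BLOCK-DEVICE))` and `(require-not (vnode-type CHARACTER-DEVICE))`. Committing the unsatisfiable form as the golden output would pin a profile that under-reports what studentd may read and write (the real rule presumably grants those paths for ordinary files), so it is worth checking the operation node in the kext bytecode before freezing this reference. Separately, `file-issue-extension` lists `(regex #"^/private/var/containers/Data/System/[^/]+/")` and its two-pattern variant twice verbatim, which the test will also lock in as expected behaviour of the decompiler.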
@@ -0,0 +1,310 @@ +(version 1) +(deny default) +(allow file-map-executable) +(allow file-read* + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.MobileAsset.plist") + (subpath "/System/Library") + (subpath-prefix "${HOME}/Library/Suggestions") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreSuggestions.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath-prefix "${HOME}/Library/CallHistoryDB") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (literal-prefix "${HOME}/Library/SyncedPreferences/com.apple.CoreSuggestions.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.mobilecal.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/tmp") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.message.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist") + (literal "/dev/dtracehelper") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreSuggestions.MobileAssets.plist") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath-prefix "${HOME}/Library/Calendar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (subpath "/private/var/MobileAsset") + (extension "com.apple.assets.read")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" 
#"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/Library/Assets") + (extension "com.apple.assets.read")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Suggestions") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.suggestions.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync") + (subpath-prefix "${HOME}/Library/Calendar") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist") + (literal-prefix 
"${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreSuggestions.plist") + (subpath "/private/var/tmp") + (require-all + (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist") + (extension "com.apple.tcc.kTCCServiceAddressBook")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (subpath-prefix "${HOME}/Library/AddressBook") + (extension "com.apple.tcc.kTCCServiceAddressBook"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow 
file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.mobileassetd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.syncdefaultsd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.rtcreportingd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.ABDatabaseDoctor") + (global-name "com.apple.lsd") + (global-name "com.apple.securityd") + (global-name "com.apple.identityservicesd.idquery.embedded.auth") + (global-name "com.apple.CallHistorySyncHelper") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.commcenter.xpc") + (global-name "com.apple.reversetemplated") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.system.logger") + (global-name "com.apple.calaccessd") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.xpcd") + (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.accountsd.accountmanager") + (global-name "com.apple.spotlight.IndexAgent") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.corerecents.recentsd") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.lsd.openurl") + (global-name 
"com.apple.tccd") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (global-name "com.apple.cmfsyncagent.embedded.auth") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.AppSupport") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.suggestions") + (preference-domain "com.apple.CoreSuggestions.MobileAssets") + (preference-domain "com.apple.message") + (preference-domain "com.apple.MobileAsset") + (preference-domain "com.apple.DataMigration") + (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup") + (preference-domain "com.apple.icloud.findmydeviced.postwipe") + (preference-domain "com.apple.CoreSuggestions") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.CoreDuet") + (preference-domain "com.apple.mobilecal") + (preference-domain "com.apple.AOSNotification.public.notbackedup") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement 
"com.apple.bulletinboard.dataprovider"))) +(allow user-preference-write + (extension "com.apple.security.exception.shared-preference.read-write") + (preference-domain "com.apple.CoreSuggestions") + (preference-domain "com.apple.PeoplePicker") + (preference-domain "com.apple.suggestions")) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb.xml new file mode 100644 index 00000000..c9d99090 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/suggestd.sb.xml @@ -0,0 +1,39 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb new file mode 100644 index 00000000..a67682eb --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb 
@@ -0,0 +1,416 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) 
+ (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + 
(extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.executable") + (extension-class "com.apple.nsurlsessiond.readonly")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (subpath-prefix "${HOME}/Library/Cookies")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal-prefix "${HOME}/Library/Caches") + (literal "/dev/zero") + (literal "/private/var/preferences/com.apple.security.plist") + (subpath "/usr/share") + (literal "/dev/random") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.accountsd.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (literal 
"/private/var/preferences/com.apple.NetworkStatistics.plist") + (subpath "/private/var/db/timezone") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/aes_0") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.persistentconnection.plist") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (subpath-prefix "${HOME}/Library/Preferences") + (subpath-prefix "${HOME}/Library/SyncedPreferences") + (literal "/private/var/preferences/com.apple.networkd.plist") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebFoundation.plist") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.appleaccount.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath-prefix "${HOME}/Library/Cookies") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (literal "/dev/dtracehelper") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (subpath "/private/var/Managed Preferences/mobile") + (literal "/dev/null") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd/" 
#"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]syncdefaultsd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]syncdefaultsd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]syncdefaultsd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (subpath-prefix 
"${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles$" #"^/private/var/mobile/Library/ConfigurationProfiles/" #"^/private/var/mobile/Library/UserConfigurationProfiles$" #"^/private/var/mobile/Library/UserConfigurationProfiles/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-not (literal-prefix 
"${HOME}/Library/")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection") + (vnode-type SYMLINK) + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + 
(literal-prefix "${HOME}/Library/Preferences") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (subpath-prefix "${HOME}/Library/Cookies") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/private/var/Managed Preferences/mobile") + (subpath-prefix "${HOME}/Library/SyncedPreferences") + (subpath-prefix "${HOME}/Library/Preferences") + (literal-prefix "${HOME}/Library/Caches/.com.apple.persistentconnection.settings.lock.lock") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist") + (subpath "/private/var/tmp") + (literal-prefix "${HOME}/Library/Caches/com.apple.persistentconnection.intervalcache.plist.lock") + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + 
(regex #"^/private/var/mobile/Library/Logs/PersistentConnection/com[.]apple[.]syncdefaultsd" #"^/private/var/mobile/Library/Logs/CrashReporter/PersistentConnection/com[.]apple[.]syncdefaultsd" #"^/private/var/euser[0-9]+/Library/Logs/(CrashReporter/)?PersistentConnection/com[.]apple[.]syncdefaultsd") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd/" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]syncdefaultsd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/SyncedPreferences$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_")) + (require-any + (require-all + (vnode-type DIRECTORY) + (require-any + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/PersistentConnection") + (literal-prefix "${FRONT_USER_HOME}/Library/Logs/CrashReporter/PersistentConnection"))) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches"))))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension 
"com.apple.private.safe-move.receive"))) +(allow iokit-open) +(allow iokit-set-properties) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.appleaccount") + (preference-domain "com.apple.persistentconnection") + (preference-domain "com.apple.accountsd") + (preference-domain "com.apple.WebFoundation") + (preference-domain "kCFPreferencesAnyApplication") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow signal) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb.xml new file mode 100644 index 00000000..ce5746c0 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syncdefaultsd.sb.xml @@ -0,0 +1,44 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb new file mode 100644 index 00000000..43a1e55b --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb 
@@ -0,0 +1,135 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (extension "com.apple.sandbox.executable") + (literal "/private/etc/master.passwd") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + 
(require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (vnode-type REGULAR-FILE) + (file-mode #o0001))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-priv-task-port) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
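Review bot: The `file-read*` rule in syslog_relay.sb contains `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any ...))`, which no vnode can satisfy because a node has exactly one type, so this reference fixture freezes a filter that never matches. test-common.sb carries the identical construct, while transitd.sb renders what looks like the same shape as `(require-all (require-not (vnode-type BLOCK-DEVICE)) (require-not (vnode-type CHARACTER-DEVICE)) ...)`, which suggests the decompiler's handling of negated vnode-type filters may be inconsistent rather than the original profile being contradictory. Since these files are the expected output for the new test, it would be worth checking the original compiled profile to see which form is right before committing them, so the test does not lock in a wrong reconstruction. `(allow mach-priv-task-port)` is also unique to syslog_relay.sb among the three profiles; if it is genuine it is a notable privilege for a log relay and deserves the same cross-check against the source profile.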
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb.xml new file mode 100644 index 00000000..c45fc8bc --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/syslog_relay.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb new file mode 100644 index 00000000..da7dd712 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb 
@@ -0,0 +1,131 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/Developer") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/private/etc/master.passwd") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + 
(require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/test-common.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb new file mode 100644 index 00000000..8560e1ca --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb 
@@ -0,0 +1,83 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (require-not (regex #"^/private/var/containers/Data/System/[^/]+/")) + (subpath "/private/var/spool/mdt") + (literal-prefix "${HOME}/Library/Application Support") + (subpath-prefix "${HOME}/Library/Application Support/Containers") + (subpath-prefix "${HOME}/Library/Inboxes") + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")) + (require-entitlement "com.apple.security.system-group-containers") + (require-not (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) + (require-all + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox") + (subpath-prefix "${HOME}")) + (require-all + (require-not (vnode-type BLOCK-DEVICE)) + (require-not (vnode-type CHARACTER-DEVICE)) + (require-not (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")) + (require-not (require-entitlement "com.apple.coreduetd.people")))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (subpath-prefix "${HOME}/Downloads") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/transitd.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb new file mode 100644 index 00000000..1d900151 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb 
@@ -0,0 +1,344 @@ +(version 1) +(deny default) +(allow file-ioctl + (regex #"^/dev/disk[0-9]+" #"^/dev/rdisk[0-9]+") + (literal "/dev/ptmx") + (literal "/dev/aes_0")) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/dev/disk[0-9]+" #"^/dev/rdisk[0-9]+") + (literal "/private/etc/master.passwd") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/Developer") + 
(extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension 
"com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + 
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension 
"com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfs_helper$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$" 
#"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfs_helper$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (regex #"^/dev/disk[0-9]+" #"^/dev/rdisk[0-9]+") + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfs_helper.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb new file mode 100644 index 00000000..73c6b662 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb 
@@ -0,0 +1,386 @@ +(version 1) +(deny default) +(allow file-issue-extension + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlstorage.extension-cache") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-container") + 
(require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.executable")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-only"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex 
#"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.app-sandbox.read") + (require-any + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (subpath "/System/Library")) + (require-all + (extension-class "com.apple.mediaserverd.read") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.sharing.airdrop.readonly") + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension-class "com.apple.app-sandbox.read-write") + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all 
+ (extension-class "com.apple.mediaserverd.read-write") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension-class "com.apple.nsurlsessiond.readonly") + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/System/Library") + (literal "/dev/urandom") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (literal "/dev/random") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed 
Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement 
"com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (vnode-type DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + 
(require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal-prefix "${HOME}/Library/Preferences") + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches") + (vnode-type SYMLINK) + (literal "/private/var/run/syslog") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (vnode-type 
DIRECTORY) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}")) + (require-all + (vnode-type REGULAR-FILE) + (regex #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/mobile/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd/" #"^/private/var/euser[0-9]+/Library/Caches/com[.]apple[.]nsurlsessiond/Downloads/com[.]apple[.]userfsd$") + (subpath-prefix "${HOME}"))) +(allow file-write-create + (require-all + (vnode-type DIRECTORY) + (literal-prefix "${HOME}/Library/Caches")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal 
"/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.filesystems.userfs_helper") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name 
"com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-exec* + (literal "/System/Library/Filesystems/exfat.fs/Contents/Resources/fsck_exfat") + (literal "/System/Library/Filesystems/msdos.fs/Contents/Resources/fsck_msdos")) +(allow process-fork) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb.xml new file mode 100644 index 00000000..78d52661 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/userfsd.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + 
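Review bot: The reference output for userfsd.sb contains filter trees that cannot be satisfied, e.g. `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any ...))` under file-read* and again under file-write*, plus duplicated entries such as the repeated `(regex #"^/private/var/containers/Data/System/[^/]+/")` at the top of file-issue-extension. A vnode cannot be both a block and a character device, so either the compiled profile really encodes a dead rule or the decompiler mis-renders that subtree, and committing this as the expected output locks in whichever it is. It would be worth checking that node against the binary profile's decision tree before treating this file as the reference, and recording in the test (or a short README beside the references) how these files were produced so a future diff can be judged against the source rather than against the snapshot. The same shapes appear in the userfs_helper.sb hunk above and the vibrationmanagerd.sb hunk below, both of which extend outside this view.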
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb new file mode 100644 index 00000000..badad35e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb 
@@ -0,0 +1,276 @@
+(version 1)
+(deny default)
+(allow file-map-executable)
+(allow file-read*
+ (subpath "/System/Library")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+ (literal "/dev/dtracehelper")
+ (literal "/dev/zero")
+ (subpath "/usr/share")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.public.notbackedup.plist")
+ (literal "/dev/random")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.icloud.findmydeviced.postwipe.plist")
+ (subpath "/private/var/db/timezone")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (literal "/dev/urandom")
+ (literal "/dev/aes_0")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AOSNotification.public.notbackedup.plist")
+ (extension "com.apple.sandbox.executable")
+ (literal "/dev/ptmx")
+ (subpath "/Developer")
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (subpath-prefix "${HOME}/Media/Vibrations")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (subpath "/private/var/tmp")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.CoreDuet.plist")
+ (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync")
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist")
+ (literal "/dev/null")
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
+ (subpath "/usr/lib")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.DataMigration.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.AppSupport.plist")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")
+ (require-all
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (require-any
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/group")
+ (literal "/private/etc/passwd")
+ (literal "/")
+ (literal "/private/etc/protocols")
+ (literal "/private/etc/services")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (subpath-prefix "${HOME}/XcodeBuiltProducts")
+ (debug-mode))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (subpath-prefix "${HOME}/Library/AddressBook")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))))
+(allow file-read-metadata
+ (literal-prefix "${HOME}/Library/Caches/powerlog.launchd")
+ (literal-prefix "${HOME}")
+ (literal "/private/var")
+ (literal-prefix "${HOME}/Media")
+ (vnode-type DIRECTORY)
+ (vnode-type SYMLINK)
+ (literal-prefix "${HOME}/Library/Preferences")
+ (literal "/private/var/run/syslog")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (literal-prefix "${HOME}")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive"))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences")
+ (require-entitlement "com.apple.bulletinboard.dataprovider")))
+(allow file-write*
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (literal-prefix "${HOME}/Media/com.apple.itunes.lock_sync")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.PeoplePicker.plist")
+ (subpath "/private/var/tmp")
+ (subpath-prefix "${HOME}/Media/Vibrations")
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (subpath-prefix "${HOME}/Library/AddressBook")
+ (extension "com.apple.tcc.kTCCServiceAddressBook"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people")))
+(allow file-write-create
+ (literal-prefix "${HOME}/Media")
+ (literal-prefix "${HOME}/Media/Vibrations")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send")))
+(allow file-write-data
+ (literal "/dev/ptmx")
+ (literal "/dev/aes_0")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (require-not (literal "/dev/random"))
+ (require-not (literal "/dev/urandom"))
+ (require-any
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")))
+(allow file-write-mode
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty")))
+(allow file-write-unlink
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive")))
+(allow iokit-get-properties)
+(allow mach-bootstrap)
+(allow mach-cross-domain-lookup)
+(allow mach-lookup
+ (global-name "com.apple.ReportCrash.SimulateCrash")
+ (global-name "com.apple.hangtracerd")
+ (global-name "com.apple.lsd.open")
+ (global-name "com.apple.lsd.mapdb")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.diagnosticd")
+ (global-name "com.apple.lsd")
+ (global-name "com.apple.lsd.advertisingidentifiers")
+ (global-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.telephonyutilities.callservicesdaemon.callcapabilities")
+ (global-name "com.apple.ABDatabaseDoctor")
+ (global-name "com.apple.lsd.openurl")
+ (global-name "com.apple.distributed_notifications@1v3")
+ (global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
+ (global-name "com.apple.accountsd.accountmanager")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.ctkd.token-client")
+ (global-name "com.apple.xpcd")
+ (global-name "com.apple.CoreAuthentication.daemon.libxpc")
+ (global-name "com.apple.assertiond.processassertionconnection")
+ (global-name "com.apple.duetknowledged.activity")
+ (global-name "com.apple.identityservicesd.idquery.embedded.auth")
+ (global-name "com.apple.spotlight.IndexAgent")
+ (global-name "com.apple.managedconfiguration.profiled.public")
+ (global-name "com.apple.containermanagerd")
+ (global-name "com.apple.mobilegestalt.xpc")
+ (global-name "com.apple.tccd")
+ (global-name "com.apple.appsupport.cplogd")
+ (global-name "com.apple.aggregated")
+ (global-name "com.apple.cmfsyncagent.embedded.auth")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.system.libinfo.muser")
+ (global-name "com.apple.lsd.icons")
+ (require-all
+ (global-name "com.apple.itunesstored.xpc")
+ (require-entitlement "com.apple.itunesstored.private"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.local-name")
+ (local-name-regex #".+"))
+ (require-all
+ (global-name "com.apple.bulletinboard.dataproviderconnection")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (global-name "com.apple.coreduetd.people")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (extension "com.apple.security.exception.mach-lookup.global-name")
+ (global-name-regex #".+")))
+(allow nvram*)
+(allow nvram-delete)
+(allow nvram-get)
+(allow nvram-set)
+(allow user-preference-read
+ (extension "com.apple.security.exception.shared-preference.read-write")
+ (extension "com.apple.security.exception.shared-preference.read-only")
+ (preference-domain "com.apple.AppSupport")
+ (preference-domain "com.apple.PeoplePicker")
+ (preference-domain "com.apple.CoreDuet")
+ (preference-domain "com.apple.icloud.findmydeviced.postwipe")
+ (preference-domain "com.apple.DataMigration")
+ (preference-domain "com.apple.icloud.findmydeviced.public.notbackedup")
+ (preference-domain "kCFPreferencesAnyApplication")
+ (preference-domain "com.apple.AOSNotification.public.notbackedup")
+ (require-all
+ (preference-domain "com.apple.bulletinboard")
+ (require-entitlement "com.apple.bulletinboard.dataprovider")))
+(allow process-info*)
+(allow process-info-listpids)
+(allow process-info-pidinfo)
+(allow process-info-pidfdinfo)
+(allow process-info-pidfileportinfo)
+(allow process-info-setcontrol)
+(allow process-info-dirtycontrol)
+(allow process-info-rusage)
+(allow pseudo-tty)
+(allow sysctl-read)
+(allow system-privilege)
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb.xml
new file mode 100644
index 00000000..c9d99090
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vibrationmanagerd.sb.xml
@@ -0,0 +1,39 @@
+ + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + +
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb
new file mode 100644
index 00000000..fd5e6629
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb
@@ -0,0 +1,417 @@
+(version 1)
+(deny default)
+(allow file-issue-extension
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.executable"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.executable")
+ (extension-class "com.apple.nsurlsessiond.readonly"))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.sharing.airdrop.readonly")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (require-any
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$")
+ (subpath-prefix "${HOME}"))))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read-write")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (extension-class "com.apple.nsurlstorage.extension-cache")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Library/Caches$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension-class "com.apple.app-sandbox.read")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.nsurlsessiond.readonly")
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read")
+ (subpath "/System/Library"))
+ (require-all
+ (extension-class "com.apple.mediaserverd.read-write")
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}")))
+(allow file-link)
+(allow file-map-executable)
+(allow file-read*
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library")
+ (literal "/dev/urandom")
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (literal "/dev/dtracehelper")
+ (extension "com.apple.app-sandbox.read-write")
+ (literal "/dev/zero")
+ (literal "/private/var/preferences/com.apple.security.plist")
+ (subpath "/usr/share")
+ (literal "/dev/random")
+ (subpath "/System/Library")
+ (subpath "/private/var/db/timezone")
+ (extension "com.apple.security.exception.files.home-relative-path.read-only")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")
+ (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
+ (literal "/private/var/preferences/com.apple.NetworkStatistics.plist")
+ (literal "/private/var/preferences/com.apple.networkd.plist")
+ (extension "com.apple.sandbox.executable")
+ (literal "/dev/ptmx")
+ (subpath "/Developer")
+ (extension "com.apple.security.exception.files.absolute-path.read-only")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (literal "/dev/aes_0")
+ (literal "/dev/null")
+ (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
+ (subpath "/usr/lib")
+ (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
+ (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist")
+ (extension "com.apple.app-sandbox.read")
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/StoreKit$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesArtwork$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))
+ (require-all
+ (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/")
+ (subpath-prefix "${FRONT_USER_HOME}"))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (require-not (vnode-type BLOCK-DEVICE))
+ (require-not (vnode-type CHARACTER-DEVICE))
+ (require-any
+ (literal "/private/etc/hosts")
+ (literal "/private/etc/group")
+ (literal "/private/etc/passwd")
+ (literal "/")
+ (literal "/private/etc/protocols")
+ (literal "/private/etc/services")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (require-not (subpath-prefix "${FRONT_USER_HOME}/Library/ExternalAccessory"))
+ (require-not (subpath "/private/var/logs"))
+ (require-not (regex #"^/private/var/mobile/Library" #"^/private/var/euser[0-9]+/Library"))
+ (require-not (subpath "/private/var/tmp"))
+ (require-not (regex #"^/private/var/mobile/Containers" #"^/private/var/euser[0-9]+/Containers"))
+ (require-not (subpath "/private/var/containers")))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
+ (require-all
+ (subpath-prefix "${HOME}/XcodeBuiltProducts")
+ (debug-mode))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (subpath "/private/var/containers/Bundle/VPNPlugin")
+ (extension "com.apple.vpn-plugin"))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container")))
+(allow file-read-metadata
+ (literal-prefix "${HOME}/Library/Caches/powerlog.launchd")
+ (literal-prefix "${HOME}")
+ (literal-prefix "${HOME}/Library/Preferences")
+ (vnode-type DIRECTORY)
+ (vnode-type SYMLINK)
+ (literal "/private/var/run/syslog")
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send"))
+ (require-all
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.receive"))
+ (require-all
+ (literal-prefix "${HOME}")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (literal-prefix "${HOME}/Library/Preferences")
+ (require-entitlement "com.apple.bulletinboard.dataprovider"))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/iTunesMetadata[.]plist$")
+ (subpath-prefix "${HOME}")))
+(allow file-write*
+ (extension "com.apple.security.exception.files.absolute-path.read-write")
+ (extension "com.apple.security.exception.files.home-relative-path.read-write")
+ (regex #"^/private/var/containers/Data/System/[^/]+/")
+ (extension "com.apple.app-sandbox.read-write")
+ (require-all
+ (extension "com.apple.sandbox.system-group")
+ (require-any
+ (require-entitlement "com.apple.security.system-group-containers")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
+ (require-entitlement "com.apple.security.system-groups")
+ (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
+ (require-all
+ (extension "com.apple.sandbox.system-container")
+ (require-entitlement "com.apple.security.system-container"))
+ (require-all
+ (extension "com.apple.sandbox.container")
+ (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/tmp$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Library$" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/((tmp|Library)|Documents)$")
+ (subpath-prefix "${HOME}"))
+ (require-all
+ (vnode-type BLOCK-DEVICE)
+ (vnode-type CHARACTER-DEVICE)
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
+ (require-entitlement "com.apple.coreduetd.people")))
+(allow file-write-create
+ (require-all
+ (require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_"))
+ (vnode-type REGULAR-FILE)
+ (extension "com.apple.private.safe-move.send")))
+(allow file-write-data
+ (literal "/dev/ptmx")
+ (literal "/dev/aes_0")
+ (require-all
+ (vnode-type TTY)
+ (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))
+ (require-all
+ (require-not (literal "/dev/random"))
+ (require-not (literal "/dev/urandom"))
+ (require-any
+ (literal "/dev/dtracehelper")
+ (literal "/dev/null")
+ (literal "/dev/zero")
+ (require-all
+ (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
+ (require-entitlement "com.apple.coreduetd.people"))))
+ (require-all
+ (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
+ (extension "com.apple.sandbox.pty"))
+ (require-all
+ (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (extension "com.apple.sandbox.container") + (regex #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/mobile/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox/" #"^/private/var/euser[0-9]+/Containers/Data/[^/]+/[-0-9A-Z]+/Documents/Inbox$") + (subpath-prefix "${HOME}"))) +(allow iokit-get-properties) +(allow ipc-posix-sem) +(allow ipc-posix-shm*) +(allow ipc-posix-shm-read*) +(allow ipc-posix-shm-read-data) +(allow ipc-posix-shm-read-metadata) +(allow ipc-posix-shm-write*) +(allow ipc-posix-shm-write-create) +(allow ipc-posix-shm-write-data) +(allow ipc-posix-shm-write-unlink) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup) +(allow mach-register + (global-name-regex #"^com[.]f5[.]f5_sslvpn_plugin") + (require-all + (extension "com.apple.security.exception.mach-register.local-name") + (local-name-regex #".+")) + (require-all + (extension "com.apple.security.exception.mach-register.global-name") + (global-name-regex #".+"))) +(allow network*) +(allow network-inbound) +(allow network-bind) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) 
diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb.xml new file mode 100644 index 00000000..e1b6e67c --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/vpn-plugins.sb.xml @@ -0,0 +1,53 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb new file mode 100644 index 00000000..63868925 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb 
@@ -0,0 +1,251 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (subpath "/private/var/containers/Bundle") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.webinspectord.plist") + (subpath "/Applications") + (literal "/usr/libexec") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (literal "/dev/dtracehelper") + (literal "/dev/zero") + (subpath "/usr/share") + (literal "/dev/random") + (literal "/private/var/tmp/webinspectord.log") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.WebInspector.plist") + (subpath "/System") + (subpath "/private/var/db/timezone") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/dev/urandom") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/dev/ptmx") + (subpath "/Developer") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (literal "/dev/aes_0") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension 
"com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$")) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (debug-mode) + (require-any + (subpath "/AppleInternal/Applications") + (subpath "/private/var/mobile/XcodeBuiltProducts"))) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement 
"com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))) +(allow file-read-metadata + (literal-prefix "${HOME}/Library/Caches/powerlog.launchd") + (literal-prefix "${HOME}") + (literal "/private/var/run/syslog") + (vnode-type DIRECTORY) + (vnode-type SYMLINK) + (literal-prefix "${HOME}/Library/Preferences") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (literal-prefix "${HOME}") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive")) + (require-all + (literal-prefix "${HOME}/Library/Preferences") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal 
"/private/var/tmp/webinspectord.log") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal "/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + 
(global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.assertiond.applicationstateconnection") + (global-name "PurpleSystemEventPort") + (global-name "com.apple.springboard.backgroundappservices") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name "com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + 
(global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow user-preference-read + (extension "com.apple.security.exception.shared-preference.read-write") + (extension "com.apple.security.exception.shared-preference.read-only") + (preference-domain "com.apple.WebInspector") + (preference-domain "kCFPreferencesAnyApplication") + (preference-domain "com.apple.webinspectord") + (require-all + (preference-domain "com.apple.bulletinboard") + (require-entitlement "com.apple.bulletinboard.dataprovider"))) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb.xml new file mode 100644 index 00000000..defba171 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/webinspectord.sb.xml @@ -0,0 +1,40 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb new file mode 100644 index 00000000..90586afc --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb 
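Review bot: The file-read* rule in the middle of this hunk contains `(require-all (vnode-type BLOCK-DEVICE) (vnode-type CHARACTER-DEVICE) (require-any (literal "/private/etc/hosts") …))`, which can never match because a vnode has exactly one type, so every /private/etc/* and CoreDuet sub-rule under it is dead in this reference output. The same subtree in vpn-plugins.sb earlier in this patch is written with `(require-not (vnode-type BLOCK-DEVICE))` and `(require-not (vnode-type CHARACTER-DEVICE))`, which is the form that makes sense for those paths, so this looks like the decompiler dropping a negation rather than a property of the profile; the non-negated pair also appears in this hunk's file-write* rule (the interactionC.db-journal branch) and in both the file-read* and file-write* rules of wifiFirmwareLoader.sb. Before these files are frozen as test references, it would be worth checking against the compiled profile whether the vnode-type filter is negated there, and if so regenerating the references with the negation restored; otherwise the new test locks in the wrong output and will later have to be rewritten together with the fix.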
@@ -0,0 +1,217 @@ +(version 1) +(deny default) +(allow file-link) +(allow file-map-executable) +(allow file-read* + (literal "/dev/random") + (subpath "/AppleInternal") + (literal "/dev/urandom") + (literal "/dev/ptmx") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (subpath "/System/Library") + (literal "/dev/aes_0") + (literal "/dev/dtracehelper") + (regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$") + (extension "com.apple.sandbox.executable") + (literal "/private/var/logs/wifiFirmwareLoader.log") + (extension "com.apple.security.exception.files.home-relative-path.read-only") + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist") + (subpath "/Developer") + (literal "/dev/null") + (literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist") + (literal "/dev/zero") + (subpath "/usr/lib") + (literal-prefix "${FRONT_USER_HOME}/Library/Caches/com.apple.MobileGestalt.plist") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library") + (subpath "/usr/share") + (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo") + (subpath "/private/var/db/timezone") + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.absolute-path.read-only") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/preferences/SystemConfiguration/com.apple.wifi.plist") + (require-all + (subpath-prefix "${HOME}/XcodeBuiltProducts") + (debug-mode)) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + 
(require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (regex #"^/private/var/Managed Preferences/mobile/com[.]apple[.].+[.]plist$") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (require-any + (literal "/private/etc/hosts") + (literal "/private/etc/group") + (literal "/private/etc/passwd") + (literal "/") + (literal "/private/etc/protocols") + (literal "/private/etc/services") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container")) + (require-all + (literal-prefix "${FRONT_USER_HOME}/Library/Preferences/com.apple.bulletinboard.plist") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" 
#"^/private/var/containers/Shared/SystemGroup/[^/]+$") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))) + (require-all + (regex #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/ConfigurationProfiles/PublicInfo/" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo$" #"^/private/var/mobile/Library/UserConfigurationProfiles/PublicInfo/" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo$" #"^/private/var/euser[0-9]+/Library/(User)?ConfigurationProfiles/PublicInfo/") + (subpath-prefix "${FRONT_USER_HOME}")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-read-metadata) +(allow file-write* + (extension "com.apple.security.exception.files.absolute-path.read-write") + (extension "com.apple.security.exception.files.home-relative-path.read-write") + (literal "/private/var/logs/wifiFirmwareLoader.log") + (regex #"^/private/var/containers/Data/System/[^/]+/") + (require-all + (vnode-type BLOCK-DEVICE) + (vnode-type CHARACTER-DEVICE) + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (extension "com.apple.sandbox.system-group") + (require-any + (require-entitlement "com.apple.security.system-group-containers") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/") + (require-entitlement "com.apple.security.system-groups") + (regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/"))) + (require-all + (extension "com.apple.sandbox.system-container") + (require-entitlement "com.apple.security.system-container"))) +(allow file-write-create + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send"))) +(allow file-write-data + (literal "/dev/ptmx") + (literal 
"/dev/aes_0") + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.send")) + (require-all + (require-not (literal "/dev/random")) + (require-not (literal "/dev/urandom")) + (require-any + (literal "/dev/dtracehelper") + (literal "/dev/null") + (literal "/dev/zero") + (require-all + (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db") + (require-entitlement "com.apple.coreduetd.people")))) + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty")) + (require-all + (vnode-type TTY) + (regex #"^/dev/ttyp[0-9a-f]$" #"^/dev/ptyp[0-9a-f]$"))) +(allow file-write-mode + (require-all + (regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+") + (extension "com.apple.sandbox.pty"))) +(allow file-write-unlink + (require-all + (vnode-type REGULAR-FILE) + (extension "com.apple.private.safe-move.receive"))) +(allow iokit-open + (extension "com.apple.security.exception.iokit-user-client-class") + (iokit-user-client-class "AppleBCMWLANUserClient")) +(allow iokit-get-properties) +(allow mach-bootstrap) +(allow mach-cross-domain-lookup) +(allow mach-lookup + (global-name "com.apple.ReportCrash.SimulateCrash") + (global-name "com.apple.hangtracerd") + (global-name "com.apple.lsd.open") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.diagnosticd") + (global-name "com.apple.cfprefsd.agent") + (global-name "com.apple.lsd") + (global-name "com.apple.lsd.advertisingidentifiers") + (global-name "com.apple.tccd") + (global-name "com.apple.distributed_notifications@1v3") + (global-name "com.apple.coreservices.lsuseractivitymanager.xpc") + (global-name "com.apple.ctkd.token-client") + (global-name "com.apple.system.logger") + (global-name "com.apple.corecaptured") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.lsd.mapdb") + (global-name "com.apple.xpcd") + (global-name "com.apple.CoreAuthentication.daemon.libxpc") + (global-name 
"com.apple.assertiond.processassertionconnection") + (global-name "com.apple.duetknowledged.activity") + (global-name "com.apple.lsd.openurl") + (global-name "com.apple.managedconfiguration.profiled.public") + (global-name "com.apple.containermanagerd") + (global-name "com.apple.mobilegestalt.xpc") + (global-name "com.apple.appsupport.cplogd") + (global-name "com.apple.aggregated") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.system.libinfo.muser") + (global-name "com.apple.lsd.icons") + (require-all + (global-name "com.apple.coreduetd.people") + (require-entitlement "com.apple.coreduetd.people")) + (require-all + (global-name "com.apple.itunesstored.xpc") + (require-entitlement "com.apple.itunesstored.private")) + (require-all + (extension "com.apple.security.exception.mach-lookup.local-name") + (local-name-regex #".+")) + (require-all + (global-name "com.apple.bulletinboard.dataproviderconnection") + (require-entitlement "com.apple.bulletinboard.dataprovider")) + (require-all + (extension "com.apple.security.exception.mach-lookup.global-name") + (global-name-regex #".+"))) +(allow nvram*) +(allow nvram-delete) +(allow nvram-get) +(allow nvram-set) +(allow process-info*) +(allow process-info-listpids) +(allow process-info-pidinfo) +(allow process-info-pidfdinfo) +(allow process-info-pidfileportinfo) +(allow process-info-setcontrol) +(allow process-info-dirtycontrol) +(allow process-info-rusage) +(allow pseudo-tty) +(allow sysctl-read) +(allow system-privilege) diff --git a/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb.xml b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb.xml new file mode 100644 index 00000000..e8f17749 --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/rev_profiles/wifiFirmwareLoader.sb.xml @@ -0,0 +1,41 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/tests/iPhone5__1_9.3_13E237/references/sandbox_bundle b/tests/iPhone5__1_9.3_13E237/references/sandbox_bundle new file mode 100644 index 0000000000000000000000000000000000000000..61b6772019da120e3ed531eeef96dabe72d53ebf GIT binary patch literal 425970 zcmdR%2Y6IP`?q(IE}Cq5vZ43hd+*YF4M-6L0qHfAO#!K*2#6?%D5%)cM3JI`APAy@ zARsDO5wRgQEaba?bN1|RWCJ8G@BjMV>s-T~XJ*dKJZIYT%sB~;q?bLToHHD*B!?s2 z^Y3f3XRIfU%Zhh<+@6~Vmh{Va4I?|IDm9>o0K#+bgd<1zJC>Rn#Yb?F=LszR?Jv2<6bU1KHZx`t+(T%e5ql+ zp9;*d^-D^;F#YH0c3wNy&-0}D%d+zQ~G&wAIsW{n9-dk_o zX|<-6npSsO34*R-1iQ@^MKh-YDKkoyzzh3j+)_(CdX#d*O*QTaJtQA8wqxsEk26;zoGroEVK_?^OsFsHZ_%C>6SEg&eX9}lctU#=o&@H ztbNYc{HDH={C$754O2EuN%L%&V%;-l z%I#BnPZ=|%$CU2;J7!8(f?b+Lt1Wh1c1FHkW4fokDYNaAwo?K}e(fpQ-SL92`PIBF zp0qspy#HwOvB`E@icc=i&&4KN`g}3zok`m#eKBb(LDv?7t*OOL$o9S3@2`Ew^WWv) z@zzbU`#9Y*bW%Uc?lY;6slkr7d3oQ@OT6-`cjL<7+6RvOwv*aUszb1Jt2wFaq@t5* zPAW{$o|w3wVBNEK;_iuQ z6ZcMhk)Z1Zf?b-$oUeL=eI@y|?>EubFWu95Vn<&NJJ!!@*WO<98)cz=9aE>JO~}NM ziGNH8@z#50!l?=GO*k{*AVJpw!u8UAy04_*+K-xWyDx`dYx}3{YyW2!+K=`4t)1o* znop=nuyialq11$k31udP5p;zTGHYK5**}A`v+5liZOT4{A^6 z_kZo*|DA>Q=STVd`$D4%jY{*}ILgxP&>h?E*mTFCJDwou+DOQ(ea`*+4@TN0`K_J( zBkkU$*GEqD<*;M@yu9zPX6=+*<8b)z5B}4Hk=A9U+LFz&qz1q5%CW)5Zm>K2mTs`r z|17RL+S||D&&{6VBmI5fc0}6|X`Z$ttn}y+H;lM&d-RC&1YJKu|DF2j`dYev?bAJv z-2TArc3qe2o&COVyEeG?9d7q)-+Oq^;c1@U!>xJ?4F7J}@nHpqe@M`E1lldK_}|k$ zW!RKqc3uC8_7l9NeEM*3?Q;+FYrlBt;-P7tMMJH6%MUFu^tU19hyFs)bspL+vS_u- zj?2!P@82o>^FFZe?;Vmf#4h(g(cWJ3d#?|!eV~^!ZpgSHLkL#A1BWCG=`dvAkah%J zZ3%XZEN0gJ->uA?*P8uyoL~Fk`@MCx(`HB;YW#P(X`ahR{?)vkky&UT=;c%&Qhi7X zg4M>NL*j=N8d7vfL4vOQ1iSSXb8hPeJJ|}f^{)5H*0e0N5A6Ft2LCbmTY{zA_NiO1 zaz=y@FCIK|@ZE!F z5Ohr=*ri$g?^!$J2aomDbv;J@!&zuwbg4P zYtz6d2Cf>oY2ZqNuH^)~%@(b8*>Tw!`TqG5eB>_~xQMzI4qSMR+Fxze`zQK4!FQ=%pmBRMzGs#G3VMh_Lbzor1V?XTa+-;uB*A<)`MOHkjxl<*QY+9Sfx zYv1o}Yv;}l!TUaN$6J%ICSfVT(s6OZ!h{(KixZ|1bWI^-)_$UCn;n;(dEeSs(i6Tn z$bo&|B%zTnhhJ;|PYvj$2EH6>K~_7SHLF(y)n50hOk0EOGduTQEw8Oz=2qCTHq(u* zmpRYBrGM9Se^Bi=drI*X?YspO3MO3aU(owZf9ij(|H=M8^*=$-b&Qa?mYmyqi+m+n 
z^L}Cf1^tuy`}LdA|N5+Y_Q*e*h4z6X|Bn85^iLpII`-|~yMLShefzf}=xRZ@UfTa( zpY2@Okjs&|?UFK|Y}M#rgXdqvtK)z3E#~#p-X6DE&3jAd-?PxZxEXI&o}2pLgmjZn z`y2aT`5kUPa@w_L?@agAes)jzcf6c=Id=WQwYNw9r7W~h>gS*Lh58jjy3yORU;Ccv zd#vxTeUB1!ebD!CU%Sl~bAGx}%~z7&(hb!9QlCHj*mc>ffuDgpo~8ZOEZvBW!FRlq zef;lolKUk08Ah<`ZPBN0pR#>g^eIiyRgz%0$YK#>``Kr&@1N>zm*nsJ!2N!1?-{-v zey#1F0=2ix3Eubi*-q`pGiz_Pdb6iPZ!^Z}yb#p7?A*q-xxjv?q8)pMjb#Y#{23`4e`oYnV3dLHF_wc~RJ^}O;IYk&5z%kXRe za}Qg;bkE5iM}0Z$SU)ejit>-?=Hc_JKQIdXMxTj}xqxUHx?9B-UtV?e)Fl zwS28O)2EwX`#@W7e2?q1-`mePDGTje^zirnneJ!0?eT(fkzAO;F%bZ<) z>-=?RXO}Mtx;}$;X%=%n^6%?xmt<+bu>ZpTfqg%}^ITt!z&^KrzI@(aZOt$Jj5COx zpGqBm?d^K3md)-wyK^ET@Uq)%afZ3uj+@?jnz^QTwk|u~roWza&nTa6O1-1AuHl_C z*B^MFonn=7ZQ9%Si~XMoKJo*1ydIr(j{$eNli3ZO5>-8?jE_*>1 z+MnxWjV9&W*J)p;#|YLv%R9~OG^x|_PUAY=$-m1xjV9QoS5z;Co2o&Noe_J42WU+=!Jk%jhOb@ccB zOC2{Oz0}dtepSbX9cOf0)o~g@*A#-4V*i`-zAx%4$=~uj6YHls}<|0cFQ z3;p%!r}x|N7LuTAW1IDD9yHhbHmlpLXtUfK@4v(Ul+!&6TG{b4%}Q-?m91gA zXL8HdE$tkwTDEH0q-8^{23!qWrg>_TR>_yHeDe~^XOcB9}O!jQ(MZ;$hYTO z;MWU*tKRp`&NZ{kwO4~cUdxWBI_%SpQLkKm{vf9@B6EHxF=r?u6;&hf8VDyPHVi9VCm**JgM<*jXjNr5OfV9WY#|Ceedv<^A{>tb1=Ync4EmUe|t+FF!=iaO3we`zfza48cCtol8 z5LA1q_@@ZP3w|!;bYcSl?fH;1g`NA>sD|GfS_g08m+ znYBMT$G_%hZ^xVOE6J~YpqDeH{v=-xzt;Yr0_(Nf6kL0|y?e9Jen@?lY31rvzf=82 z1WT$_zgqob^=s8HLeLdYuuHQThHT$!%^-jK{PFfZ{(90qAJ?;DZCg*$hxP2c?N#q+ zy`$u_V*?pjuT|2OwZD0L@V*cHZN%C2X4mUZu*xe_FT9?!UYUCT)cvb&8F-O@trYv; zoUeMD>)K@m@B3wS7yEJqYHj^|?IYi=W#x|G+TU5%zvdUHTcB>5r+~NKuj+hMXMdfq z>g*%vdW&F}X3=Vk9hV(z$3HS&H)SsDzoSlC9a~SnQLW=4es-PN{A}DeC=ZdT}KJFrWSMl7ITcRB&+X7*B)K_ zw%WFS>7F*V8oC^+2r` zYTZxJwSwR;Uq9W0?C-_w^nGbxN&b-^XzRt+iuUCQ)Z6+wnD$rR@6TkR{jQoS(b8&a z%?ULJ*PL3@l3LfSTeDQn)-_8IbVU;~Yo8z4zBhYo{=OP^NpG5;-l*|Ljjc6oJ^7Zb zhW|ucIiIVcYt5WBbDkqtFzv6r>YdF(`!%Lct1WYD%te~(ZP|<(lWN>nV@8c31YLs& zcAG8ceATPwE6LyYfjeHg8l`}TRDuir_D1lLA9$`8ULzds!@c!h{d6Pe z`~8{fcDsUWf4aKA@BLcaKLykN%6(t?8noY3eN*)`&n9on9eI;4iSF2vFdU?vSE>5Det^Jkf{gHoZZ?!t}x0<=C=c<08S}t$P z&Q?29?O3(5)s7N$eL%1^wV3mfzuH$)@V;MEZJsZO{Y?DKe&1K!dG$Bg6RQoXmgbr0 
zt+#KrzSVjX0hF`}DxNB7p5!W)cI~Rvtx~#5yDB9Kx{4EQy)FJx*?(`k z=ex>h&GlX7?<#-8l{v4~hjv_dUusA5Q~S#8D>pTzStS;ze6dox=hsTVR{EvVwP}BO z-&?kx)jPND4zB%MrgW=S8!D}@bZ?~%)T=9{(&S3RDy38!O3>AZV7K04&e#0PzLKoI z|Mz}>y?-ldMi$!V3DEw7iXT)=^L$Xz(rsJCw2B)lZmakxLDwUM%-ZLC)$8Uf$v^S~ zZN0V?Tl;ccTi;*4%CCn#|oz^T&VB~LDxw_ zX69B)|57*3Q}r5BYNBRC|ql`+6V??dMhSYu~s+;|dW3>z?1se^vfS`QOXG zU;bVG{k{A<1iLhgIq&fRl<<=6em-ZulCHb`v?E7BjdiZkuC)(TXeLf5A8<+EIpRZiL za%aot^VWN!?7^}-%AP2@jiBpQf?b-$oO`%Kd?op{5A6GHWv_4FAIw7gs%8D!hnBsu z?4M;qy)8Re=4_b{%bY87grMs%A+z>5ANiYnCHb`v?EAp)c2wto>f^m1RQru(0==At zWfqp1NU(GqS!QsVE@eiR=|s@gfsk4IR><~>nLQ6T(pQpSdsi8IjPu1#nOwdccC4Sl zY`x3Ze64y;Zz(I6$4cAJ(XV}0eec)W{^{DaxBI3S+S_;k z|HcnX>-wPdf3IDAvgrGCQ>WDvvr5k@J)B@k9ZNSYUA1(_(v=Ci$`b4zvzYUFf1s3I zlE3c*y`0xdZTIE4{Fz*P-`hK0m3_fS{YZ9v!_={|9Sq`CB80^ z=J~pWb;r&U=_NLn*jeH+g0A(1%-TO#Vm0~gxa@ei=Zf2R1=oI8@$J4G_A~MG@{xbF z-^+=4JJ`tIQao_Yf3o)3A&~e>^57p+GEFMXXN{znZNHR2WUUC*l=H6ey#1Ff@vRo-rH@Pm4)_E#r$6> z*DYGNXqu-^QR|*Ri<~KPq{yE|4ij{}Pq0g~xD(m0M|S?o*l&gHlKj7g{6k?|yL8Wn z!fSjv>{vf9*Zykre)#@i^L{0Ds8p*hlM7ESJf2`lqYIBNd^;iVvfFHNn7P{@H?*)W zznu9ee?94*o|$rWEv&0UfcAlR`n9%x(zhG-PyT$D_r20=&E^EvezT{JsnaUOUD#dt zCW0kh{cT2pOxkB>szmbz6BIuA=?W>#Y5QS!mxq-ajJsg?g)a`wR7^@r~mv$2X0yNYGWDU_VQXIk$BGcH1Qd z@B2Ux_unHw*opSjJdfZ1MY8|GJX(esABScH2L%=1%Kc;rl7@Y-et)#}^-{ zxApV2Yj5xOH@p*E`}(o9W9?SG9P@I_-2|&$gJZhHG>vHz(~vNjP@iD8*zVGE8a>gM!;baya_z6SBA@r=@M~@Vbh-9fjeNWB-#Zw*?*o0jm60nW z=Mt=z&54{5c}L`&$Polx!wGhqZS99e=B)37`FMfa4~V=zJD#om-&ttiiT2wX)Q_wi zSthc+SI6yBi$_L9`n{YGe$K3Y&Ud_%5q3%bz7PESdgHJ2-_^|XZt%X}9pTshzKHuG zQVCYeW=AAO+z~N5Vgy0gaDv@ti#cEOe-5`x@@pU1_ou=?@#V0`yPw$~`37s6f$dyrsBcZJOf8yj|4*cgJYQ3Sg*i&kswxa?TEc8yv6PS)VCE6sb| z?JvQq|8i@`dV_7H?#n{^KufoCSm&^21nZ8g+xa=~d;4@F@H^eWzR#|$m(`kY_soH7 z(7sw&wXhO|Yt=sItDdcWVBh~YwLf?b+Gn=&?{}xpH z4A(iAf8HN)9dW%$uyotzdd2m)Yny8WLD!>%|5fd)zZZPRTNuld%zk9WnJ*4b;l&FruFGqTV=aL04F9Il^29p09m3H>7U zgU~afhX}gfBV^V-=d0c$zLJ7#zdZCxzlWQB?dN8p{oGLh$ajZEh2{x$ds~((^g_t# 
zkX)gk5_Ek4v)1137e6!S)gI;FrTjm=8)Bto{$B5Tt@*a4yDjD%fa6zmP7VLuoH2f$c32*$x-&<#hxcsLpshT~F-gcJ*L6iG-f zDi(FpZkTs!O7W1A#3!bd5KTPH>*2mqFcp>#apap1%OEd?W#Lj-4&DdL!~0gOG-#=S45*j3T}foREBePGdL;Hi0q3H-%HVzZskk zo5OX!hHwO=Z`rK=b@zbAss>-ar*WFI**dx z(VM@MH-BeXoA@rUG3*N4z;5I}2D`)4um^hNccgiGB6mUV1^hQ2rh`FvJmm5Z(&kApan^8xDqtQ-+xSN=P0W*k5M+52HUd z{)baeM)K_;BfR4uGX6(~+~FPnFmLMOG|wowWl5T6G#rLJ25LUs2{j+aLd}P9Q1f9t z)O?r#H6JEI&4)=)^IhhMEs^ zpyq=Ij!Q`jNip*wSv36(nGdNU^UQphE1Gy{=EGf3^I^VsJ}f}id{_uI9~ME)hs99y zVF_HFa<_LrEDe0VjH`RuAFOc?8Q1q2S>qa+^c5j1N!Pf8q~9O13R&sUjQa=7xL+Oe zpm*FuGwvUP8ux3U#{F8TasM#XxL*e~?jM2clGm$V#{HwB(buYfgK3ZIM>gaBaj0?s z1ov(8j{6r$--NscJ_WbJr)gI%N1Epum{CX2=e(i=&qURpC8NLOj_g?t?sx;3&(~h@84j}h=EX}hYCP2yKHl%sp zfrkUhQH0{VbY(hR$h=&d>RU@^d-<2>I3M_glyx)N|VLyJ*@8N&h?K zqDlWV-!B*<2*OKnddmSlEbNS zo|pSH&htTy^ZeYeab5swoEIejqGxXmy@`5GItq!@!~PF7{%d<i@(qcX_akIF*LmvT_^r99MpsQ@2B z--_^2SP4D_D^sqXV->jiF7|)o4?a~bv^w%#%qMZtvo%6%QO`j~P0>6zNPO+ky2KxM z)DcZQB)(o~1LEIt)E7-WB)(y2W8x1u8i^(zMt4tY655>S*(a%~$n$I_CgK=^sbVVWrso1yNC8N={-YxnDm~KlVwjpX9(k?H!KYM5MRL2H?$veYh>{j z*dKOFP6!>y{RznfL^Ez6{da5VU=u$`H1UvmJtTA}^=n>3r|hZQ7?&9t!$OCXu6Yg3 zyuKYyAm0c$366xC*LOh8>rqhidNlXnfZk(ZZg?m0iNueEv*9?H1joZvI04Rw6X9Yw z2`)*V5;_?^4X4rW<;hb;({AWol{`H((ZtUXO*~{hnH4${J`U%Y^x2|Ght5UsrF%SZ z$Q$XNB=j5Uy2fxL7Be=K+nKw?5Re z^B$$XjO52cH-uV#4#dve82Wgq<>$b>EwJyNfNkNE@a!V?f7k)}DcBu84g11ppzObA zq3plspzOcrq3pjGpzOcRQ1;)8Q1;(TQ1)LMl>L_uW&gblW&gbbW&dq~vj1L%vj4V1 z*?-%h?7!_$_TLUD`|mX<`|ou)F6E8TU1mP)6wUL1*ne+^?jb%gWw&VJp|Stog0lbi zhFbp6K4jT{Z$sIC`=RW=15ozgJ8*T%LG#>~C%+r`+*$YE=WNK@2O#tCu#wIFYW9UA zp+`yAz5q%8F!UI*(xI8B$IU!F5&9A7ny1jr)00s9@5fO4?~~P{ReJ=oYgV@Gen~&WS?}pa=EO15}JMT z2A8E@ZYcfoK+W&GQ1d$<)V$75e(jS5p!UgvE^D8>5n1!R5Y#?-6VyI=Gt@pA0`SaKz87^_^Su~)WF!}Nm2g?}9Wvibx=OjM`400A<-XET^SBJuJT410kIO;LUHIHjS&Ewio^SBPwJgy5h zkL$s4DfL|qO}{n}O}|3saU)j~;uBLEizXhLdE69g9yfDY^SC*(=5Y(CdE63e9=C#; z$F1S&ls264YM!(eO?i;<){YZyYy3gxX$K=~o+6Xp$<>*3jYmj&7gtwgr9(51yOA#= zqr0mI>6*vT%;TO=^SBq(JnjuOkNZH)>BC&Nnfr#hZl^sXoWn(9M@hcjIl`rRE4$X7zju(X`8x_~ 
z{*E^Hsr$na8ud`px$0HwS7Sd!XiV64X3SCcox!3e-GKMNiqgbCETV=RwWm zyP)Rre5iT6z_fFbYoXC^k!y*0UW-NZd?erQyj%0p$PjztUe`S?v;Vv9qkh>F%b=b= zGIqgo*Ggoya|Kj8k%_k-+6PI0(Djg4hB0MR*SH=w^{*98{gC<} zaji4?A92m}sD0~2lMZ?AkMX|B>IcYp-DqTuSIM_I+5e5+Pr5ddPyGYQ_mt~tWaWcq zTt7p;jErYp&ylWi4b8ZI9%@{_05z^RLyhYfp~m$~P~$ocu1ii={fz6EMbqDqalOU$ zD(M>6kall1?Nob6H_vrD)N|co(qDJIX6}34wUhP?cfKJSy(JHG?z(JT?-_Zj(Z*M4t1Y#u4Uyk-y^pMRLdretIs~`CBW7HG zAR0X(UZ3$-wCMk@)6W{ISDmRJ|@4$^(Ro{`cw4OxITrfadR4K zTz>{Nu0Mww*I&RJY2TORSATzH+I`0LwbA#C>#TWx--zb_Fv=td)IenoPF>5 zk@jeu{{Yn=$c)#YTt6eL-RGg&jZFLn*DuIwKV+Q$>iUg()LuyX@2)?*GGv@zbp2)O z|5G&WfsFHiTz{MV|Cn(;%y}troEyCyVb(ZxLY)`qf*Oac>&^@B;{S)Kzw+?*+Uh^Z zIL~KfjdNtu3xpLUUHu73zcH*3veKcM2RD%~Bje_<5Yjadps6nuY96?t=0O-#{ozpa zAOdP0M8b8+QL2}D5G|VVVbvdN+N1iB&2x4`J?D7p8|o|^R)qVtUW;W`JJysG~QT$9M{THaQU_|B)P))!^~kUBT_0+E zH$Y#F?}o@4FO8tacVnpW-2`fUH-#GCT9;*iHb<7eEui#m>D9NDSKrpeOW!s|zqVnw zP`~tr=-V!=J+kzL+}|;*gDI~g-@-`WPNLBlqHmY5u3mki(YG7-YkqWx>bD+H`u2p< zw-=PYy~!_q`#|a2*Q;+oWa--I#%EDT#je$6kj%m(~_IG_2n1V$m>4NH=~6n??`nS0>(@Lu=_Tt+!VocDz-N7i`` zq~4WbD@=Pn{D z2iu_L!FH&5umfryyashX`8w43;u_x>;Wc7=v z=dc&5pZ7ua^V?AUydRcdz&Z-m-|xUC4{-hu+roFD`u{zs{(m2;{|`~m5a;2r50F)l zSmeGm&k^%HKMXr+`r*T{0gWHyc2R>`Ayh4(w8QE8+I1%gvjQ+ z6O#U2*pDXthp_KW`VW%Lc_$?Or?3kq{pYarCjDp0=DZV{^UhzO&O3i4zJTMmu-}pO ze8gMeAFx~U#jwA)KOy-~(Tpp|c=$W)l8OIEH1Ux2CL_!dZml=atT)bZtv9*CZwR;6 z8)(*>+)(G8d7#ca^FpmR`JmRD{7~yn0q)m%XF;g*&KrqOB)$;TdFM?~=bbl0op*-7 z`7jjfywe4jB!`EG!KYzlxYn%*(X<Y^FXko>j6YnuGE!tqB) zuPvH%X!fhR;g0yx%)5Hfy@vfC>YS7P$D}u;9oo+t5wG{&jlKDsc=I=fIwx%gSL|p1 zht=YQg1)H%;&sB@kva9qmN@ac^2gyd}z-N^}4msLDrE4MwZ=z zO!}hm#iVQBgQPDBzZ+TU(5y2{%{p^W_`TkB2AXwd8I)afACz6Q9BQ3e0kzJogj#3r zhwGA8sb1EH2SlTuq%87j%EI=huSwDg*vx= z4C-8Q1KczB@$ijsZ0h6T*cX}3ZJ#7wcE%_=HWiLkoDtjsPozV@X#yl|FA9j-+_A02ce$xyHL;hJ@`EDLEneJrW_7G1P7-c z4*!7mUSu3Xa~^yI>OA-;)OqlSQ0KwNpw5AhL!ASkfaAO z&ARw0>r*}2W3Q8^sZZ+<2A+Ut;m7b> zcnY3_T3^3|6X5r7GW-EfgFnKMeb(w`3N5Y}QOPUABCf@ib)T8XFmKf2su9(RcQ39cns}JE81>bFC1Fii7S@8= 
z*J{JcunyEdSQplU^`(F>J{jVp~{?`kROX(fam*Hx#Z;xsBgY)BZ9{H043o>)Rt{M_B7OWPclJWbJRr z&a*GG|3@g_=!h}o)4C4HcW1;{WaWcq9~?)%jEwOS6G)eT56wO}5o#Zt1ho%NhS~?G zK<$H5q4vRPa9#3r)lWNTh^C!thrSz{Y1%Q%v`_6I-t32Sp!P!#`AV@qB*8CecQOn` zPJvpVZ9jT0vi7%mQ2X0ml&k%1KGgoUfcW$C`Th@TpIc<=T^zB5dbH0$p2yu0OOe$M zNICaL+yl43`%Hf>6HWUe``q$~6%p1x2hBdW(%b&~z3pEGwa+~Owa=}F+UFi5zxKI@ zp!T^nJYVf|Ymv3jJq)$at%KU<9)a5D*2B*1ACJNl^Vt7kKAy)0c#P+>5q<(6hk9O5 zK=t>N@Ey1b>iInd_57Zu-dmmQ|H!{T%Ki_xu-`ogTT{>Ta3}H$a6jA(KY%a7kKs#D zetH^|pPmlor@sv4m%l>!-5pyZUPYEaC?28Qt?(1L4QfB$4!?ps$RF=u|A%hJ>k)4d zFF#)lLEoLk$C17Z#yZ}N$o#(Mt%yAl@^jvb*vE60-?SHM93d0`cEkZ>^~Zjw{y--F zorr_T>KBOL^lrp^)Te%cq`x0=$ScE`(Mg9Rj*wsFe*jfJGWQ*gIDxG4KlG*_gR1Aa zH=okmBz+Wte`NeFX!g;Mna|osKOsFM`O}C~5thFJ*+)-Dd=_E(8_?`)pF{0yUqJ0^ zUqbC`U%^Dq1HXoI;2HQ0@!vr0qi5k#;=hGjug}2;kiUakPrrv+Pk(?~Pk)43Pk(}1 zPtQZGr$0ljrx&2s(_f(0(_f+1)8C-h)8C=i(?6ir(~D5+>7P*R>0eOm>EBT6=|52G z=_RQ3Gy{%HaYW{d)OzX^&HRI`r#D3AAwDrBw`k&_Sx@sqt*7}St@SiNvewfAQ0r+y zsP*(lsP(iET%B?gzX`2%>SocDr}Z?CBQ(+#iG9g9gsc*@|FuJx3sBW>lgK#^YXH!Yh5e{wJw%7_i_FYwJugP_f?LpWa2AFR`Hf6YMrcV z(yK*Qr+r!{A@$UVtm$n(q}n@&E!4Vs3)FYM z?O^J9_J64Lt^;(i9(IIU$E^3hT_QV2YTkE=>_)w6S68TZArs#{vL~|I*8{43$i(-G z?2W8;Le_&mk$ovw?SiEDi|p@}VNAWp5+Ze8qH$%Pmki{7+4;9dT6X>*`1?Wjf5}VP z|KZ`3p=O*WB;OV|PQxyc&%6KgcMGikg4+L$tnr0R|BZ?qO}fSjBz;WeoybauX8esM zUq;5b$noCs2hI4K0JZN=gxdEfLGAmKq4xbLQ2YK=xGs5`>SaDn7tMHpX5UXV<6>sy zEaWq^8`7@Xrk!dR`OI_oKt1;)@*O5$GW-svz+*5K2HFAhkTu@#f*SAhO+D=YP~&}} zkrzcSCSCQ~T!O6eez$4I(#U(LSK}Shu6rYwA*)@Ga+gQm2e-hLX1uQujed~veShRC z@A!shd_UmTXSG+K2cgE#Lr~*q4b-?-hoQ#zI`8;?1X<%~J=FMq6l#1w1~tAn zKs}$0P~-SUli{<<~w9KOz1Z_-o2@k;!7}oUqvnhx55f=8>|esqrd9e z0X6<#BVK;)>rnN+0afo#sCsun)%zw?y}P06-2+wcTTt)8_QGQ9Z~LJ9;cixg{R;#Z$20w zOZ~@TVR!<*P5B=|`Q0a>{O*sT{O(Vn{O(Vo-s_!$I@df6yTQ+(&NV-WI@kOH>Rj_n zsOS6@Je=~icYQb$xIW}PhQD~0eePrUE&Ppfa1P4u_>T5wB!3_IL!@PQK<(z`j`L7<$Ino9#|0?6;}D{&s#Sf4cyb zzg-ai1aE}*(!N4)YRb(~H^Cxz-y9VZW%WBmZ&y?(EOEChD$E-XDW_;uIP3=_U{4qc zyTT~g0Y<|%Fa|bpOz#_0LEat5b=KY=a7Kb_~C;@d&P!j5V 
zpcK^kKxwG+fih6%17)Gk2gW^1A7~DBKF|W{e4r)F#kg+;^YDCH!ve4k)VV=hsB?o` zpw122!MU(KoDVxdox690I(P2`b>7|?>b$)R)OmYXDEqh@lzrSC%0BJ^Wgqv1vX6T~ z*~h)1?BhOA_Hkb*`?w#JecT_)K2CtLj|V{6#{;44<6EKZ<3UjN@n9(XcnFkzJQT`4 zz738`85VUr{g9A6Tr~Xv8P6l4?jSxfWu$20p|OugLD|Qnqb&P)46^LwJE833u~7E$ zI4JvgJY1bJfxiW%{d}Tm%Cqc^$^4ZlYrllp6H|>WdjgsLb9&Sa(zSm=(i5X*A}bvl zdt(;)GBRdI%^_X(E;ROr2g=?^g0eS~q3n$mD0?Fn%HEg@*Co$Wy|nKx(X>zX=W;BF zT1@&7-UlzF{1T2uMwVYmJn2iK?j~LDi$$GFEH&-E$LOJUQ;xAmmO!Tj^%A(GZAA|AyzS#y?YhJo%Bh-7l$D!U2JOP#ONw{b3Q&F4X*wm+@0^Sdx z|1(j~6R+prt=4ui+cscxb*S-wAb&vkS^zdz12=j@?mv z$R~RZBEJ>27g_xVY2VvX``{LMz|52Vq8T61IhA_ffgX4eE`aaC``~-%E&t+uh^ zq7Fw{ehV~q-3Qbo|KJGJxHt-p{|{x?9fPv#j+0+@-3chW?jtCB?j)2w_c4?`_X(6e z_bJr)I;C{R*J-Hn^%>OnP@ls~#D4+vF@C;;q3|mh3%`aX;2Bs6egkX6v*!7ni~82| z%ekoU(QlyhJJIy3d6O;LJYXJ40tRd8UvPMwtZVdIltO?ZnvZheasTtfew?%YwI5xFK zwEPn9?@h$GlUhf&ik5%fI=U_Wq50SbYCa+pe@k?GWX;QVQ1cR*_zuw>ku^Ud{(7hA z&Xlit2}$n~-PJ2YzJur%-2=S`IJ=AH`9bRM72VV1?-kw0r1ut0I^?{tZ*+g^QM>v< zwF{a05~2qot6c-U=>wtKcdIua>D)g!`Zkk3G29Q z8GSo!j6A~RA8FE+pL~p)QPFo2Uo>^J$o*rCtaQb_-ZW(Sd()x(y%|vcULy6#-5P#=-TlD10>9Q6K_7 z2DhQ#2J&e?q#WbtJsxfOc~3z3c~3(5d7F6N8OcvYKOJrPc@RJEndoPuEk6$$Kkqpx zKks=cKko%7KW{UXo&6$g#P@J7!SYMk|KTE@Pdb$U_cD~f_X=!7zAdm8-@m*H3)9}M zQ15@YLB03g4xPw5U_tmAoI$?V;R?!q19qdFolx(2cfqH~_a@YN_im`~Z}vd>m2W}$ zm3yK5%6(9N<=aqx<$fr?@&MF(+;^b-%7ajT<-1UR<$F+m<@->6e(GmX ze&FX&{?!*y{?(UI{?%7d{?*q|{?!>M|LPkk|LQE1fAuYte{~MZzxoc!zxp1^zxn~n zzxol%-~0*6-#icH*Z&OVcV2+urQP#SOm%sEDGfZ7K8Ewi^E~C z1e70G63P!O1;?e7jw#D?Nk}dun&$$U2jyZa5TBS*UNrI0_< zdmTE{-(mlckzd%@#LF+V<01BZvzX@Ompu>3*CM7RvhqRWKei%YMn>zHHl)jcgvNht z3*|rF0_8upgYqBSL-~&#p!~;F4mplf>w**u9clbN>{@!>O98l90sF#4DEoCLdh~P7ikXcpJw$zXJqPN$YY)_S*Gc5->r9SGLDqX@NW137 zq?&fkjk$~TKF)cfDMxZ|=lqxjURjhsyb#KsTm<*bT@texj!j(>li43$8ncXe_4hrL zQ^Iktk<~ss{yr1GJZ1&?6fepjUJ2z7-w)*vuQKgp|2NN#{olwB#ymv2#*580$n&Xh zEnEa2Hu=`YtVh;3dIV}5+47@a`7x;9v)%wx;YM@c<1tSnYkWNcHNI?llUIJq~Vl2NJ8o&BA>XE(tI@EZ71IkX`31uJeg0kD+B)|OX z-B5n@9w__$EhxWwFO*-s56Z888@`W!vLEXEi36}U{?$8h5b{Bopzr@^UxM?!nD>#@ 
zzoO>XAt*ohFqEJB0hFJ61j^4n3gzd12<7J>T+-%Y-YF@KnR7i0b+U(fk}iqZWkPqO^qzoE_-{((AQ zxCC{+kO6hR;E1*SV`r@V<6N;fAnSRE@{e;vtv`97)}Opk>rXzY^(Q~n`cnXE{V50& z;Ehmzdm$+Q`X(s<`evy0DFn)&4~6pQT~Pjf813li43CXKRy#zUBSk`u_b90G9t}0# zW5}=Z9*eAT69@Gjj~m{CJrWPQ!ou)=`l|@kI#?8H9V`a54i=}JzRnV{C6P5gME(9r zsaQSlGO?v$E?ACyeVk=Q(>}?)o#kUIcx6%kctt3Gyb_c@UKz?CuL9+dSB3J&t3mnW z)uGnU8gS3tTCp|Z*wk9F0sc78txjycSlM}X`M(@Ap6ZF@vwy##VQhm~`I8M}8^>Dn zyb;tqM<%{WY%^rd_oh(u9hvy%u`Q4_?;(C`%h*=bulWv1ZynplD?|L|wz2KVuXW@W zsPd7yuYGK1WR>5+o8A$so=)C;q%&{3#CA3LIsZrgC#73#FVb_R_KfY0e)&^-NJhV& zBIUCGLw8c2*xs-@OfdKL70o>BXYT7S*~~M@eS=~Lz|nA^xo=SHt5?jJ*xEgTr7aI2?9`x5J)r1ndh(ney5Hq1q|goirwPG^`FMl27yJ zPN?}a7Ha;CgPK3%q2|v7sQIJ(38|A}Cwt2it0zr~ooeFQ|7mxdq-n9!iPt%TST=P= z>`XHb6GbyFA?=tQJImZZJ9Z|&N7CClN3_zt=L|`)j`+V1;Qzz+d)fbCCzuK|h?o7T z^MrZStMi1rh}U_-e0Y)c1yJ`dgt~tb)cuR0?q32+;D_A}bzZR)>b&9}sPl?@q5S=2 z@Nmj~8qe%^%e~{D zn_@ScdHGcA)86q1@xPvleby^O{IBO?pZCfT|LXchw|f2K>2YWLHThfq5Qay zq5QZ{;JB1eV^8yZ6OvDf=J`VWxX)t0AU-kWbJ4^@CF1Lenk z1Len^h4SORg{xD}nQ^>4`MXTxSbzWZhgi#R`w`Y*p8NzG!t+pm-OteP&;7#x5Ms9PKZ_j(Ne_t&MV5UGkzH}&$g-=$pzLa7^ovk^Mn6&eO%&9A6HUIk2iX6i?7mp| zC2|}r$@6r>$}k@OKzw1IUn6IcxT46iE5uF27c=#gh%0W|Q6jDs`Fc4^iYA}r9?sHn zWxTQ|`=Kn9{ZJ0dekf1Ap3Vw!`fghGgZ=$H?AJ>dY(4xoA?HC4T;xtwb{tTH;!vcyq<3psOM|T&Af7R zDF37d`JIlIajm@L4kEXXYvb()h#t4ZwS`+?d&WgVay!wC3y9y*A+BSb<##~icXaah zUuSRsb%C-Ix(F4lw=*e@Heb)vZ(Pj32J;z zh8kZ}$k)?3HEtTR#+NAj6#I~UJ~3`aoa}_exLG_$&6Al>^8}gr*>N6ZJ?}YC&l{Qe zq_|{cJ$H!xk`k9nxq8l!^to~KyfP%;U2*e?m)#+jO*bN`Y! 
z*&RKccZ()n9K&<7?TUNj9PxJ`FN5Cq8^+#PPJOaBRuC_HVFgElC@CvJPh^zVV&aPBk&+x5B0v`QKODnToTI>F+?NhV(*Bou&U$b0N}ToHVhhxJi&u%a-&5$l#I`ug4%*Ih z%t+o5_gb7~KSAuE*W=!Zv+O5m_V1lg`~EJdef~|jh5dauH0S?N?*-n1?MUAX^`2oL zOrTwFL%na<5B2+H2jC6q?Ei2O=?9_gm3N`uKfDL^-r;>1#_#zag1Mez|A)iK{{htd zfg@1opzO0>q3pBYpzNsMq0Zy~fI5%A z2q0Zy~g0j>8hO*QCf%<*uOHk+W8Bpi(4!3n4?}R#!&jocJe*@HaUb&&Z^U4GD zomXC{bN+l#=luEMTv!0khXtYRzZ;?Kzd}&<-%U_<-_1~VUkH@l7Yb$fxuER6Fetk( z9LnyCfU^4{q3pgWD7!Bj%I=GSvioA8?7lcCyUz_}_r=3;DTUod-I`}bMAKgoyRVqL z1o4R}#YGbjjonug%I+)Ww(P#r$g=y&K-qm|q3phLP7>`53+w& z=Ks00>^O*>R@KO|(~zA%?#KUkD_;$FP4dZ}gXF8_u8pjG(AaZz$d{2(*Ikcv*>lj? zbM>L@xdu?@@eQHuxkga-Tw^GEt_fV1+*I|`&Ss)%C&UhG;ciX3&SzUvehEh_BWu4S zp7b{EwxrAM5OwZ;i-~XNZjUUx1ENOcR+A+{Qz_f3m zdl2<>bKWYNeMoXw=U}(&H0fvCYePwwy>=Uvy*A9;&;Ac(uib9s5$;i>>p6`y&*=^$ zs~kIiw22?%zSCPD%k1#Hl!%yG}sPVEAYM$H=e}}7}#?J%Puko`QS>xwHsPXd<{E**6Ujy}b z>erg`A9g>2+~+a&f2hAxFIm68vL2S^zDJ?{Uj1Y6SLXEwsPpHIP~-7&DEsjVSf2b( zLfMI%pzN`ypw6eChLuTw2Ffmd7RoMt4$3Zl9_sJ9yg>U4I5xXqM3!A=$T)rpS?8E( zP`^)*4u4H~#r-lIocfA;3;l7C_Ca&r_$t(S<5sBi#%)mNjoYEl8+SmRH@*gS-uODy zJbDA}nY+uq6OK*Y<$jZLHIJbA&S*C*NqhG|eGl~()b~nzp}v3GNBi~t)7#MP*zZ0- zyyk(Z@1NcwUf(|*gt3ly-S2tRMV-&S4|P6!24jj58cOz zSNWp8i#iVVUDOFP4^Fy2GV|x8`xEkabABwE{F1vmKXqd-8`-j(KXadU%g+7G{RMi< zZvGr<{38?prTc4S&4aI?<^eMCXWZW)Yd%2i=Ckf^sYiA*B>kNGJFg7M_r3cE;$=6B z)sud7|3tc;E5wdI@4jH#_p@l)2eG4nb^l`W|LT?<-PQSVeKco7zX zf5M{hFIWt+|Cn>Jf7qXNE_R9bWF%*}9r2bu2(bs9@wwtHdk`AC;RdMhD00J=o7n$h z+b7unq4xKDQ2Tp+sQtYFlwDE~YM;LmYM(Czwa?!Kwa?!SwaeZB;;_W6=f`+O;=eZDl*K3@i|PASX(*{%JvoM_6k_W26@Z{F6r4B5Xc z8Cm-`GV64e_^PC9ora`Wi?5EXbZGYX8sy8!s2N|2bnWlZ?C-Uq_V+qa`+Hre{kzAtmm(MFM_(k7B*&61s>2+^X>%t@)V zC|k6sNJ|GY}+XI+i<1Fyk*IX~B;zrS=HZc6kG<)U}I-~Qzy+ zq3HcK487m(K<~HV=>0YVz27R)`z?;%Zwd5%t3vO$k?8$)Cwjk)LhrZHI3RIX+SqWv zjnQ!Zko#?1+W2t4-K}9dhWl*-dcRFf-EWhKz2ELZ@3+b5{Wb-?-|oe!iThIb+x`2W z*YF;|gP|PJ{-fpcp;WniI8`pEG2L=GJ(R;4X)`(BmP@2uK9V+z*m8-iKPPQ=*xsD9 z$HH+vs$u_;ylHOQ<7vsf2}9mAkM(Ugo4(f1EOLVu5D3;G`7R`fl@kJ0xKx1sMLeuBP-_$m4x;&${s#Lv)ihR@OW 
z5O<*OA%20rhxjG>9^y{)J;blj`|)e^e*6Z#AHPNK$M4Yl@q6@s`~kfme?;%cpV0g9 zXY_vj1-&14q4(pj=>7N`dO!Y--j9Ev_v4@F{kR*wAOAw{$2~Y8@psz4q1^tXq1+

3|F-mf|6 z{hG`2-miJ+{hFViyk855yNl!niZrI!=i-zY=-8^)Jm1$Lg# z_&@sIOEdKSh34pcFD=l1M@#g*msV)MBAK_gPCqW)_N;aK@$9e1(*`{rVy2&vej>5Q z)fPQ2Vy2&zeloGghqRBUq_<l1kD0kjR=c4z~dFc4r`S{PHwEyV%+J$I&?TsVwBDB4^I90wcA$C0RQuIFV zgWj)~;YH-ReBPb)BlQ2%BelL`KZ!&6y^3<|^Eu*>k6pw5U9*n%AI-zAL-Vk{Xdc!N z-T&+HJ-h*LW%>S`j|Gtd-ZwQPj_?@bm<+{o4^}`K`q6>|Y#R-}&x$6}sOe z(fz&?uX~O5AJaJBqj4D9xeNW>*D=@<$Kqg?ABSD|+`I9XS@i$W?^jL0583WS9LRE$ z!hYT3`3UZg(oW-G}fx=0A*XpY=jJI6Xa* z)`xfoI&MD`pTS44F8$A0=s5mte4goZa0jw}c<%5RvCkdmqR$;3$1>xBBI~dK!>ZAGCA!t5!D4LHQhUR03qxskoXg+o% znvWfY=3_^r`B(!qA8Ux_V~y}j_NOuWT%!s4T%#%aoG1+*zQlE$6dpYNz&!f&opGTdC zK94#d@5T#oB3_6-f9s7tf4c~M?szf!9PSdd{9cMahwFpp5tpIQ;Vws?!(D+shr1Ge z4tEv$9PVoLIovhq^RH|1e!LE+VqctocfX7qG9nps?!I0_K8oRf>yO@V1JL{JM)bMr zO}GdL;>uW%UtfOnw%sNuL9N8mqL zi4n>}9R2=T0{y;J75dz8B>MZHcjDnV3LD^P^m*c48IjTX5!!!Z`*CCOCLD)@@NOJ} zBM`9XP|lCOtk;@2-<&}h4$ZOqxs+*wEy-fns+{i=ACoV{@ded|7{-H ze|rM$zs*PcZwt`=+mmSjZ6Vr!TZH!Co}#W*1GOvZDRo8IwfHIy6V{#=sr z0@H^ip4TuPLw>sy&2L|%J{yh8i0!||hoS$r zG9&qZ+UsaPZWTU?tMPGs1LxzLxCqzaVqA;Q;W~T)*W*k07OudzaTUIU_6s-Q|K4-k znDICFyW=v*xafN!c3hM=`W(;4Hsg5K`vC974>Rl!ew49=_3RHK>ut^WnAr6&jHhm6 zx$5dqGCpO#Fwxv>SyS9>gQ-axdY9szd-ZqFL7pkr~AYC`bxw3LdHM8$@rf6 zJ_r1k?dL?k3$f29n9lqkGJa(KFy`xUo|pcFqwwc2|Cfwi#LqDwS^n3I-`P(0=x-Xv z`H|^=Wc*3IndOjpcgA1DJ|9HR!=7-yJP+(w=&${Q_SgPpx#QRI{2!-s9{S1X4b*}Rdq8D%uGHn!swA4cRlp|{)4c_ zU9|sL8|z~|JOnRbdxzo`co??8!!tduBQlR9zJVBtkIFoncp$O*yrcnUbN(7)-#d2= zZ-m9nZ;WoI3H#%F-A#$-&|gl&Comn`GCu?NCNeW~SkCWfWM%rkdA4!5uE_b!&&&;< zpP!kBwTKH@uj}Xn4d25s{*v=kg!9(Y{%1zwr$Nxu`;q#hjHVdEEJhLUsb&a;rupQ$r(N>v%4Nu1Ebw7^zK38pxK38pnK36>+eXe=} z>p8yImUv_3iJ2#5CdWZAjDwuaaoDdv1uZA-(EfaTv>)FA9Va-I<4oc+&~c9L=s3rj=r~6Ybe!WXbey9nI?i!6pP#va z=l{f`InU?dBs>=_$LFEt_|{#93HUd{gaTol7|&ucipX%X6gY#O;PvoF)V?&@>TeoSw| z{OhrCqRiK4)a+ov9f4yiu8> zQ!#R%-<3I*IJ0U@(9b32cRwa)j>F@|OwPO;+v0fafD^C_PQ>mw347r^*c+#$wvXZa zL-(TJAG#0y{?Pqs{qg`>zdVT6FH_O_w}lj z`}Jj<$@Jy80AIl+_$n^P75FB;hJJr&rv=_@2lI?iMu`}~a>{GQf^DDNqhwWf=C-c9?U+^3J6Tig>*Y`WDhu`B-_ycC(k61DKr_7(( zj^7hR+M!=Eeai&im+U4c`+qwjGP2^skH|V4 
zY5%j1V!5u-BQHV_a?e! zoyqhXRo$~r&oaL{!)?gwPO3$o6|et2G3 z?}DuJu_^I|tY`gzl&juZmxTGW|6xAuKlWq)oL*RUY1U<-T=mgV&XDa~k##vX!=WQA zcUNkdk71nm>MXwBHjDm0I~)zyitD(2fy!q86|iT0E3MEgmj(044lH0-~hUn4R;Ya;Xge#-=`GmHLz*sn=pKiw~u3-{S%^gf%ya(*B4UbLRL z4_nNn|Bu&G4?TeE9-;lmn~2Se{at{Eh?nBS=<~&C;qz(#(dUaZLOe5T7W3VoN6`J* z7tc<`bI|kqXxPukvgWd1o?qmAKAts?*!@O6XMWZbxD=n{_c9??W7zeGt=|j;p6(I)?8<9E^^))knwM4nfD;4n@b?4nxP=4oAn^jzGuT zjzq`XjzY)Vjz-7Z8ldBC4bkzoM(B83V|2W&2|C`^6di9%L&w|F(ebtnbi6GS2PCqx zbJ*|R@oWwIjf}VDX6G|~NFq@%~I^$}8^w+XTJ zIWhIq3E6F#Z~cVKKQa3xV&`M1?@wmA>grRn+cDqz9z%WK9?p!NN!Xno%it?xUb z^?hfY8Smofa$H?C92bV~1$1NkH6o{HpF!++1+rh=!+yG7EEnqg9%y}k7Ry;r^~7VS zSI)+k*b6VgbHe)PWuF_idtUYh?04tr`5M}1<4(~Fv-ck-*;si|_Ql!BdKW{zdr9hZ zFHL=JAGF@R46S!BN9)}ySl)W~O0?d+itStPUQKMhdktFeUW?Yd*P-=pU$no|53Mh+ zNBeO%p#8Z1Xg_WMdb~HH$9ofcyaUmC`DScGd`md)LD{#4;~tcKdpPdfG#s~ar|979 z|C=8V%O09-9y2U^ILBlDdIx%*iJ3kkJ5KCzSE9#F%=AQd6|u*U}tUn=}Jc|9DsQdD&@SeqH+V933 z@8od2Q?l=6`<4@={N9&+Ke6Q(L-~Dx<*KV6%$~}8%P)rVyLeDC4|tf^JYX7{2TTv= zkM{bo7msVE|09jG?@wgU zPn9zaZv`HWuc7Y?>|6eI_Rscw zRciUwn8W-x(DxwTMBjs0gT4o`77t`Q>(J-x>(S@^Z=w0^+vw-NgXYB>ur|NQ(JOsmY{a?}N`oE#={O@Qx{|DO6 z|B1HqyU}+3FSMQCgSPX3qwV}ZSaaOo?0>QLguU6da%|`S%dSq9Tcn+j@>7ohoGA^No6} zF`5sSpwDefu?N#*=>OH0;W+lY9DNR3f&P!wF<8xZo8bYJ@8;<9%@*i;11)h7_hBpa zy@6xV{XGtSZ=f~$-as4ly@BJ=_XbWt-y3L)zBh0p`rg1v=z9Yvqwfuzg1$G<4t;N+ zJ^J222lTyxQ_<(F9nt5kozUm3ozds4UC`&OUD4` zpNW?19%#8f3oX|@(QBFjXFra@{-U zqEw8O>x*+PNySLHzSQ+X`9;e0WjR+cz3I5iHB84)uCGMP^;KxOz8Wpp*P!M4TC`kW zhnDNUXu0l(mh0=$a(x3@uKT0qdH`CkZ$!)WP3Ze81JUt1kJQ`y24r20xxjBzB-@F8wKQHGAV&`LMf9JDYb@hUr zCz)?vf}uTLi00Lc(7gI7w0(XW&8ruqdG#|mGybff%ke#@;rRUg8j<(cn~x*MvmzXy$HVqRzOoX{S6*j1 zzlXO9{T-FnXukReR&t)-#F4lL58*tn#jV8a@C#gzdlPTvY+!qiZ@e& zb-dL6#m367bH2$*_A4;td*8C0`QCTv`THKt_kKY0y&uth?1T>dZgdG8*ypYb=^&-e%JXZ(wUxE_1a=PUoA z*R>jbt`*5metr})BQDY* zHIMcmeePNxeeQaQG5d8Wj$ygOuqo3IN5`LzK+nsOIEDE~;WRuND@HfSZJ3*UeuCjS zP9yZWUSsrmP7}2M)D(T5lZHOeNyoj3jNEM2w>)O%S{}2ELwQ7=x8&sJ)?dEVnc)7t1YYxn85oG(2xH_PJsO`dsoD 
z^toa)&VO2j_8*%@TI9B5y7#sET(K3?n=t=aY#cc*w{>d1dVjP*?~mir`{M+b>lkgD zdm^#-hx+~GlhAT|&in0r^nN2|`h~d{5qsbDM(;afreB&b7JM6Z?7BrRMiVKeu0MIp$OD zZpgifxJK2Dx&1@A8(>ViyHVK=?LRiHyg7FuHpAP(dbemOueXNv1{sI)imW#@_jc@u zgTs15bBAD4;$f`k^AKcvcjOLddtO(hpFSct95z_l{4{u>TmIYfR#E9Phm+ zH*#QWelKP+pXYe*l-%Ta@4e`F?|n>9jq`?n)dRW7e$|6~ZgqTW?nAlBeihQMdN_Al zZn9s6A>W*i=9@Fnd~+t6Z$5(No3qe-b2gf9&O!6dN3rI(xw(&F?Fn;p7jYd1Rz03O zFLfP|eDjIi`KcJmHy7kSnTnBobD`^n<3{q$r*aoFz3I58HB85lZ$5+Oo6n;8=5uJi zxdhEOpGWh}7tnljDVlG-h~}Hi(0ubHG~av~%{P~$`Q|HVzWFNp{^klapL`9?Cs(5R z`P z#O8yXguD`fspxjz#-A49(Q3(Hkk@5=p^`R0ol^2OiKeDQZQU;G2j7ym@_ z#ocJW_!rKM@9}fV7ys69J}~5i|Azh88}`fnV0x&>s?mBZlE?da9M`_*XElf&H#-0w zH>;UvyGQ$vj+@nHy7yrn;%KC9-hp|^<459pc?S{uImr6;^9~N%tDkphp4agZ4f}`W zQHSLno|nv{Fyv83u)g)|k?8&%h1Rb}qxEV7v>tEB^5#*E(0rkBUNVnqLTtU>6wRa3 z&^#&~&7(5V_Ae7{|FY2bFB?4%IXK`^`v2(nit=#xY@Yw4-@`4yKN3ZGh1jR6D35k2 zyceR&DNiMNk+hy{$9{-$jQzDkH_UD>&Mn;{n&=-``3>rHee#B7U zv_tEg_Go?60j+ONMeCc6XnoTOt#3M`^-UMFzUhkAH>aWXO*gc@IUTKU&Oqy%?r42; zCR*S0KydZYEtMQD9< zFeqV-K5w7$6v2P7`fyE2s1D>R&cq`tW-?;55LNnEXAI)?h@TC~2oE-zW% z^d+{w>4(-g*Q52#4QPGSAEzb;gzG#de&hbvnfqs8-e|6m^$Aj6+!A8z3u5LE%DavE z-e1W4+w%q!J0C-RGKA%-tB2+dW4`qXhWg|Vv_2V*)+Zy-`lJ%APvU5OlE9hqDnFO{ zWTb}UO@98Uus?o2aYOIZyU_b|4C{5F+>b^31>>0BK2@)5tQ?;=A$6Z)xX&l1)}NGG z{~q){pN!t;Q_%bTUY7ShzYo37@8`JeFFio)ef}VNpHD^a^M}y;{9$ay=TAfTXF7U6 z&%pkV(EelR`LzFNeK!kFVENg2GR{HkiAT|T;xV+In2Xi}kK-SSC-UZDpQ5i|Xnyyu8L56`0Kftcw_@}4L5 zd?0z>3wcY~zQ>Que=%=aDn{a$^8VlaY&rEy3H!0HUV4@7Sud@y9>Ukq@6oNq&h+nI zN5|Dyq2ubS(Q)-R(Cxg5)>~_EQ(|qZ-deYRc@BBnTagH$amejxJ@*+#`2CL0(Q(NgXrA~5nkRmV=7~GeJn<_uPy8Cq6Td<8#BZ_Y zxbO46!`c(R&-;!0XJFM2c|WG^A0$uwDevc0jO2;GxKIb$rFFi`;+NS z$NiyUI)*%PH<~B@h1T19(E9psw7&iat*`$@>+8K}ef=L=Ust2`btFGoUq{jUx&~Tb zAAs}k-Zi`?T3^>f>+9NReO(8wuj``q^?_)8T@S6V4?^qfgVFlBK3ZQNg4WlEqV@G* zXnlP+T3;W5*4Ia(_4QF`eSI`qUpGMO>xMWW(I~%3zIjDs4d(}`ubbwlGkr)RO~Z5y z^>qeXUuWhg>+39H>+5W^zRp4G>s++H&cmsR{CwNxDe(dg+e7N(qWseQNW;0@FU9$h zc>8FHap*50^JDp^GvE3gsjtgJY<*44{A2Q)G2i+WncqCW1+nun)aNZ(uDZHa{;|xr 
zKF3g>ABWcGt|1V7MntvLx|XnuTcSfBPE&5!$rxL^MD%=f(Q^M)|JfBpcbd;a!$W0-zZ{y?UC{`Pq@ zvH9FB%#TKH%^$@1vm7DuZTYtodw!Aq7?M92m*TK+KMd7yosm5Ij{M>I$vhiF`#U0a zT`E)8C62Z`3AEj*Lfe~>EN}aJC))mw;=I`YjwZJKxeIN7$Dr-+ShW2ehhFEq(d#@O zz0MQR_s=J$wlj%%^Bau+qt}0OIKCF#lZ*^O5PB^7qSI!uZhpEN8!GGp>x#{^v*P z_M8%aHzVX1A5lM>Uu>IQ_`xb4_zC+uy@6q<`2edu=5pBAwmtg?ZO{Hi z+q1oBd-fkrO;o4avq-^y?b$(DoL}P5Z#|$O`MyR?^#43+;aRwEew~73{#cjk=8p%W z?^)DC^T&hG_dO0q*RPMRe+X_$9O~!NZXdS)=ZEWkL_zX;A6XEo*Ma4aD)_(s+6D#5 z>)nvguZ}k=Xk3uI-pKWCQqZ&@dA%{@k7;N=l#b?m8EC$ji9WB-Li53Fv|Qw%w@E%J|xjb!*mSg;smr@v@J;HIVTcZE>1$r#mQ*7 zI0Y>i?Qm+MeYh@D;vM$CE@2$3V?px&DmtP6SJ4?y!Y=6hiCxj($2krEH$HZH!L?i$ z+btx&=^kS98{+6D>ir%Cwr6J*^kg~PGi1553wjZ|9ELpT9G0uDKDXdJ=9>p$$b-&D z^PmgRJm^9+59*EPK^LKU(8V}2eu;$InEo<_NG7XB_4ojoWC2<|EstO zea^aX9PVaf^Nd^2Jmc1|AGH5yo^e}Z53&xkWW8c7sXaU5PRBpz9CC$Yzg?8oSWQMeSxgz|WohVzKz8Dk5^6(sWv40*=g zsq-^Fb$%wG?bAfGeVT-}OZTw6dB$Wk&zQn_G|#w~*mmkZG|#vn%`+ZA^Na`4=V(*W zJmR5n{vR%wM(p`l&;N9^yv@MfvuXeFZ{kPL>oNT-?jzfy1sqp({K~FQWC(GPE9g39WZtM(dsBXub0aTJOAy);lZE zdgnE?-dTy(JFnw_#HxZf!gXG);W{Jr&YJ~mL%p*`!*mSw&N{T-S)ZzR-XgZXc^j>7 z-a+e|4LCLNZmPc7xPN^^xqGkRd(M~T5UCF~huHeS>0=juSg?iZTO%JS*LleZWWB8g zA2Z+bimbP-;1gok!*Ja`Wx49=?FFAP-+BbYb^IKyM|Pm~$QS5!{SvK5cB1vjS2#2N zwfjRo@{NY$M?U|%u%CXu`)Pjm16nWqh%FcWRPYO*yDsvxhW*BdJu7z={Lc2ytNc~j z-ftSOMc#uA$5j4N@E7wZRPHYL6JJB(cn#)b`T@8HYhpdhsr{6H*uM40zi9ojm-#g~ z-v7}0qnhoGT^K2>Q5cDT9EobUU)1{GfI^R_W?`+uaXi99ok%rbA>1e%?fz}(D==Vpn*iOqu*@d~Rw=R;S zVLy@Sd4&Z`UlYmKaDI^EDl9B!`bUu>4bze7C517jzZEIfFddm*RyeIiB)&dUu3v13rqH~%Sz!y7^LU%1$4kugmW9U>d)%$i<0fYMafPjkJ$@vgZ&P?YpXc!+^G_&j zn~IU+II-~LaC|2zpTA@Tvfe3$9m4!}%5k>Wuz$#QPA%*l=66))chWE)`QN;*g>kd?85-6@rl0A2&PNXo(_MZ!^+HePJ1%*4VKT4mg}!%u z4*K5lx#)Yx=b`T%pO3!BdjWnpgYkbf5ABVczGv0`fGv0)bGY&+@8E;0%8E-+y8E-|$83$p_akm%VhP5Z$URcR} zH?V4O;gHmQhm120EgY7Lk#WX53Wuj+WSnt?>xJV+#u?*E}>yMhH=J`=s4q@ z=s4pjG>;yQjyK+g=GSA;@y4;}c;h&9yzy>yym34_-Z%k$J~R;>Z=8gVH{OH3KROwG ze{>4^{^-3p67NIb=e-|oA0I&5#|P2&aVpwAK7_W952NklG_-x3j<%08(DrdAnx{X4 z=IOK0_Hs7bUd}<=%SX}n@-ei%oQt-XkE8A7JhZ)h0tY1K7e2{($ 
zzPI=u`re|kS&`fp+S?}dM)J`XuRe-{2l?D^S^ zo}Yd3o>crd?ix+|AC~{Oa4)gvYoGrS+rC#bKN^V?MT?T<1&M1E9YE~)ME1W{QB7Qm zb&4$4wKZH%q}{GtbYM}k-Nw*v*JFL#v4ha-a4_0_)koW}L(q2XP?opdJ`8QQ4=+l# z+eZ-Fjva}%+ee}8_R(m&-2iKEW zNUW%g>0Vd$J-%|LH(`DSHjW%q)GRe$-ClF1o4>Tc%t*_kR;l^w`tFbrsxEgZy7ya!{-^dh_)@V-x5AQ{BFX@MJE;6KA&9Fj_crcIt9H>#7u8rbSkme zs{?wyh?(B8s1vc*4apli7j@xtyiUmcu0^M%Vr02)MW-{}@jxxCI-}^!us_{3><^Ov zoK@5#tbbM!<9_UKPYv@i^Meb~{Gd0Q zA6$e!zq}ZIet8M{`<|Dg+wFt?Kig&K|Fd0={{H9{X#Q{|mM-M|f83O~x+s}9T%+MW z*q1k4SCq^f`m%r3@qR_u7bWusByYH(sDDv1Z@`c@3_$aS8`1BR+=TW62cpk0Z^qBb zCvL%2#J8f)LkFS%zjYh>`-8Wm?c-pyeH?bDt1Z*o0sA2Gfv@`!OLZ^?Le(VSF_w2zO5gp$p7Bb&<6hk|@2yI87Lfg@&(ROq(+KxVhwxiGD%=mMDKJDld z4d(^9-(M(N#(dk4rEEVZ@?wa+&za8rmx^9yzT-Sdyu4@y@f!C36?DAlRXm7t&2;9! zR`fdCSru8S;d~&|R~4-$w*5fP-y7k4c--tqs6W=A^~YM48^Hav4y{Mm<7Dd5w{S4i z-)8%*qwf@LAa*}>4%6R7-$&nw53qlma0b4IPvHBw7&nLg`Jm`SVvj?;9v`LRE%+kw zRz9ay^y8v!#C{I4-=7wJ64w8;=riUYAKk8DzHyuA=SBZ-JN^apZO6Yv+wq-Yefs}s zJN|WuzbX2j`Cf-_*$%(|7h*qm-}E2C^dF0UN_`%3UVkq7h1lz}&t1g+|JSc!{%=Kp z5__D#qu1*X^m^@^zB@JjuhjHCVZFbL{^j#lMgGxne93rk(SNBJ`TXjlNOAJI?lVek zUQnah^L0RR&En*Jg2c6oYZH6jk@HcvxDGDGdd21i2WlvvNM3MI@xjH(yZ}R9P@nZ} zZw^7r%b{pHa~Rsr9FDdxN3gtk!I5ZQa8z-!Jv^G&_ND=v7c@lkf<|aw&=}1NnxJ_> zQ#3C~L-T@k^!Z%|`ur{vEw5SV?@MK4X#eq6rstyNHxDhp`RqsQXhCryvDa6JGrb7? zAFE>Yf2>N--{C4n%XJKG*UM7JQI46BisECK?sn96y&2lBH%IS-7U+G@61@*vq4&YD zXgNO)E&r|2a?*zFwu&BKd;+oCMan_j;uBM`Mkzlhh3k1r@yS>ta!PS~mODP$PQ!Y} zZK55D|8L&VskmdY?R=-=E?g(CV`ua_65IY4cO&+Co`zmeVy2&7d=9@`yAthZ$I-kZ zf#wxeXkIZA%`5IizwbH<9lscjj$hn`j$e#H$1ldB;}_%5@r%3B@r&{3_{9XQIc`$% zM65kwQt^Y-9|NoIDW06FKalZ@DaH4uVr2Z{zT*2+F*1Jffa`_xiHu)NEq<8kO~*Z? 
zVLFEKi)rZi#dLK1Vg@>XF%uoXcmy54n1zmC%tpsA=Ah#jkD}ujkD=oibJ6jO$Isd7KdJfIImY{jp z^Jw1n0-AR%Mf0u~(Y$LJns>c~=3Ou2fW-3RS2;hu+$NIvymSl)cf<*es6hkEOS;t$!5?GUouN5xx+T@FLuwUyiEYW zOpiwX4Clq;XMaLH{1;je?_s$`t9kzqZO8s$yRD=D7Vjl?|1f@B^uOZjRIHA3L`stF zRJ0@#KQ>yU3?NFT(_p@%vfy5r4dY$T};)Bq3>R`6pDq6qf z5MsBB9LHfLhlceJD>;JsEu)8Pm~Y%7dSuD}n~xpMeDkpeXg=03tWW!o=3|XR+@vI( z`Cgx$cBaV#iVP(7Y@^ELTucOziO%qSvzs zy`KA~m!zhbrl!ZjdSxXQeD119xrY5o#>bR2OU1~3G%smE>~-H~OJeh~R?Lq^jx9N^ zBzYepaqE&c#Fhu-yqr*SJTAo(OT6FPYAC-*UUpK+$tB6W3`1Ua3hUdRw?oTOdkp=5 z4E=w!{qD%}=4GAGysR_F<2XeZV%zhsXkK<2nwND$^Rm;?yzC4#FYAuxWoM#!Sr4?_ zo`sg%o@}>u^z4#e#9lX~+@4c%ZYoyuwe!$%n)A`|mq2xqrZ+ksa}n!19&<4^ zja*W4DbwAqIv&%9>5j)-hK(bamt2vWujX}EqIum_XkK?Un%7-}e%`gL=XtmeGb4RV z`Z3+@t9jk^XkK>%^N)@8FBy=UuO7#Z=zVq*dY=tM@3WiH`|K94sA zDtdd#U}8THDPKcMhNfaQ-y0Un$?%dpLirkAQps{Hqa!q|XWSwhFG-|gb=<289rqfE zj(a8FKO0>#s>Hl)bjcXXh2`chwA>IgeQe3y#Fn3NX!#*#`uLIw#Fir@51d#siS1f$ zkootNOisl}9yq1szOY~SYS>RC4}75H{;>Q5B~!!v2Q|z`w*OEG`Cu4#+LsqjE8%|{ zSO0JPXa>uf7tUn5dEq1I@6pV{dsuEZ`hPBS&^+-`bp6NBd~YtA?>&y@kMq#H?+NsG zZsy~r#DbD!-uI-2`)^;~x2PnU_dUgaRL7q#SzMCL`;ffvnUZHql6fD7-#2*<&Fhw+ zdEN79p7sKor!7VEju+9qV;P!vyoBZ*FQa+Kay0LF1NA~B}uz&6k^TYl1J9>Zp!E&Q1hkxQV zxErl6{|f8B_|#?7L8|9|aiHS=vxBc;jqG+OHZ(Emr<(*u}p zyH_(zuT@%`*!|pR9b((1y3CJ84lJ!#nmo@)d{F7Z#2yFIE*(-@AD7}`rM63lYB&$* z^Z(K#N>k7Oi8ph+N3y>4%Teg@AC1;44bXa}AzGg_V)^j=A8nVKlqT!rro`4SX&9dW zV|f0Lwo934JCud~K65tq;=JadzeA9V7Zc~9=Q|%g-vwy9P>8k*MQFQFjJ9tj=MUN@{zy0hMrOivN4_lPB;`luNmgw;lGyT}o*2JEN zg^b}FUbq@JTb3*+%!_+0DLu1?3(@OaKwH{8f_r>B-b1O2{GcifaXvou*h z_Rvrc_SKI)OOy5E*=)Bu-mCPS(q#RJ)Q{(uo>!WzA2B>%KOgU<|8)V{ue%UWdV=;J z?WbOZ_ERrL`>B_p{nSg*erg}IpL!YEPrV%Nr(S_I$6Zx=CDxvBRp||s+ksVAmtK=9 zw@5$r+S2P%G15=%TiP!bBmLCtT`wFT(ogMQdLz@DjvJt1I);AgO=v%LAlgs88SS6m zg7!~uMf<0N(EjOdX#ezfw0}An?Vk=o`=>+E{^>BZe|iVnP7Fuei4kZ!QHiz_akQOC zpzTBz+D?o_+lf2Tc48FTPK-v|iM!BtVhq|&j78gtacDbnH`-2&N85=BXge_xZ6_w- zfW$qeQ#dcZ%*;RJ@_%p+b(QF+l5cqzIpnm#MX=3(RSf8v|acdZ5MX1+%eHFN_P@>sQOaFc`|;T 
ze|4&!sY4#@n&V@IT7qp6{LX{_h@Y>b}ICg}NWik?sAH=4F8J(itXE+e&EW@@>t)N;&c|8iovEbnt` zZCaTh%fn_^z;d29Wd90d#o_!EX*fT~@};qouzYEZ_LB1#(=Z>y`@!Y0WcyaZ=T*m# zi8YHQ+c%_rYaVM6OSW$q##>vW^>!Q>+SYvz1;z=w@*du?T%=@-3hI?JL7;vm)L1B>+P-@>MNw) z?iM?P=|d8yYnYCq-tLap+h@j-^>z

+Q49db=lDZ=a3U+r4mV;+&ZI!j$;A8n%bL zM|ghhLaxJSkqeajb;$^1dhgi9Oy3^4NW*kw`X#YGOy3Z>RGCiuPx+5VE{i3YZ~c$d z?^lG_`kk2hSH-SozV#|H|C-pf#LmZ1|6j*))zy7t{g`k4kD>m*9;Ic@W_+NZ%W>YU;W+*L8j;&$w}$;66uX`6e-^n-!*L<=hs6em`9osEn7=hL zRKt8^er4>AFn@TglKI;sBQ(rMjxQdL*W=^!Lc39g-q$0;dUwV~v)(6>Q5x1m&gWgR zu}t3<8KYr3GJRZZJkvKs?$$6JnLZ&#y&iu%GEteHtml1S`5u|F z{>Xh{{rh7NvfYm(4`^6l?T1Va$MI0?VV3hcBF8l?Hl5hxLbf|IHUpR9qoLeBqTxIv z`#0M-UL2jHVf(tV^0C<5Sh9bDp&fdh<;~CMq37udwBDPK)_V)k`tC`Vw;fuDwnK~9 zzU|Oc#MXaLqwUaQv>kc|ZHJ!4U9)!$e-8J~Cf`Qeo9EH?;03&ldTuG!nM3=Z+U_zw zckIHKV#|r&j=ZelIFRYD#8xobq#KRl8$< zvV3p+i}L7njGjk1us&Q)eff7RlJ+LQOZ*R(&87XvHq76P{+`2s=zCDrxC0|)k+hST zAI0`q1K(l&1JLoVn&|sewXieuYhyR8gWog$T^D~wK0iEPtw-#**+J;|*um)Y)%s=0 z{W}EhFCNNt`-_L6`+K-C%N>C$@kn(4k3#qVXmtM@p!?qt-Ty}D|3)`PkE02C98J;V zNJEb!9X*Z=^f)rnx6vN` zeW4Cz$=??`75#moj%AVXe;b|fC61#r>)jCPQr4B_%@5UjnC;i~e>l38Me6Q&G+8dE zC(bDAUY5*ru;F8gGs}9ECG#9Diqig-yp&F)R z7+<&p!}EXi_oGK(U#vub?>dhD-gN>iu?nkjBp$=8$QeH=+|ATTD`u^e= zY{znAu|D(1q2tzfqyGy$9(|8-0v^HqiP!)q;YOz4gZ_{4Wb}WGr(jpMcQ5*V-TSZ! 
z%ioXJQ2rjkwd~)6n8oy|==k_U*phPeFrJ9h@Kl_RXWCdrs{rR-zMeed{I4dou`hiohRl<7kfpJ_# z*2AA!ZpZ8N|1pj0z6-PPSLT1s{NJ#UdhvHGz&|h_|HM4pjk!pD8@`{tr!4tB?7#6& zw)+nrPC5D)#}V(v3HTpQ#%jDDBju69AHpckz#8c9WgmdEiEH9qtcCNjHa>-Q@L8;j zFW`ar64t|4@gQ7<2jg0-k8k54xCsx%Ig4rk@t;Yw|M&sZkH9T>B>H>ZN1?yheKh*N z(GBnu<~PKbh#R5bJ8z7SViWX#s+*$!Q=Nv3FdY|T2KqnMndtviXW{?8ubxxhwLIB> zK>B%kA-11qd_$z5ys$jk-XZ;qqVi&vw|{{wUs7I5?D81;g)x?^t}ZJtXTJSH4E@3i zv|o4(+AnN|_6wV%{lXS#zpy3FjJI+>=ocQVp&TRqy4K|LbfU3q)rVt!{AnctzjBeCBzITih$2{F?%3&2Xte(Ci58o#|4Z7o`G%o{OxG?J?;N~``RC$;cpgs2^Ks-d#{cmQj{8FNcVv3wZ028tE0}&UK2CfI zK8cs&GuQ`Tz{{{V%UzBm7SaCW8^l-Q%gnzD9hbYB<6A*|4X(y(nckLibRDjwe(a0u zu^;w$o%SCuz#H%i?2nt--vKz0mli#Kwf??cBq??=ZuA3(=BA4JR9RQ!kE@p%Xx?|c~lNK7xE zhJC80m(Sqy_atcliT&T%nRq+feFS?@9%rHDaW+~W=b+{BQM5chhW^g^T=YHS$1(i= z4_YptK+ENPv|KJg%jJ`3xm<{r%SC9pdPow2>F)I20@{D9MZNJ3?q>Q1 z+`{yC(f=jhh@Z0lChRzp_8%R;ejk0_x*2^=`vLkp?;oQ7U;GjJKgC<{O7g_5=>N}t zj0f>K+tBB^pI|!Y=~K$_fsyUypAmcCsLyXdN8cmbfxg%C1^OP*m$(ymvR+z*@qcU@ z`MUfYrd!Xd?-6~=^d`*z4jV_lFaIGmUwt0@BRc;66MBFDjQ-#EFX(-~3;o<*S>OBY zH_VLuUj7Hu{T%guqCe61iFTv)!e3~;um`Od{${=%7GAioTpJmld#{7HS9OCd|E}*uzXqt<0l+fx`z1}#z`_OlKuNE>^Uo$M>&3y z!~Qrvk;`<)C-Tt$Z_P*lueAU>v0sJgdPTT#LUBb2>-j&sNPoYyB9@Agaf@Rr%5V#o z<2J0o?bs}}9EN^;bKI0@QIYJgx75(yW9SDTTaoMsAIEyt@zxb>Dw6$bq#t~I#R(P3 zel>>vT3ht@GfzZ+Kl3E?e}PWMozKwzV*~EHcIf{AwMTzfvjf)0Q?VV#+Y#;Wb;3#X zTRP*QMAwQgm@&R<#c8SIK>C-bS9HUi@uyduk(!S5hc2w>ju+sW*b94L4?GLIVNdLY zXJb3;g>CU1JQmNz=6D{Kmg~`e%MED1r9awl z8Gr*4H&zU+u-|f%hU<)+*PAPDW%`iBEgGg{=(h|)`z^OsB>OG56WebYjP_fGp#7Gi zXuo9`PEFhq%F~qi@cqkE=r>eWB=h|^nr|o2e7g$Gw@2bMyc5m0N8$hS<+~~#<9s{b zj?wMZ?_;?i>qN$d>E^*qCodUaF@fdG6Os87D<%;;A48se56e|oPp+84eDh=sdGftz zo_rsgC*P0e$q%4;@`GreJQZigAM$g_lONV_-u(O;k?9pPng22SHv`>IVx~V*F^kyu zc#(K^#T;VuVr0J`4aebrvz?IN&PD6L$62li_xn7Itfc)%+u`|GM!W!z!zVF~ap{E| zS7vlk#eVr$_??!gneTIt#prX7XTpBa{-e)5o(u7kiWivg{y&fI|Gs!>DtQ`0f}1>0E>w*OkiN@CB$K3@;hS5>TLy60n`ZxB1q z_a^hBku?=-*`C)QiPu%EC-!_H$Mbf@TeuWAgmV6lhUmi8K(EMngz*iAJSF=HmWd 
zuXT>c$M^Tw^YLD5pFQuj-h1tR&M}|-9zAZG(Bt+4b|v17=2=_NeC9Q*xBYD>DE_>oJl6UUyvM(MZ=hyx&{}Q*UI1qHX#0h&QR89O3GbUC|Jczk? z2urXM&&Eh1c?c%p1y}`3v07qm{W1Li^HG>ManZQyn2I&f^SUOQ-_%Ns?f=@?CZSH^ z|IH)nCDu)}->;Y0fcbiS>!Zh)nDT~+jfg$Y$DqfVnDWMn#}a$Iv01mWCW%d1p2rud zZ%`;3blm@k>A3$7(=q-}{ot~8i6^qWwq++I zw#QCr?EXZS-y!j2;=;#B4Hr-j&h;_3%h zguEk+%O)k#9}_2I$#dNQV-HNlt(2#s{YyIfJJuQKIA11?WBf7;yE1(?I-Z?_j$`Md zxy?g z&-;Hkj<_4zPjyd>^;12F?Pt%${;VhYOvA7E{P~HD=U`9VjJ?qDoZcAkXA(ZAybt@+ zcK<@O-S3OG`~5iIS|)J+k1guVa4Er;k&oeF|o*%h1k>ys4@Virtd?k!oLH|#E zIS#-(@d})XS2BI;gdJnAA|Ao`)YbS9@TnFaSlPNckz6br>6!dfVqMy4D{oMWNbFv4} z=XF!j=V%Y2&k-L&pNBn+>&qW;eaV|1)zF_{$d4c6{PH=`<1D{2`b6UN#8`fev##8 zpT3Ufr*EM7>6>VN`WBj>E=AjqWoUl-HkzL>^%*yV3k`58G2E!u>y*AMT^v z_w@IpdD(%mU;a(}kM(fBA^YiI;vr(!6PZsWsS=l9l_ZaEf`;uv^0KN))skX)8HT*< zsHE8TRY$k42HIcOMEmPnXg^(>>CMaPpn2KRNwK`3E^)a3N86YBX#3It&C43%hkXC; z7^d$UX_VBM*zpT>KOT$j$0q20Y>Mv3X1JNSIc~=m=(tKt+(ur~3LQ^64jo5ojgD8f zLC1aCqT`+9D`8xq9orG^|C8eP|LFfvpNKwh?||#eJ0`{2pH3R~8;0lUomqc>uli)> z`zh;l3fdl@niPAUej55by$j_YFFqHZmnRX|r#uR6X^em z=QCYToXqEX;fst*^u`w`zW`stKDZb!#78-Peen(Aez*cJ!uRoF`~*vJi}(NNIKU-n zJ9{bG&R&MLvzMdo>;SZ#y#j4#uSDC~tI&4#YP6jlh_cZD+4T+u6Zr zJ9|Ca&JID_*`a7VI}B}SZ@^*YHzwT_uEXIP&L^auy*cR?%14!t&`^${oxK%pXKzc2 ze>`sH zImI35^Ta#xi2MJfCpiyoXE5ObK6f|gKllHk+;*69+Mj!prZAoD4|@NfbRV(x7~1Lk znU4Gaq^Z=0`+v&)eccB!-2Y>^|3};DN6>cqQM8?&hTQ+VT<`xi?627Jr-$`%`NW}} zo`JSwGx?m?-7NIFn~f>>6zkC>f&QPkJMq)lfBD>`XTtW-{}T_O{8_vTZLimr%}bge zZ#OYvV;TK_e0dAv%X#Ybm;2%i`PhHgO&H$8vQ0R$y;@2m3F7H|f3jc4FAh zmFRZ9kJsP_I0Qe$y|cOh#~X=1#zqwzl0LzqGdCoy!V$|iB(28LxCYB`E#85j;#If~ zhrYHUX+7RU{29xy65;-z*#D8;i2phM&-xcdzDW9#*l}ugeEuuSTQU9D*fR1>(zo$? 
zb$tFi%3DzXJvNVQN;=~HG_?DhIS#h_TjK5hkC@5+`zf^dKgZkqUyi(PLi_w1*OmF^ zRz6=D{XOZAc>9dB&)bszjJMBNy%YQAFEqd0j^>enqwUfTv|ZYXwoCt@?b0r^UD}Pd zOMB3EX)oF??L*t8{b;*%0Bx84McbwS(01t{+AbYJ+oejhU5X^f+NA`vU8;h%OI2}L zd9~!~$>s+~X}F${cBw{kEy_og*VIssp#I{Ry(RQgG+Ah^c+oc9L zt-N6}?GM-OF&gHFTu+UYk4=u{AsDWwCdskuw<&u4Hbbwc=IHg*0==GEGQHPREA)Cg zE;)8RwI=p@YJ*-+ZPDxLc=UQ|hn~;vvHfz!|Iz;^KAazPNRG7ng?6wbwxZs4b1B<# z63g}c=}fuzJ157dJ0(8dskpxUw6L9}(Jn`BXE=|N*bkmZ$;_uRnv$HF9P8(i^C&Gj zJvr9TV|dRj13iy2(cfjsLi^op?9F{?4*FhJE_#0Dq32gVdVUq4=T{+meifnTS222i zm7wR>>FD`&26}#-iJo6)q374x==s$ZJ-^OD&#!Li`PCim_j;h`*SYBVbsi2YKR>xw zIKO&oIPS>#)jPRQIKM8?P>$jJx)43T`o_<%e#D+%7oq3Z#pwA}ik@Hnaa#E$@$>7_ zBlkP~(&fn`*}wK*NWXMNi0zk%slO`uYU=GbkotkigNUui&~IJCbd{CYCSOOr{T7CP zYcSexU61x#L(qO}DB5ogL;I~8a7Oe-m&^G-T*LOd{3?-~lSfeRxGWOil6)(1jal6P zhxNNHtgq|G^r2rHgQ z*mhMLEkE3^-I07}{5r&N9ZrZZ@2>drCZgBj-RN~V3B3*{Gria0J?M2fh2_|<-An9s zcprKl-j7~~51`lKRCN6x#C+aMc?ezqhtc(a1YQ3}(eo6zT+KcN2~xEbw_x8OGX5q*}>)&Ymx&v)bccSg- zKWKZp3vEw#qwVP)v_0L6wx|2h_H;iED?gC@UuaMN)zFS0?dief%Fv!3(ol|}J&mNq z+S7!TSbtrG*mkrk+KyI3+tH(NT6y&pjyLU84Gr`0JXytYuay#ej#wLgj#vkMj(9Zs z9I-C?eqKHF{k;0<`*{t}_wyQ}@8=zZzMt0!eLt@;dLMEu`uwp8#_vBkZ=0pG;CJMI zh%{Hu+ePD$@|G#bQNAhCN<%qP-a4f%Xy=j z^6w(uHIyUe=cb%b`L~htG?XLdJyUv9zBbZJLpf4@LCS@cua5Ll%DMliyjNM@l#AIP zeareO`{N=F|CfPHCzh3_TuS|vvP)9>;|e4W|CfQ`|1vJaBmXaB0P}a8?Fw|9?aHu! 
zxc^7T*{%-jGce^E=JQQtkcRb9+tF*8E+KMV%3!ARJVN5@Q-%<`|B(3(OBsqw@D|pq zGuOU;E=IvHe;(+8zD!S<8P1m{mHjSrtU zPieGjg!_N$Czd^(@+|dJ%AQG?iz|>goKHyob1Bb<`uQpILj8Q>XoSyWLVb?^0`&c} z7bve4S(x%7vE!S1Hok;Cqc5kt%I8a?uV^?gkmIu`<+V`0SVK9|-YiLZo#or!U}$gN z;JmA>d^6=O>TPc@v^Pu9=RV8O=RR+v?agwuy;*^_H>Kfs!rx1Im;Wb8Dtj;Gedh0Z zwGutAh$;Udv~Ux)fHmHMwV)FbtqQ@#oF*_`q%{#?E};>mg;l~%5+tf>8fft z|B>Y%m0BxIS6!K|hB94E4bxdav8;A#UFxTl9i3VSS0Hh?PLSo*OFbq`S6`W~VQPag zT|?t=y&%hLlxkivv8=H&U6a&f!*orI!*td!B`;}~8vCBz;kX6!H-BzPx%c6%a1Z(N zad-e*qxo|i>#;5RJ-y@6@5{Br_2uoua!aEpXt>@m^>dI zb33P=oEp1N$B^fqg66rWqIvFVXr9{z{hgXbyqodtB=k9CGJ4;hf=wA`NW~VIhJL>+ z9dBm(3=H@G*pl)1EcAD9veEoD2Yuf!7tM3?&~f^F9L47g(ErIU#3&ZwPt+Hq;|L|_ z|7V|$j-Q`_Te#0U6Hj10&qBxX&qluo*A@L9+&Sp?-@2jSf9sBZ|E&l5{kL<`@4uag z)h6{!Js+!2>6v;F$9H%|uhib*ykh*HxaOn_Qv1YXkng`; zoZ6rAmXk^~lw){*;S%&chfC4tBbTAiM=nR7j|@Pck6eL1AGs2JK5`ZMeB^5M`N%-@ z`N$yj`N%cs^O0-O=Ofpl-`g6DeqZW(^!{K7dVeq!y+0U+-XGk6-XGkE-X9D{?+Wf@o=2b|)_ehBC_lU`}rlmec zy?GW=|9I*X#MWcz7pF5_W#yBpGpM&;#LzF!MDy@jXdXTr?H8Xy`^7nEzxXuHh|YDn z>ic1PK1ltD`ePD4)G%M;h6x|1 z{{QbcuA<(&dNrC?uL+;$`9GRhe;VR-sT-(wzpY32+u``Lc)T%8_j&3U#O}w#eo1Wp z{T226|6l4i>_^WNB>pz_J7V`Uviwb{-{TV89M1b6G#p1HuildSV`?m~#*kP46hA&c z$B)l1Xx{THn)m#M_S0LL-n{yEG_U@H{b63cjoAF>Pc*Oo3(c#yqj~k;=<(iRImde^ zdc6NZkM}P0c<)A!_a5|k??sRIKJ<9+N00XbmfJYt-_-wzJ>I&I_qz{0@g&IKh;8?Kh;K` zKh;6+2aZO+k5dPiv4C`#uha?|C#t&%Azhcb867>D6)3Jp33_KeT&+jbO z*F5WN%FVO7;z075bI{)_=!X6tLU;7{AbQ}{i|GH+_bJZ9g|GAcAJdp`Pjvlyq3hQh zUB3&^_3MMK--YP<^+ngOAG&@Qq3d@swqrh}=zC-R(choA1bu((QZ&!I41J&Da$H|N zAdT&!AG|_Cdw^ja^(yy2q9M_~pYGtxr*HZ8E*6T1nuFC(E z|8IPBNLnm!9Lj#Hj1Eh?AuX0SB6;JDX~WZEc_UUYdWQZV&A)C&^T838b3NRG=7qPS zdEsqn9yk(v;VAU`@}tpw?{@6Oei?&)uYD|@Mm!EXGv6}w{fsD@$Cab+vsK_29FG-v z2b%BQiGDwQ0_*#Gg!_MD-;j5IJajsmhdznsp)=4t zbS74tG&^k;R-ZCEZC;vr=u>HP(qiWUl7~K>Ha8w4dFV4~&&FdU4}H$hh4Tij8_!^ooEH?fvIzJGfr#-;q4;%MhFA5!?T#eM7zdJyQQ|+IPg(W5@%)XFC4>H|+=N z%>yyyft%4ha0{9T{)py*KcRWx&uAX_3-bTJE|)y;Hx1kC^7;M$v_Gg1zyFVZ|9V>} z|1)hnvH8tkXnsS?`u-i(-}UA5p+DM*_DBCP-B{Z1T{seV<0RZe{R6m{cpUxuKD1xn 
zk9#OTfDx|mf3Y_HhsWSSY>kJ|?9O+xiCd(%BzAuy>vLRsD_nwY(miimYdBt* zu&%6a`tj+pd=Epu*N)Gd7qmx@!wG0Ua3Y!ybU^cfj!bX9*9pz{PGbL z`H)5I`H+oo^1e(Cng`^fc|aa|p5)_n;sWf-_niyT_iKu9F6G7O_r6Qe@7tb^eh>Bx zTuA+y_&T12zE62JzDwK{*Wx+o_lCQn-y80ZzHiwB$1H9st+yeQH?{SspHVD&wrODS&^ zq5sF0k;~Hu#Ou}fgsz~x1@%{A^T<`{|2Kaels+)sd~Z zd>M?MFT|7&Ngqn=d4uGS!_seHd7dXo{f+6v<1se7dD%_rHxqk)AfFqNPF@%CLOi}Z z<+r9sj_--LVLu#+{c#iyz|lAmZ^yxCK9h}OnQuuf4&!HK>9Oa_QGB2Lr5sbJufTL1 zkB*PsfxfqYC;FcL1U!o4dKV5MX8vJ*ceB3cg_9^ZFPx0#WA~tW;1o13yBE#N?!(1+ zKfa6)pwGFdqQAHGAf7pk{vY3={9!b&d;}fOdlXxe?@YrHoDYxTjg&u*J~w{?-LC2A zc0Gx1*9>&KW}@3Q3*D~S=ypAY8;R$jzZ>>6`nzLuaT7j+jw?Qkjwe2c=9BaAT%3>Q zv(IB6T!5wc0-7H$#DVxCy8m9n_2n<8vma@vUeVA_dE6G1FB-Rq^U*wXaeD0cw_d}> zd~ONH)4cTc^jKc{2AY??NqKnx599eLzxS{#ed5Kj>jZhezdU_KdMpn`p6|bt{%(3K z55@31O7Ee+le7~3-67V8cJ_nxpPAl%80lv}3bFkxG4-FMucF>|7^z>KzJ}O(4E^w0 zrmL*{G<_ZQ_QM$Z;q_=gyaDZpKSTTBjc7moIoc0@fit3Cx?K96?k?E#>)th_|HwNbL9mvK>E#?Q%PqZ@AunL9h2; zna=j~H|9SivNip8V%r~G$9w#L;7iPR8@`Eu;tKo=Kfvv{8vn)(xC2Mfe(%IW{0HBr zz1oFeQNJ7goq#=9m-BZoo<;t+5B=W2esnzN05+liUu=v2;hNd>|9BGdp|D+%jLNXR zk&G%Ck!byd1P$$^alM498P(#kHe`xmL+fE*f_NPtI{c^#G(JkR*%#FqvJ0bX#bpv{+>w|&Ywa5kNyru4*I+{7fYzm!z|3l%gG-K z(DSJf{oRS8`2H@&Hj$Ey(<%3QQGa*h4D@#=&cu3m(f_00t2i6|zC~B`_d3qOO>Ad3 z+=|_?JLNsl=f>xvzu$2l`a3G;qrW546a77vUg)?|Z*=_Vf()<23p4s)73|0Q)lcZF zVf~EjC0vwoaXeQ0`BKX5=lf&J$R!z<#_QF7{xZt#=P$?RkpUT3#OrkgpT82#SFXal z@M?Sr2cr4VAe@KS;9|TMJ&wyQR>Y^Ho^hxLuK%VZS5WGcn^XOhWP! z>hIQ2k0BqJoDpetC+EREI1#7dWV{#e!~5{a{NVwXYyL2ma`T4=(fr{dG=F#)%^w~? 
z^M^;#-{YKyjvGCO<;?eS{D|@=(B)4@m;WTX{2A!-XX0w6n}znvv(fzFDfD+X=b-)i z)9859Tyz}i8T5Z1pGEuo=g|Is9@^i}NBjHd(SCjbx}7iJ`tpStv3~wVJ>1WS=Zi0A z#KwtUVLwzxU(HyQ5$m6kaiYZ;uVuvgXAI*AOVDwI*U@pJH_-Ri-b8=r@h$ZE<5Kkb z<1+O5ae1(pWe2tEee1ndUe2b2ce20#Ye2_6jhJ;vfg z8I|$t7s<;anNDwB=5zzz;{G4~pRuZ$w!76bkD}iE2bsQlW{vpt81lH9OjlW1E3-EB z=5ZMExH@PacQl&E)kX8TdT1V3AI;+$;EZTP*MmIn7!CUeY400nHl^M??pWsEF482# z_Dhsg-z>8^^}ZjC#4R#g64#hT{~zL3nQe&uzqI4x)3rwbua9!3Z=2aJ?5E>3>?fqW zedYlc` zb>efFZ;ga*ncaz9j+#IAK>NpYapm~)Gta}J73XL6WIx(JVnQF*^YFM*Z(_%lE5ELX>oEk*4@ z$h!~z) zyN2rt$PK=Xj{Xx?!L)0>~)iRR}M*dFuqyNJz0 zCZhTI-DrM33C+(ZqxtzgXnsBg&Cl;e^YiBKY9@u^wp@5s$&KD85` z%A7;&eDq%O(x-6))6d24@frLLpT!;c9QvGd9_}uGK65@^Uh#b90`}j2+HDNKFZTkP zZ!bji$QRLk^(B^TzWOq@jJ%ThD&;O;%~uyuZoax0n@3*DToSKW$KhT_$I0HHzE;AU znQz7Gk?VYE=CXLKUgvM4*ZFevI$wca=kK7`@w@2t{T_OruVg+o65h}JfY|jy&gTy^ zKZ?id|4n|3=Fgv?`SU6?e_oB|&uh@Uc`ceZe~PvX>u}}x4Vmk4XvK!i&)9Fa3mDo3 z$Kh(RpAV0Re8KV^5BZY%s+50~8L4?a_iJBM-kJUM4dwB1kC0b=ml?~ezGuFb(M_2@ zWXAF;B(K_>xg|4}S7CTQ^&|Q{Sr{M`UTCSens=B-_U$%D;|22`+xNJssBLp zrfv8+<0pTj-y8S~{ocTKG>`ck&0}_;dCX2UkNF49V|Jl=%x*M~*@NaWd(k{*ADYMP zNAs8iXdd$~n#cTy<}nA+JmwIZ$5f(uOe8Co$0VS6OcfkfUN!5eEZdK28rlyekExzj zlk!pJH8hlC$YW}uc}(rBSRPY{*gWQFG>@r^<}vlqJf=QQD{qix9y~SLP{aH%ycg6c zEB5_?#_0D3jzzyW&;Xr6Ntn&)&z^PH2>Jm(ZN z&p8!mL{D?MY;PA0+w1bHM3S$DPjFwAL>Kv7oAiM@`_pgtjT zX4YA(hy4!{pPki}*!4u_+b!!HT!KBq`O{s)b|U@Hxmo9B#rhu%{m=RF?duuezFuhm z(;Mx7E~ z$NS@3Dfj;PHuU~@Bzk{53cWubjou&Mj*efCLC3GhqW8t)&~f%MbpBEF{<$2z&#gf3 zbI0TQ@;kzHS{l9c$m=w;t9Nl7`@OG;tXF09?yN~!v33<{S0`uPlND=MG2E|CLGM@Z zMc;e954~@_A8kh;K;L7Xii=pU2k{Mj2;ats(RTF_^gY%`(f3%V;j*W=|3}|neH{J$ z$|unK*6HYb2Tv;HGtm3rndtrNEDXQ@kKUg?g|^Rg(DwOhw0)k7w$IO??enu}`}`c* zKF>qj=lN*+{5;w|FF@Pp7tr>3A=*B_h_=r!q3!d_X#4yM+CIOE-e)dC+vmkNto*gC z*TeO-M8oxkw9jv3y%pN$H#L-FXrGs&?ensD`}{Vs?elW9eO`gK&+nk^^Sd~${JnVl zyz^>=;we7Np^M6dgwm@bd=>SyLtE#a4}Ux}TMj^lj%4b3OF;`7A6hxu*G z`Xel7Th?EEu4=-c8a`)SC1HD(?XvSZ+&=H1-u8JX+CKjiK2QITw$HmmyeDfv^={YR zuwDB??0gQF9|-0DX8jjmo_e2iFns<{Rwc39eb`8LtbI?&c0W|fu9_V?u1H)h`zT`f 
z3$k7{va90~td(tkP*cNxN5}uO>tx5r|A{xU|BmMKwxe~?{aFufKkK9IX9Kj|Y{>Ls z{2y)K8)e7Z_r}DwqsL+x|Hm-?kGAj4FpU3W82`sG{*Ph&A01~t4jpH1jULZ7%)eSf z+w9|s-GA!wY=<7t_UL<)Cxq=eF}oviUq06XeQ(lu0Cr+NcSTOh?o8}_)cb{#(ed|F za02r^70uI6L+>}bp!s@Y*w4w?NmwP4oSn-2swSjpn4fW#gtYAc`y4tmJ0shEB{Msl z{pbG8LiaB*Wi~W;xY0blL4_H`=dVfc9&B(0=Vgv|sCsK6mYhj@w>@TgbaFM(1CO&c8qUzetzh`tnP&%{NP< zmuWa}F+5)#z;<~*aRuAubJHucWAF7{MeOs{tFvRzR|lfcR|ipk{vgD^n*jPhi1q6K@9!iFti`M0e$c8M)du);pq71P3Ze;H>2;bjX>XDy9IrJ z?N;>twcD`Tq*2);vHFxz+2vf9!z)H--yXj%k@wfeWRH!<$op&KvdiKz^8Q-X&xQSg zyuVhFeFx<&Cym!oj^X{aJJI*~CZO;0-G%n66Vdni?nd9|n}oj4HyIsQz6X7uZwmT8 z-@WMjeD|U6^WBfW&-VcOKHpSyT>3#=N&FDnFF%a-=Z~QGWsjo$^fa`eehlrWA4mJ? zC(wR+I@(V^iT2Yo(0+O*+E33y`{~(eKm8QiPtQU7>8H_tdM?^eKZEwu&!YYGb7((3 z5ACPtTe!rFdCFh_0G|~?*3$gt$aY8fNrRA81D?&T;PWHP@ zZ+nkS|6cY=VyDN@Z@=TQEZWBi6*9!g~Fj{R?p$Vs*d$8jpX& z2E<$O1pFOO!9T+1wq^fGd~dWJmT+Vz*PDD18DpHFVowf{)hIb2U(8yONWSU?<>*%G?EkRPZQAov^MYG{9Y6xyFwNAIUaL89~~cSgdT^+=y5m}-Oo+X{ofQl9?j7G-W=WUEztei65Zde(EWd0j{CWF zP8(wPvrgu{x3-keh#a5O&goch^?w@LqsJlk+_po`i8=O<9dbJ5#Ll;l==nxW`AIn^ z6MGywqsM`m@>6n7CH8nA{q1QvU6`-?AE{5wNs7nFbjdj>l!y2Kv1M6WPHLDgEyw=U z_0dV}$HVu7nK`lhwk+(wi2fgcr9KDkFLTl7j)$kuXF2w>1(bXLScvPWFT!)M7&l@G zdf#|Ddf#{k`rgx-Xn%YbHhrG)fAoI~yQ24x=b-D+4PB4!=z8=(?{e55bxoSUj`z}J?>%SP+mzUAMfd{xzkmzT|J`^Ix3E1gq5tRiGWvghub}_u_bQtAEJB}?FGin} zzlJ^^UxGd#e;xbb8|e24-bC}Hx6u4(DViTGL-V7z(fnvRnjft|^P_jr{ODaYKY9<% zk5;1j(feqA^Z}Y5eTe2qAEEit$7p`^37Q|RLi3~5XnwQ?&5zdNu<}oH)^nbeM%QUL zPmtrbA!j4yqsl+iP>vx#`W(%VzQ~E?M_&?~AAN=9M_;4)(Kl#*^es*+|1Pu#Q={J> z*&dJ|{gAVt>(=}T$#=Gd*nEeW`k!)srrtaQssAPCS7PfiP|5a7N>#!=mfz|L` zJPKD~b@clJHPHU3Ci;B07Wy2gHm)3hbZ#9ST5)u4-Q3u791QPo*F)dmu8+RI-5@s- zO-N{%YrbRu8_Rnd z^EdA~j@W*;HJbOdLB|o=qIu8pXkOC}&1>4DdCdvvemoIW=o>zoZ_x$}^d7s|fu+wv3#e+m&+jDfKz!Ih41cz8f}=bkFS(uUGS`bJ6qWJoIIAMbEp-SigjX%X0@1yMNU04aD-jt8%Z*H9xy5cOdieyt^7b?}#ZMlzT0) z=ifEx`A1Cob-9CyJr9w5@A}*!%-8b{sUMm}D<>q@jxNLat&6K;mo6zME zGoKN;BZ*z!E%EwW(dFJ2pN@LYpHaD^!}Rq3*s^R)?(LX_N9K>dPd<+AHxDY~bLKzM 
z+*tloj^;lVxsmYw#qrc1ng86G8_Rztu-wY%UAYr;WBCt~|J6-xz1ih`{$R?{`qCJe|`n+pI=4$=S67$ zycq4DUqk!nC20TrI@&+Kf%eaDqW$w*X#czv?Vp#S{qx&s|GXUSpI4y$^E+t&{4VnQ z|GDq89sK^khV4N5=MQo}qMYCV*HDh3fBqQlpFhcs_0Ow_?Vnep{qq{Me_o6B&z~Z{ z|DS8V&hP(gn4kH&zkmN3=bz)^8_{v`&vWe$>HpDj@h{`&=U2ph|1b9&&O`fiB>pz{ zJ7W7s&}+I)L66{fn;mf9QSDL0n&cDD3CbXyuXnIXuTp$ctUqRr0*9 ztL9b9i(S{qb$wJ`^}N`1jbZ$<20DIO6TSXwq1Rt+^!lrVUVlfU*I!-q`m2XtfA!Jp zuK`w@bWC1DtUl$KycT(0e~t1Q=f#c-a{V2f*CZYz*I(1TX7L!g{+j!_a2%2AuVvnG zl((GJN<%q@>#sFBe%S_Xm)fH3((!1!)DCTz+N15#323`?BHAu>K-;B`XuH%2ZI@0$ z+ojHEyL2-8T=Nw4zU5Tx!*Mh35a+X#Ssr=Kr~9`;v#YFZpQuQh>HEg=qUygtjlmX!}xvwlAln?aLWx z`*J4QzMO@&FK46eOINggIR|ZDx}oh$ceH)!fwnK_qV3Ch$nXE=_2M{{Mtf>FPDuOG zJFgGrqslMPP>!K}xe#q%`sT&jmwv>yFBhTh%f)E>Qi`@O{gL1Q&5N}!mui?F(mq_C zH;(h$_5#W8uL!aEJu&rHq_`Tt-v|Gys1 z|A(OY|4=mlABN`tHz2?N>vC!ThHF?qm(TD2=G{uYelhAx?GMaDQ!}^n9=G{wdzJ;vM{dxC=^}IiC zD)p6-2Q=i9#)l#g=6OHh_Nx8C!_?a!Jc9NIkA~0F|D*lEV5%Ha*17 z=WzLqP(CwnR(yHtd!e(@=cP}D`OL|iOYDAq8r`pl<7eXWvthdD^5zk{pAS2q*u3d^ z>JuUh@?K#7c%C8g!n_xWJr2lryqxzEF2PsB_3(;@^8gtKUX-^uFLpnK;eO~fK5w45 z1U-JQqxs<*XkPdxnuor{^xh9GMem1}vEAMey-jRhx*WY9T7ljVy@TEly^D?mzlYu* ztVHh@-bcrQKS1x7K1A=AK0@!8K1R=@PjD39FJ6UvXVd@V4!&Q$2F>f&qIvzN==Ye` z;V$aeVo*^XXEf8)yWJM(tn(2AXT|8U&AjxbzDyU^=sH+miIVSU)6 zdHaaN{W5yrvOk#<_*T}C)?D>V z^LysU@=6SOWiK?Z?2QM>pDsXu2fPnfXZ{zWp^V7@F-%-3A&Cdql_vCF?;4r4U5_@o5uEP23=d01*zZrY&H`3^Ksz7x%pC!l%qU1**>5zUkDM)TxJXr4S7&6Dpz^W-ULo_sHw zC*OzWyZ57c@dIdHJQdB0A4K!nhtNFsVKk3@1kGa~Mf2EcXde3*n#Vql=CMzpdF*sF zk9`u&V`rdw>`XL|orUJHv(Y^EDKw9rgXXbMqj~IHG>?4-&10X%Vdc-|&u2fDM(1hR zk4PT-eEtiRk1AiFp&UaVyAaJ|U(Ao?u`dyu$G(i_v9F+c?5k)Vy9lS1FAmq~)aYwR zUZ+Pr!})1@=I^k-ksoRJ6!Dwr|7gC2PvBCFzYiTf7dk{OY|nacM}N=cZ?u2kf%fk^S>A!jKl!_e?cb60 z-IKpNY{#Dbebn!d?A5S7#`_}s^Y@L7$7r7XFZJfh|Dk#E!SH#;|Is|TGQ^RBss*wA zno!_=trB9l^Kf~!P<~WFb*8gi&5vuK`Etzy_iwF&I>hex+UR~i93LHz>xSv-71Ss8 zI2^VCvHe9u>JuWz6f`P`org%=xZqe~j}x*TO$(af5^P@J_0~+od4lB0Eecu|#PVbe zd2%a0Z=QS{dVE`>`Ai!$pJ|KcF~>8#d2%~6Pj1h4oBy3aY@U1~nkRQa^W=_bp4jZj+d)>cMh6&=i(URJoJ3dXZn951qFq~9#8ds#UeCs 
zEk^U!60FDX1e}g@`1~385}t`m@htoZ&qnj!uITR$or7Oc-VJ>&(j9#s(gXdSf^+dl z>d!;(AI?YbA9|wq553TQyf>QvUx4Q0eK3swqxpYdw!{3tAGVBKRB$onZjYM(mr`#2 z-yfStE-AP)UavlfxD4Af{pIL&H~_s4uRyQEEBV}k$W;Yb6MG!gJbPd`FRv*W6wc>s z3a(?i{gG=mEZ=xvWN^W$<6<#3Ygsn5U`T;^@z8=BINv-UhoR>qG37TF+(hhoIUGGN zi7CIiU<9$}Cz5C1QgAEF@q9$;Zz~uXkCEv{6^y3bJX;z6FStESH>O}L)49D!{ynZB z8rHK+!+ImrR}_?o=_?9Gk8?Z5YpBPNFW*@ZY1M|~Hvv1~U3eyW*+e{YoOBZFV_rR( za`WnY&~eHsn8f*fFZ#a8eb|!u+>g%p0d&4o(fK}z=HCyY`R&8F8XrOP>qpVNc^aBG zKZfSNkK;gm0$s1^xW4?!f<+$77i8c|4KrU4TuAU%;=JZXxuVUE|6_RmkKy@0nkT)9=1Fg%dD2oePg;iNNpGWh z(sDFUT7l+C@1S|oyJ(*D9-1euMDwKg(LCt`G*9{v&67St^Q4c_Jn0iOPg;fMNvm;K z`I>@HL%Y3J!~RF|q;&-wC?8e6UPC#CJn1tuPuf@z%acAQHc$Ej&6B=F^Q5oPJn3tk zR{l*m&Qqh`9(kPUPrfhshvR9UgXA$kgxEZWnEEXRKT>ahgVg_2@H4UX81kH7n69$& z*Mi@uH_yS4=WIpuoZrzr=MOZ`*@oshf1-KLUpOPW-Q|+!{Hn!z|HZHIKiq@|@h3clTd@-D4ZeCFX%`0ja+W#~DkLDG%DK|f;gZAr3Q=Sm1 zTUf6!w%?JseqjS*w-cGqF@+6r2{taYUvH#gzaahkv4u?vWBodYe!VH5w;gSU?w{sp z``H3*KU<>hW-F$*Uq24**IO6H`t>%%wxey)e*Ji~UvG!@>+SIs_R|UI^ZpaDCf9KX zbiAh{o{OFEEv7pOS7K-Mc$|zLk5ka&aVmN|PD77J7xZ`}qQ@f%&!XK(#_;=ptS7(! 
zSC~d@|DztSbhLlWK=X}E^n1ryxVt>3FdHwg$SKTa`}cD_VCbLo(EdFi?cWQ~{pafTrKcnz;99nTkA^li553qi-YyLNWa&}>))dJR^b~N-4=dfJc{ce=o z?st#Z_rUe#=N2*@$M-x9#}`BU+p{p%{`TVYmC@dX7Zk?YU!?u*Q+Q!vto_x!5&D1J zgZ*$fUc~2Z_bx`;y;8K@>yNg3m!R$5rD(f%8QSh$j<$OP(01<%wB5TBZTGH1+r6vN zc5fis?hQiQy=%~R?^?9oyAEyl2BYoX^*F42Na3(>UJuo<-AKE4L*a1BN0r~Gp&UcI zcN5y~-CP)J_eK!g?%jg6d$*$P-fd{RHxj3nj|%&DYIO9G`HO9M4-(7#q)f2OZCQm-6^HUie=9%ECykAuPxF*bjU_z5Dw^bbo&o-`^j{ z_xC69&#wymcXilIzVNfKzc*;u-^l*nSonE-e`DC+ zU+{U`|1Z(=LAqx*Xcy1#!!?@xY0 z?@xY4?@xX~-_QCrtj}+SzZ3g@)>icWEaPEwSnh~ed$^5u@5sFPFV@TUaeKUd{2LvY z-GPqF?nK{*{s(;@dKWrQyBp1)_n>+2UNrCBhvvQe(Y*Hnn)m*TF84oNUw$yO3#HLR zN45(Ibvd4qB9BKx(Q!qwgBX%4CiJKR-BzF9v1v>sf%yzX3+u{21`Eb6pM$eZvOy~8~7C&YCj>j*s9e#)H z!+cLDI+1u4vAQ2R#N&?mBXK7@;YIp?{EN6Vov^JFcVudzbtHz+1Lql@HEUt ze-}8SF5~#y4k7X7MFWUEKalmfvgit2 zf>(3?l}4}9HlBY-J2bFpP*JR%#n2926F;x6jh|Q7q3zIMv>m!0ZHI<1z3tCX_M7ef zFk;)E8_@RWMzsAIjErbO==nJkJ&#AB=kaLtJiZ-0 zPsgC=?^yJF9fzK;W$5|Jk0o=ymKRkJd%mje!+7+(y#qaO??jKo1oZs9%W|B^=ZhkD z7fmAe^XfRwWXc_}!Li6**==Jp)t{ne*(Gnb5@p{o4oM%2a)?Q_A7A@oa z?OXPia{eyW@V{?J{o6(Fg!<)5{R)j%<2WJp?-sou>fcl9S8Dj5H{^fWJ}CN_`YB}} z6@7>+kU0F$8&dyC(V9@dx@c9XUu_)qIzsB#7OfBU>xw=N_3MnI<}VojFL49Mc;+;Z#9%7{nhtHn^?a66^8!m z2aa!L<>sO-)Z1TS=&yc6|1a?;^#2lnM*FK@(EjRIw7>d|&sQa%+KT?4=YlT?@p&p|*us-zg&03ZnDmqx?c;TUpOFWm(jajeOOjlXirnoKj9&ZfC`*<`zX@}+~?a||X0(!hpM2~j|oDuElayd?&H0=&KU0XVR}s2i#prsKpzFnb z1^e}k;{Ghh{f_L{vqJ2CC8oY>@j2AH-AH}6;_k%OW7zLK!hS!u_`LXj$FSeeNB4VA zbiemP_j_-2zh8jv_dYlydZEi@zxUO!-(7x{$VJ5$Q$L3B6J&i#!}_^C)Q97633?nZ zWx9vi&dYE*9=?AZKx{s81)7gs8RpCVKbntR9pZt-gQ#~ohrNc_{NmcM-0O-5vmEym zvL4qL4_|D?k_zQ;rCz^o%Kha(2xXVOz+~sa`++`9v?lKu2cew{0cbS5YyWES8yWEG4 zyWEeCyF7r7yG%vLT^>ZoT^>TmT^>fqT^>QlT^>cpU8bSqE{~z(E|24|@+XR)4EuSy zhW(6;yUZw_Mfs@mnHtJ5jJwQ6$6cN(j*Yv_A$Hv5X>{CWE;{b=3_9-eEKVzbu9*8` z&dYfk=7&e!%lU*)3K273LxiC#Z%q1Vq+oDp5-a#_!}HLR!0uM$~N{0{Y=*U0+3 z8`jVDp*~zcE79xceWn{ally=CkMH?@$ol*p;r<`Dr84g6_>+tiieqR=U5vKdH_$!w8C(F}qc=&q$hUvYY zzeTU-@51!l|D)IQrV#&7yqS8p`>rQ};$Ml~FUWki7XOAz 
z@Q-kw{jOoZBG>b_;y>fpGluK=ulWAl9^apTqu28e^m^WjUeEt9z1QLs2pHA-p`dwgo5$H%x1^|jICREOyp_b)j*OkcO8UPUy%BiC9UEy zl5ZSW(mK9eWVvli+Jx!amXKG3^}#v~Bi#R&MC!DSv@bcKBvQ8uG1loAIkCj+d&{B@ zB^^s*#}`}gSkTGxwi~(sz;>UPcP@E+Y^3$Vmrf48{Lam{rY-&lQUe!oiNd}+)Y*D&~dZauvtk;eOSz$en zjjc!c-05L?xg~k=>G6p2f|9~`IWnK3l9Dk0Vh!`h!_(KR9@#OL^$FwqXO=|xzW-Sz zU77yX7tYo&J@PvO=ah7(d{lWi4dvJ>aaNC#^C;i3;9PCHj`c*I|DIpcH54tg9|Qn`Y>N)dHqT*3)5dza&i3g$mdH-E{T7>fBf^reEw3W z51+?Y2Ohk<K*n5&i$0;pqS2+=N?@{T{{#M-Z7>T|YItn-8Xl#eKV+S0AK1Uymr{XxSpQZF)W$1WhlyaZfl!xgn zO737ihgXdMe^lLdoE7C8_wiX`DUp;~NYn)p8eO>Yp7K38qasJU?T~h3 zBFEBB+rgKp?SPo?ah%%Q=V0ZQ%fE`8fV*%K_34=trPU+rZF1yPE1x2*94oh4J}vTV z`<&^KGu_Xb;eHM=pEFDK)*jg|W=GDo_H(3d$H@Nynisj)%I8Nepj_KAGXLL1=D5>c z=uVfI=`K=xn=bNyjFv>MwDwCQm%06s{<)Fgy8V~C{fX(nLhY?TvOTPd+-U7rN3L=E zBmLJ#u6O&dbNdt1e}mdve`Nh^iriuCzl+@L_DA|}iQMM)-|F@!rvG-exBkd}v@>$I zwcjOe`H}0{dm{H+`Ce(|`%uTJ@3A8OfK`xs=Ho!*A!~n7+V+7g-{Ht3R{o>3a%B5I z5qT7k;W0dk$MFoFvi2vXwMV|cvyrE<+N86QXK>TP9PzZ!W34-)@w{eF|SzhmVSQ?5ncu=4BD%8}3c zBl0gR|5H}qxQP5uxvuB`jl=OKw!nW-?>qY!b)WYw)celtFoXCmwq`tV z4lpnp2o|FIo$Db#yoO5>|o24Bar*kmmEANBuZ%VB4(^OncA zi7Vi0KCdEnC9Z_sF#+s@(o zKkEOFJ&DUHZ-Rx1o8n61X1E5MqkivcfjzM$>i40iP`?j7jrx7473%k)XHf6Udlvg* zYt;Qz&*2bkgJbb|oPd!y8KdxPj7I&Rl^9%v9#o$4;x_c5o_p})UJRh}S1ew{IJ|=K zcnuR!&&4KU3?||JVaZV`QBL{tTqi>I`_!m3H%9jN_EBx|7`DTc_yV567u|Nq?_C|D z$eWyBza;HAg`xNVM7i((q5YtR9iv_+-s`+3?K+bzG3bs14k_!~s5fBNhFIfJklb*K&;WC_vD{vC7#>u!Ir{H%u74?63 zr{PJQjyGBFGf?j{p2>3O1!qNl?XExMI>_v(Iqv#Hdp=?=>iLLysOKZ*qn?jgfVwa6 z8`Sd=3sKKUN7M17^-A z|Er$k-vQL~H3w1eaXO@OJdCmUBPQVy)O!?;Vq4;4_%a^HH}C{rXF4ZQ&)=Lvy>I$7 zzDxZX?1n#KPy87_#k1HOe?dJzbPltK&to=Tz(bT@#396&a3ub!dY1DtjwQaLdg7}% zk@z>%b1c8(1^QpZ5!7GDY1H4qukjC@kALD~{0ryN{%>4Hd=ppUKe!(MMZHh!7CuE@ z`42Z!ejB5R@8AyNyQuqB@8Le;JX}75{2$H!#Ci|I1C-~(!V0ReuqW&F8Pxs6&*DGW z8o#F9bGQ)O;4*w3^?tNST+j9qg{vu##)5nwF&Ks(EQ((Ij(Q&+XS#meN*ur)7>oLU z@^PsD7Z#8DfAR^KpWks4aX0Ofa6cyFF!s|F)c?&$MZKpj4Nnrc#k1HBFX0P#72D%q z_#)oM4j94wy@dJ5Q!is4<*#5t?zeswi(*GCj;~=Ud>!?i-y3+E<>`cH@l7mCeP^tY 
z`&RVZ(asZ&^L8|QPPr$CO9s_L5ePk^NmeUGe>(%K`x zD~yRAjcw+Pi5_e9UrMXT@GiOIqQ|S8?*qd>$(;~Ak@$<;ucWoZ@L=ww=qZ%<&z&r- z9K#3aPK};P`H0+U(bL^>tU5M#hRUrShEK|!6+PS9eJ!mV!>8rWiJnLKtlYWM$}xOF z?)>O)C|{bpKw3G5ugYB*y@>J+xjE9xF}%>E+~~zvZh3C>5{$s5SPhq9P5hRATXL66 z>xbbxb5}&KqI_TON@?ZD|4mpOy^it&xoe`=y5(5)DC>!Gey7+Fy&j!O8=^N+ekymP zwEoDr?Yroml;2pmIeJTU=zJZCw?=O#)^(U|sOvDqTnE^p_SPR6|Luz2Z|!$S?{WJh z{r5(H@Alv4_9v$Q4{C4yk>lEd=wsIYVDurkKhpnj^bxoJk8Xcr`X5z$>yP29W*m<` zY3)zQ>OZsG7=AAIbo41aKJ;|-PgZ|M+Vu$J`HP>Uf3fnj($4RZ^>IG>99A8AKKi27 zUyz~mf66-z{x$j%))@M0^cAbWEUg|HkNz8d72D%)n2Nt+B3{D)UdI@`fo<>)Y=wVf zGyDr1_X6Y30cC%>`o$U_mTo_2JU$k@wXUi7AXFmlugCX7xp-)g$Y*WXuDYhs81f@{%zR zVj(Pn#jv#XD<$nZ2(tf|iFwG%%gXBG7m@!dFEX@zOgSuw6|KI4wCf}oeuMA366!hP z2-I`Ll~KQSiwqY{m!Fb2z^Cnj`0=q2t-?86VxkG(K}=@^R{7>9i^9tU9p4#h+q zg-JLTlW`)Z;1o>7nV1&i^shyJYD@eW^VJUZ{L~BB7~5lWd=Xn=2ke#ka?DFub?D16 zukiiqx&pG_c8qxyYYgoe^O{?Z?62KoUdQ(M2Bu;sOvE=afSoZ0-@-QdHnzfduo=FK zjj;>X$F5ix-@`iC-TgeY|EK;w>i6>xP`{t|K>dFHA?o+@o~Yl?KSKR}-V62n`Nyc= z&p$!^e*P)y_w#hr@8_SPen0;l_51l3sNc_fqkcc{gZlkE13O_5_4|1y>i6?3?4H>- zra#+nhhRTx+b^y{sWL?a9T)Jev#jBTWaM$xj zS$gA=%`uyp&QbghkK+#JWAl7Ulzc`4czB&|hjDF<* zm?IqLHU9V!HU1!0{#U(yugLojj>nv|_9vv}A+-M=cMA3Y<4&Xgf7}_&!Jlvm{*3zn zac5EgKkgS?gXeG~p2sbC0e9d<+>MveeXj!7=`P1yjd6lMIaegt;g=I+?MrM%%9jN=dYMswmg5w{NpbFO?UZ;S^j@jZ_AHi=dy3d z{D%>XZ^zuVes`p;2jutodok&r(ESX^eI|}avFI*Q3X#WYhO`T@5DF(xsDp)sZ71Dqaw>)#Z#5#(|sGr za#!@HMLRq*F1u{zoriA{+dTo_t!jzQ-gK2 zJ~@s(E^R)M`z0EBp0M>>-_wxk|Kv1~wtkWNCZ0xC-`LZH`s2=%(&~}=7M`Y7-^|m3 z`ZG>*Y4u2bOHV6ey&vN#>T5VpTde!ARj%hIp0RdOo@a?um$ddo*?N1<^SrI+<$c=N zdS2d#nDrc~dggz5A7uK`o&fz8ERKhm{mB2;&#!u0ZlqtLCzgI~mc)DF zFo22HKS6SRd3hhCU6Lo&rk^aCeu}i~&q#fm=N0Ow3~c9Vi?fiJb}x9^(@wv)BJqo! 
zmx#69bwF)*#4OLtYH#y}Oz&0C8%$^Mz>boBuSwfaUdNM6kC=9yJa5yk;ponuH?aj0 z)BY`K?Nxs+`(4jF7_sEsslU3Yo1}ktY1=DO-_!E}-*1zg9-f|j zf2W-frG39h{YRc&#Gmv1%HDjRA7g*~g!(Y&Q`?WVeY3rV-Oc>W)0^q#y8+E61>l3m1BpQhsA$ zj%P97ySC3osO^)O?Q@Chtv!Z4H!jz+46|}_J*%wWa?c94-?wf*V*0IAz4gPeu$(oX z)z}NyS--W?_9F~CHEq3Tqm^%v+`o{Kj;x1Gp6{q%o4v)Hft!gZ;BITb)w7NE+Ru>X z*zVa$tmW8&S`K37XP4UB{2=*ZuV;@R+@#PmO*_SPT6JcCYo&RP4@o-@`zBOU4gljp4U z&q)8-`e&pQ)BhK>r+-E|vi+R*T($NWJQv;mNdHTo%WnT)-TuV%zoPcmA6dV@d46X) zZTem}cV%DqTqE9u|JZbHc>b{Ia{b@pKRtijbh-X-)8+cVP4}kS+j1e><1Np>Hr-nu z$E*4I&vV0iJbPOR^_AnJQ2 zrhg%|xBeIwKA?#A0c&4W+ICV5OS8QYhvkeZ?k!>U4@&AY(lM-NR!Q$eR$fY4ztX7t zL&~7;4=IbfKZN?Q6{E{}t62N;(%M&W+gEhkS904&pzh16j5?mvp67+Cd#hrt#nrvl zupZX5={+p1eGRugaqx&!%Ug$b(ZSl1_3?Q5q@+9}9m9$)Y3glm<;|p(V_2Cb zExb=zc}r>K7`AWX)81#Syp^j_`DDBN$f%Y2WkHy@l4+9 z&=cq3N7#z`UU)b2V{ba`l;1yL{tIV)s@V2NB)@;*{S5Qr=U5Q?(9f6MTUvfstmPZ| zdFVOIAaOS1i%cAZS*ZJ``=aij?nl2t3;TNquv{mcY-!7de9l1c5Mqr#2T@V=JKZJj zbcvbnGSyqZQ2XWH)z zM%7zCWd6SMZngQ_ESbM8(#8*=@@?K7R=!-~}X zDFeUv?!#F~%=CZo?x&r`6-a!*dx%);`5m+3@1ItGO4=S&P>Th}PSp9#}>TkRC#C-le?_K-+dtS$<>EuakhkQ<$ub@xoIr)A0 zumuv+u7I?5q549;aH}umD`NG9rPU*!Q_NQsS7LFie?Z#t82OwBeWj?sx~PO?`X!|u zmqX>HePyk@jI?rOy5)Qi*>ubKDp-AaY1jQRtOdUpSH#6UA6yA_KUIW%US(euVx2eL zw<@vTPgD(82OsuT$CX&a7rH)-VG9P<^3}u(SlcbfuwUr+28INW4=2C>r2~ikmG4XUt^!n_ZvyeAINhJPx_irevI>P`JU5M z{p@;%)N|F%DX+|RiWV5*wDdh?{WZF|KRc`Z#VOO)Gd|qo8?TfK?UP(KTFLa&OE5jOO`+R=pyE*5L7}Rqr0s7y~ zjP)f@t~?b-zrtDZif#HB_Dpu7FWJ^xk}Mxh|4^LfOR?`S&6kP=oitxN+WWHGO3Po! 
z`hL;(g0*|m*WTK_=zEEFso5Q5`4^d<9JKId->b~mUgs5Qc?&7;=zE>=qt0v6%8~Ln zd~Z^|$LS=k94YVYdzb(G;pxz7cDf3m>N%wuu zdglNCN?Xquws7(nzCKpoTUt5NKEszud2UWnS~+sQ-OrbW8?i60!hy6~mDAss?Y2Yq z-vKJO?FX6OAm1=+H`q7CZHKfQs&Z?GOn;0PZ}WjH*Vn#ptp9A^9Jd_lKi4YH$6K>kO9 z_Q~1p`@#C{@$GZ_?REPR)9-uLTR-G_#{u7d%*r|7J7WC~`VPDO4!Qk^>Gz}Rtsio| zpMrR?co>H_CU<% zo>zPOTnw9$eaUwbC*U>f_p9%+I~`;?SA4&@)4A$ShnVU7uJ$$^^YH!m)w#%aaQr5nh{{go@(!aRB zgxmi?w?8rcORBx~N4DQG{?gc{ZyA3j>sQwQkUJe@I_3No-075er$fwiDyqFr2ZK|c z2!Ca!6CJE#4w+lUU&H!Wl{Ox!hDZ6{tE0aEhf&unsONe{P5&d-zLvE5+HO5@SX@>e ze_gA8R9gLGZap#E*W>;ttiGPKdJHQ%puWGMl{b)9jz zV6xXuJ3g6ze&5uthdd3i{AEkCeF9`ZU0-?ZPMHRcdg$$ z()uCSce?oBv+}Oe%8~0V-TWWe^twxy^L=Uc$aR(;{*SEwLrHy4Y1=EZ{(AX8vGR|l zl_S?d(*2)O-_=R?e{S`kNvp@O_KSM^zra5+!|MA;8($;WNrL_?E6ANcMU5-h;orpT@eXdld|X%Bh!5Zk7p0wFDAxA$E8gLKQkU^T&J(Y&zREaP{l5`weIeib@BVA_(|t(Daq_zV z58`TBH%yfihuzHn&;KVjANZgDFKmT>VDMOkEOx=x)~`+AIgB8Fo_@OSj7-lLh{OO! z;rUEoAR6}&$Ix!jLQlZQ`uX1RO1AIieUSGo_yciPACSR)POP-;ADLcKARfD5f=w?e zkciufQ>|aJ?Ii79kk$^FzYc*HF@P`8PUqK1zn24VSie^S z9qG5nc~x3JWO-gwJ?HhWODjh{_su{j>;GopE!ye(?2P(8iJ9)(fp>}ZeZGVG9*HUM z66i{-&qwCxy+AjntMhuKzI)((H%8ih5a>a<-kT-sWPKR;l=_PcdrI==M}dz6q49Sw z)cBj2aqlOpx9=C3-_HW+HvP{6LF@myr2iLzK5qZsZhvC>XQZz!4^)%GDntHaM8G*0qS0iVpq~9!Q<1=KtogJ9Z_f=C#@aw zeJ=miW9@cH+U=Is4p|?213y^(KFK)gdujDZ|NVhOR)0WJ ze^6RIa{M9xTe~BHA8mR^0>`PpoOvv86gy=dQ*7f3WI0X*P7!N=J&D?1iJ6bnfwRQg zU(dMpKcV*9pWSxUGcGw7_ys#=oeNx`{8r|9Nq_GDqx^2>#lRKH^JQHQTw?te&iYj` z`@v;t?PNs8Z-J}W2ya-w-=!U&uUWtAif#Wv`u!dF1H0g#*6;7YUl>7rlYTlrBlZ6T z{v)oQaVzjIK8lJpen6&kJK)4>Ir9Q{tX*ESLX2ipJFV7nqFBvkoiz7(hMt#3d(QF^)N`tJP|vA8ih92EG1T+Dby5Fs?s3%ro2!R<4*3bx^T72{&pS3i zJulo4^?Yw5)bqWKQP1~2iF&@b3F`UYrl{w8o1vcXZH{`rw*?j${8Vg93?KGX?DMg@ z{`+)ntJu(bLZ0t^CiYo3MxO6&9s8UcBhUA?Q9oO+$n(9CvC))A433gkj`nF zc~H+idr{9j`%uq0`%%v~2T;#9$D*EZjzc})9FKawIRW*2b0X@w*d)~R2Fa-V;Zsoe z!>6L|hfhP@58oDbKYTmX{qQfK?uT!Wx*z^U)cx=sQ1`>Xgt{O8Wz_xfub}RSe-(8< zd`Hy%@UNlnhkqS)Kl~f0`{6sG?uUO9yJvQeeVg^tA^4WG^@7|F|4wWd%F{F7l~#^+ 
zKYUlz{qXO_hVF;&My&hcyQA)he;;)}{0FG};d|hO%nxmQA06!ZzuPuZZ`x*86{Ryf6JoXD>)uWAXd($p2uTN|S^%~!zjc%lWOl+$-GWUWv+Qt5A7tHEP_shW7ehX)XSQ>-cb=R^QR{gJ>b=Q3QSVLO zg<9{sQR{sVYQ678t@nMX_5M9-z5jq(@B5j*?aqPNgTz|zQt!t-gt{-~FrHz%_!0Ge z96@~_M^WF$G5T+Fj>n!L*7qUxp5>GFy_}9cW#7x`*q>-O!8s%Ca}ziw-No1ovC8KcV}E5mYkYADwfzxOemV9kvA&NhsPBVV`9Jn|Vtp@2 ze!UiZo$2a(K6MNv z8>i!I8EMBAWIuQ)u3TJbKS0|L%F|!#zXEFgS46G%N~rZ7fm+{{X|MgD3Ti*78W-9R zsu64bS4Zs!52N;j8mRq%@7u;VwU~~^F}34D=X%^Q! zE;Js&aJ|2z1?v4JEm7}*cnT-;xlf~>OKgR0IKDiCdSC0asP|g5#>&jkbExMF+h7gi z=dlh(qMj3s!u7O|Mm+}@gL&ZvC-7AjxAjT188vF~$q@ZJCY zKH1K@#*OBCQ@+OF7N?tH+wVg0`*9z*F_N!)SbODbwcGR!zyI6*@=;tbrlb7@Y4>s5 zC&X%pme)U}U0z;#+-KA)ucPJl&rx~(3she3jmqnNPHGJi9$Jl=ng>?~p(=e|ZA=VsgV$^WS1++2(2#eGA)*3W!f zKMO3@bnllhwDO#|MYK~nvK|)4Eg{x=yYEtB-Ji59^f_@Wh_xKcQS0$r)Ox&MzS1pU z<(99uerw{^+4@~8?ejwM`nU~lEOmU|NPFJ@ANL*WS=%WRZ;snStnUF??rm{faV74s z{b{?j?E^VJ?~L2!9-q;U&%534Z;$)^?L{4*_o0r@-=mJtKhR#s=l!VT^8w~t|9AB$>i?h}L;c^?w84D<6q-0yRi)8`>CC7=l^k6 z<1GKjU1NEbuYN~u&&1^Y>v4Y&YrWh+trud-|BU;KSnCIMT_Elz)7APw>i>!R*Nt)f zX2;IcdEeK6akt%kfxPeQPTXBLUtoAY=3nQ{%HMhP*LLm1hqmjmcx{io{|B{Q=cioT zM*-q6r(k?|d}#YX;zIF-iM4$o+egv(BDfMCh*$nDCT;sbwvXcR55|Y`H`?}5g8o_` zB~k066ly(`My-c3sO2w9du<;Np|+25@uBUbJh9eC1=RLY5w(3(LTw)r7-V_x=kY4> zPUTNR%WrwT8q-%^uTHtHPdtn<)5-sCyP9|)vsQd4PuG^VJjn9biGP;<+Fy|4@naV2 zcuY+FUiA@ zb-ZqlQ-dw^xg4)sN}E4@em>{v_*T>xnoj<=`FY0XPxC{)t@qZb_5K{~BEKg8V^`MC z{o`IFv9^yW)NwD`rc3@uZ66+sz41Qk^*Q(T6KlH(*yqN^$MHE@PsnKo0r|~ z<`rUXH?N|$n~tdM<~7uI^EzsMynze&-L?~U3~fhty{R+P(f?0-3%_&7|I}X@!}WjS zO~h;;HV)|$9~y6UMUB7SLyeQVVIS;{8fUy89~x(TK&){~57c|GK17Y1dg4p-xc?6| zZt8^^H}N_B^xXO<@uBC~iSIv$Y}?Cc%$K&8&r#dU7p#|oEMIS8ouBn#emBxT12p!A4dk84zcYo{n#I>vL5el!TnQ$H9Za0sg3P*lHR zsOx~k@j&JXcmEpszx$VsgGaNRx-K_{>E{K%j2{~x8V4ie;BoQe<3rTA?>y4k4f zbaPPG>E@!Y)6GL&r<;$uPPYJco$eddb-IOEVDO^&91I_}D1HUodylNe@k`w89l1`o zG=7;IBiHG2PkpJyC^-FwMLg=`K9KX+7 ztm8K^$FYm?m)H(<97F1VjlWE+dbH#F6{eGycQyVu>UDfaJHG#pI=){+9pA5`j_)^6 z`|BU5{q;|r8vIM2%klkhY0HgvUF{#HpU?R>{ub>tenjH`;%^h*WjT=ePW)YB9iNf- 
zUVI+0uBRc(;Uq9UTMnswoDY>3^7A=!nN9&*gavU0hNF%jg)l$cRbecKMQptkODKx@ zoMH*ZS#Rr|2c(UY6t8n0Oi+H&xaoeLDM`KZOes{JDQ*49|EN4u*5Zc}%2BW7yl;6c zuaHoYaxL$DD_MC&LS@Re-1n_w$kqUejA|jRzpsm2gZP(8b|1*R9kF$td zqrTtgP~UGG)c5;5>idnv^~6!Q1EX<2#^5pZpsoXYu_mA6v-K57@Y{M0B*fYGA1m$q zR=m!MPhdP|ap-zlQbJ;a#@hBBs1u!VAP&Ul zeZq@;j@A!S-yz{8H%8jMobU?ex}GK*WxSfu(VcJPy4h<9Z`l03E^Yph>t=5zbh7qu zCg{4^I;XR=dMr^b^m~})$9MP~<-vCoLV2(Y4(Ga0SJZp^-$Ork!^7Ae_1^yX@g#nL zdT)OZ)O(sg!~>Z<6Ue`8XCF!1&d~DX#|feQ_z9nz7yL9KJt34Ik^J~s!siL0{D}7Z z(-&BEDES|IF`s=<@8``xUC#-k-p`wfbukO|e%`*Q_w)9{X4oI~e%@@<`*{bT-p@M_ z^?u$#sQ2>@##9`FdOz<_dm4`;4^3X_B9vX$pL!(i7XbdV3eTm9LV^Mi% z94ZfuN9Cajs66x)Di2LW<)KNaJTw`Vho+$N&{R|&nuf|l(@}Y726oS!neesk-?OBx zcVxZIPMAx1dgdHyg?a=bnM%v}&ZA$o#dgUp!Jhd5>r?#N-)K*lU+J?$g+fjLH2Tl#{)aR3@c1c?= z$b9ax`O@bT+y1=|wSRw4KOJX&z*@}jeyooN?D%mo;Sh0vSZa9=yYY|Mg7}C{|9HYt zYkxf97#4JnTYm9npOAJR-~Bvuihjy7r%`$4jP>LE-}-U>PkA!aJ&SkwetyBq9M{gV zUe-G26D|-dZ((qab1~tP8%yPnUzrZS|0i5w`SiUY@zsRih_(F4=Uz+r9arKF+rF+# zTVF`t_#@#@H*cWjjlbOW_P4vAFH;v;U16}n{9Nqmgmxo^ac#zS@EY ziR2I3+jW~q%CcTKu7{Ocp#Rey<`j19&+}o|&GA5H3;kbj@;V)(FjiLWN={ON_n_KBh8M$VsJOzhys$obPti7&e` za{ly+`q_Fy&YwCazD{|>;Mb&;qn%H_fjXb;ggTFW6LlWh8Fe1{7V13mZPa<>JE-%> zcTwk&T~OzdT~X(e?_o#mhRS>0QF-ruRNnglmG^p}^4^E2yw?+z_dY`9yHx8h zy9ZJE>JTbl9Y*D=A5rV^2<^2Vj}q@<`HtaUJdQdKI)OS5I*B?DIz{_sv_DO(|5JB{ zSnK~M)cXIKau5B_Vm$tW2k{*0dpVCM@Pe(UONke4{a#A^mHzsEq`sd}9=e)%#q!40 z#NSz7<%!==+XFHAcULSabl=?rsQd1UQ(qPzBp$|k zEP(eh3F(Im!p3=6iBxg`|o}p}dCt-cczjA}N&D z(DD=Q?0l&Tv92dprCnaIT2ghlACeCrPO9PdL+e))m8WW<@>Fe9o_Yk8r|O{c)T5|8 z^%yEo)x`pX>m@yo;lt`BHAzyQdLpTQQfR#)d8$EDLpMh9RHLNEZj9uqC)Ll^Gm@v8 zCN-x#VsJBQ^44>xywwJkx1LAk ztw>bfibCbBXw?7dh(V1PJgD)37d1Zcp~eS(JWcxmuAf2vN9DUXRKANx<+}t_zDq>q zyChV;OGf3p6jZ)TMdiCRRK9DA%6IKh`R)Z&zH5)lcQ2yyT?bUYdkK~AUPk4+S5W!x zRqUSGG3j;IYlq-#($*`I@7_pylk)V;PSVQJ@?B?CzI!Vvl<(dqR=#@&mG9m~<-0DZ zeAg8xWWHzn&*)&c|J{E$-oBqSfbCDmUnHOPuvqzwnEIYcA5pL4F;d?v>0@Hmqvg9# zXqT7wX;M1%%6Dk_?lV-r`y7?;zCh)>-l%-n2bJ$KaB489&n4ewN?TsEeAk!h^ZS2N 
ze`4hkWWKU(J~dyov*X)9)bVW)?R0z|%>3y1Is|om9f~^s4x_#_(;05l8JRS~rav-i z6!lA~mrL+|o*P4Z<+(3Wd2Xz=C;y}J+<1#8Bz;A_=I_1}iFN##M17buIcW;>r}d1) zQ4>P5$2PDsZoisZsl;<$)a0b`^-Q}L^F84gt@q9k&c)kF2 z9RG&)%5w`*c`k?LQ=VHytmFD(RGwRc%5zImd2SghkL9BB*m6`J`xdo+S1=u|-<7EK zyNdE5bGiSIc&f7|X)UqtgOhrGavdtatw%p@K;^lO_}WbJKmGLmd`GPOxEXbQZwu=C z+G^`Jah>YV&$E@A)q!aG^BKh!S(kXZT zkalO1PFuS(Ny>+sZ?ydPGkH$`5AUq<9?PrzvX1@t9G|E2uk)1a_pJ-~I_)l^uIpVw zUDx{+bzSc=>bl+))OEe9sOx&aq5e`f45tx{}cEhYB_GBmg5fU{`$LkAoHG^$MgR8IAr-TEIE`P z^Cc@k=1(q=9LlRmek_$`hR2PQP(poU@yLxim2#-i{dgl|U^XvMk-{l&h&Yv5i#u<%JCbxED zWSsGw`q^;~8D~7797TD=;7DoZXyc4%)HovsHO}y$#u;9;`~Okn3_og|5kQSIVo~Fa zIMg^J9yQKLK#emJQR9px)Hovb}OdsQVh*VI|h<3#k9=&>r>w z#a=}He}@jJ|L^b;zJM>I#v!ku#v!kw#vvV1 zIOHwVIOJ{AIOHAFIOJW_IHU_|9MTmv4tWnX4(Wy(hjd4cL*B>knI9y7$a?P(>>+Kv zBinV)NXGS0}dSmO+0>iZ@4r(XFIsn1RxKy2fbvuw=-K69x#Con^GU~YkV#=o`Pb1dvfXMPqx8>FH@p+cFW}@=e zEZU7_y!$my#M!9)JBQ_5?95G`N383@@^0q*UZqa@f>c05Z zsQcpApze!b%X}_!)+Mhe)_4G!kB!M2Y(6$7e@A_evq{==C|>AnPS*JAe}AXlO1;Km z+fd`M?be_CZ_B~&{}%5`-c7x}r~B@)^1aFXDA)IO-|vZaU;huN_f77{8`*SPRHYFv1O^{#Q@AH*8>{D~SD{)HMB{*4+J-b8JW|Dd+Ve^J}xE&4BZ z{!6}1tnW=uXZyH=4YKbh-{W)j-UPJk_Iar5_D)LZx_ubxx_v&>b^H9N>-GikZf3!h z!YQHcIy^<&bs@#J9x&{g>>??}QndbxN_)>jD1I>I0m^yrUrKQ-h$U(7%Pt{pdq?_} zNhxLR%A}OGc4bl?qFrisS!vh#6>B_P4mBPwj~WkGz(XuYMLdO-Q11tcNC~|kq%uZ0 zRZ^-_uJt1IevoRES8~YzSkZYnrG{HCwg1&b-8Whbb>C=h)P19mpzb%VgNs-{kK*5% zbyFV0j#+h69%p`UalFN_kC=~o*c+d~0azcu#0EGY8{)Uv2(_O##;tvuq&$h;vYMnc zWqR7rF>DR<)eNy#M;lLo_}d&>-X7|XKejGoAMm(a-7!E z)`#MSPMZ|Q?-qx~@lh#}DH?Z2rNr?0+Mc6P+cPoco)jOkwrekHyC$aGpAsO}_Kl3= zV^iYz9Bt1?eSAuS8zaA?B&Hw0^HCw(S||*E!`4?1G)FU+0uJ zF@pFl`sq1b8I$pL$~%pxEkjqAT) z`gy_LDSc8x<9cLVpOF$w361N~#&4OZ|I3+$8ZY%ljhFhN#!LNCW9HC~#D z6EbJndL147`hVA}-9J5t?^pS7E-D|+v;B+ne>;AW|0!2K`v#S77TSK8ld_2Qu6%Gb-O~!Kobgw&I6uf7`Gy+sAfPe%XP# zzOd8gYgfu1;&wC1|JVT)cb~=iKkB%=kI${_aQ=@G&JQX3Dc5mX>bQJ>avhfsVnyfB z{~niYKlzdEUC)Id!8e$nqu729`5)gQK8`y7W&5}GCs}^&SEne~`TJ?C&hh*Vj;7sD zsQ(}TGithLQPceeHQjUAnfN?v`WI05=UhacS6@P%m;Z`7FTadBFTa91FTaY~kAFj* 
zpZ|`UziW6P^SZm=-uVBvuZ5Y*`~1oB>ptVZQbO0w|7QI>M8BIUq3i1ZpsuU`OS!hM zTd4bx@9+1w*?x7s`wq*W7rdKt&)x5l{XQ?nNe%7yXy@}`sPp-J*p>B=A9a3S0H0;K z3!<+3hNI473!#s=FvejK)bGDVF@?Ao+W9{^{GZq2sQ+*GAnJNS3DobwB~j3U&N`26g;?7Ipk?jXHimhdO?@K^?!JM;*T-QOEBn z)bTqSb^MM&9lt%Ob_ga)TffNh zJ2^F#^7PCUY2|3g?=;l$yKQRd_}z|J$L|+V$M5#26@MUS! zL%W}z{iL7%zg)*ur(jFg^U>Z;zi)_NCvHOghFgA^`-t|iAHA6x`oCnIaShwwTj<`8 zl{trg@1#1Jv$0>Qj_X}g(T?-T`SN=f>wGy>-#ztx>UG>l>OV;BL9BYT>-rxuoxHrB zsUK0V^J%p6>0YSw>5oz8)1RQur$0rVPp6~Kr$57~!O!)%EdLkMmLJ1vuzY<`=gk>> zPCh4?nnkShsZ7-Q6fw)u*XCRENk7Xo{ZV-)n|3;{8i40HP7Y-G=Q5vzhzoNadN3xD z7lz;i#6z(R4#P?~oaOr38Id}YSjT@1&Z7S)Vmo&V+>BC-$dd8w4a0zvAmN}9YWz9~V!}4o9E|W9nrY>Opw#%3&S-j)i0FP=SX{h8uC2G z;?!l-56f7Zx&${NvArJ+^}I&v3akG%b-C4ltJvO;hE?*DA68-kT*ds23$9LGOS{p* zHPXIsVJ!W4IDeviu!_C!{Suh85@gKZPamG?v0MxIg2k)SpvB z<0-W9)LEvh@zgJ{f9ap z-FA;hcc|C?co(%l-b3w=d8qx-Nek_dVQJbQ^QGk{*8YgLKNcX?{#cM$`(rq<_Qyh~ z{jo6RGn^u6McsbL{#Y#S0XIh5ABz)fe|!-2J5>qFr#dCmN)cb}0R zsQvaK)P7qIwcnPf{}iV}T18^@mpb3AggWnzK%IA2MxA$8L7jJ3MU7jlq0Yanqt3q{ zM(yu4aBJUMX*IE1R;{$!>7o4{IghK8_DGt} zK9eNWcsd#NUZ@m2keQms=deGgN!y>%&THGHg~qop@cDVc_GvGsh0be{@ok5+m(oJx zTeR`*%c$|~D>#Pn)vKuYH+4k4&*?SPxb$_@?^kc2#-*LmPyL&i&U|)8{Z923>UXQR zQNKsMgBlmVi~7B%3ntR9D{B1v9_qQiZm98FcO1lY-bejT^Z};Oz6WX?{2^)_+!Hkp z{s=V=?u8l$e~cOje}WnZe~JYLf0mYx;ln;l%SzKY`17*L1AI5;CM z=*Gx6I8*&>JtO1bzG?j_j~LufS~=P{I2$z%9)KDL4@8ZF2cgEngHhw)A*gZiP}Deh z7-}3m95oIeff@&oM2&+-p~k_ZQRCn-sPXTYsPXSuEX#H_4mGYFj~drbK#gm^LXB%D zqQ??m|KptJDzru zSmTNlsBr}`%YDk$gO;25u>5`ob=>}mcDjE4GxnIx`9I!eJ^zBA5}(7~cpkIx0uIKD zI0`S}1pF2C9;3_lc~{e}*!)~g`z zrTi~!f`8j||4qAT)BQK?A1vtnoAw{|zU*7luBRi*dnfI-wY!sckIx(L+?DqEiobO7 z(ww%TSSr7Uq4H}!RDR9h)(MVt3bZXqto$l#YP`YkLi;lcwJqE>G;Ts0Hx+3cTCYV> z>$Mmv4?cj(gT+z#??KvY+*ATJZYs&=XxvnaSoyFtYTQ%?HEt@48aF+J`ku<6zNhl2 z@2LXnd#Z@~o+_cfrwG*dR2lU>RY84ERaMS7s2ZP}>{M_2FtL_T>ietFR_m`;+nSgU zAEDg@r?#~9r+BPWr|qL|EcJe<$57v2UDW%q9!I@DsviD8`4e~o>!aQ;)xbWdaodLW zIgQ&k!h%lYwoRz_Wj`tH`$XoadE2Jeu6f&L)~DPAU+$T?XF-T0A!hE8N%lyoB-+znN_#5p8?8zy?b;Wl()?bp>pnd`{l0%a 
zAMdl>XSvR`o^$TZ)8kl8AAQmE(GN`@XRzGWQUA;V#GXI3{&gn$9kBE`!obY4Gp*kY z%shwvv|c?3O&`QeADlUq*mN=kO((=mKR0t2vFQb=FP)c}$#zX2$o#C#>^R0I-EYmw z%nQertBgm{{%3l-n*7YdaJ>pN93N6YN@Ny=?Ibcw!u(Hp6h!*X5+WdAP692d^_ zSPj3AYb5bV#oBaM{JcRni6g+h) zz;l+0NzYcd%xn z&n;bn9dQ=AAG6W@n1k-eTy#I?q5Cl(-H!$6eq4#}$3k>J7NO5oU4>nkz8HPJ>T2}) zs%y~x+$GqL_*(RNtn1L{r>;kzyIP9&+uneVn=C{7ZEr;TZI`3{wkyzn+ndmS+ndpT z+gs4{aVuJ1y$#o=ZqH2DPw&uB&iz|IU74A#pWelJtE;{{^PbFf{S>L6-kW(}X1acg z;X7XUqt87(fIh$UAdbL?a15@(3HUHJ<~%%teqVI8F+PgcS0BS#mU|q}r(XF4`drkL z*qrsALhGYXqt8PLz_19O?`s-_G{q=RU{`v-5e|;0JzrKamU)SNTv);~Jj}7O(o%vCw_1AYY-_1;) zSET;>UgrC8jMQI0$lMUeNd5Ig*9+GHslRT_{DkQlvp&{zJ%s74_`OYN{q<9{{`whO zf8C7MUq46duV0|`*Dulf>sM&~^=q{L`VCrt{T8jiZb9p>-=X!_@6mqnAJF!}k7zyi zC+vhj%&gplYj$5%7x1sHa?P&k+A87yY4z&OGPqhE{FSMTgH(F2L ziPn?tNXgxW~O4pO?q4nhYXgzrsw4S^xT2F3(){`5e_2k{qdU7MQp1eC+Pu>Hq zC+~^YllMaF$$O*qhbvpO-~`ZR|6bZ4|a zeGFQk?t<2*k45X#$D#G<<8fJaSAUn|=%(Q~{Qde-_pFnd?{~*eWc#h7lS15w^1$iV zlY4~adS;zM?DI6pdZ%WcMr?f=IgVc8xI7NF8_MZEXgPg4%lSQ=zIZ0~!}WLueuVw; z3mkwy;hDGt&%#~EZ_dW)MONWPeMAj(gdp$<7oz~I$A@+LwJAHJR zJ|^pe`1g?OF*a))vDfEcFC_MPr}5}G@Dhw4qC6Di`MJsq4oOt=y%)}pwHD@iGIgzA^IJ+MQFYD zDzsj^7_HY{ji$?M&~&*3tEgXGi-U=;!yLRGleiRz&7k~8zw5Nj>6C*v;#}&-%W*Wz zt-uDH-<#0qp>D>v@fMuO{9DoIqHeis_~w_5Xn$M*kn^5ww4FHOuvi9?g0zUQQinf1K&f zBg%iwh@Q-PDxR;7vp>!BX3T#En?`H0o{i_L{in~N{in~P{ikcu{?ixG{?ixH{?nJx z{?nJy`}7rDJN>n+S8;UBYgw<8KD#J{u^tmqUt&pzQWxdUQEQ;1^I9}r` zqj$32jbkJ|zn}G9SpNO24a{E{eV}1^;|0-&S^xiYOdn@$%(CA7an>gG!*u)!nvRK? z{%O``V$<_yXnH1Q`sZ0+5Sy-%_Q#i5U-3JpV`ToMDlvfQ^>TbOP=U%OO&m-RjK zJx-*a|3lVK;dp-3u)jz>{+Fzu!}7mm{TAl`s$o8|-tSr4!f|cYFdbR%kF4!sy+5+3 z_jBAkG|b1)4)`l8YQCBJ>fiVP?!xiwlN7?Cmdp)$?UOzj%{w`>Je^;hk z-*13!uOUvy-SBDZosH1?@a|~6dk?f8z9+83z0msm-e|pjAGF@SFZy1@erP>=f3%){ z0Q!E!foMJbAhh0oFjnCqXuZBM&c-I_cUGFB&vP`x#h8IhusJTpL-9szfj&Rg5?5j? 
zycZ8c&r@skJhj2c@Nj$*+v2l$1ipan@MUa|uj7&UHFm)7@F@HVkH+7yBd$+%%CqV2BnXglm8wEZ;!XXC{<4=1ASgiCNSPQoQP8JEtU zl0B8{aMSEdHCzV_?aFCryRr&xS5~9X=cMo+ticCyIyxS589t3O@OiAoSMYLNhcoeg zyaGSQS-2Tz<5xHbzsI>~`*I#`$NBgdF2IQ6z7idmS%|yiBDB4975co;V%#6E#zXKL z^gWOz+#j|-uO+tKdmWC&>(O@VQk;Z0U==RI>3Abvfy;3YuD~ntCR~g+<8^oo-hj8_ zO?VsLfw!aMKX;(-0o{qd2ec9&!@JP&ox9O-p?kP*4`)B`CANKbAKE^oX?XxG)_SutY`|K&SefBikK6?gj zpRGaLXV2o8)N|QuNjG`b&ud6G$o=p__Df8klzLIabPVmYm(ljwE7|Gx*{j61&t5~@ zXRo8}vp3N8*_*f|^;XCa7gn$PZ+=)apXV92W?SCBlZ~N1i?pxa3$g91^!yL9H!$D& zEi(VZ?2m|@kD>jwk?qvgeVqLX^KE}&Xn$=&+h3oe?XSu5`et*<%V_Sg4exgWBBB({E!v=>%Q`zcKSIr|r; z`~UPhmF0iM8TcFX>qWnZ{71umRd$8c@53hJI@d*KselXZ?O}w0^%2TEE{Ht>5pL6ZiiUud6yB=fIqF`vXJ! z;~@6KdfUP1aUX)#*BYbswI*mittrdf{%D4uVg_1YYmT-%4n^A?EzovHOSE0l3T;;$ zhPEqOqvy2^e#!Yc9A{HsZp-g@evd%^@3I}!tk3SKc zMknQ*9M4zV2R+dL5$%cokLW4r|A?N7{y*qxn8IFYd!#om!#=nYPsdf*7oWs__#&Qx zZ()D*`%we%b37Bj$FtD?8$BESztMr{|BVhp|8Mjh^#4W&qyINL1UukR^#4ZB#S?KD z_QCV;Y|KR4aamZ1*;t7=9Dj=_Hz$wS^P}^ao{#=7X#twv3(@~2Ey69S;+zB~Yl?G9 zxUT*$DTentN^xtdEGLPHnzEd7=I>xWhW{t6K>we#5+mB@!*LHBfd}D8Y=P&a|6e)^ zJJ*iR8N+sb4+pu=F37o%xIX(kHr!|9jKh6~^?KHh&zTVJw~I8qSCft}$+Po-QaRN*wp&s;(^=p9 ztp>f{h?#y_PA#$b-3;`;BWC*LIWvhv`=9u%sw;A4u^--d$o$zkbK)3TZf?#zrrS`+Y;a9P`6C&W&NaD{_{H^;YEE!v1ba-JEk1CTngs4(Y<_TT{2?+=_{s z+j8z;`i|7?%I{JBGoAPUa_(Vz{hGUTR)*_&moeA#ZVk(6M%8^e_hJ`(D6DtChIH^i zSnomOkPeXbR_Cn3k@#>}Z*|Tim_clN&wL3(yWz2%bi3hkwpUmEM9z~r>2?FsZg?u^ z>6~=C0mJj!&!F}1HE6rxS+xKDIkY|TJlc*}i?$7qV0&6(00Vjxa+J}b6&xQ zb6?GQo8uT)^IFd9@o^ySh&OWHjANu7@m9{dI7ZqL>s>D#H`0!HC+9t;XUuw6!*mSo zi1*QU#0O|QVguTK_z-PBe1x_iHlpo^kJ0wSCusX&6WV_G6m36zhPEFzqwR;!(RRZZ zXg%#qw4U}AT2K2Lt*3p1*3-U4>uFoidfInrJ?(q6p7sM;Px}$Ar~QQ1(|$(lX}_TL zv|rJB+HYt*?RT`EwiT_XZA0s6+i^_lkDNa_KY7(VG@Ku#p7vMHPNq*v{jFg-hI-mR zXg#eiCtXjAa?|y+dT2eZK3Y%P1+Ay;ic3-ra&5ORtZt}bdl>rB8|9|^(RWAt(f7cA z`_HZC?3J6Y2Th$|`Myu?zPai09YguPUvB#T-5s;^4Ho0w? 
zZoYCjx?jXhKO(n1vHRB!-9KWcADP>M*!@KA*Q0We=6BpLWPZooPH~JZ*E#nXrkf8U zzuzU7`#0o+$ay+0_xSicVK`4+S)q#|_3puFy?Y2+?;eWQyU)dC)x-Q<(%pF)(p~!Zv%>!P z`^4eAj~hA8 zWNsO;zk{q_ky{?NSCKoM{mQGZ)UaR3bsLd8GQMsYuG{(X{*8+FZ!~({#-P{j0`$6# zWqGgLIP|(*7+<&X#HOQ*(Can1ty*KHztyq4!ra=%Vud-mH+&Q15*O~Egie<`j{ zO%3;PUiGy9-pAoPUe)}b?;E9Zqwt-s8vLB~rn7zDJGv}4{oc_G^u426rhDGV2O4c= zxtY0Xi9I#oneY9J%>N{J6S4C#R?_8qKG^!DZFo`n%*)TQnRmrrZB)zkc*X?vKQd+ade)Q`k@U zi{(Q8^$VJR{mOEV7yTBN+nW1(SbuBocJ^;xv`s_%#&~Y@NACX}r~H%o=68Rg`Q6`P zecJzMe)ms^>vE&K^#1&7J!0?Y`g!i(E_u7=rOzu8H^^&9?EWI#ZIrhguEss`y#Bju zIBp~#+%s>lyr@~k?_tOX_hx;|uYJ(t+!xIU_e1l+{n32z0G2l&JP^$X56VlI^9K`~ z4<3T%gN@OAunC$EHbu+%W@tH|ftK^l(ers|IF6QiEwFynGVd_9J1=Ub;d~m;jauim ziDP}6`!8KDI3llYUMTI>}mi5lkP5m&I^ zC+9^+%tPyGmJ2=eqUJOH6Q9cOSx%hBbjNpk#q)dP`c$7h*5kUKuHm}=o3HoFOXurn zuzp>2|GWWt>3ki@*U!v5D=(d|W9Uyl8}08Mh}NeEq5Zk%p!wQhG+!Hn=4(UIeC=E` zUmJ$zYv-Z)S|*yWWuf_6Hkz;Hp!r%Zny=-d`C2}juN9#AS|OUR6`}cB0?pTo(R{50 z$D~U0%0jwMYB+u*Un|e6Wcs93g@)-E^0nb;zBVE+ov)1~HeWj*&DTbu`PyhSUmJr< zQWu2tys&!gf6sHMS6`Tyu1}B0f9uoy|8L$b&a?R)lAlcsvH2M>_vxg($;|gYMdnY* zyOh}Z81lQREXV)<=2bD@{0>8YSB>U(DKx*ULG!!mXnuDYn%~Vp{{PqCCBM5|!+A*m z{uN<={C(nZpUg(@lR2z+De2Gr%6i#6V)Lo_Xg;+d+?SO9Xg;-&>E=g^!f{=dx0vmC z+{kfWop%kfzk{rQZQhcwy=(KX57+HF4f}=UM@#c=i1Q;1`O&g?|89);Z#jDZu0ZeK zo6!6AW|lWUx&_UTZsolBT*Ga|-p9A2`OzI{esm|AAFV{+i@z)U?%jF!68m2KJ?MM! 
z#$z}i_o3h0yC1i&p!~=2Om91h{)hkEudCP}@7IUp`}GlYd~~%jK8lXRK8EX4kH`1# z6aP(D^-9y*u5T915HP7;@J zy|AC|7t4k8^#Pi`Hn5!e{D;_p#DxY`zlU97}C$z@$Y{V|NggV`q_e}pYPE0^F7O(Zhm09rkfv$O*cQG z>Evg8kM!^h^XEjr=KV(O^VI6`{Ei;aR`htbp~tfw55Yfh%6$6&u{rUdco_bL9`E1S z0e7PBU;cw#unv#MC_k#6&3@I(kLvX!u20-6+9iKiV*63me&_~FZ_aWJF(cY7zfn9N ztD7->cWfH%k-uj=9Z5%f=kJB}abM=oiuTd4UE?dF{qpyZWA%GF2jJG!LHP$_qUNCd zgY(n{cAuM0B2P5$9=jFiJ|^V@~}Jwn6&Bjxas`R&8q0eU=k3Lu36@5OV8~WVA3FvntyQANY zJP~~^;v`(3IypaGe)rIDU;SHtpOT+0zfa|N>#9%7@0Fh}zmf90cYdGzboq_pxrEcv z=aT!P@2mAg-;+B77tv1XkB^gn2cYHrnK*&tISYMX?rijZxqekkKZ@y- zQs--!j-j3~8m%Xc$xqi4E+Dp^Fcz&Rj6>@Q7ozoq@wg;)QMjH9t0(;TdUAhF%wNED zGapCt=}93rpC)Ghl>AGXZ+?l)pPE07*!dXp@hX<9tEGv#r0_YVrkeP`v1}T z#j+6Jn12)V-M{5w|5k+9{rh+N&0+d2`M0v1)79rPZ$s-Rw}<1nBmYkJ+v|WF*UJ36 zh&?Xk_wUKS8&~6fA-&wI;XEPrll$`@$WOPIFqAJ3#^>Xq_^>+mvK-+3h*$E*3T6Ix8!u5JH|1DzAr#eozj_H?2 z>+|1^r|V0Mm%qdG0nxkp?-5%rs^4XMAN?-d2k5wEx;*$O|HF{)ew6<)=g0D3BbuIw z$&WwD|CHGCxCuRv#7zGze>1V?6Dbcq&;Nq$dj634U*>-m$JnI%O<$XjhvWY@AODv1 z&BwQp|Jt7V4v*t_zYqEG4{?6{!bPTE@(cwE1HisK=aXtXg<0dnvXU@^U>YWd~^>qAKeqpNB2VW(Y?`pbRRSy-51SA z_ro!%{R<8(FdscY!+n9|qX!in!t_b0gEdUYkdHP-^U)>+>3p;)vH55-G#|}C^U>yL zK6)rFNwp}jTwGY)Qp5I;`}MGb?gi=l7s)5vgxGwNnE7oBj$pp`GcvzjL3?87W5`F3 zWVyP!4h2Us-+UB9K6*5ok9I`!(N1VS+8ND9k3sX%F1W1vSbvxOJ5Iy?`TO;wt_9tg zZ+#fqpA*9Vxj)Pg>HI`Aou7moSJ3_s%k?bi5!UZna4P#%8=a!zzB8T?omTLF^UdDO zH{a}o=9{O7^(p_+e6t_Zt#6)z9Y|mO@o1i-9)R6RcV~v>&nh^Z*!}(2fyAckLCmig zol`KF{WQNs;voe?i9H_VcZU_6i>om+q>J-3oDU?w%qqw(NavRr^2;37_kPbs&qE%1 zpXa0Zc>#KV7qYzhWf7WRCO8k~m&L^1?GX!9DzG=B){i%IG=bo&eN#)cSeWfy`W%BI8PT8j0@LgtcL4iJR`cWfcz}P>3nTM z!9@k;LlX)nvR#k!V)QtPnSM#ZWMYqZ5_-JEOrKJ4DY3_m~D(c?P_WYE(`lHUBiB0lZ>j`f*E1G+5+-D_VaQL^YuNBm-{KyYiAXtpOgJJp2POd zALlaN{Bd49e?G2HEeQ8zUiFp#=e}H2a0ly|PLTURbF>?#o*>q{H;@ z-yZhI-zN^&w7Kka|?zPg|3-X9Ny<9e{*A-3aj zBgeU_;9+8a2U&l0!6RXNs|y|r_s63e_6xZ`9xr$zzCSSBA5X^n_f))pPowGO88p4D zLDR{zEbsmC9D08|&w2CySW9fWc>%pYUPSMYm(cs;W%T)+jTiBJ(0|gwYh2&wiC;&b zuYLo4zWPn{dGfcg5&6bCwEu$i652m+6WjiI2W|hni?)B>V?UoH{k)H+rw^EJdfI^g 
z&WGsp(gXE^gEgdY4DHg!h3R%_6Wqpq z(G;yGHDf>Osxu0k7pB{_NImJ$!WM<;b}feIxLe`~+Mlh^=b#TmpM!3VRoDh=@Nis3 zx@wD#>m7kU=iLsUC2o)Y-_4QuJ$AsK@hIGeN8_Wc-w~g}PWTtoJEPBcAA>&M-35KV z`&jh(?&HwsyN^f58@r<8jor|8^9ks9V|R3%@kDf-@g#Jd@nm$Iu?ITN*b^ORJOv$R zJQW>hJPmDU_d=f^?~Oh`-UpY?KE1GCq0f)^)o}hX^y{C2J}2HEeNKD;`keTg=yT#{ zq0fn*jXozn5PeR35c-_>Ip}lZgVE>2hoH}i4@I97KNsy!7=}J4ejfUqcqaOscotf( z%|`nTa?o*wT=Y5dJoGv7eDpc-0`xiYLiG9mBAk$-{70YfFGip1FF~K{FGZj0PhvML zL!aj_N1x}fK%eKYM4#s$jy}&n0)3u;B>Fu6`RMcfqezc!Bl`b|eLj5*`h5BY==14g z(dX00q0gsZh(4b_9(_LjBJ}z63F!0b7o*RoPeh+jzXW|geG>Y7`egL^^eO1`>6fC< zr%y$nPoIW9pI(JNpI(hVpPu4AIh_5hA@(`2>FBupW$3v440K$+79E$r937XRiH^%( zfsV`1!d++0DV&WB=guj-igYxtW^UoUI2|G5^79K9#4$21e`VpqI7Y_h7r9 z;=*f~o-ylc4bw4<%P&E{?{qD`gV*7Qcs+iCOK~&afM4M<^gWOp(f2@>;|aI|eGlX& zw4du{{26b-`5f1+I3aa=;ceJr&h3SF#Q7eQudFP*6I;(&S$J1G9l8FG7T%3Hcn=Q4 zdvP${hiBpa*bg7TUicvPz=yCKuEJySVeEvDUPg|DHqJf6t@szqM%l?*;6OFQVg4Q>Cuj<)~aK-+(BqV2!8a7=1l;oDr-yz2EDt}Ak$-zj{L>623LYM73p{r5iF z{`;UX-TvD^Z2Rv+wEg!H+Wy;!w*NlHC8w((}w{xAX2O`V=QMiNHCE4wXiw(*K7;x`!(Qn7411&FIQxX<_AT0v_#u`<*4w}6K(=>TbbyBT1Ty`gqJxRw zWjQ21q^L2m?Mmc)G;#mJ`B2+M&CvRH2FuOo`%lf;ZYug^>Y+FtTQGg$3ZDN%-;-#C zz9(@Q`kq8<^gW3-Y{%!}4kz}x@wVu5<42(HNwmYAsrE%jv7FCuAIbS@RMWvYoG)bm zIu#uq_PbM2M{GcR4C@W3?X2NBZR0O^9=r?I=RJaBu^}FZd*Jby!|!#)QtTGCcS2Ej z;!(uNc{#D@B;s+z+J^l(8S9o){&U>ZqMk*k5PO}ldTMlP(P?pv)t5%Sih9Sf+Mm~l z?beI>7M&ip-?!)tmYWjw)36=m$x;8J0dcIp|GQvH`udzjZ2#ifX#e6sw106B+P`=X z>)WmvOuVjYNYT)ubbB5{d*xitkJob;dOgoW+bfx9dnF5PuVk~l?Ufv~y^@QzQ}WPu zN`M z6#70#4f;OEbo70W%h2~ZW}xqL)S~ZmT#mlaF%x~C;|lbBj#=pY9JA5)Ip(16bIe8G z=a`4K7w4nzb1XpL=eQDmpJO5Ct3|Y^=qh5*r`k`vnCtF+c{Td{?lnyJ{f;H*eR?f= zpI(PsQcH`j$7IdYq8nJ=_d76*GcH5l&$$u%avhhW@9C^S-_yAXeNX3R^gW$hkmvu4 zZbhE|FS?!W?O=Nt-V?e5e`dKm(f2}DqVI*=g}xVZH~L=4J?MKO_oDBG+=rcO?=O0Q z?fG5^lCL~i^f0mc%0nSvS!EpZ6|C2@_K~7T!~MBh!+Rm=_=%#&!u|S0(c{=4dZOql zmLE|2q=x(kxv$q0Jsp-?Q}j$&ZcWj1EH|w7Sq<-n7@IFWkG|)>7Qe4uHSGob1z$wd z=Syh%d>Kujub}7iRrEcm*SL<}=dTlczTZI4^PA{-ehWR%>(KMO9#_wJyXYPE!*(dL 
z{<}r*#WAw|_lrJ=V`O_9iav~EWV;^~ZH!}N`yUs56358zY%2ORjZ%f@0V@G<8T{#|7=I|r9aSoX$P7g{mJ<J^8&|u`f12^Y4aexw2a#s;-I}C3Yuv z`&d0K+9R=N9IM~e*o)~?qrDUR#M6=TX5Ykqajcd%`zK772PO`{`gkzQO^FWDuzlmn z(IJV(ajf66{U-P;Hbu*yX81R82JS;Wp*iav7#*5uLF|62`AETN`!f$qv`W|ydRU@O zB3<6JM#~#wrXQX-g4lAWEn4mnGre7+J+b8v(yw}Cq66Et+(G6al{h+%F}!EgF--5A z=oFUkoH&;GTT)#T$6&Iii*d-GkoSC!OLQf+{5u}qA7Xx|TjC^Q_veIoes^@gPK=jh zKKWFS#L1Yb>5({v={r(AmGvqAnZ7f1YN8L*>(}&7oR+ZO(#x3qrMHIVG^46-;&kkS z1HyX!G~`QXg!TFxhkOZHZ(!m~9EoRz^#&%+#th;?tY^Nh{i@DM3}(8|Ibyv7Ylb9- z61#sovg+JKCd;*|IxjH{+oQ4fC9+&rBA>WxRbC=HESHza!Jfpq*dCql^2q&NkVp`> ztSMC1FAA~qjWeoB62;gBOIhCZuZ^mciHb0t@;@v``Hv&nPp7x5sZ5Lr>2kP+^o4Bi z{KQD?f|IA2ZbxaDkD>o^OoDzy?xR(4JeK{lKXV+@?a#b0oCdY+4>=XtE>eLtUg>T=3| z;<@<8)b#U#3yJM7UxfCTUlsBN%73)K{A#A#Uw%zE&LxR!*^cJ{IqvHc*Ax4@$oe-V zmWJ)!khqck%&T6eVLy@j=kmmgM7sWoq5gRj>wEv*jPCC(=zVu9dcWO<-v76=y!FpJ z(E8S$oJY&MmBi);ccJyryU}{+J!n1jUi7)Y`_S`nKil&>JV0E79piNI5YtT;tKxL= zFxr3pNJtl}<8<-pf73KjG4$uHLHpaD zMf(Y!L;DGyNBarZqWuIfp#20dqWuIfq5T9eqx}T0p#21|qWuJ~q5TA}qx}SLp#21I zqWuJKq5TBw(0+pTXg|T*Xg|R_Xg|TbI41R8;)8Jg-q&#bkbZ&G#Jt{r<#s)9=qAz5bH;mFr^qMbhtYiQkD$zsUOA z5?jOewk7@u$G=^}aU$t=N8-;o{bESJf3d#l_ir@)?nKk?KWO@`L(^|moKC;>(DYls zIGuiXAvXQ)il*NNX!>o4rr+Jr_6zBh{oTE|WpR4{k$h&)5Sz~sGk@>meVFg@AoKSv z-jCS%81kY0S+1_`fZ_w0Z$5+}A36xlhYm*bp+nGos4(^($jzIIDc1)kdICy*X zIvyFe-=X*@w&!(3j{E51j>P^RvYpPwop3dFVL$V#kI}H7$aOrn__*S9K7`>q9v|;# z*LXj>VJQF6>)0K=jwiCb`Orz|bv!w~jy;IIjy=)qcnW$QPerfeY3OnHLi3~EIG(r< zTE9OXt>5=W>-SvmdPU4nmp}cB3;2DH7rCxyhS=*$%<-RHJdpVwKQez%@j1lK$8g;T zvs_)>km8~7b;oes&qc5MF!Z{ghhFzg^txxE*F77TRp~$|iuX~dH^SYOz*S(zSUhj%N_4z;Av)f> zh~ss<_bRj;T+DR0e>J-PHRygWLH{@6TJ*cV*WnPn9{sNGQuMpNH(&`aL&raF#8J2$ z9cNvEjyV3J=5B9-( z@kRFcKI}()Kc0yX;6Qv3f8u-i5254Nt8ggOA4dO2;}LAkb2qE83-cev*Z98XW7wSM z@E*r)On(CZ#3!*IK7~Fv{51O9@H6PR_Zr;HcAv$u#LuDijOWpD^0nwV`3vay_>1WH z_)F;c_{-?{_$%o6_^asn_-p9+`0MES_#5c>_?zhX_*-Z?S%;>R_2~Hc+vxcCJNPWV zi!b1N==k{i==k^tXu8^fj(2~Ej(2~Aj(2ZF$GbnqF#eD0=58wfl=Ni%AGzM26>pAX zK}1^>Zjs# 
zeg0={SuYCtX}u%4zQ2ZimtBLTtO6>CE4!WMAh0aU;&Va;iN)9J>oB@g3mb4@Oi1-NHgv5vP{a=qioNu+h)d4ME zj$*kT+>b|>Se|z*>CEq59Cgz0yLu4cAw340VHZ3MkHz+Q93F?qv)(09*OG3;o<}{I z=_g=s?2ez2AD+l^t)i1kPL7w;k@Sc3z*ktWC-!IgQ}7%-6*KWPw7uI4{oZbGv>&Ap zuASbuA_$Mpu&v3er?-N;Q*Y01F;qdf|4u4eM0$9{B9NHKj+i?X%TuqU4_MUH7svEXbD;m zx)!bfT!+?wu1D)XOVRqz4d{Kj40qy<;dhsp+{FG|9IeoBKGgg3X7v8N1-(CSMf0uO z(EIdu^gg`Jau2cBOT91eMeob|(EIX!^uBxmy)Pd``+Xlm zum39ae?=Zf|6k(~^gF$)(eLy=ihif}G4wmVkE8v_PoVwxPom%HeG0vk00ZF`~)4B*o6Hlk3U7ho-eT@ z=lv@*-}xG!}H5hmHeA zrRj0NdgwS{eRLdf7jztOS9Bb(0Xh!Y5FH2H4IKw;gpLF5j*bKFfsO<2iH-yAg^mO6 zjgABEgN_64i;iRLhmHg8kB$Q#fQ|zmh>imuRO&e3!KH@~d;Zk^`^Kf|{JaS|4%n3G zjsrGB^Y;uie{YUkQY}gk#biy3(v~dmI3R{`z*gwE)M03PZ;ht+HfVZ398K?S(e!=< zZcVi>ZHI}P_N7O%J;wntj01K+#{rK*#{rK<#{oN{#IN&kpxJwu8TzhQk zacs|VK%_i6zVrlQ%cHKPmPg%;LwSUZ19mSxsnmS^L=EGB>9}X<$xN>w^(^gy4e(T! zA5eRWhH?s7uXpKbVY%L=y~1+6OHXIHVYPiUi~|~5p7llZk$&hn(-~Zs<`LyTW<&!@ z&t$sSM;&K6i|Ngne>OIa29^$r=d0t0=b+<=gVFRo1Wn&V(e!;TdOe1r_v?9V$MPbR z*z1*rUZ-sII_03(DHpv?dANE;erW;6VLcyNzp%6@j*;yrN{izd*G)Vj*c_l!FCUf?krtN>~X01)Lm%(>29?CbPrm8x)-fK-G|nn?nmoS4`3cXh{w!a zHSHlh9#>)WnpM*t=68BUkCd(^_IK3l^(fQ5UXNi$^myqL@qG1qJ;`*h*HhRudb;$P zcs@2BTD7M1dGeR6s%Mq_!oioe{R*ArElOGB(AO>t(u0+Usw80nE!U^`Y``(<7(T*$ozLpKM3>RFMTh} zf8V&;@5^AleYx%%@KF4a>AOcCm2M>VeL?MyALEefPf9;!{k-Z;8uC#jU-+!_^Duq0 zhUrNA`HRvo`F-2Z7~0QYk*@0MzApWS`L>@iw4cAlu`IU*FU0TA_Vf2>`}qg7{rn^A z`@hXUq5s?bGt(zA{TI9xf5j^N4Qudsti`Q33%B9y>OV@i<4XLK{a#qTL&JU}{{#J3 z>CQ0yZw=Ftc6(jvKX@zFOS)c^#4sPL$Fe{5lhg-qTs3VM;tPnWAvDRTYM5-0bUd?R zvQaW!FW(KVmlHF6_vD_$*3b7q>*vHw-z&K{vGsIh+;yMizHHz6IWm90EPjH64vZy~F8SQ^zDbW1{AmK*Gpu)#hWf(EVZ9#4;rb%$^-7+CBk|O*Ua#b7m_gi| z^=uy_^ZO+G5x1)9n>-!cqp{@~vYj)MXA^g=IxE>fEO%CN0QMw46WgQnT^`A|1||m+ zx2zeYtbb03olnel9FiQy^e!C#Q1t(c&qc@Co!+kIykr*XaZHq{A>Tum%SmQq7t9Ou zb2ZFI(n)@@ApAb%KlZIDO%~z+EW&}9z`|Oiv5fWo{Umx_j5De#lI7S1N3opw zdL^2#4@dL$5oo?X63y4oNAq=;&#M`o920L(yHs6}oXmKN`91F0E~5RPjP~3gFT_^S z_$2*om0A zv4FCU!_TyfK_V+JF`}?m(`}?m!`}>#R5WE)c 
z@4pW1@4p`H?_Y}c_uqh?k7elpP2Y(2cP~f#*;kY&N73u|7j0+=kENpSTw7&wc?N*LV>f_jn1{&3!rfN_@W~zyE6TwKzuhvw!+ZysMq@D6^a`&=ye>hSuzaL`DW#duNhUACbUzYc3f8j^C5jQ4X z|KsE*{Eq$N$oiX-pAx%1hI0KgmaD7Vocx^mmg^YG^)JwV@h{PS@vqQw{cE&b{{}7B zzr|(MTih?o)$cUyKhh5SA^9`&?HB)%?YEA83bFM!r`xan3%_4K`Zf7GvHxHE8~Xpn z#7y6s+(vAFx7y#m9qsS_Bh25C{EK)V^Z&%fNX&YFC;uV7fp{n0jKoZ@OGahsesLtO zSGEi1adcE)L;i_O-?gj(vHjvm+^}pnV*ACB^V+D4;|u3iEpPWg%iBF!ZW8zRUg-b7 z?T!Bb+dgqw z#nCm*$};$U`>`VV<0ElrszX^vmb1Nn6zQN*&C$jo9U$lHn6ggcJRVcl85aWA%vWxU%D!Zu-zmNylB$e)4W;Kluq^JKf7pB(|SiP4_3o@yTdEc@I2; z{p*Q?@f2Lc^i%N_JS}XeS6Of3UYs}ezUdRkr{mkiebMvX55MEOoWXupM*YhM5WAmP zT@jsGc2*o?b$N7l*}ynf>uZDfy?W8$vU9@k4lWzYa%IsF4cjqJM(38GKH8r#3iCN{qtXAJ z8-uoMFTir9k45`K$Kgc05bZY_kN&USMQDHK1hn7sVzl3KBF<#~CFuP#3B7+Nqxa7g z&WHEUrNnm-PsO`&8rmOFh2B?OgwVg7Li?9%(EjD=X#etMX#esIw12r4?O(VY?H8Jf z_Ag(7rjuE?cKV#M**LmpPT5?}tM?^_`*I$7U(QGG%LVM`$mq(lg~VQG_5Y+7q5TtA zq5Tt!(f01uEN^@F8qA26lwHeo(~H{Py^iU&cdy5$(bBRT;`!=*z6{;ojm$T_EXS77 zin5#H<3$Yg~8p&DYU>+BcYPKkb`nKKd4#kFLWlskh74W3uM$vUgbCep(Fu zwC|$*e($0Eg72gKe;=Uze;d&LzYo#=zmITh>f^GFn5g-<>=U+UKP`rS+D&Lb?Wbrz z?Puuywi)fG{T%J5{Q~W${Sxih`U*SOeqHtr+q0h*$@jl4`<~c*e@n>szcUW`KGIM7 zL)lLu-}_NRKW#exwe07R5B^&A3pR*;E&HA22h{$ip*%qH%k5=b!*bipwuR-km+fG= zVYPo~=%+=>jX%r&V!G#FEjRu~$3J$W;~)Q^kqVpp`B zXn>Xj4bk#pH?+KHgx>GFqy2n)p#6M%qWSV(XnC=Bc~m_-+NXS9V)qXzKlUr%KaSP> z@BpS)LthDXk=1M1zA;tG@ z%R9y~l0G|?caCEuogP!(C61AH^0DQ|6Su56E@=ChnEvA);#N|cu}e@m*Qycm-;CB`A&LE8Vx@^WJLyA0iLV%DoDA4%+fSH|;)qx(N1 zUXJ=5nqqC_m`sW>l@Ja^)j^m`)_~8a$@^CR-pYIH=+F=bbszb_vdbOf9^s1EAB=6L+-=V@qX+={q6y@UH>3v zP)~da?bld^_G>(h_G>(X_G_$0`!ya#kMl9KpX710pX3R&pX5ojU*jpXpW|t?f8!an ze`5{Wzws>EzwsQ}zwtcUzp)nW-*^G--*^%2-*^e_-*_4A-*^S>-*^@6-*^q}-*_E8 z|8Jn@|4p=i<1Ms*V;$PRu^#Q;cpL54cn9s*co*%@cn|H*cpvT0_yFzC*nnQo57GXN zkI?>%jrbFOjP`4Mg7#x8L;Eu}qtEGmj_c-rQT}C|4w38pRr%L(jO@>M z<=@~2{1!Lj7Tkp2$IBu88b6e$`!#;laG$38HGVE{T#@eAK>8(q4YBgsls|H*v&Eim+3{Dt;g{EhZo>_q!5{z3aK>d=0RsKS1W zdKLU0{TB5#?4Q3+`@dp0=G$-4fc=owk zU9k_b&*354-M3uZ<2Y=K 
z7vm9Ve?dF6pP)V3PjDpKPtbwwn7U$QgLb=tM#bU!teF2=oNmicg5)}R~YrtupQ%qsBcBTI9AV}?Q`4V{fTYA3_$C9 zXQJ)!vslk|)!D@Bss>gJsz|rPF|@-$!E}^T(k502iR` z?6GJ&dmP%%z7TC^k4M|t7oqL!31~a}V)Qyp#I@5WRa}CjYbI4p=DeAXF|_Zep!J_i z(dWmeqV4->X!@=~(>ImwkiJuBy|0GzV!dxVGX7sNgXx|h4deezx88R-GX7t2MLb_^ zug^ly^K9mu4(4FXXl}*4cscbv&qvSm0xa>NyWyHuYFSSF*b-ksrZ!T2h?uTkdGqy?dKJrh2=i4*c_Jo zyy8oi8&>;;hW53w`R!NeefTxn-u(t`?|zHse_PP}_&cswN%Vci55!(CB!B*~;-@%P z+q*wAJrVs<@oPLC$)|s-_&tu*e0pox&+Qf4!hUYA*uipz(H|PNZ(I=lS@BmKtL@#t z(f006G{5)1N&oh9E6ABFl>Q&*ec#WhIVoKdjM@JTUXky zX;ayj`Ib+IqvaDZ(~qcZPi#5W4lSpMnSNwt2V%=Bqv9ePfBg=KJ zJcjAES2d&R*vc+pxnnDjW4SgQABOho@nL$m%C5-!|CJ{)e@m)+24hEW2D`6 zQe_Wf_xogYzlm9|XJs#9_xqH1{;BBxpB692eD3EymAx@h)2Fg8(|4p!SJtQf&-9(C zewAl3y?)Jr$}=jhxAZsWJ{+K7InAg#yYejTf`h|)12x>ggTi{}7>D~8S#Mb75FCj^ z!+OIi&&3Sl^H|UP4Y?08D|5np%KtE*@*i!lI=x*@Ze>2{u^`IRkY17P6jl~s7fgit zMH=QK>larh`JGl(rIjVv9*s?B$o`d8jv($@HN3JsEH}Ke0(%lyVtaJH%OmM^WaZ@0 zUOit~e^iL$_A1{?UNvnD%XOc(YT51?!pItM+Dx#)h*L))kG(e~*A zv^{zy+8$kqwnrDC?a`~y_UK}?J$g0T9=!%_k1j#mqt~MC(d*Fm==ErObSc^%y#Z~H zE0N01 z^ltQe-GjDI??v0E_o406`_cC41K1BAM7CeKDo$6(?>t=jNE{=-_ju)M+<=ebMtlr6 z;S=$47~WHR5`9nYDfB(Hr_prt436dZ)}Z|Y&!X+)=g{`?^Jx2cE!sYQ0c{_@i0e}? zRi@juFKf7;F?`qlRqivtYyTSQ`e3&EdS&|mBj3Q5#BVZvBIV0lxG(X#%JlzEt|#{W zTDB9u^ZHI@)Nmv1rgw20)89kC^ZGu=S6BT(<%Y`icMXv58hlv!QDyqO1{l8Uxe@&? 
z=f}8}`uHdKCvL(d-*fyF{SNGB=yzZ@qu+u39Q_XL7wC6jzeKgdm#GV*n`mT#vY7*H}(+pyRnVY z@5VMkzZ=^W{cdbC^g9+A=yzkAqu-4^6#Z^&3-r6OEz$4BwnD!bdl>q?*w*OxV%wnK zi#;4$U|XC({&)oXeb{#B_hH+k-vd4p{Z4EL^gFRfq2Gx;8vRaeNAx?fozU;Yc1FJs zdkhw0m*MH}!yZfQ_hFAizYlvn`hD20==Wi}q2Gr+0sTH~cl7(PC!*hnJqi6j?8)f& zVSAw8hwX_s;3??$VNXTB4|^K=eb`>;_hEaZ--qpkejoO9dq$}jRusOr?n4U2!SHpA+--XRbzYAM{eiyb7{Vr?~ zeu4?~yRgORcVSD=@4}X%--S)0--RthzYANAeiya^{Vr@JPDqUyJ{()j88Lk1@N_)@ z$zMhdKObAq88v)#JRP~-lZTJN9J~OB;aD7uuXN`!82w5*MQ1 ze_4cn|K%zilUh9d8m@C*_0<}#Gjjfy48M-)lTz1en2zE5FV~~re_1;G|50_{@jll7 zgrJ_iS1{p~tMH(d0PJ19q z=l6KL-fy?>=Xd_O-=5cXooipOdA+W8q{c*?OYHYw=Aqwzc@+Kr%VX&GUmnLkcd6uiFSUUCv=G%UYq5bwnwEgxawEgyFwEgxKwEcD&+J3tn=fz)jKiJ>bH0&?Z ze)`7PH<@qy?F!c4CbBZb*5jDY{8eLDGvD@ABwjOiEwSymYCG;*XglsYw7vK3u-y8w z?-1Lbi~Qe)vG20}5s{4=%GJp9O=I69wmlb#H;;Xv*zFn$I$ z+-CCWZD_mgM`-=^V_Y}>)3KjmwEWYt+gaZBE)4ai9bvsY$9@*Jw{z?+_G@V5a}E1t zJS6hP*xkukZO`3w`hCHcW8U=_elT$*q>O=_KCe* zhnnR-8i(tE9OtiNe-8We>)2ng8u9P^U*CzpX=sNqwte9bbbQaB==h$$(D6O{&~d~2 z(Q(5E!utLmdyv?1!^rtPH1;22#|^9X$bWG-=kYMdeNE)Qu@%H#e~b^0L{ciHBw~yY zi&Rdjl8n`MhpH*=fAy4V$oqdOHCb+Gq=ts|7!QfmN~xWU^+@}$*ZC-7+llLrbdS4um)?*u?_1DH|y}Jp^+fLjR zZRcx-*1wyh?ZhXb?Zhq6cH)-Uob9(l+i_dtK#sQ!{?2tck^Qp$^CWB*IXUGNrhDGh z_RqFVxBasnHi@)PIW;+7ZTCG59nX3?+U|P>b|CJ6w)dWiw)dWew)b{K+j~2q?Y(EC z?M$7~_TF=F-S{pk=VG+HOG;Oc+xs3vJMVeu^*$eM=k12J^L7u{uSd!S;rjJRxrqH8 z8o5xz@fZ(@^h~)p8LREEz0h{pOVD=MOVM`N-e^1QWoSEWAG95|FWL@!Iob}}4{e9N z0&R!wkG8vBiMG35g|@p6K-*mhqV2AO(013W(RSCtXuInWwB2QyK4%XPNbsgL>lfbi>9RGsPbq^jOA^2#nA4WfwsG5qV29( zXuE4R+U}Zzw!7w{?XG#audE;?A4irKq!h9~+g&lVyB4ACuEl7(YYE!!Iu31jy&Y|L zy#sA`Ek)a1<9O!8vXpYxXS*wsu8mKbNNl=xXNu|C1mlpdA?>brrQ99vuSpu(T@&%t zl*!?Ko0>8Ot3{@!OlSGN6Q^lN?~rumzLa~ya`&a&8t%ZK2(jmNHhMnipyzWgdOqi&=krlqKH;&H$Jw6kGsyqX zPkAC4BkO-MWkE7V*7sD()5#cF?=vY2lQFXXMJdlFV`Mwer7TXyNV>BmWhrsX^5=tY zmzegI_uGXqIWo7rjr}6S!83%yDrc1 zsOjV;rkhT_hfN}zQ{GR`SMR$I&~$4H+Md1@ZBPFY%_p{@`PWDM|Fw~iQ$8Vf{YZZH zY0CCwthT4`VEXXLXDK_A(~*4b^ORl5Sk2eI2>0Kfl-=R}+mrGY%MFcusbT%bLn2?N 
ze3OjT_VjPj_Vn-2eC~U+J^cr?J$)}aPV`5#J^d%NJ^g32J^dHf+aU65%5TIThnk)w z+MoYS`6I=4%0E-~aXoFv{R_?ah?%}WPSWfx= zZ)z*#`@g9thyQD%A-y{>{NG8&A-zNXuYKw%n2K$~|FutThx`t3>Z$yn`GNK>JuUTg zrrW-cj3+!JwF9yHr>Ui9rgmbvR;3+N&%$Vd#A`od4TT`|*+Q#$HRjoaIKK z-|xGQ{i@9VT#tUg?*^vZzIbCeu92xXu^x{bInJ9?Zy|O&$p4Q{9TnC$I`ua8Yef83 z4f}PCnr=jiL)6w?ld(d|Hd(n3I`_Ojs8ECsY#}UROK0xetA4K~z9zy#wW^z8m`+sPE z#=}ha_#Q#`Z#KG~IcWR*T(o_D9(p{FqV4mKq2JYe96e9-@lE0r==oZJp0B6S z^Yt`(zMetP*FyAsEke)Bv*>ww4m~f6(ettdJulCr=Vd8+US2@Y%Zq3~$xG;W`Cdl* z1zy2JxD4$-S&sIfyoxt7{WY{b|8=xI{|&T1X9e27vJ&lIc@yndS%vnitj6iM2JKf_ zi}tI$h4!ngL;F?UM*CIPqx~xHp#3Tva0zZiujjky_1uK^tGtKyt8B(K_&&akAE5mz zThQyi740AS5bYn?hW3kmgpSwz810|<1nr;r6t|XbPvt)0`P`x5`NYrIPsfqpu4E+UraX$b5Bhv>*$p49#690_08~(!opUm`MQzM}r|2M47cG%z0-|+{_ z+28Re+TZaPhTs2Xd;I=y>Vf3;(ck|~J(%1+hW7qLXnX%ZXnX&^XnX%*wBO=CwB5e~ z{k^zITB6;*658%x8EyBkg0}ltMce(Wq3!-fVJH4bw5S|2D@Koc9yZ_WKsthPWl#|I-TXw`q;G>$gGM^-o0G^-n_E z^-o6I^-n?D_1mKD`t8tm{q|@-)2V3t{%L6Y{^@uFo`H?H4?18|JQGjAv#>Y)K^@V4 zs7`1<)Y)i1RA(HA=U^$Gi}pu#!ISv^u4q5dd1yQ4`Ph!>-S7A4 zW4S9a2d~0H9Dw6+AeQ4G^!E|3#!1A3aS9GW`$LAJ{UO89cKhLIf7&%To#n2@88`xG z;&o|}8guY^;{Ggm1Afo?Z$#VqN22ZgH=*tPH>2(Rx8T<-Hws4+kH!?d6*KTQv^{+c z+MYfZZBI`@`{7d2ez-KWpDZ2iCyS!}WHFpGB_l11`*!}6Obz!fhJLbaw4W>o?I+7c z`^oaqezJVDpR54wCo4qz$%@c^vSPHKtOV^R8;ACj-H!H?-GTO#m7@J*akQVT4DBZ? zNBhafqy1!eqWz2$(EhTCXn)yVcsx!*`^)Z5OQdg;iS5Ulg7#ZYMfh^C`>h^A`>kf8{Z_NkeyfMkeyc}tCC*0st>&a9 z`mN>?f6sU1=Ar!_kD~oJkD>j$kE6ezHy`Z>c>?VRc@pghS%CI~JcagyJdO5)JcIUw zEJXW37NPwh&!YVx&!PPwi_w0NC1^j$^JqWFQnVlB1+*XJMYJE}CA1&pWwamU6^xZF zOM8|3W<-3shWiFd-(E|5gXu+OuWOi&p&w)g+7Ggl=fQrEH;L^BS%vn4tVa7k*5ItN zwQ1(3GvaS)SPzEp-@l!f_`SRJxN8>qKkmT|_ziBvz4$Kvf}8LUd=C%cX8Z@=#|Y2m z2Ur!iU`^bLb@4-dlzd|w9z*;Q`ultzqrcDh3HtkdpQ69dw;la`z8&cA^L>W?KHpCC z`~07yzst7^{awB<(C_!}Mt_%Y4<7k`|D}9?;;S_417D}LNl(-du+mr5-@i?>{_|a! 
zZvE%TbUl&w*1c);i_os|BRWp*r?8%%(|$=y)GLtx|26G5V*ejQ{poj>tEl)R?N8=g zf5K3I`U|Z;?L+HN`_cN-0kr<~H(Gx>i1Xry+%K-%KN_wZQvW%e7GeMF2l|iow~17Q z*!Bmf+pkk8ELSPoI#bzFlr!u*=)wTSI6Qu~W)qy0s7!u+Gs z>k<1sgSzPV42W58{q$pq{a(S*==TbUnSN|~Lt?*I&;b2j0Ws5$OFy32{w5@Dl-?vg z62CgqSVKDmGQDYfGh+LjkhppJ3B>k8AaRTIR>XeCwvYajsQ0Pu5+|bd z%ad5{BJPKiu@9bt?XWHO$96an+hcXk%c*z+@o6{;Pse&pKLf`Qcfc5)iMeG>*^RP9ZkEdWaJPo^JC%gddH|l|1 zi7&*9@glqed*Tqh7;nU0I2JF#Y`hfxen4+5A-)VJU>}^0eQ_pUj*nwMT!dHPOV}T) z@&8w%-wVD^n?>Y?M|K)nxK63-H?ejOH?einie!QEI@BgNcW;xrtZ{a!O`@hEFIYRD}G3mF4 z?T$&m4f+0WdJ6x?_kT6CYa4$>IU^Mv-=2n!Z%^mC4U9z7W5ixJj1P!pq-PTQ9IE4W zv(WLm+35J(oUpyz^gLpZQ%zs;lW_t1orgm7I}b(Zbt*>3@0OtBcgKbG+@5|1vEz2t z^rl=6^t+NV#;=G>O20c9tL>|k*gQx8Ma?> zCb9jBv(Wb9htYn;M_9k@DYJ>Ul+H0%tza4 zo?v;~X`V#eX%?XEGf$!IGf$)KGtZ#yGYipvibZHY#j|KX#dBynvKY-@mZ0g$^JqWC zQm1p?UqJgSUPSvVUPAjTUPk*XUP05JWoY`d98G^-MZcT-8k+vRj;23v;1d3C1)Bb> zMAM%)(e!5(n*OXt)1NhH`m+{If8IjVopqegL6Nu9*AsjHs^6n~2bVB^1N!}ojraob zyO_qfn@#BW^Y?HW(>J623h$%+QXk-Irf7U^5 z_$k_Nu^q$rf3Yg}?Pu7G^SKjEXFf;MnO$f)@&%f{>_*d@J<58%M8EU<6`Ia`jrJ>j zgN~p77VTgC4((t49_<(T0qqyri}t7di1v^C#CfxS)~W+TZ#&hVTEP{j7)3e%61`e%61{e%8ZiKkI*J zKWhcr&l-s)`dKTX{j8PIe%2~zKWkOApS2p=&srVrXRU$uv(`lWS!<#FthLd8);efE z>rrU`QC+m3wI15fS|9CaJsRz2Jtk^D>#@-W#GW6uU!-9)k!~M{_Ol+(bo*Hwq3L*I zG#zh(d&`Z$B&2U(h0Y0*)+i5pBtI`%5wOm$pLtOIxG;rESoD(i72s z(v#4B(v#8ts#EaHiEX3pSdaarNWRfNdOETB#;H;Bjnj-nzJc_Uo)JAWYI@i~LqBOE z?i4+X>6Ig$q8+gsc4qm$6VKL=pCJF&C3;R+u1oaXuw0kuc`P@0Vpk3Qq{iku=cD;f zH#Fbr&Uqaexggqu*ymRLuF8c>9}u}H+LPGxt>!-$qv?Myv>)ygG#|K><*$nLj$TIW z@<_hWC)zg|tNm}6GrfPLU-XLPbR>W1AH6aetNFuK;kX7y2ZZAq7`>Y1`b7q5SikY* zk-^a+$ym)FhNAhyFf@M{j^+>7p!vhKX#Ow)N8ok%FULjyTKMk44d{0dZbZL(Fp~2( zsPv|2N9sGnN^e%K+btTeM!O->Uvg`7G`|jG6(QKyMZ=}sibE3J-H@!#tjq;)eEa&#~(d`qn z-oofOVz*zEoL`LYM@e!y=ChvLqj!Ym$^WrqX=yah^byjO)0lp+Y^w5q)c=`&xNLfK z2Gc8--xs|nJTLbebKdXMu$(q4eIR;2cEnlX{~pxvoIMo&Z>Dj0&XE6`6MYy{@saR< zbE31c8Sz~H&+;E~|ILd&9_Ew(hxz3H=r|Imw=JI^eKOpCPiVLwk@Y+kU4R|&nK1up z4fC<_rqYGcMZ~^Wq?eX2jXsNg@j2{|i*W!h!NK@E4#yYyf4BbvdY+7%mA)K(2|MEJ 
zEa(0I3VQ!9L+}6P=>7jHdjG$M-v2H?qWq2MisbsVW9iChG40|$7wY$FSFxPmt6hx^ z+3p(j_aE1y^-Syi_OGmq^4>r9;gNVf=hOa{cbIN}%LcT+Wh2_(@-EunvI*^Pc@OPx z*^KtLypQ%be1IKs3;Ny1t>}1z57F&y!!6T3ihj)Y?9W8j|4H=IWQ=TQXLLJm#~rv6 zKf^EZ^W<_E`i*v>{T^SS{UN*2{*gVnwd~6%$49%$R~qgs4DImWL}?%6JblahD&pTo zzmF#R0g!h1AEJAsiGBbK?RP(-?d?C|@f^p`X#4UnXnXXpXnXW;XnXYUXnXV@XnXXZ zXgl;@Xgl;iv>kds+75jHZHN9FZHGRHwnHC6+oAtK+oAtO+o2Dm?a=?B?OhdUdsigp zepHTC!WL62$Ew5<=NZ|bYO$)=W@@!q_2hJ9Jq=tJs@3VUK* z?2h&DT&$0s@M!FS$Ka`WEVjjl$?aiik2?-+M?D^GmurN!%QZ&Z<(i=Fa!t{8xn^j) zTywNt?gX@5t_9jI*Ai`)YlXJUwMN_J+Mw-nC!+0gC!y_fC!_6hr=aa}ZP9kQc4)g? zdyJKx8aqAa{d1az`v*C{XT;8AdQn*i4bw5S%bkU`%XN$;+T}VC+b(xD+Ah}_ZPz~s zZJ#?AXO(q{d7sXRchw{JX=tB2KbC0c>V~#+bw}H`F2LE?18onx5R>g)lrMV5hH}0` z|9>p>|A#pA|HmwUTpH`m{Lud&=3f@;Lmc}5W6A!1mZSea){pt2|DWlmBUfPP|Hsh( zkD>n`L;pX9{(q$Z-|gD}ui?0m?GFk26Z-$zuKC|EH2)jU|5={625a-2`CWn+h({3n z9>8_zdjQw79^V7F0euhP#xVV+*vPQlO|hF=yhMM<=IaX#cwv%V{^d z4Si2^4B9_9Htc6gES2RwkH~(f#nOr0Z)87Wu_!Lb%y6G%XgE%!o|+ZQjwR};80x7x z{J+PWiym(tn$PE>`FjCcz9?jQ>#0S!8;iLP)_+TgEpLoN>#Mh;_0>Dj`f4d!|K#J! 
zq5fHh)<4V9`saAG{&^=_|D1rH?}_*h?Sgl)oxYJtvAc;aU#jm%O-8?0I0X-IUZjp?9D5`g zBl|l$HYXV)`SRS@qr@%C=LOv^G4I_y9eWJBOnN%@ICjVR*bAS)KKLYFi3@NrK7}Lj zndJI0lrtBi-`84%mNTD4%bCxi^|Qrjd&QFE^?9Dydfrmvo{<+~FA`h6R_l*1G2Qy( z%h)XPN^DtjzFL1=&UEXKuVRzPYq9_T`&%nwZ^X>^SH#|AKfRAuqW2Lo(^tjT5PLtZ zM(-zLrmu~?MeKcrjr*0Zi@nYEypNFi>tpXEV{DvSx*_&1%e(%K==zEIzfG|Zh+Y4C z$@!bn?Yy5{j``eATVh+o^5p+veILd?4$FTO+ZLAlD8ybbrnBBpVmq0BPU&Z{Ps4Jb z#kS)G#5=W@b85LN4S|p=phW+oAGAd^z(jlb(y-G&aWQ_E`SIelLjFJBL8vb8Mw~+q# zS{Zei-fVJh4bw67zaNE;L#&IwmrxIVFQGpAUc%96Iq4Ymy@X@Y_YxYQ;}IL8?IISpyh{_X!)TPT7GDamLJ-n z<%bi|^214J`Qc=={BR0derSu9AKIbihxTas;Z(Hza2i^EI2|oNoPm}fI-uo;Gtu(H zS!ns8BgV=)Wpw5|j)<;#a#}$^nBl>>q}H zs-djEa%5P>aANzVkocO65ybX0U5oZJ5i|X|jO&T*|3UWuhHyOYKkEzW)krkGx{2k6 zvA&zpc9dJtc9c=5T<) zxn)wu-5H5;3x;yb--pcogWX^ zd49$d#9n8$z3fRWVZ95&`FT3ysc>GO&R7_(_cI!$%@c*ka$p6^i)f(m>$q(0N@H@sF?^~Eo{&pl^e4Fi< zFRo|0`Qkh1dxsm){Ba|iKfa6RkDJi%NW6!xZ!`Mci1%?Iet<)83;NxNt#~Vbh;DZq zZY}#Lq*o*2AOCN974p$fNzcqjx3gar@f{hTWhC-ZBp=_zjHAJKf}Cp2IA z8O>LILGzVg(R}4MG++50%~$?F^OZl*eC01RU)hJ|EBn!Ww@MJU72n=eqK0F z=Vx|fzf8xG^VU7{0%G?Y`Tq+udxZ5}nAwx#91*`r!*L?%_{EvMG85@IhIIUruX9dCI9I^Oa|biCzA zbe!c)=s3%p(d%*xt{Xo(a}-9)M`x0rhwGx&7jDapH2;zP9fST(`&j%FkED~SoEOu{ zG^U$QrYDz=CYO()>176*US^`{WfoeW$VS(fgVrl@acfy#c)mu&^Z)nx3h7`W&!6dF z5!8IA@z!BnbVUoQm?ot^WJ2P)GO}u z|HA!<)GO}Ke30qQCO@EII)-}1LukEXCR(qUh1M$`M(Y)ip!JH`XuV<%TCbRk)+^?r z^@>N)dc|XCz2b4SUNIl7S3H5%C!R#}jRk0Z;wdzLcp6RjpFz|8g=o6J2u=5&MbrJ~ z&~$$>n(i+_)BWesbbl$D?!SPh`!AyD{!3`O|1z5Hzk;Uw%g}UxIhyXjil+Ooq3QnX z7%O`tb0z0*M0|yY^M|DSZ)UD$dQsUb4bw5C`)km2e{C||e~Z|3e;u0czm2B*>(O-o z9h_CRA(`%P{NMYM^k-A%ciexbM@YK8ImD*h#LWL7a|`oLpOE=mGe0DDK8AFC8_QKx ze3bcdGF``zu7852>z|_O`gSy3-+`vJjg3AYjdjFvZl zLCc%JqUFusIIc@0zi0kIY~-hVB2Axu5x$MD}SYpBeXx959~<@sWJuAoI;9 z4x#zPKjHt$|IvKnFw;#({|nPAGAm^zjyHlH?~%B2GOm*4@mI~NM(pt)u{yE&O%3Mr z`#)K=vJ%%9iEC%oA@=+r`%yRRC|r*9v%C-MX*mB#esgrzFqescnv-?Tt~N4h1B##ZQc zYK>ia&fB2%iWAX##Yt$r;$$?RIR(vU+M@M|c4$7-9;2-9RP;KZhF<5>(d&E$`*&%i 
zL)MwZUT3vlaaK5Qow7QH^W7<{Gs|5PIa|Z^HSQHTC+q*OPjt=dl4be7Yu5Rk56{g$R4~1 zXY~pDbD4(yL+TTkXY~#Le|eVmiC&R@8s;CVPxQ}DoDmizFFx1h4X;qo5fkd zNAt})(R_0Pnr}`-^Ub@^d~*_-Z{CgOo0HLea|)VoPDS&{X=pw<9nB~2LG#Ib(R}hg zG@qP-=9BlM`Q!s=KKUS;Pd_=D(cv3iC}@k@?HAmJ>T4Lq7Q` z%T-jomi0RGt^Z&p``_L`^T`!xKDiRjC*MT#$yI1Rxfq9z;dVad>_e=-X%6a+Jxpu?}hY@`ahZqYu#Ma7$SK)~pX% zpXUKN?rm8g5xYHPJ)dNKjLUI*xL%)X*iR%s*^%{GGC#qPpX^NT=jX}&+=Zr#U!dvY zZZtjI!}8`QU!wWRSDZ)dFJBXzK7NDdC*Pv^$#-ae@;$cZxPL(NjlF2T@gtgV{DkHk zKco4^FKE8;E1GYRu7~vJckU0%?|-mA74bi_{z|4lNcyucYkxBR!7z^S0Q%hijXqZg z(dX(A`ds~kK3D&u&(&e{x%v-%t}4*yDw3Uet}3C=Rb}+Ks)9aORnh0F8v0ySN1v-2 z=yO#QeXeSu&sA;oxvGP)vZJ!=W&2#!)o`7V=c<18F-$KiJ6gkZ4A0fE=yTN|JMmmK zB=)&F4t=hUN1v-k=yTN=XO%U{Hb0mVZ>nK^$oEkf*bL(KeE*{zxH z{e{eLlYJtw^D#VEC$U^b#mU*HFyH42!*kUZeXiP}&sBT$xjGenu1-UrtJ85_{0z6t z{&mo>e{R2WcfaI*Ux7Yv{n6*`O7wZVisgOY2B6Q|K+dnv+aO|}x2w_TZ7}-0 z4MCr`q3C(AJoF#Gt1_IpDlykP)XT5Ujx_&+=_7DIUWYY#?yko}#5bVhs&7QcDUU?Q zDc^*SKW05)y!kD}jyE5LmOn0vdr%qZ`0-41e0LW5dokJQcUp7M_SIbU`>lEC@#Uk(SAZU0A$oj8=Cj8LdUB;i;h=&4jr$y z7#HIbbiCU0=y|yz#r^1WjHF|) zhuCzCnCE&$_DbgaTqE<}%w9$8d<^N_YL=_0Sd+b$`KEIi(z&u(czKg9NjIoJBb|!hQyy|?;^Gyi^N}K?;&;^ z*lu(j7%}JR%W&R2PwaO{f4@f4-)~s%1?tJ);yw5s`rhpKxQzG*^m|Kt(eEw&h_5sK zCtQO+qu*cp1ve1?iktB_w7v0nY{2^dK)>_%CoblG{0kkowGWpO@5fbm03Gl2H#*+w zAhu_@L+E&?f7ox|cm0>x_v8D_uR+dnEZ05KP{VqRyG4%AX_SoB^VS%BFSZH#UTjnJz1U{xd$G;Y z_hL^#--~U5zK_!qH{Q?rqaDTjqBXJOiQ1s$vJ=tqL?@x+iB4ww=1->(Zz*k?(=I2G z?_tRI+H*dvho6exFQ=jT-sxz*cLtj8bzph(y))5#?<_RG>xkxeozVR5Y&5^?%yxT5 z&dE8K*z>8r7u1F6%_HRh*er5h&iTpt>U%-mnBJ86-LXmJf}9@7`D!`!LbRNE5n4{| ziQeBAqxW|&^!~mCy}vI-@9*B|{e2mFfA>M}@4o2$eK~r6_e1aRE70rIA3q|#5_jNL z==B^ z4jsR9JvvV426UXyjd+0hBhm3lH(`YP_hzhxx1jH3jY7xYj7G=b+=`CBxeXnEGX@=h zGZr1El!BJ;Q_*oaY3MkdbaWg}6di{XL&xD{pyO~d(f8xB&~Z4~=s27lbR14DIu0if z9fy;Tj>9QH$Ke#B<8X@5aX7{3IGhr69L_j&9M0|NIGj7saX6*uIGi{-4yTO!rA4GX zXFRd@n>r5XPVQgRlL_cJoQX_#9L`;6`Z5VkU+%`eWm9q{`H&CZ!eT$%lz6VkW2#vy$}#^pSk^LR*i9@8)`ClNoHGe4w5Pv$&<)gn*k zJjL>TCoa&C?jh;p!knkWatm{w3Ck_ad6wk{Ph6y7T#m8n<8x>~(_-{HcT3RmHP55z 
z=2Fi4MUfYBUL^LsBkAZ%IWH$;b$rb$Oz#m{ma{xL9Z64L&3P>utLf?MVgFX-yb<~kZYxfrVUAuMYckSLrziYQ1{jS|R=y&Zl zu)YS7jXCcUyZ>ssya`Q@-$T>m&1ic3KAIkXfFp1VI!*f9L$e za(l}Tr0zhUcng_`h1l;kiQouU>8)OvR(Z|JBQ_i_M7Z^M9rz z$bEWrZi6tN{6Ea6{U03% zy}#R|_xGvj{e2pGf4lsM@-uQfB-f`MOV7+L=Kl4*$2!ME$p3RAby`I_<({1zsau&C zi96?VU)QZfe58JRF6YmBXP4YWy|XJ`O+I!W+E08wW>P=th8?jxS}(l-M=-w!-iQ~X z-v_%0Zz1l9ey{9e9E-g$ikINlvP<0$+HrboxX#G_^~vqa{%G^ZzIacqdF*EvcExO_+mDok_9Nw@{YZJt?;Od`Eg-fZNq^`63z>d4|5t=vuoyc< zN^-{~m&5qEOuwDj{NWDbj*-&bcyhiz$9l@}1uVx`aXdcBcJE~Qv-tlBcqUF{`YTMo z3tz)YxB~CSRX7=!QU9KTYl)}g+c=H$FsO8T?tPrsVWsyd=k;C<<1LZ-Gjbmc^Y2&Y zKcMldY!@3%Dt##TVdhUOos~NiS0iz}GWB?5{v)|_!~8k9v%~y3#&PdcJfRB9&BLnr zDEswL{IT5mEH@+mxQ6SD@pB@4cc15UOX-uj3vv_XeGKLOr`V3^{L|=leFjb67ozF< zA~YX)mgOz)KZm<5Tj==q zb?9^XHfG{_Y|QxncklrFwE-RfzLD*8ioBbu-fvsb z`)w<}i664O_uDq~e*1{&-fthH_uD7v{q`w(zimhFw;kyH_8EG=?c_QPD*ZfnH`jMq z=`Q8^exc!hL+0egh5bVAw;ytUV*a$!A9MHO zY9tQ#BQpQz+~30dUvqy6^M5rC_aid@_uRk2{6BO52=o6mjz?HOR;thW+lMFMex}!o z9LW8f*z>D>@E{J1AIklg{~rFK;XS!J> zuWDW*-NcY?Rzt^&R!7H+)yj5PyJoDjJd2Kj;pX1i(b4<+i6Z1|c_IW-DeV&P#eo9_jVxMcIe9$hhJ=^m+ zM&_TIcUm$=mODM~45nK?#7Z0PJu|NZZbkBa$~PhZ59w=1_Rssh6MDa&&2rxFozeUK z9Q1xa7ro!Rp!a)M^nO1Nz2DDA--qmm_WyN9uaoK6Z07eMz6Xgzztcr|iGHV^>~BT< z;=EpYiF_OBce*6+(!4~ztsU5}-Yjpw(`9JCQy;Y7sV~~^bUE7Z)DP`W}t2 zU5WNPU4{1N4nX^z2BQ5=gV27btI>X^!DzqJ5VYTEDBABd4DELsj`llUgZ4XJi?Om1 zdDnCON5rqwaQ%^fryKG{GQFtmMh(+3^gG>z_B-92m*{u8h1h<&vKT#6YXc3z}<$f?doWB+5`SZGNDSb0-)0w9oxD5m3#>kEci#7$$E@-_d0!^aBl5n@S9xD2W8{6CZ}PrP#>o3N z-}!&xyd&@1{E+t})0<7+t6@5Z_icVc-?#Z0ec$F6H2wS)ec$Fc^nIJ((f4isK;O6d z6Mf(2FZ6wzedzl(`_cDp4xsPb{EfbEa}Z6B525MtKWKXVFPa`7M$_Z}(Db+hO^+k_ ziS)P(pE*UvXS zuBYMrAnEbZ`NuN7sO%UG(=nvS4bb$sVSXY#K91P*_;@ruZiJ@CjnVYD3C=2Onx9CI zn`u}dhUfW&{KWIz0uNAbZHfQ)T({2elAn04k>~cr5c}K`^IV^te+u(`o{;%%^V<$5fNKZfV} zoUk9~hW&Csm>!<%uIO`p9@{;G?H)**YPq9`-he8BHiqZDV$g1Ev5bPugFiN;~3JH z{>lBlGP%E3q3O#2G<_L}rZ0n7-t^^aG<_M&ahZ+}AvS#(il#5a(DY?En!a3vrZ3l` z>B|T-eYq}qUalwh`(!uZc)SsF*E%SH1o_gNmq@E$=%ex&)e>`x}%fLVAG 
zX5+1xgQ=K{8JLIvJ07cm_1Yd($aLRBD8e?h>lCB!FO;C~FN{OqU$`B858)2Ro>`S~I{hsv> z^m{p<;db_8C;C0|&(ZIZ??S)B^9AfdJ*#Zf`knVBGvZt{2oVKH#z+%Y(!iK8)I#3f~R9smaoJ0 zYlcT-b8LVo;PKc3n_x?9j;*j29w{fZDM*wPPDINIC*ePMGDcYL6!g2)ZSnug5A6$j z7bNmeq}1WMa4M< z=Q7`N1%`4(7qnc_6)jhshn6eON6Qu6&~in0oEN{q{h?gZL&JGS$^#b_^kTm6<@99z zZ6X(k*#0}G+s=JS*w0JD@wlJ-U&tRXL-WTzEVq*9qAzj1^2-aZU_GZr`f2Eo(McR{ zf3zL&O8kiBufp9p0H-s5AkM@=VZW{}7)<;av3lNyB;%pDgm@T!!~YM*U+|jnf7cd_ zAg;-L^*mpfjIYN7EO!GgXZnq}7DwV{ya~7C&G^KU)5Zg*c-ioB5vq%y9m*LhSiJGCe0u z&n?JfIj3t0`<0K5S1G_!;zAscMQFLE81u0Neb0IvTHd>z?N*B1QBcbD3hfgiju(^> zdwr4p9bZt6%W+Cb2kz8x-(V=`O+?>+xC{Nx>m+o$cca^#j78}3TS})EOe;u~2Qicf zr?WlFS@)p#(YOQo5H3KbI-Ouut2OmJogAZ~(EDt_JY&mNtS{|H*mIoh3%Y%=g z@AJ$?-{+ZwzRxokeV=C@T3&n@TD5 zYrKN3iI?H&xE#CSt9UWKhW+t%9ExwC@1L(g-%DAEBbojtdS9E9Mm zZYP}%<@azOe9!W>xBh^(x9&yLVe*sEulrMh{iHt^loloWb+N_vvR{qE^Mq|a=DcA& z`=>C}3y$~~`(gQhUqPaLzaM?C_yBIfztQ)L52EGzLuk4FAN2j=f6@BDVYEK*A6g%% zK;|S&N+J%Yocb&pW zt@-@_QH6>3XzLax-lMIDzDHZ13lrsZr2qIhw=%Jt0(n-?aQ$ME|%Ct!89(*p0IoYxZb*}qok?}oI- z`jUSa^?@#EeV{8^A2<)K51fzI2fAU^ z$rluM$LiBAD7>`L`aqAu3kwt13#kuWRM;~aBlUrc3wtGFq&{$o{}-+=QXlAD*oW!O zCSRsuI)?f{U$mZdIa*KZht`v>Kq&#qdeYTsJ!vpn zPa1;OlZK+-&m4w%JQu^!?`K|v)<>>I%kv}9a{hJbcQmg@>jgKU-_g7g{f_2H^gEh2 zq2JNG8U2ptE$DYNN1@-*9F2ZQ^H%gbnz!L6obNGceQ_*)&Gu7pCf6?&tuLgZ^@Vh_ zydOo&`!Te4W7SBprV=#Fn>- z!|y6QUg&c33!h*)%R|U=PZlm9b~y~`{ZlMgQSo%)Gt9SKjv@VDh?dJ2q2=;t(fr^! 
zv|PRzEtfCBdGY7nKIQVI8qTl#VY&N7)?YdDQsK+QzMqWj*DGOv-7l64`QCCg-+Pti z>ae}nui4AXa~0Vr?>h3;lhG zbz%GK3*QdQuP@xddfP?b(NIn>ZX4NH_--=BMuSQ>6~52$4J&<5Ilj#r`rVQF9~6EV z=5JBvZ`IK6j`WLfEBu7{(@H-s{0LVgap+e^=6_oFS(v}0aC?})!#MP-W9Wz8iS|Q( z&VD@<-&IJy%=!L8!}-SWz0f_(x4ix(T3-Ju94GaEw7mWe(=A7T8>W9(_&u@L<%mBJ zn}6+Pex=Bdg+H->-e*YsbKx(a@zZL$9%kdBPdqn(q4f}(Xm;WsMt1wYs#!z0~ z$NyW-*^gfD18Di?Z?t@K5G~gnVtLEU|DfgNe>oqPmk$$L&iM~5FIS-DPc_kUbS<z*yDnPJt%sI# z>!a^)AB~pNk3q}n$D-x*2533GA^Q6f$DzN!a6EedHbU>;#_0Xo1if#YqW5t#wA|Yq zEk~b#mVaBI?{&8f=|StFR#-XGy68lXt6ijxhWpvLZRDh)lan!Wzn)SQx!wD@t#ZBE zX}F(}cI4BFPA#$=d0NpKEbsL?9lc(}Oz%*17O~guO!T@DGreO`Ct|N3QZ7Bas59I3 zdLi@ADLOY9Bg=Iu>dJJ>rJ7oLUQsuuyS?+#?Gdw{?nM_7yS)pN^LwD%y)d~P^LY=U zXHlleZw>R2^UZx`{NF$g&poo;!9`bNM;soOAEGQjR9SwQhUJmtyr$^-u-vuEawC-GuG8?I z4zj)*if#_e-KZ=#Qd#aM4a+%yQt2&4w=#cP>FA&Kw zMftz9qSWwzX~rQvLXIm|6vd919hT2fmd`5649jO3hvkvu$|))c%jGJ|{;VM7?AZ`un(dV>g_P7vdD`g;UY?`)TMn!RhEY!F%va zycez4+=td{W}xF5??=Zovb|7`d63w8%tL5BW+qyXnZ@z1pq%kAT3>pE>Gp@r#*WON zgPn0Mx}WpV{d^SN&&SaHd>nh@d~|=FK>I14MEfZgp#2n2q5Tw3qx}@m;H|h2Jk-E70@35*?TMCOR&26|TY6_%^OV$7Qa?_wX(BdaOh1nQx=@ z%=KtJ^BuIFxdFY78`1Hb@1o;3H{q}N9y)$=Gw#Rt(fZ~GxMkXwqODvvzsHN5_YaG< zC1Yf}pB8BU99e(;p(rtKbT9F7#6K1#>bpOo z_1&MD?s(B(&~k#$&z!Q~iheIj)N_$~?jJ>eChNHvekb^^qDc6i;C)z|_3(e8-f^HP zQSbO0_p`o(Xg}8>)>9Gxr|940dXf6@;iCVN>%~y7tU&9Pk>W(XvJzUatc=zxtDyDD zs%X8k8d|Tcj#VeuEUtmor`0Szy4ZSUt>W6niSvWhE9(>=m5h;kW!>U>$r!0u*7yIy z`9$iK#}qeUdb7#LYM73pUfB?>S00DfE00I(m5tDPWn;8n*#xauHbv`|&Cq&fbF^N0 z0$Q(Zfz~TqqV>vFXuYyET7PVV*27Ok`?F3$`?F3)e~0%JEXB51j_q(Fw#O-WD%!qq z8rq(4I?lv1a5i?p$MH;DfM?+%?1)RT6E4HE@eS;ZYw#Rghv%a05?zWT6HeiN>`J_i z_&nT>=cB*3+YPOcc1PPGF2J9#2mXc^;(ojc?f2@5m8hp)jMcCg*2YV)9$t#}hxW#1 zcp2J1)(7n$>x=F2a`bm~`(Y=%0{vax{^;-OUWxXPU4{0K4M5vd2BQ6AgV6r5tBVu& z{a|8$e|HG_`@2KY-`^dE{{HT8^!InK!8`C;v|nxn+Ant<`g^?Bqrb;{16m)y5&b>h zk?8O7-h^|e+*~}0`*8l0TQuB<7}|qIqrb;{E53-gq5Y3z@J$?xZ($1hd%UUW@A0Og zzsH-7{vK}>zr+~&d%PLw@9}1$?Mqqc@9}1%zsH+{{vK~G+76Y6{vK~W`a8S@=(F+ox6yW~^=P}) 
zJ7~Mq2DDvjBib(YF4``&32m2p4{ev)jJ8X?kG4yFfVN9*LEELaqU};2VytXi@y9%m zBjO)vcpj1S{7Lb4rWcics$n{YcBvg`yVPf-9}{sWvF%cyqwP|=&~~XW&~~ZaIIC<= zvHARr_?H^ihoN2S>*C0rCvty$dV3=NHW`0coM@-|p4fIO=7;vEy~T-ks2|aO;-Ap( zK>Un;2jUm>I}pF(V*Cx4;_v8pApStV1Mw%?e)Sjn9f*DCcOdqo-+?%QwsZZB|JM(F zsQAp1M7smhZuM`7ZMPz>bUyX?|B4g!Fz1q(0uDEtPDj5lLCksW;BkiYs@B)fLhI`tS#BxE*9jeOdp0`Wwlg~3 z_8i=Z=i+=lmVl9Ee_dlIYnPw!-W8FnJ>gL`<6`f{FHMJ_MtN9=XdROVlS_M7)d`}eNIb>jz= zT!qo{0VM-De*5>ZlHao!g!W5bjegf+F#27KA?SB4hO)fxYY!uK-1%^H-1#-wo%z?| z;j$4WH?Uk~mb;Got7iH2#^L@#uER|wH-_W8sbnNpBff?I>pSsg4dc5penMna$!Ml~ zJnHWw-io$A-G;V5jS1@+TarR-yOY`um70vx(Dtcx^!ItA==z3 zC~`+hDY3_e@#7=$lCors@#7-pCF7H^dLP}%dKrjcG9j#gV#y?yYZ$pp!+MO5joe)_ zIT@?tWT&9xWT&FzWT&CyWT&I!WbZ-8$=-{O^S+Ps&-lNRe?vRl{mONFKtsC{hUe_l zupcu^9^wB?CuXtzHj#%z>~S5LK08dGQ!&O_UIA4PvJ>anms@_)3wcRtho zeWxeTdfSs>{(_RHh)r*f_%yNY!q4DDT!?q$qOkn4C5wqof1X3rpCj>-Wc++sZfVJj z#HL3tpy|<(_@!k0GQJjHR`Loi$K{+S>&wXRRlQd7Dt?QvC#PdLPj7_vuP9kbY`S*D zH^cN*C2Kf8ts|>7oS#Izw&bm3jNDJ_O5P?my*uLiF#Vm94NN!PLzdfEvWeJq?_D(A zI}*Q_j5p&~On)D(2YHP0# zI{ycn&i{#~^M9e~{5~|D-;bvA2heo>Z}j;*h`$gYLdRqNgAvk`f3X%G#$)k6^mmaf z(DXhsE|K0>LeulgXgXg7O_!=-X#YpQqf#AB?`w=Ry{|d07O~Hjn%>vOT&#n>|8W%h z{zqN({f~O+`ychu_dkwC-~TuUP5+L?b>kb3Yk<-6hU1PKm&hM5j6*#heP5*!`W>9c z>__tm`9C&`G#%HB>F$sE9h~M&Z_4}=ut}uFxR%NJYCh8n{~vX40v}mb<&WP^bhOJ| zL`76uMFlnWXb==Z?R3)JL^|D})7_w`u~PMt6se6`k`9ohn+5?DkR4?QS(;TqKomq| zM+BFdan#Xq935vIXPnKM(V74F`+m>8Z@aJZQdJ%JkHsf_c<#+9QStua@^kq$Z_uh zq`y=eknv(1K*ozX0FZWxm4KYT2Lf__9R$euG4BRs{Fs9Q89(L_K*o=G4T?0+8`z1^^j9=0oVeH>x9N*W;PvK*;zpgBVBd+ZzBG zKV~D|Gk(kvAoua30J)EE0{qpGi&XVsa@LA{-AmYuGW-GI# zZ)HM>H>00xv&Z9om#WQH0iO@pK>mT#>V(3N0HWNs*(u4lZFXAnZJRv-`8J<6Ln!fP z0C&7Woj7|E-n0J+$+ye`(vCIfaGI#0FqBR8Ib(TPC)WArvN?(cq-tN zfS&~X9^h$!lpjt9B%L?|kn8tTfaG634aoKV89=VnGf^+D)3X5gR%g$C7VlXLHyn6N;^dt9GK$QQ&?6u|@5csc~z1}Hyj>u_i)Y+N_?6i^0pD}R zS7yHicsSr)fPH{>10Df*58wvCF9U7{ych6Tz^@wofD%vVK0xx3_XCoT{2Czn$Oix! 
zC+q8gjGy%&AnEcq02wFiAwb5-dKi%Lu^s{B`hOIV@c$o2Fcz_%d(cL5n6>3e{TkMyU2+|U0Eko@bP zqx@^t_huynnU&%h?~B_kiGQe=_@5=9!TD=1*l^{cQHH zWnKMj_UFj=D)l#nf}hW?RKJ-0Tk}lFI7z<*WSpeG1LVB_dqBoZ`V}De^?v~5zW!@K z?(6>u$aqQr1ju+vzX9Go)IZPu3!d2yLej~91tj16Z-C^R{~eHg^KSvkH~$A9`R4xw zB;WjBfX4#<4v=w^eho&Z+8(Q zy_-<%tAI#<{@e>C{Z9yy{sKa=mjc3Gx_s`%NIz@)i{?^*4+7#@?4^K6f63g-CH-Y{ zFO~F{@mcJgfJlGE+^ZygkGWS$`W}21yCtB+KiCtH@ef{&_si95=3a|u#y=oD0&p+D zqjtP*?)4~t?2f$&h3*1k9lv32A9?>qLU|7ey~c{UH{tu#YXFK~ zaTr%b>H!G5@PTtH;Xkkv@ZG2n`O$*_$&cb0?+>1P51z@F9s)?d6wi47-nm2ZO#T!Q z_Tu-=9ft3aF9k&U;dAdd&w$AHfw>RjJ^cm3PHta4*N6P%?*JvH4bB~fXV!m%N#6*_ zb_|((NXI@sJhut(6FZ0Jw&4BmPTou?^#sKJx^?a&c;B`2!*fStJYTr;7(SyPKTIh3 z2>0Ip(Ya#*R|0-Q%6*Jb_T`UDxe-1~{{y02ZY~2j2{+!WwSz-`D+dP(@g9W!$$$$QBEk`MZSz)AEk-@kq5 z?A$!&^DEUHq0k#Z;M*~`9dIS!PDwwRP|^Y6*Ko?*sd#1_Ey6WBKRx$JzyZM100#k2 z2OI)C18_6orvQ%uJQL;l{m%e$p7D9_?Pt%O1-KIM0^}o|`z#>o+&O@xbLRq*&YcHH zI(I%G=^XPPyYs@iiwr)(mD?|#I}z)P^bZhz)t?WqEBGx){2uYE#yS)K01sY)ex{$m zm2=up;3~lHo_saSgMM5S#v}ILYtcWn_g;s31oqn-=620#`z;{sw>Pq!_$dR5UH0ZV z*l|D?ZbAAVcHBC5o5>FdyX+U|ZlBZn0Ywjg2O#zEcLGum|0O``;qL;Z9{z4X>f!GJ zq#pjufYig^3rIcuR{*Jp|0*E$@b>{y4}U)(_3&Qng=gyF zp9Z8J{uw~(;lB+?J^Xh7KX>wXrT@>{@x5^WiyrKa}H4|Iojj3+u;!GWYN3cj_4cLH~a$&!qo&27mptxxYa=^$vhY|M}c6@XT~T z*&qH^_J?22{T1S>4p6>#D5D?F@e*+@@`SUN7^cT$k ziKM@P&$535%6_*Tko#Q<>+zx;FJk|reJ>`I_5q5X?WKU!zr75Q`nQ*(To?NB6@b*c zy%O)azV^WLGWDwYJ@I{x7a*QrJ^va!vtIyFey{o03ckJO_r~{*-SIj?`5qwjJ+GgC z!@Sn_0E)injVRCkX&*rL=L$gXOK$??e)MKQ?x$}-e(HPn1*AOwR0|;fD0Fi#+{K1lb z5FygvO(^38i1b6|50&)y5F-7(gu;gbVw~PL|9+&Owf*q z=07OutN1MA2#EC6^J^r%f4)!B`}r(<7@+WBYXQlJt;74}>WKLPJd+P2Bp>!6z@v5? 
zIX{T<$L?59DB}T${@XA=B=0v8%6mYpv!muW;rm=?fU?epG2Vap!{+%dNas2Oly$Zh zkbKzDfaJrD0pvRSFd*02M*z9bjzxL$VIKwLy!;s6pMdut2V@+o5kSVF`UD{3P-Os5 z0~`fp9I7nfXLh*rIl!9$$5HR|c8n29y#X=LC+3fn_jy8j4~X?$n4bi^4)88XFNW8_ zYxmw>nJ-a4B0nx4-=5LmKy9kl*ruiEs z-%Wg$bpr@|w{ZMX?^|U)oVERn^S4R9FY;OP0m{6;1CaiicLH)=-!*S`1?&#bm+j$> z?O)h_-u9EWSGIq2`*AxmJN|xqddFYy_{okR?D)-&pYM3Z$$xV49Vhqfe8m}0o__1; z7oA=|{lllf`P5gR`ukJ<;gpfnj{oFgryhOEy=RP_@yw?lIWu$S)1Q9Z*&jap180BX z?1#^O{y8U|bN)HEpR?3r8;e(S z&#Oz`d&%vWeD0FDOGYpGi%VW|=|PwN?9#_Cz4OvbFFobby)PTMZ2jd2UB1ud%P;@e z%f5Zt-Ism-vhmArzx=N+uU`3yD_33l<|~(9`A=7T_lg%>anY4?SHAeFE3a~|KJw~A zuHNVB7hL_*tDd;(OIPi<`qHca>gtzW^Z9GWuX*U2Bfjw7FZ}A7OTKXD7hZI2&$WA9 z`=x6yx_0Ec!>@bc_5XO?b=U2>{@m+Nynf>PZ{2X^4Rbe4-mv+G-W%R?!y9k-pX>ka z`d?rFC%e?HH|~1puARGnvg_epSL}MtjpH{C-FV22``)W znK%9HruW^v-^~LzA9eGmZ~pbo-?}+>%aON?-n#MDLvQ`=E%)E@gx%JF1*1vfE7oYy(U0;0r?H|8=`u3-9-|LP&?s&-^|8@J{ z-Tuxy4!YyRUvlpH;a$JFtA6*J?ta?m6e4o-e=n-hcY? zjxW1k{`9>+zIWfRyznbmer3y7Kl|1ESD*Om559WH{ja$H_xD|QU**1i?|b=u7v2A_ z_y6E)$2{=J1G^qL_kn+X;JshJ{_96QxaPsbA3X5E`ybr(;8_pu`Hf@0vCl)@4=sE6 z_YeKsL%)9L7Y`ly@YuswK77){uY2S-5C8b#ryjoJ;Z=`JKJxiT-u3899{uGb-+AOq zj~x5xX^-Ci=#L*g=ds3PA9?IQAN$5*H$9ep{DH@>ef$kitbStdiM^lv-zWa|iKm{p z{fYi3uX^&nClC4N^S*ifH=q3GZQo2i^|`0!o*IAZy-&UIsmGrBz_(uYboJ>Qp8m|! 
z&piFRr~mNutDZUNnYGWH^UP(>aANO)zutAn^p%U1e8H^_yVa?D)>Udb6P=tp!c3;gM`LH`_qMOxoR+bu0CJxs)D5b!zF%Xsujm)ZLy+ralqI(A!%1iE`2Hsk((s zJwFvk0vs?)CDm6Q7D;ZWp5;+V*roE@oBsy= zUvzW%ObvtTR&&yQFGKP&XLzPocZ<&Y{Ae{(MJ<(jOQe`LWHrgxlP#C(nS6=kyKgj~ zH*T?v$jV=LLG9J$bXB^lUHPu5u1r_G%f&PQuL_v$DtDFeE`!t(QmS1wyzQ5K8T{XH z*9_jUOtH(^`+&5wNu>r964Fw%2$%u#N>>3{(tF~AZ{k-I+V4%kk1`+XxAj@6-<~RK z@PF)C!0&t*U9hLxKXtTH``|l4bFFb3ua+AXT@m(6D4#WMlCj2|+xZXr<%ACEJ=`@R zEBECJ@JT* zgKK7;W3uI(ySkAt)Q76&Tq9e@^-D-!=JdN$ZlO#9zlwOBN;N-~sk_cprs@o4N||vt zw_>R3j=5F0lyz%Pu{;X$?WETg%A=V=C?#Df@My=`;@}u~F-EVwm*SqSqk{<52+^AE}7u^%e zB~FC5;cw4`{#aiguQ?klZfV_mY^AstM+e6~<-W@i31Au0MLiF~n+m=)za-y7 z9mn$HjViYBa;Z`+3v=Lo$>|HHV&>}9p~h$-pB*TTl~DzCEC0bfxglwuIOi&CG~p?* z9%DR;Ny6=Frps~Gsje*;bk3VT*}KM&VH}i=S?c(I?q{4`Wy~%;kGP`^A;+jpm~7Vo za*TDAoii0?PM4GVv;w+@M!NR_hdS4))TJu*4qadMO28)bV$t=}m&s0GAqGP>C`)pk zTdQXZb$=PEe&BC)9R|oo8-;>f&zDBa8SoX}nr4;Xiob>O~O_Xb( zpYiv4QzqXX&94_I+iAV8mh0tg8CM$eC&VVQzRBHT{pn=LtN1xe9R%=VkFI+}wXa-t z`x|cE8FI_u&YgS-lp&MlqUuZMMti0+1@ezUKW9-OhXNR5DWTMRI>CEfxlt`;&}&k) zw(G@m8F4kna5+CIb{JNJT-^Q-qt{#)Jhk5@JS+{G!@efKG`6B$f--`F+*t6?h zJ%=4|XzxcdCpfQGspYDx$62AevRu)%6oeznM@q|_7|nF4T+ff?v$9`|WYId0;$Ug; z*S$aRhC~O{eFCJPV#OFpgys%v_^t>QC_worG(el&O1WC^t7d8w>EV2_0RhvMCuvqN zKognLxX8y<85K>Zg5)OSQpB9=DU{2TjY_&u&SnZdrA*Nc^`G;6_1ixzCx5};qT?LK zH!kd$MyQJ~i1&?54^>nI!8CZAJT}yHk@H3{Sn_7JKAB6`%ad-&%qrQ(0z9NZy^Z<= zM#PLxI+t;akoSRlTP3T~(eE0jBC`Ld4Fdq8BwM`H!|HcPz2hYi;C$BfJJ)xpJvnfp z)%++l3%QZ-T&b;EIYknpWW5IU)@%?4WPDsVoa;4&&!mS@MW!7|ayUO$np-8^MI)+Z zQ16=m25l|5LX%m<`c9#iOJ{PB=Ii+y_<8K4=*Y3WiwkV^&*}%}2j5+n^=Dl4|6@723mR!YdMuVw8Qd7 z4WM4nc1`xJ4Y4AK;wyra&m8Oc*4cip8PfCn}&g>G`^a`h15Uz!10ZIc9OeepurF{ z>RkZ79>e2zHn;-e{7+%4m zvqa?*T~_L5%CBfvUb9py`pely5zCsGxIYE;z-9==Y(7&;H%9YlbA2XI0wE)QY;Ta? 
z>-V6XPZ%+?$_Q5$)&F7nH&@Hcc*OJy&LGvuB2uo1d>7;;J-NBBZ&+_3LlY2HbiZ)E z`28lu@d7`NXHf6Vl=PUM@-k&P5B+l9IQC({^IF28o+N}o>%TyTK_6i}sJkU3?31ybfOtxAo@#4LF$9)22j-PI+^)K_T|ws0bmg3r zjI!?pzL-EcsJT-OOXR;&r7kieKjjLq{j56aviGcq!3p)UUboHC`yp$yJojNMy}xf@ zP{!GMFQe28Ic=tvuSMp)q~Pnta@7oj*p006{qAUEoP4A8Ug|qshxw;i^QzTEAEpVJM?}e^>P33{dXftCt!}P1Q_6Zuk`Hu*hkPg1w}Gamzau>8pmGn$8&o&rwGcL? z`Z~h5AyX=ElD)e+qtUGdo~WD~>}+9ml)sakCUKu^rQ8O$K3%R(4%Z>tk-hg?(du`x zg|WP^v^p4{jm?Xg@+`lZ?A|chJ!i|N^^(pCTlxmQPITsxKCq_Ma>3D$&L(tu9lBmq zVbU@GyG_ga1>`#sx~TIHVN08UaZd>D9$|dm{2m@0rX1~m$9o@ZpV^UzV4!U)|Abav zqs+c7mCI*5e)7Go=1;GO5KKvF$gLLhV(4IlTWc4-2VSL+AI){Pelud+o(wI$Rrq%M zbU@QK42QqwI>S?Si%_{k+Vk;rwr;)g=J;t;o%N502iB@C8P1J>~6!d4GP2{J*?IhY!z$s}Fs|4lVYH&rgufS;R9IKY6 zHY=yBy4GtUYPnNXsWGU%yN(d1%f$mYtdPCrOqDt%u$Qbugdv?lz6``7oiuPbiceY=X(HYE-Yr9u~3~l^4{@NeUCU!f_5YeJh zWjYGM2>Sj?=u4ZI@H^1QP3J4#Oafy3I-B2+Ux$tQ!qA-$16TX~(YtYYLr7Dc&=sB0 zS#4(-g3L+_EKT40p`QMF*ZX)dZM52mN|4DBGL5Ex{QTbj9TMh4v`{bliqQ00#dUL7 zy9IA3qjot{f2Aerzu?o+zS^Nu+jL)1zY^;w!#A&U%SPc* zbL!)bd@c>Eh_1i7&a~so#CCjYv3B&MUQ?KubWGWVzj6FO&1>R?a9B?dO<`~(N_~WL zVI4A*v88erdxdJwsm8xxr?p>Rrc&nz^MU++6aNBVgpM~^H<0{UoAUX%Th6Irlxv?J zh_Ny~uu=2T>#CW`1Vq2JnPR?RZ)u?=SOP*`F7K3si2N z9i4ir7~P3y6S;X|xpi2~W{?B}@0Ae2u4Z!ivZ>PAj{0RVQ#mqUPm3KNiW`sE1J^)D z_=MlfWND9rrLRDb+}+~qiDW*TW&gx9hMhCc%u#XxwwJR995-@IC2B?r~)K+JVS)@h%!~m3< zHNnR9-zgn|B{(zf=10RTjpNcOK5*%EaTzo`98s;=4SZubA23RrO=#lm4nCToAecrL z#`@i;9|#`SJT?b+8_0>j^oddYtz!GYTB!D@gu;*VX8ZJEO|g7jKE%ZbJ=2+-9!GUp zNA=3Xbg%1jL`UT{LC%!wY0tXs4f&BB;TtGb8udXqCC3`rj{k75PAAle+3J|jW%QyLr}{i{ZSr_dY={h}gT zlD|=@ACl|qj9!XX{JzonlThOSLn7K-4dUl~cjBQzPhBcXXR5<#|=6EP20VR;K&ovp(uRuDc~+F#3S3((2_-2Ob0 z+E9D4x!lN3_=DFmzTt|SnH&bQF5*-eUuS%DF5}_gx?M;f59m*LeL3)X!_hxEKNv8E zP3?V9CwlhY6-KYj1+GT+anbE9=F9PQ&zIwVC|jKSp@F+wR4ai$$L-c;`%{(r zzEQD|uWw=AhV0A6LQRJsZjO-c!yIX6`xlRw(#{dcHl5LDp{sh*8_mG`!|fZSxyTs2 zZTq*R8O2Pxc08nb&txYvVmI;7geO1BkA8o*UmxG3M|#yc9_=sQO8H2;eZ7_TcM7ph zVZxR^aIyYtA5ZiCYadVZ{%aeLQuGh-`_C&Mk^(|~19l;!bygl{iL&&^wa+;_eOjaK 
z*$t3I^2O+LlYDPOUcWwiUWs25Ep#}>QIdmZ-e!fov|IT3z4{wIwr|4CPFBiT*+GGb zzm=CCY8&WVfJyuP#_EZ59K)!PM`_|GHk=v5ikH$#ah|o$9|(^bCO;kG(G3Y&+o|0z za7*@Zb;d`bK5H#T)AUnk^88G>QE!a8V^tj0pnH*5J3Wt=Ib<;8_zaIh`C8|-UiO-^ zDU-`o`w)boTyxVt8r12ij>e6%QtQ~#tKEsrRK8r@C}9=+v0MebFSXByS?lYgI*7wZ z)5gtXKllfogjrv5_xBt4H1Ocp{dnSje#c__xhM4Ucy4pCxD~I9M+dg;sh)UfT*hL;O?Rp@wUAq=*SCmf~hG0)7g@=vG;7VHaCB4*Z)y2v= z4-G>roYXlu{(nxmIcHcr2-Xc2?P-7g2l^aO*0|mD%T0;>a)I41RAFSnkrknp zV8DmgT7J4|IW!(TbIVhqj1z%#WzJ4x-P#fEgGs9oZcwQ!OdtHv)ca2p>-{ym-nPkj z7~?mEs_+nbuVFW7r3()Kt`L6H3v{u#r!aU&@f4OeddSJL8WfQ^i+LT<>U>9~9@h>0 zN7KGvCbsW8i?uI0Uz^pwgrVSZ=YkAL4gcyx&kXs%QJ%&CQ8@+YXQZ{VY9BT|;DFJV zuof7FV42=)HTmZ%^`p?d?rdMnf=*X`*^*t?nf*<>T+|9s#ndLs(>_(y`>ntKYkpxX zg+9X4EnA994{;S_^mWA?--A z2YW^0In-d>cgBzc_wbqAo5SU7K5+9yqc~d1W%pG^LuP)&PU$Gw`B8yecIyF|%(T^ldIx1w1&t&WVGGorr8E)TiL3KkLacSnBy zs5fh?oHH;CPx;juqi~}CS*(1ZNQ-^&z?SoCB|m-h;lU~A*8T6;>n^m?C~x`sym_bl z0Vxagr|GBRQlKyNUDizQyL{((@I!CGr)CT*Wgg^{6+~o651nnJEPP ziD*q>{&v|Fk@I}I|K;ECxgx*cz4XwzqL%s)b zu-}`03-^a(`eifXM$pOKD=++!sJ&o}XC5~cGzR#ouT-1h0MK79!p0FzMAA!{KCqE} zQQ%2BobBZseGc8c_jn?{m+zVP^x|@JQIxM>CNI4)S`-f_Fc}h;Ci)$+9+B_s@5pN% zf5F3JeTO;Tz`~xRswntI8)G=xAFYj2d&V9_(a|72UCt69Q`u=g7E7;82pN-z;L0=7=&r8AAc*HcPUY_tYC11 z{Z(p(C|Vf2v7Q36PQ7}_;UhTU3ezE^8ki3?A7I59p#w>p|L8~$JS{3mV{^jkdoO`n z+7)aVB`>h7j9>76-SBW9##re%MZtT}PI2X8C=vNT6Bk6ss}1s*Gh?y1KG`v2eoHe- z&FU&5*;IQOdV_LbsNF$6|Np>!B0>l4s-b-0^XZ{e>9KeVkvNV-LI30so(y6xph6}X z3z9g0g61#{;hfSsk`s%*DIpypXC!7kw@lrkkLCvJ3>?l4Taz>#HQuB z7P7_1Ss%;QbRj^{sLd2B^>Wb*|03tkLlyRuMP3iedB=-$FK4BK_w{O{CITAe|ImBn zDC#g#ri2U0wxd>ubZ=Bs|M`wV-*5W?}ux(~l!GX=836sf*V ze*=0~CJm_N$0bU$*1_>}_%?IXy13dh>wW?OFu+8-o_^XYh3A~##~3-NYKbp*|+So^?uvFIIm<_BVQ+1FEg4niJX7CMD}e;@4o z&Ge^vQP_LY?qd6*9FK*)dQEW@=L!+?YQ2O)baNIz;N^3@e4Lf6r_~>NnddZVG;v-1 zxNgjE%}*J_f_PiaNWd-OpMv?V74g`xz3pWcm~QQNroZ%p=6t0*82V0=12%^j#L$|95;>Sn;a*8ZF}}_Z!C5JQT<9=-(&3cbLiOG-bY!1LI)raa zn?A7mS>}^I*skNZS$x|d1@TS#;JX)^jbF0qZ#ZAR1{HA0xY*HOBvh|(K7_lYDFGS1 zPC?e#{#C9Q$k3+;Kzz1IQ;5-yL)W{y9~6i}EWG|89Vp6)q3`Mdf%O@G;L`cr@eLRJ 
zx3xlTx>*!oZ{ca}to(xL+d|)IeZFKf70sgPqjuJO$yY>$mf7ZYjWsSIJuwI=#>exs zq)jJOpLo8W@HVgg#uM|Wb8e=dotWl7KrQlRKu@rP$O6X1u851xis<))bdQNJe2+yh zgM5^pCaUF9xlto3k$;2l$=ON1x8x9tREW1&<620E&ZXM?b#|&)8^#i}>A*Pl7#CZL zj*kZX!mkA1l>>bIt|gZlXTqF~&wHOP)nr?@>3*0VQdVr#Ml)4!a`HQA`~{zHp1nR( zaJ|rS(pe~D(YLDes(6NbjKIS2JVBW~ zXJV0tLDE9;Jgs{8ls<>UN0q#`53?UExk5YFYff>PtgmiZPk!Stb8CBDsN={Z>ys|x z+1>9Js9=~G63NBy6qK|0?4X=~{IF+?G5vco)ls-?RxLUaMLSXp)5A@t9xRiIRnoEDu9<KBG# zMiiVXPQPhn7M~tIsKYPVbgNQmzzLjlx-!Xa-;QhSnYsP&xv(P360+*y$6E7L4pu!h zf5F+U&7tZ{yz6_U2|!s*0%-y z9g+)jFaa5TT+?*6A;!Ok$}?TqUg&?cijMWP=yZ@D`yXkE5qIr)xbb`vxH2|hf_xxz z+Lct(TdN;~e4JL*K#sBIaX4Qw1ErV6rv>RI^uF%f*!&6diR&mj6oOtJjESYct01^6 zq77^RMs!#AkqgKr88{Kq#Yo2%r|TGFbn9D#+^%hSW+0)m#695c0aX*Rdj$s}7|+mr zI;!C|0#a_ZGkU;g(se7~)e&~xmPexb>h+q%_iLHZ)8Y3Xvl{exHRG8Mn+-|$i7f-Y z!<)kaX!^hd>mA0X|B(aJSadB&hatRL$0bx|BNo18I9ttE&=9Y&sGn62O*g%BdVv67>kSslm*(vXlxaKO{|lX#Ip(#xGyDs`yVDBJpJBM0(4 zWoBGULi&UI5(NDU%MYVuf*qW!rKjCd9_N+^ul^SQg^LT|dp?GHFeY&G7*JXAI8fl0 z7EBSZyw&eWhb&*gIWovJ{8{o*gl{rYUnQSK|Atr7{1IMal1rcK548`6n7C16`N3%g zwyaVOu|Uh!^g0N)qyiq>*IaLaMtTnY!T;)(S@j9{0qhzQh11l>qQ_I7ub|O~<}5jh z_J9&J6mS^SdIxKLMd=Ueg)t3CKgRr)s1VDQr%R9njArZwre4kS7oj`eUB+nzfQL0w?61a8KBPQ52;P?1J1FirMGJyK+XhqV}4uzAS_-wd{I=hfOGMF^8>sQ zDSq@@3$5411Gh0hepY{n9Z)2l{zf6Z2s|dQZ9dbN)2(@CVq}?f?g70_3Rol`u-3B` z$VbP?4%JJ>JF=*CHIwD_`2B14c=v|+3Zk^;wd}u5-eW)5GQjuNx+MSSOO8x`G5-nr zrC8@Peipr`_~Gv%a8SPW=!G@^n&_Fp=$k-5#A~es&T}0YhKcxD<40Ek(b!q*E99A> z%USY|?LcI&FK(!0_w0SESwIWvh7Q!~bgQ4F{vq|dJuicUY`VDI=NDQhSYJoV$v_+NvTik*WIUr4_@#-S;mb`jyt>f`4%3#$vQYmBu7#5*6EXzRcc0DV`ZL% z`6yjKb1$-Su#o#PtMI{558-VYPzrC56kF?G?m;T&@?$f`AFA}#$S$3!wsIM;LlseMPt2IgU3fdmt#>0Dgc)V~DN6z#CG#)$SRUCYW6N4b$ z7GDrdWc?lcz9}peov<8Wb;xf+_(i!dvXQ~%Nsu#iK5Ku7T~J9qb2OgDG_Hm~pV$23 zz~V)k!5yvqog)9L?zyD)I}`T0>NBdb1uoR)Ek#>YYCTqf7eq9t?_#!T&50^i}rDp&xjorJQAASH7SBgz2@@7M@6agx$d7pOrdvx9X$MbG2R%y`DPQ zFPe&P^ho{y>fb&-BQAM|2!Mm)R{MCY3FsS=0>nd0f*04)iGylzBy+=(;I*+TwSI~4 z;tHOi6M*xB9pUxXYJiG*$o9v{$D{2^-enWOMd7i1e4D*Euv`2%u!avIzo_r=9j#Bp 
zfWi40T^}J4)7%}@7xsPxZSZbj3r5?!=U49WmLSh!2M^ALdJUBOV7+)F{Iu*hK537M zlUkl=N{?9D_;oc+_mJv*+*e}f8-$KV&m&A^^HM<5L649p(P^iWFJ<8|2d}@eOrwA( zL~(lBF&>|uik-u2l9N;)-Cj*MJN>SXJEB_pUeosb^qX|6{c|d<(XHLb+njFgKHlbZ zYbo$Hqg(Cc^_F9lZtVu17~K;60jH_E8usN;7;tD{Fqa`?PKcdsVB--3{m_q#?Y3Wb zkZ3Mrw;I^U*K2ScF0MDzD9^-Q*q-h}!$dw+D3_cg@zZkC_#nP21~;;&>89FZEK5hRU3JE-|v z>Bo5bG_IExMYzz}KtDmIaB~@sftEb9db9Wl9MQXeNIV;ibQ048`TdZYs%9&wpT)2H z=>@HZx8*rM9nMxL9n&NE>6KBP!IF>k!XKb@7sKFd9b^8xM;oD_uk3EqR?(__E+&so z=X5_>avB&cI(HaJ4n-}wuqgHoxn@`UuUT^IG%gdy1->OX{^<`}{oPFeFBP=DJt{QQWKuL!f>w`g{NEVc<5ZQb_OHI%s-b>kpR+AH(n#+~;|AU(>lNf?c5u`M5qD z#_>EMqWv(HsrqsoGUE3h4Wyn9EmlQ8W$_T2F}S>9CxyF3|eaAivCWCI|Y3 zY$KTcO50_u{QUCa_zUJqxPSa!@3W&jP)Y9_Qgrp@{pPXN>n?dwsEcD5JJa{%kJl#%jF67L`QRe`-MpvE zmbujkNB6b}L)e%)V9nwJg&6^86QSdP!Z zI@UXN5mZ61cC3GUwSHNpZZj5;hfF)}Pi)8ai?qYpMk>Tx3JSQtQG0Qca?GH~S@V7b zv?H97#=bks=u2BcWb_SKMP$tbg#)I;eka*e4a=7E6_vVOTEhK3X+5s*9qwmS58yu$ zeM?9mD;mprx{Pv4f}?R_bPh|GJLwhwnkuyZjiwH!gu3`Au)H--vy3vslim zAW&SlUL;ChxEi|n(78l87b6y_%mi53SkVjkOzvSC|9gR{@7Yq{@b}}yZmrA|h6bG$ zzG4#JqDffu81b2v?i!1ga8T0*_z;iF;h1w4L*%mj6Vs_z}yRhp9iN>)U-a`jK2$5e@O<+~fa~dPy^beHc&5 zJRF%qSK8UEwCQhcYMn2IV!`Y0#QZ!w2HnyFG-J#JgXNcEZLG~{(!_~lMk=X~XyAkk=ek3$JWpd2Pi`{U|P$URpm7`amy za={ls4R|)>I0ybG4wCmzebMTXCspb}=@IHp7aHGiAa&}?V);TD4n%q^PLr7@e%!#2 z3^5HI0*-Qv-)s!;qUE$6IrhCU6U}%7sMAXP`Eu}}+|v*YbH1J%#kPlgnBcu(j;R~D zbOp+3{Zw9`c&$0n zulNWJi&}+zN%TJ4W%d{0RNxC%oyi@>JujW}ueu`N(P@2Za=1cQX-!9XtReKJDy>gS zoKNT+KQ8>jXw;*q7k=GePoxt!E=DK3V8HFhg-@c6h^LO=@Rth15@Km=VFw)SAmQBZk^LpnCh0@3 zg?(K&>=&k8f0fv-Cl+g0bUrm>5SPMlGNI+pBZk*_$Qr}HRH^TU=G`G^ufP9z=KCa~ zE3sGt!t~zO%WvG=ORb$4KO%IyeLHY-y4^k=y>r=gyL~(h6I|*MV*NXacs5RNqh4Oi zgLrF7bn-Ozif^0w_hjPy`_f|b@Bf!|WmD?MRO)NqR1^6lBF{4}ccxYt$@4BzTfWf) zgALxYqeeR#eP!86!viWkDgHhI;}A?7-OoDCLfF5hX1pi^{wVUoVYz7jXr0JWS*#d~ zupVn_*=l)u*v&RzO`qwdfkpJLG5%77+^CS+@1OkFiM*ALMnlgpIKoGI>v&N-x?ThQ z60{MAEOBI~rj3)G`P0#ly$LpdwJSxu?XR!J@xF8tQY%I8z!Z5Oll0 zPdwm{zLU8AzPi}@Tb%w=tyB|PNefbex+e`Osvl|-8i%NjrZGp~jYp+|Ru}|^Am702 
zK)4g>@-BYHp^A3yr}e@%a2U*N#7<(^1qqmt{IA<~J8> zFuyl2xZw7_lzLKqlxd;6wDQ=ysR?biyAQU#w^LENC$tFmjkdm?^f0tLrXP~|iIYnX z{(2Vf6{r-){~G1->;6$9-vgoYIk%4wAO?DytdPCi{e?>5?iAsGK8{9qz;6`8)Mmly z<#QYGLpA&AD-!orY(L5U`CRR*OF37;M9EzJt+l7VbXn^8vZr#QQLc;0#ol~H8po*< zde!bYQEm$FbFB@uj=MN8C=qG0WdvK%yNXhuCBBH9i|w+Gn-pNObm(8~=FBOVbqJMR z!4`KTz4P}D(-%$J`CXX8&NQBH1q~b)WPF;iR3~;^slw9aAY@*osGx9Ok z3+wyA#PxmCBJxI7V6+X=bnH{c&XwKe~qSqHm{b4W7pE|DH*V0*%HpjJKit zBbUQ8R6s$56@%#-X|!*{BZikAK$mdWZptymV$JfP+KNu;gdWrxiwGkR2at4Z9{9bk z6!CX5k6XoW#YyBoEN7L|#RlTf77$!cM|$%NrWPL-?hwuoJI+_Wm{<{|UWhX5%hPo) z!Xx>Dh4`vo9?#g!9#QH%`B!zHnK&P(7nzUZ#FV@b(<8;hg@7{D>Z?Q-F`LmMmuYat~b{wQ#SB#2IoBX@p}CcukEug{?a&!ok}A=`iLgn3`S$C@DnZ_Z z3wEtXhlTPg*jYQ_js))kXrDba9ri!uO5B7o<((4pu_^U|j@qeDN#Rl?ec2aq^ml|O zLPJ8>RP;VqkM0TG>FuXsVOXU2+VKUPzYCx9C7p}W*@esb=Xw{m6Eyvvf39}_w!Vis zwNQS%=dUyUvF3dBVJY2>P3@1deWL;&ng~zrk3nbkka>o%Z-|Iy99~wTP3^BEg97`Y zH^ZJ`=YUV&&A2_!k)ArjT-p43ByP|5OuLrAKh5Izmczl0{-uyLmP2ybEE*Sz9dwb^ zuB!A)8#Xo+Iw6lkBxz=ok2J@Dk=4OJ%Tu?={uPl$e7(!TXxC!=fbW-6(2TM_*eLsD z(=T@W>p`@mb=5bCyb-MmIfQ60-*uXA!RR_U+qD{dXnS|GdTOAJucT z>VFfh{n^U-6dHiqIw^Rt;4dmaqRy9j)mE37dS8%OZ#Zg3`@L0vn@G)?c-Rb%xaOVN<`aCD!i-yME7xe@(nCEqK&?Ri*A=L!L8x>QdO3A}wvro=W+vefd6+ zzv!>tet9iZO1MZvOemK{`Q&=B;`Aa?UjuiznK-Dv2j=1ek@#gt^jNu3hiu~sh=_}$ zFL2G^liX7f<3pOENBv^*RcxQmuSaa^Vcf#xB7C_>X7O_}Y?lapULg)7T^=Y zpS9ngk#Lh?@+^F4`}mUOfDZ66^lD5FXdh3AZ>RsUB?s&lK1&XuT+u$hVv~E8HS10O zy?uP~bB^TS+s6|LYaN*%t2)9LsOdbuuR}ad<)-%Ax3JvQ+fn<1Fsfc>bvAy@<*)YJ zx3K)h!^S@Sis-YDfFJFU@pPrWA*rhSzQq0cy8k2lv(3TXt8n5%G%pg@pm%sE65IxD z6Fo8MxVxcuL;u>%>#YnDCmQ!HZH6NKg=%c- z+ds5GeW{nFU1~&@=15L1q8?d`1u=x%oCY=`3UQ=fw%^65vAmew(Hw!l_Cl^BG zOZ3lenyw9Va-SoynXo&euW6d!zrIT6hPEMcFwyd75Pyj*^yROKem~e4vK5y}D;7%E zm-aGllT>X%J5V?uPb`~;yk#N0UieLOZJd(Ct} zBYqD*Yd-q-qSD?G>R0W@n=X%1?-ks>7V8g_uV$<(2>A=H2Hk4M;nstKkh)%IRBPPr zbX>!e#s#*1*ed&ek!JZT`HH#pBi>H($`YdY<m;W>y*Q^|-hnp8}9M0*xl9^TLRgmA?n03%$ zq|;vszlH9@aaO88O#{8m6t1(Ufj5m!2%4Lai7q8G*}nfQbpM+KG0wpVAgeMir%*n? 
zC3U!hlJ{HXcykJ(Fuh3E&yLqcK}=F!%YTFRMGXT;vc@OEP_U@AzD@tc?k}?#t=M|- z72y^g4KeP9(dI|-v({%QpU>b+K5O0ih6T!vp>|t>i{S%;e!(sd*Ms4JAX@fhX`j(* zHv6ux@YM2ZZ(x|KIedV5m=s+}+)gzyoo+OAfN$1+a5LPsixv1n$PHF-eOD5vAu)~w ztwn<_P9{oqWE^??f{1tn8nzs^MsP95?K)fcO^JNn1&i@@QGHf3UE?6u105vjM!{e> zWoRsUU6elZPq&CF&JIhQ4d)zVwLaU@7TusyR~U_!wmVA~3d>Q-6ntqv2=BG{`S_v0 zvJ*NDTWgH-cqcl`i^0mxzI}bSCfDI3MC&@k!waD?E4?A~qzt8gYsT+4iR1T!-5HYX?Ss&eeAq1TXTz^iapzGgG?9Z<()}Ni~r`zeF zn?-wlvq~X~PlERPTPpQ%&|%*)?RzY-eQ>*s>Va)NYjnN0s=schb+;%7+Fq^Qz7E=L zh?Wt}G1>&3t2U;iP4}91-I>^~%j|Zws^4y-=1sKU7aNBF`%Elk((6qderD?bmx=X% z)ULlhE=zF^uHCk_pdJ5#N_|^5l=QECeTGobru6Tprr&;;*l!R2QS_UwwfMeD;VhG$ z;pmxOUZ1$wypGc8W*r}<^I3F%0q#rMpSfXC zT-ZrZ^`@i5&*+pNf-NQOnN~dh>O*L3`}lwf_YNceoqt-?!`E4SKe_2!Zl(4dU^?>` z@~@>zQ*nb8<;UBg+||S`q?>`Xh5aBgFQl!=gdgRl7#{J5IRbKQd2CE_>A18l^GA9b zb9g*8y}D21>ApL09$vZFJnWPoiqFn-h3kRc_|u78&z&lDBPZ*frvA4i*8if#>K|Q4 zt@1nZ+MlN!Ivs%0JE_lrtNDzz#!%<0WQ|>6>ixOIdhfLB-6}s5t63ASWzKLdaFUF0 zUKgs=nLZtO+|=_MiS-1l8vbHD^x9JJE#WT+C6hL_z@0pxQg?d|`jKhRZpOcj&X;C% zcPZqlSc@GT)Rwa-_gZ7-$G;_=?STK1ov<0*UbUO}JVMi1y%whbkD77Z?YKYQ{8@nr zXWH$GI*Q=*`U>&8; zruw3%ZJ)1z%?KAHU?1FCF5oaz=v*oF4ej8oP0mcfKibo8r>83(hoWoP+5L&@1_#X+ zO@Ewr>H}pXRQ((?jevIQ_RCMZ83t$$*n~ynP&U`Iu^z+vVp)TWe0_|s(Nj!1jP|Wq zy78-FHho%RvAD4$$R&|Ca4R3?4JQTxYma zGI^b?M+2UN`0Qq}+N2G!r|vOp^jXnI$$q*F4>mOiR!{6%XK z_l*PMil<+x4^ib1C@ha9ccX$P34e&axLb&a6Tw z?QOu{G41$fVmt0ytR2yL@oe$a-aLZ(TexW4&>P_`9#<*I3evQ*OuJ4`Y!?POd7ZB5 z+9sT1726QQTr-NUr~dK+)Vp1occ#-g5L{NNT%7PgCv#HJ-?U4&&)+Z1?@<5IKE60R z>9Go{b`zf`FOUywr(Uh_VeR14d{mSVYrlLz_?Jx2;;qom<(0(sZm)Jv&tmywv0)e? 
z@M`=gU}ex@d=c_5XfiNNxBQr56V%dA^LvJoWa*fHf?-&-{#DB@;&wf3+^*GKx>)yZ ziR<}ui>>EH>6C*b8)1@A!=h)HCu+PWz?4lROuQyO*vYb>2@FS%D+U-kK0=E?W3LI8 zy_`Rb@x{aWYF@WX?4&x5pBuB6TWpCj9e6G;xlCgay?@<{&w{ydVkgDBcO;$x*Rp+SzoO`oYu^8$eSx)E ze@CStJ5X?VR^*`;FP57_mw=%39_gO@%+*Wdwz|K3FW*DQh`_XGwPuPuB5TEB4moQl z-e%YJ^D1?Y)RlZ^`+9-qd}sT3TH`z0$Gb4!Nq(Sxd=_62;s?mbwvVqlAKN~jI3N4| zj_MPYA%H^S!L(l=;ff=1SZFVc$!j6GpYmxeeF@}Ko#B~aK9bRAY zb-EP$DSRTrABpWA!b8ONQ>^Ty-SkH)1>cHyh+kint`|#nG~Du23>LO@OYEFcXu|0X z)_Ifg#Fh+}9Y4M>&3E2L7zpG^gh5JJdOHXb8j+=!iwP{RhdyC`U z2lZ{GVat&Xw+RkUxHu$-Ux#);i{EM?F6YtU!bjmUFad}Vuuj9Us)*1TVb3i);1^g) z(9g>g=_ky!VbT_-pPlhJMR4#qvlZfVVnJ#zQ7QOhzC+z=>Ul$AJuNYAcj~Df#dW;# zI+W)vht<7SrEuq(XP>;m)cfkhdc#d~srq*#B6js+9%%i9f162CALGm$d@gm3Nmtrm zm)?vImf|76)3V+sUR-^}^xKyb`|a|@`pxTyHuW@J_GRIfX z2}=}NSJcdZr5Ox@5L z=m9d=0~sVe7u!hS!%z#&AJVz@`Gh#3df2q<|3F;1mgb?YNWdA#JJ>Cj9Dvvc^+q07 zk03aTw9w*zj6f|HwD#0YaC~Nz!44R}k}FDoS{kx2iy)f5c~jF~nYRD0*TFhofgE8s z2D_T$rO|%uKagLCz={ATZR$e#zzMM}C_E`#&?v`+3mHF3U|7n|>k>pe5L2q5dgOIcPR7Epw;pR7_dGVAHj zuuR%j$dBTpn5=`)19iq4*A*q-3j6)qzWz0rORCQ>Y_puFjNuQ^HNUrB^iaKs*;vhtjpe0< zq+>BWI-g%RWD)-$`@U^_&T}8AQQr}*wn9UFLV=9@b7jo&(ICf8J%BzqMe82N?mHG(g zUe^X}pLCdMF3fqXbdZlspBCY`2ps3l%bb6qHY;ZK1YRC((O&U6Y}^dYkprW|>YN}= zV5LMsFZ!@J2932MHPj(JG|pV=H_bm;Lp8EpllW{yK29!^7Ng+Gls>7b=H;n^^J0b6 zh%&MQPhXar_ioxTFY+P{EA=`pciNu2=-`13_b3E}| zfxlQf3A#Jfs7(YqO!@;x>GWWxgeja`5$0($tw&bFr+SLvh4a3p+4q}dZ+iYH^l9?x z(fS?f&SWQWA(m$3Wc~SkSdd13E+~gkHVzAg(AQCJr7X$RP+3-__OHEgu8(W zbdQ~3Y4|vt90aXt!M~r|$TG(}x21Vxf7pf)of2{Pd=D}c%PTZf(}Cpxp2?6#L=N(U zKI%AT(QysYG0ksC5BK8V_Vs-*%lP3XbtD7gXWMeUmsmna)?T z>H0*qT(1}0kx@j`8ga)EoDs4Yf8;Bb;SvDu@Irw}pK3^9qv>tw%2!H1jis#Co8+s0gDk1k0$RhNP&>RaFTx7X97Z@qR z_NB7?x&N5_a@y{LADBM)zQxCd{Bky8dbB_97n%=&+$w~u*#zq2gw*R)!-M5n=4rG1 z)`TNn53;QrmK)~rj{eb6eg*Q=gqtt+z<4JDRHo3QgShghSSVmvK+87)KB!h`z@(%# znyE3qJ?*}+^bNi?NA7D2WhiHB714<_EeG^{THBxw2i}-nK;$pa-#+%$pmg9)FZNHM z>OK_vQZsVSC6fi~&vSQm>{?XXhtJ@p&5lEPF!&TpO?t@ z&o0LI2WyzyVzY{8WW8%CjVw9@B_0zL%>W|jMC20KBTh36`SqrLS0&aDzKT)3y)7>; 
zUO!Eb!u5;LADoV6htM~4gr|lBGHKrtANPAzXDW!N8<2}m@8$A(C0#F1x}^}l&iumt zUN-w%;A!3&zRXnU-q_64l&6)`{ulnZvwKGL?b=WU2?NV>UPe#JJ29wzl#$nbug7Og z&~XP>ad^d|_bB?=yl&F>b;RaPOumrulJEUk{#D)IPh3wA?*4jO8orY}LU>K)9GHq^ z6~fCmLNnl-`%QlpD)kShoxezI=QIB|+POIG`KD?06IQE#rc#Iz2qhfPU$oDs#^X_t zuC$M*IbCTVPiu6geY`&HY)V&l2cNO`_>_utWq0s_v`5abbcSzXy7wloi-0j$y?Ol_ zAv)w^a7hkACTo4yLjG!yE+h)Fl^*-xUeWJZ1EBA}4b@|Tfk$6P@q{NDQ|$AuF#`QE zv3)_?A65j{mzevW67l--wcvfu^qZrg`_{?e2*Sgf)uRdj*X&#?YlTn6+hO)|sXFADkeSh+&MpW=)B3TKtwMb7<)_GN8ANl&^nqnYtsnpZDrV~Am^Y`>tj!)xF=1Y7$4L>BDBQW5fGFn|CB z?xojEkq#f`%wIS$GQ(CIw1Hi?Ws+w zsm@}hF#mTm4p3CD(Z6^>P@O{h&*zZm8j&Lde>Wi`pJydU@WHdF65@7JYiD|Q}}^*mDHM5gXFoWUG4 z|C>>%V_5s$s&nLi-C!Ot1es%LGyRBSqEc*H(Zf~hAXB?_Dun}{GSZt=YM_IPE>G!h zREqShWq+iwZP9FgT7T^^q9H?Phs@550Fk)<684a>M!Y63jg? z^yque?0m%>;(Njh1iNm{sktM=<^zM~9hxM5jLpjFd(0f5=tta65}BEFZd8djKa!tu z+k?2_IVU$$$c-?TzMC7#vYI2?-h0T%A@9~bnZ(ZqbfE;pRRQ{W$}gH=9jJ?Uzf1Ht zX*mDWHp}a8cx;w#J_E*HTXWuST&pP~tv2NjH|1;x?oGf$$01{<1?=hC+O@LlfUX0a z_ZU2E^A>|=WBYi3aTImTb@d=XkJGPGhbiYn1~tWb`Mr++M*0-U}Paw>In2b4Ct2M6&m&o}ixD`|WjT!$XD z_jF$GMK)NR&491*J0xxns@A<$>SgbLN1{11n4%MyDU6J3`Gzcqzg{H6p3U|8fm@4` zeu&TqUk_7ro>hM>AuC`#1Gi>wKlwsnJK+#5jXd9}zg944df>S>$HgidxI5Ank-nEa zR#8hjCKmBSUWK-`FRvE!4VzAJ1V3 z|4aRd|Lk}SjkCFm>nB$Xn*$n7Z?2dRTMLzzry}cze2ZpsAf1V4nOyCf&LOIuk&nFZ zI^1aaVeh;^MLRAzP=x8%a-Sgnw|k#Nx*zy|2|tMZZ%@pRZk2r^DEB;m&k6k6^m9-T z(U1G>L_ViL`y!*(OHDZs+n0mm^H9#0qyDcD`j?e$nXwmPi<2MYJH+&;P4u39YmKwT zNV8o_pZ^9b@qaL#vEW?O4n#ZxnI@-oh)VVN`|=xEEALzBoI93j6zYaq8rF;^bJ+J{ zisz)~F4BjqP2nLa`GhYIstkKaa|fz@nLEhWhkK!X+p}DDtIa3o)@5_=b&%hi;4C9o zAql@8q=!+Yk8fnE@acet0LuSbxxf-{h<<-Mk4tT)X|sW02dV?#PsXyVP`jXs7?lh7 z$+`=^s~1k%7Y$6C(y&AD0_Kq^@}2z2JxxJ5pCQ?UiNSlHV9N9f-iIb03+Q?T$*gA1 zCHq^h*3!MX+~)EoH%kSIsZfXU^tIXsu5u;UP;jeWp$xiSY-dofi82B%NW$4Vx%-Sn z{so8Eqx_4_P(<|_Ty912@(=tv8T6DfPICxvtS#cW*&$*P|D;OI`WA88{bKy%5vX=# zr`K^cV)=sRshdsvu1jnmjuj`j&)<&{H>2b@NJp3+5M7VG-5|y*VhO!N?qhCFmps2L zX`C-V(T}VBeOu%3Vh*y4zG?dDk;Hz2iJ`@QdUp41e=^zK_zji1SLV?7OnbhS*d82| 
zO>WQP^Li=#M*QYDcbc^UjeKNn`2P7E@Amh{_;_1%mvmb0158hr%F_imH?FtiX7`_u z!R%h1##LwfM2YU`mk~4}Fr=fw>yoQay=i-I)GwOnHGPJr4|l2L>Hnyylm16>cb-PGrV#CFq{GLEnH`fSA+vklbyq@99FWv!SBtip@&7dfx0>!tk> z^!Zcq591+SbEJ5r4kvJ)W7Xw&epjh4>T=yTcGR9`8w$rVP`J1zz&@9wKGAT3axPK0 z+Ct70P!y<$^JxLe5EVc;(s-w}$(%lg6e1n)l?iZ&NB(Xw^-hc%((?Rk-j13`f{^;q zBJDuNYUMDSsSTXQ{}%wMp`)B`&tb&gkU4y*)N}>^_4#X_BZ;mnDm<~Q^m&U^3;G(CvohnxZ{PZ>pcCp|OaXYnIrpcp+l zaC6?d0MRD~-^bKR;~Y^1T(Y0?r#0dV62S_++(#xH9@21=7&;XleM z2ddQmnmQneJ*7SJlL7sv99QA>_F`WQ-gEx3>%}TqbIkeLtwS4zB#Jfi%Q!AHpDOuW zJdP&iVm;qbT=b*u^FM}Cx!W))sKfWwAnMCRivGD{k^X6IzgepFo;0?+tcZJ<=5%G= zNBR?bdXA0Z7_EJO%Z5JMd^eQqc^u4^g|9n67JGOCo6X)@ceR;frCu(MU|JVuKssvi zbS*8vsNJG{iT;3|f)BMqZbePq&gE13dF#)w=BF(udK%KQqdb$lbA zoh*P?NFTL+^F*UKTB735ldaeiwzpaSs+)l#rJ#dqAkP~7#q1Z&{92CUCs(Y;Hysfc z>;7k9e(I@B6oCl8CBiqYTdnU^UV{1^S8njWJAK}5_wgy!)b5kqZ_+;pVSuT&{_vQ0L z7c3XOH)IoTZ-)rxM6itL`%0RBH(EYY4&P*a-uCy!t@)f=riR6>;*gA|TLLOMFV;Rj zs&zfjL1NK<3a#Raw8?DIot+~JW73G0#vTN1&{D@kUwE#!J!4f=#6S;=P$yT^mtHD5L&2}^0Zq8=aRGh@~sJ~?DLN@;fTu87l%K{WbJnrerpsB zQGG=XcdU<=w;`=1x@K)QHc4(tiRk3WXEP2mMZi()SKD|K#fd6aXF?ui9b1nwY)1EZ z(*7cHqg?-)q_%X{HvQtq7|lNPMd>#2kH!CWADsAI&mW-{X$H@Fa=x&9bNRz7mxk2K zFseC}pX%CzO=_4nleF_bm0Bq_6Z#(pbX|^P^cC_D@zz4pOzZze+}u2l`H6vG3-Y&0 zcUr|8NDbQmrqy-S34U?FXtf~PYR%)4r*|WNzRaOqrcDHa#!YJmUWxQ@$9e^+-wQrp z&w7#9-pc$KPuLZ)MaR|t+_)h{W90RZ`J3-&o_?FS{q0ly#$tS;rf0m1rv%|`c&3zv zfi+XAkrQDWzA=cu1cG?XE4ajFh zR9IE2Z$76|IHOM9pdWwj(?P6!z1C`2Yhkh{=l>U&7cH+db{*+eY`t#o>!V&Es!xJ1 zLC7c7qeS#K3lXSH5IPUW^r?K-?SURD6sgFvkMnG}zWh*Ij-eA_p_(11-tP!}KsW{~ zj=i7Gj$)NaPw|qmGI1Y!{e(ikG|7T5jlB2W-qpTL+xNsHHV&?t^=Y%vJC8o{3<5YK z=NkI0_@sK-H&qk zb>EXX?{PO#^1N?}H3A#J8zmRIXNISs@?FPc-b<(n=OXx5V)>^v7i2F9>prN*OgkP- zY{yM4x8vEhf69R`yG379Dcs2{4j4)u$@bXy9>n7rdH%bhI7VCbfl|ae@-IWcluH4f zugS&#zh0ibd2RUQbdX~g((&tV^Pcd|^)ogl4M}Fs8Ae5lh!_#F7`i9?AyeNr{e?TM zFSaEIF-nZXP&lrLWx-5UnJcEF;p<3Ce1GA~Ogq|)8{T0%P`6?1lRDg(_%%qgsE$6- zs-YD({0dXg&n2$6o%VX`yqLvpz&% z9s(k-FHEHGmYd!%yk*mR$)VdTet1Dv(9ROtK=P}h 
zcqV^q>F4vXjk&dkwz~!R{q=Yt(eQT!{@QHMrc5qhPRqZW+~XTC?uOcA+5HC_H67p8 zlE1aEQIj~;QV*+L)9xsCNTgW%Dc+Bw#l=i@QoEp8c0G-84ECo9SB}bC_6_g0m2x(p zDI6gYcjfcV?@=Cv^*|@v_xb4h7lU-_C1U-EQ^knWjT6tY_}hL;dee~TFxKSqm>@VH zrwvfD?+4@N(Nl5_#w^pLZwf$TZf&0VhX>oSuVBIrfL@CR%t62`F>+#JM>_3lm4a*oT21~nw0^vkYVNkID@Vo= z_P$yLUF{i_7|)2PpAr6jr)lSGVmrr|sGYIB<^+{GUh2OhT7QYvo`%nEPX-}Q>OFOF z`bHkg2SGcbUC(FIRcsy1P?J{mh*^_*mPPVS<18OIc>Q}1KunGs#{N_qmm9bo#KD_f z4JnCasFd@Kt?A<`B8pH>3%+OEZ^u!8s4fbX3qH0P(%kHe{ z`qsQVZH&F5UuNcRS;LI=<(Oxe z{|^&)9r?RpQ@f{B>Y)%FUd{H!xv|bz|VcpNc}%G{q)1cetOtm zFE)4Hj(&%M>^6vUr`$CNhyyat$>vNVLTag# zEMoF~m3rFivVSn`+|77g?X=Txgdd0e$MZA&VBFQd*6!}OJ z9`;Q3Kc(+!EYcHV(T9_-1!8`FrINl`q)if{R-Ru$)&Fb8|5t_M|JJzi&xGIklNQse zk$D_)_cN!IL5DA5aw}ktNYf%(`DIv({~472OEP_Gx0uc!c0ui8zp{sX0T(V}A0+pX zUpDjf&cb;@NYTT>6WRK}31*9;?%Q^K^r_Xq3QBJ_Lz+k*OIMTPex5|j^hz=DHy~-D ztqj6kkW-a>-bXRHHBm(3`^+T6*LGieMEj5_>4MDk;nOoULCd|LiX2%lxzqz@_#rxy zElQ>(v0roTh^=_^hL2dXoo+480fxk#+p8CC^AU+#mTAw>ZL3-FgPcnQ-=N&_{Wl3L z#r}tCKML0Hxq0)RAHHI7ZNs*6tTd~`cI|@P0)ily|IM5$!cbOJ?jvUmB=KtU{3Ch& z7*W5o^-@UZVL7FS)&e58eVhM21>dIv{+s&n4F1{m$-j%_q0;K?s=sMrdA4Vj=l!a% z{2HS4Hb8N`b|$XpwMRW`Mjv61r^1HP38~b&Ta7`hN*NNL8}TWuKcf2hcHM=Ty4?}g zXVjzQ%Sjw6HdFkAOoq$w-R1@k7Qtc8JUt5M56^rhKx>G|yAx8=dB7!s*I%}w~za>&V0{PzbX-d|$^^mFR8b5E=jO!WV!kN8{&RprnIM)?$g7^0s z?2ANzql#_y_M}{KdN^z67DY+`qZV_j9|+DOQ&Fivf&9<({UHwkMg@|nK^Zc1gcyQ= zX#j`8#5Q5J`8rc=cL*Ds(m?uS^bgPczc1X6ADL`FP9-M>kL_U{X_5C8{?5g61c7nU z39=yQ2(K0WPlgWV&?}3bv*gNI{SWbAc6h0rntHY=;S}oGF70_5zLG1GQPb*zWxhty zM6#XHlX~ar?S_uNu#k>E`>^Qf1LneS2I2dI5SmvH)$*~=QnQyJjPvT?Z>s?Q%J3EW zmGW^q7yj7uiY+*l^~_vpIiaky&k0u6POTh=P?)YzYC4+a>+B*Dco_jo7{8hZHR9j2 zv)}8K#Ve^d><;YLlK&|%7Dq6CZ#)9vw;@TTVz68j3str#aq80Rc&rCjGnrh<`&a2emGLllW8^AH2aD zI~N9JDvaS#0hKy3=`=B-D_Ce{ZE5}d3Q3LX)#(~rhK(kQmLVOyfbRt#pmHXNc4HeW zp>KGxz^NFXn2_SV*#DyaCkNpZgX@--YBgbA8X^Kp z{Ckv_COnxhs{b`eexG<4I4&b)nF#5Z_9LfN$Ou>ua1dRq+=hc)tjBp6zh7C?nyZr9 zi{Au4EdK}dSK_=>g)*6*9K$V9*x2R6Cj{Xm0vLOr2X#D-`7A>VO7hw{AW#3b7;Rjr*9Ys>2ueZ*%kk_U;`b6EMoVaiJv(yV 
zKp@76Qz`7=&lG7W8u8%D&`ky7A+B&2_#-6@O2|}}1bO@UE=Z1`jt@^P5h25ss9HOW zE~@ZC4<7AGDy!>aU$PEb3PPQ9dj-DT>eZOZ47b`?)Ohl;zqJ3%OKi=D^*$4nNGkAtIHLUX>w|vP_S9obp53_3#Ost67KHD*XK6mk8M*bJ6p;lK-XniBlc38o}GR z-aRgX4i@QZJhGfdsl|B`qt4a&@E{;e9I4}?EE&_$*kBTJcllcM`F6iZ7%Fjw6RZO; z+kxZHUs|4-&$yiCFYF06cOBT3{);JRQwJz~cLw})&M|abHL?F01 zkSWj2g}VopeG?ss8h!GVeM8E;eNfwN^_KuwZrYpGUTc>EW;~uh9XY``j#?$U%bdsQ zc+d*cuWb#XDc!VjyMOETyEhWv5AeUVyc{61Ui==9@R#m;*^xQ*q6)?9S}ozfjp6)G z+Hxd7%zQ`9cKsANwgL?+U=9YjL@Fx_tN-7!Zx9NqMz39{Y}|0a4h=WQ#-I zAlafb@l#L`EeZ{l2-oR)*!?g}0AN(|;8?4eUrX)4 z>~Tx`m=ABCqQ6xT>d5!6jK5D#1mO?Ub;o-p#N|x?qRIr_^Yai8p0xGY3_PS9P){&v z@KnM3S?1T{!_bekJ$A@DXBw^Qu0+nL)WJJP5s-}Yr+KjL`ECP$hb`=!zFEr(wk7)R z?bpU2+5#EsCJXM3zjge~#@RX?;do4P=-z&D-rM%D*SYhgCvgN`Fb%6)X+^E5i!9w` z+;2U;skl4{p{{<$E_P%+Zd9-${`n}h8&g%UwnPob8y*6dLD|Uu z5X6o7*$s1#-z@*9N4n$e_9BQq!FzlAJ#m2c=vKdGmh>quoW3P+KEFaSD$v+o0FU3W z%ZsIB%wJzU8g2t4fdIL#0vVRWhf}yW759I?dutkXE%z_wZ(b zGn(N!_lJW9?2IUx1`C9g0qRy}juK>t>uUG?_@z1Zbr|sc(#ocu+*?yTVCXf&MeC09 z_?cY>c)UA`?J-ONSH7*|u62D_D-sp74?B`>i1y z=O8vx7C2cu!0^s3x1jMEq;|yJWxl=c$ZDGBVpK$&* zH!e=N?z}2*kJ!4v^?k5x4S!u4we1-H^;}v2jI{spx@3xp91H#@iRe`55acCCgYbdD z-~B_90EP0d>J~(`M#M^a3;u@446Zl5=dXudm|^Lxsy6DymRUmX6=VBf}b3cDrr5(WS>O8_4hr67XObkr#nc)!zP4 zJ7EVY6pOD+4(EN%>|G>;^O&1U2_Quz{ zn$@k2j%?3#kmb|j{T6QNdA;-G`e}cVc^e{V+<6T=Pp$w?b08A;%0``e?d877qU4jU zc9UX#DW><~^u5lraVm~f@o@qhY@=IMb;OANiQ@9OaYdFMQa_WzO~cwMwa=Veuoe|T zs!y*nkzu@X!wCWu8QgrYzQZe75;;%wLum&f$KS;SMzNB_mjei|5tH9t5>M1kY~C;y z(L1E@roIt+{h>ca#WJJv@lJ{5> zh)D;1Id9T_H~SYOA!r^xa7u)K#o6(Av_|m( zcEy}mk%M}0YLI*m8-TNbj|HFd zDrGjHeTaW0WN)1)hmr=pbDQ6THO%_Yw#?z@%`a5AlAg@Rqs%?r>wl{n^&0Ge$A9NC z9502Y5sS!?`f}2WQ4l|1F4r=iJo}yoxZJGz3 zgy`*8>hZ5^K=2G?@v+dGsxe(#%<1U7Y{#1tx^NLv)CwD{Afj;P>8!tiPugCLMlB>= zX>_ZD3*|wr%VI)rE;h#|fq(p_@UHh7w6kX9T~bJq$xF zyb^u68Xq@KP6HxEa6M6COs`g6+V9}SrvG;o^*=;PP1k=S$37EEcE`L%?2Qux*`G7* zyt=TRrr*wK9F%l!p%KMC?1qlvH(E`KUpkcf`#3}gXtxFXB7d4Pky&3Aly+mo)OVTw zysfZ5m|1t+et(vvKTIXSknCKlmgD_2cJcgKgU|dM*vDs}f9^Ue=}T5oeK=&hEs;kd 
zUarPb#e?96arJelW~$zZdPkhN(O$dx^(r@K+H>N~kLj)6pWX2~_48Xro7}{1eMS7qShT|ZR(H2&m7cItUue74H1(p~?AWW?TQVU&FcJ~k)&QT&Z( z{)2_|>8&%+CmfIJfkA_;3a%mQ>p;4yX-w!)nD=cI!tFv18iadrNc{(b(t8YHCBKld z-&HSt84&rl5$`QiW8O$4)=T17MLF51dTHr2^7_Q(O-RM-CWUX@bcqL(^ygW5CrlU@(+!a3>z8p8xAq^QBXZ>=o=ko2IdQg8g*qpg{Qu~3dY7WD2l>u_!$)m6S$rESS&Yaskzp;FFQ$so?j2DSNp6|m)V=3xELwuZL!~(U5 zr1eL_`U&|k(#{2x%f~OfR3Pz|XNdR7V8EN&FXd5|(BAZZI<*X(Wx&A$yYT#Y!8SRw zvN6G7FainV(M7g@Q?9uL#Pc4{{4?_59S#3kP{LBuTAKFRG}pEOK>%kS(k(pm&n|=$ z8(s^j>y96fGO)aRvpoUQfZ)v#p)>EK$5J$7{>MZLI&2sg@))2`zs^kgW_n`a{P;|8 zjswoJjA%)WzbZgru)vX8Wa%4ifcqkYw@bLEn#df-IS@Rw-^!K)qsXT4ZXxfz-;Gh_ z4WbEN48Hm*L z;93(YuSLF{)p8!%d6pwz@Xlg-kMnRn_PVq-fhldL{M{h zckevQ&D7{6vC(%LJaO13z~# zXlu6lQaO`nzM9*_*_p=UnU~}&_J0FhJoDczq$6J*x6cm$UW1*G4Nx%QZt{1~p9dwx z%oEp;zc%CjUg3D}8#mtZ=iXt6F(({uc&|A-zv7*pe;Jg%W5!KA%JlqHF5OTEfgD`o z)Sf%Ub~=5i8@o<;CW#k+SmS6yl0$lWNbtte(?e<}mp+i59uj3@ zSdPy$p5w5!NMvEjSpZPM@A5y;xla`C`}dC9_qTy4DaU#aN{$9%u1Vrri5Rem$n6r3 z4gAE5$xl>;>1C#u5Nt?Wv?5H~!a#1+m~I*xrvXoD3` zfgXBg4HoNG5CFUqKO%>Ps=&5pV6+z*|H<|?k{4arGkOlx_wG3(7-5xnTKAz`0^uN# zwZI$#<=E5I_x$;C+q0XveggQJjfy%?aqATvoGh5JR~~ne2MSi7lD%{COlt3EyH~}_h6xyPZpbZ4&t^Ywit+4Va23xyxr>E}xR@lH>NBP!q!x&#)0zy*LrTJmehRPv^{a%O=IrTg1wNPO$ z;@$N3MAkL#YlcC3&dhM)45a{o=S%uy{tpZH_iv8d-$5@WQ?i$T z6yuqGzdX0qyjc zjcqtl<_GwnyI~YT`8^)m7w*uduGiCyYlagcUxM!wzJ&Hfnf-OL-q|oFq0~QQ-pBho zEhc_~qspb-v;YGxpPTW?=q(I<*zuo3@CaD5m|xQ1=t(~N8S5vBD~s$Q;%0N&PlBV< z-fQ~)s~^+2dYm8nSrn8@=O(9~K(1?MNr;hm_WNn||M) zTwXIYs027ka0mSUc7;3tmO?rWHoH*%?nRx;6M0c$eV0H{tEed4GyK!gGwf``N=$a`cq^r>J0n!W+e%22gfT;ou3k?S z6uELlIk=_6nQ^zVV?5U$<(5l2Ci}As1GP?5Jb3P6IotyWMeBGVJJlTo${j+ALu0ch zluA+9HIv^)!@noZ2lKykzqNlD7qsjce%p-Ux3vEO?FjSigN!L@cyj&xInFuHJ=dPJ z*q#-EaN9f041Ul%A3^O97K8zHWV>r@Cy~!Mdc@wa9qz;{t`V0ieG}#0zzq@huij+L zT}P6U)Iy(W*JOh3;I|-nm;4{hAJFc8D!t<=>{Z4D92~g-!3;w*hRD|7Zs6GN{yx*c z1Ll94s(*RMQdh*EainaT?4}8+X})B}1HEP+s(vJ;#&0wO*z*qnFaOgT#+NGz^KUBrnmIETSd)C*Ofzkz*k@xUOi_G1{M(@Py@Y$h8Hq{A@FS-rikD0f{dLv; 
z(f9)N!xN1Ga@)bbmI*>BkN4hdZGA2F$J6sGirh>H6(7XaIqA;)j~CiWEcU}^e<(ewxGWQgF+u(r)xIcJTqLV0Cq=FQfdfVT}wLvxOO z{8cYO4LVf?kffB1)sE~FfWtN2F;`kM5tvV7nx|hcx}i5EI`2N>RtTZ0?Z-@yeEP@SZn4oOlZu;RaxQMEf=W8-?`b7st_)M4p8k6TR*Fu#r8B z#p(hPn2m{93V2Up0Nqh}*R5k#^C~D%;Kzr zBWYoBMlWGHIiZXg&3z^*v;Ap$%v|ZANnG;3HS7Do3fK1=POB!0h}UxIJ?*}{GBvT^%hyxf2ku8YfN%UskhdS}*a1Egw*wS|GmVT;!aIcK3)U*Gfr4u z0-5qYIZ64Jy4M%@Rk{6N$33M6pP9+@TIjuoRTX=eqIJrjdN-_Ry8D7)Hhq-z$Kg-z zReYHLQXyV{{NQ+f7~+h0Z+z734XDW+e(sNg(r3)xcrL~@J)M&}z##uNJ)Gio zn+YDm@Y?G?TffxbFpiIB!=wJllH(dO%ys*MB_61yAWT|}-*{htNLFT&7hoKcbcX70}`24JjA1gIPE z$2`nKOmO0GQ7OqdF&i8%31SEu z~yCeUjy(o8YApo=scCAN;^Me|6B~NpaDcb9ri_aWOY~ajm^?u7k)~Ezl;9j zng7p)=jP|fotw$MH>?MRS6`;?>*3m??k#Fx%6n29|LV9I4a`j`Ut-2+Z(64z(v-eH zi=DHe+wiYJ-wGfsA(u(Knc=)D#GBdR<>L+Y-Lt{d(~o#JOMMqFit+B?@Ke0=?Q0{% z_e3C2(D7=sFR|m?2=7nB_-uOKk}&ZwQc3po%IY~rs>fGpR4vSjThAs;eB;L}^a*D~ ze%)@@J8IksLs9SC&Lb3rn2CSqA{u16DAO1WDX3*U!k8^^?c^l>NqD@o*KT&I5xDt4 z^kAdT8#{mMyIC0f{_TbP{-?+7`$_JB1E?Rlx%>Dhf*SlDg|9HYFH8>{-uD-S(i^RN z;Q~52YCIclgh52!9S;1N1?AFnQRXr})hl*LP2$(6cGCJ*8VZ!>Lp;vZlk?iDWvwIm zrA&Frs$?{k1d1p3UX~A1%HJdZ2lG?LeNfWN9K95zDQTX~j$$KOTgm-Csh{jOO~1cZ zh=(x2Ew*F0Wam#VGW(~_SA){$4G#Z>8Q-@H$M=Wh#y5VS9nQTpcX%Ok>58=m%t@TR z`i-FU6*JBSjx)ti=F5PuK@?RyB6bwTF4p%YAUvx)7#~==_NvG{NEWq>zcc%T*B+z3 zO48Qrc0naV34%}QkNJ-k&NEUhPl!i_OiZ!-o(i8h)*f&A@FPDeI^`W7Pd*ZqAj_x7 zX+}L;I&(3PxCmI&pVL`5o;))xpz|#9%x0t27*r#i#7Ga&*2rE@;Csi4A+J=%j>gHa zr%oyi-V_A1mubRUBEliZLs0dZPCPQ$SHvYW?nHro2eZ@@RPa{z6X)NXi|_@UD)kHl zsBBJKi^>3s`8vgXuGL04wJu=j#R!o1h#aEcBhuh_e6)5;<)Q94y1lxw$%O-dHY~oW zNO_v;_aAMA&FZjCi6?$dx2X9t?BE)V*t%A(XM&&}-i1RumUx~ww;R3wU=v@_|Hkbn zZlgGmDPPF5#}SqV?}#U!-r2fM8|5>~P;Qfn-xDt)-U)x_;+usnYJZv64<#S_p@d|J zgIfdM0zO6M&zR7>oS&j{2-JZqceVG7vE^VJ*teDi5!6BML_&b7BInO*$0CWs_lZ2m zu{*+IGyd;g9SKOhKwu(1THfA95O~JjXLwn#+Kz)B>2tsUYGu0RW$d0b&=?~atNGKW zuv-*DQ99qicQ?6xQ5Vf8_)csvF~VSWA6mmI%MKp!~ahzJdFRR@Db;ll9G%b zq()~DBr}0juGZ=9Yd2UgVF!SC9z>`)Ly?>Z<$FqR4OXTXwzU{kbKHC?A0`%|1*W znfJEANccLByq{#wSK(LX_9VFm*-)(>HmeN}~W=!d;wQojGh?EY3 
zXYr@C4;iX-azs%2;3Qo$aF_L`#6b%^^?8WUDh#<8;v}a&KE(gb8UQEgXN5NfrR$he zTRB|m9ziV`c+V~54|>9#jU->wDw}OCG+f@GpiCTIa;ue?@-C7 zb*ec_7W1m?y66v*hkECA?o9q zzed*C=SE+Ed)YqD(hKGy4;(U_r0BhbKk8HH@2mp>$|;((Z_j1ANu5e&@s!WZTZ0_l z)Ix-Ibzm>Qhrj-~MsV5Ta{@##-#>B++lDfw5G?dbVJEgQ0nHK2IoS*K>mM`TT5rEQ z=x8^8jFW_U-^iW!5&gqTbUIObq%60hGU>5pmay%`9W@fisx~?vlquH zmngS}{7d}fly67ALhZl#91Jb=I@yq8{+8)D)T^N2hpg>UE4stgfNy=qDxL-_ftfBh!`%KcuARQ(HINI?KQWWDkommIDH@Ws#ekjQ6Q7`NFK*zy; zxCAD76*tOG+xk_s{+I&P%h)C4wC5}`>MV?`x7g^d%>F~&Mt3xQ=G0kY7=b~5cED}cb7+IY(oqSumE$!Jw3cG4l-s{2n0cF^) zf^y>5m7EJGt8y`k{~-1lqO%JjZfh~^QHUhJ=dkRW^C=^QZmGpJ`eZXs;j2V8E zcJzZFSeXf4br>}|6>QbP5P7uZ55v&R);|LRu6x44`=lLzjda55uUT{g^o<$FNHCRj?4;=F2Ft=;W;w?yiV;IH>)(= z+>{P(uB;v7fI*hl_L}aE>iYp#<@AfUEnBZBr_k?@-+c4+*IRG+0=U5cgdI9{!&0@i z()LPN?{6IQ{-!bSZ^?Tva(!ukWBoiWG{s;w?S$Mj_5Ilm|0TLE@^N`@tUQIQBfh3E zI7GRRO1azaIDX?ZZg$_g@0V|UW@e(?`p+8o{zf0Z$ZJmBc)$_rr93SO)n%tmftxg%?|Ks;+;M75$$qXR5XPa_M=uxfjfYG>8 zD{E&(HDbLo^)?2;$CmWMdWj*399T?mwR0nuMg3dg!@Sw8wG5V5YfY2S8|UG*ke@6j z(vZa?=fy3Kno&A9tsGf9QVE}m9649&3TqzloO%q;PG71QLXtvT1UN@I_2}P^XZ||0 zmnVfuV_i}@vjy3V%3&&|-cwPJPJ1mxy`=Xh?Gd++R30Ce!zW7Si^_Fp&)$A}lIVhb zJ06bjy6c~{ctZX=@+0A+g3?@IeNzS`%2u1E<^pS_jNuv0d3n0gz6gFfYLE*R)s%Pt zQv$bme*M^4lPKBfuVjCv@V1`*%$qh_wINhXtro9{z8ps0cO*}$+#o$Wx0JveVhX_w zZG!c73V2?>Abml~F(mqI^(#XZ+K%NUv}3Zy87J+o*c>wr2;wWR(7$vX%n#h^Lqy}< zpOF+CYB@+pcdJM-i4lxjcj7`1*pjjYy6&={)AmLk;QsvSI+%ljLzMlV!qNBkLBv9M zymd(D8H_aFd*hD}Y(LL+F+&PC4<|5@`--i%s1f;~l>a^6Rl-e|Qri#SX!`NG8T&DfhGf;+C5y=}Veo_0I_e{)KZSn!h4YeXIP7{nF!8_`hi1<|BseN0H*faE(dG6Iq6whdFdNrefEiy^P(I*jes} zXv-Mp)T4OEf7#6I=Zn@kgu|je+;RIkj{!TZ>AlBH?*~1a@VTJ$X+sk@B;M1C=3PbP z89#u`#M2IuPS!LP<00{OeDK`=arGG9fQ+aHCV`Q_WO4OolMkN32${k>L9-eCjbbR96g&R z-baWmR%gs^HKPn)ZNjAeQ~;xdG{Q+7duRiEAXQ(Qs)2!GXwE}34(tk{|EE$DIDkP{c+C7_kdORO*G<>zRu9&*Lab!w zcr_2b4C2*rmGa}tkyI1KEBM4Q<>KEs@na*`EX#8kGJlMwRcFabFhs1I!-qXxc>i1CC*w)1L>3@Z2}S2h7RpodYaT zSy^B58+8aALKkukI%`HB=h9qb6h~;86nOtS#Wv2u0Jl5JSw?_!Y6}H9u>;*OoWWGnz-qJ 
zAIR@x=Lq~R^A*y*Z!p-ez|XaI@j|EB3Z9L3MfacldnePnD$Y)H-wrQHT)Z7gBZZv))_Tkp|$%1(Lg5-NH zJnKDx|5=1U=t9#tP2rWC?;TaUuqn3R?hj$Wj>rOxU(Nb>zN$awzgWm;BI>q#?jPPg z;s7U_Pe9>&{d+OXFrz#ne_R`4U{5ttgqx76Gf#@Jk$2f7Pj4qEQLvx6DjnhwlQ{YB zG3)k@!ga%?%w0GCesF-Ug|9MP0U|m$I+nKurMu&05I!qKdj|tWtI%mT_c@e9I&bp0 znF7h<dgRZ&bJw9x$MJg7b9F>Z&iVLVwg%wD2{=EQKmr$2Aq z{T!dUgm)GHOBW_-OI(Ntbj7C)d%fqKa}Gd)NY5>GT8_`HgW!jO-B402E@B-SFbj%7AeX`7+2j=L5&Zoxrd#1TGxbX_Aq4^$Uy@M< zmr0($1gZRkG07A7H8Y+s7veVrBnQRsk+gq`^CKBf_%X9bpulzZ$QOeW&U{GcXOr9H zi~XntQA^jqqn)yu@W zaN^O3>mT+R+ZOw&6b?I%_yj|CO)!Icck8_C!*jU3Bhij3$SDQGK3K@r)FTGOG-D6u z5FCQ??Cf$jK1*fn#^QzX{T*eZS^fd|Fd6Ij@eh$3b+=pi^$LEEKF5|&Z{d6JOK&X1 z_u;|uT}{H6(=7@Seq6X4P<97fe=aD!%20Hkcka2x_!nu<7w|qqpRIL^hxlBSo1Xq^ zJ2s)a4{-3zA28q1rQs{>x&FABYfuPhuDyImoTnM~wM?@;Pmka%<*Wnc7TrNNW+Mde z6Fw`xf5?4;rBb=w>6!Yq!nAx#)$RaBq)BvVyPG06dD##Le-p3ne2z>_PZU(R`(O1 zxio4vr!kQD8sqLKFQSH~S$|R53F}wWpFdG>^M71OpFS~;KE(=oN_M6(S<9|W{%U<7 zI8r_uejq6Qa)9-;4BFgHhunw1uLSN3W?X+zI4&4LO~Yqw;LfS4Y4y8Cn26ka=cJ?h z^&osd1_ov+Ed5Gw4LJ!fi%OoRw>0Z- zBLhz#stZkI_X}R%KNOUZ^E0tq_%qZ0Zxr_bvwr{m{l9_vr>AptWFc{f;BIFM8%+_j z04*|I1=KJ)PmVR=>d08*)-0GlYkOZ%0j;+}-s>fi>^d@`;haDh=4#pCl+xt8xQBU%>KFZPh-6Y;8X1pu6Z z#vR!J-09EfCAbf63=xH(FYf9UmDwz+k-muEJinWw3LKuq*+l;uu};YIXGvZ`Sg(bo z7I-%OIseikJO?TA2{~=uX!piQ@O1HDys6ucJpIV^N3IVyai+jDol^HQLv(EhrQ3oK zw)=7^(D|2jP5H>UR}qwL)g4^9u13F7eBior-E%6KaU8`@I&(unCJkINI~clrv zUyh)L&|!|TgW)}N1Ro|NqWmVqKU3TIf_7)GS&zW}cACw44br?&eEJwbL*$c)5*jBX z1&o8iNz&DeUV8Taq#40Xh6QertSz69?09y*b<|uV|pAN3)RQ#}LmWU(6ckB8HJ(=`Jg~D{nEw`_1ku zJ5L^6MZjN?E=Ltp)H@f_l;@|B+mmsublLoPt1942#bl5(txL)8=l?k-$^B z8^*WO(oKjliM>Kfulx=NyW4Xm7 z{EfXXZ!qI|ZQ*#@{&@23!j5A`DYFsdq4PoMH1_+m%Vora_~&61ly1kLcn_Bff5X5B z{Z1VN`|tDfw)sK0VL~)RB+9N6uPii-Up9IXkjb*B;{AGhdapkGh+>|^-k$CJiDx`L zFMf-i2OfQ>aNghM&$};2o64Uhk6(7SLHHIU1bnk6Ao}&7^j=+`LppaZ8GUv(xsP^M ze$mT{FLo9Uyx0VMG37hSeJ`QEv+BFE`0Sr6G3lqCtKX?1n^~FRHJFx?cpuzt{NH}I z(Esga{!I{mI$&b)Jbd2i6)IX>dB@tL>p6CGvEI9Mc9RMpOlig__&Equ+e( zTS?C@sHhqMiIy^B4oTQlY_W!N3LHziYkui3X>D%`gp 
zpK9OcZlfvfe!@4+g|)fxmbvgBf)H+?c{_8|-v6rE`~P87wd~&iLVnS4dw*oLyuCl7 zaCYyHD45;*DCq3{Kbk9j#_avs?4I)X_4N0XEaG!tPY)-5Ur!Gwe_zi4r*L0S4=;aT z&j2U0uRVJ%d*fpzK-2hN%4nw@;rDpF`=C$Id^wmk!CIesD+_+IklyzRq9|XnJzzB8 zVHXiWRb64?2E#6i3CpRs3X!McycAd!3sxhKeJYwu_#ssrZFCfzmJS)#3qoCEVl$il zNFHE4x+p&^Y@hRir;JZVekO7uSN^O&yv%EW)*Jw&tp(XF)tmXmC2R%R8V@Jb)~&MC_SH7+9i}wBWwz+ z5u(OiSUa_~i8{-#cRj zD9Y)x{A#KaCSNx_ee9G4VTi z4`Ab&zu*1f;y@luL{7$Ph)qDdq-b(Kxa_+5>mLN)HsiUkX#a)?G2yBPeL2Y`lQ(Fb zlgy;}l83}^@w;YxmxUkJ=rtefhsEUh1>nw#Z4&?jD^$cN1c8V94R3Bzg@<~q#>R01|lXgjzdC6G*8WK zaWP({_&(v|a^91U?{?eeE^J*8Y*UCw%EqQ|P)weu;s2sIy~}VSWs;*LpuDMfhyI*D zTX-HIUtR&9;8XFnpmZYEtUbfPe>&jDvZd`KH$za%|2ILL`XEfZAWd!jMZ@+XteK!( z6vH0n*N~(QQ_vM-Gu@?X|35unjX=4u8&XKhpdLs6ribJ7D7|a|){{A2Cx0aKIJ)I& zj3D>SbU~d01mVdQ?2hxb#QWGoj^Gm}v(IVqf(|s!x6?ja>xbE*=6){i@La7QTUx#S z^x_%IH<#^r{ixw)UsJ!ANXE*2d$sA$0)B3HdRvVM*Hzr7ufX4=ujD~W_|SHjcun4g z=jp@oA%DX&m-i{kEGRGG(z9L85%&psdh-3ev+(}^1blc8e-b_m_|S%gc7`kXoW^Gr zpELNZ;Y0l9#r+ld*w2gb$4}t%Vtn}fOYqq=zgO{d3!ij(7=sxmX?=!bVajWAC+_o{ RVf!L1Bilb3f1UZ_{{tD0Lq7lj literal 0 HcmV?d00001 diff --git a/tests/iPhone5__1_9.3_13E237/references/sandbox_profiles.txt b/tests/iPhone5__1_9.3_13E237/references/sandbox_profiles.txt new file mode 100644 index 00000000..22a0812e --- /dev/null +++ b/tests/iPhone5__1_9.3_13E237/references/sandbox_profiles.txt 
@@ -0,0 +1,121 @@
+AGXCompilerService
+AdSheet
+AirTraffic
+BTServer
+BlueTool
+CFNetworkAgent
+CVMServer
+CommCenter
+DataActivation
+EscrowSecurityAlert
+IDSCredentialsAgent
+IDSRemoteURLConnectionAgent
+IMDPersistenceAgent
+IMRemoteURLConnectionAgent
+IMTranscoderAgent
+Lowtide
+MTLCompilerService
+MailCompositionService
+MobileBackup
+MobileCal
+MobileMaps
+MobileSlideShow
+PasteBoard
+SafariSafeBrowsing
+ScreenshotService
+StreamingUnzipService
+WebSheet
+accessoryd
+afcd
+appconduitd
+apsd
+assertiond
+cloudphotod
+com.apple.AssetCacheLocatorService
+com.apple.GSSCred
+com.apple.WebKit.Databases
+com.apple.WebKit.Networking
+com.apple.WebKit.WebContent
+com.apple.assistant.assistantd
+com.apple.bird
+com.apple.cloudd
+com.apple.datadetectors.AddToRecentsService
+com.apple.homed
+com.apple.nehelper
+com.apple.nesessionmanager
+com.apple.quicklook.QLThumbnailsService
+com.apple.rtcreportingd
+com.apple.sandboxd
+com.apple.siri.ClientFlow.ClientScripter
+com.apple.snhelper
+com.apple.tccd
+com.apple.tzlinkd
+com.apple.ubd
+container
+containermanagerd
+coresymbolicationd
+cplogd
+dataaccessd
+debugserver
+deleted
+duetexpertd
+findmydeviced
+fmfd
+ftp-proxy-embedded
+gamed
+geocorrectiond
+geod
+gizmoappd
+gputoolsd
+healthd
+iapd
+identityservicesd
+itunesstored
+keyboard
+librariand
+limitadtrackingd
+lockdownd
+lsuseractivityd
+mDNSResponder
+mediaanalysisd
+mediaserverd
+mobile-house-arrest
+mobileassetd
+nanomaild
+nanomapscd
+nanomapsgd
+navd
+network-filter
+nfcd
+nlcd
+nointernet
+nsurlsessiond
+nsurlstoraged
+online-auth-agent
+passd
+pfd
+printd
+ptpd
+quicklookd
+racoon
+replayd
+reversetemplated
+revisiond
+routined
+seld
+sharingd
+social-services
+softwareupdated
+streaming_zip_conduit
+studentd
+suggestd
+syncdefaultsd
+syslog_relay
+test-common
+transitd
+userfs_helper
+userfsd
+vibrationmanagerd
+vpn-plugins
+webinspectord
+wifiFirmwareLoader
diff --git a/tests/iPhone5__1_9.3_13E237/references/sb_ops b/tests/iPhone5__1_9.3_13E237/references/sb_ops
new file mode 100644
index 00000000..053e56d8
--- /dev/null
+++ b/tests/iPhone5__1_9.3_13E237/references/sb_ops
@@ -0,0 +1,125 @@
+default
+appleevent-send
+authorization-right-obtain
+device*
+device-camera
+device-microphone
+distributed-notification-post
+file*
+file-chroot
+file-ioctl
+file-issue-extension
+file-link
+file-map-executable
+file-mknod
+file-mount
+file-mount-update
+file-read*
+file-read-data
+file-read-metadata
+file-read-xattr
+file-revoke
+file-search
+file-unmount
+file-write*
+file-write-create
+file-write-data
+file-write-flags
+file-write-mode
+file-write-owner
+file-write-setugid
+file-write-times
+file-write-unlink
+file-write-xattr
+generic-issue-extension
+qtn-user
+qtn-download
+qtn-sandbox
+hid-control
+iokit*
+iokit-issue-extension
+iokit-open
+iokit-set-properties
+iokit-get-properties
+ipc*
+ipc-posix*
+ipc-posix-issue-extension
+ipc-posix-sem
+ipc-posix-shm*
+ipc-posix-shm-read*
+ipc-posix-shm-read-data
+ipc-posix-shm-read-metadata
+ipc-posix-shm-write*
+ipc-posix-shm-write-create
+ipc-posix-shm-write-data
+ipc-posix-shm-write-unlink
+ipc-sysv*
+ipc-sysv-msg
+ipc-sysv-sem
+ipc-sysv-shm
+job-creation
+load-unsigned-code
+lsopen
+mach*
+mach-bootstrap
+mach-cross-domain-lookup
+mach-host*
+mach-host-exception-port-set
+mach-host-special-port-set
+mach-issue-extension
+mach-lookup
+mach-per-user-lookup
+mach-priv*
+mach-priv-host-port
+mach-priv-task-port
+mach-register
+mach-task-name
+network*
+network-inbound
+network-bind
+network-outbound
+nvram*
+nvram-delete
+nvram-get
+nvram-set
+user-preference*
+user-preference-read
+user-preference-write
+process*
+process-exec*
+process-exec-interpreter
+process-fork
+process-info*
+process-info-listpids
+process-info-pidinfo
+process-info-pidfdinfo
+process-info-pidfileportinfo
+process-info-setcontrol
+process-info-dirtycontrol
+process-info-rusage
+pseudo-tty
+signal
+sysctl*
+sysctl-read
+sysctl-write
+system*
+system-acct
+system-audit
+system-chud
+system-debug
+system-fsctl
+system-info
+system-kext*
+system-kext-load
+system-kext-unload
+system-kext-query
+system-mac-label
+system-nfssvc
+system-privilege
+system-reboot
+system-sched
+system-set-time
+system-socket
+system-suspend-resume
+system-swap
+system-write-bootstrap
diff --git a/tests/test.py b/tests/test.py
new file mode 100755
index 00000000..98ddf25c
--- /dev/null
+++ b/tests/test.py
@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+
+from datetime import datetime
+import pathlib
+import os
+import subprocess
+
+DIRNAME = os.path.dirname(os.path.abspath(__file__))
+MAINDIR = os.path.dirname(DIRNAME)
+
+def compare_directories(actual:pathlib.Path, expected: pathlib.Path):
+ actual_files = sorted(f.relative_to(actual) for f in actual.rglob("*") if f.is_file())
+ expected_files = sorted(f.relative_to(expected) for f in expected.rglob("*") if f.is_file())
+
+ assert actual_files == expected_files, "Mismatch in file names/structure"
+
+ for rel_path in actual_files:
+ actual_content = (actual / rel_path).read_bytes()
+ expected_content = (expected / rel_path).read_bytes()
+ assert actual_content == expected_content, f"Mismatch in file: {rel_path}"
+
+
+def build_image():
+ name = f'sandblaster-{datetime.now().strftime("%d_%m_%Y__%H_%M")}'
+
+ subprocess.run([
+ "docker", "build", "-t", name, MAINDIR
+ ])
+
+ return name
+
+def start_run(container_name):
+ run_name = f"run_{container_name}"
+
+ subprocess.run([
+ "docker", "run",
+ "-v", os.path.join(DIRNAME, "iPhone5__1_9.3_13E237") + ":" + "/test",
+ "--rm", "-dit", "--name", run_name, container_name
+ ])
+
+ return run_name
+
+def stop_run(container_name, run_name):
+ subprocess.run([
+ "docker", "stop", run_name
+ ])
+
+
+def test_iphone5_13E237(run_name, update_refs = False):
+ print(f'Running extract_sandbox_data on firmware 9.3...')
+
+ subprocess.run([
+ "docker", "exec", run_name,
+ "rm", "-rf", "/test/outputs/*"
+ ])
+
+ subprocess.run([ #"echo",
+ "docker", "exec", run_name,
+ "/sandblaster/helpers/extract_sandbox_data.py", "-o", "/test/outputs/sb_ops", "/test/inputs/sandbox.kext", "9.3"
+ ])
+
+ subprocess.run([ #"echo",
+ "docker", "exec", run_name,
+ "/sandblaster/helpers/extract_sandbox_data.py", "-O", "/test/outputs", "/test/inputs/sandbox.kext", "9.3"
+ ])
+
+ subprocess.run([ #"echo",
+ "docker", "exec", run_name,
+ "mkdir", "/test/outputs/rev_profiles"
+ ])
+
+ subprocess.run([# "echo",
+ "docker", "exec", run_name,
+ "sh", "-c", "cd /sandblaster/reverse-sandbox/ && python2.7 reverse_sandbox.py -r 9.3 -o /test/outputs/sb_ops -d /test/outputs/rev_profiles/ /test/outputs/sandbox_bundle -psb > /test/outputs/sandbox_profiles.txt"
+ ])
+
+ subprocess.run([ #"echo",
+ "docker", "exec", run_name,
+ "sh", "-c", "cd /sandblaster/reverse-sandbox/ && python2.7 reverse_sandbox.py -r 9.3 -o /test/outputs/sb_ops -d /test/outputs/rev_profiles/ /test/outputs/sandbox_bundle"
+ ])
+
+ if update_refs:
+ subprocess.run([
+ "docker", "exec", run_name,
+ "rm", "-rf", "/test/references"
+ ])
+
+ subprocess.run([
+ "docker", "exec", run_name,
+ "cp", "-r", "/test/outputs", "/test/references"
+ ])
+
+ return
+
+ print(f'Comparing results...')
+
+ output_dir = pathlib.Path(DIRNAME, "iPhone5__1_9.3_13E237", "outputs")
+ reference_dir = pathlib.Path(DIRNAME, "iPhone5__1_9.3_13E237", "references")
+
+ try:
+ compare_directories(output_dir, reference_dir)
+
+ print("[PASS] iPhone5_13E237 :)")
+ except AssertionError as err:
+ print(f"[FAIL] iPhone5_13E237 - {err}")
+
+
+def main():
+ container_name = build_image()
+
+ run_name = start_run(container_name)
+
+ test_iphone5_13E237(run_name, True)
+
+ stop_run(container_name, run_name)
+
+
+main()
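Review bot: `main()` calls `test_iphone5_13E237(run_name, True)`, so every run takes the `update_refs` branch — it deletes `/test/references`, copies the fresh outputs over it and returns before `compare_directories` is ever reached, which means this test can never fail and the checked-in references are silently replaced by whatever the tools produced. Call `test_iphone5_13E237(run_name)` by default and gate regeneration behind an explicit command-line flag. None of the `subprocess.run` calls pass `check=True`, so a failed `docker build`, `docker run` or `docker exec` is ignored and the script carries on (with `update_refs` it would then commit broken output as the new reference); add `check=True` to each call. The cleanup `["docker", "exec", run_name, "rm", "-rf", "/test/outputs/*"]` runs without a shell, so the `*` is passed to `rm` literally and stale files from a previous run survive into the comparison; use `"sh", "-c", "rm -rf /test/outputs/*"` as the later commands already do. `main()` is also invoked unconditionally at module level, so merely importing or collecting this file (e.g. under pytest) builds a Docker image; guard it with `if __name__ == "__main__": main()`.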