forked from anna328p/securityd-racer2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecurityd_sandbox_profile
493 lines (493 loc) · 25.5 KB
/
securityd_sandbox_profile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
(version 1)
(deny default)
(allow dynamic-code-generation)
(allow file-link)
(allow file-read*
(regex #"^/private/var/containers/Data/System/[^/]+/")
(regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
(require-any (literal "/dev/zero")
(literal "/dev/null"))
(require-any (subpath "/private/var/db/datadetectors/sys")
(subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.icloud.findmydevice.managed/Library"))
(require-any (subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/PublicInfo")
(subpath-prefix "${FRONT_USER_HOME}/Library/ConfigurationProfiles/PublicInfo")
(subpath-prefix "${FRONT_USER_HOME}/Library/UserConfigurationProfiles/PublicInfo"))
(literal "/dev/dtracehelper")
(require-any (literal "/dev/urandom")
(literal "/dev/random"))
(literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist")
(literal "/dev/ptmx")
(literal "/dev/aes_0")
(subpath-prefix "${HOME}/Library/Logs/com.apple.StoreServices")
(subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache")
(subpath-prefix "${HOME}/Media/iTunes_Control/iTunes")
(literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored")
(require-any (literal "/private/var/preferences/com.apple.NetworkStatistics.plist")
(literal "/private/var/preferences/com.apple.networkd.plist"))
(require-any (subpath "/System/Library/Frameworks")
(subpath "/System/Library/PrivateFrameworks"))
(literal "/usr/libexec")
(subpath "/private/var/Keychains")
(subpath-prefix "${PROCESS_TEMP_DIR}")
(subpath "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.nsurlstoragedresources/Library/dafsaData.bin")
(literal "/private/var/preferences/com.apple.security.plist")
(literal "/private/var/Managed Preferences/mobile/com.apple.SystemConfiguration.plist")
(extension "com.apple.app-sandbox.read")
(subpath "/Developer")
(literal "/private/var/Managed Preferences/mobile/.GlobalPreferences.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/Preferences/.GlobalPreferences.plist")
(subpath "/private/var/preferences/Logging")
(subpath "/System/Library")
(subpath "/usr/lib")
(subpath "/usr/share")
(subpath "/private/var/db/timezone")
(extension "com.apple.app-sandbox.read-write")
(extension "com.apple.sandbox.executable")
(extension "com.apple.security.exception.files.absolute-path.read-write")
(extension "com.apple.security.exception.files.home-relative-path.read-write")
(extension "com.apple.security.exception.files.absolute-path.read-only")
(extension "com.apple.security.exception.files.home-relative-path.read-only")
(require-all
(uid 0)
(literal "/private/etc/master.passwd"))
(require-all
(extension "com.apple.sandbox.system-container")
(require-entitlement "com.apple.security.system-container"))
(require-all
(extension "com.apple.sandbox.system-group")
(require-any
(require-entitlement "com.apple.security.system-groups"
(require-any
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))
(require-entitlement "com.apple.security.system-group-containers"
(require-any
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")))))
(require-all
(subpath "/private/var/db/diagnostics")
(extension "com.apple.logd.read-only")
(require-any
(require-entitlement "com.apple.private.logging.diagnostic")
(require-entitlement "com.apple.diagnosticd.diagnostic")))
(require-all
(require-any (subpath "/private/var/db/timesync")
(subpath "/private/var/userdata/diagnostics"))
(extension "com.apple.logd.read-only")
(require-any
(require-entitlement "com.apple.private.logging.diagnostic")
(require-entitlement "com.apple.diagnosticd.diagnostic")))
(require-all
(subpath "/private/var/db/uuidtext")
(extension "com.apple.logd.read-only")
(require-any
(require-entitlement "com.apple.private.logging.diagnostic")
(require-entitlement "com.apple.diagnosticd.diagnostic")))
(require-all
(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
(extension "com.apple.sandbox.pty"))
(require-all
(vnode-type TTY)
(require-any (regex #"/dev/ttyp[a-f0-9]")
(regex #"/dev/ptyp[a-f0-9]")))
(require-all
(vnode-type BLOCK-DEVICE)
(vnode-type CHARACTER-DEVICE)
(require-any
(literal "/private/etc/hosts")
(require-any (literal "/private/etc/group")
(literal "/private/etc/passwd")
(literal "/private/etc/protocols")
(literal "/private/etc/services"))
(literal "/")
(require-entitlement "com.apple.itunesstored.private")
(require-all
(subpath-prefix "${HOME}/Library/Assets")
(extension "com.apple.assets.read")
(require-entitlement "com.apple.private.assets.accessible-asset-types"))
(require-all
(subpath "/private/var/MobileAsset")
(extension "com.apple.assets.read")
(require-entitlement "com.apple.private.assets.accessible-asset-types"))
(require-all
(require-any (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationSetAsideDetails.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/ConfigurationProfiles/CloudConfigurationSetAsideDetails.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/UserConfigurationProfiles/CloudConfigurationSetAsideDetails.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/"))
(process-attribute 4)
(require-entitlement "com.apple.private.amfi.can-execute-cdhash"))
(require-all
(require-any (literal "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/CloudConfigurationDetails.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/ConfigurationProfiles/CloudConfigurationDetails.plist")
(literal-prefix "${FRONT_USER_HOME}/Library/UserConfigurationProfiles/CloudConfigurationDetails.plist")
(literal-prefix "${FRONT_USER_HOME}"))
(process-attribute 4)
(require-entitlement "com.apple.private.amfi.can-execute-cdhash"))
(require-all
(literal-prefix "${HOME}/Library/Caches/PassKit/cache.plist")
(require-entitlement "com.apple.private.contactsui"))
(require-all
(literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
(require-entitlement "com.apple.private.contactsui"))
(require-all
(require-any (literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db")
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-wal")
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-journal")
(literal-prefix "${HOME}/Library/CoreDuet/People"))
(require-entitlement "com.apple.coreduetd.people"))
(require-all
(literal-prefix "${HOME}/Library/CoreDuet/People/interactionC.db-shm")
(require-entitlement "com.apple.coreduetd.people"))))
(require-all
(extension "com.apple.assets.read")
(require-any
(subpath-prefix "${HOME}/Library/Assets")
(subpath "/private/var/MobileAsset")))
(require-all
(subpath "/AppleInternal")
(debug-mode))
(require-all
(subpath "/usr/local/lib")
(debug-mode))
(require-all
(subpath-prefix "${FRONT_USER_HOME}/XcodeBuiltProducts")
(debug-mode)))
(allow file-read-metadata
(regex #"^/private/var/containers/Data/System/[^/]+/")
(vnode-type DIRECTORY)
(vnode-type SYMLINK)
(literal-prefix "${HOME}/Library/Preferences")
(literal-prefix "${HOME}")
(literal-prefix "${HOME}/Library/Caches/powerlog.launchd")
(literal "/private/var/run/syslog")
(extension "com.apple.app-sandbox.read-write")
(extension "com.apple.security.exception.files.absolute-path.read-write")
(extension "com.apple.security.exception.files.home-relative-path.read-write")
(extension "com.apple.app-sandbox.read")
(require-all
(extension "com.apple.sandbox.system-group")
(require-any
(require-entitlement "com.apple.security.system-groups")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
(require-entitlement "com.apple.security.system-group-containers")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
(require-all
(literal-prefix "${HOME}")
(require-any
(require-entitlement "com.apple.private.assets.accessible-asset-types")
(require-entitlement "com.apple.itunesstored.private")
(require-entitlement "com.apple.bulletinboard.dataprovider")
(require-entitlement "com.apple.itunesstored.private")
(require-entitlement "com.apple.coreduetd.allow")))
(require-all
(literal-prefix "${HOME}/Library/Preferences")
(require-any
(require-entitlement "com.apple.private.assets.accessible-asset-types")
(require-entitlement "com.apple.itunesstored.private")
(require-entitlement "com.apple.bulletinboard.dataprovider")
(require-entitlement "com.apple.itunesstored.private")
(require-entitlement "com.apple.coreduetd.allow")))
(require-all
(subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache")
(require-entitlement "com.apple.itunesstored.private"))
(require-all
(vnode-type DIRECTORY)
(literal-prefix "${HOME}/Library/Caches/sharedCaches")
(require-entitlement "com.apple.itunesstored.private"))
(require-all
(literal-prefix "${HOME}/Library/Caches/sharedCaches")
(require-entitlement "com.apple.itunesstored.private"))
(require-all
(process-attribute 4)
(require-any
(literal-prefix "${HOME}")
(literal-prefix "${HOME}/Library/Preferences")
(vnode-type DIRECTORY)))
(require-all
(debug-mode)
(require-entitlement "platform-application"))
(require-all
(extension "com.apple.sandbox.system-container")
(require-entitlement "com.apple.security.system-container")))
(allow file-test-existence)
(allow file-write*
(subpath-prefix "${PROCESS_TEMP_DIR}")
(subpath-prefix "${HOME}/Library/Logs/com.apple.StoreServices")
(subpath-prefix "${HOME}/Library/Caches/sharedCaches/com.apple.iTunesStore.NSURLCache")
(subpath-prefix "${HOME}/Media/iTunes_Control/iTunes")
(literal-prefix "${HOME}/Library/Cookies/com.apple.itunesstored")
(subpath "/private/var/Keychains")
(extension "com.apple.security.exception.files.absolute-path.read-write")
(extension "com.apple.security.exception.files.home-relative-path.read-write")
(extension "com.apple.app-sandbox.read-write")
(require-all
(extension "com.apple.sandbox.system-container")
(require-entitlement "com.apple.security.system-container"))
(require-all
(regex #"^/private/var/containers/Data/System/[^/]+/[.]com[.]apple[.]")
(regex #"^/private/var/containers/Data/System/[^/]+/"))
(require-all
(extension "com.apple.sandbox.system-group")
(require-any
(require-entitlement "com.apple.security.system-groups")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")
(require-entitlement "com.apple.security.system-group-containers")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/")))
(require-all
(vnode-type BLOCK-DEVICE)
(vnode-type CHARACTER-DEVICE)
(require-any
(require-entitlement "com.apple.itunesstored.private")
(require-all
(literal-prefix "${HOME}/Library/Preferences/com.apple.mobilephone.speeddial.plist")
(require-entitlement "com.apple.private.contactsui")))))
(allow file-write-create
(require-all
(require-not (literal-prefix "${HOME}/Library/Logs/CrashReporter/CFNetwork_"))
(vnode-type DIRECTORY)
(literal-prefix "${HOME}/Library/Caches/sharedCaches")
(require-entitlement "com.apple.itunesstored.private")))
(allow file-write-data
(literal "/dev/ptmx")
(literal "/dev/aes_0")
(require-all
(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")
(extension "com.apple.sandbox.pty"))
(require-all
(vnode-type TTY)
(require-any (regex #"/dev/ttyp[a-f0-9]")
(regex #"/dev/ptyp[a-f0-9]")))
(require-all
(require-all (require-not (literal "/dev/urandom"))
(require-not (literal "/dev/random")))
(require-any
(literal "/dev/dtracehelper")
(require-any (literal "/dev/zero")
(literal "/dev/null")))))
(allow file-write-mode
(require-all
(extension "com.apple.sandbox.pty")
(regex #"^/dev/ttys[0-9]" #"^/dev/ttys[0-9]+")))
(allow file-write-xattr
(regex #"^/private/var/containers/Data/System/[^/]+/" #"^/private/var/containers/Data/System/[^/]+$")
(require-all
(xattr "com.apple.metadata:com_apple_backup_excludeItem")
(require-any
(require-all
(extension "com.apple.sandbox.system-container")
(require-entitlement "com.apple.security.system-container"))
(require-all
(extension "com.apple.sandbox.system-group")
(require-any
(require-entitlement "com.apple.security.system-groups")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$")
(require-entitlement "com.apple.security.system-group-containers")
(regex #"^/private/var/containers/Shared/SystemGroup/[^/]+/" #"^/private/var/containers/Shared/SystemGroup/[^/]+$"))))))
(allow iokit-open
(iokit-user-client-class "AppleCredentialManagerUserClient"))
(allow iokit-get-properties)
(allow mach-cross-domain-lookup)
(allow mach-lookup
(require-any (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.NetworkInformation"))
(require-any (global-name "com.apple.SystemConfiguration.helper")
(global-name "com.apple.SystemConfiguration.PPPController"))
(global-name "com.apple.nesessionmanager")
(global-name "com.apple.coreduetd")
(global-name "com.apple.coreduetd.people")
(global-name "com.apple.suggestd.PersonalizationPortrait.DeletionTracking")
(global-name "com.apple.system.libinfo.muser")
(require-any (global-name "com.apple.ctkd.token-client")
(global-name "com.apple.CoreAuthentication.daemon.libxpc")
(global-name "com.apple.managedconfiguration.profiled.public"))
(34 a6d4 a3bf 9cd4)
(local-name "com.apple.cfprefsd.agent")
(global-name "com.apple.diagnosticd")
(global-name "com.apple.distributed_notifications@1v3")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger")
(require-any (global-name "com.apple.assertiond.processassertionconnection")
(global-name "com.apple.coreservices.lsuseractivitymanager.xpc")
(global-name "com.apple.lsd.icons"))
(require-any (global-name "com.apple.lsd.advertisingidentifiers")
(global-name "com.apple.lsd.openurl"))
(global-name "com.apple.logd.events")
(global-name "com.apple.aggregated")
(require-any (global-name "com.apple.appsupport.cplogd")
(global-name "com.apple.xpcd")
(global-name "com.apple.dyld.closured"))
(global-name "com.apple.lsd.mapdb")
(require-any (global-name "com.apple.lsd.open")
(global-name "com.apple.lsd")
(global-name "com.apple.duetknowledged.activity"))
(global-name "com.apple.tccd")
(global-name "com.apple.logd")
(global-name "com.apple.containermanagerd")
(global-name "com.apple.mobilegestalt.xpc")
(require-any (global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.cfprefsd.agent"))
(require-any (global-name "com.apple.security.swcagent")
(global-name "com.apple.security.cloudkeychainproxy3")
(global-name "com.apple.security.keychainsyncingoveridsproxy"))
(global-name "com.apple.hangtracerd")
(global-name "com.apple.ReportCrash.SimulateCrash")
(global-name "com.apple.pluginkit.pkd")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SharedWebCredentials")
(extension "com.apple.pluginkit.plugin-service")
(global-name "com.apple.awdd")
(global-name "com.apple.cloudd")
(global-name "com.apple.apsd")
(global-name "com.apple.commcenter.cupolicy.xpc")
(global-name "com.apple.iokit.powerdxpc")
(global-name "com.apple.powerlog.plxpclogger.xpc")
(global-name "com.apple.nehelper")
(global-name "com.apple.GSSCred")
(global-name "com.apple.accountsd.accountmanager")
(require-any (global-name "com.apple.cookied")
(global-name "com.apple.cfnetwork.AuthBrokerAgent")
(global-name "com.apple.cfnetwork.cfnetworkagent")
(global-name "com.apple.nsurlstorage-cache"))
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.commcenter.xpc")
(global-name "com.apple.trustd")
(global-name "com.apple.nsurlsessiond")
(global-name "com.apple.networkd")
(global-name "com.apple.usymptomsd")
(require-any (global-name "com.apple.symptomsd")
(global-name "com.apple.symptoms.symptomsd.managed_events"))
(global-name "com.apple.securityd")
(require-any (global-name "com.apple.mobileassetd")
(global-name "com.apple.mobileassetd.v2"))
(require-entitlement "com.apple.itunesstored.private"
(require-any
(require-any (global-name "com.apple.appstored.xpc.jobmanager")
(global-name "com.apple.appstored.xpc.request"))
(global-name "com.apple.itunesstored.xpc")
(global-name "com.apple.appstored.xpc.updates")))
(require-entitlement "com.apple.coreduetd.allow")
(require-all
(require-any (global-name "com.apple.mobileassetd")
(global-name "com.apple.mobileassetd.v2"))
(require-entitlement "com.apple.private.assets.accessible-asset-types"))
(require-all
(global-name "com.apple.rtcreportingd")
(require-entitlement "com.apple.private.rtcreportingd"))
(require-all
(global-name "com.apple.nfcd.service.corenfc")
(require-entitlement "com.apple.developer.nfc.readersession.formats"))
(require-all
(global-name "com.apple.ibooks.BLService")
(require-entitlement "com.apple.itunesstored.private"))
(require-all
(global-name "com.apple.corecaptured")
(require-entitlement "com.apple.corecapture.manager-access"))
(require-all
(global-name "com.apple.adid")
(require-entitlement "adi-client"))
(require-all
(global-name "com.apple.absd")
(require-entitlement "abs-client"))
(require-all
(require-any (global-name "com.apple.absd")
(global-name "com.apple.absinthed"))
(require-entitlement "absinthe-client"))
(require-all
(global-name "com.apple.contactsd.launch-services-proxy")
(require-entitlement "com.apple.private.contactsui"))
(require-all
(global-name "com.apple.biometrickitd")
(require-entitlement "com.apple.private.bmk.allow"))
(require-all
(global-name "com.apple.pearld")
(require-entitlement "com.apple.private.bmk.allow"))
(require-all
(global-name "com.apple.dprivacyd")
(require-entitlement "com.apple.private.dprivacyd.allow"))
(require-all
(global-name "com.apple.telephonyutilities.callservicesdaemon.callprovidermanager")
(require-entitlement "com.apple.telephonyutilities.callservicesd"))
(require-all
(global-name "com.apple.logd.admin")
(require-any
(require-entitlement "com.apple.private.logging.diagnostic")
(require-entitlement "com.apple.diagnosticd.diagnostic")))
(require-all
(global-name "com.apple.springboard.statusbarservices")
(require-entitlement "com.apple.springboard.statusbarstyleoverrides"))
(require-all
(global-name "com.apple.passd.trusted-device-enrollment-info-provider")
(require-entitlement "com.apple.private.passkit.trusted-device-enrollment-info"))
(require-all
(global-name "com.apple.bulletinboard.dataproviderconnection")
(require-entitlement "com.apple.bulletinboard.dataprovider"))
(require-all
(global-name "com.apple.appstored.xpc.updates")
(require-entitlement "com.apple.appstored.update-apps"))
(require-all
(require-any (global-name "com.apple.appstored.xpc.jobmanager")
(global-name "com.apple.appstored.xpc.request"))
(require-entitlement "com.apple.appstored.install-apps"))
(require-all
(global-name "com.apple.coreduetd.people")
(require-entitlement "com.apple.coreduetd.people"))
(require-all
(global-name "com.apple.symptom_diagnostics")
(require-entitlement "com.apple.symptom_diagnostics.report"))
(require-all
(process-attribute 4)
(require-any
(global-name "com.apple.analyticsd")
(global-name "com.apple.Honeybee.event-notify")))
(require-all
(debug-mode)
(require-entitlement "platform-application"))
(require-all
(extension "com.apple.security.exception.mach-lookup.local-name")
(local-name-regex #".+"))
(require-all
(extension "com.apple.security.exception.mach-lookup.global-name")
(global-name-regex #".+"))
(require-all
(global-name "com.apple.ak.anisette.xpc")
(require-any
(require-entitlement "com.apple.authkit.client")
(require-entitlement "com.apple.authkit.client.private")
(require-entitlement "com.apple.authkit.client.internal")
(require-all
(process-attribute 4)
(require-entitlement "com.apple.private.amfi.can-execute-cdhash"))))
(require-all
(global-name "com.apple.ak.auth.xpc")
(require-any
(require-entitlement "com.apple.authkit.client")
(require-entitlement "com.apple.authkit.client.private")
(require-entitlement "com.apple.authkit.client.internal")
(require-all
(process-attribute 4)
(require-entitlement "com.apple.private.amfi.can-execute-cdhash"))))
(require-all
(global-name "com.apple.networkd_privileged")
(require-any
(require-entitlement "com.apple.networkd.advisory_socket")
(require-entitlement "com.apple.networkd.disable_opportunistic")
(require-entitlement "com.apple.networkd.modify_settings")
(require-entitlement "com.apple.networkd.persistent_interface")
(require-entitlement "com.apple.networkd_privileged"))))
(allow nvram*)
(allow nvram-delete)
(allow nvram-get)
(allow nvram-set)
(allow process-info*)
(allow process-info-codesignature)
(allow process-info-dirtycontrol)
(allow process-info-listpids)
(allow process-info-rusage)
(allow process-info-pidinfo)
(allow process-info-pidfdinfo)
(allow process-info-pidfileportinfo)
(allow process-info-setcontrol)
(allow pseudo-tty)
(allow socket-ioctl)
(allow system-privilege)