System Integrity Protection Goodies

Real easter eggs are long gone from macOS. But here are some interesting goodies I found while poking around in /System/Library/Sandbox. There's rootless.conf, which is a straightforward list of paths protected by SIP.

Then there's the Profiles folder, which has grown from 123 files in 10.14 to 159 files in 10.15. You'd think it had simply gained 36 more things protected by SIP, but a number of files that exist in 10.14 are gone in 10.15. Here are the 6 files not in 10.15.

com.apple.AppleMediaServices.sb
com.apple.ModernizerXPC.sb
com.apple.pictd.sb
com.apple.qtkitserver.sb
com.apple.qtkittrustedmoviesservice.sb
com.apple.ReportPanicService.sbiosmac.sb

These existed in 10.14 but not in 10.15. Presumably whatever these profiles covered is handled some other way in 10.15.

But, as expected, there are quite a few new files and protections. Here's the list of the 43 new ones in 10.15.

com.apple.amp.mediasharingd.sb
com.apple.analyticsd.sb
com.apple.ap.adservicesd.sb
com.apple.AppSSOAgent.sb
com.apple.appstoreagent.sb
com.apple.appstored.sb
com.apple.audio.carpd.sb
com.apple.ContextStoreAgent.sb
com.apple.coredatad.sb
com.apple.corespeechd.sb
com.apple.dprivacyagentd.sb
com.apple.email.maild.sb
com.apple.endpointsecurity.endpointsecurityd.sb
com.apple.fileproviderd.sb
com.apple.heard.sb
com.apple.imagent.sb
com.apple.IMAutomaticHistoryDeletionAgent.sb
com.apple.imdpersistence.IMDPersistenceAgent.sb
com.apple.iMessage.addressbook.sb
com.apple.iMessage.shared.sb
com.apple.imtranscoding.IMTranscoderAgent.sb
com.apple.imtransferservices.IMTransferAgent.sb
com.apple.KeyboardAccessAgent.sb
com.apple.lockoutagent.sb
com.apple.lskdd.sb
com.apple.metrickitd.sb
com.apple.normalizerd.sb
com.apple.passd.sb
com.apple.photolibraryd.sb
com.apple.replayd.sb
com.apple.rpcbind.sb
com.apple.securityd.sb
com.apple.securitydservice.sb
com.apple.sysextd.sb
com.apple.transparencyd.sb
com.apple.usermanagerhelper.sb
nfcd.sb
nfrestore_service.sb
quicklook-preview.sb
quicklook-thumbnail.sb
recoverylogd.sb
seld.sb
usernoted.sb

In part this makes sense, since things like the Endpoint Security framework and the single sign-on extension didn't exist in 10.14. But I'm surprised that SIP protection for the App Store, email, and iMessage was only added in 10.15.

Some of the sandbox files, like com.apple.PIPAgent.sb, are just straight up empty, with no real content.

The fun, though, is the comments in these sandbox files.

There are 56 comments containing rdar://problem/ followed by an 8-digit number, and many more containing bare 8-digit numbers that are probably radar references as well. Some of these radar references already appear in the 10.14 versions of the same files. It's hard to know whether those bugs were fixed and the comments never updated, or whether they still exist.
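As an added example (not code from this post or from Apple), here is a small Python scanner that does the kind of comment mining described above. It treats a .sb profile as Scheme-like SBPL text, separates `;` comments from code, collects `rdar://problem/` ids and bare 8-digit numbers found in comments, and lists the operations named in top-level `(allow ...)` / `(deny ...)` forms. The sample profile embedded in the script is constructed for illustration and is not copied from any Apple file; `scan_directory()` runs the same logic over a real /System/Library/Sandbox/Profiles directory.

```python
"""Scan macOS sandbox profiles (.sb) for radar references and top-level rules.

Added example, not code from the original post. SBPL is Scheme-like: ';'
starts a comment to end of line, rules are parenthesised forms.
"""
import re
from pathlib import Path

RDAR_RE = re.compile(r"rdar://problem/(\d{8})")
# a bare 8-digit run not glued to a word character or a '/' (so rdar URLs are skipped)
BARE_NUM_RE = re.compile(r"(?<![\w/])(\d{8})(?!\w)")

# Constructed sample profile: the wording mimics the style of the real files
# but is not copied from any Apple profile.
SAMPLE_PROFILE = """\
(version 1)
(deny default)
;;; For instructions on how to sandbox a daemon, see the internal wiki.
(import "system.sb")
;; FIXME: should not need file-link, see rdar://problem/12345678
(allow file-read* file-write* (subpath "/private/var/db/example"))
;; 87654321 - debug-only, only on internal builds
(allow mach-lookup (global-name "com.apple.example.xpc"))
;(allow default (with report))
(deny file-write* (literal "/etc/example.conf"))
"""


def split_comments(text):
    """Return (comment_lines, code_text). A ';' outside a double-quoted
    string starts a comment that runs to the end of the line."""
    comments, code_parts = [], []
    for line in text.splitlines():
        in_str, cut = False, None
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == ";" and not in_str:
                cut = i
                break
        if cut is None:
            code_parts.append(line)
        else:
            code_parts.append(line[:cut])
            comments.append(line[cut:])
    return comments, "\n".join(code_parts)


def radar_refs(comments):
    """Explicit rdar://problem/ ids and bare 8-digit numbers in the comments."""
    explicit, bare = set(), set()
    for c in comments:
        explicit.update(RDAR_RE.findall(c))
        # drop the explicit refs so their digits are not counted a second time
        bare.update(BARE_NUM_RE.findall(RDAR_RE.sub("", c)))
    return sorted(explicit), sorted(bare)


def top_level_forms(code):
    """Yield each top-level S-expression by tracking paren depth (string-aware)."""
    depth, start, in_str = 0, None, False
    for i, ch in enumerate(code):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and start is not None:
                yield code[start:i + 1]
                start = None


def rules(code):
    """Return [(verb, operation)] for every top-level (allow ...)/(deny ...) form.
    Operations are the bare symbols before the first filter sub-form."""
    out = []
    for form in top_level_forms(code):
        tokens = form[1:-1].split()
        if not tokens or tokens[0] not in ("allow", "deny"):
            continue
        for tok in tokens[1:]:
            if tok.startswith("("):
                break
            out.append((tokens[0], tok))
    return out


def scan_profile(text):
    comments, code = split_comments(text)
    explicit, bare = radar_refs(comments)
    return {"comment_count": len(comments), "rdar": explicit,
            "bare_numbers": bare, "rules": rules(code)}


def scan_directory(path="/System/Library/Sandbox/Profiles"):
    """Scan every .sb file in path; returns {filename: scan result}."""
    return {p.name: scan_profile(p.read_text(errors="replace"))
            for p in sorted(Path(path).glob("*.sb"))}


if __name__ == "__main__":
    print(scan_profile(SAMPLE_PROFILE))
```

Run over the real Profiles directory on two OS versions, the per-file radar lists can be diffed directly, which answers the "were these fixed or just never updated?" question a lot faster than reading 159 files by hand.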

Then there’s a reference to an internal Apple wiki.

Line 7–8

;;; For instructions on how to sandbox a daemon, check out the core os wiki.
;;; https://confluence.sd.apple.com/display/OSSEC/Sandbox+Manual

The radars and the link to confluence.sd.apple.com are probably the most interesting comments, at least to me. Some comments explain how SIP works for that part of the OS. I’m not going to list every interesting comment or everything that was probably meant as an internal note. These are plain text files, but to give an idea, below are some of the comments found in them. My favorites are in com.apple.UIKitSystemApp.sb, com.apple.email.maild.sb, and com.apple.diagnosticd.sb.

Line 38

“Always allow stat’ing of path components of firmlink targets.”

Line 89–90

; 2. os_log() custom formatters may be read + mapped in-process.
; Only allow on internal builds, otherwise this would be “inject code here (TM)”

Line 9

;; We call LaunchServices to resolve which app can open a given activity type. LaunchServices reads the filesystem to make sure that app still exists. Furthermore, apps can exist anywhere on the filesystem on a Mac. Hence, this is necessary.

Line 68

;; Things needed for debugging, only if it’s a debug server

Line 5

;;; Created by rbishopjr on 4/25/18.

Line 42–49

;; Security.framework
; mds: mds.lock, mdsDirectory.db, mdsObject.db
; 1. extension "mds"
; uid == 0: r+w /private/var/db/mds/system
; uid > 0: r+w <_DARWIN_USER_CACHE_DIR>/mds
; 2. /private/var/db/mds/system/{mdsDirectory.db,mdsObject.db}
; uid == 0: r+w (already covered by (extension "UIKitSystemApp:mds"))
; uid > 0: r

Line 54–56

; 3. se_SecurityMessages:
; uid < 500: /private/var/db/mds/messages/se_SecurityMessages
; uid >= 500: /private/var/db/mds/messages/<uid>/se_SecurityMessages

Line 87

;; AuthKit needs some weird things

Line 21–23

;; TODO: as a daemon, we don’t actually have a home directory.
;; Perhaps we should remove these boilerplate rules
;;; Homedir-relative path filters

Line 75

;; Talking to our friend daemons that start and manage the various kinds of extensions

Line 90–9

;; Check AMFITrustedKeys for validating "anchor apple" signatures
;; Copied from Security’s framework.sb (why don’t we get it automatically?)
;; On internal builds, allow clients to read the AMFITrustedKeys NVRAM variable

Line 75–77

; Files received from teachers need to be moved to a hidden folder inside the Downloads
; folder so the AirDrop UI can see them. Once the user accepts the transfer, the files
; need to be moved from the hidden folder to the top level of the Downloads folder.

Line 28

;TODO: Check if we need this

Line 7–8

;; lockerctl enters this sandbox when it does a dry run migration to prevent it
;; from inadvertently modifying the system partition.

Line 37–41

;; File access
;; FIXME:
;; 1. Does replayd get sandbox extensions for filesystem locations?
;; 2. Or does it need (allow file-read*)?
;; 3. Alternatively, could this reasonably be restricted to a few locations?

Line 13–16

;; Debugging lines. Enable these and disable the three lines above if you need to make changes or otherwise tinker with this.
;(allow default (with report))
;(allow file-map-executable iokit-get-properties process-info* nvram* (with report))
;(allow dynamic-code-generation (with report))

Line 43–44

;; Your preference domain
;; TODO: Replace ${PRODUCT_BUNDLE_IDENTIFIER} with the actual bundle identifier.

Line 39–44

;;; UUID of the form: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
;;; That’s 8X-4X-4X-4X-12X; where X = "[0-9A-F]", length(X) = 8
;;; Return a regex string which matches capital hex digit patterns
;;; pattern descriptor is a list of integers where the element specifies the repeat
;;; count of the hex digit; 0 means insert a dash
;;; You can paste these functions into: https://repl.it/languages/Scheme
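The comment above describes a little Scheme helper; as an added example (not the code from the Apple profile, which is not reproduced on this page), here is a Python version of what it describes. Each positive integer in the descriptor emits that many upper-case hex digits and a 0 emits a dash, so `[8, 0, 4, 0, 4, 0, 4, 0, 12]` yields a canonical UUID pattern. The character class is repeated n times rather than written as `[0-9A-F]{n}` so the output also works in regex dialects without counted repetition. The `sbpl_regex_filter` helper, which wraps the result in the `(regex #"...")` filter form seen in the profiles, is my own addition for illustration, not an Apple API.

```python
"""Generate a regex for upper-case hex digit patterns from a descriptor list.

Added example, not the Scheme code from the Apple profile.
"""
import re

HEX_CLASS = "[0-9A-F]"
# 8X-4X-4X-4X-12X, i.e. a canonical upper-case UUID
UUID_DESCRIPTOR = [8, 0, 4, 0, 4, 0, 4, 0, 12]


def hex_pattern(descriptor):
    """Return a regex string: n > 0 -> n upper-case hex digits, 0 -> a literal dash."""
    parts = []
    for n in descriptor:
        if n == 0:
            parts.append("-")
        elif n > 0:
            parts.append(HEX_CLASS * n)  # repeated class, no {n} quantifier
        else:
            raise ValueError("descriptor entries must be >= 0")
    return "".join(parts)


def uuid_regex():
    """Regex matching exactly one canonical upper-case UUID."""
    return hex_pattern(UUID_DESCRIPTOR)


def matches(descriptor, value):
    """True if value is exactly one instance of the pattern (anchored, case-sensitive)."""
    return re.fullmatch(hex_pattern(descriptor), value) is not None


def sbpl_regex_filter(path_prefix, descriptor):
    """Render an anchored (regex #"...") path filter for path_prefix/<pattern>.
    Hypothetical helper for illustration; the #"..." literal is the regex
    filter form that appears in Apple's sandbox profiles."""
    return f'(regex #"^{re.escape(path_prefix)}/{hex_pattern(descriptor)}$")'


if __name__ == "__main__":
    print(uuid_regex())
    for sample in ("0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
                   "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",   # lower-case hex: rejected
                   "0F1E2D3C-4B5A-6978-8796"):               # missing last group: rejected
        print(sample, matches(UUID_DESCRIPTOR, sample))
    print(sbpl_regex_filter("/private/var/db/example", UUID_DESCRIPTOR))
```

Note that the pattern is deliberately case-sensitive, matching the "capital hex digit" wording in the comment: a filter built this way will not match a lower-case UUID in a path.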

Line 8

; FIXME: maild shouldn’t need file-link, but we didn’t log for it. Too risky for macOSJazz GM.

Line 10

;; Cargo-culted from “How To Sandbox a Daemon on macOS”

Line 44–45

; The calls we make to Security.framework require a bunch of sandbox exceptions. Someday they’ll make a security.sb file that
; we can just import, but until then, I need all of this to be included here.

Line 15–22

; Synchronize preferences for current user
; 1. Stat any user’s home dir (e.g. /private/var/root, /Users/<username>)
; 2. .*/Library/Preferences/com.apple.CoreBrightness.plist
; CFPreferencesSynchronize("com.apple.CoreBrightness", kCFPreferencesCurrentUser, kCFPreferencesAnyHost)
; ==> -[_CFXPreferences synchronizeIdentifier:user:host:container:]
; ==> -[_CFXPreferences(SourceAdditions) withSourceForIdentifier:user:byHost:container:cloud:perform:]
; ==> -[_CFXPreferences(SourceAdditions) withSources:] (block from withSourceForIdentifier:user:byHost:container:cloud:perform:)
; ==> __useVolatileDomainsForUser ==> __URLExists ==> _CFGetFileProperties ==> stat

Line 56–57

;; Above is from the template.
;; Below are customizations. To debug: (trace "/tmp/Sandbox.trace")

These views are my own and not the views of my employer. If you have any questions, or you’re Mr. Bishop from Apple, feel free to contact me on the MacAdmins Slack (boberito), LinkedIn (linkedin.com/in/bob-gendler-8702014), or email (bobgendler@gmail.com).

IT Specialist in the Apple world. Jamf guru, wizard of Mac Management, and mastermind of Apple trivia. The views are my own and not the views of my employer.