What happened?
Decompiled profiles are missing the delegate and autobox terminals/actions. For example, the baseline profile on iOS 23B85 has autobox actions that are guarded by (profile-flag "autobox-client") but those are mapped to allow by ipsw sb dec. autobox without restrictive-default turns into allow, autobox with restrictive-default turns into deny. Sandbox.kext treats autobox terminals the way you do during evaluation if a process does not have an autobox profile. But for healthd there's "/System/Library/Frameworks/HealthKit.framework/healthd" in the autobox collection, which, from my testing on vphone 26.1-23B85, is assigned to healthd at runtime and used in the delegation handler.
This also causes ipsw sb query and ipsw sb reach to produce inaccurate results, I think.
How can we reproduce this?
```shell
ipsw download ipsw --device iPhone17,3 --build 23B85 --kernel --confirm && ipsw sb dec 23B85__iPhone17,3/kernelcache.release.iphone17 baseline | grep autobox | grep -v profile-flag
```
Or minimal reproducers:
(autobox device*) turns into (allow device*):
```console
$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(autobox device*)
EOF
cat > degr.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(allow device*)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
4c278c2c5ded6eb7525c7092e76bbd79d401585a  orig/profile.bin
5f4cb917787bfc1d77375e863d4408c9239e6464  degr/profile.bin
5f4cb917787bfc1d77375e863d4408c9239e6464  rt/profile.bin
```
(autobox device* (with restrictive-default)) turns into (deny default)
```console
$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(autobox device* (with restrictive-default))
EOF
cat > degr.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
10fd38c3157271ea243b4df12776b0019edb5b1c  orig/profile.bin
3290f9f615a6b3da4a8e69ad3601660d45f3d1c0  degr/profile.bin
3290f9f615a6b3da4a8e69ad3601660d45f3d1c0  rt/profile.bin
```
Below, (delegate device*) is dropped.
```console
$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(delegate device*)
EOF
cat > degr.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
c1b7aeddba30bb6dfca86d294792e61d6a46b0c4  orig/profile.bin
3290f9f615a6b3da4a8e69ad3601660d45f3d1c0  degr/profile.bin
3290f9f615a6b3da4a8e69ad3601660d45f3d1c0  rt/profile.bin
```
Or decompile e.g. healthd on 23B85: `ipsw download ipsw --device iPhone17,3 --build 23B85 --kernel --confirm && ipsw sb dec 23B85__iPhone17,3/kernelcache.release.iphone17 healthd | grep delegate`. Although for healthd `;; (default) inherited from parent profile "baseline"` is printed.
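As an added illustration (not part of the issue or of ipsw itself): a small Python reader for top-level SBPL action terminals that diffs a profile against its decompiled form and flags exactly the degradations reported above, an `autobox` terminal rewritten as `allow`, an `autobox ... (with restrictive-default)` terminal or a `delegate` terminal dropped. It assumes simple rules of the shape `(action operation ... (with modifier ...))` and ignores filters; the sample profiles are constructed to mirror the reproducers.

```python
import re

# Action keywords whose terminals we track; everything else (version, extends) is skipped.
ACTIONS = {"allow", "deny", "autobox", "delegate"}

def parse_sexp(text):
    """Parse SBPL into nested Python lists of token strings; ';' comments are dropped."""
    tokens = re.findall(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()]+', text)
    stack = [[]]
    for tok in tokens:
        if tok.startswith(";"):
            continue                      # e.g. ';; (default) inherited from parent profile'
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]

def terminals(text):
    """Return {operation: (action, modifiers)} for each top-level action rule.

    (with ...) forms are kept as tuples so that 'autobox' with and without
    restrictive-default compare as different terminals."""
    rules = {}
    for form in parse_sexp(text):
        if not isinstance(form, list) or not form or form[0] not in ACTIONS:
            continue
        action, ops, mods = form[0], [], []
        for item in form[1:]:
            if isinstance(item, list) and item and item[0] == "with":
                mods.append(tuple(item[1:]))
            elif isinstance(item, str):
                ops.append(item)
        for op in ops:
            rules[op] = (action, tuple(mods))
    return rules

def diff_terminals(original, decompiled):
    """List (operation, original terminal, decompiled terminal) for every mismatch.
    None on the right means the decompiler dropped the terminal entirely."""
    orig, dec = terminals(original), terminals(decompiled)
    return [(op, orig[op], dec.get(op)) for op in orig if dec.get(op) != orig[op]]

# Constructed samples: the input profile and what a degraded decompile of it looks like.
ORIGINAL_SB = '(version 1)\n(extends "foo")\n(deny default)\n(autobox device*)\n(delegate file-read*)\n'
DECOMPILED_SB = '(version 1)\n(extends "foo")\n;; (default) inherited from parent\n(deny default)\n(allow device*)\n'

if __name__ == "__main__":
    for op, before, after in diff_terminals(ORIGINAL_SB, DECOMPILED_SB):
        print(f"{op}: {before} -> {after}")
```

Run against `orig.sb` and `orig.dec.sb` from the reproducers, a non-empty diff confirms the round trip lost information before any hashes are compared.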
ipsw version
Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10
AI assistance
Claude Code helped in Sandbox.kext reversing, double-checking results, and assembling the bash command listings above from my pocs.
Additional context
No response