sb dec drops a (deny X) when X is allowed by sbpl1.scm

[retsl]

What happened?

When decompiling the compiled profile blob of the profile below, ipsw drops the explicit (deny file-link) deny:

(version 1)
(deny default)
(deny file-link)

That deny is not redundant because the version 1 preamble contains (allow file-link):

$ head -n 5 _sbpl1_scm
(allow consume-extension)
(allow darwin-notification-post)
(allow dynamic-code-generation)
(allow file-clone)
(allow file-link)

How can we reproduce this?

$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(deny file-link)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep deny'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
fb561834a8c173800125331c125d10e4d9215fe0  orig/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  degr/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  rt/profile.bin
(deny default)
(deny mach-lookup

ipsw version

Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10

Search

• I did search for other open and closed issues before opening this

AI assistance

Claude Code helped with creating code for roundtrip testing ipsw which identified this issue.

Code of Conduct

• I agree to follow this project's Code of Conduct

AI Policy

• I understand and agree to follow this project's AI Usage Policy

Additional context

No response

[blacktop]

Should be fixed in latest release; please test and let me know AND thank you so much for reporting. Please keep these coming ❤️

[retsl]

Hey, nice! :)
I just had codex write up a script to run through all the ops allowed in the 23B85 sbpl1.scm and it found that it still applies to syscall-mig and syscall-unix, which I then confirmed manually:

bash -c 'export IPSW=ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(deny syscall-mig)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep mig -A 5
$IPSW version'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
76ac49ebdef8a2d504694b685edd156dc8cf1042  orig/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  degr/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  rt/profile.bin
(allow syscall-mig
        (kernel-mig-routine
                mach_exception_raise
                mach_exception_raise_state
                mach_exception_raise_state_identity)
)

Version: 3.1.697, BuildCommit: 0418c424f9dc6c4bb8f821dfd4c45eaf40d95b05

bash -c 'export IPSW=ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(deny syscall-unix)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep unix -A 10
$IPSW version'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
770dbe3a65137204e624af89a6635af230f0822f  orig/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  degr/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  rt/profile.bin
(allow syscall-unix
        (syscall-number
                SYS_exit
                SYS_link
                SYS_getpid
                SYS_getuid
                SYS_kill
                SYS_getgid
                SYS_ioctl
                SYS_umask
                SYS_quotactl
Version: 3.1.697, BuildCommit: 0418c424f9dc6c4bb8f821dfd4c45eaf40d95b05

Edit: Sorry, I didn't pay enough attention, this is a different but related issue, as these are explicit allow rules instead of deny omissions. It's also present in Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10:

bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(deny syscall-mig)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep mig -A 5
$IPSW version'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
76ac49ebdef8a2d504694b685edd156dc8cf1042  orig/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  degr/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  rt/profile.bin
(allow syscall-mig
        (kernel-mig-routine
                mach_exception_raise
                mach_exception_raise_state
                mach_exception_raise_state_identity)
)

Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10

bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(deny syscall-unix)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep unix -A 10
$IPSW version'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
770dbe3a65137204e624af89a6635af230f0822f  orig/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  degr/profile.bin
eea4d9ed24c8a63dda117c0fdffa578c65909b9e  rt/profile.bin
(allow syscall-unix
        (syscall-number
                SYS_exit
                SYS_link
                SYS_getpid
                SYS_getuid
                SYS_kill
                SYS_getgid
                SYS_ioctl
                SYS_umask
                SYS_quotactl
Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10

Should I open a new issue?

[blacktop]

https://github.com/blacktop/ipsw/releases/tag/v3.1.697

[blacktop]

That's the version with the fix

[retsl]

Yes, I ran it with syscall-mig and syscall-unix on 3.1.697 (first two code blocks) and then again with 3.1.696 (last two code blocks) to find out whether it's a new or old issue. I printed ipsw version at the end of each code block.

[blacktop]

ah I see; let me check it out

[blacktop]

can you try again with https://github.com/blacktop/ipsw/releases/tag/v3.1.698 please