sb dec adds mach-lookup deny camera rule #1260

Description

@retsl

What happened?

The profile

(version 1)
(deny default)
(allow mach-lookup)

contains the following mach-lookup rules after compiling and decompiling:

(deny mach-lookup
        (global-name "com.apple.webkit.camera")
)
(allow mach-lookup)

How can we reproduce this?

bash -c 'export IPSW=ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(deny default)
(allow mach-lookup)
EOF
cat > degr.sb <<"EOF"
(version 1)
(deny default)
(deny mach-lookup (global-name "com.apple.webkit.camera"))
(allow mach-lookup)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep mach-lookup -A 3
$IPSW version'
   • Compiling profile to orig/profile.bin
   • Compiling profile to degr/profile.bin
   • Parsing sandbox profile data
   • Compiling profile to rt/profile.bin
b975354fce3d0505284d01ce3361a63c27404809  orig/profile.bin
5515f7ad9986bcc0660ac6eaae6db34d7fa0d524  degr/profile.bin
5515f7ad9986bcc0660ac6eaae6db34d7fa0d524  rt/profile.bin
(deny mach-lookup
(allow mach-lookup)
Version: 3.1.697, BuildCommit: 0418c424f9dc6c4bb8f821dfd4c45eaf40d95b05

ipsw version

Version: 3.1.697, BuildCommit: 0418c424f9dc6c4bb8f821dfd4c45eaf40d95b05

Search

  • I did search for other open and closed issues before opening this

AI assistance

Codex generated the script to test all action and modifier combinations for issues.

Code of Conduct

  • I agree to follow this project's Code of Conduct

AI Policy

  • I understand and agree to follow this project's AI Usage Policy

Additional context

No response
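A source-level complement to the hash comparison in the report, as an added example that is not part of the original issue or of ipsw: it parses two SBPL texts and lists the top-level rules present in one but not the other. The function names are hypothetical, and the DECOMPILED sample is constructed from the rules quoted in the report.

```python
import re

# String literals, parentheses, or bare atoms.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[()]|[^\s()"]+')

def parse_sbpl(text):
    """Parse SBPL source into a list of top-level forms (nested tuples)."""
    # Naive comment stripping: assumes ';' never appears inside a string.
    text = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    stack, forms = [], []
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            done = tuple(stack.pop())
            (stack[-1] if stack else forms).append(done)
        elif stack:
            stack[-1].append(tok)
        else:
            raise ValueError(f"atom outside a form: {tok}")
    if stack:
        raise ValueError("unclosed '('")
    return forms

def rule_diff(original, decompiled):
    """Return (added, missing): forms only in decompiled / only in original."""
    a, b = parse_sbpl(original), parse_sbpl(decompiled)
    return [f for f in b if f not in a], [f for f in a if f not in b]

# The profile from the report.
ORIG = """(version 1)
(deny default)
(allow mach-lookup)
"""

# Constructed sample: the report's profile plus the rules it quotes
# from the decompiled output (the full decompiled file is not shown there).
DECOMPILED = """(version 1)
(deny default)
(deny mach-lookup
        (global-name "com.apple.webkit.camera")
)
(allow mach-lookup)
"""

if __name__ == "__main__":
    added, missing = rule_diff(ORIG, DECOMPILED)
    print("introduced by round trip:", added)
    print("lost in round trip:", missing)
```

A non-empty first list means the decompiled text contains a rule the input never had, which is the condition this issue reports.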

Labels

bug (Something isn't working)
