projects / apple / ipsec.git / blame
| Commit | Line | Data |
|---|---|---|
| e8d9021d A |
1 | ;; OriginatingProject: ipsec |
| 2 | (version 1) | |
| 3 | (deny default) | |
| 85f41bec A |
4 | |
| 5 | (import "system.sb") | |
| 6 | ||
| e8d9021d A |
7 | (allow system-socket sysctl-read sysctl-write) |
| 8 | ||
| 9 | (allow ipc-posix* (ipc-posix-name "com.apple.securityd")) | |
| 10 | (allow ipc-posix-shm | |
| 11 | (ipc-posix-name "apple.shm.notification_center") | |
| 12 | (ipc-posix-name "com.apple.AppleDatabaseChanged")) | |
| 13 | ||
| 14 | (allow file-read* file-ioctl | |
| 15 | (subpath "/private/etc/master.passwd") | |
| 16 | (subpath "/private/var/run/racoon") | |
| 17 | (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist") | |
| 18 | (subpath "/private/etc/racoon")) | |
| 19 | ||
| 20 | (allow file-read* | |
| 21 | (subpath "/Library/Managed\ Preferences") | |
| 22 | (subpath "/Library/Preferences") | |
| 23 | (subpath "/private/var/root") | |
| 24 | (literal "/private/var/db/mds/messages/se_SecurityMessages")) | |
| 25 | ||
| 26 | (allow file-write* | |
| 27 | (literal "/private/var/run/racoon.sock") | |
| 28 | (literal "/private/var/run/racoon.pid")) | |
| 29 | ||
| 30 | (allow file* | |
| 31 | (literal "/var/log/racoon.log") | |
| 32 | (literal "/private/var/log/racoon.log")) | |
| 33 | ||
| 34 | (allow iokit-open (iokit-user-client-class "RootDomainUserClient")) | |
| 35 | ||
| 36 | (allow network-outbound (subpath "/private/var/tmp/launchd")) | |
| 37 | (allow network* | |
| 38 | (local udp "*:500" "*:4500") | |
| 39 | (remote udp "*:*") | |
| 40 | (literal "/private/var/run/racoon.sock")) | |
| 41 | ||
| 42 | (allow file* | |
| 43 | (literal "/Library/Keychains/System.keychain") | |
| 44 | (literal "/private/var/db/mds/system/mdsObject.db") | |
| 45 | (literal "/private/var/db/mds/system/mds.lock") | |
| 46 | (literal "/private/var/db/mds/system/mdsDirectory.db")) | |
| 47 | ||
| 48 | (allow mach-lookup | |
| 49 | (global-name "com.apple.SecurityServer") | |
| 50 | (global-name "com.apple.ocspd")) | |
| 51 | ||
| 52 | ;;;;;; Common system sandbox rules | |
| 53 | ;;;;;; | |
| 54 | ;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved. | |
| 55 | ;;;;;; | |
| 56 | ;;;;;; WARNING: The sandbox rules in this file currently constitute | |
| 57 | ;;;;;; Apple System Private Interface and are subject to change at any time and | |
| 58 | ;;;;;; without notice. The contents of this file are also auto-generated and | |
| 59 | ;;;;;; not user editable; it may be overwritten at any time. | |
| 60 | ||
| 61 | ;;; Allow read access to standard system paths. | |
| 62 | ||
| 63 | (allow file-read* | |
| 64 | (require-all (file-mode #o0004) | |
| 65 | (require-any (subpath "/System") | |
| 66 | (subpath "/usr/lib") | |
| 67 | (subpath "/usr/sbin") | |
| 68 | (subpath "/usr/share")))) | |
| 69 | ||
| 70 | (allow file-read-metadata | |
| 71 | (literal "/etc") | |
| 72 | (literal "/tmp") | |
| 73 | (literal "/var")) | |
| 74 | ||
| 75 | ;;; Allow access to standard special files. | |
| 76 | ||
| 77 | (allow file-read* | |
| 78 | (literal "/private/var/db/timezone/localtime") | |
| 79 | (literal "/dev/random") | |
| 80 | (literal "/dev/urandom")) | |
| 81 | ||
| 82 | (allow file-read* | |
| 83 | file-write-data | |
| 84 | (literal "/dev/null") | |
| 85 | (literal "/dev/zero")) | |
| 86 | ||
| 87 | (allow file-read* | |
| 88 | file-write-data | |
| 89 | file-ioctl | |
| 90 | (literal "/dev/aes_0") | |
| 91 | (literal "/dev/sha1_0") | |
| 92 | (literal "/dev/dtracehelper")) | |
| 93 | ||
| 94 | (allow network-outbound | |
| 95 | (literal "/private/var/run/asl_input") | |
| 96 | (literal "/private/var/run/syslog")) | |
| 97 | ||
| 98 | ;;; Allow IPC to standard system agents. | |
| 99 | ||
| 100 | (allow mach-lookup | |
| 101 | (global-name "com.apple.securityd") | |
| 102 | (global-name "com.apple.bsd.dirhelper") | |
| e8d9021d A |
103 | (global-name "com.apple.system.logger") |
| 104 | (global-name "com.apple.system.notification_center")) |