projects / apple / ipsec.git / blame
| Commit | Line | Data |
|---|---|---|
| e8d9021d A |
1 | ;; OriginatingProject: ipsec |
| 2 | (version 1) | |
| 3 | (deny default) | |
| 85f41bec A |
4 | |
| 5 | (import "system.sb") | |
| 6 | ||
| e8d9021d A |
7 | (allow system-socket sysctl-read sysctl-write) |
| 8 | ||
| 65c25746 A |
9 | (allow system-info (info-type "net.link.addr")) |
| 10 | ||
| 886926c0 | 11 | (allow file-read*) |
| e8d9021d | 12 | |
| 886926c0 | 13 | (allow file-write*) |
| e8d9021d | 14 | |
| 886926c0 | 15 | (allow ipc-posix* (ipc-posix-name "com.apple.securityd")) |
| e8d9021d | 16 | |
| 886926c0 A |
17 | (allow ipc-posix-shm |
| 18 | (ipc-posix-name "apple.shm.notification_center") | |
| 19 | (ipc-posix-name "com.apple.AppleDatabaseChanged")) | |
| e8d9021d | 20 | |
| d9c572c0 | 21 | (allow ipc-posix-shm-read* |
| 886926c0 | 22 | (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\.")) |
| e8d9021d | 23 | |
| 886926c0 A |
24 | (allow iokit-open |
| 25 | (iokit-user-client-class "RootDomainUserClient")) | |
| e8d9021d | 26 | |
| 886926c0 A |
27 | (allow mach-lookup |
| 28 | (global-name "com.apple.PowerManagement.control") | |
| 29 | (global-name "com.apple.SecurityServer") | |
| 30 | (global-name "com.apple.SystemConfiguration.configd") | |
| 31 | (global-name "com.apple.nehelper") | |
| 32 | (global-name "com.apple.securityd.xpc") | |
| 33 | (global-name "com.apple.ocspd") | |
| 34 | (global-name "com.apple.aggregated") | |
| 35 | (global-name "com.apple.cfprefsd.daemon") | |
| 36 | (global-name "com.apple.cfprefsd.agent") | |
| 37 | (local-name "com.apple.cfprefsd.agent") | |
| 38 | (global-name "com.apple.securityd") | |
| 39 | (global-name "com.apple.bsd.dirhelper") | |
| 40 | (global-name "com.apple.system.logger") | |
| 41 | (global-name "com.apple.system.notification_center") | |
| 42 | (global-name "com.apple.system.libinfo.muser")) | |
| e8d9021d | 43 | |
| 886926c0 A |
44 | (allow network* |
| 45 | (local udp "*:500" "*:4500") | |
| 46 | (remote udp "*:*")) | |
| e8d9021d | 47 | |
| 886926c0 A |
48 | (allow network-inbound |
| 49 | (path "/private/var/run/vpncontrol.sock")) | |
| e8d9021d | 50 | |
| 886926c0 | 51 | ;;; Allow read access to standard system paths. |
| e8d9021d | 52 | (allow network-outbound |
| 886926c0 A |
53 | (literal "/private/var/run/asl_input") |
| 54 | (literal "/private/var/run/syslog") | |
| 55 | (subpath "/private/var/tmp/launchd")) | |
| e8d9021d | 56 | |
| 886926c0 A |
57 | (allow sysctl-write |
| 58 | (sysctl-name "kern.ipc.maxsockbuf") | |
| 59 | (sysctl-name "net.inet.ipsec.esp_port")) | |
| 65c25746 A |
60 | |
| 61 | ;;; Allow racoon to check entitlements | |
| 886926c0 A |
62 | (allow iokit-open |
| 63 | (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) |