[apple/ipsec.git] / racoon.sb

;; OriginatingProject: ipsec
(version 1)
(deny default)

(import "system.sb")

(allow system-socket sysctl-read sysctl-write)

(allow system-info (info-type "net.link.addr"))

(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
(allow ipc-posix-shm
    (ipc-posix-name "apple.shm.notification_center")
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow file-read* file-ioctl
    (subpath "/private/etc/master.passwd")
    (subpath "/private/var/run/racoon")
    (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
    (subpath "/private/etc/racoon"))

(allow file-read*
    (subpath "/Library/Managed\ Preferences")
    (subpath "/Library/Preferences")
    (subpath "/private/var/root")
    (literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist")
    (literal "/private/var/db/mds/messages/se_SecurityMessages")
    (literal "/private/var/db/icu"))

(allow file-write*
    (literal "/private/var/run/racoon.sock")
    (literal "/private/var/run/racoon.pid"))

(allow file*
    (literal "/var/log/racoon.log")
    (literal "/private/var/log/racoon.log"))

(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

(allow network-outbound (subpath "/private/var/tmp/launchd"))
(allow network*
    (local udp "*:500" "*:4500")
    (remote udp "*:*")
    (literal "/private/var/run/racoon.sock"))

(allow file*
    (literal "/Library/Keychains/System.keychain")
    (literal "/private/var/db/mds/system/mdsObject.db")
    (literal "/private/var/db/mds/system/mds.lock")
    (literal "/private/var/db/mds/system/mdsDirectory.db"))

(allow mach-lookup
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.commcenter.xpc")
    (global-name "com.apple.aggregated")
    (global-name "com.apple.cfprefsd.daemon")
    (global-name "com.apple.cfprefsd.agent")
    (local-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.nehelper"))
	
(allow ipc-posix-shm-read*
    (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))

;;;;;; Common system sandbox rules
;;;;;;
;;;;;; Copyright (c) 2008-2010 Apple Inc.  All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.

;;; Allow read access to standard system paths.

(allow file-read*
       (require-all (file-mode #o0004)
                    (require-any (subpath "/System")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/sbin")
                                 (subpath "/usr/share"))))

(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var"))

;;; Allow access to standard special files.

(allow file-read*
       (subpath "/usr/share")
       (subpath "/private/var/db/timezone")
       (literal "/dev/random")
       (literal "/dev/urandom"))

(allow file-read*
       file-write-data
       (literal "/dev/null")
       (literal "/dev/zero"))

(allow file-read*
       file-write-data
       file-ioctl
       (literal "/dev/aes_0")
       (literal "/dev/sha1_0")
       (literal "/dev/dtracehelper"))

(allow network-outbound
       (literal "/private/var/run/asl_input")
       (literal "/private/var/run/syslog"))

;;; Allow IPC to standard system agents.

(allow mach-lookup
       (global-name "com.apple.securityd")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))
       
;;; Allow creating an ipsec interface
       (allow network-outbound
       (control-name "com.apple.net.ipsec_control"))

;;; Allow racoon to check entitlements
       (allow iokit-open
       (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
Commit	Line	Data
e8d9021d A	1	;; OriginatingProject: ipsec
	2	(version 1)
	3	(deny default)
85f41bec A	4
	5	(import "system.sb")
	6
e8d9021d A	7	(allow system-socket sysctl-read sysctl-write)
e8d9021d A	8
65c25746 A	9	(allow system-info (info-type "net.link.addr"))
65c25746 A	10
e8d9021d A	11	(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
	12	(allow ipc-posix-shm
	13	(ipc-posix-name "apple.shm.notification_center")
	14	(ipc-posix-name "com.apple.AppleDatabaseChanged"))
	15
	16	(allow file-read* file-ioctl
	17	(subpath "/private/etc/master.passwd")
	18	(subpath "/private/var/run/racoon")
	19	(literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
	20	(subpath "/private/etc/racoon"))
	21
	22	(allow file-read*
	23	(subpath "/Library/Managed\ Preferences")
	24	(subpath "/Library/Preferences")
	25	(subpath "/private/var/root")
d9c572c0 A	26	(literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist")
	27	(literal "/private/var/db/mds/messages/se_SecurityMessages")
	28	(literal "/private/var/db/icu"))
e8d9021d A	29
	30	(allow file-write*
	31	(literal "/private/var/run/racoon.sock")
	32	(literal "/private/var/run/racoon.pid"))
	33
	34	(allow file*
	35	(literal "/var/log/racoon.log")
	36	(literal "/private/var/log/racoon.log"))
	37
	38	(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
	39
	40	(allow network-outbound (subpath "/private/var/tmp/launchd"))
	41	(allow network*
	42	(local udp ":500" ":4500")
	43	(remote udp ":")
	44	(literal "/private/var/run/racoon.sock"))
	45
	46	(allow file*
	47	(literal "/Library/Keychains/System.keychain")
	48	(literal "/private/var/db/mds/system/mdsObject.db")
	49	(literal "/private/var/db/mds/system/mds.lock")
	50	(literal "/private/var/db/mds/system/mdsDirectory.db"))
	51
	52	(allow mach-lookup
	53	(global-name "com.apple.SecurityServer")
65c25746	54	(global-name "com.apple.SystemConfiguration.configd")
d9c572c0 A	55	(global-name "com.apple.ocspd")
	56	(global-name "com.apple.commcenter.xpc")
	57	(global-name "com.apple.aggregated")
	58	(global-name "com.apple.cfprefsd.daemon")
	59	(global-name "com.apple.cfprefsd.agent")
	60	(local-name "com.apple.cfprefsd.agent")
	61	(global-name "com.apple.nehelper"))
	62
	63	(allow ipc-posix-shm-read*
	64	(ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
e8d9021d A	65
	66	;;;;;; Common system sandbox rules
	67	;;;;;;
	68	;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
	69	;;;;;;
	70	;;;;;; WARNING: The sandbox rules in this file currently constitute
	71	;;;;;; Apple System Private Interface and are subject to change at any time and
	72	;;;;;; without notice. The contents of this file are also auto-generated and
	73	;;;;;; not user editable; it may be overwritten at any time.
	74
	75	;;; Allow read access to standard system paths.
	76
	77	(allow file-read*
	78	(require-all (file-mode #o0004)
	79	(require-any (subpath "/System")
	80	(subpath "/usr/lib")
	81	(subpath "/usr/sbin")
	82	(subpath "/usr/share"))))
	83
	84	(allow file-read-metadata
	85	(literal "/etc")
	86	(literal "/tmp")
	87	(literal "/var"))
	88
	89	;;; Allow access to standard special files.
	90
	91	(allow file-read*
65c25746 A	92	(subpath "/usr/share")
65c25746 A	93	(subpath "/private/var/db/timezone")
e8d9021d A	94	(literal "/dev/random")
	95	(literal "/dev/urandom"))
	96
	97	(allow file-read*
	98	file-write-data
	99	(literal "/dev/null")
	100	(literal "/dev/zero"))
	101
	102	(allow file-read*
	103	file-write-data
	104	file-ioctl
	105	(literal "/dev/aes_0")
	106	(literal "/dev/sha1_0")
	107	(literal "/dev/dtracehelper"))
	108
	109	(allow network-outbound
	110	(literal "/private/var/run/asl_input")
	111	(literal "/private/var/run/syslog"))
	112
	113	;;; Allow IPC to standard system agents.
	114
	115	(allow mach-lookup
	116	(global-name "com.apple.securityd")
	117	(global-name "com.apple.bsd.dirhelper")
e8d9021d A	118	(global-name "com.apple.system.logger")
e8d9021d A	119	(global-name "com.apple.system.notification_center"))
65c25746 A	120
	121	;;; Allow creating an ipsec interface
	122	(allow network-outbound
	123	(control-name "com.apple.net.ipsec_control"))
	124
	125	;;; Allow racoon to check entitlements
	126	(allow iokit-open
	127	(iokit-user-client-class "AppleMobileFileIntegrityUserClient"))