racoon.sb

   1 ;; OriginatingProject: ipsec
   2 (version 1)
   3 (deny default)
   4
   5 (import "system.sb")
   6
   7 (allow system-socket sysctl-read sysctl-write)
   8
   9 (allow system-info (info-type "net.link.addr"))
  10
  11 (allow file-read*)
  12
  13 (allow file-write*)
  14
  15 (allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
  16
  17 (allow ipc-posix-shm
  18         (ipc-posix-name "apple.shm.notification_center")
  19         (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  20
  21 (allow ipc-posix-shm-read*
  22         (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
  23
  24 (allow iokit-open
  25         (iokit-user-client-class "RootDomainUserClient"))
  26
  27 (allow mach-lookup
  28         (global-name "com.apple.PowerManagement.control")
  29         (global-name "com.apple.SecurityServer")
  30         (global-name "com.apple.SystemConfiguration.configd")
  31         (global-name "com.apple.nehelper")
  32         (global-name "com.apple.securityd.xpc")
  33         (global-name "com.apple.ocspd")
  34         (global-name "com.apple.aggregated")
  35         (global-name "com.apple.cfprefsd.daemon")
  36         (global-name "com.apple.cfprefsd.agent")
  37         (local-name "com.apple.cfprefsd.agent")
  38         (global-name "com.apple.securityd")
  39         (global-name "com.apple.bsd.dirhelper")
  40         (global-name "com.apple.system.logger")
  41         (global-name "com.apple.system.notification_center")
  42         (global-name "com.apple.system.libinfo.muser"))
  43
  44 (allow network*
  45         (local udp "*:500" "*:4500")
  46         (remote udp "*:*"))
  47
  48 (allow network-inbound
  49         (path "/private/var/run/vpncontrol.sock"))
  50
  51 ;;; Allow read access to standard system paths.
  52 (allow network-outbound
  53         (literal "/private/var/run/asl_input")
  54         (literal "/private/var/run/syslog")
  55         (subpath "/private/var/tmp/launchd"))
  56
  57 (allow sysctl-write
  58         (sysctl-name "kern.ipc.maxsockbuf")
  59         (sysctl-name "net.inet.ipsec.esp_port"))
  60
  61 ;;; Allow racoon to check entitlements
  62 (allow iokit-open
  63         (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))