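;; OriginatingProject: ipsec
;; Sandbox profile (SBPL) for racoon, the IKE daemon.  Everything is denied
;; unless a rule below allows it, on top of the shared "system.sb" base.
(version 1)
(deny default)

(import "system.sb")

;; NOTE(review): sysctl-write is granted here with no name filter, so the
;; name-scoped sysctl-write rule near the end of this profile adds nothing.
;; Narrowing this line to the two names listed there would make that rule
;; effective -- confirm racoon writes no other sysctls before doing so.
(allow system-socket sysctl-read sysctl-write)

(allow system-info (info-type "net.link.addr"))

;; NOTE(review): unfiltered read and write access to the whole filesystem;
;; the sandbox adds no filesystem restriction beyond ordinary permissions.
(allow file-read*)

(allow file-write*)

(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))

(allow ipc-posix-shm
    (ipc-posix-name "apple.shm.notification_center")
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow ipc-posix-shm-read*
    (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))

(allow iokit-open
    (iokit-user-client-class "RootDomainUserClient"))

;; Mach services racoon may look up: power management, securityd /
;; SecurityServer, configd, cfprefsd, system logging and notifications.
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.nehelper")
    (global-name "com.apple.securityd.xpc")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.aggregated")
    (global-name "com.apple.cfprefsd.daemon")
    (global-name "com.apple.cfprefsd.agent")
    (local-name "com.apple.cfprefsd.agent")
    (global-name "com.apple.securityd")
    (global-name "com.apple.bsd.dirhelper")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.system.notification_center")
    (global-name "com.apple.system.libinfo.muser"))

;; Local UDP listeners on 500 (IKE) and 4500 (NAT-T); outbound UDP to any
;; peer address and port.
(allow network*
    (local udp "*:500" "*:4500")
    (remote udp "*:*"))

;; Accept connections on the vpncontrol Unix-domain socket.
(allow network-inbound
    (path "/private/var/run/vpncontrol.sock"))

;;; Allow outbound connections to the local logging (asl/syslog) and
;;; launchd Unix-domain sockets.
(allow network-outbound
    (literal "/private/var/run/asl_input")
    (literal "/private/var/run/syslog")
    (subpath "/private/var/tmp/launchd"))

;; Already covered by the unfiltered sysctl-write grant above; kept as a
;; record of the sysctl names racoon is expected to write.
(allow sysctl-write
    (sysctl-name "kern.ipc.maxsockbuf")
    (sysctl-name "net.inet.ipsec.esp_port"))

;;; Allow racoon to check entitlements
(allow iokit-open
    (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))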