1 ;; OriginatingProject: ipsec
;; Sandbox profile (SBPL) for racoon, the IKE daemon of the ipsec project.
;; The profile is an allowlist: every (allow ...) form below is an exception
;; to the default-deny rule, so each one should be as narrow as the daemon permits.
2 (version 1)
;; Default-deny posture for every operation not explicitly allowed further down.
3 (deny default)
;; No filters on this rule: any system socket may be created and any sysctl may be
;; read or written.
;; NOTE(review): sysctl-write carries no name filter, so it is not limited to the
;; tunables racoon needs; the system socket is presumably for PF_KEY traffic to the
;; kernel SA database -- confirm against the daemon's usage and narrow both if possible.
4 (allow system-socket sysctl-read sysctl-write)
5
;; Every POSIX IPC operation (ipc-posix* covers e.g. shared memory and semaphores),
;; but only on the object named after securityd.
6 (allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
;; POSIX shared memory restricted to the notification-center segment and the
;; database-changed signal; no other shm names are reachable from this profile.
7 (allow ipc-posix-shm
8 (ipc-posix-name "apple.shm.notification_center")
9 (ipc-posix-name "com.apple.AppleDatabaseChanged"))
10
;; Read (plus ioctl) access to racoon's configuration and runtime state; this rule
;; grants no write operations.
;; NOTE(review): master.passwd is the shadow password database (credential hashes);
;; read access to it is sensitive and presumably serves local user authentication --
;; confirm it is still required. /private/etc/racoon is the configuration directory,
;; which commonly holds pre-shared secrets, so keeping it read-only is the right posture.
;; subpath presumably also matches the path itself, which is why it works on the plain
;; file master.passwd -- confirm; literal matches exactly the given path.
11 (allow file-read* file-ioctl
12 (subpath "/private/etc/master.passwd")
13 (subpath "/private/var/run/racoon")
14 (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
15 (subpath "/private/etc/racoon"))
16
;; Read-only access to managed/system preferences, root's home directory and the
;; Security framework message catalog.
;; NOTE(review): the backslash in "/Library/Managed\ Preferences" is not needed inside
;; a quoted string; presumably the reader drops it and the path still matches -- confirm,
;; because a filter that never matches denies silently instead of erroring.
;; NOTE(review): (subpath "/private/var/root") exposes root's entire home directory,
;; which is far wider than any racoon-specific file -- confirm what is actually read
;; there and narrow to literal paths if possible.
17 (allow file-read*
18 (subpath "/Library/Managed\ Preferences")
19 (subpath "/Library/Preferences")
20 (subpath "/private/var/root")
21 (literal "/private/var/db/mds/messages/se_SecurityMessages"))
22
;; Write access is confined by this rule to exactly two paths: the control socket
;; and the pid file. Both are literal matches, so nothing else under
;; /private/var/run becomes writable here.
23 (allow file-write*
24 (literal "/private/var/run/racoon.sock")
25 (literal "/private/var/run/racoon.pid"))
26
;; Full file access (file* includes read, write, create and unlink) to the daemon's
;; log file. Both spellings are listed, presumably because /var is a symlink to
;; /private/var and either form may be presented to the kernel -- confirm.
27 (allow file*
28 (literal "/var/log/racoon.log")
29 (literal "/private/var/log/racoon.log"))
30
;; The only IOKit user client that may be opened is RootDomainUserClient (the
;; power-management root domain), presumably for sleep/wake notifications -- confirm.
;; No other IOKit class is reachable from this profile.
31 (allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
32
;; Outbound connections to unix-domain sockets under launchd's socket directory.
33 (allow network-outbound (subpath "/private/var/tmp/launchd"))
;; All network operations (bind, inbound, outbound) for UDP 500 (IKE) and UDP 4500
;; (IKE NAT-traversal / UDP-encapsulated ESP) on any local address, to any remote
;; UDP peer, plus the daemon's unix-domain control socket.
;; NOTE(review): (remote udp "*:*") is unbounded by design, since IKE peers are not
;; known in advance; the listeners on 500/4500 are therefore the externally reachable
;; attack surface, and peer restrictions have to come from the daemon's own
;; configuration rather than from this profile.
34 (allow network*
35 (local udp "*:500" "*:4500")
36 (remote udp "*:*")
37 (literal "/private/var/run/racoon.sock"))
38
;; Full file access to the system keychain and to the MDS (Security framework
;; metadata) database, lock and directory files.
;; NOTE(review): file* on System.keychain includes write and unlink, so a compromised
;; racoon could alter or destroy the system certificate/key store. If the daemon only
;; needs to read IKE certificates, file-read* on the keychain would be tighter --
;; confirm against actual usage (the MDS files plausibly do need write access for
;; cache and lock updates).
39 (allow file*
40 (literal "/Library/Keychains/System.keychain")
41 (literal "/private/var/db/mds/system/mdsObject.db")
42 (literal "/private/var/db/mds/system/mds.lock")
43 (literal "/private/var/db/mds/system/mdsDirectory.db"))
44
;; Mach services racoon may look up: securityd's SecurityServer port and ocspd,
;; presumably for OCSP revocation checks on certificates used during IKE
;; authentication -- confirm.
45 (allow mach-lookup
46 (global-name "com.apple.SecurityServer")
47 (global-name "com.apple.ocspd"))
48
49 ;;;;;; Common system sandbox rules
50 ;;;;;;
51 ;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
52 ;;;;;;
53 ;;;;;; WARNING: The sandbox rules in this file currently constitute
54 ;;;;;; Apple System Private Interface and are subject to change at any time and
55 ;;;;;; without notice. The contents of this file are also auto-generated and
56 ;;;;;; not user editable; it may be overwritten at any time.
57
58 ;;; Allow read access to standard system paths.
59
;; Only world-readable files (file-mode #o0004 is the "others may read" bit) under
;; the listed system trees. require-all means the mode test AND one of the subpaths
;; must both match, so a root-only file under /System stays unreadable.
60 (allow file-read*
61 (require-all (file-mode #o0004)
62 (require-any (subpath "/System")
63 (subpath "/usr/lib")
64 (subpath "/usr/sbin")
65 (subpath "/usr/share"))))
66
;; Metadata (stat-style) reads only on these three top-level entries, presumably so
;; the /etc, /tmp and /var symlinks can be resolved without granting reads of their
;; contents -- confirm. Content access still has to be allowed elsewhere.
67 (allow file-read-metadata
68 (literal "/etc")
69 (literal "/tmp")
70 (literal "/var"))
71
72 ;;; Allow access to standard special files.
73
;; Read-only access to the local timezone file and the kernel random devices.
;; This rule grants reads only, so the entropy devices cannot be written to from
;; this profile.
74 (allow file-read*
75 (literal "/private/var/db/timezone/localtime")
76 (literal "/dev/random")
77 (literal "/dev/urandom"))
78
;; Read and data-write on the null and zero devices; file-write-data (not file-write*)
;; means no create/unlink/ioctl is granted here.
79 (allow file-read*
80 file-write-data
81 (literal "/dev/null")
82 (literal "/dev/zero"))
83
;; Read, data-write and ioctl on the crypto device nodes (presumably hardware AES /
;; SHA-1 offload, judging by the names -- confirm) and on the DTrace helper device.
;; ioctl is needed for these device nodes and is granted only here and in the racoon
;; configuration rule above.
84 (allow file-read*
85 file-write-data
86 file-ioctl
87 (literal "/dev/aes_0")
88 (literal "/dev/sha1_0")
89 (literal "/dev/dtracehelper"))
90
;; Outbound connections to the ASL and syslog unix-domain sockets so the daemon can
;; deliver log messages to syslogd.
91 (allow network-outbound
92 (literal "/private/var/run/asl_input")
93 (literal "/private/var/run/syslog"))
94
95 ;;; Allow IPC to standard system agents.
96
;; Mach services common to system daemons: securityd, the BSD directory helper,
;; user/group lookups through DirectoryService (libinfo and membership), the system
;; logger and the notification center. Only these global names may be looked up by
;; this rule.
97 (allow mach-lookup
98 (global-name "com.apple.securityd")
99 (global-name "com.apple.bsd.dirhelper")
100 (global-name "com.apple.system.DirectoryService.libinfo_v1")
101 (global-name "com.apple.system.DirectoryService.membership_v1")
102 (global-name "com.apple.system.logger")
103 (global-name "com.apple.system.notification_center"))