(allow system-info (info-type "net.link.addr"))
-(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
-(allow ipc-posix-shm
- (ipc-posix-name "apple.shm.notification_center")
- (ipc-posix-name "com.apple.AppleDatabaseChanged"))
-
-(allow file-read* file-ioctl
- (subpath "/private/etc/master.passwd")
- (subpath "/private/var/run/racoon")
- (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
- (subpath "/private/etc/racoon"))
+(allow file-read*)
-(allow file-read*
- (subpath "/Library/Managed\ Preferences")
- (subpath "/Library/Preferences")
- (subpath "/private/var/root")
- (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+(allow file-write*)
-(allow file-write*
- (literal "/private/var/run/racoon.sock")
- (literal "/private/var/run/racoon.pid"))
-
-(allow file*
- (literal "/var/log/racoon.log")
- (literal "/private/var/log/racoon.log"))
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
-(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+(allow ipc-posix-shm
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
-(allow network-outbound (subpath "/private/var/tmp/launchd"))
-(allow network*
- (local udp "*:500" "*:4500")
- (remote udp "*:*")
- (literal "/private/var/run/racoon.sock"))
+(allow ipc-posix-shm-read*
+ (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
-(allow file*
- (literal "/Library/Keychains/System.keychain")
- (literal "/private/var/db/mds/system/mdsObject.db")
- (literal "/private/var/db/mds/system/mds.lock")
- (literal "/private/var/db/mds/system/mdsDirectory.db"))
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient"))
(allow mach-lookup
- (global-name "com.apple.SecurityServer")
- (global-name "com.apple.SystemConfiguration.configd")
- (global-name "com.apple.ocspd"))
-
-;;;;;; Common system sandbox rules
-;;;;;;
-;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
-;;;;;;
-;;;;;; WARNING: The sandbox rules in this file currently constitute
-;;;;;; Apple System Private Interface and are subject to change at any time and
-;;;;;; without notice. The contents of this file are also auto-generated and
-;;;;;; not user editable; it may be overwritten at any time.
-
-;;; Allow read access to standard system paths.
-
-(allow file-read*
- (require-all (file-mode #o0004)
- (require-any (subpath "/System")
- (subpath "/usr/lib")
- (subpath "/usr/sbin")
- (subpath "/usr/share"))))
-
-(allow file-read-metadata
- (literal "/etc")
- (literal "/tmp")
- (literal "/var"))
-
-;;; Allow access to standard special files.
-
-(allow file-read*
- (subpath "/usr/share")
- (subpath "/private/var/db/timezone")
- (literal "/dev/random")
- (literal "/dev/urandom"))
+ (global-name "com.apple.PowerManagement.control")
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.nehelper")
+ (global-name "com.apple.securityd.xpc")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.aggregated")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.cfprefsd.agent")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.bsd.dirhelper")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.libinfo.muser"))
-(allow file-read*
- file-write-data
- (literal "/dev/null")
- (literal "/dev/zero"))
+(allow network*
+ (local udp "*:500" "*:4500")
+ (remote udp "*:*"))
-(allow file-read*
- file-write-data
- file-ioctl
- (literal "/dev/aes_0")
- (literal "/dev/sha1_0")
- (literal "/dev/dtracehelper"))
+(allow network-inbound
+ (path "/private/var/run/vpncontrol.sock"))
+;;; Allow read access to standard system paths.
(allow network-outbound
- (literal "/private/var/run/asl_input")
- (literal "/private/var/run/syslog"))
+ (literal "/private/var/run/asl_input")
+ (literal "/private/var/run/syslog")
+ (subpath "/private/var/tmp/launchd"))
-;;; Allow IPC to standard system agents.
-
-(allow mach-lookup
- (global-name "com.apple.securityd")
- (global-name "com.apple.bsd.dirhelper")
- (global-name "com.apple.system.logger")
- (global-name "com.apple.system.notification_center"))
-
-;;; Allow creating an ipsec interface
- (allow network-outbound
- (control-name "com.apple.net.ipsec_control"))
+(allow sysctl-write
+ (sysctl-name "kern.ipc.maxsockbuf")
+ (sysctl-name "net.inet.ipsec.esp_port"))
;;; Allow racoon to check entitlements
- (allow iokit-open
- (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
+(allow iokit-open
+ (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
\ No newline at end of file