ipsec-332.tar.gz

[apple/ipsec.git] / racoon.sb

diff --git a/racoon.sb b/racoon.sb
index 8aefd9cb9f8bed66c2a49cb061f873d140dd5690..34e24592def1cb2fe7e394706138a234f0b35578 100644 (file)
--- a/racoon.sb
+++ b/racoon.sb
@@ -8,109 +8,56 @@
 
 (allow system-info (info-type "net.link.addr"))
 
 
 (allow system-info (info-type "net.link.addr"))
 

-(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
-(allow ipc-posix-shm
-    (ipc-posix-name "apple.shm.notification_center")
-    (ipc-posix-name "com.apple.AppleDatabaseChanged"))
-
-(allow file-read* file-ioctl
-    (subpath "/private/etc/master.passwd")
-    (subpath "/private/var/run/racoon")
-    (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
-    (subpath "/private/etc/racoon"))
+(allow file-read*)

 
 

-(allow file-read*
-    (subpath "/Library/Managed\ Preferences")
-    (subpath "/Library/Preferences")
-    (subpath "/private/var/root")
-    (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+(allow file-write*)

 
 

-(allow file-write*
-    (literal "/private/var/run/racoon.sock")
-    (literal "/private/var/run/racoon.pid"))
-
-(allow file*
-    (literal "/var/log/racoon.log")
-    (literal "/private/var/log/racoon.log"))
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))

 
 

-(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+(allow ipc-posix-shm
+       (ipc-posix-name "apple.shm.notification_center")
+       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

 
 

-(allow network-outbound (subpath "/private/var/tmp/launchd"))
-(allow network*
-    (local udp "*:500" "*:4500")
-    (remote udp "*:*")
-    (literal "/private/var/run/racoon.sock"))
+(allow ipc-posix-shm-read*
+       (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))

 
 

-(allow file*
-    (literal "/Library/Keychains/System.keychain")
-    (literal "/private/var/db/mds/system/mdsObject.db")
-    (literal "/private/var/db/mds/system/mds.lock")
-    (literal "/private/var/db/mds/system/mdsDirectory.db"))
+(allow iokit-open
+       (iokit-user-client-class "RootDomainUserClient"))

 
 (allow mach-lookup
 
 (allow mach-lookup

-    (global-name "com.apple.SecurityServer")
-    (global-name "com.apple.SystemConfiguration.configd")
-    (global-name "com.apple.ocspd"))
-
-;;;;;; Common system sandbox rules
-;;;;;;
-;;;;;; Copyright (c) 2008-2010 Apple Inc.  All Rights reserved.
-;;;;;;
-;;;;;; WARNING: The sandbox rules in this file currently constitute
-;;;;;; Apple System Private Interface and are subject to change at any time and
-;;;;;; without notice. The contents of this file are also auto-generated and
-;;;;;; not user editable; it may be overwritten at any time.
-
-;;; Allow read access to standard system paths.
-
-(allow file-read*
-       (require-all (file-mode #o0004)
-                    (require-any (subpath "/System")
-                                 (subpath "/usr/lib")
-                                 (subpath "/usr/sbin")
-                                 (subpath "/usr/share"))))
-
-(allow file-read-metadata
-       (literal "/etc")
-       (literal "/tmp")
-       (literal "/var"))
-
-;;; Allow access to standard special files.
-
-(allow file-read*
-       (subpath "/usr/share")
-       (subpath "/private/var/db/timezone")
-       (literal "/dev/random")
-       (literal "/dev/urandom"))
+       (global-name "com.apple.PowerManagement.control")
+       (global-name "com.apple.SecurityServer")
+       (global-name "com.apple.SystemConfiguration.configd")
+       (global-name "com.apple.nehelper")
+       (global-name "com.apple.securityd.xpc")
+       (global-name "com.apple.ocspd")
+       (global-name "com.apple.aggregated")
+       (global-name "com.apple.cfprefsd.daemon")
+       (global-name "com.apple.cfprefsd.agent")
+       (local-name "com.apple.cfprefsd.agent")
+       (global-name "com.apple.securityd")
+       (global-name "com.apple.bsd.dirhelper")
+       (global-name "com.apple.system.logger")
+       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.system.libinfo.muser"))

 
 

-(allow file-read*
-       file-write-data
-       (literal "/dev/null")
-       (literal "/dev/zero"))
+(allow network*
+       (local udp "*:500" "*:4500")
+       (remote udp "*:*"))

 
 

-(allow file-read*
-       file-write-data
-       file-ioctl
-       (literal "/dev/aes_0")
-       (literal "/dev/sha1_0")
-       (literal "/dev/dtracehelper"))
+(allow network-inbound
+       (path "/private/var/run/vpncontrol.sock"))

 
 

+;;; Allow read access to standard system paths.

 (allow network-outbound
 (allow network-outbound

-       (literal "/private/var/run/asl_input")
-       (literal "/private/var/run/syslog"))
+       (literal "/private/var/run/asl_input")
+       (literal "/private/var/run/syslog")
+       (subpath "/private/var/tmp/launchd"))

 
 

-;;; Allow IPC to standard system agents.
-
-(allow mach-lookup
-       (global-name "com.apple.securityd")
-       (global-name "com.apple.bsd.dirhelper")
-       (global-name "com.apple.system.logger")
-       (global-name "com.apple.system.notification_center"))
-       
-;;; Allow creating an ipsec interface
-       (allow network-outbound
-       (control-name "com.apple.net.ipsec_control"))
+(allow sysctl-write
+       (sysctl-name "kern.ipc.maxsockbuf")
+       (sysctl-name "net.inet.ipsec.esp_port"))

 
 ;;; Allow racoon to check entitlements
 
 ;;; Allow racoon to check entitlements

-       (allow iokit-open
-       (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
+(allow iokit-open
+       (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
\ No newline at end of file