diff --git a/racoon.sb b/racoon.sb
new file mode 100644 (file)
index 0000000..88b9a92
--- /dev/null
+++ b/racoon.sb
@@ -0,0 +1,103 @@
+;; OriginatingProject: ipsec
+(version 1)
+(deny default)
+(allow system-socket sysctl-read sysctl-write)
+
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
+(allow ipc-posix-shm
+    (ipc-posix-name "apple.shm.notification_center")
+    (ipc-posix-name "com.apple.AppleDatabaseChanged"))
+
+(allow file-read* file-ioctl
+    (subpath "/private/etc/master.passwd")
+    (subpath "/private/var/run/racoon")
+    (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
+    (subpath "/private/etc/racoon"))
+
+(allow file-read*
+    (subpath "/Library/Managed\ Preferences")
+    (subpath "/Library/Preferences")
+    (subpath "/private/var/root")
+    (literal "/private/var/db/mds/messages/se_SecurityMessages"))
+
+(allow file-write*
+    (literal "/private/var/run/racoon.sock")
+    (literal "/private/var/run/racoon.pid"))
+
+(allow file*
+    (literal "/var/log/racoon.log")
+    (literal "/private/var/log/racoon.log"))
+
+(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
+
+(allow network-outbound (subpath "/private/var/tmp/launchd"))
+(allow network*
+    (local udp "*:500" "*:4500")
+    (remote udp "*:*")
+    (literal "/private/var/run/racoon.sock"))
+
+(allow file*
+    (literal "/Library/Keychains/System.keychain")
+    (literal "/private/var/db/mds/system/mdsObject.db")
+    (literal "/private/var/db/mds/system/mds.lock")
+    (literal "/private/var/db/mds/system/mdsDirectory.db"))
+
+(allow mach-lookup
+    (global-name "com.apple.SecurityServer")
+    (global-name "com.apple.ocspd"))
+
+;;;;;; Common system sandbox rules
+;;;;;;
+;;;;;; Copyright (c) 2008-2010 Apple Inc.  All Rights reserved.
+;;;;;;
+;;;;;; WARNING: The sandbox rules in this file currently constitute
+;;;;;; Apple System Private Interface and are subject to change at any time and
+;;;;;; without notice. The contents of this file are also auto-generated and
+;;;;;; not user editable; it may be overwritten at any time.
+
+;;; Allow read access to standard system paths.
+
+(allow file-read*
+       (require-all (file-mode #o0004)
+                    (require-any (subpath "/System")
+                                 (subpath "/usr/lib")
+                                 (subpath "/usr/sbin")
+                                 (subpath "/usr/share"))))
+
+(allow file-read-metadata
+       (literal "/etc")
+       (literal "/tmp")
+       (literal "/var"))
+
+;;; Allow access to standard special files.
+
+(allow file-read*
+       (literal "/private/var/db/timezone/localtime")
+       (literal "/dev/random")
+       (literal "/dev/urandom"))
+
+(allow file-read*
+       file-write-data
+       (literal "/dev/null")
+       (literal "/dev/zero"))
+
+(allow file-read*
+       file-write-data
+       file-ioctl
+       (literal "/dev/aes_0")
+       (literal "/dev/sha1_0")
+       (literal "/dev/dtracehelper"))
+
+(allow network-outbound
+       (literal "/private/var/run/asl_input")
+       (literal "/private/var/run/syslog"))
+
+;;; Allow IPC to standard system agents.
+
+(allow mach-lookup
+       (global-name "com.apple.securityd")
+       (global-name "com.apple.bsd.dirhelper")
+       (global-name "com.apple.system.DirectoryService.libinfo_v1")
+       (global-name "com.apple.system.DirectoryService.membership_v1")
+       (global-name "com.apple.system.logger")
+       (global-name "com.apple.system.notification_center"))
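Review bot: The `(allow file* ...)` rule covering `/Library/Keychains/System.keychain` and the mds database files grants write and unlink rights on the system keychain to the racoon process, which is the broadest grant in this profile; since mach-lookup to `com.apple.SecurityServer` and `com.apple.securityd` is already allowed, keychain operations are presumably mediated by securityd and `(allow file-read* (literal "/Library/Keychains/System.keychain") ...)` may be sufficient — worth confirming against what the Security framework actually opens directly before narrowing. The same review applies to `(subpath "/private/var/root")` under the `file-read*` rule, which exposes the whole root home directory rather than a specific certificate or config location. Separately, `(subpath "/private/etc/master.passwd")` names a regular file, so `(literal "/private/etc/master.passwd")` expresses the intent more precisely, and `file-ioctl` on that path does not look needed. The trailing "Common system sandbox rules" section is marked auto-generated and not user editable, so a comment above it such as `;; Local racoon-specific rules end here; the block below is copied from the system template` would help a future maintainer keep the two halves distinct.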