X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/65c257469f746e64364e5df94f3ed8c6698a9d0a..6b88cae0d0da46a0b1b6418a44da86af3e4527c3:/racoon.sb
diff --git a/racoon.sb b/racoon.sb
index 8aefd9c..34e2459 100644
--- a/racoon.sb
+++ b/racoon.sb
@@ -8,109 +8,56 @@ (allow system-info (info-type "net.link.addr")) -(allow ipc-posix* (ipc-posix-name "com.apple.securityd")) -(allow ipc-posix-shm - (ipc-posix-name "apple.shm.notification_center") - (ipc-posix-name "com.apple.AppleDatabaseChanged")) - -(allow file-read* file-ioctl - (subpath "/private/etc/master.passwd") - (subpath "/private/var/run/racoon") - (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist") - (subpath "/private/etc/racoon")) +(allow file-read*) -(allow file-read* - (subpath "/Library/Managed\ Preferences") - (subpath "/Library/Preferences") - (subpath "/private/var/root") - (literal "/private/var/db/mds/messages/se_SecurityMessages")) +(allow file-write*) -(allow file-write* - (literal "/private/var/run/racoon.sock") - (literal "/private/var/run/racoon.pid")) - -(allow file* - (literal "/var/log/racoon.log") - (literal "/private/var/log/racoon.log")) +(allow ipc-posix* (ipc-posix-name "com.apple.securityd")) -(allow iokit-open (iokit-user-client-class "RootDomainUserClient")) +(allow ipc-posix-shm + (ipc-posix-name "apple.shm.notification_center") + (ipc-posix-name "com.apple.AppleDatabaseChanged")) -(allow network-outbound (subpath "/private/var/tmp/launchd")) -(allow network* - (local udp "*:500" "*:4500") - (remote udp "*:*") - (literal "/private/var/run/racoon.sock")) +(allow ipc-posix-shm-read* + (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\.")) -(allow file* - (literal "/Library/Keychains/System.keychain") - (literal "/private/var/db/mds/system/mdsObject.db") - (literal "/private/var/db/mds/system/mds.lock") - (literal "/private/var/db/mds/system/mdsDirectory.db")) +(allow iokit-open + (iokit-user-client-class "RootDomainUserClient")) (allow mach-lookup - (global-name "com.apple.SecurityServer") - (global-name "com.apple.SystemConfiguration.configd") - (global-name "com.apple.ocspd")) - -;;;;;; Common system sandbox rules -;;;;;; -;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved. 
-;;;;;; -;;;;;; WARNING: The sandbox rules in this file currently constitute -;;;;;; Apple System Private Interface and are subject to change at any time and -;;;;;; without notice. The contents of this file are also auto-generated and -;;;;;; not user editable; it may be overwritten at any time. - -;;; Allow read access to standard system paths. - -(allow file-read* - (require-all (file-mode #o0004) - (require-any (subpath "/System") - (subpath "/usr/lib") - (subpath "/usr/sbin") - (subpath "/usr/share")))) - -(allow file-read-metadata - (literal "/etc") - (literal "/tmp") - (literal "/var")) - -;;; Allow access to standard special files. - -(allow file-read* - (subpath "/usr/share") - (subpath "/private/var/db/timezone") - (literal "/dev/random") - (literal "/dev/urandom")) + (global-name "com.apple.PowerManagement.control") + (global-name "com.apple.SecurityServer") + (global-name "com.apple.SystemConfiguration.configd") + (global-name "com.apple.nehelper") + (global-name "com.apple.securityd.xpc") + (global-name "com.apple.ocspd") + (global-name "com.apple.aggregated") + (global-name "com.apple.cfprefsd.daemon") + (global-name "com.apple.cfprefsd.agent") + (local-name "com.apple.cfprefsd.agent") + (global-name "com.apple.securityd") + (global-name "com.apple.bsd.dirhelper") + (global-name "com.apple.system.logger") + (global-name "com.apple.system.notification_center") + (global-name "com.apple.system.libinfo.muser")) -(allow file-read* - file-write-data - (literal "/dev/null") - (literal "/dev/zero")) +(allow network* + (local udp "*:500" "*:4500") + (remote udp "*:*")) -(allow file-read* - file-write-data - file-ioctl - (literal "/dev/aes_0") - (literal "/dev/sha1_0") - (literal "/dev/dtracehelper")) +(allow network-inbound + (path "/private/var/run/vpncontrol.sock")) +;;; Allow read access to standard system paths. 
(allow network-outbound - (literal "/private/var/run/asl_input") - (literal "/private/var/run/syslog")) + (literal "/private/var/run/asl_input") + (literal "/private/var/run/syslog") + (subpath "/private/var/tmp/launchd")) -;;; Allow IPC to standard system agents. - -(allow mach-lookup - (global-name "com.apple.securityd") - (global-name "com.apple.bsd.dirhelper") - (global-name "com.apple.system.logger") - (global-name "com.apple.system.notification_center")) - -;;; Allow creating an ipsec interface - (allow network-outbound - (control-name "com.apple.net.ipsec_control")) +(allow sysctl-write + (sysctl-name "kern.ipc.maxsockbuf") + (sysctl-name "net.inet.ipsec.esp_port")) ;;; Allow racoon to check entitlements - (allow iokit-open - (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) +(allow iokit-open + (iokit-user-client-class "AppleMobileFileIntegrityUserClient")) \ No newline at end of file
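Review bot: The new `(allow file-write*)` and `(allow file-read*)` near the top of the hunk carry no path filter, so the profile no longer confines which files the daemon can read or write; the old profile limited writes to `racoon.sock`, `racoon.pid`, the two `racoon.log` paths and the keychain/MDS files, and limited system reads to world-readable (`file-mode #o0004`) paths under `/System`, `/usr/lib`, `/usr/sbin` and `/usr/share`. For a daemon that parses network input, an unfiltered write rule removes most of what the sandbox was providing, and the hunk gives no comment explaining why the wider scope is needed. If unrestricted reads are genuinely required, at least the write rule should keep a literal list; a filtered version built from the paths this profile already names is below, with `vpncontrol.sock` included on the assumption that binding the socket needs to create it (confirm against what racoon actually opens, and extend the list only with paths it demonstrably writes). A short comment on the rule stating the reason for each path, e.g. `;; racoon state, log and keychain/MDS files only`, would make future reviews of this profile easier.
```scheme
;; … unchanged: (allow file-read*) …

;; racoon state, log and keychain/MDS files only; extend only for paths
;; racoon is shown to write.
(allow file-write*
  (literal "/private/var/run/racoon.pid")
  (literal "/private/var/run/vpncontrol.sock")
  (literal "/var/log/racoon.log")
  (literal "/private/var/log/racoon.log")
  (literal "/Library/Keychains/System.keychain")
  (literal "/private/var/db/mds/system/mdsObject.db")
  (literal "/private/var/db/mds/system/mds.lock")
  (literal "/private/var/db/mds/system/mdsDirectory.db"))

;; … unchanged: ipc-posix, iokit-open, mach-lookup, network and sysctl rules …
```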