</array>
<key>com.apple.private.nehelper.privileged</key>
<true/>
+ <key>com.apple.private.system-keychain</key>
+ <true/>
</dict>
</plist>
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
+#include <ifaddrs.h>
#include "var.h"
#include "ipsec_strerror.h"
u_int32_t l_alloc, u_int32_t l_bytes, u_int32_t l_addtime, u_int32_t l_usetime, u_int32_t seq, u_int16_t port,
u_int always_expire)
{
- struct sadb_msg *newmsg;
+ struct sadb_msg *newmsg = NULL;
+ struct ifaddrs *ifap = NULL;
+ struct ifaddrs *ifa = NULL;
int len;
+ int ret = -1;
caddr_t p;
int plen;
caddr_t ep;
return -1;
}
+ if (getifaddrs(&ifap) < 0) {
+ return -1;
+ }
+
+ for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
+ if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != src->ss_family)
+ continue;
+
+ if (src->ss_family == AF_INET) {
+ if (memcmp(&((struct sockaddr_in *)(ifa->ifa_addr))->sin_addr, &((struct sockaddr_in *)src)->sin_addr, sizeof(struct in_addr)) != 0)
+ continue;
+ } else if (src->ss_family == AF_INET6) {
+ if (memcmp(&((struct sockaddr_in6 *)(ifa->ifa_addr))->sin6_addr, &((struct sockaddr_in6 *)src)->sin6_addr, sizeof(struct in6_addr)) != 0)
+ continue;
+ }
+
+ break;
+ }
+
/* create new sadb_msg to reply. */
len = sizeof(struct sadb_msg)
+ sizeof(struct sadb_sa_2)
+ sizeof(struct sadb_address)
+ PFKEY_ALIGN8(sysdep_sa_len((struct sockaddr *)dst))
+ sizeof(struct sadb_lifetime)
- + sizeof(struct sadb_lifetime);
+ + sizeof(struct sadb_lifetime)
+ + ((ifa != NULL && ifa->ifa_name != NULL) ? sizeof(struct sadb_x_ipsecif) : 0);
if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP)
len += (sizeof(struct sadb_key) + PFKEY_ALIGN8(e_keylen));
if ((newmsg = CALLOC((size_t)len, struct sadb_msg *)) == NULL) {
__ipsec_set_strerror(strerror(errno));
- return -1;
+ goto err;
}
ep = ((caddr_t)(void *)newmsg) + len;
satype, seq, getpid());
if (!p) {
free(newmsg);
+ freeifaddrs(ifap);
return -1;
}
p = pfkey_setsadbsa(p, ep, spi, wsize, a_type, e_type, flags, port);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
p = pfkey_setsadbxsa2(p, ep, mode, reqid, always_expire);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_SRC, src, (u_int)plen,
IPSEC_ULPROTO_ANY);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
p = pfkey_setsadbaddr(p, ep, SADB_EXT_ADDRESS_DST, dst, (u_int)plen,
IPSEC_ULPROTO_ANY);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
+ }
+
+ if (ifa != NULL && ifa->ifa_name != NULL) {
+ p = pfkey_setsadbipsecif(p, ep, NULL, ifa->ifa_name, NULL, 0);
+ if (!p) {
+ goto err;
+ }
}
if (e_type != SADB_EALG_NONE && satype != SADB_X_SATYPE_IPCOMP) {
p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_ENCRYPT,
keymat, e_keylen);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
}
if (a_type != SADB_AALG_NONE) {
p = pfkey_setsadbkey(p, ep, SADB_EXT_KEY_AUTH,
keymat + e_keylen, a_keylen);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
}
p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_HARD,
l_alloc, l_bytes, l_addtime, l_usetime);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
p = pfkey_setsadblifetime(p, ep, SADB_EXT_LIFETIME_SOFT,
l_alloc, l_bytes, l_addtime, l_usetime);
if (!p) {
- free(newmsg);
- return -1;
+ goto err;
}
if (p != ep) {
- free(newmsg);
- return -1;
+ goto err;
}
/* send message */
len = pfkey_send(so, newmsg, len);
- free(newmsg);
-
- if (len < 0)
- return -1;
+ if (len < 0) {
+ goto err;
+ }
__ipsec_errcode = EIPSEC_NO_ERROR;
- return len;
+ ret = len;
+
+err:
+ if (ifap != NULL) {
+ freeifaddrs(ifap);
+ }
+
+ if (newmsg != NULL) {
+ free(newmsg);
+ }
+
+ return ret;
}
#include <Security/SecIdentity.h>
#include <Security/SecItem.h>
#include <TargetConditionals.h>
+#include <Security/SecItemPriv.h>
#if TARGET_OS_EMBEDDED
#include <Security/SecTrustPriv.h>
#include <Security/SecPolicyPriv.h>
CFDictionaryRef persistFind = NULL;
- const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass};
- const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity};
+ const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass,
+#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE
+ kSecUseSystemKeychain,
+#endif
+ };
+ const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity,
+#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE
+ kCFBooleanTrue,
+#endif
+ };
#define SIG_BUF_SIZE 1024
size_t dataLen;
CFDataRef certData = NULL;
SecIdentityRef identityRef = NULL;
- const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass };
- const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity };
+ const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass,
+#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE
+ kSecUseSystemKeychain,
+#endif
+ };
+ const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity,
+#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE
+ kCFBooleanTrue,
+#endif
+ };
/* find identity by persistent ref */
persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist,
if (persistFind == NULL)
goto end;
- status = SecItemCopyMatching(persistFind, (CFTypeRef *)&identityRef);
+ status = SecItemCopyMatching(persistFind, (CFTypeRef *)&identityRef);
if (status != noErr)
goto end;
#include "crypto_openssl.h"
#include "vendorid.h"
+#if !TARGET_OS_EMBEDDED
+#include <sandbox.h>
+#endif // !TARGET_OS_EMBEDDED
+
+
#include <CoreFoundation/CoreFoundation.h>
#include "power_mgmt.h"
#include "preferences.h"
{
int error;
+#if !TARGET_OS_EMBEDDED
+ char *errorbuf;
+ if (sandbox_init("racoon", SANDBOX_NAMED, &errorbuf) == -1) {
+ plog(ASL_LEVEL_ERR, "initializing sandbox failed %s", errorbuf);
+ sandbox_free_error(errorbuf);
+ return -1;
+ }
+#endif // !TARGET_OS_EMBEDDED
+
/*
* Check IPSec plist
*/
prefsinit();
ploginit();
- /*
- * racoon is not sandboxed on Mac OS.
- * On embedded, racoon is sandboxed with a seatbelt-profiles entitlement.
- */
-
if (geteuid() != 0) {
errx(1, "must be root to invoke this program.");
/* NOTREACHED*/
static void close_session (int);
static int init_signal (void);
static int set_signal (int sig, RETSIGTYPE (*func) (int, siginfo_t *, void *));
-static void check_sigreq (void);
static void check_flushsa_stub (void *);
static void check_flushsa (void);
static void auto_exit_do (void *);
static volatile sig_atomic_t sigreq[NSIG + 1];
int terminated = 0;
+int pending_signal_handle = 0;
static int64_t racoon_keepalive = -1;
};
-static void
+void
check_sigreq()
{
int sig;
if ( sig == SIGTERM ){
terminated = 1;
}
+
+ pending_signal_handle = 1;
dispatch_async(main_queue,
^{
- check_sigreq();
+ if (pending_signal_handle) {
+ check_sigreq();
+ pending_signal_handle = 0;
+ }
});
}
#include "handler.h"
+extern int pending_signal_handle;
+
extern void session (void);
+extern void check_sigreq(void);
extern RETSIGTYPE signal_handler (int, siginfo_t *, void *);
extern void check_auto_exit (void);
extern void dying (void);
}
int
-vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt)
+vpn_start_ph2(struct bound_addr *addr, struct vpnctl_cmd_start_ph2 *pkt, size_t pkt_len)
{
struct vpnctl_sa_selector *selector_ptr;
struct vpnctl_algo *algo_ptr, *next_algo;
}
selector_ptr = (struct vpnctl_sa_selector *)(pkt + 1);
+ size_t total_selector_len = (sizeof(struct vpnctl_sa_selector) * ntohs(pkt->selector_count));
+ if (pkt_len < (sizeof(struct vpnctl_cmd_start_ph2) + total_selector_len)) {
+ plog(ASL_LEVEL_ERR, "invalid length for vpn ph2 selector - len=%ld - expected %ld\n", pkt_len, (sizeof(struct vpnctl_cmd_start_ph2) + total_selector_len));
+ return -1;
+ }
+
algo_ptr = (struct vpnctl_algo *)(selector_ptr + ntohs(pkt->selector_count));
+ size_t total_algo_len = (sizeof(struct vpnctl_algo) * ntohs(pkt->algo_count));
+ if (pkt_len < (sizeof(struct vpnctl_cmd_start_ph2) + total_selector_len + total_algo_len)) {
+ plog(ASL_LEVEL_ERR, "invalid length for vpn ph2 algo - len=%ld - expected %ld\n", pkt_len, (sizeof(struct vpnctl_cmd_start_ph2) + total_selector_len + total_algo_len));
+ return -1;
+ }
for (i = 0; i < ntohs(pkt->selector_count); i++, selector_ptr++) {
new_sainfo = create_sainfo();
mode_t vpncontrolsock_mode = 0600;
static struct sockaddr_un sunaddr;
-static int vpncontrol_process (struct vpnctl_socket_elem *, char *);
+static int vpncontrol_process (struct vpnctl_socket_elem *, char *, size_t);
static int vpncontrol_reply (int, char *);
static void vpncontrol_close_comm (struct vpnctl_socket_elem *);
static int checklaunchd (void);
goto end;
}
- (void)vpncontrol_process(elem, combuf);
+ if (len < (sizeof(hdr) + ntohs(hdr.len))) {
+ plog(ASL_LEVEL_ERR,
+ "invalid length of vpn_control command - len=%ld - expected %ld\n", len, (sizeof(hdr) + ntohs(hdr.len)));
+ goto end;
+ }
+
+ (void)vpncontrol_process(elem, combuf, len);
end:
if (combuf)
}
static int
-vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf)
+vpncontrol_process(struct vpnctl_socket_elem *elem, char *combuf, size_t combuf_len)
{
u_int16_t error = 0;
struct vpnctl_hdr *hdr = ALIGNED_CAST(struct vpnctl_hdr *)combuf;
case VPNCTL_CMD_BIND:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_bind)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl bind cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_bind));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_bind *pkt = ALIGNED_CAST(struct vpnctl_cmd_bind *)combuf;
struct bound_addr *addr;
+
+ if (combuf_len < (sizeof(struct vpnctl_cmd_bind) + ntohs(pkt->vers_len))) {
+ plog(ASL_LEVEL_ERR, "invalid length for vpnctl bind cmd - len=%ld - expected %ld\n", combuf_len, (sizeof(struct vpnctl_cmd_bind) + ntohs(pkt->vers_len)));
+ error = -1;
+ break;
+ }
plog(ASL_LEVEL_DEBUG,
"received bind command on vpn control socket.\n");
case VPNCTL_CMD_UNBIND:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_unbind)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl unbind cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_unbind));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_unbind *pkt = ALIGNED_CAST(struct vpnctl_cmd_unbind *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_REDIRECT:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_redirect)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl redirect cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_redirect));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_redirect *redirect_msg = ALIGNED_CAST(struct vpnctl_cmd_redirect *)combuf;
struct redirect *raddr;
struct redirect *t_raddr;
case VPNCTL_CMD_XAUTH_INFO:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_xauth_info)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl xauth info cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_xauth_info));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_xauth_info *pkt = ALIGNED_CAST(struct vpnctl_cmd_xauth_info *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
void *attr_list;
- plog(ASL_LEVEL_DEBUG,
+ if (combuf_len < (sizeof(struct vpnctl_cmd_xauth_info) + ntohs(pkt->hdr.len) - sizeof(u_int32_t))) {
+ plog(ASL_LEVEL_ERR, "invalid length for vpnctl xauth info cmd - len=%ld - expected %ld\n", combuf_len, (sizeof(struct vpnctl_cmd_xauth_info) + ntohs(pkt->hdr.len) - sizeof(u_int32_t)));
+ error = -1;
+ break;
+ }
+
+ plog(ASL_LEVEL_DEBUG,
"received xauth info command vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
case VPNCTL_CMD_SET_NAT64_PREFIX:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_set_nat64_prefix)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl nat64 prefix cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_set_nat64_prefix));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_set_nat64_prefix *pkt = ALIGNED_CAST(struct vpnctl_cmd_set_nat64_prefix *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_CONNECT:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_connect)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl connect cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_connect));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
+ if (pending_signal_handle) {
+ /*
+ * This check is done to ensure that a SIGUSR1 signal to re-read the configuration file
+ * is completed before calling a connect. This is to fix the issue seen in (rdar://problem/25641686)
+ */
+ check_sigreq();
+ pending_signal_handle = 0;
+ }
+
plog(ASL_LEVEL_DEBUG,
"received connect command on vpn control socket.\n");
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
case VPNCTL_CMD_DISCONNECT:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_connect)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl disconnect cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_connect));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
case VPNCTL_CMD_START_PH2:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_start_ph2)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl start ph2 cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_start_ph2));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_start_ph2 *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_ph2 *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
LIST_FOREACH_SAFE(addr, &elem->bound_addresses, chain, t_addr) {
if (pkt->address == addr->address) {
/* start the connection */
- error = vpn_start_ph2(addr, pkt);
+ error = vpn_start_ph2(addr, pkt, combuf_len);
break;
}
}
case VPNCTL_CMD_START_DPD:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_start_dpd)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl start dpd cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_start_dpd));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_start_dpd *pkt = ALIGNED_CAST(struct vpnctl_cmd_start_dpd *)combuf;
struct bound_addr *srv;
struct bound_addr *t_addr;
case VPNCTL_CMD_ASSERT:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_assert)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl assert cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_assert));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_assert *pkt = ALIGNED_CAST(struct vpnctl_cmd_assert *)combuf;
// struct bound_addr *addr;
// struct bound_addr *t_addr;
case VPNCTL_CMD_RECONNECT:
{
+ if (combuf_len < sizeof(struct vpnctl_cmd_connect)) {
+ plog(ASL_LEVEL_ERR, "invalid header length for vpnctl reconnect cmd - len=%ld - expected %ld\n", combuf_len, sizeof(struct vpnctl_cmd_connect));
+ error = -1;
+ break;
+ }
+
struct vpnctl_cmd_connect *pkt = ALIGNED_CAST(struct vpnctl_cmd_connect *)combuf;
struct bound_addr *addr;
struct bound_addr *t_addr;
extern int vpn_connect (struct bound_addr *, int);
extern int vpn_disconnect (struct bound_addr *, const char *);
extern void vpncontrol_disconnect_all (struct vpnctl_socket_elem *, const char *);
-extern int vpn_start_ph2 (struct bound_addr *, struct vpnctl_cmd_start_ph2 *);
+extern int vpn_start_ph2 (struct bound_addr *, struct vpnctl_cmd_start_ph2 *, size_t);
extern int vpncontrol_notify_need_authinfo (phase1_handle_t *, void*, size_t);
extern int vpncontrol_notify_peer_resp_ph1 (u_int16_t, phase1_handle_t*);
extern int vpncontrol_notify_peer_resp_ph2 (u_int16_t, phase2_handle_t*);
(allow system-info (info-type "net.link.addr"))
-(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
-(allow ipc-posix-shm
- (ipc-posix-name "apple.shm.notification_center")
- (ipc-posix-name "com.apple.AppleDatabaseChanged"))
-
-(allow file-read* file-ioctl
- (subpath "/private/etc/master.passwd")
- (subpath "/private/var/run/racoon")
- (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
- (subpath "/private/etc/racoon"))
-
-(allow file-read*
- (subpath "/Library/Managed\ Preferences")
- (subpath "/Library/Preferences")
- (subpath "/private/var/root")
- (literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist")
- (literal "/private/var/db/mds/messages/se_SecurityMessages")
- (literal "/private/var/db/icu"))
-
-(allow file-write*
- (literal "/private/var/run/racoon.sock")
- (literal "/private/var/run/racoon.pid"))
+(allow file-read*)
-(allow file*
- (literal "/var/log/racoon.log")
- (literal "/private/var/log/racoon.log"))
+(allow file-write*)
-(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
-
-(allow network-outbound (subpath "/private/var/tmp/launchd"))
-(allow network*
- (local udp "*:500" "*:4500")
- (remote udp "*:*")
- (literal "/private/var/run/racoon.sock"))
+(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
-(allow file*
- (literal "/Library/Keychains/System.keychain")
- (literal "/private/var/db/mds/system/mdsObject.db")
- (literal "/private/var/db/mds/system/mds.lock")
- (literal "/private/var/db/mds/system/mdsDirectory.db"))
+(allow ipc-posix-shm
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name "com.apple.AppleDatabaseChanged"))
-(allow mach-lookup
- (global-name "com.apple.SecurityServer")
- (global-name "com.apple.SystemConfiguration.configd")
- (global-name "com.apple.ocspd")
- (global-name "com.apple.commcenter.xpc")
- (global-name "com.apple.aggregated")
- (global-name "com.apple.cfprefsd.daemon")
- (global-name "com.apple.cfprefsd.agent")
- (local-name "com.apple.cfprefsd.agent")
- (global-name "com.apple.nehelper"))
-
(allow ipc-posix-shm-read*
- (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
+ (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
-;;;;;; Common system sandbox rules
-;;;;;;
-;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
-;;;;;;
-;;;;;; WARNING: The sandbox rules in this file currently constitute
-;;;;;; Apple System Private Interface and are subject to change at any time and
-;;;;;; without notice. The contents of this file are also auto-generated and
-;;;;;; not user editable; it may be overwritten at any time.
+(allow iokit-open
+ (iokit-user-client-class "RootDomainUserClient"))
-;;; Allow read access to standard system paths.
-
-(allow file-read*
- (require-all (file-mode #o0004)
- (require-any (subpath "/System")
- (subpath "/usr/lib")
- (subpath "/usr/sbin")
- (subpath "/usr/share"))))
-
-(allow file-read-metadata
- (literal "/etc")
- (literal "/tmp")
- (literal "/var"))
-
-;;; Allow access to standard special files.
-
-(allow file-read*
- (subpath "/usr/share")
- (subpath "/private/var/db/timezone")
- (literal "/dev/random")
- (literal "/dev/urandom"))
+(allow mach-lookup
+ (global-name "com.apple.PowerManagement.control")
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.nehelper")
+ (global-name "com.apple.securityd.xpc")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.aggregated")
+ (global-name "com.apple.cfprefsd.daemon")
+ (global-name "com.apple.cfprefsd.agent")
+ (local-name "com.apple.cfprefsd.agent")
+ (global-name "com.apple.securityd")
+ (global-name "com.apple.bsd.dirhelper")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.libinfo.muser"))
-(allow file-read*
- file-write-data
- (literal "/dev/null")
- (literal "/dev/zero"))
+(allow network*
+ (local udp "*:500" "*:4500")
+ (remote udp "*:*"))
-(allow file-read*
- file-write-data
- file-ioctl
- (literal "/dev/aes_0")
- (literal "/dev/sha1_0")
- (literal "/dev/dtracehelper"))
+(allow network-inbound
+ (path "/private/var/run/vpncontrol.sock"))
+;;; Allow read access to standard system paths.
(allow network-outbound
- (literal "/private/var/run/asl_input")
- (literal "/private/var/run/syslog"))
+ (literal "/private/var/run/asl_input")
+ (literal "/private/var/run/syslog")
+ (subpath "/private/var/tmp/launchd"))
-;;; Allow IPC to standard system agents.
-
-(allow mach-lookup
- (global-name "com.apple.securityd")
- (global-name "com.apple.bsd.dirhelper")
- (global-name "com.apple.system.logger")
- (global-name "com.apple.system.notification_center"))
-
-;;; Allow creating an ipsec interface
- (allow network-outbound
- (control-name "com.apple.net.ipsec_control"))
+(allow sysctl-write
+ (sysctl-name "kern.ipc.maxsockbuf")
+ (sysctl-name "net.inet.ipsec.esp_port"))
;;; Allow racoon to check entitlements
- (allow iokit-open
- (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
+(allow iokit-open
+ (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))
\ No newline at end of file
projects / apple / ipsec.git / commitdiff
