1 ; -*- Mode: Scheme; tab-width: 4 -*-
3 ; Copyright (c) 2007 Apple Inc. All rights reserved.
5 ; Redistribution and use in source and binary forms, with or without
6 ; modification, are permitted provided that the following conditions are met:
8 ; 1. Redistributions of source code must retain the above copyright notice,
9 ; this list of conditions and the following disclaimer.
10 ; 2. Redistributions in binary form must reproduce the above copyright notice,
11 ; this list of conditions and the following disclaimer in the documentation
12 ; and/or other materials provided with the distribution.
13 ; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
14 ; contributors may be used to endorse or promote products derived from this
15 ; software without specific prior written permission.
17 ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
26 ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 ; $Log: mDNSResponder.sb,v $
29 ; Revision 1.25.2.1 2008/07/29 20:48:34 mcguire
30 ; <rdar://problem/6090007> Should use randomized source ports and transaction IDs to avoid DNS cache poisoning
31 ; merge r1.27 from <rdar://problem/3988320>
33 ; Revision 1.25 2008/03/17 18:04:41 mcguire
34 ; <rdar://problem/5800476> SC now reads preference file
36 ; Revision 1.24 2007/09/20 22:33:17 cheshire
37 ; Tidied up inconsistent and error-prone naming -- used to be mDNSResponderHelper in
38 ; some places and mDNSResponder.helper in others; now mDNSResponderHelper everywhere
40 ; Revision 1.23 2007/09/04 22:26:18 mcguire
41 ; <rdar://problem/5442826> Seatbelt: mDNSResponder needs to be allowed to access "/Library/Security/Trust Settings/" etc.
43 ; Revision 1.22 2007/08/24 22:01:56 mcguire
44 ; <rdar://problem/5141606> BTMM: Task: Change mDNSResponder Seatbelt settings to "deny default" instead of "signal FPE" just prior to GM candidate
46 ; Revision 1.21 2007/08/18 01:02:03 mcguire
47 ; <rdar://problem/5415593> No Bonjour services are getting registered at boot
49 ; Revision 1.20 2007/08/08 22:34:59 mcguire
50 ; <rdar://problem/5197869> Security: Run mDNSResponder as user id mdnsresponder instead of root
52 ; Revision 1.19 2007/07/02 23:37:50 cheshire
53 ; <rdar://problem/5267615> Need to list of allowed mach-lookup operations explicitly in mDNSResponder.sb
55 ; Revision 1.18 2007/06/28 20:43:35 cheshire
56 ; <rdar://problem/5298202> Seatbelt: mDNSResponder needs to be able to access /dev/autofs_nowait
58 ; Revision 1.17 2007/06/28 20:34:45 cheshire
59 ; Updated comments to reflect new seatbelt language syntax
61 ; Revision 1.16 2007/05/29 23:32:46 cheshire
62 ; Rearrange file so SPI warning isn't deleted when CVS history is trimmed from installed copy
64 ; Revision 1.15 2007/05/25 22:45:17 jvidrine
65 ; <rdar://problem/5227658> Update mDNSResponder.sb to Seatbelt Profile Language version 1
67 ; Revision 1.14 2007/05/23 17:40:08 cheshire
68 ; <rdar://problem/5221397> Seatbelt killed mDNSResponder trying to read X509Anchors and X509Certificates
70 ; Revision 1.13 2007/05/23 01:47:59 cheshire
71 ; Need to list fs_read_data permission explicitly --
72 ; unlike fs_read/fs_write, fs_read_data does NOT automatically inherit from fs_write_data
74 ; Revision 1.12 2007/05/21 23:52:27 cheshire
75 ; <rdar://problem/5216638> Seatbelt killed mDNSResponder generating Module Directory Services cache
77 ; Revision 1.11 2007/05/20 16:29:06 cheshire
78 ; <rdar://problem/5213725> Seatbelt killed mDNSResponder trying to access /usr/share/icu/icudt36l.dat
80 ; Revision 1.10 2007/05/15 00:21:39 cheshire
81 ; <rdar://problem/5202374> Seatbelt killed mDNSResponder reading /private/var/root/Library/Preferences/com.apple.security.plist
83 ; Revision 1.9 2007/05/14 22:08:26 cheshire
84 ; <rdar://problem/5200986> Seatbelt: Need to escape literal dots in filename patterns
86 ; Revision 1.8 2007/05/14 19:39:31 cheshire
87 ; <rdar://problem/5198345> Seatbelt killed mDNSResponder in CFTimeZoneCopyDefault
88 ; <rdar://problem/5199456> Seatbelt killed mDNSResponder in SecKeychainOpen
90 ; Revision 1.7 2007/05/12 01:57:56 cheshire
91 ; <rdar://problem/5197938> Seatbelt: mDNSResponder needs to be able to access preferences.plist-lock
93 ; Revision 1.6 2007/05/10 21:12:14 cheshire
94 ; <rdar://problem/5149833> Start using "debug deny" mode in Seatbelt
96 ; Revision 1.5 2007/05/10 19:41:25 cheshire
97 ; <rdar://problem/5182549> Have to use "deny mach_lookup_default" because "signal" doesn't work
99 ; Revision 1.4 2007/04/27 20:46:31 cheshire
100 ; Additional requirements: allow mDNSResponder to read /dev/random and /System/Library/Keychains/System.*
102 ; Revision 1.3 2007/04/20 19:42:14 cheshire
103 ; Condense rules a bit to bring file under Seatbelt's 4K limit
105 ; Revision 1.2 2007/04/19 01:47:49 cheshire
106 ; Refinements to sandbox profile, e.g. allow writing to /dev/console early in the boot process
108 ; Revision 1.1 2007/04/18 00:50:47 cheshire
109 ; <rdar://problem/5141540> Sandbox mDNSResponder
111 ;############################################################################
113 ; WARNING! SEATBELT CURRENTLY CAN'T HANDLE PROFILES LARGER THAN 16K
114 ; MAKE SURE THE SIZE OF THIS FILE FROM "version" TO THE END DOESN'T EXCEED 16K
118 ; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
119 ; Apple SPI (System Private Interface) and are subject to change at any time without notice.
120 ; Apple may in future announce an official public supported sandbox API, but until then Developers
121 ; are cautioned not to build products that use or depend on the sandbox facilities illustrated here.
123 ; Use "debug all" to log all operations examined by seatbelt, whether allowed or not.
124 ; Use "debug deny" to log only the operations that seatbelt denies,
125 ; which is the quickest way to discover which specific attempted operation is causing an exception.
130 ; To help debugging, "with send-signal SIGFPE" will trigger a fake floating-point exception,
131 ; which will crash the process and show the call stack leading to the offending operation.
132 ; For the shipping version "deny" is probably better because it vetoes the operation
133 ; without killing the process.
136 ;(deny default (with send-signal SIGFPE))
138 ; Special exception: "send-signal" command does not apply to the mach-* operations,
139 ; so for those we have to use a plain unadorned "deny" instead
140 ; (which means we may not get any notification of unintentional mach-* denials)
; NOTE(review): this excerpt shows no "(deny default)" statement. The revision 1.22 log entry
; above says the shipping profile is deny-by-default, and the (allow ...) rules below are written
; as exceptions to such a default - confirm the default-deny line is present ahead of these rules.
;
; Plain "deny" with no send-signal modifier: per the note above, send-signal does not apply to
; the mach-* operations, so a denial here produces no crash/stack trace, only the refusal itself.
142 (deny mach-priv-host-port)
144 ; Mach communications
145 ; These are needed for things like getpwnam, hostname changes, and keychain access.
; Explicit allow-list of Mach global names (see the revision 1.19 log entry above). Only the
; names enumerated here may be looked up; presumably any other mach-lookup falls through to the
; profile's default rule - confirm against the seatbelt semantics in use.
146 (allow mach-lookup (global-name
147 "com.apple.bsd.dirhelper"
148 "com.apple.distributed_notifications.2"
150 "com.apple.mDNSResponderHelper"
151 "com.apple.SecurityServer"
152 "com.apple.SystemConfiguration.configd"
153 "com.apple.system.DirectoryService.libinfo_v1"
154 "com.apple.system.notification_center"))
156 ; Rules to allow the operations mDNSResponder needs start here
; NOTE(review): network* is the broadest grant in this profile (wildcard over every network
; operation class). A DNS responder needs both inbound and outbound sockets, so a narrower
; split may not be expressible here - worth re-checking whenever the rule language gains finer classes.
158 (allow network*) ; Allow networking, including Unix Domain Sockets
159 (allow sysctl-read) ; To get hardware model information
160 (allow file-read-metadata) ; Needed for dyld to work
161 (allow ipc-posix-shm) ; Needed for POSIX shared memory
; Device nodes. Every pattern is anchored at both ends ("^" ... "\$") so that, for example,
; "/dev/random" does not also match a longer name with the same prefix. Only /dev/console gets
; write access; the other two are read-only.
163 (allow file-read-data (regex "^/dev/random\$"))
164 (allow file-read-data file-write-data (regex "^/dev/console\$")) ; Needed for syslog early in the boot process
165 (allow file-read-data (regex "^/dev/autofs_nowait\$")) ; Used by CF to circumvent automount triggers
167 ; Allow us to read and write our socket
; The daemon's own Unix-domain socket: this uses the wildcard file-read* / file-write* classes
; rather than the narrower -data variants used for almost everything else in this file.
168 (allow file-read* file-write* (regex "^/private/var/run/mDNSResponder\$"))
170 ; Allow us to read system version, settings, and other miscellaneous necessary file system accesses
; NOTE(review): this pattern ends in a bare "$" while every other pattern in the file writes "\$".
; Presumably both spell the same end anchor in this string syntax - confirm, or make it consistent
; so a future reader does not wonder whether the anchor was intended.
171 (allow file-read-data (regex "^/dev/urandom$"))
; Matches either the /usr/sbin directory itself or exactly /usr/sbin/mDNSResponder (optional group).
172 (allow file-read-data (regex "^/usr/sbin(/mDNSResponder)?\$")) ; Needed for CFCopyVersionDictionary()
; ".*" grants read access to every file beneath these two directories.
173 (allow file-read-data (regex "^/usr/share/icu/.*\$"))
174 (allow file-read-data (regex "^/usr/share/zoneinfo/.*\$"))
; Preference plists. Literal dots are escaped ("\.") per the revision 1.9 log entry; the patterns
; that keep a ".*" (GlobalPreferences, com.apple.security) accept any suffix before ".plist".
175 (allow file-read-data (regex "^/Library/Preferences/SystemConfiguration/preferences\.plist\$"))
176 (allow file-read-data (regex "^/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist\$"))
177 (allow file-read-data (regex "^/Library/Preferences/com\.apple\.security.*\.plist\$"))
178 (allow file-read-data (regex "^/Library/Preferences/com\.apple\.crypto\.plist\$"))
179 (allow file-read-data (regex "^/Library/Security/Trust Settings/Admin\.plist\$"))
180 (allow file-read-data (regex "^/System/Library/CoreServices/SystemVersion.*\$"))
181 (allow file-read-data (regex "^/System/Library/Preferences/com\.apple\.security.*\.plist\$"))
182 (allow file-read-data (regex "^/System/Library/Preferences/com\.apple\.crypto\.plist\$"))
184 ; Allow access to System Keychain
; Read-only throughout: the directory entry itself, everything under System/Library/Keychains,
; and the single System.keychain file. No write access to any keychain is granted here.
185 (allow file-read-data (regex "^/System/Library/Security\$"))
186 (allow file-read-data (regex "^/System/Library/Keychains/.*\$"))
187 (allow file-read-data (regex "^/Library/Keychains/System\.keychain\$"))
188 ; Our Module Directory Services cache
; Prefix match only (no end anchor): read access covers everything under /private/var/tmp/mds/.
189 (allow file-read-data (regex "^/private/var/tmp/mds/"))
; Read and write are confined to the numeric sub-directories of the cache ("[0-9]+"), either the
; directory itself ("\$") or, presumably, anything beneath it ("/", with no anchor after it).
190 (allow file-read* file-write* (regex "^/private/var/tmp/mds/[0-9]+(/|\$)"))