mDNSMacOSX/mDNSResponder.sb

   1 ; -*- Mode: Scheme; tab-width: 4 -*-
   2 ;
   3 ; Copyright (c) 2012 Apple Inc. All rights reserved.
   4 ;
   5 ; Redistribution and use in source and binary forms, with or without
   6 ; modification, are permitted provided that the following conditions are met:
   7 ;
   8 ; 1.  Redistributions of source code must retain the above copyright notice,
   9 ;     this list of conditions and the following disclaimer.
  10 ; 2.  Redistributions in binary form must reproduce the above copyright notice,
  11 ;     this list of conditions and the following disclaimer in the documentation
  12 ;     and/or other materials provided with the distribution.
  13 ; 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
  14 ;     contributors may be used to endorse or promote products derived from this
  15 ;     software without specific prior written permission.
  16 ;
  17 ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
  18 ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  19 ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  20 ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
  21 ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  22 ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  23 ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  24 ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  25 ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  26 ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  27 ;
  28 ;############################################################################
  29
  30
  31 ; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
  32 ; Apple SPI (System Private Interface) and are subject to change at any time without notice.
  33
  34 (version 1)
  35 ; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder
  36 ; to get the stack trace as that can get into deadlock. no-callout will prevent
  37 ; symbolification.
  38 (deny default (with no-callout))
  39
  40 (import "system.sb")
  41
  42 ; Baseline
  43 (allow file-read-metadata ipc-posix-shm)
  44
  45 ; Mach communications
  46 ; These are needed for things like getpwnam, hostname changes, & keychain
  47 (allow mach-lookup
  48        (global-name "com.apple.bsd.dirhelper")
  49        (global-name "com.apple.CoreServices.coreservicesd")
  50        (global-name "com.apple.distributed_notifications.2")
  51        (global-name "com.apple.ocspd")
  52        (global-name "com.apple.PowerManagement.control")
  53        (global-name "com.apple.mDNSResponderHelper")
  54        (global-name "com.apple.SecurityServer")
  55        (global-name "com.apple.SystemConfiguration.configd")
  56        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  57        (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  58        (global-name "com.apple.SystemConfiguration.NetworkInformation")
  59        (global-name "com.apple.system.notification_center")
  60        (global-name "com.apple.system.logger")
  61        (global-name "com.apple.webcontentfilter.dns")
  62        (global-name "com.apple.server.bluetooth")
  63        (global-name "com.apple.awacs")
  64        (global-name "com.apple.networkd")
  65        (global-name "com.apple.securityd")
  66        (global-name "com.apple.wifi.manager")
  67        (global-name "com.apple.commcenter.cupolicy.xpc")
  68        (global-name "com.apple.blued")
  69        (global-name "com.apple.mobilegestalt.xpc")
  70        (global-name "com.apple.snhelper"))
  71
  72 (allow mach-register
  73        (global-name "com.apple.d2d.ipc"))
  74
  75 ; Networking, including Unix Domain Sockets
  76 (allow network*)
  77
  78 ; Raw sockets
  79 (if (defined? 'system-socket)
  80     (allow system-socket))
  81
  82 ; Hardware model information
  83 (allow sysctl-read)
  84
  85 ; Syslog early in the boot process
  86 (allow file-read-data file-write-data (literal "/dev/console"))
  87
  88 (allow file-read-data
  89        ; /etc/hosts support
  90        (literal "/private/etc/hosts")
  91        (literal "/private/etc"))
  92
  93 ; Our socket
  94 (allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))
  95
  96 ; System version, settings, and other miscellaneous necessary file system accesses
  97 (allow file-read-data
  98        ; Needed for CFCopyVersionDictionary()
  99        (literal "/usr/sbin")
 100        (literal "/usr/sbin/mDNSResponder")
 101
 102        (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
 103        (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
 104        (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
 105        (literal "/Library/Preferences/com.apple.crypto.plist")
 106        (literal "/Library/Security/Trust Settings/Admin.plist")
 107        (regex #"^/Library/Preferences/com\.apple\.security\.")
 108        (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
 109        (literal "/private/var/preferences/SystemConfiguration/preferences.plist"))
 110
 111 ; For MAC Address
 112 (allow system-info (info-type "net.link.addr"))
 113
 114 ; We just need access to System.keychain. But we don't want errors logged if other keychains are
 115 ; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
 116 ; connection. Instead of adding access to it here (to things which we don't need), we disable any
 117 ; logging that might happen during the access
 118 (deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
 119 (allow file-read-data (literal "/Library/Keychains/System.keychain"))
 120
 121 ; Access to mDNSResponder Managed Preferences profile
 122 ; instead of using (mobile-preferences-read "com.apple.mDNSResponder") we use the lines below for OSX compatibility
 123 (allow file-read* (literal "/private/var/Managed Preferences/mobile"))
 124 (allow file-read* (literal "/private/var/Library/Preferences/"))
 125 (allow file-read* (literal "/Library/Managed Preferences"))
 126 (allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.mDNSResponder.plist"))
 127
 128 ; Our Module Directory Services cache
 129 (allow file-read-data
 130        (subpath "/private/var/tmp/mds")
 131        (subpath "/private/var/db/mds"))
 132
 133 (allow file-read* file-write*
 134        (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
 135        (regex #"^/private/var/db/mds/[0-9]+(/|$)")
 136        (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
 137
 138        ; Required on 10.5 and 10.6
 139        (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")
 140
 141        ; Required on 10.10.4
 142        (regex #"^/private/var/folders/[^/]+/[^/]+/[0-9]+(/|$)"))
 143
 144 ; CRL Cache for SSL/TLS connections
 145 (allow file-read-data (literal "/private/var/db/crls/crlcache.db"))
 146
 147 ; For mDNS sleep proxy offload and IOPMConnectionCreate
 148 (if (defined? 'iokit-open)
 149    (begin
 150      (allow iokit-open
 151         (iokit-user-client-class "NVEthernetUserClientMDNS")
 152         (iokit-user-client-class "mDNSOffloadUserClient")
 153         (iokit-user-client-class "wlDNSOffloadUserClient")
 154         (iokit-user-client-class "RootDomainUserClient")
 155         (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))