1 ;
2 ; Copyright (c) 2012-2019 Apple Inc. All rights reserved.
3 ;
4 ; Redistribution and use in source and binary forms, with or without
5 ; modification, are permitted provided that the following conditions are met:
6 ;
7 ; 1. Redistributions of source code must retain the above copyright notice,
8 ; this list of conditions and the following disclaimer.
9 ; 2. Redistributions in binary form must reproduce the above copyright notice,
10 ; this list of conditions and the following disclaimer in the documentation
11 ; and/or other materials provided with the distribution.
12 ; 3. Neither the name of Apple Inc. ("Apple") nor the names of its
13 ; contributors may be used to endorse or promote products derived from this
14 ; software without specific prior written permission.
15 ;
16 ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
17 ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
20 ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23 ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25 ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 ;
27 ;############################################################################
28
29
; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.

(version 1)
; Deny-by-default baseline: every operation not explicitly allowed further down is
; refused, so each (allow ...) in this file is a deliberate, reviewable exception.
; When mDNSResponder is denied access, we want to avoid symbolification of mDNSResponder
; to get the stack trace as that can get into deadlock. no-callout will prevent
; symbolification.
(deny default (with no-callout))
38
; Pull in the shared system profile. Its rules are not visible in this file;
; NOTE(review): audit system.sb together with this profile, since whatever it
; allows presumably applies to mDNSResponder as well.
(import "system.sb")
40
; Baseline: unfiltered file metadata reads (stat-style access to any path) and
; POSIX shared memory, with no path or name restriction on either.
(allow file-read-metadata)
(allow ipc-posix-shm)
43
; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain.
; The lookups below are split into groups by service name. Every entry is an
; unconditional allow, so the grouping is documentary only; it does not change
; what the profile permits.

; mDNSResponder's own helper service (both spellings of the name)
(allow mach-lookup
    (global-name "com.apple.mDNSResponderHelper")
    (global-name "com.apple.mDNSResponder_Helper"))

; SystemConfiguration, networkd and DNS-related services
(allow mach-lookup
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
    (global-name "com.apple.SystemConfiguration.DNSConfiguration")
    (global-name "com.apple.SystemConfiguration.NetworkInformation")
    (global-name "com.apple.networkd")
    (global-name "com.apple.networkd_privileged")
    (global-name "com.apple.webcontentfilter.dns"))

; Security, trust and OCSP services
(allow mach-lookup
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.securityd")
    (global-name "com.apple.trustd")
    (global-name "com.apple.ocspd"))

; Bluetooth and Wi-Fi services
(allow mach-lookup
    (global-name "com.apple.server.bluetooth")
    (global-name "com.apple.server.bluetooth.le.att.xpc")
    ; "com.apple.blued" is the name used in pre Lobo builds,
    ; leave it in place while still running roots on pre Lobo targets
    (global-name "com.apple.blued")
    (global-name "com.apple.bluetoothd")
    (global-name "com.apple.wifi.manager")
    (global-name "com.apple.wifip2pd"))

; Power management
(allow mach-lookup
    (global-name "com.apple.PowerManagement.control"))

; Notification and logging services
(allow mach-lookup
    (global-name "com.apple.distributed_notifications.2")
    (global-name "com.apple.distributed_notifications@1v3")
    (global-name "com.apple.system.notification_center")
    (global-name "com.apple.system.logger"))

; CoreServices, launch services and system-information services
(allow mach-lookup
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.coreservices.quarantine-resolver")
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.bsd.dirhelper")
    (global-name "com.apple.mobilegestalt.xpc"))

; Analytics, diagnostics and crash reporting
(allow mach-lookup
    (global-name "com.apple.analyticsd")
    (global-name "com.apple.awdd")
    (global-name "com.apple.usymptomsd")
    (global-name "com.apple.ReportCrash.SimulateCrash"))

; Services whose purpose the original profile did not state
(allow mach-lookup
    (global-name "com.apple.awacs")
    (global-name "com.apple.snhelper"))
84
; The only Mach service name this daemon may register (advertise) itself.
(allow mach-register
(global-name "com.apple.d2d.ipc"))
87
; Networking, including Unix Domain Sockets.
; NOTE(review): network* with no filter grants every network operation the
; sandbox knows about, and nothing in this profile narrows it by address or
; socket type. That is expected for a DNS/mDNS responder, but it means the
; sandbox does not constrain where this daemon may connect or listen.
(allow network*)
90
; Raw sockets. Guarded with (defined? ...) so the rule is only emitted on
; releases whose sandbox defines the system-socket operation; presumably this
; keeps the profile loadable on releases where it does not exist.
(if (defined? 'system-socket)
(allow system-socket))
94
; Hardware model information.
; NOTE(review): this allows reading every sysctl, not only the hardware-model
; names; compare the (sysctl-name ...) filter used on the apple-internal rule
; further down. If the set of names actually needed is known, this rule could
; be scoped the same way.
(allow sysctl-read)
97
; Syslog early in the boot process: data read/write on the console device only
; (pinned to the exact path, no ioctl).
(allow file-read-data file-write-data (literal "/dev/console"))
100
; /etc/hosts support: the hosts file itself, plus a data read of its parent
; directory, both pinned to exact paths.
(allow file-read-data (literal "/private/etc/hosts"))
(allow file-read-data (literal "/private/etc"))
105
; Our socket: full read*/write* on the exact path of the daemon's Unix-domain
; socket, and nothing else under /private/var/run.
(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))
108
; BPF control for sleep proxy server.
; Only ioctl on /dev/bpf* is granted here; no file-read/file-write rule for the
; BPF devices appears in this profile, so the descriptor is presumably obtained
; some other way (e.g. handed over by the helper service) — confirm.
(allow file-ioctl (prefix "/dev/bpf"))
111
; Used by CoreCrypto AES routines.
; read*, data write and ioctl on the single AES device node.
(allow file-read* file-write-data file-ioctl
(literal "/dev/aes_0"))
115
; System version, settings, and other miscellaneous necessary file system accesses.
; Everything in this section is read-only (file-read-data) and pinned to an exact
; path, an anchored regex, or a subpath; nothing here grants write access.

; Needed for CFCopyVersionDictionary()
(allow file-read-data
    (literal "/usr/sbin")
    (literal "/usr/sbin/mDNSResponder"))

; Preference and trust-settings plists
(allow file-read-data
    (literal "/Library/Preferences/com.apple.mDNSResponder.plist")
    (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
    (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
    (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
    (literal "/private/var/preferences/SystemConfiguration/preferences.plist")
    (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
    (literal "/Library/Preferences/com.apple.crypto.plist")
    (regex #"^/Library/Preferences/com\.apple\.security\.")
    (literal "/Library/Security/Trust Settings/Admin.plist"))

; Logging configuration and timezone data (whole directory trees)
(allow file-read-data
    (subpath "/System/Library/Preferences/Logging")
    (subpath "/AppleInternal/Library/Preferences/Logging")
    (subpath "/Library/Preferences/Logging")
    (subpath "/private/var/preferences/Logging")
    (subpath "/private/var/db/timezone"))
136
137
; For MAC Address: system-info is limited to the single net.link.addr info-type.
(allow system-info (info-type "net.link.addr"))
140
; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here (to things which we don't need), we disable any
; logging that might happen during the access.
; NOTE(review): the order of these two rules matters. The specific allow comes
; after the blanket (deny ... (with no-log)) and relies on the later, more
; specific rule taking precedence, so System.keychain stays readable while every
; other keychain under /Library/Keychains is denied silently. Do not reorder them.
(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data (literal "/Library/Keychains/System.keychain"))
147
148
; Our Module Directory Services cache.
; Read access to both cache roots; read/write is limited to the numbered
; subdirectories beneath them and to the per-user folder caches.
(allow file-read-data
    (subpath "/private/var/tmp/mds")
    (subpath "/private/var/db/mds"))

; /private/var/tmp/mds/<digits> and /private/var/db/mds/<digits>
(allow file-read* file-write*
    (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
    (regex #"^/private/var/db/mds/[0-9]+(/|$)"))

; Per-user cache folders under /private/var/folders
(allow file-read* file-write*
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
    ; Required on 10.5 and 10.6
    (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))
161
; CRL Cache for SSL/TLS connections: read-only, exact path.
(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))
164
; For mDNS sleep proxy offload and IOPMConnectionCreate.
; Judging by name, the first three user clients are the mDNS offload clients and
; RootDomainUserClient is presumably the power-management one.
; NOTE(review): AppleMobileFileIntegrityUserClient is not covered by the comment
; above (it is neither offload nor power management); record why it is needed
; here, or drop it if it is not.
(if (defined? 'iokit-open)
(begin
(allow iokit-open
(iokit-user-client-class "NVEthernetUserClientMDNS")
(iokit-user-client-class "mDNSOffloadUserClient")
(iokit-user-client-class "wlDNSOffloadUserClient")
(iokit-user-client-class "RootDomainUserClient")
(iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))
174
; Internal builds only (gated by the apple-internal system attribute).
; Grants read and write of exactly one named sysctl; this is the only
; sysctl-write visible in this profile.
(with-filter (system-attribute apple-internal)
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend"))) ; dyld performance reporting
179
; Used to dump internal state.
; Allows directory lookup, and creating, reading and writing files under /private/var/log/mDNSResponder.
; This is one of the broadest write grants in the profile (a whole subpath rather than a literal
; path). It is acceptable because the sandbox still confines mDNSResponder's own writes to this one
; directory; who else can read or modify the dumps is governed by the directory's ownership and mode
; on disk, not by this profile. The directory is expected to be owned by user "_mdnsresponder"
; (group "wheel") and not writable by other users — verify that when deploying, since this rule
; does not enforce it.
(allow file-read* file-write* (subpath "/private/var/log/mDNSResponder"))