[apple/security.git] / keychain / TrustedPeersHelper / com.apple.TrustedPeersHelper.sb

(version 1)

(define (home-subpath home-relative-subpath)
    (subpath (string-append (param "HOME") home-relative-subpath)))

(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)

(deny mach-priv-host-port)
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

(allow distributed-notification-post)

(allow process-info* (target self))
(allow process-info-codesignature)

(allow file-read-metadata)

(allow file-read* file-write*
    (home-subpath "/Library/Keychains/"))

(allow mach-lookup
    (global-name "com.apple.cloudd")
    (global-name "com.apple.apsd")
    (global-name "com.apple.securityd.xpc")
    (global-name "com.apple.security.sfkeychainserver")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.lsd.mapdb")
)

(allow user-preference-read
    (preference-domain "kCFPreferencesAnyApplication")
)

(allow file-read* file-write*
    (subpath "/private/var/db/mds/")
    (subpath "/Library/Keychains/")
)
Commit	Line	Data
d64be36e A	1	(version 1)
	2
	3	(define (home-subpath home-relative-subpath)
	4	(subpath (string-append (param "HOME") home-relative-subpath)))
	5
	6	(deny default)
	7	(deny file-map-executable iokit-get-properties process-info* nvram*)
	8	(deny dynamic-code-generation)
	9
	10	(deny mach-priv-host-port)
	11	(import "system.sb")
	12	(import "com.apple.corefoundation.sb")
	13	(corefoundation)
	14
	15	(allow distributed-notification-post)
	16
	17	(allow process-info* (target self))
	18	(allow process-info-codesignature)
	19
	20	(allow file-read-metadata)
	21
	22	(allow file-read* file-write*
	23	(home-subpath "/Library/Keychains/"))
	24
	25	(allow mach-lookup
	26	(global-name "com.apple.cloudd")
	27	(global-name "com.apple.apsd")
	28	(global-name "com.apple.securityd.xpc")
	29	(global-name "com.apple.security.sfkeychainserver")
	30	(global-name "com.apple.SecurityServer")
	31	(global-name "com.apple.lsd.mapdb")
	32	)
	33
	34	(allow user-preference-read
	35	(preference-domain "kCFPreferencesAnyApplication")
	36	)
	37
	38	(allow file-read* file-write*
	39	(subpath "/private/var/db/mds/")
	40	(subpath "/Library/Keychains/")
	41	)