OSX/sec/securityd/com.apple.secd.sb

   1 (version 1)
   2
   3 (deny default)
   4
   5 (import "system.sb")
   6
   7 (allow file-read* file-write*
   8     (subpath "/private/var/db/mds")
   9     (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
  10     (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
  11
  12
  13 ;;;;;; will be fully fixed in 29465717
  14 (allow file-read* (subpath "/"))
  15
  16 (allow user-preference-read
  17     (preference-domain ".GlobalPreferences"))
  18 (allow user-preference-read
  19     (preference-domain "com.apple.security"))
  20
  21 (allow file-read*
  22     (literal "/usr/libexec/secd")
  23     (literal "/Library/Preferences/com.apple.security.plist")
  24     (literal "/Library/Preferences/.GlobalPreferences.plist")
  25     (literal "/AppleInternal")
  26     (literal "/usr/libexec"))
  27
  28
  29 (allow mach-lookup
  30         (global-name "com.apple.system.opendirectoryd.api")
  31         (global-name "com.apple.SystemConfiguration.configd")
  32         (global-name "com.apple.security.cloudkeychainproxy3")
  33         (global-name "com.apple.security.keychainsyncingoveridsproxy")
  34         (global-name "com.apple.cloudd")
  35         (global-name "com.apple.apsd")
  36         (global-name "com.apple.windowserver.active"))
  37
  38 (allow iokit-open
  39     (iokit-user-client-class "AppleKeyStoreUserClient"))
  40
  41 (allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
  42
  43 (allow ipc-posix-shm
  44     (ipc-posix-name "com.apple.AppleDatabaseChanged"))
  45
  46 (allow network-outbound)
  47 (allow system-socket)