projects / apple / syslog.git / blame
| Commit | Line | Data |
|---|---|---|
| 5dd30d76 A |
1 | ;; |
| 2 | ;; syslogd - sandbox profile | |
| 3 | ;; Copyright (c) 2007 Apple Inc. All Rights reserved. | |
| 4 | ;; | |
| 5 | ;; WARNING: The sandbox rules in this file currently constitute | |
| 6 | ;; Apple System Private Interface and are subject to change at any time and | |
| 7 | ;; without notice. The contents of this file are also auto-generated and not | |
| 8 | ;; user editable; it may be overwritten at any time. | |
| 9 | ;; | |
| 10 | (version 1) | |
| 11 | (debug deny) | |
| 12 | ||
| 13 | (import "bsd.sb") | |
| 14 | ||
| 15 | (deny default) | |
| 16 | (allow process*) | |
| 17 | (deny signal) | |
| 18 | (allow sysctl-read) | |
| 19 | (allow network*) | |
| 20 | ||
| 21 | ;;; Allow syslogd specific files | |
| 22 | ||
| 23 | (allow file-write* file-read-data file-read-metadata | |
| 24 | (regex #"^(/private)?/var/run/syslog$" | |
| 25 | #"^(/private)?/var/run/syslog\.pid$" | |
| 26 | #"^(/private)?/var/run/asl_input$")) | |
| 27 | ||
| 28 | (allow file-write* file-read-data file-read-metadata | |
| 29 | (regex #"^(/private)?/dev/console$" | |
| 30 | #"^(/private)?/var/log/.*\.log$" | |
| 31 | #"^(/private)?/var/log/asl\.db$")) | |
| 32 | ||
| 33 | (allow file-read-data file-read-metadata | |
| 34 | (regex #"^(/private)?/dev/klog$" | |
| 35 | #"^(/private)?/etc/asl\.conf$" | |
| 36 | #"^(/private)?/etc/syslog\.conf$" | |
| 37 | #"^/usr/lib/asl/.*\.so$")) | |
| 38 | (allow mach-lookup (global-name "com.apple.system.notification_center")) |