syslogd.tproj/syslogd.sb

   1 ;;
   2 ;; syslogd - sandbox profile
   3 ;; Copyright (c) 2007 Apple Inc.  All Rights reserved.
   4 ;;
   5 ;; WARNING: The sandbox rules in this file currently constitute
   6 ;; Apple System Private Interface and are subject to change at any time and
   7 ;; without notice. The contents of this file are also auto-generated and not
   8 ;; user editable; it may be overwritten at any time.
   9 ;;
  10 (version 1)
  11 (debug deny)
  12
  13 (import "bsd.sb")
  14
  15 (deny default)
  16 (allow process*)
  17 (deny signal)
  18 (allow sysctl-read)
  19 (allow network*)
  20
  21 ;;; Allow syslogd specific files
  22
  23 (allow file-write* file-read-data file-read-metadata
  24     (regex #"^(/private)?/var/run/syslog$"
  25            #"^(/private)?/var/run/syslog\.pid$"
  26            #"^(/private)?/var/run/asl_input$"))
  27
  28 (allow file-write* file-read-data file-read-metadata
  29     (regex #"^(/private)?/dev/console$"
  30            #"^(/private)?/var/log/.*\.log$"
  31            #"^(/private)?/var/log/asl\.db$"))
  32
  33 (allow file-read-data file-read-metadata
  34     (regex #"^(/private)?/dev/klog$"
  35            #"^(/private)?/etc/asl\.conf$"
  36            #"^(/private)?/etc/syslog\.conf$"
  37            #"^/usr/lib/asl/.*\.so$"))
  38 (allow mach-lookup (global-name "com.apple.system.notification_center"))