| ; -*- Mode: Scheme; tab-width: 4 -*- |
| ; |
| ; Copyright (c) 2012 Apple Inc. All rights reserved. |
| ; |
| ; Redistribution and use in source and binary forms, with or without |
| ; modification, are permitted provided that the following conditions are met: |
| ; |
| ; 1. Redistributions of source code must retain the above copyright notice, |
| ; this list of conditions and the following disclaimer. |
| ; 2. Redistributions in binary form must reproduce the above copyright notice, |
| ; this list of conditions and the following disclaimer in the documentation |
| ; and/or other materials provided with the distribution. |
| ; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its |
| ; contributors may be used to endorse or promote products derived from this |
| ; software without specific prior written permission. |
| ; |
| ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY |
| ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY |
| ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
| ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| ; |
| ;############################################################################ |
| |
| |
| ; WARNING: The sandbox rule capabilities and syntax used in this file are currently an |
| ; Apple SPI (System Private Interface) and are subject to change at any time without notice. |
| |
| (version 1) |
| ; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder |
| ; to get the stack trace as that can get into deadlock. no-callout will prevent |
| ; symbolification. |
| (deny default (with no-callout)) |
| |
| (import "system.sb") |
| |
| ; Baseline |
| (allow file-read-metadata ipc-posix-shm) |
| |
| ; Mach communications |
| ; These are needed for things like getpwnam, hostname changes, & keychain |
| (allow mach-lookup |
| (global-name "com.apple.bsd.dirhelper") |
| (global-name "com.apple.distributed_notifications.2") |
| (global-name "com.apple.ocspd") |
| (global-name "com.apple.PowerManagement.control") |
| (global-name "com.apple.mDNSResponderHelper") |
| (global-name "com.apple.SecurityServer") |
| (global-name "com.apple.SystemConfiguration.configd") |
| (global-name "com.apple.SystemConfiguration.SCNetworkReachability") |
| (global-name "com.apple.system.notification_center") |
| (global-name "com.apple.system.logger") |
| (global-name "com.apple.webcontentfilter.dns") |
| (global-name "com.apple.server.bluetooth") |
| (global-name "com.apple.awacs") |
| (global-name "com.apple.networkd") |
| (global-name "com.apple.securityd") |
| (global-name "com.apple.wifi.manager") |
| (global-name "com.apple.blued")) |
| |
| ; Networking, including Unix Domain Sockets |
| (allow network*) |
| |
| ; Raw sockets |
| (if (defined? 'system-socket) |
| (allow system-socket)) |
| |
| ; Hardware model information |
| (allow sysctl-read) |
| |
| ; Syslog early in the boot process |
| (allow file-read-data file-write-data (literal "/dev/console")) |
| |
| (allow file-read-data |
| ; /etc/hosts support |
| (literal "/private/etc/hosts") |
| (literal "/private/etc")) |
| |
| ; Our socket |
| (allow file-read* file-write* (literal "/private/var/run/mDNSResponder")) |
| |
| ; System version, settings, and other miscellaneous necessary file system accesses |
| (allow file-read-data |
| ; Needed for CFCopyVersionDictionary() |
| (literal "/usr/sbin") |
| (literal "/usr/sbin/mDNSResponder") |
| |
| (literal "/Library/Preferences/SystemConfiguration/preferences.plist") |
| (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist") |
| (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.") |
| (literal "/Library/Preferences/com.apple.crypto.plist") |
| (literal "/Library/Security/Trust Settings/Admin.plist") |
| (regex #"^/Library/Preferences/com\.apple\.security\.") |
| (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist") |
| (literal "/private/var/preferences/SystemConfiguration/preferences.plist")) |
| |
| ; We just need access to System.keychain. But we don't want errors logged if other keychains are |
| ; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL |
| ; connection. Instead of adding access to it here (to things which we don't need), we disable any |
| ; logging that might happen during the access |
| (deny file-read-data (regex #"^/Library/Keychains/") (with no-log)) |
| (allow file-read-data (literal "/Library/Keychains/System.keychain")) |
| |
| ; Our Module Directory Services cache |
| (allow file-read-data |
| (subpath "/private/var/tmp/mds") |
| (subpath "/private/var/db/mds")) |
| |
| (allow file-read* file-write* |
| (regex #"^/private/var/tmp/mds/[0-9]+(/|$)") |
| (regex #"^/private/var/db/mds/[0-9]+(/|$)") |
| (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)") |
| |
| ; Required on 10.5 and 10.6 |
| (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")) |
| |
| ; CRL Cache for SSL/TLS connections |
| (allow file-read-data (literal "/private/var/db/crls/crlcache.db")) |
| |
| ; For mDNS sleep proxy offload and IOPMConnectionCreate |
| (if (defined? 'iokit-open) |
| (begin |
| (allow iokit-open |
| (iokit-user-client-class "NVEthernetUserClientMDNS") |
| (iokit-user-client-class "mDNSOffloadUserClient") |
| (iokit-user-client-class "RootDomainUserClient")))) |