mDNSMacOSX/mDNSResponder.sb - third_party/mdnsresponder - Git at Google

 ; -*- Mode: Scheme; tab-width: 4 -*-
 ;
 ; Copyright (c) 2012 Apple Inc. All rights reserved.
 ;
 ; Redistribution and use in source and binary forms, with or without
 ; modification, are permitted provided that the following conditions are met:
 ;
 ; 1.  Redistributions of source code must retain the above copyright notice,
 ;     this list of conditions and the following disclaimer.
 ; 2.  Redistributions in binary form must reproduce the above copyright notice,
 ;     this list of conditions and the following disclaimer in the documentation
 ;     and/or other materials provided with the distribution.
 ; 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
 ;     contributors may be used to endorse or promote products derived from this
 ;     software without specific prior written permission.
 ;
 ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ;
 ;############################################################################


 ; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
 ; Apple SPI (System Private Interface) and are subject to change at any time without notice.

 (version 1)
 ; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder
 ; to get the stack trace as that can get into deadlock. no-callout will prevent
 ; symbolification.
 (deny default (with no-callout))

 (import "system.sb")

 ; Baseline
 (allow file-read-metadata ipc-posix-shm)

 ; Mach communications
 ; These are needed for things like getpwnam, hostname changes, & keychain
 (allow mach-lookup
        (global-name "com.apple.bsd.dirhelper")
        (global-name "com.apple.distributed_notifications.2")
        (global-name "com.apple.ocspd")
        (global-name "com.apple.PowerManagement.control")
        (global-name "com.apple.mDNSResponderHelper")
        (global-name "com.apple.SecurityServer")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
        (global-name "com.apple.system.notification_center")
        (global-name "com.apple.system.logger")
        (global-name "com.apple.webcontentfilter.dns")
        (global-name "com.apple.server.bluetooth")
        (global-name "com.apple.awacs")
        (global-name "com.apple.networkd")
        (global-name "com.apple.securityd")
        (global-name "com.apple.wifi.manager")
        (global-name "com.apple.blued"))

 ; Networking, including Unix Domain Sockets
 (allow network*)

 ; Raw sockets
 (if (defined? 'system-socket)
     (allow system-socket))

 ; Hardware model information
 (allow sysctl-read)

 ; Syslog early in the boot process
 (allow file-read-data file-write-data (literal "/dev/console"))

 (allow file-read-data
        ; /etc/hosts support
        (literal "/private/etc/hosts")
        (literal "/private/etc"))

 ; Our socket
 (allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))

 ; System version, settings, and other miscellaneous necessary file system accesses
 (allow file-read-data
        ; Needed for CFCopyVersionDictionary()
        (literal "/usr/sbin")
        (literal "/usr/sbin/mDNSResponder")

        (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
        (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
        (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
        (literal "/Library/Preferences/com.apple.crypto.plist")
        (literal "/Library/Security/Trust Settings/Admin.plist")
        (regex #"^/Library/Preferences/com\.apple\.security\.")
        (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
        (literal "/private/var/preferences/SystemConfiguration/preferences.plist"))

 ; We just need access to System.keychain. But we don't want errors logged if other keychains are
 ; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
 ; connection. Instead of adding access to it here (to things which we don't need), we disable any
 ; logging that might happen during the access
 (deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
 (allow file-read-data (literal "/Library/Keychains/System.keychain"))

 ; Our Module Directory Services cache
 (allow file-read-data
        (subpath "/private/var/tmp/mds")
        (subpath "/private/var/db/mds"))

 (allow file-read* file-write*
        (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
        (regex #"^/private/var/db/mds/[0-9]+(/|$)")
        (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")

        ; Required on 10.5 and 10.6
        (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))

 ; CRL Cache for SSL/TLS connections
 (allow file-read-data (literal "/private/var/db/crls/crlcache.db"))

 ; For mDNS sleep proxy offload and IOPMConnectionCreate
 (if (defined? 'iokit-open)
    (begin
      (allow iokit-open
         (iokit-user-client-class "NVEthernetUserClientMDNS")
         (iokit-user-client-class "mDNSOffloadUserClient")
         (iokit-user-client-class "RootDomainUserClient"))))
	; -- Mode: Scheme; tab-width: 4 --
	;
	; Copyright (c) 2012 Apple Inc. All rights reserved.
	;
	; Redistribution and use in source and binary forms, with or without
	; modification, are permitted provided that the following conditions are met:
	;
	; 1. Redistributions of source code must retain the above copyright notice,
	; this list of conditions and the following disclaimer.
	; 2. Redistributions in binary form must reproduce the above copyright notice,
	; this list of conditions and the following disclaimer in the documentation
	; and/or other materials provided with the distribution.
	; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
	; contributors may be used to endorse or promote products derived from this
	; software without specific prior written permission.
	;
	; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
	; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
	; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
	; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
	; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
	; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	;
	;############################################################################


	; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
	; Apple SPI (System Private Interface) and are subject to change at any time without notice.

	(version 1)
	; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder
	; to get the stack trace as that can get into deadlock. no-callout will prevent
	; symbolification.
	(deny default (with no-callout))

	(import "system.sb")

	; Baseline
	(allow file-read-metadata ipc-posix-shm)

	; Mach communications
	; These are needed for things like getpwnam, hostname changes, & keychain
	(allow mach-lookup
	(global-name "com.apple.bsd.dirhelper")
	(global-name "com.apple.distributed_notifications.2")
	(global-name "com.apple.ocspd")
	(global-name "com.apple.PowerManagement.control")
	(global-name "com.apple.mDNSResponderHelper")
	(global-name "com.apple.SecurityServer")
	(global-name "com.apple.SystemConfiguration.configd")
	(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
	(global-name "com.apple.system.notification_center")
	(global-name "com.apple.system.logger")
	(global-name "com.apple.webcontentfilter.dns")
	(global-name "com.apple.server.bluetooth")
	(global-name "com.apple.awacs")
	(global-name "com.apple.networkd")
	(global-name "com.apple.securityd")
	(global-name "com.apple.wifi.manager")
	(global-name "com.apple.blued"))

	; Networking, including Unix Domain Sockets
	(allow network*)

	; Raw sockets
	(if (defined? 'system-socket)
	(allow system-socket))

	; Hardware model information
	(allow sysctl-read)

	; Syslog early in the boot process
	(allow file-read-data file-write-data (literal "/dev/console"))

	(allow file-read-data
	; /etc/hosts support
	(literal "/private/etc/hosts")
	(literal "/private/etc"))

	; Our socket
	(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))

	; System version, settings, and other miscellaneous necessary file system accesses
	(allow file-read-data
	; Needed for CFCopyVersionDictionary()
	(literal "/usr/sbin")
	(literal "/usr/sbin/mDNSResponder")

	(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
	(literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
	(regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
	(literal "/Library/Preferences/com.apple.crypto.plist")
	(literal "/Library/Security/Trust Settings/Admin.plist")
	(regex #"^/Library/Preferences/com\.apple\.security\.")
	(literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
	(literal "/private/var/preferences/SystemConfiguration/preferences.plist"))

	; We just need access to System.keychain. But we don't want errors logged if other keychains are
	; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
	; connection. Instead of adding access to it here (to things which we don't need), we disable any
	; logging that might happen during the access
	(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
	(allow file-read-data (literal "/Library/Keychains/System.keychain"))

	; Our Module Directory Services cache
	(allow file-read-data
	(subpath "/private/var/tmp/mds")
	(subpath "/private/var/db/mds"))

	(allow file-read* file-write*
	(regex #"^/private/var/tmp/mds/[0-9]+(/\|$)")
	(regex #"^/private/var/db/mds/[0-9]+(/\|$)")
	(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")

	; Required on 10.5 and 10.6
	(regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/\|$)"))

	; CRL Cache for SSL/TLS connections
	(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))

	; For mDNS sleep proxy offload and IOPMConnectionCreate
	(if (defined? 'iokit-open)
	(begin
	(allow iokit-open
	(iokit-user-client-class "NVEthernetUserClientMDNS")
	(iokit-user-client-class "mDNSOffloadUserClient")
	(iokit-user-client-class "RootDomainUserClient"))))