Google Git
Sign in
fuchsia / third_party / mdnsresponder / 48b82ad86a167282233d0c04ad1c43288caf9c26 / . / mDNSMacOSX / mDNSResponder.sb
blob: b4a09226070863b26cbffcbfd44ae8451ded0a6a [file] [log] [blame]
; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2007 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions are met:
;
; 1. Redistributions of source code must retain the above copyright notice,
; this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright notice,
; this list of conditions and the following disclaimer in the documentation
; and/or other materials provided with the distribution.
; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
; contributors may be used to endorse or promote products derived from this
; software without specific prior written permission.
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
; $Log: mDNSResponder.sb,v $
; Revision 1.38 2009/04/16 16:03:08 mcguire
; <rdar://problem/6792024> abort() causes high CPU usage instead of crash & restart
;
; Revision 1.37 2009/04/02 22:21:17 mcguire
; <rdar://problem/6577409> Adopt IOPM APIs
;
; Revision 1.36 2009/03/02 01:32:20 mcguire
; <rdar://problem/6623264> Seatbelt: Add rule to allow raw sockets
;
; Revision 1.35 2009/02/07 02:51:10 cheshire
; <rdar://problem/6084043> Sleep Proxy: Need to adopt IOPMConnection
; Allow mDNSResponder to access IOPMConnection API
;
; Revision 1.34 2008/11/11 00:55:08 mcguire
; <rdar://problem/6357957> sandbox: need to allow Mach port com.apple.system.DirectoryService.membership_v1
;
; Revision 1.33 2008/10/24 02:03:30 cheshire
; So we can watch for Internet Sharing changes, allow read access to
; /Library/Preferences/SystemConfiguration/com.apple.nat.plist
;
; Revision 1.32 2008/10/07 23:06:58 mcguire
; <rdar://problem/6276444> Seatbelt: Policy denied Mach service lookup: com.apple.system.logger
;
; Revision 1.31 2008/09/24 23:57:27 mcguire
; <rdar://problem/6227808> need read access to /private/var/db/crls/crlcache.db
;
; Revision 1.30 2008/09/11 22:01:51 mcguire
; re-add accidentally removed log comment
;
; Revision 1.29 2008/09/11 20:46:08 mcguire
; <rdar://problem/6208848> can't write to -Caches-
;
; Revision 1.28 2008/09/11 20:04:14 mcguire
; <rdar://problem/6211355> Instances of \. in regex exprs don't do what is intended
;
; Revision 1.27 2008/07/24 21:18:14 cheshire
; <rdar://problem/3988320> Should use randomized source ports and transaction IDs to avoid DNS cache poisoning
; Need to allow access to /dev/urandom
;
; Revision 1.26 2008/06/03 01:21:12 mcguire
; <rdar://problem/5902470> add /var/db/mds to sb profile
;
; Revision 1.25 2008/03/17 18:04:41 mcguire
; <rdar://problem/5800476> SC now reads preference file
;
; Revision 1.24 2007/09/20 22:33:17 cheshire
; Tidied up inconsistent and error-prone naming -- used to be mDNSResponderHelper in
; some places and mDNSResponder.helper in others; now mDNSResponderHelper everywhere
;
; Revision 1.23 2007/09/04 22:26:18 mcguire
; <rdar://problem/5442826> Seatbelt: mDNSResponder needs to be allowed to access "/Library/Security/Trust Settings/" etc.
;
; Revision 1.22 2007/08/24 22:01:56 mcguire
; <rdar://problem/5141606> BTMM: Task: Change mDNSResponder Seatbelt settings to "deny default" instead of "signal FPE" just prior to GM candidate
;
; Revision 1.21 2007/08/18 01:02:03 mcguire
; <rdar://problem/5415593> No Bonjour services are getting registered at boot
;
; Revision 1.20 2007/08/08 22:34:59 mcguire
; <rdar://problem/5197869> Security: Run mDNSResponder as user id mdnsresponder instead of root
;
; Revision 1.19 2007/07/02 23:37:50 cheshire
; <rdar://problem/5267615> Need to list of allowed mach-lookup operations explicitly in mDNSResponder.sb
;
; Revision 1.18 2007/06/28 20:43:35 cheshire
; <rdar://problem/5298202> Seatbelt: mDNSResponder needs to be able to access /dev/autofs_nowait
;
; Revision 1.17 2007/06/28 20:34:45 cheshire
; Updated comments to reflect new seatbelt language syntax
;
; Revision 1.16 2007/05/29 23:32:46 cheshire
; Rearrange file so SPI warning isn't deleted when CVS history is trimmed from installed copy
;
; Revision 1.15 2007/05/25 22:45:17 jvidrine
; <rdar://problem/5227658> Update mDNSResponder.sb to Seatbelt Profile Language version 1
;
; Revision 1.14 2007/05/23 17:40:08 cheshire
; <rdar://problem/5221397> Seatbelt killed mDNSResponder trying to read X509Anchors and X509Certificates
;
; Revision 1.13 2007/05/23 01:47:59 cheshire
; Need to list fs_read_data permission explicitly --
; unlike fs_read/fs_write, fs_read_data does NOT automatically inherit from fs_write_data
;
; Revision 1.12 2007/05/21 23:52:27 cheshire
; <rdar://problem/5216638> Seatbelt killed mDNSResponder generating Module Directory Services cache
;
; Revision 1.11 2007/05/20 16:29:06 cheshire
; <rdar://problem/5213725> Seatbelt killed mDNSResponder trying to access /usr/share/icu/icudt36l.dat
;
; Revision 1.10 2007/05/15 00:21:39 cheshire
; <rdar://problem/5202374> Seatbelt killed mDNSResponder reading /private/var/root/Library/Preferences/com.apple.security.plist
;
; Revision 1.9 2007/05/14 22:08:26 cheshire
; <rdar://problem/5200986> Seatbelt: Need to escape literal dots in filename patterns
;
; Revision 1.8 2007/05/14 19:39:31 cheshire
; <rdar://problem/5198345> Seatbelt killed mDNSResponder in CFTimeZoneCopyDefault
; <rdar://problem/5199456> Seatbelt killed mDNSResponder in SecKeychainOpen
;
; Revision 1.7 2007/05/12 01:57:56 cheshire
; <rdar://problem/5197938> Seatbelt: mDNSResponder needs to be able to access preferences.plist-lock
;
; Revision 1.6 2007/05/10 21:12:14 cheshire
; <rdar://problem/5149833> Start using "debug deny" mode in Seatbelt
;
; Revision 1.5 2007/05/10 19:41:25 cheshire
; <rdar://problem/5182549> Have to use "deny mach_lookup_default" because "signal" doesn't work
;
; Revision 1.4 2007/04/27 20:46:31 cheshire
; Additional requirements: allow mDNSResponder to read /dev/random and /System/Library/Keychains/System.*
;
; Revision 1.3 2007/04/20 19:42:14 cheshire
; Condense rules a bit to bring file under Seatbelt's 4K limit
;
; Revision 1.2 2007/04/19 01:47:49 cheshire
; Refinements to sandbox profile, e.g. allow writing to /dev/console early in the boot process
;
; Revision 1.1 2007/04/18 00:50:47 cheshire
; <rdar://problem/5141540> Sandbox mDNSResponder
;
;############################################################################
; WARNING! SEATBELT CURRENTLY CAN'T HANDLE PROFILES LARGER THAN 16K
; MAKE SURE THE SIZE OF THIS FILE FROM "version" TO THE END DOESN'T EXCEED 16K
(version 1)
; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.
; Apple may in future announce an official public supported sandbox API, but until then Developers
; are cautioned not to build products that use or depend on the sandbox facilities illustrated here.
; Use "debug all" to log all operations examined by seatbelt, whether allowed or not.
; Use "debug deny" to log only operations that are denied by seatbelt
; to discover what specific attempted operation is causing an exception.
;(debug all)
(debug deny)
; To help debugging, "with send-signal SIGFPE" will trigger a fake floating-point exception,
; which will crash the process and show the call stack leading to the offending operation.
; For the shipping version "deny" is probably better because it vetoes the operation
; without killing the process.
(deny default)
;(deny default (with send-signal SIGFPE))
; Special exception: "send-signal" command does not apply to the mach-* operations,
; so for those we have to use a plain unadorned "deny" instead
; (which means we may not get any notification of unintentional mach-* denials)
(deny mach-lookup)
(deny mach-priv-host-port)
; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
(allow mach-lookup (global-name
"com.apple.bsd.dirhelper"
"com.apple.distributed_notifications.2"
"com.apple.ocspd"
"com.apple.PowerManagement.control"
"com.apple.mDNSResponderHelper"
"com.apple.SecurityServer"
"com.apple.SystemConfiguration.configd"
"com.apple.system.DirectoryService.libinfo_v1"
"com.apple.system.DirectoryService.membership_v1"
"com.apple.system.notification_center"
"com.apple.system.logger"))
; Rules to allow the operations mDNSResponder needs start here
(allow signal (target self))
(allow network*) ; Allow networking, including Unix Domain Sockets
(if (defined? 'system-socket)
(allow system-socket)) ; To create raw sockets
(allow sysctl-read) ; To get hardware model information
(allow file-read-metadata) ; Needed for dyld to work
(allow ipc-posix-shm) ; Needed for POSIX shared memory
(allow file-read-data (regex #"^/dev/random$"))
(allow file-read-data file-write-data (regex #"^/dev/console$")) ; Needed for syslog early in the boot process
(allow file-read-data (regex #"^/dev/autofs_nowait$")) ; Used by CF to circumvent automount triggers
; Allow us to read and write our socket
(allow file-read* file-write* (regex #"^/private/var/run/mDNSResponder$"))
; Allow us to read system version, settings, and other miscellaneous necessary file system accesses
(allow file-read-data (regex #"^/dev/urandom$"))
(allow file-read-data (regex #"^/usr/sbin(/mDNSResponder)?$")) ; Needed for CFCopyVersionDictionary()
(allow file-read-data (regex #"^/usr/share/icu/.*$"))
(allow file-read-data (regex #"^/usr/share/zoneinfo/.*$"))
(allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist$"))
(allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.nat\.plist$"))
(allow file-read-data (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist$"))
(allow file-read-data (regex #"^/Library/Preferences/com\.apple\.security.*\.plist$"))
(allow file-read-data (regex #"^/Library/Preferences/com\.apple\.crypto\.plist$"))
(allow file-read-data (regex #"^/Library/Security/Trust Settings/Admin\.plist$"))
(allow file-read-data (regex #"^/System/Library/CoreServices/SystemVersion.*$"))
(allow file-read-data (regex #"^/System/Library/Preferences/com\.apple\.security.*\.plist$"))
(allow file-read-data (regex #"^/System/Library/Preferences/com\.apple\.crypto\.plist$"))
(allow file-read-data (regex #"^/System/Library/SystemConfiguration/PowerManagement\.bundle(/|$)"))
(allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.PowerManagement\.plist$"))
; Allow access to System Keychain
(allow file-read-data (regex #"^/System/Library/Security$"))
(allow file-read-data (regex #"^/System/Library/Keychains/.*$"))
(allow file-read-data (regex #"^/Library/Keychains/System\.keychain$"))
; Our Module Directory Services cache
(allow file-read-data (regex #"^/private/var/tmp/mds/"))
(allow file-read* file-write* (regex #"^/private/var/tmp/mds/[0-9]+(/|$)"))
(allow file-read-data (regex #"^/private/var/db/mds/"))
(allow file-read* file-write* (regex #"^/private/var/db/mds/[0-9]+(/|$)"))
(allow file-read* file-write* (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))
; CRL Cache for SSL/TLS connections
(allow file-read-data (regex #"^/private/var/db/crls/crlcache\.db$"))