| ; -*- Mode: Scheme; tab-width: 4 -*- |
| ; |
| ; Copyright (c) 2007 Apple Inc. All rights reserved. |
| ; |
| ; Redistribution and use in source and binary forms, with or without |
| ; modification, are permitted provided that the following conditions are met: |
| ; |
| ; 1. Redistributions of source code must retain the above copyright notice, |
| ; this list of conditions and the following disclaimer. |
| ; 2. Redistributions in binary form must reproduce the above copyright notice, |
| ; this list of conditions and the following disclaimer in the documentation |
| ; and/or other materials provided with the distribution. |
| ; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its |
| ; contributors may be used to endorse or promote products derived from this |
| ; software without specific prior written permission. |
| ; |
| ; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY |
| ; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| ; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY |
| ; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| ; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| ; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| ; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
| ; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| ; |
| ; $Log: mDNSResponder.sb,v $ |
| ; Revision 1.38 2009/04/16 16:03:08 mcguire |
| ; <rdar://problem/6792024> abort() causes high CPU usage instead of crash & restart |
| ; |
| ; Revision 1.37 2009/04/02 22:21:17 mcguire |
| ; <rdar://problem/6577409> Adopt IOPM APIs |
| ; |
| ; Revision 1.36 2009/03/02 01:32:20 mcguire |
| ; <rdar://problem/6623264> Seatbelt: Add rule to allow raw sockets |
| ; |
| ; Revision 1.35 2009/02/07 02:51:10 cheshire |
| ; <rdar://problem/6084043> Sleep Proxy: Need to adopt IOPMConnection |
| ; Allow mDNSResponder to access IOPMConnection API |
| ; |
| ; Revision 1.34 2008/11/11 00:55:08 mcguire |
| ; <rdar://problem/6357957> sandbox: need to allow Mach port com.apple.system.DirectoryService.membership_v1 |
| ; |
| ; Revision 1.33 2008/10/24 02:03:30 cheshire |
| ; So we can watch for Internet Sharing changes, allow read access to |
| ; /Library/Preferences/SystemConfiguration/com.apple.nat.plist |
| ; |
| ; Revision 1.32 2008/10/07 23:06:58 mcguire |
| ; <rdar://problem/6276444> Seatbelt: Policy denied Mach service lookup: com.apple.system.logger |
| ; |
| ; Revision 1.31 2008/09/24 23:57:27 mcguire |
| ; <rdar://problem/6227808> need read access to /private/var/db/crls/crlcache.db |
| ; |
| ; Revision 1.30 2008/09/11 22:01:51 mcguire |
| ; re-add accidentally removed log comment |
| ; |
| ; Revision 1.29 2008/09/11 20:46:08 mcguire |
| ; <rdar://problem/6208848> can't write to -Caches- |
| ; |
| ; Revision 1.28 2008/09/11 20:04:14 mcguire |
| ; <rdar://problem/6211355> Instances of \. in regex exprs don't do what is intended |
| ; |
| ; Revision 1.27 2008/07/24 21:18:14 cheshire |
| ; <rdar://problem/3988320> Should use randomized source ports and transaction IDs to avoid DNS cache poisoning |
| ; Need to allow access to /dev/urandom |
| ; |
| ; Revision 1.26 2008/06/03 01:21:12 mcguire |
| ; <rdar://problem/5902470> add /var/db/mds to sb profile |
| ; |
| ; Revision 1.25 2008/03/17 18:04:41 mcguire |
| ; <rdar://problem/5800476> SC now reads preference file |
| ; |
| ; Revision 1.24 2007/09/20 22:33:17 cheshire |
| ; Tidied up inconsistent and error-prone naming -- used to be mDNSResponderHelper in |
| ; some places and mDNSResponder.helper in others; now mDNSResponderHelper everywhere |
| ; |
| ; Revision 1.23 2007/09/04 22:26:18 mcguire |
| ; <rdar://problem/5442826> Seatbelt: mDNSResponder needs to be allowed to access "/Library/Security/Trust Settings/" etc. |
| ; |
| ; Revision 1.22 2007/08/24 22:01:56 mcguire |
| ; <rdar://problem/5141606> BTMM: Task: Change mDNSResponder Seatbelt settings to "deny default" instead of "signal FPE" just prior to GM candidate |
| ; |
| ; Revision 1.21 2007/08/18 01:02:03 mcguire |
| ; <rdar://problem/5415593> No Bonjour services are getting registered at boot |
| ; |
| ; Revision 1.20 2007/08/08 22:34:59 mcguire |
| ; <rdar://problem/5197869> Security: Run mDNSResponder as user id mdnsresponder instead of root |
| ; |
| ; Revision 1.19 2007/07/02 23:37:50 cheshire |
| ; <rdar://problem/5267615> Need to list of allowed mach-lookup operations explicitly in mDNSResponder.sb |
| ; |
| ; Revision 1.18 2007/06/28 20:43:35 cheshire |
| ; <rdar://problem/5298202> Seatbelt: mDNSResponder needs to be able to access /dev/autofs_nowait |
| ; |
| ; Revision 1.17 2007/06/28 20:34:45 cheshire |
| ; Updated comments to reflect new seatbelt language syntax |
| ; |
| ; Revision 1.16 2007/05/29 23:32:46 cheshire |
| ; Rearrange file so SPI warning isn't deleted when CVS history is trimmed from installed copy |
| ; |
| ; Revision 1.15 2007/05/25 22:45:17 jvidrine |
| ; <rdar://problem/5227658> Update mDNSResponder.sb to Seatbelt Profile Language version 1 |
| ; |
| ; Revision 1.14 2007/05/23 17:40:08 cheshire |
| ; <rdar://problem/5221397> Seatbelt killed mDNSResponder trying to read X509Anchors and X509Certificates |
| ; |
| ; Revision 1.13 2007/05/23 01:47:59 cheshire |
| ; Need to list fs_read_data permission explicitly -- |
| ; unlike fs_read/fs_write, fs_read_data does NOT automatically inherit from fs_write_data |
| ; |
| ; Revision 1.12 2007/05/21 23:52:27 cheshire |
| ; <rdar://problem/5216638> Seatbelt killed mDNSResponder generating Module Directory Services cache |
| ; |
| ; Revision 1.11 2007/05/20 16:29:06 cheshire |
| ; <rdar://problem/5213725> Seatbelt killed mDNSResponder trying to access /usr/share/icu/icudt36l.dat |
| ; |
| ; Revision 1.10 2007/05/15 00:21:39 cheshire |
| ; <rdar://problem/5202374> Seatbelt killed mDNSResponder reading /private/var/root/Library/Preferences/com.apple.security.plist |
| ; |
| ; Revision 1.9 2007/05/14 22:08:26 cheshire |
| ; <rdar://problem/5200986> Seatbelt: Need to escape literal dots in filename patterns |
| ; |
| ; Revision 1.8 2007/05/14 19:39:31 cheshire |
| ; <rdar://problem/5198345> Seatbelt killed mDNSResponder in CFTimeZoneCopyDefault |
| ; <rdar://problem/5199456> Seatbelt killed mDNSResponder in SecKeychainOpen |
| ; |
| ; Revision 1.7 2007/05/12 01:57:56 cheshire |
| ; <rdar://problem/5197938> Seatbelt: mDNSResponder needs to be able to access preferences.plist-lock |
| ; |
| ; Revision 1.6 2007/05/10 21:12:14 cheshire |
| ; <rdar://problem/5149833> Start using "debug deny" mode in Seatbelt |
| ; |
| ; Revision 1.5 2007/05/10 19:41:25 cheshire |
| ; <rdar://problem/5182549> Have to use "deny mach_lookup_default" because "signal" doesn't work |
| ; |
| ; Revision 1.4 2007/04/27 20:46:31 cheshire |
| ; Additional requirements: allow mDNSResponder to read /dev/random and /System/Library/Keychains/System.* |
| ; |
| ; Revision 1.3 2007/04/20 19:42:14 cheshire |
| ; Condense rules a bit to bring file under Seatbelt's 4K limit |
| ; |
| ; Revision 1.2 2007/04/19 01:47:49 cheshire |
| ; Refinements to sandbox profile, e.g. allow writing to /dev/console early in the boot process |
| ; |
| ; Revision 1.1 2007/04/18 00:50:47 cheshire |
| ; <rdar://problem/5141540> Sandbox mDNSResponder |
| ; |
| ;############################################################################ |
| |
| ; WARNING! SEATBELT CURRENTLY CAN'T HANDLE PROFILES LARGER THAN 16K |
| ; MAKE SURE THE SIZE OF THIS FILE FROM "version" TO THE END DOESN'T EXCEED 16K |
| |
| (version 1) |
| |
| ; WARNING: The sandbox rule capabilities and syntax used in this file are currently an |
| ; Apple SPI (System Private Interface) and are subject to change at any time without notice. |
| ; Apple may in future announce an official public supported sandbox API, but until then Developers |
| ; are cautioned not to build products that use or depend on the sandbox facilities illustrated here. |
| |
| ; Use "debug all" to log all operations examined by seatbelt, whether allowed or not. |
| ; Use "debug deny" to log only operations that are denied by seatbelt |
| ; to discover what specific attempted operation is causing an exception. |
| |
| ;(debug all) |
| (debug deny) |
| |
| ; To help debugging, "with send-signal SIGFPE" will trigger a fake floating-point exception, |
| ; which will crash the process and show the call stack leading to the offending operation. |
| ; For the shipping version "deny" is probably better because it vetoes the operation |
| ; without killing the process. |
| |
| (deny default) |
| ;(deny default (with send-signal SIGFPE)) |
| |
| ; Special exception: "send-signal" command does not apply to the mach-* operations, |
| ; so for those we have to use a plain unadorned "deny" instead |
| ; (which means we may not get any notification of unintentional mach-* denials) |
| (deny mach-lookup) |
| (deny mach-priv-host-port) |
| |
| ; Mach communications |
| ; These are needed for things like getpwnam, hostname changes, & keychain |
| (allow mach-lookup (global-name |
| "com.apple.bsd.dirhelper" |
| "com.apple.distributed_notifications.2" |
| "com.apple.ocspd" |
| "com.apple.PowerManagement.control" |
| "com.apple.mDNSResponderHelper" |
| "com.apple.SecurityServer" |
| "com.apple.SystemConfiguration.configd" |
| "com.apple.system.DirectoryService.libinfo_v1" |
| "com.apple.system.DirectoryService.membership_v1" |
| "com.apple.system.notification_center" |
| "com.apple.system.logger")) |
| |
| ; Rules to allow the operations mDNSResponder needs start here |
| |
| (allow signal (target self)) |
| (allow network*) ; Allow networking, including Unix Domain Sockets |
| (if (defined? 'system-socket) |
| (allow system-socket)) ; To create raw sockets |
| (allow sysctl-read) ; To get hardware model information |
| (allow file-read-metadata) ; Needed for dyld to work |
| (allow ipc-posix-shm) ; Needed for POSIX shared memory |
| |
| (allow file-read-data (regex #"^/dev/random$")) |
| (allow file-read-data file-write-data (regex #"^/dev/console$")) ; Needed for syslog early in the boot process |
| (allow file-read-data (regex #"^/dev/autofs_nowait$")) ; Used by CF to circumvent automount triggers |
| |
| ; Allow us to read and write our socket |
| (allow file-read* file-write* (regex #"^/private/var/run/mDNSResponder$")) |
| |
| ; Allow us to read system version, settings, and other miscellaneous necessary file system accesses |
| (allow file-read-data (regex #"^/dev/urandom$")) |
| (allow file-read-data (regex #"^/usr/sbin(/mDNSResponder)?$")) ; Needed for CFCopyVersionDictionary() |
| (allow file-read-data (regex #"^/usr/share/icu/.*$")) |
| (allow file-read-data (regex #"^/usr/share/zoneinfo/.*$")) |
| (allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/preferences\.plist$")) |
| (allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.nat\.plist$")) |
| (allow file-read-data (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist$")) |
| (allow file-read-data (regex #"^/Library/Preferences/com\.apple\.security.*\.plist$")) |
| (allow file-read-data (regex #"^/Library/Preferences/com\.apple\.crypto\.plist$")) |
| (allow file-read-data (regex #"^/Library/Security/Trust Settings/Admin\.plist$")) |
| (allow file-read-data (regex #"^/System/Library/CoreServices/SystemVersion.*$")) |
| (allow file-read-data (regex #"^/System/Library/Preferences/com\.apple\.security.*\.plist$")) |
| (allow file-read-data (regex #"^/System/Library/Preferences/com\.apple\.crypto\.plist$")) |
| (allow file-read-data (regex #"^/System/Library/SystemConfiguration/PowerManagement\.bundle(/|$)")) |
| (allow file-read-data (regex #"^/Library/Preferences/SystemConfiguration/com\.apple\.PowerManagement\.plist$")) |
| |
| ; Allow access to System Keychain |
| (allow file-read-data (regex #"^/System/Library/Security$")) |
| (allow file-read-data (regex #"^/System/Library/Keychains/.*$")) |
| (allow file-read-data (regex #"^/Library/Keychains/System\.keychain$")) |
| ; Our Module Directory Services cache |
| (allow file-read-data (regex #"^/private/var/tmp/mds/")) |
| (allow file-read* file-write* (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")) |
| (allow file-read-data (regex #"^/private/var/db/mds/")) |
| (allow file-read* file-write* (regex #"^/private/var/db/mds/[0-9]+(/|$)")) |
| (allow file-read* file-write* (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)")) |
| ; CRL Cache for SSL/TLS connections |
| (allow file-read-data (regex #"^/private/var/db/crls/crlcache\.db$")) |