Last change on this file since f01edf1 was f01edf1, checked in by Sebastian Huber <sebastian.huber@…>, on 09/19/18 at 06:53:26

mDNSResponder: Update to v765.1.2

The sources can be obtained via:

https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-765.1.2.tar.gz

Move mDNS_StartResolveService() and mDNS_StopResolveService() to an
RTEMS-specific file (rtemsbsd/mdns/mDNSResolveService.c) using the
v576.30.4 implementation. Apple removed these functions without
explanation.

Update #3522.

; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2012-2015 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions are met:
;
; 1.  Redistributions of source code must retain the above copyright notice,
;     this list of conditions and the following disclaimer.
; 2.  Redistributions in binary form must reproduce the above copyright notice,
;     this list of conditions and the following disclaimer in the documentation
;     and/or other materials provided with the distribution.
; 3.  Neither the name of Apple Inc. ("Apple") nor the names of its
;     contributors may be used to endorse or promote products derived from this
;     software without specific prior written permission.
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
;############################################################################


; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.
;
; Sandbox profile (SBPL) for the mDNSResponder daemon. The profile is
; default-deny: everything below `(deny default ...)` is an additive allow-list,
; so a new dependency of the daemon needs a new rule here, and a rule that is
; broader than its comment claims widens the daemon's attack surface. In SBPL
; the last matching rule for an operation takes precedence, so rule order matters
; wherever an allow follows a deny on overlapping paths (see the keychain rules).

(version 1)
; When mDNSResponder is denied access, we want to avoid symbolification of mDNSResponder
; to get the stack trace as that can get into deadlock. no-callout will prevent
; symbolification.
(deny default (with no-callout))

; system.sb (not part of this file) supplies the platform baseline rules on top
; of the deny-default above; everything that follows is in addition to it.
(import "system.sb")

; Baseline
; Unfiltered: any file's metadata and any POSIX shared-memory segment. Note that
; the keychain deny further down covers file-read-data only; metadata of every
; keychain file stays readable through this rule.
(allow file-read-metadata ipc-posix-shm)

; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
; Each entry is the exact global name of one service this process may look up;
; both helper spellings are listed, presumably because the helper's service name
; differs between OS versions (not verifiable from this file).
(allow mach-lookup
       (global-name "com.apple.awdd")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.coreservices.quarantine-resolver")
       (global-name "com.apple.distributed_notifications.2")
       (global-name "com.apple.distributed_notifications@1v3")
       (global-name "com.apple.lsd.mapdb")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.mDNSResponderHelper")
       (global-name "com.apple.mDNSResponder_Helper")
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
       (global-name "com.apple.SystemConfiguration.DNSConfiguration")
       (global-name "com.apple.SystemConfiguration.NetworkInformation")
       (global-name "com.apple.system.notification_center")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.usymptomsd")
       (global-name "com.apple.webcontentfilter.dns")
       (global-name "com.apple.server.bluetooth")
       (global-name "com.apple.awacs")
       (global-name "com.apple.networkd")
       (global-name "com.apple.securityd")
       (global-name "com.apple.wifi.manager")
       (global-name "com.apple.blued")
       (global-name "com.apple.mobilegestalt.xpc")
       (global-name "com.apple.snhelper"))

; The only Mach service name this process may itself register.
(allow mach-register
       (global-name "com.apple.d2d.ipc"))

; Networking, including Unix Domain Sockets
; This is the single broad grant in the profile: every network operation, on
; every address and port, without a filter. It is inherent to a DNS/mDNS daemon,
; but it also means the file-system and Mach rules above are what actually
; bound a compromised process, not this rule.
(allow network*)

; Raw sockets
; Guarded because the system-socket operation does not exist in every sandbox
; version; on platforms that lack it the rule is simply skipped.
(if (defined? 'system-socket)
    (allow system-socket))

; Hardware model information
; Unfiltered: this allows reading every sysctl, not just the hardware model.
(allow sysctl-read)

; Syslog early in the boot process
(allow file-read-data file-write-data (literal "/dev/console"))

(allow file-read-data
       ; /etc/hosts support
       (literal "/private/etc/hosts")
       ; `literal` matches only the directory entry itself, not files beneath it.
       (literal "/private/etc"))

; Our socket
; Exact path only; no other entry under /private/var/run is writable.
(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))

; System version, settings, and other miscellaneous necessary file system accesses
; Read-only throughout. `regex` entries are anchored at the path start; `subpath`
; entries cover whole directory trees (the three Logging preference trees).
(allow file-read-data
       ; Needed for CFCopyVersionDictionary()
       (literal "/usr/sbin")
       (literal "/usr/sbin/mDNSResponder")

       (literal "/Library/Preferences/com.apple.mDNSResponder.plist")
       (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
       (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
       (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
       (literal "/Library/Preferences/com.apple.crypto.plist")
       (literal "/Library/Security/Trust Settings/Admin.plist")
       (regex #"^/Library/Preferences/com\.apple\.security\.")
       (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
       (literal "/private/var/preferences/SystemConfiguration/preferences.plist")
       (subpath "/System/Library/Preferences/Logging")
       (subpath "/AppleInternal/Library/Preferences/Logging")
       (subpath "/Library/Preferences/Logging"))


; For MAC Address
; Restricted to the link-layer address info-type rather than all system-info.
(allow system-info (info-type "net.link.addr"))

; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here (to things which we don't need), we disable any
; logging that might happen during the access
;
; Order matters: the allow for System.keychain comes AFTER the regex deny so that
; it wins as the last matching rule. Every other file under /Library/Keychains/
; stays denied (the deny-default would deny it anyway); the regex deny exists only
; to attach `no-log` to those denials. Swapping the two lines would silently deny
; System.keychain as well.
(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data (literal "/Library/Keychains/System.keychain"))


; Our Module Directory Services cache
; The cache roots are readable as whole trees ...
(allow file-read-data
       (subpath "/private/var/tmp/mds")
       (subpath "/private/var/db/mds"))

; ... but write access is confined to numeric ([0-9]+) subdirectories of those
; roots and to the per-user mds cache folders; the roots themselves and any
; non-numeric entry beneath them remain read-only.
(allow file-read* file-write*
       (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
       (regex #"^/private/var/db/mds/[0-9]+(/|$)")
       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")

       ; Required on 10.5 and 10.6
       (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))

; CRL Cache for SSL/TLS connections
(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))

; For mDNS sleep proxy offload and IOPMConnectionCreate
; Guarded like system-socket above. Each user-client class named here is an
; IOKit kernel interface this process may open; adding a class here exposes
; that driver's user-client surface to the daemon.
(if (defined? 'iokit-open)
   (begin
     (allow iokit-open
        (iokit-user-client-class "NVEthernetUserClientMDNS")
        (iokit-user-client-class "mDNSOffloadUserClient")
        (iokit-user-client-class "wlDNSOffloadUserClient")
        (iokit-user-client-class "RootDomainUserClient")
        (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))