; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2012-2015 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions are met:
;
; 1. Redistributions of source code must retain the above copyright notice,
; this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright notice,
; this list of conditions and the following disclaimer in the documentation
; and/or other materials provided with the distribution.
; 3. Neither the name of Apple Inc. ("Apple") nor the names of its
; contributors may be used to endorse or promote products derived from this
; software without specific prior written permission.
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
;############################################################################


; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.

; Sandbox profile (SBPL) for the mDNSResponder daemon. The profile is
; default-deny: every operation not matched by an allow rule below is refused,
; so each allow entry is one capability the daemon needs. Adding an entry
; widens the daemon's reachable surface (Mach services, file paths, kernel
; user clients) and should be justified in a comment next to it.

(version 1)
; When mDNSResponder is denied access, we want to avoid symbolification of mDNSResponder
; to get the stack trace as that can get into deadlock. no-callout will prevent
; symbolification.
; Default-deny: anything without a matching allow rule below is refused.
(deny default (with no-callout))

(import "system.sb")

; Baseline
(allow file-read-metadata ipc-posix-shm)

; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
; Allow-list of Mach service names the daemon may look up. Every entry is an
; exact global-name with no pattern, so a new service must be named explicitly.
(allow mach-lookup
(global-name "com.apple.awdd")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.coreservices.quarantine-resolver")
(global-name "com.apple.distributed_notifications.2")
(global-name "com.apple.distributed_notifications@1v3")
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.ocspd")
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.mDNSResponderHelper")
(global-name "com.apple.mDNSResponder_Helper")
(global-name "com.apple.SecurityServer")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.NetworkInformation")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger")
(global-name "com.apple.usymptomsd")
(global-name "com.apple.webcontentfilter.dns")
(global-name "com.apple.server.bluetooth")
(global-name "com.apple.awacs")
(global-name "com.apple.networkd")
(global-name "com.apple.securityd")
(global-name "com.apple.wifi.manager")
(global-name "com.apple.blued")
(global-name "com.apple.mobilegestalt.xpc")
(global-name "com.apple.snhelper"))

; The single Mach service name the daemon itself is allowed to register.
(allow mach-register
(global-name "com.apple.d2d.ipc"))

; Networking, including Unix Domain Sockets
; network* is a wildcard over all network operations and carries no address,
; port or protocol filter, making it the broadest rule in this profile.
(allow network*)

; Raw sockets
; Guarded by defined? so the profile still loads where the system-socket
; operation does not exist (presumably older SBPL versions — confirm).
(if (defined? 'system-socket)
(allow system-socket))

; Hardware model information
(allow sysctl-read)

; Syslog early in the boot process
(allow file-read-data file-write-data (literal "/dev/console"))

(allow file-read-data
; /etc/hosts support
(literal "/private/etc/hosts")
(literal "/private/etc"))

; Our socket
; Read and write access is confined to this one literal path.
(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))

; System version, settings, and other miscellaneous necessary file system accesses
; Read-only. The regex filters are anchored with ^ and escape their literal
; dots, so they only match the intended names under /Library/Preferences.
(allow file-read-data
; Needed for CFCopyVersionDictionary()
(literal "/usr/sbin")
(literal "/usr/sbin/mDNSResponder")

(literal "/Library/Preferences/com.apple.mDNSResponder.plist")
(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
(literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
(regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
(literal "/Library/Preferences/com.apple.crypto.plist")
(literal "/Library/Security/Trust Settings/Admin.plist")
(regex #"^/Library/Preferences/com\.apple\.security\.")
(literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
(literal "/private/var/preferences/SystemConfiguration/preferences.plist")
(subpath "/System/Library/Preferences/Logging")
(subpath "/AppleInternal/Library/Preferences/Logging")
(subpath "/Library/Preferences/Logging"))


; For MAC Address
(allow system-info (info-type "net.link.addr"))

; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here (to things which we don't need), we disable any
; logging that might happen during the access
; Rule order matters: the allow for the System.keychain literal must stay after
; this deny so the more specific, later rule wins. The deny itself grants
; nothing new — the default rule already refuses these reads — it only
; attaches no-log to them.
(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data (literal "/Library/Keychains/System.keychain"))


; Our Module Directory Services cache
(allow file-read-data
(subpath "/private/var/tmp/mds")
(subpath "/private/var/db/mds"))

; Write access to the cache is narrower than the read access above: [0-9]+
; limits the mds subdirectory to a purely numeric name, [^/]+ keeps each
; component within a single path element, and the trailing (/|$) stops the
; pattern from matching a longer sibling name that merely shares the prefix.
(allow file-read* file-write*
(regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
(regex #"^/private/var/db/mds/[0-9]+(/|$)")
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")

; Required on 10.5 and 10.6
(regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))

; CRL Cache for SSL/TLS connections
(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))

; For mDNS sleep proxy offload and IOPMConnectionCreate
; Guarded like system-socket above. This is a fixed allow-list of IOKit
; user-client classes, so any additional kernel client the daemon needs must
; be added here explicitly.
(if (defined? 'iokit-open)
(begin
(allow iokit-open
(iokit-user-client-class "NVEthernetUserClientMDNS")
(iokit-user-client-class "mDNSOffloadUserClient")
(iokit-user-client-class "wlDNSOffloadUserClient")
(iokit-user-client-class "RootDomainUserClient")
(iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))