;;
;; kdc - sandbox profile
;; Copyright (c) 2009 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)
(deny default)
(import "com.apple.corefoundation.sb")
(import "system.sb")
(import "opendirectory.sb")
(corefoundation)
(allow file-ioctl
(literal "/dev/dtracehelper"))
(if (defined? 'mach-register)
(allow mach-register
(global-name "org.h5l.kdc")
(global-name "org.h5l.ntlm-service")))
;; This is needed for realpath on system keychain
(allow file-read-metadata
(literal "/private")
(literal "/private/var")
(literal "/private/var/db"))
(allow file-read*
(literal "/")
(literal "/Library")
(literal "/Library/Keychains")
(literal "/Library/Keychains/System.keychain")
(literal "/Library/Security/Trust Settings/Admin.plist")
(literal "/Library/Preferences/edu.mit.Kerberos")
(literal "/Library/Preferences/com.apple.Kerberos.plist")
(regex #"^/Library/Preferences/com\.apple\.GSS\.")
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/Library/Preferences/.GlobalPreferences.plist")
(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
(literal "/dev/dtracehelper")
(literal "/dev/null")
(literal "/dev/random")
(literal "/tmp")
(literal "/etc")
(literal "/var")
(literal "/private/etc/hosts")
(literal "/private/etc/services")
(literal "/private/etc/localtime")
(literal "/private/etc/openldap/ldap.conf")
(subpath "/private/var/db/krb5kdc")
(subpath "/private/var/db/mds")
(subpath "/System/Library/KerberosPlugins")
(subpath "/Library/KerberosPlugins")
(subpath "/Library/Frameworks"))
(allow file-write*
(literal "/dev/random")
(literal "/private/var/log/krb5kdc/kdc.log")
(literal "/private/var/run/kdc.pid"))
(allow file-write-data
(literal "/dev/dtracehelper")
(literal "/private/var/db/mds/system/mds.lock")
(literal "/private/var/log/krb5kdc/kdc.log"))
(allow ipc-posix-shm)
(allow mach-lookup
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.SecurityServer")
(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.TrustEvaluationAgent")
(global-name "com.apple.ocspd")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
(allow network-inbound
(local tcp "*:88")
(local udp "*:88"))
(allow network-outbound
(literal "/private/var/run/mDNSResponder")
(literal "/private/var/rpc/ncalrpc/NETLOGON")
(literal "/private/var/run/ldapi")
(remote udp)
(remote tcp))
(allow process-exec
(literal "/usr/local/heimdal/libexec/kdc"))
(allow sysctl-read)
;;
;; Make more kdc quiet in syslog
;;
(deny file*
(subpath "/private/var/root")
(with no-log))