bsd.sb   [plain text]


;; OriginatingProject: files
;;
;; common rules for various BSD daemons
;; Copyright (c) 2007-2010 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
;; Profile language version: the rules below use the version 1 syntax.
(version 1)

;; Log every operation the sandbox denies, so a missing rule shows up in the
;; system log instead of failing silently.
;; NOTE(review): this file sets no default action and contains only allow
;; rules. They confine a daemon only if the profile that pulls them in denies
;; by default -- confirm in the importing profile.
(debug deny)

;; allow processes to traverse symlinks
;; NOTE(review): the rule has no path filter, so metadata is readable for every
;; path, not only for symlinks. Subject to ordinary file permissions, a
;; confined process can still probe whether arbitrary files exist, so path
;; names must not be treated as secret.
(allow file-read-metadata)

;; Read-only access to the code and data that dyld and system libraries load.
;; file-read-metadata is listed again here although the unfiltered rule above
;; already grants it for all paths.
(allow file-read-data file-read-metadata
  (regex
    ; Allow reading system dylibs and frameworks
    ; "^/System/" and "^/private/var/db/dyld/" have no trailing anchor and so
    ; cover everything below those directories; the /usr/lib patterns require
    ; a .dylib or .so suffix.
    #"^/usr/lib/.*\.dylib$"
    #"^/usr/lib/info/.*\.so$"
    #"^/System/"
    #"^/private/var/db/dyld/"
    ; Not a library path: the hosts.allow / hosts.deny access-control files,
    ; presumably read by daemons that use TCP wrappers. Read access only.
    #"^(/private)?/etc/hosts\.(allow|deny)$"
  ))

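;; Device nodes, the syslog socket and the per-user text-encoding file that
;; system libraries open for both reading and writing.
(allow file-read-data file-write-data
  (regex
    ; Allow files accessed by system dylibs and frameworks
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
    #"^/dev/u?random$"
    #"^/dev/autofs_nowait$"
    #"^/dev/dtracehelper$"
    ; No leading ^: this matches a .CFUserTextEncoding file in any directory,
    ; not only in the user's home directory.
    #"/\.CFUserTextEncoding$"
  ))

;; Time-zone and message-catalog data is reference data that libraries only
;; need to read, so file-write-data is not granted here. Because these rules
;; are shared by many daemons, a write grant would let any one of them that is
;; compromised and has sufficient file permissions rewrite the data for the
;; whole system. A daemon that legitimately sets the time zone should allow
;; that in its own profile; (debug deny) at the top of this file logs any
;; denial this causes.
(allow file-read-data
  (regex
    #"^(/private)?/etc/localtime$"
    #"^/usr/share/nls/"
    #"^/usr/share/zoneinfo/"
  ))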

;; ioctl is allowed on exactly one path, the dtrace helper device; the pattern
;; is anchored at both ends, so no other device node accepts ioctl requests
;; through this rule.
(allow file-ioctl
  (regex
    ; Allow access to dtracehelper by dyld
    #"^/dev/dtracehelper$"))

;; Mach services a confined daemon may look up. Only these five global names
;; are reachable through this rule; any other lookup needs its own rule in the
;; importing profile.
;; Purposes below are inferred from the service names -- confirm:
;;   dirhelper                         per-user temporary/cache directories
;;   DirectoryService.libinfo_v1       user, group and host lookups
;;   DirectoryService.membership_v1    group-membership queries
;;   system.logger                     syslog
;;   system.notification_center        notify(3) notifications
;; Each reachable service is attack surface outside the sandbox, so this list
;; is worth re-checking whenever a name is added.
(allow mach-lookup
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center"))

;; NOTE(review): no name filter, so every POSIX shared-memory object is
;; covered, not only the region libnotify uses. Narrow this to the libnotify
;; object if the target profile language version supports a name filter.
(allow ipc-posix-shm) ; Libnotify

;; Unfiltered: every sysctl value can be read (kernel and hardware details
;; included). Only reading is granted; no sysctl write rule appears in this
;; file.
(allow sysctl-read)

;; A confined process may signal only itself; this file grants no right to
;; signal other processes.
(allow signal (target self))