ntpd.sb   [plain text]

;; ntpd - sandbox profile
;; Copyright (c) 2006-2009 Apple Inc.  All Rights reserved.
;; WARNING: The sandbox rules in this file currently constitute 
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
(version 1)

(deny default)

(allow process-fork)

(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

;;; Allow NTP specific files
(allow file-read-data file-read-metadata
       (literal "/private/etc/ntp-restrict.conf")
       (regex "^/private/etc/ntp\\.(conf|keys)$")
       (literal "/private/var/mobile/Library/Preferences/ntp.conf")
       (regex "^/private/etc/(services|hosts)$")
       (regex "^/private/var/run/tmpntp.conf.*"))

(allow file-write* file-read-data file-read-metadata
       (literal "/private/var/run/ntpd.pid")
       (regex "^/private/var/(db|mobile/Library/Preferences)/ntp\\.drift(\\.TEMP)?$")
       (subpath "/private/tmp")
       (subpath "/private/var/tmp"))

(allow network-inbound
       (local udp "*:123"))

(allow network-outbound
       (control-name "com.apple.netsrc")
       (control-name "com.apple.network.statistics")
       (literal "/private/var/run/mDNSResponder")
       (remote udp))

(allow mach-lookup
       (global-name "com.apple.SystemConfiguration.configd"))

(allow system-set-time)
(allow system-socket)
(import "bsd.sb")