kcm.sb   [plain text]

;;
;; kcm - sandbox profile
;; Copyright (c) 2010 - 2011 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute 
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

(deny default (with no-callout))

(import "com.apple.corefoundation.sb")
(import "opendirectory.sb")

(corefoundation)

(allow file-ioctl
       (literal "/dev/dtracehelper"))

(deny file*
       (subpath "/var/root")
       (subpath "/private/var/root")
       (with no-log))

(allow file-read*
       (literal "/")
       (literal "/etc/krb5.conf")
       (subpath "/Library/Preferences")
       (literal "/dev/dtracehelper")
       (literal "/dev/null")
       (literal "/dev/random")
       (literal "/tmp")
       (literal "/etc")
       (literal "/var")
       (literal "/private/etc/hosts")
       (literal "/private/etc/services")
       (literal "/private/etc/localtime")
       (subpath "/private/var/db/mds")
       (subpath "/Library/KerberosPlugins")
       (subpath "/Library/Frameworks")
       (subpath "/System")
       (subpath "/usr/lib")
       (subpath "/usr/share"))

(allow file-write* file-read*
       (literal "/dev/random")
       (literal "/private/var/db/kcm-dump.bin")
       (literal "/private/var/db/kcm-dump.uuid")
       (literal "/private/var/run/kcm.pid"))

(allow file-write-data
       (literal "/dev/dtracehelper")
       (literal "/private/var/db/mds/system/mds.lock"))

(allow ipc-posix-shm)

(allow mach-lookup
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.TrustEvaluationAgent")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))

(allow network-outbound
       (literal "/private/var/run/mDNSResponder")
       (remote udp)
       (remote tcp))

(allow sysctl-read)

(allow iokit-open (iokit-user-client-class "AppleKeyStoreUserClient"))

(allow system-socket (socket-domain AF_ROUTE))
(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
(allow network-outbound
    (control-name "com.apple.network.statistics")
    (control-name "com.apple.netsrc"))