;; ;; kcm - sandbox profile ;; Copyright (c) 2010 - 2011 Apple Inc. All Rights reserved. ;; ;; WARNING: The sandbox rules in this file currently constitute ;; Apple System Private Interface and are subject to change at any time and ;; without notice. The contents of this file are also auto-generated and not ;; user editable; it may be overwritten at any time. ;; (version 1) (deny default (with no-callout)) (import "com.apple.corefoundation.sb") (import "opendirectory.sb") (import "system.sb") (corefoundation) (system-network) (allow file-ioctl (literal "/dev/dtracehelper")) (deny file* (subpath "/var/root") (subpath "/private/var/root") (with no-log)) (allow file-read* (literal "/") (literal "/etc/krb5.conf") (subpath "/Library/Preferences") (literal "/dev/dtracehelper") (literal "/dev/null") (literal "/private/etc") (literal "/private/var") (literal "/private/etc/hosts") (literal "/private/etc/resolv.conf") (literal "/private/etc/krb5.conf") (literal "/private/etc/services") (literal "/private/etc/localtime") (literal "/private/var/run/resolv.conf") (subpath "/private/var/db/mds") (subpath "/Library/KerberosPlugins") (subpath "/Library/Frameworks")) (allow file-write* file-read* (literal "/private/var/db/kcm-dump.bin") (literal "/private/var/db/kcm-dump.uuid") (literal "/private/var/run/kcm.pid")) (allow file-write-data (literal "/dev/dtracehelper") (literal "/private/var/db/mds/system/mds.lock")) (allow ipc-posix-shm) (allow mach-lookup (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.DNSConfiguration") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.TrustEvaluationAgent") (global-name "com.apple.ocspd") (global-name "com.apple.networkd")) (allow network-outbound (literal "/private/var/run/mDNSResponder") (remote udp) (remote tcp)) (allow sysctl-read) (allow iokit-open (iokit-user-client-class "AppleFDEKeyStoreUserClient")) (allow network-outbound (control-name "com.apple.network.statistics") (control-name "com.apple.netsrc"))