krb5kdc.sb   [plain text]


;;
;; krb5kdc - sandbox profile
;; Copyright (c) 2007 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute 
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

(deny default)
(debug deny)

(allow mach-lookup (global-name
    "com.apple.DirectoryService"
    "com.apple.ocspd"
    "com.apple.SecurityServer"
    "com.apple.system.notification_center"
    "com.apple.system.DirectoryService.libinfo_v1"))

(allow file-read* (literal "/dev/autofs_nowait")
                  (regex "^/dev/u?random$")
                  (regex "^(/private)?/var/db/dyld/dyld_shared_")
                  (regex "^(/private)?/var/root/\\.CFUserTextEncoding$")
                  (literal "/usr/sbin")
                  (literal "/usr/sbin/krb5kdc")
                  (regex "^/usr/lib/krb5(/|$)")
                  (regex "^/usr/share/zoneinfo/")
                  (regex "^(/private)?/var/root/Library/Preferences/ByHost/\\.GlobalPreferences\\..*\\.plist$")
                  (regex "^(/private)?/var/root/Library/Preferences/\\.GlobalPreferences\\.plist\$")
                  (literal "/Library/Preferences/.GlobalPreferences.plist")
                  (literal "/Library/Preferences/edu.mit.Kerberos")
                  (literal "/Library/Preferences/com.apple.security.systemidentities.plist")
                  (literal "/Library/Keychains/System.keychain")
                  (regex "^/System/Library/Frameworks/")
                  (regex "^/System/Library/Keychains/")
                  (regex "^/System/Library/KerberosPlugins/")
                  (regex "^/System/Library/PrivateFrameworks/")
		  (regex "^/usr/lib/lib.*\.dylib$")
                  (regex "^/System/Library/Security(/|$)")
                  (regex "/Library/Keychains/login\\.keychain$")
                  (regex "/Library/Preferences/com\\.apple\\.security\\.revocation\\.plist$"))

(allow file-read-metadata)

(allow file-read* file-write* (regex "^(/private)?/var/db/krb5kdc(/|$)")
                              (regex "^(/private)?/var/log/krb5kdc/kdc\\.log$")
                              (regex "^(/private)?/var/tmp/krb5_RC")
                              (regex "^(/private)?/var/tmp/krb5kdc_rcache")
                              (regex "^(/private)?/var/tmp/mds(/|$)"))
							  
(allow file-write-data (literal #"/dev/dtracehelper"))

(allow process-exec (glob "/usr/sbin/krb5kdc"))

(allow network*)

(allow sysctl-read)