

;; OriginatingProject: ipsec
;; Sandbox profile for racoon (the IKE daemon). This is an allow-list policy:
;; every operation not matched by an (allow ...) form below is denied.
(version 1)
(deny default)
;; sysctl-read and sysctl-write carry no filter here, so any sysctl name is
;; readable and writable from inside the sandbox.
(allow system-socket sysctl-read sysctl-write)

;; ipc-posix* covers every POSIX IPC operation class (semaphore and shared
;; memory) on the securityd name.
(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
;; Shared-memory segments only; from the names these look like the
;; notification-center and database-change signalling segments (presumably).
(allow ipc-posix-shm
    (ipc-posix-name "apple.shm.notification_center")
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Daemon configuration and run-time state, read-only plus ioctl.
;; NOTE(review): subpath on master.passwd matches that path and anything below
;; it; for a regular file `literal` is the narrower filter and should be
;; equivalent -- confirm nothing depends on the directory form.
(allow file-read* file-ioctl
    (subpath "/private/etc/master.passwd")
    (subpath "/private/var/run/racoon")
    (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
    (subpath "/private/etc/racoon"))

;; Read-only access to the preference trees, root's home directory and the
;; security-message catalogue.
;; NOTE(review): the backslash before the space in "Managed\ Preferences" is a
;; shell-style escape inside a string literal -- confirm the profile compiler
;; resolves it to the intended path rather than a literal backslash.
(allow file-read*
    (subpath "/Library/Managed\ Preferences")
    (subpath "/Library/Preferences")
    (subpath "/private/var/root")
    (literal "/private/var/db/mds/messages/se_SecurityMessages"))

;; file-write* covers the whole write class (create, unlink, data, ...) on the
;; control socket and pid file; no read grant is given for them here.
(allow file-write*
    (literal "/private/var/run/racoon.sock")
    (literal "/private/var/run/racoon.pid"))

;; file* grants every file operation on the log. Both spellings are listed
;; because /var is normally a symlink to /private/var on macOS.
(allow file*
    (literal "/var/log/racoon.log")
    (literal "/private/var/log/racoon.log"))

;; Power-management user client (presumably for sleep/wake notification).
(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

;; Outbound unix-domain socket connections under launchd's temp directory.
(allow network-outbound (subpath "/private/var/tmp/launchd"))
;; network* covers inbound and outbound. Local UDP 500 (IKE) and 4500
;; (IPsec NAT-T) on any interface; the remote filter is fully open ("*:*"),
;; which a responder needs but which also means the profile places no limit
;; on where the daemon may send UDP. The literal entry is the daemon's own
;; control socket path.
(allow network*
    (local udp "*:500" "*:4500")
    (remote udp "*:*")
    (literal "/private/var/run/racoon.sock"))

;; file* -- read, write, create and unlink -- on the System keychain and the
;; MDS database files. This is the broadest file grant in the profile;
;; whether write access to System.keychain itself is required (versus the
;; MDS files alone) is not something this file shows -- verify against the
;; daemon's keychain usage.
(allow file*
    (literal "/Library/Keychains/System.keychain")
    (literal "/private/var/db/mds/system/mdsObject.db")
    (literal "/private/var/db/mds/system/mds.lock")
    (literal "/private/var/db/mds/system/mdsDirectory.db"))

;; Mach services for keychain/identity access (SecurityServer) and OCSP
;; revocation checking (ocspd).
(allow mach-lookup
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.ocspd"))

;;;;;; Common system sandbox rules
;;;;;;
;;;;;; Copyright (c) 2008-2010 Apple Inc.  All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.

;;; Allow read access to standard system paths.

;; Reads under these system trees are limited to world-readable files: the
;; require-all means a path match alone is not enough, the other-read bit
;; (#o0004) must also be set on the file.
(allow file-read*
       (require-all (file-mode #o0004)
                    (require-any (subpath "/System")
                                 (subpath "/usr/lib")
                                 (subpath "/usr/sbin")
                                 (subpath "/usr/share"))))

;; Metadata (stat-class) access only on these top-level entries, which on
;; macOS are normally symlinks into /private, so path resolution through them
;; works without granting reads of their contents.
(allow file-read-metadata
       (literal "/etc")
       (literal "/tmp")
       (literal "/var"))

;;; Allow access to standard special files.

;; Timezone data and the kernel random devices, read-only.
(allow file-read*
       (literal "/private/var/db/timezone/localtime")
       (literal "/dev/random")
       (literal "/dev/urandom"))

;; /dev/null and /dev/zero: reads plus data writes only (no create/unlink).
(allow file-read*
       file-write-data
       (literal "/dev/null")
       (literal "/dev/zero"))

;; Crypto accelerator device nodes and the dtrace helper; file-ioctl is
;; granted in addition to read and data-write on these nodes.
(allow file-read*
       file-write-data
       file-ioctl
       (literal "/dev/aes_0")
       (literal "/dev/sha1_0")
       (literal "/dev/dtracehelper"))

;; Outbound connections to the ASL/syslog unix-domain sockets, i.e. logging.
(allow network-outbound
       (literal "/private/var/run/asl_input")
       (literal "/private/var/run/syslog"))

;;; Allow IPC to standard system agents.

;; System-wide Mach service lookups: securityd, the bsd dirhelper, directory
;; services (user/group and membership resolution), the system logger and the
;; notification center. Each name is listed explicitly; there is no wildcard.
(allow mach-lookup
       (global-name "com.apple.securityd")
       (global-name "com.apple.bsd.dirhelper")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.DirectoryService.membership_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))