;; OriginatingProject: ipsec (version 1) (deny default) (import "system.sb") (allow system-socket sysctl-read sysctl-write) (allow system-info (info-type "net.link.addr")) (allow ipc-posix* (ipc-posix-name "com.apple.securityd")) (allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center") (ipc-posix-name "com.apple.AppleDatabaseChanged")) (allow file-read* file-ioctl (subpath "/private/etc/master.passwd") (subpath "/private/var/run/racoon") (literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist") (subpath "/private/etc/racoon")) (allow file-read* (subpath "/Library/Managed\ Preferences") (subpath "/Library/Preferences") (subpath "/private/var/root") (literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist") (literal "/private/var/db/mds/messages/se_SecurityMessages") (literal "/private/var/db/icu")) (allow file-write* (literal "/private/var/run/racoon.sock") (literal "/private/var/run/racoon.pid")) (allow file* (literal "/var/log/racoon.log") (literal "/private/var/log/racoon.log")) (allow iokit-open (iokit-user-client-class "RootDomainUserClient")) (allow network-outbound (subpath "/private/var/tmp/launchd")) (allow network* (local udp "*:500" "*:4500") (remote udp "*:*") (literal "/private/var/run/racoon.sock")) (allow file* (literal "/Library/Keychains/System.keychain") (literal "/private/var/db/mds/system/mdsObject.db") (literal "/private/var/db/mds/system/mds.lock") (literal "/private/var/db/mds/system/mdsDirectory.db")) (allow mach-lookup (global-name "com.apple.SecurityServer") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.ocspd") (global-name "com.apple.commcenter.xpc") (global-name "com.apple.aggregated") (global-name "com.apple.cfprefsd.daemon") (global-name "com.apple.cfprefsd.agent") (local-name "com.apple.cfprefsd.agent") (global-name "com.apple.nehelper")) (allow ipc-posix-shm-read* (ipc-posix-name-regex #"^apple\.shm\.cfprefsd\.")) ;;;;;; Common system sandbox rules ;;;;;; ;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved. ;;;;;; ;;;;;; WARNING: The sandbox rules in this file currently constitute ;;;;;; Apple System Private Interface and are subject to change at any time and ;;;;;; without notice. The contents of this file are also auto-generated and ;;;;;; not user editable; it may be overwritten at any time. ;;; Allow read access to standard system paths. (allow file-read* (require-all (file-mode #o0004) (require-any (subpath "/System") (subpath "/usr/lib") (subpath "/usr/sbin") (subpath "/usr/share")))) (allow file-read-metadata (literal "/etc") (literal "/tmp") (literal "/var")) ;;; Allow access to standard special files. (allow file-read* (subpath "/usr/share") (subpath "/private/var/db/timezone") (literal "/dev/random") (literal "/dev/urandom")) (allow file-read* file-write-data (literal "/dev/null") (literal "/dev/zero")) (allow file-read* file-write-data file-ioctl (literal "/dev/aes_0") (literal "/dev/sha1_0") (literal "/dev/dtracehelper")) (allow network-outbound (literal "/private/var/run/asl_input") (literal "/private/var/run/syslog")) ;;; Allow IPC to standard system agents. (allow mach-lookup (global-name "com.apple.securityd") (global-name "com.apple.bsd.dirhelper") (global-name "com.apple.system.logger") (global-name "com.apple.system.notification_center")) ;;; Allow creating an ipsec interface (allow network-outbound (control-name "com.apple.net.ipsec_control")) ;;; Allow racoon to check entitlements (allow iokit-open (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))