;;
;; ntpd - sandbox profile
;; Copyright (c) 2006-2009, 2014 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)
(deny default)
(allow process-fork)
(allow signal (target same-sandbox))
(allow iokit-open (iokit-user-client-class "RootDomainUserClient")
(iokit-user-client-class "AppleSMCClient"))
(allow file-read-data file-read-metadata
(literal "/private/etc/ntp-restrict.conf")
(literal "/private/etc/ntp_opendirectory.conf")
(literal "/private/var/run/resolv.conf")
(regex "^/private/etc/ntp\\.(conf|keys)$")
(regex "^/private/etc/(services|hosts)$")
(regex "^/private/var/run/tmpntp.conf.*"))
(allow file-write* file-read-data file-read-metadata
(literal "/private/var/run/ntpd.pid")
(regex "^/private/var/db/ntp\\.drift(\\.TEMP)?$"))
(allow network-inbound
(local udp "*:123"))
(allow network-outbound
(control-name "com.apple.netsrc")
(control-name "com.apple.network.statistics")
(literal "/private/var/run/mDNSResponder")
(remote udp))
(allow mach-lookup
(global-name "com.apple.networkd")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.SCNetworkReachability"))
(allow system-set-time)
(allow system-socket)
(import "bsd.sb")