;;
;; ntpd - sandbox profile
;; Copyright (c) 2006-2007 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
;; Overview: default-deny profile for ntpd. It allows process operations,
;; sysctl reads, networking, a small set of NTP files, and setting the clock,
;; and then imports the shared rules in bsd.sb.
;;
(version 1)

; Ask the sandbox to log operations that are denied; useful when auditing
; what ntpd attempts outside this profile.
(debug deny)

; Baseline: anything not explicitly allowed below (or by the imported
; bsd.sb) is refused.
(deny default)

; Wildcard: allows every process operation, which is broader than the
; fork + exec-of-/usr/sbin/ntpd pair kept in the comment below.
; NOTE(review): with this rule process-exec is not restricted to the ntpd
; binary by anything in this file. Re-enabling the two narrower rules and
; dropping the wildcard would reduce what a compromised ntpd can launch.
; Confirm on a current OS build before changing it.
(allow process*)
; These were commented out, I think that was a pre-WWDC bug that has been fixed
; and they can be brought back, and the above line removed:
; (allow process-fork)
; (allow process-exec (regex "^/usr/sbin/ntpd$"))

; ntpd is not allowed to send signals.
(deny signal)

; Read-only access to sysctl values; no sysctl write rule appears in this file.
(allow sysctl-read)

; This might be able to be tightened up (I think network filters were
; broken pre-WWDC).  See named.sb for examples.
; NOTE(review): as written this allows all network operations with no
; address, port or direction filter. Narrowing it to the traffic ntpd
; actually needs is the tightening the original author refers to.
(allow network*)

;;; Allow NTP specific files
; All three regexes are anchored with ^ and $ and accept an optional
; /private prefix, so each rule matches exactly the listed paths.

; Configuration and key material: read-only (no write operation is granted).
(allow file-read-data file-read-metadata
  (regex "^(/private)?/etc/ntp\\.(conf|keys)$"))

; Drift file and its .TEMP sibling: read plus file-write-data.
; NOTE(review): only file-write-data is granted here, not file-write*.
; Whether creating or renaming the .TEMP file is permitted depends on rules
; not visible in this file (e.g. bsd.sb) - confirm.
(allow file-read-data file-read-metadata file-write-data
  (regex "^(/private)?/var/db/ntp\\.drift(\\.TEMP)?$"))

; PID file: all file-write operations plus read.
(allow file-write* file-read-data file-read-metadata
  (regex "^(/private)?/var/run/ntpd\\.pid$"))

; Permit setting the system clock.
(allow time-set)

; Pull in the rules from bsd.sb. Its contents are not shown here, so the
; effective policy for ntpd also depends on that file; review both together.
(import "bsd.sb")