;;
;; gss-initiator - sandbox profile
;; Copyright (c) 2010 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
;; This file is meant to be included in a sandbox that needs access to be an gss-acceptor
;;
;; NOTE(review): the title says "gss-initiator" but the sentence above says
;; "gss-acceptor"; confirm which role this profile is meant to serve.
;;
;; Summary: this profile contains only `allow` rules. It grants Mach service
;; lookups, outbound networking, read-only access to a set of paths, and
;; sysctl reads. Any deny-by-default behaviour has to come from the profile
;; that imports this one; nothing here establishes it.

;; Profile language version.
(version 1)

;; Pull in two other profiles. Their contents are not visible here, so the
;; effective permission set is this file plus whatever they allow.
(import "com.apple.corefoundation.sb")
(import "opendirectory.sb")

;; Presumably a rule group defined by com.apple.corefoundation.sb; verify
;; against that file.
(corefoundation)

;; Mach bootstrap lookups, limited to the listed global names.
;; The org.h5l.* names look like the Heimdal Kerberos/NTLM helper services
;; (credential cache, NTLM, KDC); confirm against the services actually
;; registered on the target system.
(allow mach-lookup
       (global-name "org.h5l.kcm")
       (global-name "org.h5l.ntlm-service")
       (global-name "org.h5l.kdc")
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))

;; Outbound connections: two exact local socket paths (mDNSResponder and the
;; NETLOGON ncalrpc endpoint) plus UDP and TCP.
;; NOTE(review): the (remote udp) / (remote tcp) filters carry no host or
;; port restriction here, so this rule does not limit egress to Kerberos
;; endpoints. A sandbox that includes this profile should not count on it
;; for network containment; destination limits must be enforced elsewhere.
(allow network-outbound
       (literal "/private/var/run/mDNSResponder")
       (literal "/private/var/rpc/ncalrpc/NETLOGON")
       (remote udp)
       (remote tcp))

;; Read-only file access (file-read* covers the file-read operation family).
;; `subpath` matches the directory and everything beneath it; `literal`
;; matches only that exact path, so (literal "/etc") and (literal "/var")
;; do not by themselves grant access to their children.
;; NOTE(review): (subpath "/Library/Preferences") and
;; (subpath "/Library/Frameworks") are broad grants; any system-wide
;; preference file becomes readable to the sandboxed process.
;; NOTE(review): the two KerberosPlugins directories are presumably plugin
;; load locations. This rule only grants read access, but if plugins are
;; loaded from /Library/KerberosPlugins, the ownership and permissions of
;; that directory are part of the trust boundary and worth auditing.
;; NOTE(review): /etc/krb5.conf is listed under /etc while hosts, services
;; and localtime are listed under /private/etc; confirm that the /etc form
;; matches as intended once the /etc symlink is resolved.
(allow file-read*
       (subpath "/System/Library/KerberosPlugins")
       (subpath "/Library/KerberosPlugins")
       (subpath "/Library/Frameworks")
       (literal "/etc/krb5.conf")
       (subpath "/Library/Preferences")
       (literal "/dev/random")
       (literal "/etc")
       (literal "/var")
       (literal "/private/etc/hosts")
       (literal "/private/etc/services")
       (literal "/private/etc/localtime")
       (subpath "/private/var/db/mds"))

;; sysctl reads are allowed with no name filter, i.e. not restricted to
;; specific sysctl keys by this rule.
(allow sysctl-read)