1;;
2;; kcm - sandbox profile
3;; Copyright (c) 2010 - 2011 Apple Inc.  All Rights reserved.
4;;
5;; WARNING: The sandbox rules in this file currently constitute 
6;; Apple System Private Interface and are subject to change at any time and
7;; without notice. The contents of this file are also auto-generated and not
8;; user editable; it may be overwritten at any time.
9;;
;; Profile language version.
(version 1)

;; Default-deny posture: every operation not explicitly allowed further down
;; is refused. NOTE(review): the no-callout modifier on the default deny is an
;; Apple-private option whose effect is not documented in this file — confirm
;; it does not suppress the violation reporting relied on during review.
(deny default (with no-callout))

;; Shared rule sets pulled in from elsewhere; their contents (and therefore
;; the full set of operations this profile permits) are not visible here.
(import "com.apple.corefoundation.sb")
(import "opendirectory.sb")

;; Macro, presumably defined by com.apple.corefoundation.sb, expanding to the
;; rules CoreFoundation needs. Not visible in this file — audit the import.
(corefoundation)
18
;; ioctl on the dtrace helper device only (read and write-data rules for the
;; same device appear further down).
(allow file-ioctl
       (literal "/dev/dtracehelper"))

;; Refuse every file operation under root's home directory, and do it silently.
;; Both spellings are listed, presumably because /var resolves to /private/var.
;; NOTE(review): (with no-log) means an attempt here leaves no sandbox log
;; record; presumably intended to silence library probes of $HOME when kcm
;; runs as root — confirm that is the only reason, since it also hides misuse.
(deny file*
       (subpath "/var/root")
       (subpath "/private/var/root")
       (with no-log))
26
;; Read-only access. Directory literals ("/", "/etc", "/var", ...) permit
;; stat/open of the directory itself, not its contents; subpath entries permit
;; everything beneath. The read set covers: Kerberos configuration
;; (krb5.conf under both /etc and /private/etc), resolver inputs (hosts,
;; resolv.conf, services, localtime), /dev/null and /dev/random, the mds
;; database directory, and the code-loading locations /Library/KerberosPlugins,
;; /Library/Frameworks, /System, /usr/lib and /usr/share.
;; NOTE(review): subpath reads of /Library/KerberosPlugins and
;; /Library/Frameworks mean anything placed there is loadable from inside the
;; sandbox; this profile grants no write access to those trees, so protection
;; of that surface rests on filesystem ownership, not on this profile.
(allow file-read*
       (literal "/")
       (literal "/etc/krb5.conf")
       (subpath "/Library/Preferences")
       (literal "/dev/dtracehelper")
       (literal "/dev/null")
       (literal "/dev/random")
       (literal "/tmp")
       (literal "/etc")
       (literal "/var")
       (literal "/private/etc")
       (literal "/private/var")
       (literal "/private/etc/hosts")
       (literal "/private/etc/resolv.conf")
       (literal "/private/etc/krb5.conf")
       (literal "/private/etc/services")
       (literal "/private/etc/localtime")
       (literal "/private/var/run/resolv.conf")
       (subpath "/private/var/db/mds")
       (subpath "/Library/KerberosPlugins")
       (subpath "/Library/Frameworks")
       (subpath "/System")
       (subpath "/usr/lib")
       (subpath "/usr/share"))

;; The only paths kcm may both read and fully write (create/truncate/unlink
;; included): its dump files and its pid file.
;; NOTE(review): the names suggest on-disk persistence of kcm state; if
;; kcm-dump.bin holds credential material, confidentiality depends on the
;; file's owner/mode at creation time, which this profile does not control —
;; confirm against the kcm source.
(allow file-write* file-read*
       (literal "/private/var/db/kcm-dump.bin")
       (literal "/private/var/db/kcm-dump.uuid")
       (literal "/private/var/run/kcm.pid"))

;; Data writes only (no create/unlink/chmod) to the dtrace helper device and
;; the mds lock file.
(allow file-write-data
       (literal "/dev/dtracehelper")
       (literal "/private/var/db/mds/system/mds.lock"))
60
;; POSIX shared memory is allowed with no name filter: any segment, any
;; operation. NOTE(review): this is broader than the rest of the profile;
;; if kcm only needs a known segment name, an (ipc-posix-name ...) filter
;; would narrow it — confirm what kcm actually maps.
(allow ipc-posix-shm)

;; Mach services kcm may look up by global name; any other mach-lookup falls
;; to the default deny. Grouped by the name prefix:
;;   SecurityServer, TrustEvaluationAgent, ocspd  - security/trust services
;;   SystemConfiguration.*                        - reachability, DNS, configd
;;   espd, networkd                               - networking helpers
;;   system.logger, system.notification_center    - logging and notifications
(allow mach-lookup
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
       (global-name "com.apple.SystemConfiguration.DNSConfiguration")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.TrustEvaluationAgent")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.espd")
       (global-name "com.apple.networkd")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))
74
;; Outbound networking: the mDNSResponder unix-domain socket plus ANY remote
;; TCP or UDP endpoint — no host or port filter.
;; NOTE(review): presumably unrestricted because KDC/kpasswd traffic and
;; referrals can target arbitrary hosts and ports; confirm that no narrower
;; filter is workable. No network-inbound/listen rule is granted anywhere in
;; this profile, so the process cannot accept connections.
(allow network-outbound
       (literal "/private/var/run/mDNSResponder")
       (remote udp)
       (remote tcp))

;; All sysctl reads, unfiltered. No sysctl-write is granted.
(allow sysctl-read)

;; Open the FDE (FileVault) key store IOKit user client.
;; NOTE(review): this is a privileged kernel interface and the rule carries
;; no further restriction; confirm kcm genuinely requires it, since it is the
;; most sensitive single grant in this profile.
(allow iokit-open (iokit-user-client-class "AppleFDEKeyStoreUserClient"))

;; Routing socket, and kernel control sockets (AF_SYSTEM with protocol 2,
;; i.e. SYSPROTO_CONTROL). The network-outbound rule below then permits
;; connecting those control sockets to the two named kernel controls.
(allow system-socket (socket-domain AF_ROUTE))
(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL
(allow network-outbound
    (control-name "com.apple.network.statistics")
    (control-name "com.apple.netsrc"))
89