1;;
2;; kdc - sandbox profile
3;; Copyright (c) 2009 Apple Inc.  All Rights reserved.
4;;
5;; WARNING: The sandbox rules in this file currently constitute 
6;; Apple System Private Interface and are subject to change at any time and
7;; without notice. The contents of this file are also auto-generated and not
8;; user editable; it may be overwritten at any time.
9;;
;; Profile language version declaration.
10(version 1)
11
;; Default-deny baseline: an operation that no allow rule matches (here or in
;; an imported profile) is refused.
12(deny default)
13
;; Rules pulled in from shared profiles. Their contents are not visible in this
;; file, so the effective policy is broader than the rules listed below.
;; NOTE(review): audit these imports together with this profile.
14(import "com.apple.corefoundation.sb")
15(import "system.sb")
16(import "opendirectory.sb")
17 
;; Presumably applies a rule set defined by com.apple.corefoundation.sb -- confirm.
18(corefoundation)
19
;; ioctl is permitted on the DTrace helper device only. The same device is also
;; listed in the file-read* and file-write-data rules of this profile.
20(allow file-ioctl
21       (literal "/dev/dtracehelper"))
22
;; Let the daemon register its two Mach service names. The rule is emitted only
;; when the sandbox implementation defines the mach-register operation,
;; presumably so the profile still loads where that operation is unknown.
23(if (defined? 'mach-register)
24    (allow mach-register
25    	   (global-name "org.h5l.kdc")
26	   (global-name "org.h5l.ntlm-service")))
27
28;; This is needed for realpath on system keychain
;; Metadata-only access (no content reads) to these three exact paths. A
;; `literal` filter matches the named path itself, not anything beneath it.
29(allow file-read-metadata
30       (literal "/private")
31       (literal "/private/var")
32       (literal "/private/var/db"))
33
;; Read allow-list. `literal` entries match one exact path; `subpath` entries
;; match the named directory and everything beneath it.
34(allow file-read*
35       (literal "/")
36       (literal "/Library")
37       (literal "/Library/Keychains")
38       (literal "/Library/Keychains/System.keychain")
39       (literal "/Library/Security/Trust Settings/Admin.plist")
40       (literal "/Library/Preferences/edu.mit.Kerberos")
41       (literal "/Library/Preferences/com.apple.Kerberos.plist")
       ;; Anchored at the start only: every path beginning with this prefix matches.
42       (regex #"^/Library/Preferences/com\.apple\.GSS\.")
43       (literal "/Library/Preferences/com.apple.security.plist")
44       (literal "/Library/Preferences/.GlobalPreferences.plist")
45       (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
46       (literal "/dev/dtracehelper")
47       (literal "/dev/null")
48       (literal "/dev/random")
       ;; Literal entries: only the path itself is readable, not its contents.
       ;; NOTE(review): on macOS these are normally symlinks into /private -- confirm.
49       (literal "/tmp")
50       (literal "/etc")
51       (literal "/var")
52       (literal "/private/etc/hosts")
53       (literal "/private/etc/services")
54       (literal "/private/etc/localtime")
55       (literal "/private/etc/openldap/ldap.conf")
       ;; Whole trees. /private/var/db/krb5kdc appears in no write rule of this
       ;; file, so this profile by itself grants read access only to that tree.
       ;; NOTE(review): presumably the KDC database directory -- confirm that no
       ;; imported profile adds write access to it.
56       (subpath "/private/var/db/krb5kdc")
57       (subpath "/private/var/db/mds")
       ;; Plugin and framework trees. Code found here is presumably loaded into
       ;; the kdc process, so write access to these directories (which this
       ;; profile cannot control for other processes) should stay restricted.
58       (subpath "/System/Library/KerberosPlugins")
59       (subpath "/Library/KerberosPlugins")
60       (subpath "/Library/Frameworks"))
61
;; Write allow-list (all file-write operations) limited to two exact paths:
;; the daemon's log file and its pid file. No directory is writable here.
62(allow file-write*
63       (literal "/private/var/log/krb5kdc/kdc.log")
64       (literal "/private/var/run/kdc.pid"))
65
;; Data writes only, on three exact paths.
;; NOTE(review): kdc.log is already listed under file-write* in this profile,
;; so its entry here looks redundant -- confirm before removing.
66(allow file-write-data
67       (literal "/dev/dtracehelper")
68       (literal "/private/var/db/mds/system/mds.lock")
69       (literal "/private/var/log/krb5kdc/kdc.log"))
70
;; No filter is given, so POSIX shared memory is allowed for every name.
;; NOTE(review): broader than the other rules in this profile; narrow it to the
;; names the daemon actually needs if those are known.
71(allow ipc-posix-shm)
72
;; Mach services the daemon may look up. A service that is not named here or in
;; an imported profile stays blocked by (deny default).
73(allow mach-lookup
74	(global-name "com.apple.CoreServices.coreservicesd")
75	(global-name "com.apple.SecurityServer")
76	(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
77	(global-name "com.apple.SystemConfiguration.configd")
78	(global-name "com.apple.TrustEvaluationAgent")
79	(global-name "com.apple.ocspd")
80	(global-name "com.apple.networkd")
81	(global-name "com.apple.system.logger")
82	(global-name "com.apple.system.notification_center"))
83
;; Inbound traffic is accepted on port 88 (the standard Kerberos port) over TCP
;; and UDP, on any local address ("*"). No other listening port is allowed by
;; this rule.
84(allow network-inbound
85       (local tcp "*:88")
86       (local udp "*:88"))
87
;; Outbound connections: three Unix-domain socket paths, plus UDP and TCP to
;; any remote host and port (the `remote` filters carry no address).
;; NOTE(review): the sandbox therefore does not constrain egress; if the
;; daemon's outbound peers are known, restrict them here or enforce and monitor
;; egress with a host firewall.
88(allow network-outbound
89       (literal "/private/var/run/mDNSResponder")
90       (literal "/private/var/rpc/ncalrpc/NETLOGON")
91       (literal "/private/var/run/ldapi")
92       (remote udp)
93       (remote tcp))
94
;; The only executable this rule permits is the kdc binary itself; exec of any
;; other program is left to (deny default) unless an imported profile allows it.
;; NOTE(review): the binary lives under /usr/local -- confirm that path and its
;; parent directories are writable by root only.
95(allow process-exec
96       (literal "/usr/local/heimdal/libexec/kdc"))
97
;; Unfiltered: every sysctl may be read. This rule grants no sysctl writes.
98(allow sysctl-read)
99
100;;
101;; Make kdc quieter in syslog
102;;
103
;; Explicit deny of all file operations under /private/var/root. The
;; (with no-log) modifier suppresses the log entry for each denial.
;; NOTE(review): attempts to reach root's home directory therefore leave no
;; sandbox-violation record; detection of such attempts needs other telemetry.
104(deny file*
105      (subpath "/private/var/root")
106      (with no-log))
107