;;
;; kpasswdd - sandbox profile
;; Copyright (c) 2009 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
;; Reading guide: the profile denies everything by default and then lists the
;; operations the daemon may perform. (literal "...") matches one exact path;
;; (subpath "...") matches a directory and everything beneath it.
;;
(version 1)

;; Default-deny baseline: any operation not matched by an allow rule below
;; (or by the imported profile) is refused.
(deny default)

;; Pulls in the rules from opendirectory.sb. That file is not shown here, so
;; the effective policy is this profile plus whatever the import allows.
(import "opendirectory.sb")

(allow file-ioctl
       (literal "/dev/dtracehelper"))

;; Read access. The three subpath rules for /System, /usr/lib and /usr/share
;; are the broadest grants in this section.
(allow file-read*
       (literal "/Library/Preferences/edu.mit.Kerberos")
       (literal "/Library/Preferences/com.apple.Kerberos.plist")
       (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
       (literal "/dev/dtracehelper")
       (literal "/dev/null")
       (literal "/dev/random")
       ;; literal filters: only the named path itself, not its contents.
       ;; Presumably present so the /tmp, /etc and /var entries can be
       ;; resolved to their /private targets; confirm.
       (literal "/tmp")
       (literal "/etc")
       (literal "/var")
       (literal "/private/etc/localtime")
       (subpath "/private/var/db/mds")
       ;; NOTE(review): this path repeats "var" ("/private/var/var/..."),
       ;; while the file-write* rule below names "/private/var/db/krb5kdc".
       ;; As written, this rule does not grant read access to the directory
       ;; the write rule covers. Confirm the intended path before changing
       ;; it: correcting it widens what the daemon may read.
       (subpath "/private/var/var/db/krb5kdc")
       (subpath "/System")
       (subpath "/usr/lib")
       (subpath "/usr/share")
       )

;; Full write access (all file-write operations) to the log file, the pid
;; file and the whole krb5kdc database directory.
;; NOTE(review): the log and pid file names say "kadmin" although the header
;; names kpasswdd; confirm these are the files this daemon actually uses.
(allow file-write*
       (literal "/private/var/log/krb5kdc/kadmin.log")
       (literal "/private/var/run/kadmin.pid")
       (subpath "/private/var/db/krb5kdc")
       )

;; Data-only writes. The kadmin.log entry is already covered by the
;; file-write* rule above, so it adds nothing here.
(allow file-write-data
       (literal "/dev/dtracehelper")
       (literal "/private/var/db/mds/system/mds.lock")
       (literal "/private/var/log/krb5kdc/kadmin.log"))

;; No filter: applies to every POSIX shared-memory object.
;; NOTE(review): consider restricting to the names the daemon needs.
(allow ipc-posix-shm)

;; Mach services the daemon may look up by global name.
(allow mach-lookup
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))

;; Inbound traffic is limited to local port 749 on any address, TCP and UDP.
;; NOTE(review): 749 is the registered kerberos-adm port and the registered
;; kpasswd port is 464; confirm 749 is the port this daemon binds.
(allow network-inbound
       (local tcp "*:749")
       (local udp "*:749"))

;; Outbound: three filesystem paths (presumably local sockets for
;; mDNSResponder, the password server and LDAP; confirm), plus
;; (remote udp) and (remote tcp) with no host or port filter.
;; NOTE(review): the unfiltered remote rules appear to permit outbound
;; connections to any destination; narrow them if the set of peers is known.
(allow network-outbound
       (literal "/private/var/run/mDNSResponder")
       (literal "/var/run/passwordserver")
       (literal "/var/run/ldapi")
       (remote udp)
       (remote tcp))

;; No filter: every sysctl may be read.
(allow sysctl-read)