;;
;; named - sandbox profile
;; Copyright (c) 2006-2007 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;

;; Reading guide: the profile denies by default and then lists what named
;; may do. Rule order is kept exactly as in the original listing.

(version 1)

;; Report operations that the profile denies.
(debug deny)

;; Pull in the shared rules from bsd.sb.
;; NOTE(review): bsd.sb is not part of this listing, so the effective policy
;; is this file plus whatever the import grants -- audit the two together.
(import "bsd.sb")

;; Baseline: anything not explicitly allowed is denied.
(deny default)

;; NOTE(review): process* is a wildcard over the process operations; this
;; file adds no filter to it, so nothing here narrows what named may
;; fork or execute.
(allow process*)

;; The signal operation is denied outright.
(deny signal)

(allow sysctl-read)

;; NOTE(review): network* is a wildcard with no address, port or direction
;; filter. The sandbox therefore does not limit named's network reach;
;; that has to come from named.conf and host firewall rules.
(allow network*)

;; Allow named-specific files
;; Read/write set: the pid file and the log file, each matched as one exact
;; path ("^" ... "$"). The optional "(/private)?" prefix accepts either
;; spelling of the /var path.
(allow
  file-write*
  file-read-data
  file-read-metadata
  (regex
    "^(/private)?/var/run/named\\.pid$"
    "^/Library/Logs/named\\.log$"))

;; Read-only set: the rndc key, resolver configuration, named configuration,
;; and the /var/named/ tree.
;; - The last pattern has no "$" anchor, so it matches every path below
;;   /var/named/, not a single file.
;; - No write rule for /var/named/ appears in this file; anything named must
;;   write there would need a grant from bsd.sb or is denied -- TODO confirm.
;; - rndc.key is secret material; this rule only permits the read, so the
;;   file's own ownership and mode still need to be restrictive.
(allow
  file-read-data
  file-read-metadata
  (regex
    "^(/private)?/etc/rndc\\.key$"
    "^(/private)?/etc/resolv\\.conf$"
    "^(/private)?/etc/named\\.conf$"
    "^(/private)?/var/named/"))
31