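;;
;; ntpd - sandbox profile
;; Copyright (c) 2006-2009, 2014 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

;; Default-deny: an operation is refused unless an allow rule in this file
;; (or in the profile imported at the bottom) matches it.
(deny default)

;; Forking is allowed. No process-exec rule appears in this file, so any
;; ability to exec another binary would have to come from the imported profile.
(allow process-fork)

;; IOKit access is limited to one user-client class.
(allow iokit-open
       (iokit-user-client-class "RootDomainUserClient"))

;; Read-only inputs: ntpd configuration and key files, plus the resolver,
;; services and hosts files.
(allow file-read-data file-read-metadata
       (literal "/private/etc/ntp-restrict.conf")
       (literal "/private/etc/ntp_opendirectory.conf")
       (literal "/private/var/run/resolv.conf")
       (regex "^/private/etc/ntp\\.(conf|keys)$")
       (regex "^/private/etc/(services|hosts)$")
       ;; The dot before "conf" is escaped so it matches a literal '.', in
       ;; line with the ntp\\.(conf|keys) rule above. The pattern has no end
       ;; anchor, so it remains a prefix match: every path that starts with
       ;; /private/var/run/tmpntp.conf is readable.
       ;; NOTE(review): confirm the suffix ntpd's temporary config uses before
       ;; tightening the tail (for example to [^/]*$).
       (regex "^/private/var/run/tmpntp\\.conf.*"))

;; Read/write state. file-write* is a wildcard over the file-write operations.
;; The pid file and the drift file (with its .TEMP sibling) are pinned
;; exactly. The two subpath rules are the broadest grants in this profile:
;; they cover everything under the shared temporary directories, where a
;; compromised ntpd is then limited only by ordinary file permissions.
(allow file-write* file-read-data file-read-metadata
       (literal "/private/var/run/ntpd.pid")
       (regex "^/private/var/db/ntp\\.drift(\\.TEMP)?$")
       (subpath "/private/tmp")
       (subpath "/private/var/tmp"))

;; Inbound traffic: UDP port 123 only, on any local address.
(allow network-inbound
       (local udp "*:123"))

;; Outbound traffic: two named control sockets, the mDNSResponder socket
;; path, and UDP to any remote address and port -- the (remote udp) filter
;; carries no host or port restriction.
(allow network-outbound
       (control-name "com.apple.netsrc")
       (control-name "com.apple.network.statistics")
       (literal "/private/var/run/mDNSResponder")
       (remote udp))

;; Mach services ntpd may look up: networkd and three SystemConfiguration
;; services (configd, DNS configuration, network reachability).
(allow mach-lookup
       (global-name "com.apple.networkd")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.DNSConfiguration")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability"))

;; Setting the system clock is the one privileged operation granted here.
(allow system-set-time)

;; NOTE(review): presumably needed for the control-name sockets above -- confirm.
(allow system-socket)

;; Pull in the shared base profile. Its rules are not visible in this file,
;; so the effective policy is this file plus whatever bsd.sb allows; audit
;; both together.
(import "bsd.sb")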