; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2012 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions are met:
;
; 1. Redistributions of source code must retain the above copyright notice,
; this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright notice,
; this list of conditions and the following disclaimer in the documentation
; and/or other materials provided with the distribution.
; 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of its
; contributors may be used to endorse or promote products derived from this
; software without specific prior written permission.
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
;############################################################################


; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.
; Sandbox profile (SBPL) for mDNSResponder. The profile is default-deny: every
; (allow ...) form below is an explicit carve-out, and the rules contributed by the
; imported "system.sb" are not visible in this file.
; NOTE(review): SBPL gives later rules precedence over earlier ones, so the order of
; the forms below is load-bearing (see the /Library/Keychains deny/allow pair).

; Profile language version.
(version 1)
; When mDNSResponder is denied access, we want to avoid symbolification of mDNSResponder
; to get the stack trace as that can get into deadlock. no-callout will prevent
; symbolification.
(deny default (with no-callout))

(import "system.sb")

; Baseline: metadata reads on any path and POSIX shared memory, both unfiltered.
(allow file-read-metadata ipc-posix-shm)

; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
; Each service is named explicitly; no wildcard or prefix lookups are granted.
(allow mach-lookup
    (global-name "com.apple.bsd.dirhelper")
    (global-name "com.apple.distributed_notifications.2")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.PowerManagement.control")
    (global-name "com.apple.mDNSResponderHelper")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
    (global-name "com.apple.SystemConfiguration.DNSConfiguration")
    (global-name "com.apple.SystemConfiguration.NetworkInformation")
    (global-name "com.apple.system.notification_center")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.webcontentfilter.dns")
    (global-name "com.apple.server.bluetooth")
    (global-name "com.apple.awacs")
    (global-name "com.apple.networkd")
    (global-name "com.apple.securityd")
    (global-name "com.apple.wifi.manager")
    (global-name "com.apple.commcenter.cupolicy.xpc")
    (global-name "com.apple.blued")
    (global-name "com.apple.snhelper"))

; The only Mach service this process may register itself.
(allow mach-register
    (global-name "com.apple.d2d.ipc"))

; Networking, including Unix Domain Sockets
; NOTE(review): this is the broadest grant in the profile -- every network
; operation, with no address, port or protocol filter.
(allow network*)

; Raw sockets
; Only granted when the sandbox in use defines the system-socket operation,
; so the profile still loads where it does not exist.
(if (defined? 'system-socket)
    (allow system-socket))

; Hardware model information
(allow sysctl-read)

; Syslog early in the boot process
(allow file-read-data file-write-data (literal "/dev/console"))

(allow file-read-data
    ; /etc/hosts support
    (literal "/private/etc/hosts")
    (literal "/private/etc"))

; Our socket
; Read and write (including create/unlink class operations) on the listening
; socket path only; no other path under /private/var/run is granted.
(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))

; System version, settings, and other miscellaneous necessary file system accesses
; Read-only, and almost entirely literal paths; the two regexes cover the
; per-host GlobalPreferences variants and the com.apple.security.* plists.
(allow file-read-data
    ; Needed for CFCopyVersionDictionary()
    (literal "/usr/sbin")
    (literal "/usr/sbin/mDNSResponder")

    (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
    (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
    (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
    (literal "/Library/Preferences/com.apple.crypto.plist")
    (literal "/Library/Security/Trust Settings/Admin.plist")
    (regex #"^/Library/Preferences/com\.apple\.security\.")
    (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
    (literal "/private/var/preferences/SystemConfiguration/preferences.plist"))

; For MAC Address
(allow system-info (info-type "net.link.addr"))

; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here (to things which we don't need), we disable any
; logging that might happen during the access
; The deny matches everything under /Library/Keychains/ and suppresses the log
; entry; the allow for System.keychain is listed after it so that it takes
; precedence for that one file. Do not reorder these two rules.
(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data (literal "/Library/Keychains/System.keychain"))

; Access to mDNSResponder Managed Preferences profile
; instead of using (mobile-preferences-read "com.apple.mDNSResponder") we use the lines below for OSX compatibility
; NOTE(review): the second rule is a literal match that ends in a trailing slash;
; confirm this is the path actually opened, as literal does not match children.
(allow file-read* (literal "/private/var/Managed Preferences/mobile"))
(allow file-read* (literal "/private/var/Library/Preferences/"))
(allow file-read* (literal "/Library/Managed Preferences"))
(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.mDNSResponder.plist"))

; Our Module Directory Services cache
; Read-only on the whole cache trees ...
(allow file-read-data
    (subpath "/private/var/tmp/mds")
    (subpath "/private/var/db/mds"))

; ... and read/write only on the numeric (per-uid) subdirectories and the
; per-user mds directories under /private/var/folders.
(allow file-read* file-write*
    (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
    (regex #"^/private/var/db/mds/[0-9]+(/|$)")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")

    ; Required on 10.5 and 10.6
    (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))

; CRL Cache for SSL/TLS connections
(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))

; For mDNS sleep proxy offload and IOPMConnectionCreate
; Guarded like system-socket above: only emitted where iokit-open is defined.
; NOTE(review): grants are by user-client class name only. The last two classes
; are not obviously tied to DNS offload or power management -- confirm each is
; still required rather than carried forward.
(if (defined? 'iokit-open)
    (begin
        (allow iokit-open
            (iokit-user-client-class "NVEthernetUserClientMDNS")
            (iokit-user-client-class "mDNSOffloadUserClient")
            (iokit-user-client-class "wlDNSOffloadUserClient")
            (iokit-user-client-class "RootDomainUserClient")
            (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))