1; -*- Mode: Scheme; tab-width: 4 -*-
2;
3; Copyright (c) 2012 Apple Inc. All rights reserved.
4;
5; Redistribution and use in source and binary forms, with or without 
6; modification, are permitted provided that the following conditions are met:
7;
8; 1.  Redistributions of source code must retain the above copyright notice, 
9;     this list of conditions and the following disclaimer. 
10; 2.  Redistributions in binary form must reproduce the above copyright notice, 
11;     this list of conditions and the following disclaimer in the documentation 
12;     and/or other materials provided with the distribution. 
13; 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of its 
14;     contributors may be used to endorse or promote products derived from this 
15;     software without specific prior written permission. 
16;
17; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 
18; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
19; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
20; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 
21; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
22; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
23; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
24; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
25; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
26; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27;
28;############################################################################
29
30
31; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
32; Apple SPI (System Private Interface) and are subject to change at any time without notice.
33
34(version 1)
35; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder
36; to get the stack trace as that can get into deadlock. no-callout will prevent
37; symbolification.
38(deny default (with no-callout))
39
40(import "system.sb")
41
42; Baseline
43(allow file-read-metadata ipc-posix-shm)
44
45; Mach communications
46; These are needed for things like getpwnam, hostname changes, & keychain
47(allow mach-lookup
48       (global-name "com.apple.bsd.dirhelper")
49       (global-name "com.apple.distributed_notifications.2")
50       (global-name "com.apple.ocspd")
51       (global-name "com.apple.PowerManagement.control")
52       (global-name "com.apple.mDNSResponderHelper")
53       (global-name "com.apple.SecurityServer")
54       (global-name "com.apple.SystemConfiguration.configd")
55       (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
56       (global-name "com.apple.SystemConfiguration.DNSConfiguration")
57       (global-name "com.apple.SystemConfiguration.NetworkInformation")
58       (global-name "com.apple.system.notification_center")
59       (global-name "com.apple.system.logger")
60       (global-name "com.apple.webcontentfilter.dns")
61       (global-name "com.apple.server.bluetooth")
62       (global-name "com.apple.awacs")
63       (global-name "com.apple.networkd")
64       (global-name "com.apple.securityd")
65       (global-name "com.apple.wifi.manager")
66       (global-name "com.apple.commcenter.cupolicy.xpc")
67       (global-name "com.apple.blued")
68       (global-name "com.apple.snhelper"))
69
70(allow mach-register
71       (global-name "com.apple.d2d.ipc"))
72
73; Networking, including Unix Domain Sockets
74(allow network*)
75
76; Raw sockets
77(if (defined? 'system-socket)
78    (allow system-socket))
79
80; Hardware model information
81(allow sysctl-read)
82
83; Syslog early in the boot process
84(allow file-read-data file-write-data (literal "/dev/console"))
85
86(allow file-read-data
87       ; /etc/hosts support
88       (literal "/private/etc/hosts")
89       (literal "/private/etc"))
90
91; Our socket
92(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))
93
94; System version, settings, and other miscellaneous necessary file system accesses
95(allow file-read-data
96       ; Needed for CFCopyVersionDictionary()
97       (literal "/usr/sbin")
98       (literal "/usr/sbin/mDNSResponder")
99
100       (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
101       (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
102       (regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
103       (literal "/Library/Preferences/com.apple.crypto.plist")
104       (literal "/Library/Security/Trust Settings/Admin.plist")
105       (regex #"^/Library/Preferences/com\.apple\.security\.")
106       (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
107       (literal "/private/var/preferences/SystemConfiguration/preferences.plist"))
108
109; For MAC Address
110(allow system-info (info-type "net.link.addr"))
111
112; We just need access to System.keychain. But we don't want errors logged if other keychains are
113; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
114; connection. Instead of adding access to it here (to things which we don't need), we disable any
115; logging that might happen during the access
116(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
117(allow file-read-data (literal "/Library/Keychains/System.keychain"))
118
119; Access to mDNSResponder Managed Preferences profile
120; instead of using (mobile-preferences-read "com.apple.mDNSResponder") we use the lines below for OSX compatibility
121(allow file-read* (literal "/private/var/Managed Preferences/mobile"))
122(allow file-read* (literal "/private/var/Library/Preferences/"))
123(allow file-read* (literal "/Library/Managed Preferences"))
124(allow file-read* (literal "/private/var/Managed Preferences/mobile/com.apple.mDNSResponder.plist"))
125
126; Our Module Directory Services cache
127(allow file-read-data
128       (subpath "/private/var/tmp/mds")
129       (subpath "/private/var/db/mds"))
130
131(allow file-read* file-write*
132       (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
133       (regex #"^/private/var/db/mds/[0-9]+(/|$)")
134       (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
135
136       ; Required on 10.5 and 10.6
137       (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))
138
139; CRL Cache for SSL/TLS connections
140(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))
141
142; For mDNS sleep proxy offload and IOPMConnectionCreate
143(if (defined? 'iokit-open)
144   (begin
145     (allow iokit-open
146        (iokit-user-client-class "NVEthernetUserClientMDNS")
147        (iokit-user-client-class "mDNSOffloadUserClient")
148        (iokit-user-client-class "wlDNSOffloadUserClient")
149        (iokit-user-client-class "RootDomainUserClient")
150        (iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))
151