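;;
;; ntpd - sandbox profile
;; Copyright (c) 2006-2009 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
;; Reading guide: the policy is default-deny. Every operation ntpd may
;; perform is allowed explicitly below, and the rules of "bsd.sb" are
;; imported at the end. bsd.sb is not part of this file, so the effective
;; policy is this file plus whatever that import allows.
;;
(version 1)

;;; Anything not matched by an allow rule (here or in bsd.sb) is refused.
(deny default)

;;; fork() only; this file contains no process-exec rule.
(allow process-fork)

;;; Single IOKit user client, selected by class name.
;;; NOTE(review): presumably used for power/sleep-wake notifications - confirm.
(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

;;; Allow NTP specific files
;;; Read-only access (data + metadata) to configuration, keys and the
;;; services/hosts databases. "literal" is an exact path, "regex" a pattern.
;;; The dot in tmpntp\.conf is escaped so that it matches only a literal
;;; '.', consistent with the other ntp regexes in this profile; the
;;; trailing .* still accepts any suffix after "tmpntp.conf".
(allow file-read-data file-read-metadata
       (literal "/private/etc/ntp-restrict.conf")
       (literal "/private/etc/ntp_opendirectory.conf")
       (regex "^/private/etc/ntp\\.(conf|keys)$")
       (literal "/private/var/mobile/Library/Preferences/ntp.conf")
       (regex "^/private/etc/(services|hosts)$")
       (regex "^/private/var/run/tmpntp\\.conf.*"))

;;; Read/write locations: the pid file, the drift file (and its .TEMP
;;; sibling) and two temporary directories.
;;; NOTE(review): "subpath" covers the directory and everything beneath it,
;;; so all of /private/tmp and /private/var/tmp is writable by the daemon,
;;; not just files it created. Narrow to specific names if the daemon's
;;; temp-file naming is known.
(allow file-write* file-read-data file-read-metadata
       (literal "/private/var/run/ntpd.pid")
       (regex "^/private/var/(db|mobile/Library/Preferences)/ntp\\.drift(\\.TEMP)?$")
       (subpath "/private/tmp")
       (subpath "/private/var/tmp"))

;;; Inbound: UDP on local port 123 (NTP), any local address.
(allow network-inbound
       (local udp "*:123"))

;;; Outbound: two named kernel control sockets, the mDNSResponder socket
;;; path, and UDP.
;;; NOTE(review): (remote udp) carries no host or port filter, so outbound
;;; UDP is not limited to port 123 by this rule.
(allow network-outbound
       (control-name "com.apple.netsrc")
       (control-name "com.apple.network.statistics")
       (literal "/private/var/run/mDNSResponder")
       (remote udp))

;;; Mach services ntpd may look up by global name: networkd and three
;;; SystemConfiguration endpoints. Lookups of any other name are denied
;;; unless bsd.sb allows them.
(allow mach-lookup
       (global-name "com.apple.networkd")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.SystemConfiguration.DNSConfiguration")
       (global-name "com.apple.SystemConfiguration.SCNetworkReachability"))

;;; The privilege this daemon exists for: setting the system clock.
(allow system-set-time)
;;; NOTE(review): presumably required for the control-name sockets above - confirm.
(allow system-socket)
;;; Shared baseline rules; review bsd.sb together with this file.
(import "bsd.sb")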