rtems/rtems-libbsd
1
0
Fork 0
mirror of https://git.rtems.org/rtems-libbsd/ synced 2025-06-05 17:20:52 +08:00
Code Issues Packages Projects Releases Wiki Activity
rtems-libbsd/mDNSResponder/mDNSMacOSX/mDNSResponder.sb
Sebastian Huber a6b1d332b1 mDNSResponder: Update to v878.200.35 
The sources can be obtained via:

https://opensource.apple.com/tarballs/mDNSResponder/mDNSResponder-878.200.35.tar.gz

Update #4010.
2020-06-23 18:17:22 +02:00

178 lines
7.5 KiB
Scheme
Raw Permalink Blame History

; -*- Mode: Scheme; tab-width: 4 -*-
;
; Copyright (c) 2012-2018 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions are met:
;
; 1. Redistributions of source code must retain the above copyright notice,
; this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright notice,
; this list of conditions and the following disclaimer in the documentation
; and/or other materials provided with the distribution.
; 3. Neither the name of Apple Inc. ("Apple") nor the names of its
; contributors may be used to endorse or promote products derived from this
; software without specific prior written permission.
;
; THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
; EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
; DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
; DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
; ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
; (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
; SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
;
;############################################################################
; WARNING: The sandbox rule capabilities and syntax used in this file are currently an
; Apple SPI (System Private Interface) and are subject to change at any time without notice.
(version 1)
; When mDNSResponder is denied access, we want to avoid symoblification of mDNSResponder
; to get the stack trace as that can get into deadlock. no-callout will prevent
; symbolification.
(deny default (with no-callout))
(import "system.sb")
; Baseline
(allow file-read-metadata ipc-posix-shm)
; Mach communications
; These are needed for things like getpwnam, hostname changes, & keychain
(allow mach-lookup
(global-name "com.apple.analyticsd")
(global-name "com.apple.awdd")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.coreservices.quarantine-resolver")
(global-name "com.apple.distributed_notifications.2")
(global-name "com.apple.distributed_notifications@1v3")
(global-name "com.apple.lsd.mapdb")
(global-name "com.apple.ocspd")
(global-name "com.apple.PowerManagement.control")
(global-name "com.apple.mDNSResponderHelper")
(global-name "com.apple.mDNSResponder_Helper")
(global-name "com.apple.SecurityServer")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.SystemConfiguration.SCNetworkReachability")
(global-name "com.apple.SystemConfiguration.DNSConfiguration")
(global-name "com.apple.SystemConfiguration.NetworkInformation")
(global-name "com.apple.system.notification_center")
(global-name "com.apple.system.logger")
(global-name "com.apple.usymptomsd")
(global-name "com.apple.webcontentfilter.dns")
(global-name "com.apple.server.bluetooth")
(global-name "com.apple.server.bluetooth.le.att.xpc")
(global-name "com.apple.awacs")
(global-name "com.apple.networkd")
(global-name "com.apple.securityd")
(global-name "com.apple.wifi.manager")
; "com.apple.blued" is the name used in pre Lobo builds,
; leave it in place while still running roots on pre Lobo targets
(global-name "com.apple.blued")
(global-name "com.apple.bluetoothd")
(global-name "com.apple.mobilegestalt.xpc")
(global-name "com.apple.ReportCrash.SimulateCrash")
(global-name "com.apple.snhelper"))
(allow mach-register
(global-name "com.apple.d2d.ipc"))
; Networking, including Unix Domain Sockets
(allow network*)
; Raw sockets
(if (defined? 'system-socket)
(allow system-socket))
; Hardware model information
(allow sysctl-read)
; Syslog early in the boot process
(allow file-read-data file-write-data (literal "/dev/console"))
(allow file-read-data
; /etc/hosts support
(literal "/private/etc/hosts")
(literal "/private/etc"))
; Our socket
(allow file-read* file-write* (literal "/private/var/run/mDNSResponder"))
; BPF control for sleep proxy server
(allow file-ioctl (prefix "/dev/bpf"))
; Used by CoreCrypto AES routines.
(allow file-read* file-write-data file-ioctl
(literal "/dev/aes_0"))
; System version, settings, and other miscellaneous necessary file system accesses
(allow file-read-data
; Needed for CFCopyVersionDictionary()
(literal "/usr/sbin")
(literal "/usr/sbin/mDNSResponder")
(literal "/Library/Preferences/com.apple.mDNSResponder.plist")
(literal "/Library/Preferences/SystemConfiguration/preferences.plist")
(literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")
(regex #"^/Library/Preferences/(ByHost/)?\.GlobalPreferences\.")
(literal "/Library/Preferences/com.apple.crypto.plist")
(literal "/Library/Security/Trust Settings/Admin.plist")
(regex #"^/Library/Preferences/com\.apple\.security\.")
(literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
(literal "/private/var/preferences/SystemConfiguration/preferences.plist")
(subpath "/System/Library/Preferences/Logging")
(subpath "/AppleInternal/Library/Preferences/Logging")
(subpath "/private/var/preferences/Logging")
(subpath "/private/var/db/timezone")
(subpath "/Library/Preferences/Logging"))
; For MAC Address
(allow system-info (info-type "net.link.addr"))
; We just need access to System.keychain. But we don't want errors logged if other keychains are
; accessed under /Library/Keychains. Other keychains may be accessed as part of setting up an SSL
; connection. Instead of adding access to it here (to things which we don't need), we disable any
; logging that might happen during the access
(deny file-read-data (regex #"^/Library/Keychains/") (with no-log))
(allow file-read-data (literal "/Library/Keychains/System.keychain"))
; Our Module Directory Services cache
(allow file-read-data
(subpath "/private/var/tmp/mds")
(subpath "/private/var/db/mds"))
(allow file-read* file-write*
(regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
(regex #"^/private/var/db/mds/[0-9]+(/|$)")
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
; Required on 10.5 and 10.6
(regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/mds(/|$)"))
; CRL Cache for SSL/TLS connections
(allow file-read-data (literal "/private/var/db/crls/crlcache.db"))
; For mDNS sleep proxy offload and IOPMConnectionCreate
(if (defined? 'iokit-open)
(begin
(allow iokit-open
(iokit-user-client-class "NVEthernetUserClientMDNS")
(iokit-user-client-class "mDNSOffloadUserClient")
(iokit-user-client-class "wlDNSOffloadUserClient")
(iokit-user-client-class "RootDomainUserClient")
(iokit-user-client-class "AppleMobileFileIntegrityUserClient"))))
; Internal builds only
(with-filter (system-attribute apple-internal)
(allow sysctl-read sysctl-write
(sysctl-name "vm.footprint_suspend"))) ; dyld performance reporting
Reference in New Issue View Git Blame Copy Permalink