; Copyright 2018 The Chromium Authors. All rights reserved.
; Use of this source code is governed by a BSD-style license that can be
; found in the LICENSE file.

; --- The contents of common.sb implicitly included here. ---

; Injected parameters. Each symbol is bound to the *name* of a parameter;
; the value itself is fetched later with (param ...).
; network-service-storage-path-n is only a prefix: the storage-path loop
; appends an index to it to form the full parameter name.
(define network-service-storage-paths-count
  "NETWORK_SERVICE_STORAGE_PATHS_COUNT")
(define network-service-storage-path-n
  "NETWORK_SERVICE_STORAGE_PATH_")
(define network-service-test-certs-dir
  "NETWORK_SERVICE_TEST_CERTS_DIR")

; Grant access to storage locations 0 .. N-1, where N is the injected count
; and location i is read from the parameter named <prefix><i>.
; `file*` covers every file operation, not only read and write, and `subpath`
; extends the grant to everything beneath each location. These parameters
; therefore define the service's whole writable footprint.
; NOTE(review): a non-numeric count presumably makes string->number yield #f
; and the comparison below fail, rather than silently granting nothing --
; confirm that profile compilation fails closed in that case.
(let ((path-count (string->number (param network-service-storage-paths-count))))
  (let allow-next ((index 0))
    (if (< index path-count)
      (begin
        (allow file*
          (subpath
            (param (string-append network-service-storage-path-n
                                  (number->string index)))))
        (allow-next (+ index 1))))))

; Paths read by the DNS configuration watcher. The files are reached through
; a chain of symlinks, so every link and every intermediate directory is
; listed individually.
; NOTE(review): these are `path` filters, not `subpath`; presumably each one
; matches that exact node only, so the "/" entry does not open up the rest of
; the filesystem -- confirm.
(allow file-read*
  ; Root and the /etc view of the files.
  (path "/")
  (path "/etc")
  (path "/etc/hosts")
  (path "/etc/resolv.conf")
  ; The /private tree.
  (path "/private")
  (path "/private/etc")
  (path "/private/etc/hosts")
  (path "/private/etc/resolv.conf")
  (path "/private/var")
  (path "/private/var/run")
  (path "/private/var/run/resolv.conf")
  ; The /var view of the run directory.
  (path "/var")
  (path "/var/run"))

; Local preferences: read-only access to the single file
; ~/Library/Preferences/<bundle-id>.plist.
; bundle-id is not defined in this section (presumably it comes with
; common.sb).
(allow file-read*
  (path
    (user-homedir-path
      (string-append "/Library/Preferences/" (param bundle-id) ".plist"))))

; Certificate databases. Everything in this rule is read-only: two security
; preference files (exact paths) and the system and per-user keychain and
; trust-store directories (whole subtrees). No file-write* is granted on any
; of these locations by this rule.
(allow file-read*
  ; Exact files.
  (path "/Library/Preferences/com.apple.security.plist")
  ; https://crbug.com/1024000
  (path (user-homedir-path "/Library/Preferences/com.apple.security.revocation.plist"))
  ; Directory trees.
  (subpath "/Library/Keychains")
  (subpath "/System/Library/Keychains")
  (subpath "/System/Library/Security")
  (subpath "/private/var/db/mds")
  (subpath (user-homedir-path "/Library/Keychains")))
; Read and write access to the whole per-user Darwin cache and temp
; directory trees. Both locations are parameters defined outside this
; section. Together with the storage paths, these are the only places this
; section grants file-write*.
(allow file-read* file-write*
  (subpath (param darwin-user-cache-dir))
  (subpath (param darwin-user-temp-dir)))
; Optional read-only access to a test certificate directory. The rule exists
; only when the NETWORK_SERVICE_TEST_CERTS_DIR parameter is supplied.
; NOTE(review): presumably only test launches define this parameter --
; confirm that production launches leave it unset.
(if (param-defined? network-service-test-certs-dir)
  (allow file-read*
    (subpath (param network-service-test-certs-dir))))

; Network socket access (outbound).
; The `remote tcp` and `remote udp` filters carry no address or port
; restriction, so this profile places no limit on where the service may
; connect. Anything that must stay unreachable from a compromised network
; service has to be protected by controls outside this sandbox.
(allow network-outbound
  ; Named endpoints: a kernel control and the mDNSResponder socket.
  (control-name "com.apple.netsrc")
  (literal "/private/var/run/mDNSResponder")
  ; Any remote TCP or UDP peer.
  (remote tcp)
  (remote udp))
; Binding and accepting inbound traffic on local TCP and UDP sockets.
; No address or port is specified, so the profile does not limit which local
; endpoint the service may listen on.
(allow network-bind network-inbound
  (local tcp)
  (local udp))

; DNS resolution: system sockets.
; Two alternatives are allowed. AF_SYSTEM sockets are accepted only in
; combination with protocol 2 (SYSPROTO_CONTROL); AF_ROUTE sockets are
; accepted without a protocol restriction.
(allow system-socket
  (require-all
    (socket-domain AF_SYSTEM)
    (socket-protocol 2)) ; SYSPROTO_CONTROL
  (socket-domain AF_ROUTE))

; Shared memory used by distributed notifications. Only the read-data
; operation is granted, and only on this one named region.
(allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center"))

; Notification data from the security server database.
; This rule uses the general ipc-posix-shm operation rather than a read-only
; variant, limited to this one named region.
; NOTE(review): if read access is all that is needed here, a narrower
; operation would reduce what the service can do to this region -- confirm
; what the security framework requires.
(allow ipc-posix-shm
  (ipc-posix-name "com.apple.AppleDatabaseChanged"))

; Mach services the network service may look up by global name. Each entry
; is a system daemon the sandboxed process can send messages to, so the list
; is part of the sandbox's outward attack surface and should stay limited to
; what is listed with a stated reason.
(allow mach-lookup
  ; Backup exclusion for cache files.
  (global-name "com.apple.backupd.sandbox.xpc")

  ; Looking up _CS_DARWIN_USER_CACHE_DIR from inside the sandbox.
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.opendirectoryd.membership")

  ; Notifications of DNS changes.
  (global-name "com.apple.system.notification_center")

  ; Security server communication for TLS certificate information.
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.networkd") ; https://crbug.com/1024000
  (global-name "com.apple.ocspd")
  (global-name "com.apple.trustd.agent")

  ; Reading network configuration.
  (global-name "com.apple.SystemConfiguration.DNSConfiguration")
  (global-name "com.apple.SystemConfiguration.configd"))

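; Read access to the routing-table sysctls.
; The dot is escaped so that it matches only a literal "." in the sysctl
; name; unescaped, it is a regex wildcard and the rule would also accept any
; name of the form net<one character>routetable...
; The pattern is anchored at the start only, so it acts as a prefix match on
; "net.routetable" (presumably to cover the variable suffix of the name --
; confirm).
(allow sysctl-read
  (sysctl-name-regex #"^net\.routetable"))
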
; Kerberos support. These two rules exist only because GSS still runs inside
; the network service, and they should be deleted once it is moved out.
; https://crbug.com/1017830
; Until then they add one more reachable Mach service and read access to the
; Kerberos configuration file and framework plugins.
(allow mach-lookup
  (global-name "org.h5l.kcm"))
(allow file-read*
  (path "/private/etc/krb5.conf")
  (subpath "/System/Library/KerberosPlugins/KerberosFrameworkPlugins"))
125