/
kadmind.sb
81 lines (66 loc) · 2.88 KB
/
kadmind.sb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
;
;; kadmind - sandbox profile
;; Copyright (c) 2007, 2008, 2009 Apple Inc. All Rights reserved.
;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;
(version 1)
(deny default)
(debug deny)
(allow mach-lookup
(global-name "com.apple.system.notification_center")
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.DirectoryService.membership_v1")
(global-name "com.apple.system.DirectoryService.libinfo_v1"))
(allow file-read*
(literal "/private/etc/master.passwd")
(literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")
(literal "/dev/autofs_nowait")
(literal "/Library/Preferences/edu.mit.Kerberos")
(literal "/Library/Preferences/.GlobalPreferences.plist")
(regex #"^/private/var/root/Library/Preferences/ByHost/\.GlobalPreferences\.[^/]+\.plist$")
(regex #"^/private/var/db/dyld/dyld_shared_")
(regex #"^/usr/share/zoneinfo(/|$)")
(regex #"^/usr/share/icu(/|$)")
(regex #"^/System/Library/CFMSupport(/|$)")
(regex #"^/System/Library/Frameworks(/|$)")
(regex #"^/System/Library/KerberosPlugins(/|$)")
(regex #"^/System/Library/PrivateFrameworks/KAdminServer\.framework(/|$)")
(regex #"^/System/Library/PrivateFrameworks/PasswordServer\.framework(/|$)")
(regex #"^/System/Library/PrivateFrameworks/KDB5\.framework(/|$)")
(regex #"^/System/Library/PrivateFrameworks/GSSRPC\.framework(/|$)")
(regex #"^/usr/lib/")
(regex #"^/usr/sbin(/kadmind)?$")
(regex #"^/dev/u?random$")
(literal "/dev/null")
)
(allow file-read-metadata)
(allow file-write*
(literal "/private/var/log/krb5kdc/kadmin.log")
(literal "/Library/Preferences/edu.mit.Kerberos"))
(allow file-read* file-write*
(literal "/private/var/db/authserver/authservermain") ; mkpassdb
(literal "/private/var/run/passwordserver") ; mkpassdb
(literal "/Library/Preferences/com.apple.passwordserver.plist")
(regex "^/private/var/db/krb5kdc(/|$)")
(regex "^/private/var/tmp/kadmin_")
(regex "^/private/var/tmp/krb5_RC")
(regex "^(/private)?/var/run/kadmind.pid$"))
(allow file-read* file-write* file-ioctl
(literal "/dev/dtracehelper"))
(allow process-fork)
(allow process-exec
(literal "/usr/sbin/kadmind")
(literal "/usr/sbin/mkpassdb"))
(allow sysctl-read)
(allow ipc-posix-shm)
(allow network*
(local ip "*:749") ; kerberos-adm
(local ip "*:464") ; kpasswd
(remote unix "^/private/var/run/passwordserver$")
)
(allow sysctl-read) ; serialnumberd