
Bugfixing, Doc and profile writing

1 parent fb5c358 commit cb0810025862533b8c67c48b20c568883cb746a8 @hellais committed Feb 5, 2012
Showing with 360 additions and 13 deletions.
  1. +41 −11 Readme.md
  2. +2 −2 buckleup.py
  3. +317 −0 profiles/Skype.sb
52 Readme.md
@@ -3,8 +3,8 @@ The aim of this project is raise sensibility of security on OS X
and develop seatbelt profiles for all of the common used OSX applications.
## The Buckle Up script
-Buckle Up is also a python script that assists you in patching your applications to
-run with seatbelt profiles.
+Buckle Up is also a python script that assists you in patching your applications to
+run with seatbelt profiles.
Here is it's help banner:
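Review bot: the two replaced lines in this hunk are identical in their visible text, so the change is whitespace only (trailing spaces or line-ending normalisation). While this paragraph is being touched, the context line `Here is it's help banner:` should read `Here is its help banner:`.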
@@ -34,7 +34,7 @@ To list the currently available profiles run `./buckleup.py -l`:
Name: Firefox default (APP: firefox)
App Location: /Applications/Firefox.app/Contents/MacOS/firefox
-You can then either run the application from Buckle Up with `./buckleup.py -r adium`
+You can then either run the application from Buckle Up with `./buckleup.py -r adium`
or patch it to use seatbelt every time your run it `./buckleup.py -p adium`.
To remove the patch you should run `./buckleup.py -u adium`
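Review bot: another whitespace-only change, this time to the `./buckleup.py -r adium` sentence; the real defects are in the surrounding context lines: `every time your run it` should be `every time you run it`, and the `./buckleup.py -u adium` sentence is missing its terminating full stop. Since `-p` patches the application in place, it would help to state here what `-u` restores (the original launcher) so the reader knows the patch is reversible.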
@@ -53,7 +53,7 @@ For example to run the Adium sandbox plugin do this:
## Buckle Up header
Sandbox profiles for Buckle Up include a special header that allows the shell script to offer a pretty output
-to the user and automagically install the application.
+to the user and automagically install the application.
When writing an application profile for Buckle up you should use this format. The header should be on the first
line of the sandbox profile:
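Review bot: whitespace-only change on the `automagically install the application` line; the context line below spells the project name `Buckle up` where the rest of the document uses `Buckle Up`, and `you should use this format` points at a format that is only described in the next hunk, so a short `see the field list below` would save the reader a search.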
@@ -62,25 +62,55 @@ line of the sandbox profile:
_buckleup version number_: (default 0.1) This is the Buckle Up version number for the app profile
-_app short name_: This is the shortname of the profile, it is what the user will provide as arugment to
+_app short name_: This is the shortname of the profile, it is what the user will provide as arugment to
buckle up to patch the application or run it
_app long name_: This is the full name of the profile, it controls what will show in the list view
-_path to executable_: This is the full path of the executable that should be patched, it is generally
+_path to executable_: This is the full path of the executable that should be patched, it is generally
something like /Applications/MyApp.app/Contents/MacOS/MyApp
## How to write a sandbox profile
-You want to start from a basic sandbox profile that contains the bare minimum necessary to start the application.
+
+### They easy way
+
+Use the example.sb sandbox file that contains in particular the line
+
+ (trace "profile.sb")
+
+This instructs sandbox-exec to output a profile.sb file that will contain
+the raw output of what resources are being accessed during the runtime of the
+target application.
+
+You would therefore start the application with:
+
+ sandbox-exec -f example.sb /Path/To/The/Application/
+
+Then run sandbox-simplify on the profile.sb and pipe it to another file:
+
+ sandbox-simplify profile.sb > simplified.sb
+
+You can then start editing that simplified file to see what makes sense to keep,
+what can be compacted more and what should be changed.
+
+A useful vi macro to keep handly is this:
+
+ %s/literal "\/Users\/replace_with_your_username/regex #"^\/Users\/[^\.]+/gc
+
+This basically makes your profile work for people that don't have your same username.
+
+### Boring way
+
+You want to start from a basic sandbox profile that contains the bare minimum necessary to start the application.
Something along the lines of this is a good starting point:
(version 1)
(debug allow)
(allow process*)
(deny default)
-What this does it it allow processes to run and it is a whitelist based profile (i.e. the default policy is
+What this does it it allow processes to run and it is a whitelist based profile (i.e. the default policy is
to not allow).
The next thing that you want to do is start
@@ -95,15 +125,15 @@ You will then see in the `tail -f` terminal lines containing something like:
Dec 22 14:58:08 x sandboxd[12281] ([12280]): firefox-bin(12280) deny file-read-data /private/tmp
-This is saying, for example, that firefox was denied "file-read-data" access to the file in /private/tmp.
-You should then evaluate if you want to allow that or not and in the first case add the entry that allows
+This is saying, for example, that firefox was denied "file-read-data" access to the file in /private/tmp.
+You should then evaluate if you want to allow that or not and in the first case add the entry that allows
that in your sandbox file, like so:
(file-read-data
(regex "^/private/tmp")
)
-Continue iteratively until you reach a point where your application runs properly and all the error messages
+Continue iteratively until you reach a point where your application runs properly and all the error messages
are thing you don't want to happen.
Safe hacking and remember to fasten your seatbelt :)
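Review bot: the vi substitution `%s/literal "\/Users\/replace_with_your_username/regex #"^\/Users\/[^\.]+/gc` turns a `literal` rule into a `regex` rule but leaves the remainder of the path untouched, so the resulting pattern is neither escaped nor anchored: the dots in a path such as `com.skype.skype.plist` now match any character, and without a trailing `$` the rule is a prefix match that also permits every file beneath that path. The section should tell the reader to escape `.` and append `$` (the escaped and anchored patterns like `\.growlRegDict$` in the Skype profile show the intended shape), or to use `subpath` when a whole directory is meant. Smaller points in the added text: `### They easy way` should be `### The easy way`, `handly` should be `handy`, the re-added line still spells `arugment`, and `What this does it it allow processes to run` should be `What this does is allow processes to run`. It is also worth saying next to the starting profile that `(debug allow)` is what produces the `sandboxd` log lines shown later, and that `(allow process*)` is a development-time convenience the finished profile should narrow to `process-exec` on the application binary, as the Skype profile does.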
4 buckleup.py
@@ -94,10 +94,10 @@ def patch(self, app):
print "[!] Application already patched. Try running it!"
else:
- sb_file_dst = os.path.join(self.bu_dir,sb['file'])
+ sb_file_dst = os.path.join(self.bu_dir,sb['file'].split("/")[-1])
if self.debug:
- print "Copying the sandbox profile to home config"
+ print "Copying the sandbox profile to home config %s %s" % (sb['file'], sb_file_dst)
shutil.copyfile(sb['file'], sb_file_dst)
cmd = "sandbox-exec -f " + str(sb_file_dst) + " " + str(sb['patch_location'])
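Review bot: `sb['file'].split("/")[-1]` should be `os.path.basename(sb['file'])`, which is exactly what the expression reimplements and for which `os` is already imported (`os.path.join` on the same line). Separately, the `cmd` string on the last context line is built by plain concatenation with no quoting, so a profile path or `patch_location` containing a space (common under `/Applications`) will be split into several arguments by the shell; pass a list to `subprocess` or wrap both paths with `pipes.quote` (Python 2, which the `print` statements here target). The extended debug message is a good addition since it shows both source and destination of the copy.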
317 profiles/Skype.sb
@@ -0,0 +1,317 @@
+;:buckleup:0.1:skype:Skype (broken) only port 80 profile:/Applications/Skype.app/Contents/MacOS/Skype:
+;WARNING! This Skype profile is currently broken. I am just uploading it so that somebody can plan with
+;it and hopefully figure out what is wrong.
+
+(version 1)
+
+(deny default)
+(debug allow)
+
+(allow appleevent-send
+ (appleevent-destination "com.Growl.GrowlHelperApp"))
+
+(allow file-ioctl
+ (literal "/dev/dtracehelper"))
+
+(allow file-issue-extension
+ (regex #"^/private/var/folders/[^/]+/[^/]+/T/Skype-18493-0CCD7C71-53E7-4D4B-A925-6C2CEA228CAE\.growlRegDict$"))
+
+(allow file-read*
+ (literal "/Applications/Skype.app")
+ (literal "/Applications/Skype.app/Contents")
+
+ (regex #"^/Applications/Skype.app/Contents/Frameworks/Growl.framework/*")
+ (regex #"^/Applications/Skype.app/Contents/Frameworks/Skype.framework/*")
+ (literal "/Applications/Skype.app/Contents/Info.plist")
+ (literal "/Applications/Skype.app/Contents/MacOS/")
+ (literal "/Applications/Skype.app/Contents/MacOS/Skype")
+ (literal "/Applications/Skype.app/Contents/PkgInfo")
+ (regex
+ #"^/Applications/Skype.app/Contents/Resources/*"
+ )
+
+ (regex
+ #"^/Library/Application Support/ProApps/SharedA/Frameworks/"
+ )
+ (literal "/Library/Audio/Plug-Ins/HAL")
+ (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin")
+ (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin/Contents")
+ (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin/Contents/Info.plist")
+ (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
+ (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents")
+ (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents/Info.plist")
+ (literal "/Library/Caches/com.nvidia.OpenGL")
+ (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572")
+ (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23")
+ (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23/31534A5A-BB34-CB61-4E72-89E14E8545C8.bin")
+ (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23/31534A5A-BB34-CB61-4E72-89E14E8545C8.toc")
+ (literal "/Library/Caches/com.nvidia.OpenGL/F5C45580-0C5E-372B-946A-7F44E25BC8A0")
+ (literal "/Library/Caches/com.nvidia.OpenGL/F5C45580-0C5E-372B-946A-7F44E25BC8A0/A0A341DD4F718E23")
+ (literal "/Library/Fonts/Arial Bold.ttf")
+ (literal "/Library/Fonts/Arial.ttf")
+ (regex #"^/Library/Frameworks/Motion.framework/*")
+ (literal "/Library/Internet Plug-Ins")
+ (literal "/Library/Internet Plug-Ins/Flash Player.plugin")
+ (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents")
+ (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist")
+ (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/MacOS/Flash Player")
+ (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin")
+ (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents")
+ (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents/Info.plist")
+ (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents/MacOS/Quartz Composer")
+ (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin")
+ (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents")
+ (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/Info.plist")
+ (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/MacOS/QuickTime Plugin")
+ (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/PkgInfo")
+ (literal "/Library/Keychains/System.keychain")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/Info.plist")
+ (literal "/Library/Preferences/.GlobalPreferences.plist")
+ (literal "/Library/QuickTime/DVCPROHDMuxer.component")
+ (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents")
+ (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents/Info.plist")
+ (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents/MacOS/DVCPROHDMuxer")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Info.plist")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/MacOS/DVCPROHDVideoDigitizer")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Resources")
+ (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Resources/DVCPROHDVideoDigitizer.rsrc")
+ (literal "/Library/QuickTime/LiveType.component")
+ (literal "/Library/QuickTime/LiveType.component/Contents")
+ (literal "/Library/QuickTime/LiveType.component/Contents/Info.plist")
+ (literal "/Library/QuickTime/LiveType.component/Contents/MacOS/LiveType")
+ (literal "/Library/QuickTime/Motion.component")
+ (literal "/Library/QuickTime/Motion.component/Contents")
+ (literal "/Library/QuickTime/Motion.component/Contents/Info.plist")
+ (literal "/Library/QuickTime/Motion.component/Contents/MacOS/Motion")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/.database.lockN")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/AddressBook-v22.abcddb")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Configuration.plist")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.MetaData.lock")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.info")
+ (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS/TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1/PrivateEncryptedDatak")
+ (regex #"^/Users/[^.]+/Library/Application Support/Skype/*")
+ (regex #"^/Users/[^.]+/Library/Application Support/CrashReporter/Skype*")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype")
+ (regex #"^/Users/[^.]+/Library/Input Methods")
+ (regex #"^/Users/[^.]+/Library/Internet Plug-Ins")
+ (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
+ (regex #"^/Users/[^.]+/Library/Keychains/*")
+ (regex #"^/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/ByHost/*")
+ (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects")
+ (regex #"^/Users/[^.]+/Library/Preferences/QuickTime Preferences")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.AddressBook.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.quicktime.plugin.preferences.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.universalaccess.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/pbs.plist")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/data.data")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/window_5.data")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/windows.plist")
+ (literal "/dev/dtracehelper")
+ (literal "/dev/random")
+ (literal "/dev/urandom")
+
+ (literal "/private/var/db/mds/messages/se_SecurityMessages")
+ (literal "/private/var/db/mds/system/mdsDirectory.db")
+ (literal "/private/var/db/mds/system/mdsObject.db")
+ (regex #"^/Users/y/Library/Preferences/com\.skype\.skype\.plist(\.[^/]+)?$")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/com\.apple\.scriptmanager\.le\.cache$")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
+ (subpath "/System")
+ (subpath "/usr/lib")
+ (subpath "/usr/share")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/T/*.growlRegDict$")
+)
+
+(allow file-read-metadata
+ (literal "/")
+ (literal "/Applications")
+ (literal "/Applications/Growl.app")
+ (literal "/Applications/Growl.app/Contents/MacOS/Growl")
+ (literal "/Applications/Skype.app/Contents/MacOS")
+ (literal "/Applications/Skype.app/Contents/Frameworks")
+ (literal "/Applications/Utilities")
+ (literal "/Library")
+ (literal "/Library/Application Support")
+ (regex #"^/Library/Application Support/ProApps/*")
+ (literal "/Library/Caches")
+ (regex
+ #"^/Library/Caches/com.nvidia.OpenGL/"
+ )
+ (literal "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin")
+ (literal "/Library/Internet Plug-Ins/flashplayer.xpt")
+ (literal "/Library/Internet Plug-Ins/nsIQTScriptablePlugin.xpt")
+ (literal "/Library/Keychains")
+ (literal "/Library/PreferencePanes")
+ (literal "/Library/PreferencePanes/Growl.prefPane")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources")
+ (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/MacOS/GrowlHelperApp")
+ (literal "/Library/Security/Trust Settings/Admin.plist")
+ (literal "/Network")
+ (literal "/Users")
+ (regex #"^/Users/[^.]+")
+ (regex #"^/Users/[^.]+/Downloads/*")
+ (regex #"^/Users/[^.]+/Library")
+ (regex #"^/Users/[^.]+/Library/Address Book Plug-Ins/SkypeABDialer.bundle")
+ (regex #"^/Users/[^.]+/Library/Address Book Plug-Ins/SkypeABSMS.bundle")
+ (regex #"^/Users/[^.]+/Library/Application Support")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata")
+ (regex #"^/Users/[^.]+/Library/Application Support/Adobe")
+ (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR")
+ (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS")
+ (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS/TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1")
+ (regex #"^/Users/[^.]+/Library/Application Support/Skype/")
+ (regex #"^/Users/[^.]+/Library/Audio/Plug-Ins/Components")
+ (regex #"^/Users/[^.]+/Library/Autosave Information")
+ (regex #"^/Users/[^.]+/Library/Caches/*")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/SkypeIndexCaches")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/hellais/SKAvatarCache")
+ (regex #"^/Users/[^.]+/Library/Keychains/*")
+ (regex #"^/Users/[^.]+/Library/Preferences")
+ (regex #"^/Users/[^.]+/Library/Preferences/ByHost")
+ (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ")
+ (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com")
+ (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com/#ui")
+ (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com/#ui/preferences.sol")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.skype.skype.plist")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.apple.ServicesMenu.Services.plist")
+ (regex #"^/Users/[^.]+/Library/QuickTime")
+
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/restorecount.txt")
+ (literal "/etc")
+ (literal "/private")
+ (literal "/private/etc/localtime")
+ (literal "/private/var")
+ (literal "/private/var/db/.AppleSetupDone")
+ (literal "/private/var/folders")
+ (literal "/private/var/folders/th")
+ (literal "/private/var/folders/th/ftm_xkbs68s6vkxhg6wdyjbc0000gn")
+ (literal "/private/var/run/systemkeychaincheck.done")
+ (literal "/usr")
+ (literal "/usr/bin/atos")
+ (literal "/var")
+ (regex "^/private/var/folders/[^/]+/[^/]+/C$")
+ (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
+ (regex #"^/private/var/folders/*")
+)
+(allow file-issue-extension
+ (regex #"^/private/var/folders/*")
+)
+
+(allow file-write*
+ (regex #"^/Library/Caches/com.nvidia.OpenGL/*")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/.database.lockN")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/AddressBook-v22.abcddb")
+ (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.info")
+ (regex #"^/Users/[^.]+/Library/Application Support/Skype/*")
+ (regex #"^/Users/[^.]+/Library/Preferences/com.skype.skype*")
+ (regex #"^/Users/[^.]+/Library/Preferences/ByHost/*")
+ ; XXX fix this regex
+ ;(regex #"^/private/var/folders/th/*.growlRegDict$")
+ (regex #"^/private/var/folders/th/*")
+ (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/*")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/Cache.db")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl/com.apple.ocl.32.data")
+ (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl/com.apple.ocl.32.maps")
+ (literal "/dev/dtracehelper")
+ ; To allow downloads
+ (regex #"^/Users/[^.]+/Downloads/*")
+ (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
+)
+
+(allow iokit-open
+ (iokit-user-client-class "AGPMClient")
+ (iokit-user-client-class "IOAudioControlUserClient")
+ (iokit-user-client-class "IOAudioEngineUserClient")
+ (iokit-user-client-class "IOBluetoothHCIUserClient")
+ (iokit-user-client-class "IOFramebufferSharedUserClient")
+ (iokit-user-client-class "IOHIDParamUserClient")
+ (iokit-user-client-class "IOUSBDeviceUserClientV2")
+ (iokit-user-client-class "IOUSBInterfaceUserClientV2")
+ (iokit-user-client-class "RootDomainUserClient")
+ (iokit-user-client-class "nvDevice")
+ (iokit-user-client-class "nvTeslaGLContext")
+)
+
+(allow ipc-posix-shm
+ (ipc-posix-name "/tmp/com.apple.csseed.62")
+ (ipc-posix-name "CFPBS:DD:")
+ (ipc-posix-name "FNetwork.defaultStorageSession")
+ (ipc-posix-name "_00D0000000501")
+ (ipc-posix-name "_CGM0000000501")
+ (ipc-posix-name "_CSGENGPROFILE")
+ (ipc-posix-name "_CSGENRPROFILE")
+ (ipc-posix-name "_CS_DSHMEMLOCK")
+ (ipc-posix-name "_CS_GSHMEMLOCK")
+ (ipc-posix-name "apple.shm.notification_center")
+ (ipc-posix-name "com.apple.AppleDatabaseChanged")
+ (ipc-posix-name "ls.62.186a5.643c9869")
+)
+
+(allow mach-lookup
+ (global-name "com.apple.CoreServices.coreservicesd")
+ (global-name "com.apple.FontObjectsServer")
+ (global-name "com.apple.FontServer")
+ (global-name "com.apple.inputmethodkit.launchagent")
+ (global-name "com.apple.inputmethodkit.launcher")
+ (global-name "Multilingual (Apple)_OpenStep")
+ (global-name "com_apple_palette_pressandhold_connection")
+
+ (global-name "com.apple.pbs.fetch_services")
+
+ (global-name "com.apple.SecurityServer")
+ (global-name "com.apple.SystemConfiguration.configd")
+ (global-name "com.apple.audio.audiohald")
+ (global-name "com.apple.audio.coreaudiod")
+ (global-name "com.apple.cmio.VDCAssistant")
+ (global-name "com.apple.cookied")
+ (global-name "com.apple.cvmsServ")
+ (global-name "com.apple.decalog4.incoming")
+ (global-name "com.apple.distributed_notifications@Uv3")
+ (global-name "com.apple.dock.server")
+ (global-name "com.apple.ls.boxd")
+ (global-name "com.apple.ocspd")
+ (global-name "com.apple.pasteboard.1")
+ (global-name "com.apple.quicklook.ui.helper.active")
+ (global-name "com.apple.system.DirectoryService.libinfo_v1")
+ (global-name "com.apple.system.DirectoryService.membership_v1")
+ (global-name "com.apple.system.logger")
+ (global-name "com.apple.system.notification_center")
+ (global-name "com.apple.system.opendirectoryd.api")
+ (global-name "com.apple.tsm.uiserver")
+ (global-name "com.apple.window_proxies")
+ (global-name "com.apple.windowserver.active")
+ (global-name "com.skype.skype.ServiceProvider")
+)
+
+(allow network-inbound
+ (local udp "localhost:*")
+ (local tcp "*:80")
+ (local udp "*:80")
+)
+
+(allow network-outbound
+ (literal "/private/var/run/mDNSResponder")
+ (remote tcp "*:80")
+ (remote udp "*:80")
+ (remote udp "localhost:*")
+ )
+
+(allow process-exec
+ (literal "/Applications/Skype.app/Contents/MacOS/Skype")
+)
+
+(allow sysctl-read)
+
+(allow system-socket)
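Review bot: a likely cause of the `(broken)` status noted in the header is that the profile mixes portable `^/Users/[^.]+/` patterns with literals captured from the author's own machine, which never match anywhere else: `^/Users/y/Library/Preferences/com\.skype\.skype\.plist`, `Caches/com.skype.skype/hellais/SKAvatarCache`, the `/private/var/folders/th/ftm_xkbs68s6vkxhg6wdyjbc0000gn` literals and `^/private/var/folders/th/*` in the write section, the Flash `#SharedObjects/9QYSRLPJ` directory and the `Skype-18493-0CCD7C71-...growlRegDict` temp file; these should use `[^/]+` components the way the `mds` rules already do. Second, `/*` at the end of a regex means zero or more slashes, not a glob, so `^/Applications/Skype.app/Contents/Resources/*`, `^/Users/[^.]+/Library/Keychains/*` and `^/private/var/folders/*` are unanchored prefix matches; `subpath` states that intent explicitly, and the `file-issue-extension` rule on `^/private/var/folders/*` (the operation is declared a second time near the end) currently grants extensions for everything under the temp tree. Third, `(debug allow)` from the development phase is still present, and the two `(regex "...")` rules for `/C$` and `/C/mds$` lack the `#` prefix used everywhere else in the file. Finally, several `ipc-posix-name` entries look host- or session-specific (`/tmp/com.apple.csseed.62`, `ls.62.186a5.643c9869`, and the `_00D0000000501`/`_CGM0000000501` names that appear to embed a numeric uid) and belong on the same portability list.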
