Sandbox/Profiles
;; OriginatingProject: ipsec
;; Sandbox profile for the IPsec/IKE daemon (racoon). Everything not
;; explicitly allowed below (or by the imported system.sb) is denied.
;; Lines marked NOTE(review) are reviewer observations, not policy.
(version 1)
;; Default-deny baseline: every operation must be opened up by a later rule.
(deny default)
;; Common system rules; a copy of them appears further down on this page
;; under the "Common system sandbox rules" header.
(import "system.sb")
;; NOTE(review): sysctl-write carries no (sysctl-name ...) filter, so it
;; covers every writable sysctl. Confirm racoon needs to write sysctls at
;; all and scope the rule to the specific names if it does.
(allow system-socket sysctl-read sysctl-write)
(allow system-info (info-type "net.link.addr"))
(allow ipc-posix* (ipc-posix-name "com.apple.securityd"))
(allow ipc-posix-shm
(ipc-posix-name "apple.shm.notification_center")
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
;; NOTE(review): this grants read + ioctl on /private/etc/master.passwd,
;; the local password-hash file, to a daemon that accepts UDP from any
;; remote peer (see the network* rule below). Presumably needed for
;; password (XAuth-style) user authentication -- confirm. A single file
;; is better expressed with (literal ...) than (subpath ...).
(allow file-read* file-ioctl
(subpath "/private/etc/master.passwd")
(subpath "/private/var/run/racoon")
(literal "/private/var/preferences/SystemConfiguration/com.apple.ipsec.plist")
(subpath "/private/etc/racoon"))
;; Read-only configuration and cache paths.
;; "Managed\ Preferences": the backslash-space is presumably just an
;; escaped space in the directory name -- verify the profile compiler
;; reads it as a plain space.
;; NOTE(review): (subpath "/private/var/root") exposes all of root's home
;; directory for reading; confirm which file(s) are actually needed and
;; narrow the rule if possible.
(allow file-read*
(subpath "/Library/Managed\ Preferences")
(subpath "/Library/Preferences")
(subpath "/private/var/root")
(literal "/private/var/mobile/Library/Caches/com.apple.MobileGestalt.plist")
(literal "/private/var/db/mds/messages/se_SecurityMessages")
(literal "/private/var/db/icu"))
;; Write access is limited to racoon's own control socket and pid file.
(allow file-write*
(literal "/private/var/run/racoon.sock")
(literal "/private/var/run/racoon.pid"))
;; Full file access (read, write, create, unlink) on the log file. Both
;; spellings are listed, presumably because /var resolves to /private/var.
(allow file*
(literal "/var/log/racoon.log")
(literal "/private/var/log/racoon.log"))
;; NOTE(review): RootDomainUserClient is presumably used for power
;; management (sleep/wake) -- confirm; every IOKit user client opened
;; from the sandbox is kernel attack surface.
(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))
;; Outbound connections to unix-domain sockets under launchd's tmp directory.
(allow network-outbound (subpath "/private/var/tmp/launchd"))
;; Network: the network* wildcard covers every network operation (not just
;; outbound). Local binding is limited to the IKE/NAT-T ports 500 and 4500;
;; remote UDP is unrestricted ("*:*"), so any peer on the network can talk
;; to the daemon. The remaining grants should be judged against that
;; exposure. The racoon.sock unix socket is also covered here.
(allow network*
(local udp "*:500" "*:4500")
(remote udp "*:*")
(literal "/private/var/run/racoon.sock"))
;; NOTE(review): file* (read, write, unlink) on the System keychain and its
;; MDS databases. A compromised racoon could therefore alter the system
;; keychain. Confirm write access is genuinely required (certificate/key
;; lookup may need only read) and reduce to file-read* if not.
(allow file*
(literal "/Library/Keychains/System.keychain")
(literal "/private/var/db/mds/system/mdsObject.db")
(literal "/private/var/db/mds/system/mds.lock")
(literal "/private/var/db/mds/system/mdsDirectory.db"))
;; Mach services racoon may look up. Each is an IPC endpoint reachable
;; from inside the sandbox and so part of the escape surface; keep this
;; list to what the daemon demonstrably uses.
(allow mach-lookup
(global-name "com.apple.SecurityServer")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.ocspd")
(global-name "com.apple.commcenter.xpc")
(global-name "com.apple.aggregated")
(global-name "com.apple.cfprefsd.daemon")
(global-name "com.apple.cfprefsd.agent")
(local-name "com.apple.cfprefsd.agent")
(global-name "com.apple.nehelper"))
;; Read-only access to cfprefsd shared-memory segments, matched by prefix.
(allow ipc-posix-shm-read*
(ipc-posix-name-regex #"^apple\.shm\.cfprefsd\."))
;;;;;; Common system sandbox rules
;;;;;;
;;;;;; Copyright (c) 2008-2010 Apple Inc. All Rights reserved.
;;;;;;
;;;;;; WARNING: The sandbox rules in this file currently constitute
;;;;;; Apple System Private Interface and are subject to change at any time and
;;;;;; without notice. The contents of this file are also auto-generated and
;;;;;; not user editable; it may be overwritten at any time.
;;; Allow read access to standard system paths.
;;; Only world-readable files (mode bit 0004) under these trees match; the
;;; file-mode filter guards against reading files that were placed there
;;; with restrictive permissions.
(allow file-read*
(require-all (file-mode #o0004)
(require-any (subpath "/System")
(subpath "/usr/lib")
(subpath "/usr/sbin")
(subpath "/usr/share"))))
;;; Metadata (stat-style) access only on these three top-level names,
;;; presumably so paths through /etc, /tmp and /var can be resolved
;;; without exposing their contents.
(allow file-read-metadata
(literal "/etc")
(literal "/tmp")
(literal "/var"))
;;; Allow access to standard special files.
;;; NOTE(review): (subpath "/usr/share") here has no file-mode filter, so
;;; it makes the world-readable restriction on /usr/share above
;;; ineffective -- any file under /usr/share matches this rule. Remove
;;; this entry (or add the same mode filter) if the restriction was meant.
(allow file-read*
(subpath "/usr/share")
(subpath "/private/var/db/timezone")
(literal "/dev/random")
(literal "/dev/urandom"))
;;; /dev/null and /dev/zero: read plus data writes, no ioctl.
(allow file-read*
file-write-data
(literal "/dev/null")
(literal "/dev/zero"))
;;; Read, write and ioctl on these device nodes.
;;; NOTE(review): /dev/aes_0 and /dev/sha1_0 are presumably the kernel
;;; crypto accelerator devices (the names suggest AES and SHA-1); ioctl on
;;; device nodes is kernel attack surface reachable from the sandbox, so
;;; confirm racoon actually uses them rather than userspace crypto.
(allow file-read*
file-write-data
file-ioctl
(literal "/dev/aes_0")
(literal "/dev/sha1_0")
(literal "/dev/dtracehelper"))
;;; Logging: outbound connections to the syslog/ASL unix sockets only.
(allow network-outbound
(literal "/private/var/run/asl_input")
(literal "/private/var/run/syslog"))
;;; Allow IPC to standard system agents.
(allow mach-lookup
(global-name "com.apple.securityd")
(global-name "com.apple.bsd.dirhelper")
(global-name "com.apple.system.logger")
(global-name "com.apple.system.notification_center"))
;;; Allow creating an ipsec interface
;;; (presumably via a kernel control socket named com.apple.net.ipsec_control).
(allow network-outbound
(control-name "com.apple.net.ipsec_control"))
;;; Allow racoon to check entitlements
;;; NOTE(review): this and the ipsec_control rule above are racoon-specific,
;;; so this span is not purely the shared "common system" rules the header
;;; describes -- presumably system.sb was pasted inline followed by the rest
;;; of racoon's profile. Confirm against the original files before reuse.
(allow iokit-open
(iokit-user-client-class "AppleMobileFileIntegrityUserClient"))