├── AppSandbox-notes.md
├── profiles
├── adium.sb
├── firefox.sb
├── vienna.sb
├── tweetie.sb
├── template.sb
├── Ventrilo-profile.sb
├── firefox-profile.sb
├── firefox-profile-10.7.sb
├── VLC-profile.sb
├── firefox-profile-10.5.sb
├── Tweetdeck-profile.sb
└── Skype.sb
├── Readme.md
└── buckleup.py
/AppSandbox-notes.md:
--------------------------------------------------------------------------------
1 | In OS X 10.7 it is advised to use App Sandbox instead of sandbox-exec.
2 | App sandbox exposes only a subset of the features that sandbox-exec profiles did
3 | but they should be good for most applications and profiles.
4 |
5 | These are just some random notes that still need to be structured:
6 |
7 | To specify app sandbox parameters you use entitlements. These give certain
8 | permissions to your applications. An entitlement is a .plist file and it looks
9 | something like this:
10 |
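11 | <?xml version="1.0" encoding="UTF-8"?>
12 | <plist version="1.0">
13 | <dict>
14 | <key>com.apple.security.app-sandbox</key> <true/>
15 | <key>com.apple.security.network.client</key> <true/>
16 | <key>com.apple.security.network.server</key> <true/>
17 | </dict>
18 | </plist>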
19 |
20 | To apply the entitlement to your application you use the `codesign` command. To self
21 | sign applications you can run `codesign -s -`.
22 |
23 | To apply the entitlement to your app do this:
24 |
25 | codesign -s - -f --entitlements entitlement.plist /Applications/MyApp.app/
26 |
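27 | WARNING: the -f flag overwrites the signature already present on the application; with `-s -` the result is an ad-hoc signature, so the developer's original signature is lost.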
28 |
29 | Once an application is sandboxed it may be necessary to regenerate its container.
30 | The container is a special part of your Library folder dedicated to that application's
31 | resources (this means that an app cannot read other applications' resources).
32 |
33 | To do so run this:
34 |
35 | asctl container acl update /Applications/MyApp.app/
36 |
37 |
38 |
--------------------------------------------------------------------------------
/profiles/adium.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:adium:Adium default:/Applications/Adium.app/Contents/MacOS/Adium:
2 | ;
3 | ; This is the seatbelt profile for Adium
4 | ; by Arturo Filasto'
5 | ; The first line is the Buckle Up header (version, short name, long name, executable path) and has to stay on line 1.
6 |
7 | (version 1)
8 | (debug allow)
9 |
10 | ; Log to adium.sb.log
11 | ; (trace "adium.sb.log")
12 |
13 | ; This is needed for IPC on OSX >= 10.6
14 | (allow ipc-posix-shm)
15 |
16 | ; Allow inbound and outbound connections (no host, port or protocol filter is applied)
17 | (allow network-outbound)
18 | (allow network-inbound)
19 |
20 | ; Allow reading with sysctl
21 | (allow sysctl-read)
22 |
23 | ; Allow it to read metadata (no path filter, so this applies to every path)
24 | (allow file-read-metadata)
25 |
26 | ; Allow it to run processes and fork. NOTE(review): process* carries no filter, so exec is not restricted to any path - a process-exec rule limited to the Adium bundle would be tighter.
27 | (allow process*)
28 |
29 | ; Allow signals. NOTE(review): without a (target self) filter this rule is not limited to the process signalling itself.
30 | (allow signal)
31 |
32 | (allow iokit-open) ; unfiltered
33 |
34 | (allow mach-lookup) ; unfiltered - any Mach service name may be looked up (vienna.sb lists global-names instead)
35 |
36 | (allow system-socket)
37 |
38 | ; These are required to send growl notifications
39 | (allow appleevent-send)
40 | (allow distributed-notification-post)
41 |
42 | ; Allow file reading. NOTE(review): [^.]+ also matches a slash, so it is not confined to one path component, and a trailing /* is a regex for zero or more slashes (a plain prefix match), not a glob. The /private pattern covers everything under /private.
43 | (allow file-read*
44 | (regex
45 | #"^/Users/[^.]+/Library"
46 | #"^/Applications/Adium.app"
47 | #"^/Library/*"
48 | #"^/System/Library/*"
49 | #"^/usr/lib/*"
50 | #"^/usr/share/*"
51 | #"^/private/*"
52 | #"^/dev/*"
53 | )
54 | )
55 |
56 | ; Allow write access to a subset of the above. NOTE(review): the /Users patterns below have no leading ^ and therefore match anywhere in a path, the ByHost pattern has no Library component and only matches because [^.]+ spans slashes, and ^/private/var/* makes all of /private/var writable.
57 | (allow file-write*
58 | (regex
59 | #"/Users/[^.]+/Library/Application Support/*"
60 | #"/Users/[^.]+/Library/Saved Application State/com.adiumX*"
61 | #"/Users/[^.]+/Preferences/ByHost"
62 | #"/Users/[^.]+/Library/Caches/Adium/"
63 | #"/Users/[^.]+/Library/Preferences/com.adiumX.adiumX*"
64 | #"^/dev/dtracehelper"
65 | #"^/private/var/*"
66 | #"^/private/tmp/*"
67 | #"^/var/folders/th/*"
68 | )
69 | )
70 |
71 | (allow file-issue-extension
72 | (regex
73 | #"^/private/var/*"
74 | )
75 | )
76 |
77 | (allow file-ioctl
78 | (regex
79 | #"^/dev/dtracehelper"
80 | )
81 | )
82 |
83 | (deny default) ; whitelist policy - whatever no rule above allows is denied
84 |
--------------------------------------------------------------------------------
/profiles/firefox.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:firefox:Firefox default:/Applications/Firefox.app/Contents/MacOS/firefox:
2 | ; Firefox sandboxing profile
3 | ; based on : http://hints.macworld.com/article.php?story=20100318044558156
4 | ; and : http://codereview.chromium.org/379019/diff/1/2
5 |
6 | (version 1)
7 | (deny default) ; whitelist policy - only the operations allowed below are permitted
8 |
9 | (allow file-write* file-read-data file-read-metadata ; read and write access. NOTE(review): this covers the Firefox.app bundle, which the process-exec rule further down also permits executing, and the whole per-user Preferences folder
10 | (regex
11 | #"^/Users/[^.]+/Downloads"
12 | #"^/Users/[^.]+/Library/Application Support/Mozilla"
13 | #"^/Users/[^.]+/Library/Application Support/Firefox"
14 | #"^/Users/[^.]+/Library/Preferences"
15 | #"^/Users/[^.]+/Library/PreferencePanes"
16 | #"^/Users/[^.]+/Library/Caches/Firefox"
17 | #"^/Users/[^.]+/Library/Caches/TemporaryItems"
18 | #"^/Applications/Firefox.app"
19 | #"^/private/tmp/"
20 | #"^/private/var/tmp/"
21 | )
22 | )
23 |
24 | (allow file-read-data file-read-metadata ; read-only locations
25 | (regex
26 | #"^/dev/autofs.*"
27 | #"^/Library/Preferences"
28 | #"^/Library/Internet Plug-Ins"
29 | #"^/Library/PreferencePanes"
30 | #"^/Library/Fonts"
31 | #"^/Library/Caches"
32 | #"^/usr/share/icu"
33 | #"^/usr/share/locale"
34 | #"^/System/Library"
35 | #"^/Applications/Firefox.app"
36 | #"^/usr/lib"
37 | #"^/var"
38 | #"Frameworks/SDL.framework"
39 | ; Our Module Directory Services cache
40 | #"^/private/var/tmp/mds/"
41 | #"^/private/var/tmp/mds/[0-9]+(/|$)"
42 | #"^/Users/[^.]+/Library/"
43 | ; Maybe this should be disabled, need to do more testing. NOTE(review): the next pattern grants read access to everything under every home directory, which makes the narrower /Users read patterns redundant.
44 | #"^/Users/[^.]+/"
45 | )
46 | )
47 |
48 | (allow iokit-open) ; unfiltered
49 |
50 | (allow mach* sysctl-read) ; mach* is unfiltered
51 |
52 | (import "/usr/share/sandbox/bsd.sb")
53 | (deny file-write-data ; explicit deny on writing data to the time zone and NLS paths listed here
54 | (regex
55 | #"^(/private)?/etc/localtime$"
56 | #"^/usr/share/nls/"
57 | #"^/usr/share/zoneinfo/"
58 | )
59 | )
60 |
61 | (allow process-exec ; NOTE(review): prefix match without a trailing slash, and the same prefix is writable through the first file rule
62 | (regex "^/Applications/Firefox.app")
63 | )
64 |
65 | (allow network*) ; every network operation, no host or port filter
66 |
67 |
--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
1 | # Buckle Up!
2 | The aim of this project is to raise awareness of security on OS X
3 | and to develop seatbelt profiles for all of the commonly used OS X applications.
4 |
5 | ## The Buckle Up script
6 | Buckle Up is also a python script that assists you in patching your applications to
7 | run with seatbelt profiles.
8 |
9 | Here is its help banner:
10 |
11 | Buckle Up!
12 | -------
13 | Mac OS X sandboxing helper scripts
14 | by Arturo Filasto'
15 |
16 | Usage: buckleup.py [options]
17 |
18 | Options:
19 | -h, --help show this help message and exit
20 | -l, --list list all application profiles
21 | -p APP, --patch=APP patch the desired application
22 | -a APP, --application=APP
23 | explicitly set the application location
24 | -u APP, --unpatch=APP
25 | remove patch from the desired application
26 | -r APP, --run=APP run the desired application in sandbox
27 |
28 | To list the currently available profiles run `./buckleup.py -l`:
29 |
30 | [-] Listing Buckle Up sandbox profiles...
31 | Name: Adium default (APP: adium)
32 | App Location: /Applications/Adium.app/Contents/MacOS/Adium
33 |
34 | Name: Firefox default (APP: firefox)
35 | App Location: /Applications/Firefox.app/Contents/MacOS/firefox
36 |
37 | You can then either run the application from Buckle Up with `./buckleup.py -r adium`
38 | or patch it to use seatbelt every time you run it with `./buckleup.py -p adium`.
39 |
40 | To remove the patch you should run `./buckleup.py -u adium`
41 |
42 | ## Manually running apps with seatbelt profiles
43 |
44 | To run an app with sandboxing enabled all you have to do is:
45 |
46 | sandbox-exec -f <profile>.sb /path/to/the/app
47 |
48 | For example, to run Adium with its sandbox profile do this:
49 |
50 | sandbox-exec -f adium.sb /Applications/Adium.app/Contents/MacOS/Adium
51 |
52 |
53 | ## Buckle Up header
54 |
55 | Sandbox profiles for Buckle Up include a special header that allows the shell script to offer a pretty output
56 | to the user and automagically install the application.
57 |
58 | When writing an application profile for Buckle up you should use this format. The header should be on the first
59 | line of the sandbox profile:
60 |
61 | ;:buckleup:<buckleup version number>:<app short name>:<app long name>:<path to executable>:
62 |
63 | _buckleup version number_: (default 0.1) This is the Buckle Up version number for the app profile
64 |
65 | _app short name_: This is the short name of the profile; it is what the user will provide as the argument to
66 | Buckle Up to patch the application or run it
67 |
68 | _app long name_: This is the full name of the profile, it controls what will show in the list view
69 |
70 | _path to executable_: This is the full path of the executable that should be patched, it is generally
71 | something like /Applications/MyApp.app/Contents/MacOS/MyApp
72 |
73 | ## How to write a sandbox profile
74 |
75 |
76 | ### The easy way
77 |
78 | Use the example.sb sandbox file that contains in particular the line
79 |
80 | (trace "profile.sb")
81 |
82 | This instructs sandbox-exec to output a profile.sb file that will contain
83 | the raw output of what resources are being accessed during the runtime of the
84 | target application.
85 |
86 | You would therefore start the application with:
87 |
88 | sandbox-exec -f example.sb /Path/To/The/Application/
89 |
90 | Then run sandbox-simplify on the profile.sb and pipe it to another file:
91 |
92 | sandbox-simplify profile.sb > simplified.sb
93 |
94 | You can then start editing that simplified file to see what makes sense to keep,
95 | what can be compacted more and what should be changed.
96 |
97 | A useful vi macro to keep handy is this:
98 |
99 | %s/literal "\/Users\/replace_with_your_username/regex #"^\/Users\/[^\.]+/gc
100 |
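101 | This basically makes your profile work for people who don't have the same username as you. Note that `[^.]+` also matches `/`, so the pattern is not limited to a single path component; `[^/]+` is the tighter choice.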
102 |
103 | ### Boring way
104 |
105 | You want to start from a basic sandbox profile that contains the bare minimum necessary to start the application.
106 | Something along the lines of this is a good starting point:
107 |
108 | (version 1)
109 | (debug allow)
110 | (allow process*)
111 | (deny default)
112 |
113 | What this does is allow processes to run and make the profile whitelist based (i.e. the default policy is
114 | to not allow).
115 |
116 | The next thing that you want to do is start
117 |
118 | tail -f /var/log/system.log
119 |
120 | All the denied by policy lines will end up in that file. Then start your application with your sandbox profile:
121 |
122 | sandbox-exec -f <profile>.sb /path/to/the/app
123 |
124 | You will then see in the `tail -f` terminal lines containing something like:
125 |
126 | Dec 22 14:58:08 x sandboxd[12281] ([12280]): firefox-bin(12280) deny file-read-data /private/tmp
127 |
128 | This is saying, for example, that firefox was denied "file-read-data" access to the file in /private/tmp.
129 | You should then evaluate if you want to allow that or not and in the first case add the entry that allows
130 | that in your sandbox file, like so:
131 |
132 | (allow file-read-data
133 | (regex "^/private/tmp")
134 | )
135 |
136 | Continue iteratively until you reach a point where your application runs properly and all the remaining denial messages
137 | are for things you don't want to allow.
138 |
139 | Safe hacking and remember to fasten your seatbelt :)
140 |
141 | ## Resources
142 |
143 | - Apple's Sandbox Guide - http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
144 |
145 | - Chromium sandboxing - http://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design
146 |
147 | - http://techjournal.318.com/security/a-brief-introduction-to-mac-os-x-sandbox-technology/
148 |
149 | - Iron Suite - https://www.romab.com/ironsuite/
150 |
151 |
--------------------------------------------------------------------------------
/profiles/vienna.sb:
--------------------------------------------------------------------------------
1 | ; NOTE(review): there is no ;:buckleup: header on the first line, so buckleup.py presumably cannot list or patch with this profile - confirm.
2 | ; Vienna 2.5.x Sandbox profile
3 | ; (c) fG!, 2011
4 | ; reverser@put.as
5 | ; v0.1 - 13/09/2011 ;
6 | ;
7 |
8 | (version 1)
9 | ; well this doesn't seem to work...
10 | (debug all)
11 |
12 | ; (trace "trace.sb")
13 | ; stuff we allow to execute: only the Vienna main binary, matched as an exact path
14 | (allow process-exec (literal "/Applications/Vienna.app/Contents/MacOS/Vienna"))
15 |
16 | ; no need for forks? great :-) (the process-fork rule stays commented out)
17 | ;(allow process-fork)
18 | ; it needs to read some sysctl variables
19 |
20 | (allow sysctl-read)
21 |
22 | ; where? NOTE(review): sysctl-write is unfiltered and the author could not say where it is needed, so check whether the app still runs without it.
23 | (allow sysctl-write)
24 | ; ----------------
25 | ; READ PERMISSIONS
26 | ; ----------------
27 | ; allow read system libraries and frameworks (from bsd.sb); the last pattern already covers the two Frameworks patterns above it
28 | (allow file-read-data file-read-metadata
29 | (regex
30 | #"^/usr/lib/.*\.dylib$"
31 | #"^/usr/lib/info/.*\.so$"
32 | #"^/private/var/db/dyld/"
33 | #"^/System/Library/Frameworks/*"
34 | #"^/System/Library/PrivateFrameworks/*"
35 | #"^/System/Library/*"
36 | )
37 | )
38 | ; Vienna Frameworks
39 |
40 | (allow file-read*
41 | (regex
42 | ; Vienna itself
43 | #"^/Applications/Vienna.app/*"
44 | ; Growl
45 | #"^/Library/PreferencePanes/Growl.prefPane/*"
46 | )
47 | )
48 | ; allow read to required system stuff. NOTE(review): (literal ...) compares the exact path, so the literal entries in this file that contain [^.]+ are not treated as regexes and will not match a real home directory; they would need (regex ...) to take effect.
49 | (allow file-read*
50 | (regex
51 | #"^/usr/share/zoneinfo/*"
52 | #"^/dev/*"
53 | #"^/usr/share/icu/*"
54 | )
55 | (regex
56 | #"^/private/var/folders/*"
57 | ; do we really need access to keychains ? NOTE(review): the next pattern makes everything under the user's Keychains folder readable; drop it unless a logged denial shows it is required.
58 | #"^/Users/[^.]+/Library/Keychains/*"
59 | #"^/Library/Fonts/*"
60 | #"^/Users/[^.]+/Library/Caches/*"
61 | #"^/Users/[^.]+/Library/InputManagers/*"
62 | ; what's this ???
63 | #"^/private/var/db/mds/system/*"
64 | )
65 | (literal "/private/etc/localtime")
66 | (literal "/Users/[^.]+/Library/Preferences/com.apple.security.plist")
67 | (literal "/private/var/db/mds/messages/se_SecurityMessages")
68 | (literal "/Users/[^.]+/Library/Preferences/com.apple.systemuiserver.plist")
69 | (literal "/Users/[^.]+/Library/Cookies/Cookies.plist")
70 | (literal "/Users/[^.]+/Library/Preferences/com.apple.LaunchServices.plist")
71 | (literal "/Users/[^.]+/Library/Preferences/pbs.plist")
72 | )
73 |
74 | (allow file-read-metadata
75 | (literal "/")
76 | (literal "/var")
77 | (literal "/Applications")
78 | (literal "/etc")
79 | (literal "/Users")
80 | (literal "/Users/[^.]+")
81 | (literal "/System")
82 | (literal "/Users/[^.]+/Library/Preferences") (literal "/Library")
83 | (literal "/Users/[^.]+/Library")
84 | (literal "/Library/PreferencePanes")
85 | )
86 |
87 | ; allow read application data
88 | (allow file-read*
89 | (regex
90 | #"^/Users/[^.]+/Library/Application Support/Vienna/*"
91 | )
92 | )
93 |
94 | ; allow read to preferences files
95 | (allow file-read-data file-read-metadata
96 | (regex #"^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*")
97 | (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
98 | (literal "/Users/[^.]+/Library/Preferences/uk.co.opencommunity.vienna2.plist")
99 | (literal "/Library/Preferences/.GlobalPreferences.plist")
100 | )
101 |
102 | ; web browsing related
103 | (allow file-read*
104 | (regex
105 | #"^/Users/[^.]+/Library/Icons/*"
106 | #"^/Users/[^.]+/Library/Internet Plug-Ins/*"
107 | #"^/Library/Internet Plug-Ins/*"
108 | )
109 | ; still missing some? well we could even remove quicktime and java :-)
110 | (literal "/Users/[^.]+/Library/Preferences/com.github.rentzsch.clicktoflash.plist")
111 | (literal "/Users/[^.]+/Library/Preferences/com.apple.java.JavaPreferences.plist")
112 | (literal "/Users/[^.]+/Library/Preferences/com.apple.quicktime.plugin.preferences.plist")
113 | )
114 |
115 | ; -----------------
116 | ; WRITE PERMISSIONS
117 | ; -----------------
118 | ; allow write to dtrace related stuff
119 | (allow file-write* file-ioctl
120 | (regex #"^/dev/dtracehelper$")
121 | )
122 | (allow file-write* ; NOTE(review): the Caches and Cookies patterns cover every application's data in those folders, and the SC Info pattern has no leading ^
123 | (regex
124 | #"^/Users/[^.]+/Library/Application Support/Vienna/*"
125 | #"^/Users/[^.]+/Library/Caches/*"
126 | #"/Users/Shared/SC Info" #"^/Users/[^.]+/Library/Cookies/*"
127 | #"^/private/var/tmp/tmp.*"
128 | #"^/private/var/folders/*"
129 | #"^/Users/[^.]+/Library/Preferences/uk.co.opencommunity.vienna2.plist*"
130 | )
131 | )
132 | ; web browsing related. NOTE(review): (literal ...) is an exact path comparison, so these two entries containing [^.]+ will not match a real user directory.
133 | (allow file-write-data
134 | (literal "/Users/[^.]+/Library/Icons/WebpageIcons.db")
135 | )
136 |
137 | (allow file-write*
138 | (literal "/Users/[^.]+/Library/Icons/WebpageIcons.db-journal")
139 | )
140 |
141 | ; ----------------
142 | ; MACH PERMISSIONS (an explicit list of service names rather than an unfiltered mach-lookup)
143 | ; ----------------
144 | (allow mach-lookup
145 | (global-name #"^com.apple.bsd.dirhelper")
146 | (global-name "com.apple.system.logger")
147 | (global-name "com.apple.system.notification_center")
148 | (global-name "com.apple.CoreServices.coreservicesd")
149 | (global-name "com.apple.SecurityServer")
150 | (global-name "com.apple.dock.server")
151 | (global-name "com.apple.distributed_notifications.2")
152 | (global-name "com.apple.audio.coreaudiod")
153 | (global-name "com.apple.audio.systemsoundserver")
154 | (global-name "com.apple.metadata.mds")
155 | (global-name "com.apple.ocspd")
156 | (global-name "com.apple.SystemConfiguration.PPPController")
157 | (global-name "en (Apple)_OpenStep")
158 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
159 | (global-name "com.apple.system.DirectoryService.membership_v1")
160 | (global-name "com.apple.windowserver.session")
161 | (global-name "com.apple.windowserver.active")
162 | (global-name "com.apple.FontServer")
163 | (global-name "com.apple.pasteboard.1")
164 | (global-name "com.apple.tsm.uiserver")
165 | (global-name "com.apple.SystemConfiguration.configd")
166 | (global-name "com.apple.VoiceOver.running")
167 | (global-name "com.apple.FontObjectsServer")
168 | (global-name "com.apple.FSEvents")
169 | (global-name "com.apple.cvmsServ")
170 | (global-name "GrowlApplicationBridgePathway")
171 | )
172 | ; ------------------------------
173 | ; MEMORY AND NETWORK PERMISSIONS
174 | ; ------------------------------
175 | ;
176 | (allow ipc-posix-shm)
177 | ; network related stuff: outbound TCP to ports 80 and 443 on any host, plus the mDNSResponder unix socket; no network-inbound rule is present
178 | ; add other ports if needed
179 | (allow network-outbound
180 | (remote tcp "*:80")
181 | (remote tcp "*:443")
182 | (remote unix-socket (path-literal "/private/var/run/mDNSResponder"))
183 | )
184 | ;
185 | (allow system-socket)
186 | ; deny everything else :-)
187 | (deny default)
188 |
189 |
190 |
--------------------------------------------------------------------------------
/profiles/tweetie.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:tweetie:Tweetie:/Applications/Tweetie.app/Contents/MacOS/Tweetie:
2 | ;; This is the seatbelt template for profiling your own apps
3 | ;; based on Vienna sandbox profile by @osxreverser
4 | ;; and Arturo Filasto'
5 | ;;
6 | ;; This Tweetie sandbox by: sk@mr-sk.com aka mr-sk aka sk
7 | ;; Pretty locked down.
8 |
9 | (version 1)
10 | (debug all)
11 | (import "bsd.sb")
12 | ;; (trace "trace.sb")
13 | (deny default)
14 |
15 | (allow network-outbound ; outbound only, tcp4 to ports 443 and 80 on any host
16 | (remote tcp4 "*:443")
17 | (remote tcp4 "*:80")
18 | )
19 |
20 | (allow sysctl-write) ; NOTE(review): unfiltered; check whether the app still runs without it
21 |
22 | (allow process-exec (literal "/Applications/Tweetie.app/Contents/MacOS/Tweetie"))
23 |
24 | ;; Read privs. NOTE(review): the /Users patterns here and in the write rule have no leading ^ and use .*, so they match that path tail anywhere and at any directory depth.
25 | (allow file-read-data
26 | (regex "^/Applications/Tweetie.app/*")
27 | (literal "/usr/share/icu/icudt40l.dat")
28 | (regex "/Users/.*/Library/Preferences/com.atebits.tweetie-mac.plist")
29 | (regex "/Users/.*/Library/Preferences/ByHost/.GlobalPreferences.*\.plist")
30 | (regex "/Users/.*/Library/Preferences/.GlobalPreferences.plist")
31 | (literal "/Library/Preferences/.GlobalPreferences.plist")
32 | (regex "/Users/.*/Library/Caches/com.atebits.tweetie.profile-images/")
33 | (literal "/Library/Fonts/Arial Unicode.ttf")
34 | (regex "/Users/.*/Library/Caches/com.atebits.tweetie-mac/*")
35 | )
36 |
37 | ;; Write privs (limited to Tweetie's own preference file and cache folders)
38 | (allow file-write*
39 | (regex "/Users/.*/Library/Preferences/com.atebits.tweetie-mac.plist")
40 | (regex "/Users/.*/Library/Caches/com.atebits.tweetie-mac/Cache*")
41 | (regex "/Users/.*/Library/Caches/com.atebits.tweetie.profile-images/*")
42 | )
43 |
44 | ;; Here are all the other calls Tweetie wants to make that I've NOT allowed
45 | ;; and the application still seems to work. Included here for your reference.
46 |
47 | ; (allow mach-lookup (global-name "com.apple.distributed_notifications.2"))
48 | ; (allow mach-lookup (global-name "com.apple.SecurityServer"))
49 | ; (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))
50 | ; (allow mach-lookup (global-name "com.apple.windowserver.session"))
51 | ; (allow mach-lookup (global-name "com.apple.dock.server"))
52 | ; (allow mach-lookup (global-name "com.apple.pasteboard.1"))
53 | ; (allow file-read-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/com.apple.IntlDataCache.le"))
54 | ; (allow file-write-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/com.apple.IntlDataCache.le"))
55 | ; (allow file-read-data (literal "/Users/.*/Library/Keyboard Layouts"))
56 | ; (allow file-read-data (literal "/Users/.*/Library/Input Methods"))
57 | ; (allow mach-lookup (global-name "com.apple.FontServer"))
58 | ; (allow file-read-xattr (literal "/Users/.*/Library/PreferencePanes"))
59 | ; (allow file-read-data (literal "/Users/.*/Library/PreferencePanes"))
60 | ; (allow file-read-data (literal "/Users/.*/Library/PreferencePanes/MySQL.prefPane"))
61 | ; (allow file-read-xattr (literal "/Library/PreferencePanes"))
62 | ; (allow file-read-data (literal "/Library/PreferencePanes"))
63 | ; (allow file-read-data (literal "/Library/PreferencePanes/MacFUSE.prefPane"))
64 | ; (allow file-read-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mds.lock"))
65 | ; (allow file-write-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mds.lock"))
66 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db"))
67 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db_"))
68 | ; (allow file-write-mode (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db_"))
69 | ; (allow file-read-data (literal "/private/var/db/mds/system/mdsObject.db"))
70 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db_"))
71 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db"))
72 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsDirectory.db_"))
73 | ; (allow file-write-mode (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsDirectory.db_"))
74 | ; (allow file-read-data (literal "/private/var/db/mds/system/mdsDirectory.db"))
75 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsDirectory.db_"))
76 | ; (allow file-write* (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsDirectory.db"))
77 | ; (allow file-read-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsObject.db"))
78 | ; (allow file-read-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/mds/mdsDirectory.db"))
79 | ; (allow file-read-data (literal "/private/var/db/mds/messages/se_SecurityMessages"))
80 | ; (allow file-read-data (literal "/Users/.*/Library/Keychains/login.keychain"))
81 | ; (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
82 | ; (allow system-socket)
83 | ; (allow file-read-data (literal "/Library/Keychains/System.keychain"))
84 | ; (allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))
85 | ; (allow network-outbound (literal "/private/var/run/mDNSResponder"))
86 | ; (allow mach-lookup (global-name "com.apple.cvmsServ"))
87 | ; (allow system-socket)
88 | ; (allow mach-lookup (global-name "com.apple.tsm.uiserver"))
89 | ; (allow mach-lookup (global-name "com.apple.ocspd"))
90 | ; (allow system-socket)
91 | ; (allow file-read-data (literal "/Users/.*/Library/Cookies/Cookies.plist"))
92 | ; (allow file-read-data (literal "/Users/.*/Library/KeyBindings/DefaultKeyBinding.dict"))
93 | ; (allow file-read-data (literal "/Users/.*/Library/Preferences/pbs.plist"))
94 | ; (allow file-read-data (literal "/Users/.*/Library/Spelling"))
95 | ; (allow file-read-data (literal "/Library/Spelling"))
96 | ; (allow file-read-data (literal "/Users/.*/Library/Preferences/ByHost/com.apple.iWork.Pages.2643F3AC-25EC-5A24-8E44-45C33127C7E5.plist"))
97 | ; (allow file-read-data (literal "/Users/.*/Library/Preferences/com.apple.iWork.Pages.plist"))
98 | ; (allow file-read-data (literal "/usr/share/langid/langid.inv"))
99 | ; (allow mach-lookup (global-name "Multilingual (Apple)_OpenStep"))
100 | ; (allow file-read-data (literal "/private/var/folders/39/39j2ZEPGGxeMpbKFRp0uBk+++TI/-Caches-/com.apple.DataDetectors.little_endian.1dac5f15f4677617"))
101 | ; (allow mach-lookup (global-name "en (Apple)_OpenStep"))
102 | ; (allow file-read-data (literal "/Users/.*/Library/Keychains/login.keychain"))
103 | ; (allow file-read-data (literal "/Library/Keychains/System.keychain"))
104 | ; (allow system-socket)
105 |
--------------------------------------------------------------------------------
/profiles/template.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:myapp:My App:/Applications/MyApp.app/Contents/MacOS/MyApp:
2 | ;; This is the seatbelt template for profiling your own apps
3 | ;; based on Vienna sandbox profile by @osxreverser
4 | ;; by Arturo Filasto'
5 | ;;
6 |
7 | (version 1)
8 | (debug allow)
9 |
10 | ; Enable this to write to trace.sb the rules that trigger a deny
11 | ; (trace "trace.sb")
12 |
13 | (allow process-exec (literal "/Applications/.app/Contents/MacOS/")) ; NOTE(review): the application name is missing from this path - fill in the executable named in the header line before use
14 |
15 | ; Some applications require to fork. Start by disabling this
16 | ; (allow process-fork)
17 |
18 | ; it needs to read some sysctl variables
19 | ; (allow sysctl-read)
20 |
21 | ; where? (left disabled; enable only if a logged denial shows the app needs it)
22 | ; (allow sysctl-write)
23 |
24 | ; ----------------
25 | ; READ PERMISSIONS
26 | ; ----------------
27 |
28 | ;
29 | ; MyApp specific reading permissions
30 | ; ----------------
31 |
32 | (allow file-read*
33 | (regex
34 | ; MyApp itself
35 | #"^/Applications/MyApp.app/*"
36 | ; Growl
37 | #"^/Library/PreferencePanes/Growl.prefPane/*"
38 | )
39 | )
40 |
41 | ; read the applications metadata. NOTE(review): (literal ...) compares the exact path, so the literal entries in this template that contain [^.]+ are not treated as regexes and will not match a real home directory; use (regex ...) for them.
42 | (allow file-read-data file-read-metadata
43 | (literal "/Users/[^.]+/Library/Preferences/myapp.plist")
44 | )
45 |
46 | ; allow read application data
47 | (allow file-read*
48 | (regex
49 | #"^/Users/[^.]+/Library/Application Support/MyApp/*"
50 | )
51 | )
52 | ; ----------------
53 |
54 |
55 |
56 | ; System read permission
57 | ; -----------------
58 | ; allow read system libraries and frameworks (from bsd.sb)
59 | ; these are generally ok left like this
60 |
61 | (allow file-read-data file-read-metadata
62 | (regex
63 | #"^/usr/lib/.*\.dylib$"
64 | #"^/usr/lib/info/.*\.so$"
65 | #"^/private/var/db/dyld/"
66 | #"^/System/Library/Frameworks/*"
67 | #"^/System/Library/PrivateFrameworks/*"
68 | #"^/System/Library/*"
69 | )
70 | )
71 |
72 | (allow file-read*
73 | (regex
74 | #"^/usr/share/zoneinfo/*"
75 | #"^/dev/*"
76 | #"^/usr/share/icu/*"
77 | )
78 | (regex
79 | #"^/private/var/folders/*"
80 | ; do we really need access to keychains ? NOTE(review): the next pattern makes everything under the user's Keychains folder readable; as a template default it is safer to remove it and add it back only if a logged denial requires it.
81 | #"^/Users/[^.]+/Library/Keychains/*"
82 | #"^/Library/Fonts/*"
83 | #"^/Users/[^.]+/Library/Caches/*"
84 | #"^/Users/[^.]+/Library/InputManagers/*"
85 | ; what's this ???
86 | #"^/private/var/db/mds/system/*"
87 | )
88 | (literal "/private/etc/localtime")
89 | (literal "/Users/[^.]+/Library/Preferences/com.apple.security.plist")
90 | (literal "/private/var/db/mds/messages/se_SecurityMessages")
91 | (literal "/Users/[^.]+/Library/Preferences/com.apple.systemuiserver.plist")
92 | (literal "/Users/[^.]+/Library/Cookies/Cookies.plist")
93 | (literal "/Users/[^.]+/Library/Preferences/com.apple.LaunchServices.plist")
94 | (literal "/Users/[^.]+/Library/Preferences/pbs.plist")
95 | )
96 |
97 | (allow file-read-metadata
98 | (literal "/")
99 | (literal "/var")
100 | (literal "/Applications")
101 | (literal "/etc")
102 | (literal "/Users")
103 | (literal "/Users/[^.]+")
104 | (literal "/System")
105 | (literal "/Users/[^.]+/Library/Preferences")
106 | (literal "/Library")
107 | (literal "/Users/[^.]+/Library")
108 | (literal "/Library/PreferencePanes")
109 | )
110 |
111 | ; allow read to preferences files
112 | (allow file-read-data file-read-metadata
113 | (regex #"^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*")
114 | (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
115 | (literal "/Library/Preferences/.GlobalPreferences.plist")
116 | )
117 |
118 | ; web browsing related
119 | (allow file-read*
120 | (regex
121 | #"^/Users/[^.]+/Library/Icons/*"
122 | #"^/Users/[^.]+/Library/Internet Plug-Ins/*"
123 | #"^/Library/Internet Plug-Ins/*"
124 | )
125 | ; still missing some? well we could even remove quicktime and java :-)
126 | (literal "/Users/[^.]+/Library/Preferences/com.github.rentzsch.clicktoflash.plist")
127 | (literal "/Users/[^.]+/Library/Preferences/com.apple.java.JavaPreferences.plist")
128 | (literal "/Users/[^.]+/Library/Preferences/com.apple.quicktime.plugin.preferences.plist")
129 | )
130 | ; -----------------
131 |
132 |
133 | ; -----------------
134 | ; WRITE PERMISSIONS
135 | ; -----------------
136 | ; allow write to dtrace related stuff
137 | (allow file-write* file-ioctl
138 | (regex #"^/dev/dtracehelper$")
139 | )
140 | (allow file-write* ; NOTE(review): these entries still name Vienna's Application Support folder and preference file - replace them with your application's paths; the Caches and Cookies patterns cover every application's data in those folders
141 | (regex
142 | #"^/Users/[^.]+/Library/Application Support/Vienna/*"
143 | #"^/Users/[^.]+/Library/Caches/*"
144 | #"/Users/Shared/SC Info" #"^/Users/[^.]+/Library/Cookies/*"
145 | #"^/private/var/tmp/tmp.*"
146 | #"^/private/var/folders/*"
147 | #"^/Users/[^.]+/Library/Preferences/uk.co.opencommunity.vienna2.plist*"
148 | )
149 | )
150 | ; web browsing related. NOTE(review): (literal ...) is an exact path comparison, so these two entries containing [^.]+ will not match a real user directory.
151 | (allow file-write-data
152 | (literal "/Users/[^.]+/Library/Icons/WebpageIcons.db")
153 | )
154 |
155 | (allow file-write*
156 | (literal "/Users/[^.]+/Library/Icons/WebpageIcons.db-journal")
157 | )
158 |
159 | ; ----------------
160 | ; MACH PERMISSIONS (an explicit list of service names; trim it to what your application actually looks up)
161 | ; ----------------
162 | (allow mach-lookup
163 | (global-name #"^com.apple.bsd.dirhelper")
164 | (global-name "com.apple.system.logger")
165 | (global-name "com.apple.system.notification_center")
166 | (global-name "com.apple.CoreServices.coreservicesd")
167 | (global-name "com.apple.SecurityServer")
168 | (global-name "com.apple.dock.server")
169 | (global-name "com.apple.distributed_notifications.2")
170 | (global-name "com.apple.audio.coreaudiod")
171 | (global-name "com.apple.audio.systemsoundserver")
172 | (global-name "com.apple.metadata.mds")
173 | (global-name "com.apple.ocspd")
174 | (global-name "com.apple.SystemConfiguration.PPPController")
175 | (global-name "en (Apple)_OpenStep")
176 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
177 | (global-name "com.apple.system.DirectoryService.membership_v1")
178 | (global-name "com.apple.windowserver.session")
179 | (global-name "com.apple.windowserver.active")
180 | (global-name "com.apple.FontServer")
181 | (global-name "com.apple.pasteboard.1")
182 | (global-name "com.apple.tsm.uiserver")
183 | (global-name "com.apple.SystemConfiguration.configd")
184 | (global-name "com.apple.VoiceOver.running")
185 | (global-name "com.apple.FontObjectsServer")
186 | (global-name "com.apple.FSEvents")
187 | (global-name "com.apple.cvmsServ")
188 | (global-name "GrowlApplicationBridgePathway")
189 | )
190 | ; ------------------------------
191 | ; MEMORY AND NETWORK PERMISSIONS
192 | ; ------------------------------
193 |
194 | ; network related stuff: outbound TCP to ports 80 and 443 on any host, plus the mDNSResponder unix socket; no network-inbound rule is present
195 | ; add other ports if needed
196 | (allow network-outbound
197 | (remote tcp "*:80")
198 | (remote tcp "*:443")
199 | (remote unix-socket (path-literal "/private/var/run/mDNSResponder"))
200 | )
201 |
202 | ; required to build sockets
203 | (allow system-socket)
204 |
205 | (allow ipc-posix-shm)
206 |
207 |
208 | ; Make this profile whitelist based: whatever no rule above allows is denied
209 | (deny default)
210 |
--------------------------------------------------------------------------------
/profiles/Ventrilo-profile.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:ironventrilo:Iron Ventrilo:/Applications/Ventrilo.app/Contents/MacOS/Ventrilo:
2 | ;;
3 | ;; MacOSX Sandbox profile for the Ventrilo client
4 | ;;
5 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
6 | ;;
7 | ;; Redistribution and use in source and binary forms, with or without modification, are
8 | ;; permitted provided that the following conditions are met:
9 | ;;
10 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
11 | ;; conditions and the following disclaimer.
12 | ;;
13 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
14 | ;; of conditions and the following disclaimer in the documentation and/or other materials
15 | ;; provided with the distribution.
16 | ;;
17 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
19 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
20 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
23 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
24 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 | ;;
27 | ;; The views and conclusions contained in the software and documentation are those of the
28 | ;; authors and should not be interpreted as representing official policies, either expressed
29 | ;; or implied, of Robert Malmgren AB.
30 | ;;
31 | ;;
32 |
33 | (version 1)
34 |
35 | (deny default) ; allowlist model: operations without a matching allow rule are refused
36 | (debug deny) ; log denied operations, which is what you read when a rule turns out to be missing
37 |
38 | (allow file-ioctl
39 | (literal "/dev/dtracehelper"))
40 |
41 | (allow file-read-data ; files and directories whose contents Ventrilo may read
42 | (literal "/Applications/Ventrilo.app")
43 | (literal "/Applications/Ventrilo.app/Contents")
44 | (literal "/Applications/Ventrilo.app/Contents/Info.plist")
45 | (literal "/Applications/Ventrilo.app/Contents/MacOS/Ventrilo")
46 | (literal "/Applications/Ventrilo.app/Contents/Resources")
47 | (literal "/Applications/Ventrilo.app/Contents/Resources/English.lproj")
48 | (literal "/Applications/Ventrilo.app/Contents/Resources/English.lproj/InfoPlist.strings")
49 | (literal "/Applications/Ventrilo.app/Contents/Resources/English.lproj/main.nib/objects.xib")
50 | (literal "/Applications/Ventrilo.app/Contents/Resources/Ventrilo.rsrc")
51 | (literal "/Applications/Ventrilo.app/Contents/Resources/Ventrilo.rsrc/..namedfork/rsrc")
52 | (literal "/Library/Audio/Plug-Ins/HAL")
53 | (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
54 | (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents")
55 | (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents/Info.plist")
56 | (subpath "/Library/Preferences/Ventrilo/wav")
57 | (literal "/Library/Preferences/.GlobalPreferences.plist")
58 | (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist") ; NOTE(review): regex syntax inside `literal`; the filter compares the string as-is, so this entry and the three Ventrilo entries below match no real home directory unless the loader rewrites them; confirm
59 | (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$") ; [^.]+ excludes only dots: it spans "/" (deeper paths match) and rejects user names containing a dot; [^/]+ pins it to one path component
60 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/.ventrilo.pwc")
61 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/default.vet")
62 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/ventrilo2.ini")
63 | (literal "/dev/dtracehelper")
64 | (literal "/dev/null")
65 | (literal "/dev/urandom")
66 | (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/com\.apple\.IntlDataCache\.le$")
67 | (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/com\.apple\.IntlDataCache\.le\.sbdl$")
68 | (subpath "/System")
69 | (subpath "/tmp") ; shared temp directories: whatever other programs leave here becomes readable (subject to file permissions)
70 | (subpath "/private/tmp")
71 | (subpath "/usr/share"))
72 |
73 | (allow file-read-metadata ; paths whose metadata may be read; contents are covered by the file-read-data rule
74 | (literal "/")
75 | (literal "/Applications")
76 | (subpath "/Applications/Ventrilo.app")
77 | (subpath "/Library/Preferences/Ventrilo/wav")
78 | (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
79 | (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents")
80 | (literal "/Library/Preferences/.GlobalPreferences.plist")
81 | (subpath "/Library/Preferences/Ventrilo/wav") ; duplicate of the entry on line 77
82 | (literal "/Users/[^.]+") ; NOTE(review): regex syntax inside `literal` (also on the next four entries); compared as-is it names no real directory unless the loader rewrites it; confirm
83 | (literal "/Users/[^.]+/Library")
84 | (literal "/Users/[^.]+/Library/Audio/Plug-Ins/Components")
85 | (literal "/Users/[^.]+/Library/Preferences")
86 | (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
87 | (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$") ; [^.]+ also spans "/"; [^/]+ would limit it to a single user directory
88 | (literal "/etc")
89 | (literal "/private/etc/localtime")
90 | (literal "/private/var/db/.AppleSetupDone")
91 | (subpath "/private/var/folders/Fm") ; NOTE(review): "Fm" looks like one machine's per-user folder name; the file-read-data rule uses a [^/]+/[^/]+ regex for the same tree, so this entry presumably does not carry over to other systems
92 | (literal "/tmp")
93 | (literal "/var")
94 | (subpath "/System")
95 | (subpath "/usr/lib")
96 | (subpath "/tmp") ; already includes the literal "/tmp" on line 92
97 | (subpath "/private/tmp")
98 | (subpath "/usr/share"))
99 |
100 | (allow file-write* ; every write operation (create, modify, delete, rename) on these paths
101 | (subpath "/tmp") ; shared temp directories are writable, so files placed there by other programs are within reach (subject to file permissions)
102 | (subpath "/private/tmp")
103 | (subpath "/Users/[^.]+/Library/Application Support/Skype") ; NOTE(review): a Skype directory in the Ventrilo profile looks like a copy-paste leftover; it grants write access unrelated to this app, so confirm and remove
104 | (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist") ; NOTE(review): regex syntax inside `literal`/`subpath` (lines 103-105) is compared as-is; only the regex on line 106 can match a real home directory
105 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/ventrilo.log")
106 | (regex "^/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist.*$")) ; lets the app rewrite the user's global preferences file and any path sharing that prefix; [^.]+ also spans "/"
107 |
108 | (allow file-write-data
109 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/.ventrilo.pwc")
110 | (literal "/Users/[^.]+/Library/Preferences/Ventrilo/ventrilo2.ini")
111 | (literal "/dev/dtracehelper")
112 | (regex #"^/private/var/folders/[^/]+/[^/]+/-Caches-/com\.apple\.IntlDataCache\.le$"))
113 |
114 | (allow ipc-posix-shm)
115 |
116 | (allow mach-lookup
117 | (global-name "com.apple.CoreServices.coreservicesd")
118 | (global-name "com.apple.FontObjectsServer")
119 | (global-name "com.apple.FontServer")
120 | (global-name "com.apple.SecurityServer")
121 | (global-name "com.apple.SystemConfiguration.configd")
122 | (global-name "com.apple.audio.coreaudiod")
123 | (global-name "com.apple.distributed_notifications.2")
124 | ;; (global-name "com.apple.dock.server")
125 | (global-name "com.apple.pasteboard.1")
126 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
127 | (global-name "com.apple.system.DirectoryService.membership_v1")
128 | (global-name "com.apple.system.notification_center")
129 | (global-name "com.apple.tsm.uiserver")
130 | (global-name "com.apple.windowserver.session"))
131 |
132 | (allow network-inbound ; inbound UDP
133 | (local udp "*:*") ; wildcard port: this entry already admits UDP on every local port, which makes the two port-specific entries below redundant; drop it if only those ports are needed
134 | (local udp "*:59503")
135 | (local udp "*:60615"))
136 |
137 | (allow network-outbound ; outbound traffic, limited by remote port; the host part is a wildcard everywhere
138 | (literal "/private/var/run/mDNSResponder") ; NOTE(review): other profiles in this repository write this as (remote unix-socket (path-literal ...)); confirm this form is accepted for a socket path
139 | (remote tcp "*:4203")
140 | (remote tcp "*:52674")
141 | (remote udp "*:4203")
142 | (remote udp "*:5000")
143 | (remote udp "*:52674")
144 | (remote udp "*:6100"))
145 |
146 | (allow process-exec ; only the Ventrilo binary itself may be executed; no helper programs are allowed
147 | (literal "/Applications/Ventrilo.app/Contents/MacOS/Ventrilo"))
148 |
149 | (allow sysctl-read) ; no filter: every sysctl value may be read
150 |
--------------------------------------------------------------------------------
/profiles/firefox-profile.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:ironfox:Iron Fox:/Applications/Firefox.app/Contents/MacOS/firefox:
2 | ;; MacOSX Sandbox profile for ironfox
3 | ;;
4 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
5 | ;;
6 | ;; Redistribution and use in source and binary forms, with or without modification, are
7 | ;; permitted provided that the following conditions are met:
8 | ;;
9 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
10 | ;; conditions and the following disclaimer.
11 | ;;
12 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
13 | ;; of conditions and the following disclaimer in the documentation and/or other materials
14 | ;; provided with the distribution.
15 | ;;
16 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
18 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
19 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
22 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
23 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 | ;;
26 | ;; The views and conclusions contained in the software and documentation are those of the
27 | ;; authors and should not be interpreted as representing official policies, either expressed
28 | ;; or implied, of Robert Malmgren AB.
29 | ;;
30 | ;; Written by andreas@romab.com
31 | ;; adapted for plugin-system by
32 | ;; rom@romab.com
33 | ;;
34 | (version 1)
35 |
36 | (deny default) ; allowlist model: operations without a matching allow rule are refused
37 |
38 | (allow network-outbound) ; no filter: any protocol, host and port. Expected for a browser, but it means the sandbox does not limit where data read under the file rules below can be sent
39 |
40 | (allow file-ioctl
41 | (literal "/Applications/Firefox.app/Contents/MacOS/firefox")
42 | (literal "/dev/urandom")
43 | (literal "/dev/dtracehelper"))
44 |
45 | (allow file-read-data file-read-metadata ; paths whose contents and metadata Firefox may read
46 | (subpath "/Library/Application Support/Mozilla/Extensions")
47 | (subpath "%%homedir%%/Library/Caches/TemporaryItems") ; %%homedir%% and %%tmpdir%% are placeholders, presumably filled in by the loader before the profile is applied
48 | (subpath "%%homedir%%/Library/Internet Plug-Ins")
49 | (subpath "/Library/ColorSync/Profiles/Displays")
50 | (subpath "/Library/Fonts")
51 | (subpath "/Applications/IronFox.app")
52 | (subpath "/Applications/Firefox.app")
53 | (literal "/Library/Preferences/.GlobalPreferences.plist")
54 | (subpath "%%homedir%%/Downloads") ; everything in Downloads is readable, not only files this browser saved there
55 | (subpath "%%homedir%%/Library/Application Support/Firefox")
56 | (subpath "%%homedir%%/Library/Caches/Firefox")
57 | (regex "^%%homedir%%/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist") ; no trailing $, so longer paths with this prefix also match. NOTE(review): backslash escapes sit in a plain "..." string while the Ventrilo profile uses #"..." for escaped patterns; confirm they are read as intended
58 | (literal "%%homedir%%/Library/Preferences/.GlobalPreferences.plist")
59 | (literal "%%homedir%%/Library/Preferences/org.mozilla.firefox.plist")
60 | (literal "%%homedir%%/Library/Preferences/com.apple.internetconfigpriv.plist")
61 | (literal "%%homedir%%/Library/Preferences/com.apple.LaunchServices.plist")
62 | (subpath "%%homedir%%/Library/Application Support/Mozilla")
63 | (literal "/dev/urandom")
64 | (literal "/usr")
65 | (literal "/private")
66 | (subpath "%%tmpdir%%")
67 | (subpath "/private%%tmpdir%%")
68 | ; ugly rules, should be more finegrained: these three subpaths expose whole system trees for reading
69 | (subpath "/System")
70 | (subpath "/usr/lib")
71 | (subpath "/usr/share"))
72 |
73 | (allow file-read-data ; contents-only read access to a few device nodes and one resource fork
74 | (literal "/dev/dtracehelper")
75 | (literal "/dev/null")
76 | (literal "/dev/tty")
77 | (literal "/usr/bin/open/..namedfork/rsrc"))
78 | ; this disables lots of logging
79 | ;(deny file-read-metadata (with no-log))
80 | (allow file-read-metadata ; metadata-only access; contents of these paths stay unreadable unless another rule grants file-read-data
81 | (literal "/private/etc/localtime")
82 | (literal "/")
83 | (literal "/Applications")
84 | (literal "/Library")
85 | (literal "/Users")
86 | (literal "%%homedir%%")
87 | (literal "%%homedir%%/Library")
88 | (literal "%%homedir%%/Library/Application Support")
89 | (literal "%%homedir%%/Library/Caches")
90 | (literal "%%homedir%%/Library/PreferencePanes")
91 | (literal "/Library/Application Support")
92 | (subpath "/Library/Application Support/Mozilla")
93 | (literal "/Library/PreferencePanes")
94 | (subpath "/Library/PreferencePanes/Growl.prefPane")
95 | (literal "/etc")
96 | (literal "/usr/bin/open")
97 | (subpath "%%homedir%%/Library/Preferences") ; metadata for every preference file of the user: contents are not granted here, but existence and timestamps of other applications' preference files can be probed
98 | (literal "/private/etc/passwd") ; metadata only; no rule in this profile grants reading its contents
99 | (literal "/tmp")
100 | (literal "/var"))
101 |
102 | (allow file-write-data ; data writes to two device nodes
103 |
104 | (literal "/dev/dtracehelper")
105 | (literal "/dev/tty"))
106 |
107 | ; we don't want to know about .GlobalPreferences.
108 | ;(deny file-write* (regex "^%%homedir%%/Library/Preferences/\.GlobalPreferences.*$") (with no-log))
109 |
110 | (allow file-write* ; every write operation (create, modify, delete, rename) on these paths
111 | (subpath "%%homedir%%/Library/Caches/TemporaryItems")
112 | (subpath "%%homedir%%/Library/Caches/Firefox")
113 | (subpath "%%tmpdir%%")
114 | (subpath "/private%%tmpdir%%")
115 | (subpath "%%homedir%%/Library/Application Support/Firefox/Crash Reports")
116 | (regex "^%%homedir%%/Library/Preferences/org.mozilla.firefox.*$") ; trailing .* accepts any suffix, so every path under Preferences that starts with "org.mozilla.firefox" is writable; the unescaped dots match any character
117 | (regex "^%%homedir%%/Library/Preferences/.GlobalPreferences.plist\..*$") ; NOTE(review): %%homedir%% lands inside a regex; if the substituted path contains regex metacharacters (a dot in the user name, say) they are presumably not escaped, so check the loader
118 | (subpath "%%homedir%%/Downloads") ; existing files in Downloads can be overwritten or deleted, not only newly saved ones
119 | (subpath "%%homedir%%/Library/Application Support/Firefox/Profiles"))
120 |
121 | (allow ipc-posix-shm)
122 |
123 | (allow mach-lookup
124 | (global-name "com.apple.CoreServices.coreservicesd")
125 | (global-name "com.apple.SecurityServer")
126 | (global-name "com.apple.SystemConfiguration.configd")
127 | (global-name "com.apple.distributed_notifications.2")
128 | (global-name "com.apple.dock.server")
129 | (global-name "com.apple.FontServer")
130 | (global-name "com.apple.FontObjectsServer")
131 | (global-name "com.apple.metadata.mds")
132 | (global-name "com.apple.tsm.uiserver")
133 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
134 | (global-name "com.apple.system.DirectoryService.membership_v1")
135 | (global-name "com.apple.system.logger")
136 | (global-name "com.apple.system.notification_center")
137 | (global-name "com.apple.pasteboard.1")
138 | (global-name "com.apple.windowserver.session")
139 | (global-name "com.apple.windowserver.active"))
140 |
141 | (allow process-exec ; programs Firefox may execute
142 | (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
143 | ;; nss uses this for random data. probably a bug in nss_lib for ff for mac.
144 | (literal "/usr/sbin/netstat")
145 | (literal "/usr/bin/basename"))
146 |
147 | (allow process-fork)
148 | (allow job-creation)
149 |
150 | (allow sysctl-read) ; no filter: every sysctl value may be read
151 |
152 | (allow system-socket)
153 |
154 | ; this is needed otherwise ff won't be able to rename files in
155 | ; ~/Downloads
156 | (allow file-read-data
157 | (literal "%%homedir%%")) ; reading the directory itself exposes the names of the entries in the home directory, not their contents
158 | ;ff needs to kill pluginhelper
159 | (allow signal) ; NOTE(review): no target filter, so the rule is not limited to the plugin helper; narrow it if the OS version offers a suitable filter
160 |
161 | (allow process-exec ; plugin host processes
162 | (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" )
163 | (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container-real" ))
164 | (allow file-read-data file-read-metadata
165 | (literal "/dev/fd")
166 | (literal "/Library")
167 | (literal "%%homedir%%/Library")
168 | (literal "%%homedir%%/Library/Caches")
169 | (literal "%%homedir%%/Library/Application Support"))
170 |
171 | (allow mach-lookup ; additional Mach services, added alongside the plugin-container rules above
172 | (global-name "com.apple.cvmsServ")
173 | (global-name "com.apple.audio.coreaudiod")
174 | (global-name-regex "^gecko-crash-server-pipe.*") ; prefix match: any service name starting with this string is allowed
175 | (global-name-regex "^org.mozilla.machname.*")) ; prefix match; the unescaped dots match any character
176 |
--------------------------------------------------------------------------------
/profiles/firefox-profile-10.7.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:ironfox10.7:Iron Fox 10.7:/Applications/Firefox.app/Contents/MacOS/firefox:
2 | ;; MacOSX Sandbox profile for ironfox
3 | ;;
4 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
5 | ;;
6 | ;; Redistribution and use in source and binary forms, with or without modification, are
7 | ;; permitted provided that the following conditions are met:
8 | ;;
9 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
10 | ;; conditions and the following disclaimer.
11 | ;;
12 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
13 | ;; of conditions and the following disclaimer in the documentation and/or other materials
14 | ;; provided with the distribution.
15 | ;;
16 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
18 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
19 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
22 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
23 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 | ;;
26 | ;; The views and conclusions contained in the software and documentation are those of the
27 | ;; authors and should not be interpreted as representing official policies, either expressed
28 | ;; or implied, of Robert Malmgren AB.
29 | ;;
30 | ;; Written by andreas@romab.com
31 | ;; adapted for plugin-system by
32 | ;; rom@romab.com
33 | ;;
34 | (version 1)
35 |
36 | (deny default) ; allowlist model: operations without a matching allow rule are refused
37 |
38 | (allow network-outbound) ; no filter: any protocol, host and port. Expected for a browser, but it means the sandbox does not limit where data read under the file rules below can be sent
39 |
40 | (allow file-ioctl
41 | (literal "/Applications/Firefox.app/Contents/MacOS/firefox")
42 | (literal "/dev/urandom")
43 | (literal "/dev/dtracehelper"))
44 |
45 | (allow file-read-data file-read-metadata
46 | (subpath "/Library/Application Support/Mozilla/Extensions")
47 | (subpath "%%homedir%%/Library/Caches/TemporaryItems")
48 | (subpath "%%homedir%%/Library/Internet Plug-Ins")
49 | (subpath "/Library/ColorSync/Profiles/Displays")
50 | (subpath "/Library/Fonts")
51 | (subpath "/Applications/IronFox.app")
52 | (subpath "/Applications/Firefox.app")
53 | (literal "/Library/Preferences/.GlobalPreferences.plist")
54 | (subpath "%%homedir%%/Downloads")
55 | (subpath "%%homedir%%/Library/Application Support/Firefox")
56 | (subpath "%%homedir%%/Library/Caches/Firefox")
57 | (regex "^%%homedir%%/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist")
58 | (literal "%%homedir%%/Library/Preferences/.GlobalPreferences.plist")
59 | (literal "%%homedir%%/Library/Preferences/org.mozilla.firefox.plist")
60 | (literal "%%homedir%%/Library/Preferences/com.apple.internetconfigpriv.plist")
61 | (literal "%%homedir%%/Library/Preferences/com.apple.LaunchServices.plist")
62 | (subpath "%%homedir%%/Library/Application Support/Mozilla")
63 | (literal "/dev/urandom")
64 | (literal "/usr")
65 | (literal "/private")
66 | (subpath "%%tmpdir%%")
67 | (subpath "/private%%tmpdir%%")
68 | ; ugly rules, should be more finegrained.
69 | (subpath "/System")
70 | (subpath "/usr/lib")
71 | (subpath "/usr/share"))
72 |
73 | (allow file-read-data
74 | (literal "/dev/dtracehelper")
75 | (literal "/dev/null")
76 | (literal "/dev/tty")
77 | (literal "/usr/bin/open/..namedfork/rsrc"))
78 | ; this disables lots of loggin
79 | ;(deny file-read-metadata (with no-log))
80 | (allow file-read-metadata
81 | (literal "/private/etc/localtime")
82 | (literal "/")
83 | (literal "/Applications")
84 | (literal "/Library")
85 | (literal "/Users")
86 | (literal "%%homedir%%")
87 | (literal "%%homedir%%/Library")
88 | (literal "%%homedir%%/Library/Application Support")
89 | (literal "%%homedir%%/Library/Caches")
90 | (literal "%%homedir%%/Library/PreferencePanes")
91 | (literal "/Library/Application Support")
92 | (subpath "/Library/Application Support/Mozilla")
93 | (literal "/Library/PreferencePanes")
94 | (subpath "/Library/PreferencePanes/Growl.prefPane")
95 | (literal "/etc")
96 | (literal "/usr/bin/open")
97 | (subpath "%%homedir%%/Library/Preferences")
98 | (literal "/private/etc/passwd")
99 | (literal "/tmp")
100 | (literal "/var"))
101 |
102 | (allow file-write-data ; data writes to two device nodes
103 |
104 | (literal "/dev/dtracehelper")
105 | (literal "/dev/tty"))
106 |
107 | ; we don't want to know about .GlobalPreferences.
108 | ;(deny file-write* (regex "^%%homedir%%/Library/Preferences/\.GlobalPreferences.*$") (with no-log))
109 |
110 | (allow file-write* ; every write operation (create, modify, delete, rename) on these paths
111 | (subpath "%%homedir%%/Library/Caches/TemporaryItems")
112 | (subpath "%%homedir%%/Library/Caches/Firefox")
113 | (subpath "%%tmpdir%%")
114 | (subpath "/private%%tmpdir%%")
115 | (subpath "%%homedir%%/Library/Application Support/Firefox/Crash Reports")
116 | (regex "^%%homedir%%/Library/Preferences/org.mozilla.firefox.*$") ; trailing .* accepts any suffix, so every path under Preferences that starts with "org.mozilla.firefox" is writable; the unescaped dots match any character
117 | (regex "^%%homedir%%/Library/Preferences/.GlobalPreferences.plist\..*$") ; NOTE(review): %%homedir%% lands inside a regex; if the substituted path contains regex metacharacters they are presumably not escaped, so check the loader
118 | (subpath "%%homedir%%/Downloads") ; existing files in Downloads can be overwritten or deleted, not only newly saved ones
119 | (subpath "%%homedir%%/Library/Application Support/Firefox/Profiles"))
120 |
121 | (allow ipc-posix-shm)
122 |
123 | (allow mach-lookup
124 | (global-name "com.apple.CoreServices.coreservicesd")
125 | (global-name "com.apple.SecurityServer")
126 | (global-name "com.apple.SystemConfiguration.configd")
127 | (global-name "com.apple.distributed_notifications.2")
128 | (global-name "com.apple.dock.server")
129 | (global-name "com.apple.FontServer")
130 | (global-name "com.apple.FontObjectsServer")
131 | (global-name "com.apple.metadata.mds")
132 | (global-name "com.apple.tsm.uiserver")
133 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
134 | (global-name "com.apple.system.DirectoryService.membership_v1")
135 | (global-name "com.apple.system.logger")
136 | (global-name "com.apple.system.notification_center")
137 | (global-name "com.apple.pasteboard.1")
138 | (global-name "com.apple.windowserver.session")
139 | (global-name "com.apple.windowserver.active"))
140 |
141 | (allow process-exec
142 | (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
143 | ;; nss uses this for random data. probably a bug in nss_lib for ff for mac.
144 | (literal "/usr/sbin/netstat")
145 | (literal "/usr/bin/basename"))
146 |
147 | (allow process-fork)
148 | (allow job-creation)
149 |
150 | (allow sysctl-read)
151 |
152 | (allow system-socket)
153 |
154 | ; this is needed otherwise ff won't be able to rename files in
155 | ; ~/Downloads
156 | (allow file-read-data
157 | (literal "%%homedir%%")) ; reading the directory itself exposes the names of the entries in the home directory, not their contents
158 | ;ff needs to kill pluginhelper
159 | (allow signal) ; NOTE(review): no target filter, so the rule is not limited to the plugin helper; narrow it if the OS version offers a suitable filter
160 |
161 | (allow process-exec
162 | (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" )
163 | (literal "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container-real" ))
164 | (allow file-read-data file-read-metadata
165 | (literal "/dev/fd")
166 | (literal "/Library")
167 | (literal "%%homedir%%/Library")
168 | (literal "%%homedir%%/Library/Caches")
169 | (literal "%%homedir%%/Library/Application Support"))
170 |
171 | (allow mach-lookup ; additional Mach services; the first three entries are absent from firefox-profile.sb
172 | (global-name "com.apple.pbs.fetch_services")
173 | (global-name "com.apple.window_proxies")
174 | (global-name "com.apple.audio.audiohald")
175 | (global-name "com.apple.cvmsServ")
176 | (global-name "com.apple.audio.coreaudiod")
177 | (global-name-regex "^gecko-crash-server-pipe.*") ; prefix match: any service name starting with this string is allowed
178 | (global-name-regex "^org.mozilla.machname.*")) ; prefix match; the unescaped dots match any character
179 |
180 | (allow iokit-open) ; no filter: any IOKit user client may be opened, which puts a lot of driver code within reach of the sandboxed process. NOTE(review): narrow with an iokit-user-client-class filter once the classes Firefox needs are known
181 |
--------------------------------------------------------------------------------
/profiles/VLC-profile.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:ironvlc:Iron VLC:/Applications/VLC.app/Contents/MacOS/VLC:
2 | ;;
3 | ;; MacOSX Sandbox profile - shared definitions and requirements for most standard programs.
4 | ;;
5 | ;; Version 0.1
6 | ;;
7 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
8 | ;;
9 | ;; Redistribution and use in source and binary forms, with or without modification, are
10 | ;; permitted provided that the following conditions are met:
11 | ;;
12 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
13 | ;; conditions and the following disclaimer.
14 | ;;
15 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
16 | ;; of conditions and the following disclaimer in the documentation and/or other materials
17 | ;; provided with the distribution.
18 | ;;
19 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
20 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
21 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
22 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
25 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
26 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
27 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 | ;;
29 | ;; The views and conclusions contained in the software and documentation are those of the
30 | ;; authors and should not be interpreted as representing official policies, either expressed
31 | ;; or implied, of Robert Malmgren AB.
32 | ;;
33 |
34 | (version 1)
35 |
36 | (deny default)
37 | (debug deny)
38 |
39 | (allow file-ioctl
40 | (literal "/dev/dtracehelper"))
41 |
42 | (allow file-read-data ; files and directories whose contents VLC may read
43 | (subpath "/Applications/VLC.app")
44 | (subpath "/Applications/QuickTime Player.app")
45 | (subpath "/Applications/Flip4Mac")
46 |
47 | (subpath "/Volumes") ; every mounted volume (external disks, disk images, network shares) is readable; media stored elsewhere, e.g. under the home directory, is not covered by this rule
48 |
49 | (subpath "/Users/[^.]+/.dvdcss") ; NOTE(review): regex syntax inside `subpath`/`literal` is compared as-is, so this and the next two entries match no real home directory unless the loader rewrites them; confirm
50 | (subpath "/Users/[^.]+/.dvdnav")
51 | (subpath "/Users/[^.]+/Library/Preferences/VLC")
52 | (literal "/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist")
53 | (regex "^/Users/[^.]+/Library/Preferences/org.videolan.vlc.*$") ; [^.]+ excludes only dots, so it also spans "/"; [^/]+ pins it to one path component
54 | (literal "/dev/dtracehelper")
55 | (subpath "/System")
56 | (subpath "/usr/share"))
57 |
58 | (allow file-read-metadata
59 | ;;
60 | ;; First off, some bug compliance things to not break VLC when reading network streams
61 | ;;
62 | (literal "/home")
63 | (literal "/net")
64 |
65 | (literal "/")
66 | (literal "/Applications/Utilities")
67 | (subpath "/Applications/QuickTime Player.app")
68 | (subpath "/Applications/Flip4Mac")
69 | (literal "/Users")
70 | (subpath "/Applications/VLC.app")
71 | (subpath "/Volumes")
72 | (subpath "/Users/[^.]+/.dvdcss")
73 | (subpath "/Users/[^.]+/.dvdnav")
74 | (literal "/Users/[^.]+/Library")
75 | (literal "/Users/[^.]+/Library/Preferences/VLC/ml.xspf")
76 | (literal "/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist")
77 | (regex "^/Users/[^.]+/Library/Preferences/org.videolan.vlc.*$")
78 | (literal "/etc")
79 | (literal "/var")
80 | (literal "/tmp")
81 | (subpath "/System")
82 | (subpath "/usr/lib")
83 | (subpath "/usr/share"))
84 |
85 | (allow file-read-data file-read-metadata ; paths whose contents and metadata VLC may read
86 | (literal "/dev/urandom")
87 | (subpath "/private/var/folders") ; the whole per-user temp/cache tree, not only this user's or this app's part (file permissions still apply)
88 | (subpath "/private/var/db/mds")
89 | (literal "/private/var/db/.AppleSetupDone")
90 | (literal "/private/etc/localtime")
91 | (literal "/dev/random")
92 | (literal "/dev/null")
93 | (literal "/Applications")
94 | (literal "/Users/[^.]+") ; NOTE(review): regex syntax inside `literal`/`subpath` (here and below) is compared as-is; only the two `regex` entries at the end can match a real home directory unless the loader rewrites these
95 | (literal "/Users/[^.]+/Library/Preferences")
96 | (subpath "/Users/[^.]+/Library/Audio")
97 |
98 | (literal "/Library/Preferences/.GlobalPreferences.plist")
99 | (subpath "/Library/Fonts")
100 | (subpath "/Library/Audio/Plug-Ins/HAL")
101 | (subpath "/Library/Internet Plug-Ins")
102 | (subpath "/tmp") ; shared temp directories: whatever other programs leave here becomes readable (subject to file permissions)
103 | (subpath "/private/tmp")
104 |
105 | (subpath "/Users/[^.]+/Library/Autosave Information")
106 | (literal "/Users/[^.]+/Library/Logs/CrashReporter")
107 | (literal "/Users/[^.]+/Library/Preferences/pbs.plist")
108 | (literal "/Users/[^.]+/Library/Preferences/com.apple.security.plist")
109 | (regex "^/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist.*$") ; [^.]+ also spans "/"; [^/]+ would limit it to a single user directory
110 | (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$"))
111 |
112 | (allow file-write-data file-write* ; every write operation on these paths
113 | (subpath "/Users/[^.]+/.dvdcss") ; NOTE(review): regex syntax inside `subpath` is compared as-is (also on the next entry); confirm these match anything
114 | (subpath "/Users/[^.]+/Library/Preferences/VLC")
115 | (regex "^/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist.*$") ; lets the app rewrite the user's global preferences; [^.]+ also spans "/", so [^/]+ is the tighter form
116 | (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$")
117 | (regex "^/Users/[^.]+/Library/Preferences/org.videolan.vlc.*$") ; trailing .* accepts any suffix after "org.videolan.vlc"
118 | (subpath "/tmp") ; shared temp directories are writable, so files placed there by other programs are within reach (subject to file permissions)
119 | (subpath "/private/tmp")
120 | (literal "/dev/dtracehelper"))
121 |
122 | (allow ipc-posix-shm) ; no name filter: the rule covers every POSIX shared-memory object
123 |
124 | ;; Almost all mach-lookup is done in common-profile.sb
125 | ;; NOTE(review): this file contains no import of common-profile.sb and lists its Mach services itself in the mach-lookup form further down, so the line above may be stale
126 | (allow process-exec ; only the VLC binary itself may be executed
127 | (literal "/Applications/VLC.app/Contents/MacOS/VLC"))
128 |
129 | (allow process-fork)
130 |
131 | ;; ***
132 | ;; *** YOU MIGHT WANT TO CHANGE THIS TO SOMETHING MORE RESTRICTIVE
133 | ;; ***
134 |
135 | (allow network-inbound (local ip4 "*:*")) ; accepts connections on any local port
136 | (allow network-bind (local ip4 "*:*")) ; may bind any local port
137 | (allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))
138 | (allow network-outbound (remote ip4 "*:*")) ; any IPv4 destination and port: with the read rules above (e.g. /Volumes) the sandbox does not limit where file contents can be sent
139 | (allow network-outbound (remote ip6 "*:*"))
140 |
141 | (allow sysctl-read)
142 | (allow sysctl-write) ; NOTE(review): lets the process change sysctl values (within what its privileges permit); a media player presumably does not need this, so confirm and drop it
143 | (allow system-socket)
144 |
145 | (allow file-ioctl
146 | (literal "/dev/urandom"))
147 |
148 | (allow mach-lookup ; Mach services the process may look up by name; every entry is a service it can talk to, so this list is part of the profile's attack surface
149 | (global-name "com.apple.SystemConfiguration.PPPController")
150 | (global-name "com.apple.SystemConfiguration.configd")
151 | (global-name "com.apple.audio.coreaudiod")
152 | (global-name "com.apple.ocspd")
153 | (global-name "com.apple.pasteboard.1")
154 | (global-name "com.apple.FontObjectsServer")
155 | (global-name "com.apple.windowserver.session")
156 | (global-name "com.apple.windowserver.active")
157 | (global-name "com.apple.system.logger")
158 | (global-name "com.apple.dock.server")
159 | (global-name "com.apple.FontServer")
160 | (global-name "com.apple.CoreServices.coreservicesd")
161 | (global-name "com.apple.SecurityServer")
162 | (global-name "com.apple.distributed_notifications.2")
163 | (global-name "com.apple.metadata.mds")
164 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
165 | (global-name "com.apple.system.DirectoryService.membership_v1")
166 | (global-name "com.apple.system.notification_center")
167 | (global-name "com.apple.tsm.uiserver")
168 | (global-name "com.apple.ocspd") ; from here on the list repeats names already given above; only com.apple.cvmsServ and com.apple.pbs.fetch_services are new. Deduplicating makes the granted set easier to audit
169 | (global-name "com.apple.cvmsServ")
170 | (global-name "com.apple.SystemConfiguration.configd")
171 | (global-name "com.apple.pbs.fetch_services")
172 | (global-name "com.apple.metadata.mds")
173 | (global-name "com.apple.FontServer")
174 | (global-name "com.apple.FontObjectsServer")
175 | (global-name "com.apple.dock.server")
176 | (global-name "com.apple.windowserver.session")
177 | (global-name "com.apple.windowserver.active")
178 | (global-name "com.apple.CoreServices.coreservicesd")
179 | (global-name "com.apple.audio.coreaudiod")
180 | (global-name "com.apple.SecurityServer")
181 | (global-name "com.apple.distributed_notifications.2")
182 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
183 | (global-name "com.apple.system.DirectoryService.membership_v1")
184 | (global-name "com.apple.system.logger")
185 | (global-name "com.apple.system.notification_center"))
186 |
--------------------------------------------------------------------------------
/profiles/firefox-profile-10.5.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:ironfox10.5:Iron Fox 10.5:/Applications/Firefox.app/Contents/MacOS/firefox:
2 | ;; MacOSX Sandbox profile for ironfox
3 | ;;
4 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
5 | ;;
6 | ;; Redistribution and use in source and binary forms, with or without modification, are
7 | ;; permitted provided that the following conditions are met:
8 | ;;
9 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
10 | ;; conditions and the following disclaimer.
11 | ;;
12 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
13 | ;; of conditions and the following disclaimer in the documentation and/or other materials
14 | ;; provided with the distribution.
15 | ;;
16 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
17 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
18 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
19 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
22 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
23 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
24 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 | ;;
26 | ;; The views and conclusions contained in the software and documentation are those of the
27 | ;; authors and should not be interpreted as representing official policies, either expressed
28 | ;; or implied, of Robert Malmgren AB.
29 | ;;
30 | ;; Written by andreas@romab.com
31 | ;; adapted for plugin-system by
32 | ;; rom@romab.com
33 | ;;
34 | (version 1)
35 | ;; ugly hack to 'backport' subpath to 10.5
36 | ;; it sucks, any schemers have any suggestions? :-)
(define (subpath-hack str)
  ;; Returns a copy of `str` in which every regular-expression special
  ;; character is preceded by a backslash, so that a file name can be spliced
  ;; into a (regex ...) filter and still be matched literally.

  ;; The characters that carry special meaning in a regular expression.
  (define regchars "\\[]^.$()|-*+?{}")

  ;; #t when the one-character string `char` occurs anywhere in `str`.
  (define (instr str char)
    (if (equal? 0 (string-length str))
        #f
        (if (equal? char (substring str 0 1))
            #t
            (instr (substring str 1) char))))

  ;; Consume the input one character at a time, building the escaped copy.
  (let sproc ((remaining str) (escaped ""))
    (if (equal? 0 (string-length remaining))
        escaped
        (let ((char (substring remaining 0 1)))
          (sproc (substring remaining 1)
                 (if (instr regchars char)
                     ;; Quote regexp characters so a path containing them
                     ;; cannot change the meaning of the generated pattern.
                     (string-append escaped "\\" char)
                     (string-append escaped char)))))))
66 |
(define (subpath dir)
  ;; Re-implementation of a 10.6-compatible "subpath": matches `dir` itself and
  ;; anything below it. The directory text is escaped first so that it is
  ;; matched literally; the "($|/)" tail stops "/foo" from also matching "/foobar".
  (let ((escaped (subpath-hack dir)))
    (regex (string-append "^" escaped "($|/)"))))
69 |
70 |
;; Log operations that the sandbox denies; useful while tuning the profile.
(debug deny)
;; Default-deny: every operation not explicitly allowed below is refused.
(deny default)

;; NOTE(review): no filter is attached, so outbound connections to any host and
;; port are allowed. Exfiltration over the network is therefore not limited by
;; this profile; only the file rules below bound what can be read.
(allow network-outbound)
75 |
;; Read access to file contents and metadata. `subpath` here is the
;; regex-based replacement defined earlier in this profile.
;; NOTE(review): %%homedir%% and %%tmpdir%% are placeholders. A rule written
;; with them can only match once real paths have been substituted before the
;; profile reaches sandbox-exec — confirm that the launcher does this.
(allow file-read-data file-read-metadata
  (subpath "/Library/Application Support/Mozilla/Extensions")
  (subpath "%%homedir%%/Library/Caches/TemporaryItems")
  (subpath "%%homedir%%/Library/Internet Plug-Ins")
  (subpath "/Library/ColorSync/Profiles/Displays")
  (subpath "/Library/Fonts")
  (literal "/Library")
  (subpath "/Applications/IronFox.app")
  (subpath "/Applications/Firefox.app")
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (subpath "%%homedir%%/Downloads")
  (literal "%%homedir%%/Library")
  (subpath "%%homedir%%/Library/Application Support/Firefox")
  (literal "%%homedir%%/Library/Application Support")
  (literal "%%homedir%%/Library/Caches")
  (subpath "%%homedir%%/Library/Caches/Firefox")
  (literal "/Users")
  (literal "%%homedir%%")
  ;; NOTE(review): there is no trailing "$", so a path that continues after
  ;; ".plist" matches as well.
  (regex "^%%homedir%%/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist")
  (literal "%%homedir%%/Library/Preferences/.GlobalPreferences.plist")
  (literal "%%homedir%%/Library/Preferences/org.mozilla.firefox.plist")
  (literal "%%homedir%%/Library/Preferences/com.apple.internetconfigpriv.plist")
  (literal "%%homedir%%/Library/Preferences/com.apple.LaunchServices.plist")
  (subpath "%%homedir%%/Library/Application Support/Mozilla")
  (literal "/dev/urandom")
  (literal "/usr")
  (literal "/private")
  (subpath "%%tmpdir%%")
  (subpath "/private%%tmpdir%%")
  ; Coarse rules: whole system trees are readable; should be more fine-grained.
  (subpath "/System")
  (subpath "/usr/lib")
  (subpath "/usr/share"))

;; Contents-only read access to a few device nodes and the resource fork of
;; /usr/bin/open.
(allow file-read-data
  (literal "/dev/dtracehelper")
  (literal "/dev/null")
  (literal "/dev/tty")
  (literal "/usr/bin/open/..namedfork/rsrc"))
; Enabling the next line would stop denied metadata reads from being logged.
;(deny file-read-metadata (with no-log))
;; Metadata-only access: these paths can be stat'ed but their contents are not
;; readable through this rule. Several entries repeat paths that the first
;; rule already covers.
(allow file-read-metadata
  (literal "/private/etc/localtime")
  (literal "/")
  (literal "/Applications")
  (literal "/Library")
  (literal "%%homedir%%/Library")
  (literal "%%homedir%%/Library/Application Support")
  (literal "%%homedir%%/Library/Caches")
  (literal "%%homedir%%/Library/PreferencePanes")
  (literal "/Library/Application Support")
  (subpath "/Library/Application Support/Mozilla")
  (literal "/Library/PreferencePanes")
  (subpath "/Library/PreferencePanes/Growl.prefPane")
  (literal "/etc")
  (literal "/usr/bin/open")
  ;; Metadata for the whole Preferences tree, i.e. the names of all of the
  ;; user's preference files are visible even though their contents are not.
  (subpath "%%homedir%%/Library/Preferences")
  (literal "/private/etc/passwd")
  (literal "/tmp")
  (literal "/var"))
136 |
;; Data writes are allowed to two device nodes only.
(allow file-write-data

  (literal "/dev/dtracehelper")
  (literal "/dev/tty"))

; We don't want log entries about .GlobalPreferences; the rule is disabled.
;(deny file-write* (regex "^%%homedir%%/Library/Preferences/\.GlobalPreferences.*$") (with no-log))

;; Full write access (file-write* covers every write operation).
;; NOTE(review): Downloads and the Firefox profile directory are writable, so
;; this profile does not stop the browser from changing its own profile data
;; or from leaving files in Downloads; it limits where else it can write.
(allow file-write*
  (subpath "%%homedir%%/Library/Caches/TemporaryItems")
  (subpath "%%homedir%%/Library/Caches/Firefox")
  (subpath "%%tmpdir%%")
  (subpath "/private%%tmpdir%%")
  (subpath "%%homedir%%/Library/Application Support/Firefox/Crash Reports")
  ;; NOTE(review): the dots are unescaped and ".*" also matches "/", so these
  ;; two patterns cover more than the single preference file they name.
  (regex "^%%homedir%%/Library/Preferences/org.mozilla.firefox.*$")
  (regex "^%%homedir%%/Library/Preferences/.GlobalPreferences.plist\..*$")
  (subpath "%%homedir%%/Downloads")
  (subpath "%%homedir%%/Library/Application Support/Firefox/Profiles"))
155 |
;; POSIX shared memory is allowed without a name filter.
(allow ipc-posix-shm)

;; Mach services the process may look up. Each entry is a channel to a system
;; daemon outside the sandbox, so this list is part of the attack surface.
;; NOTE(review): the pasteboard entries presumably give clipboard access —
;; confirm whether that is wanted for a sandboxed browser.
(allow mach-lookup
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.distributed_notifications.2")
  (global-name "com.apple.dock.server")
  (global-name "com.apple.FontServer")
  (global-name "com.apple.FontObjectsServer")
  (global-name "com.apple.metadata.mds")
  (global-name "com.apple.tsm.uiserver")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.pasteboard.1")
  (global-name "com.apple.windowserver.session")
  (global-name "com.apple.DiskArbitration.diskarbitrationd")
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.pasteboard.666")
  (global-name "com.apple.windowserver.active"))

;; Only these three executables may be started from inside the sandbox.
(allow process-exec
  (literal "/Applications/Firefox.app/Contents/MacOS/firefox-bin")
  ;; nss uses this for random data. probably a bug in nss_lib for ff for mac.
  (literal "/usr/sbin/netstat")
  (literal "/usr/bin/basename"))

;; fork() and reading sysctl values are allowed without restriction.
(allow process-fork)
(allow sysctl-read)
187 |
--------------------------------------------------------------------------------
/buckleup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # Buckle Up
3 | # -----------
4 | # Mac OS X sandboxing helper scripts
5 | # by Arturo Filasto'
6 | #
7 |
8 | import os
9 | import shutil
10 | from optparse import OptionParser
11 | from subprocess import Popen, PIPE
12 |
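class BuckleUp(object):
    """Buckle Up assists in the patching and running of Mac OS X
    applications in a sandboxed environment.

    Constructing an instance runs the whole command-line tool: __init__ ends
    by calling argument_parser(), which dispatches to list/patch/unpatch/run.

    Profile headers are treated as trusted input: the application path taken
    from a header (or from --application) is renamed and overwritten by
    patch() and unpatch().
    """

    def __init__(self):
        """Set up paths, create the config directory on first run, then parse
        the command line."""
        # Debugging
        self.debug = True
        # Where the script looks for sandbox files to be installed. This is
        # relative to the current working directory, so which profiles get
        # applied depends on where the tool is started from.
        self.sb_file_location = os.path.join(os.getcwd(), "profiles/")
        # Where sandbox files are installed to. Patched wrappers point at the
        # copies kept here, so write access to this directory is enough to
        # change the policy a patched application runs under.
        self.bu_dir = os.path.expanduser("~/.buckleup")
        if not os.path.exists(self.bu_dir):
            print("[-] First run, creating buckleup config dir")
            os.mkdir(self.bu_dir)
        # Already parsed sandbox files
        self.sbs = []
        self.app_path = None
        self.argument_parser()

    def parse_sb(self, file):
        """Parse a sandbox file that starts with a Buckle Up header.

        The header is the first line of the file and has the form
            ;:buckleup:<version>:<shortname>:<name>:<app location>:

        Returns False if the file does not start with the magic header or the
        header has too few fields; otherwise a dict with the keys version,
        shortname, name, app_location, file (path of the .sb file),
        patched (True|False) and patch_location (renamed original executable).
        An app location given with --application overrides the header value.
        """
        path = os.path.join(self.sb_file_location, file)
        # Open outside the try block: if open() fails there is nothing to
        # close, and the real IOError reaches the caller.
        f = open(path, 'r')
        try:
            line = f.readline()
        finally:
            f.close()

        if not line.startswith(';:buckleup'):
            return False

        v = line.rstrip("\r\n").split(":")
        if len(v) < 6:
            # Truncated header: treat it like a file without a header instead
            # of failing the whole profile listing with an IndexError.
            return False

        sb = {}
        sb['version'] = v[2]
        sb['shortname'] = v[3]
        sb['name'] = v[4]
        if self.app_path:
            sb['app_location'] = self.app_path
        else:
            sb['app_location'] = v[5]
        sb['file'] = path
        sb['patch_location'] = sb['app_location'] + "-sandboxed"
        # The renamed original next to the wrapper is what marks an app as patched.
        sb['patched'] = os.path.exists(sb['patch_location'])
        return sb

    def unpatch(self, app):
        """Remove a patch from a patched application.

        Looks for <app location>-sandboxed and renames it back over the
        wrapper script. Returns False when no profile named `app` exists.
        """
        print("[-] Removing patch from %s" % app)
        sb = self.get_sb(app)
        # Check to see if the sandboxing profile exists
        if not sb:
            print("[!] Error! sandboxing profile not found. Exiting...")
            return False
        if sb['patched']:
            os.rename(sb['patch_location'], sb['app_location'])
            sb['patched'] = False
            print("[+] Patch removed from %s (%s)" % (sb['name'], sb['patch_location']))
        else:
            print("[!] No patch detected. No changes made to file system. Exiting...")

    def patch(self, app):
        """Replace the application executable with a shell wrapper that starts
        the original (renamed to <name>-sandboxed) under sandbox-exec.

        Returns False when no profile named `app` exists or the wrapper could
        not be written; in the latter case the original executable is put back.
        """
        try:
            from shlex import quote
        except ImportError:  # Python 2
            from pipes import quote
        import sys

        print("[-] Patching %s" % app)
        sb = self.get_sb(app)
        # Check to see if the sandboxing profile exists
        if not sb:
            print("[!] Error! sandboxing profile not found. Exiting...")
            return False

        if sb['patched']:
            print("[!] Application already patched. Try running it!")
            return None

        sb_file_dst = os.path.join(self.bu_dir, os.path.basename(sb['file']))

        if self.debug:
            print("Copying the sandbox profile to home config %s %s" % (sb['file'], sb_file_dst))
        # NOTE(review): the profile is copied verbatim; placeholders such as
        # %%homedir%% used by some profiles are not expanded here — confirm
        # where that substitution is meant to happen.
        shutil.copyfile(sb['file'], sb_file_dst)

        # Both paths end up inside a /bin/sh script, so quote them: an
        # unquoted path containing a space or a shell metacharacter would be
        # split or interpreted by the shell instead of being passed as one argument.
        cmd = "sandbox-exec -f %s %s" % (quote(sb_file_dst), quote(sb['patch_location']))
        if self.debug:
            print("renaming sandbox application to -sandboxed")
        os.rename(sb['app_location'], sb['patch_location'])

        try:
            wrapper = open(sb['app_location'], 'w')
            try:
                wrapper.write("#!/bin/sh\n")
                wrapper.write("# This patch was written by Buckle Up ")
                wrapper.write("v 0.1 (http://github.com/hellais/Buckle-Up/)\n")
                wrapper.write(cmd)
                wrapper.write("\n")
            finally:
                wrapper.close()
            # rwxr-xr-x, applied only to a wrapper that was written completely.
            os.chmod(sb['app_location'], int("755", 8))
        except Exception:
            err = sys.exc_info()[1]
            print("[!] Error in writing patch, reverting %s" % err)
            # Put the original executable back and stop: no success message
            # and no permission change on the restored binary.
            os.rename(sb['patch_location'], sb['app_location'])
            return False

        sb['patched'] = True
        print("[+] Patch successful!")

    def get_sb(self, name):
        """Return the parsed profile whose shortname equals `name`, or None."""
        for sb in self.sb_list():
            if sb['shortname'] == name:
                return sb
        return None

    def sb_list(self):
        """Return the parsed profiles found in the profile directory.

        The result is cached in self.sbs after the first non-empty scan.
        """
        if len(self.sbs) > 0:
            return self.sbs

        profiles = []
        for file in os.listdir(self.sb_file_location):
            if file.endswith(".sb"):
                sb = self.parse_sb(file)
                if sb:
                    profiles.append(sb)
        self.sbs = profiles
        return profiles

    def list(self):
        """Print name, shortname and application path of every profile."""
        print("[-] Listing Buckle Up sandbox profiles...")
        for sb in self.sb_list():
            print(" Name: %s (APP: %s)" % (sb['name'], sb['shortname']))
            print(" App Location: %s\n" % sb['app_location'])

    def run(self, app):
        """Start the application under sandbox-exec and wait for it to exit.

        Uses the profile from the profile directory (not the installed copy)
        and the renamed executable when the application is patched.
        Returns False when no profile named `app` exists.
        """
        print("[-] Running %s" % app)
        sb = self.get_sb(app)

        # Check to see if the sandboxing profile exists
        if not sb:
            print("[!] Error! sandboxing profile not found. Exiting...")
            return False

        if sb['patched']:
            print("[!] Detected a patched version of %s" % app)
            app = sb['patch_location']
        else:
            app = sb['app_location']
        # Argument list, no shell: paths with spaces need no quoting here.
        cmd = ["sandbox-exec", "-f", sb['file'], app]
        print(" launch command %s" % ' '.join(cmd))
        p = Popen(cmd, stdout=PIPE)
        # Drain and discard the child's stdout so it never blocks on a full
        # pipe, then wait for it instead of polling in a tight loop.
        while p.stdout.readline():
            pass
        p.wait()

    def argument_parser(self):
        """Parse the command line and run the first requested action
        (list, patch, unpatch, run); print usage when none is given."""
        description = """Buckle Up!
-------
Mac OS X sandboxing helper scripts
by Arturo Filasto'
"""
        parser = OptionParser()

        parser.add_option("-l", "--list", dest="list", action="store_true",
                          help="list all application profiles")

        parser.add_option("-p", "--patch", dest="patch",
                          help="patch the desired application",
                          metavar="APP")

        parser.add_option("-a", "--application", dest="app",
                          help="explicitly set the application location")

        parser.add_option("-u", "--unpatch", dest="unpatch",
                          help="remove patch from the desired application",
                          metavar="APP")

        parser.add_option("-r", "--run", dest="run",
                          help="run the desired application in sandbox",
                          metavar="APP")

        (o, args) = parser.parse_args()

        # Must be set before any action runs: parse_sb() reads it.
        if o.app:
            self.app_path = o.app

        if o.list:
            self.list()

        elif o.patch:
            self.patch(o.patch)

        elif o.unpatch:
            self.unpatch(o.unpatch)

        elif o.run:
            self.run(o.run)

        else:
            print(description)
            parser.print_help()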
218 |
if __name__ == "__main__":
    # Instantiating BuckleUp runs the whole CLI: __init__ ends by calling
    # argument_parser(), which parses the options and performs the action.
    b = BuckleUp()
221 |
222 |
223 |
--------------------------------------------------------------------------------
/profiles/Tweetdeck-profile.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:tweetdeck:Tweetdeck:/Applications/TweetDeck.app/Contents/MacOS/TweetDeck:
2 | ;;
3 | ;; MacOSX Sandbox profile for the Tweetdeck twitter client
4 | ;;
5 | ;; Copyright 2010 Robert Malmgren AB. All rights reserved.
6 | ;;
7 | ;; Redistribution and use in source and binary forms, with or without modification, are
8 | ;; permitted provided that the following conditions are met:
9 | ;;
10 | ;; 1. Redistributions of source code must retain the above copyright notice, this list of
11 | ;; conditions and the following disclaimer.
12 | ;;
13 | ;; 2. Redistributions in binary form must reproduce the above copyright notice, this list
14 | ;; of conditions and the following disclaimer in the documentation and/or other materials
15 | ;; provided with the distribution.
16 | ;;
17 | ;; THIS SOFTWARE IS PROVIDED BY Robert Malmgren AB ``AS IS'' AND ANY EXPRESS OR IMPLIED
18 | ;; WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
19 | ;; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OR
20 | ;; CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | ;; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 | ;; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
23 | ;; ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
24 | ;; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
25 | ;; ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 | ;;
27 | ;; The views and conclusions contained in the software and documentation are those of the
28 | ;; authors and should not be interpreted as representing official policies, either expressed
29 | ;; or implied, of Robert Malmgren AB.
30 | ;;
31 | ;;
32 | ;;
33 |
(version 1)

;; Default-deny: every operation not explicitly allowed below is refused.
(deny default)
;; Log operations that the sandbox denies; useful while tuning the profile.
(debug deny)

;; ioctl is allowed on the dtrace helper device only.
(allow file-ioctl
  (literal "/dev/dtracehelper"))
41 |
;; Files whose contents may be read.
;; NOTE(review): `literal` and `subpath` compare plain path text, not a
;; pattern. The entries below that contain "[^.]+" can therefore only match a
;; path with those characters in it verbatim, so they are presumably dead
;; rules; the `regex` entries in this list show the form they would need.
;; Confirm against the denial log before changing them. Note also that
;; "[^.]+" in the regex entries matches "/" as well, so it is not confined to
;; a single user-name component.
(allow file-read-data
  (subpath "/Applications/TweetDeck.app")
  (literal "/Library/Keychains/System.keychain")
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (literal "/Library/Preferences/com.apple.HIToolbox.plist")
  (literal "/Library/Audio/Plug-Ins/HAL")
  (subpath "/Library/Frameworks/Adobe AIR.framework")
  (subpath "/Library/Fonts")
  (literal "/Users")
  (literal "/Users/[^.]+")
  (regex "^/Users/[^.]+/Library/Caches/TweetDeckFast.*$")
  (literal "/Users/[^.]+/Library/Cookies/Cookies.plist")
  (literal "/Users/[^.]+/Library/Keychains/Microsoft_Intermediate_Certificates")
  ;; The login keychain file is intended to be readable here; its items are
  ;; still mediated by the keychain services, but treat this entry as sensitive.
  (literal "/Users/[^.]+/Library/Keychains/login.keychain")
  (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
  (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.LaunchServices.plist")
  (literal "/Users/[^.]+/Library/Preferences/QuickTime Preferences")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.security.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.security.revocation.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.DownloadAssessment.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.WebFoundation.plist")
  (subpath "/Users/[^.]+/Library/Preferences/Macromedia")
  (regex "^/Users/[^.]+/Library/Preferences/TweetDeckFast.*$")
  (regex "^/Users/[^.]+/Library/Preferences/ByHost/com.apple.HIToolbox.*$")
  (subpath "/Users/[^.]+/Library/Keyboard Layouts")
  (subpath "/Users/[^.]+/Library/Input Methods")
  (subpath "/Users/[^.]+/Library/Application Support/Adobe")
  (subpath "/Users/[^.]+/Library/Caches/Adobe")
  (literal "/Users/[^.]+/Sandboxes")
  (literal "/dev/dtracehelper")
  (literal "/dev/null")
  (literal "/dev/urandom")
  (literal "/dev/random")
  (literal "/usr/bin")
  (literal "/usr/bin/open")
  (literal "/usr/bin/open/..namedfork/rsrc")
  (literal "/private/etc/localtime")
  (literal "/private/var/db/mds/system/mdsObject.db")
  (literal "/private/var/db/mds/system/mdsDirectory.db")
  (literal "/private/var/db/mds/messages/se_SecurityMessages")
  ;; Shared temporary directories are readable in full.
  (subpath "/tmp")
  (subpath "/private/tmp")
  ;; NOTE(review): "Fm" looks like one machine's per-user folder name —
  ;; presumably it differs on other systems; confirm.
  (subpath "/private/var/folders/Fm")
  (subpath "/usr/share")
  (subpath "/usr/lib")
  (subpath "/System"))

;; Extended attributes may be read below the Adobe AIR support directory.
;; NOTE(review): same "[^.]+" inside `subpath` issue as described above.
(allow file-read-xattr
  (subpath "/Users/[^.]+/Library/Application Support/Adobe/AIR"))
92 |
;; Paths whose metadata may be read (stat), without access to contents.
;; NOTE(review): `literal` and `subpath` compare plain path text, so the
;; entries written with "[^.]+" presumably never match a real home directory;
;; only the `regex` entries interpret that pattern — confirm.
(allow file-read-metadata
  (literal "/")
  (literal "/Applications")
  (subpath "/Applications/TweetDeck.app")
  (literal "/Applications/Utilities")
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (subpath "/Library/Frameworks/Adobe AIR.framework")
  (regex "^/Library/Preferences/com.apple.HIToolbox.*$")
  (literal "/private/etc/localtime")
  (literal "/Network")
  (literal "/Library")
  (subpath "/Library/Application Support")
  (subpath "/Library/Components")
  (literal "/Library/Frameworks")
  (subpath "/Library/Fonts")
  (subpath "/Library/Keyboard Layouts")
  (subpath "/Library/Input Methods")
  (literal "/Users")
  (literal "/Users/[^.]+")
  (literal "/Users/[^.]+/Library")
  (literal "/Users/[^.]+/Library/Caches")
  (subpath "/Users/[^.]+/Library/Caches/Adobe")
  ;; NOTE(review): unlike the other patterns this one has no leading "^", so
  ;; it matches the text anywhere in a path, not only at the start.
  (regex "/Users/[^.]+/Library/Caches/TweetDeckFast.*$")
  (literal "/Users/[^.]+/Library/Preferences")
  (subpath "/Users/[^.]+/Library/Preferences/Macromedia")
  (regex "^/Users/[^.]+/Library/Preferences/TweetDeckFast.*$")
  (literal "/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
  (regex "^/Users/[^.]+/Library/Preferences/ByHost/.GlobalPreferences.*$")
  (literal "/Users/[^.]+/Library/Preferences/ByHost")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.LaunchServices.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.security.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.security.revocation.plist")
  (literal "/Users/[^.]+/Library/Preferences/com.apple.WebFoundation.plist")
  (literal "/Users/[^.]+/Library/Preferences/QuickTime Preferences")
  (subpath "/Users/[^.]+/Library/Audio")
  (subpath "/Users/[^.]+/Library/Keyboard Layouts")
  (subpath "/Users/[^.]+/Library/Input Methods")
  (subpath "/Users/[^.]+/Library/Application Support")
  (subpath "/Users/[^.]+/Library/Autosave Information")
  (regex "^/Users/[^.]+/Library/Preferences/ByHost/com.apple.HIToolbox.*$")
  (literal "/Users/[^.]+/Sandboxes")
  (literal "/etc")
  (literal "/var")
  (literal "/tmp")
  (literal "/usr/bin")
  (literal "/usr/bin/open")
  (literal "/private/var/db/.AppleSetupDone")
  (literal "/private/var/db/mds/system/mdsObject.db")
  (subpath "/private/var/folders/Fm")
  (subpath "/System")
  (subpath "/usr/share")
  (subpath "/tmp")
  (subpath "/private/tmp")
  (subpath "/usr/lib"))
147 |
;; Data writes are allowed to the dtrace helper device only.
(allow file-write-data
  (literal "/dev/dtracehelper"))

;; Full write access (file-write* covers every write operation).
;; NOTE(review): the whole of /private/var/folders is writable, which is wider
;; than the single "Fm" folder named on the line before it, and the shared
;; /tmp trees are writable too. The two `literal` entries containing "[^.]+"
;; are compared as plain text and presumably never match — confirm.
(allow file-write*
  (subpath "/var/folders/Fm")
  (subpath "/private/var/folders")
  (subpath "/tmp")
  (subpath "/private/tmp")
  (regex "^/Users/[^.]+/Library/Caches/TweetDeckFast.*$")
  (literal "/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#Security/FlashPlayerTrust/air.1.0.trust.cfg")
  (regex "^/Users/[^.]+/Library/Preferences/TweetDeckFast.*$")
  (literal "/Users/[^.]+/Library/Cookies/Cookies.plist")
  (regex "^/Users/[^.]+/Library/Cookies/Cookies.plist_tmp_.*$")
  (regex "^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS/TweetDeckFast.*$")
  (regex "^/Users/[^.]+/Library/Preferences/ByHost/com.apple.HIToolbox.*$"))
163 |
;; Shared memory and semaphores are allowed without name filters.
(allow ipc-posix-shm)
(allow ipc-posix-sem)
(allow ipc-sysv-shm)

;; Outbound TCP is limited by port only: any host is reachable on 443 and 80.
(allow system-socket)
(allow network-outbound (remote tcp "*:443" )) ;; Twitter messages
(allow network-outbound (remote tcp "*:80" )) ;; Twitter pictures + "Twitter recommends messages"
;; Local socket of mDNSResponder, presumably needed for name resolution.
(allow network-outbound
  (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))

;; Mach services the process may look up. Each entry is a channel to a system
;; daemon outside the sandbox, so this list is part of the attack surface.
(allow mach-lookup
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.audio.coreaudiod")
  (global-name "com.apple.ocspd")
  (global-name "com.apple.pasteboard.1")
  (global-name "com.apple.FontObjectsServer")
  (global-name "com.apple.FontServer")
  (global-name "com.apple.tsm.uiserver")
  (global-name "com.apple.windowserver.session")
  (global-name "com.apple.windowserver.active")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.dock.server")
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.distributed_notifications.2")
  (global-name "com.apple.metadata.mds")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.system.notification_center")
)

;; Only the application's own executable may be started.
(allow process-exec
  ;; Different versions of Tweetdeck seem to have different spelling of the DECK part...
  (regex "^/Applications/TweetDeck.app/Contents/MacOS/Tweet[Dd]eck$"))

;; NOTE(review): job-creation is allowed without a filter — confirm it is needed.
(allow job-creation)

(allow sysctl-read)
202 |
--------------------------------------------------------------------------------
/profiles/Skype.sb:
--------------------------------------------------------------------------------
1 | ;:buckleup:0.1:skype:Skype (broken) only port 80 profile:/Applications/Skype.app/Contents/MacOS/Skype:
2 | ;WARNING! This Skype profile is currently broken. I am just uploading it so that somebody can play with
3 | ;it and hopefully figure out what is wrong.
4 |
(version 1)

;; Default-deny: every operation not explicitly allowed below is refused.
(deny default)
;; NOTE(review): this asks for logging of allowed operations rather than of
;; denials; for finding out why a profile is broken, logging denials is
;; presumably the more useful setting — confirm.
(debug allow)

;; Apple events may be sent to the Growl helper only.
(allow appleevent-send
  (appleevent-destination "com.Growl.GrowlHelperApp"))

(allow file-ioctl
  (literal "/dev/dtracehelper"))

;; NOTE(review): the file name embeds what look like a process id and a UUID
;; captured from a single run, so this pattern presumably does not match on
;; later runs — confirm.
(allow file-issue-extension
  (regex #"^/private/var/folders/[^/]+/[^/]+/T/Skype-18493-0CCD7C71-53E7-4D4B-A925-6C2CEA228CAE\.growlRegDict$"))
18 |
;; Everything that may be read (file-read* covers contents and metadata).
;; NOTE(review), applying to the regex entries in this list:
;;  - In a pattern ending in "/*" the "*" repeats the slash; it is not a
;;    wildcard. With no "$" at the end the pattern is a prefix match, so such
;;    an entry covers every path that starts with the text before "/*".
;;  - "[^.]+" matches "/" as well, so it is not confined to one user name.
;;  - Unescaped "." matches any character.
;;  - Several entries are specific to one machine (cache UUIDs, "/Users/y",
;;    a saved window file) and presumably need generalizing.
(allow file-read*
  (literal "/Applications/Skype.app")
  (literal "/Applications/Skype.app/Contents")

  (regex #"^/Applications/Skype.app/Contents/Frameworks/Growl.framework/*")
  (regex #"^/Applications/Skype.app/Contents/Frameworks/Skype.framework/*")
  (literal "/Applications/Skype.app/Contents/Info.plist")
  (literal "/Applications/Skype.app/Contents/MacOS/")
  (literal "/Applications/Skype.app/Contents/MacOS/Skype")
  (literal "/Applications/Skype.app/Contents/PkgInfo")
  (regex
    #"^/Applications/Skype.app/Contents/Resources/*"
  )

  (regex
    #"^/Library/Application Support/ProApps/SharedA/Frameworks/"
  )
  (literal "/Library/Audio/Plug-Ins/HAL")
  (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin")
  (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin/Contents")
  (literal "/Library/Audio/Plug-Ins/HAL/DVCPROHDAudio.plugin/Contents/Info.plist")
  (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin")
  (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents")
  (literal "/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin/Contents/Info.plist")
  ;; Machine-specific GPU cache entries.
  (literal "/Library/Caches/com.nvidia.OpenGL")
  (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572")
  (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23")
  (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23/31534A5A-BB34-CB61-4E72-89E14E8545C8.bin")
  (literal "/Library/Caches/com.nvidia.OpenGL/1570AD94-BFF7-3660-A6C5-64F3004B2572/A0A341DD4F718E23/31534A5A-BB34-CB61-4E72-89E14E8545C8.toc")
  (literal "/Library/Caches/com.nvidia.OpenGL/F5C45580-0C5E-372B-946A-7F44E25BC8A0")
  (literal "/Library/Caches/com.nvidia.OpenGL/F5C45580-0C5E-372B-946A-7F44E25BC8A0/A0A341DD4F718E23")
  (literal "/Library/Fonts/Arial Bold.ttf")
  (literal "/Library/Fonts/Arial.ttf")
  (regex #"^/Library/Frameworks/Motion.framework/*")
  (literal "/Library/Internet Plug-Ins")
  (literal "/Library/Internet Plug-Ins/Flash Player.plugin")
  (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents")
  (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist")
  (literal "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/MacOS/Flash Player")
  (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin")
  (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents")
  (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents/Info.plist")
  (literal "/Library/Internet Plug-Ins/Quartz Composer.webplugin/Contents/MacOS/Quartz Composer")
  (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin")
  (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents")
  (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/Info.plist")
  (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/MacOS/QuickTime Plugin")
  (literal "/Library/Internet Plug-Ins/QuickTime Plugin.plugin/Contents/PkgInfo")
  (literal "/Library/Keychains/System.keychain")
  (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app")
  (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents")
  (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/Info.plist")
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (literal "/Library/QuickTime/DVCPROHDMuxer.component")
  (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents")
  (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents/Info.plist")
  (literal "/Library/QuickTime/DVCPROHDMuxer.component/Contents/MacOS/DVCPROHDMuxer")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Info.plist")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/MacOS/DVCPROHDVideoDigitizer")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Resources")
  (literal "/Library/QuickTime/DVCPROHDVideoDigitizer.component/Contents/Resources/DVCPROHDVideoDigitizer.rsrc")
  (literal "/Library/QuickTime/LiveType.component")
  (literal "/Library/QuickTime/LiveType.component/Contents")
  (literal "/Library/QuickTime/LiveType.component/Contents/Info.plist")
  (literal "/Library/QuickTime/LiveType.component/Contents/MacOS/LiveType")
  (literal "/Library/QuickTime/Motion.component")
  (literal "/Library/QuickTime/Motion.component/Contents")
  (literal "/Library/QuickTime/Motion.component/Contents/Info.plist")
  (literal "/Library/QuickTime/Motion.component/Contents/MacOS/Motion")
  ;; Address Book data: the contact database itself is readable.
  (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/.database.lockN")
  (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/AddressBook-v22.abcddb")
  (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Configuration.plist")
  (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.MetaData.lock")
  (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.info")
  ;; NOTE(review): this names another application's (TweetDeck) encrypted
  ;; local store; it looks like a leftover from a captured trace — confirm
  ;; Skype needs it, otherwise it should go.
  (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS/TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1/PrivateEncryptedDatak")
  (regex #"^/Users/[^.]+/Library/Application Support/Skype/*")
  (regex #"^/Users/[^.]+/Library/Application Support/CrashReporter/Skype*")
  (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype")
  (regex #"^/Users/[^.]+/Library/Input Methods")
  (regex #"^/Users/[^.]+/Library/Internet Plug-Ins")
  (regex #"^/Users/[^.]+/Library/Keyboard Layouts")
  ;; NOTE(review): as a prefix match this makes every file under the user's
  ;; Keychains directory readable; narrow it to the files actually required.
  (regex #"^/Users/[^.]+/Library/Keychains/*")
  (regex #"^/Users/[^.]+/Library/Preferences/.GlobalPreferences.plist")
  (regex #"^/Users/[^.]+/Library/Preferences/ByHost/*")
  (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects")
  (regex #"^/Users/[^.]+/Library/Preferences/QuickTime Preferences")
  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.AddressBook.plist")
  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.quicktime.plugin.preferences.plist")
  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.security.plist")
  (regex #"^/Users/[^.]+/Library/Preferences/com.apple.universalaccess.plist")
  (regex #"^/Users/[^.]+/Library/Preferences/pbs.plist")
  (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState")
  (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/data.data")
  (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/window_5.data")
  (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/windows.plist")
  (literal "/dev/dtracehelper")
  (literal "/dev/random")
  (literal "/dev/urandom")

  (literal "/private/var/db/mds/messages/se_SecurityMessages")
  (literal "/private/var/db/mds/system/mdsDirectory.db")
  (literal "/private/var/db/mds/system/mdsObject.db")
  ;; NOTE(review): hard-coded to the home directory of a user named "y".
  (regex #"^/Users/y/Library/Preferences/com\.skype\.skype\.plist(\.[^/]+)?$")
  (regex #"^/private/var/folders/[^/]+/[^/]+/C/com\.apple\.scriptmanager\.le\.cache$")
  (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
  (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
  (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
  (subpath "/System")
  (subpath "/usr/lib")
  (subpath "/usr/share")
  ;; NOTE(review): "/*." here means "any number of slashes, then one
  ;; character", so this does not match a name such as
  ;; "T/Skype-<id>.growlRegDict"; presumably "T/[^/]*\.growlRegDict$" was
  ;; intended — confirm.
  (regex #"^/private/var/folders/[^/]+/[^/]+/T/*.growlRegDict$")
)
133 |
134 | (allow file-read-metadata ; Metadata-only lookups for the paths below; this operation does not by itself grant reading file contents.
135 | (literal "/")
136 | (literal "/Applications")
137 | (literal "/Applications/Growl.app")
138 | (literal "/Applications/Growl.app/Contents/MacOS/Growl")
139 | (literal "/Applications/Skype.app/Contents/MacOS")
140 | (literal "/Applications/Skype.app/Contents/Frameworks")
141 | (literal "/Applications/Utilities")
142 | (literal "/Library")
143 | (literal "/Library/Application Support")
144 | (regex #"^/Library/Application Support/ProApps/*") ; in a regex `/*` is "zero or more slashes", not a glob; with no `$` this acts as a prefix match on .../ProApps
145 | (literal "/Library/Caches")
146 | (regex
147 | #"^/Library/Caches/com.nvidia.OpenGL/"
148 | )
149 | (literal "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin")
150 | (literal "/Library/Internet Plug-Ins/flashplayer.xpt")
151 | (literal "/Library/Internet Plug-Ins/nsIQTScriptablePlugin.xpt")
152 | (literal "/Library/Keychains")
153 | (literal "/Library/PreferencePanes")
154 | (literal "/Library/PreferencePanes/Growl.prefPane")
155 | (literal "/Library/PreferencePanes/Growl.prefPane/Contents")
156 | (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources")
157 | (literal "/Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app/Contents/MacOS/GrowlHelperApp")
158 | (literal "/Library/Security/Trust Settings/Admin.plist")
159 | (literal "/Network")
160 | (literal "/Users")
161 | (regex #"^/Users/[^.]+") ; NOTE(review): no `$` anchor and `[^.]+` also matches `/`, so this appears to cover metadata for nearly every path under /Users, making the narrower /Users rules below redundant; account names containing a dot would not match - confirm intent
162 | (regex #"^/Users/[^.]+/Downloads/*")
163 | (regex #"^/Users/[^.]+/Library")
164 | (regex #"^/Users/[^.]+/Library/Address Book Plug-Ins/SkypeABDialer.bundle")
165 | (regex #"^/Users/[^.]+/Library/Address Book Plug-Ins/SkypeABSMS.bundle")
166 | (regex #"^/Users/[^.]+/Library/Application Support")
167 | (regex #"^/Users/[^.]+/Library/Application Support/AddressBook")
168 | (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata")
169 | (regex #"^/Users/[^.]+/Library/Application Support/Adobe")
170 | (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR")
171 | (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS")
172 | (regex #"^/Users/[^.]+/Library/Application Support/Adobe/AIR/ELS/TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1") ; NOTE(review): a TweetDeck path in a Skype profile - presumably carried over from another trace; confirm it is needed
173 | (regex #"^/Users/[^.]+/Library/Application Support/Skype/")
174 | (regex #"^/Users/[^.]+/Library/Audio/Plug-Ins/Components")
175 | (regex #"^/Users/[^.]+/Library/Autosave Information")
176 | (regex #"^/Users/[^.]+/Library/Caches/*")
177 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/SkypeIndexCaches")
178 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl")
179 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/hellais/SKAvatarCache") ; `hellais` is a hard-coded name from the traced account; other accounts will not match this rule
180 | (regex #"^/Users/[^.]+/Library/Keychains/*") ; metadata for everything under the user's Keychains directory
181 | (regex #"^/Users/[^.]+/Library/Preferences")
182 | (regex #"^/Users/[^.]+/Library/Preferences/ByHost")
183 | (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ") ; `9QYSRLPJ` looks like a per-installation directory name - TODO confirm; it will differ on other machines
184 | (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com")
185 | (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com/#ui")
186 | (regex #"^/Users/[^.]+/Library/Preferences/Macromedia/Flash Player/#SharedObjects/9QYSRLPJ/skype.com/#ui/preferences.sol")
187 | (regex #"^/Users/[^.]+/Library/Preferences/com.skype.skype.plist") ; unescaped `.` matches any character, so this is looser than the literal file name
188 | (regex #"^/Users/[^.]+/Library/Preferences/com.apple.ServicesMenu.Services.plist")
189 | (regex #"^/Users/[^.]+/Library/QuickTime")
190 |
191 | (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/restorecount.txt")
192 | (literal "/etc")
193 | (literal "/private")
194 | (literal "/private/etc/localtime")
195 | (literal "/private/var")
196 | (literal "/private/var/db/.AppleSetupDone")
197 | (literal "/private/var/folders")
198 | (literal "/private/var/folders/th") ; `th/ftm_...` is the temp bucket of the machine this profile was traced on; not portable
199 | (literal "/private/var/folders/th/ftm_xkbs68s6vkxhg6wdyjbc0000gn")
200 | (literal "/private/var/run/systemkeychaincheck.done")
201 | (literal "/usr")
202 | (literal "/usr/bin/atos")
203 | (literal "/var")
204 | (regex "^/private/var/folders/[^/]+/[^/]+/C$") ; NOTE(review): plain string here, while the other rules use the `#"..."` regex literal - confirm both forms are parsed the same way
205 | (regex "^/private/var/folders/[^/]+/[^/]+/C/mds$")
206 | (regex #"^/private/var/folders/*") ; prefix match on all of /private/var/folders; the more specific folders rules above add nothing beyond it
207 | )
208 | (allow file-issue-extension ; Lets the process issue sandbox extensions for the paths matched below.
209 | (regex #"^/private/var/folders/*") ; `/*` is "zero or more slashes" and there is no `$`, so this is a prefix match on all of /private/var/folders - NOTE(review): confirm such a wide scope is needed
210 | )
211 |
212 | (allow file-write* ; Write access (every file-write sub-operation) for the paths matched below.
213 | (regex #"^/Library/Caches/com.nvidia.OpenGL/*")
214 | (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/.database.lockN")
215 | (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/AddressBook-v22.abcddb") ; NOTE(review): write access to the user's Address Book database - confirm Skype needs more than read here
216 | (regex #"^/Users/[^.]+/Library/Application Support/AddressBook/Metadata/.info")
217 | (regex #"^/Users/[^.]+/Library/Application Support/Skype/*")
218 | (regex #"^/Users/[^.]+/Library/Preferences/com.skype.skype*") ; `*` applies only to the final `e`; with no `$` this matches any Preferences path starting with `com.skype.skyp` (dots unescaped)
219 | (regex #"^/Users/[^.]+/Library/Preferences/ByHost/*") ; NOTE(review): writable prefix covers every application's ByHost preferences, not only Skype's
220 | ; XXX fix this regex: `/*` matches slashes and the unescaped `.` matches any character, so the pattern below is not the glob it looks like
221 | ;(regex #"^/private/var/folders/th/*.growlRegDict$")
222 | (regex #"^/private/var/folders/th/*") ; stand-in for the rule above: writes anywhere under the `th` bucket, which is specific to the traced machine. A tighter candidate, untested: ^/private/var/folders/[^/]+/[^/]+/T/[^/]+\.growlRegDict$
223 | (regex #"^/Users/[^.]+/Library/Saved Application State/com.skype.skype.savedState/*")
224 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/Cache.db")
225 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl/com.apple.ocl.32.data")
226 | (regex #"^/Users/[^.]+/Library/Caches/com.skype.skype/com.apple.opencl/com.apple.ocl.32.maps")
227 | (literal "/dev/dtracehelper")
228 | ; To allow downloads (received files are written under ~/Downloads)
229 | (regex #"^/Users/[^.]+/Downloads/*") ; prefix match: any path under Downloads is writable, including existing files
230 | (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
231 | )
232 |
233 | (allow iokit-open ; IOKit user-client classes the process may open; presumably the set seen in the trace this profile came from.
234 | (iokit-user-client-class "AGPMClient")
235 | (iokit-user-client-class "IOAudioControlUserClient")
236 | (iokit-user-client-class "IOAudioEngineUserClient")
237 | (iokit-user-client-class "IOBluetoothHCIUserClient") ; NOTE(review): Bluetooth controller access - presumably for headsets; confirm it is required
238 | (iokit-user-client-class "IOFramebufferSharedUserClient")
239 | (iokit-user-client-class "IOHIDParamUserClient")
240 | (iokit-user-client-class "IOUSBDeviceUserClientV2") ; NOTE(review): the USB classes are not limited to a device type here - presumably for webcams/headsets; confirm
241 | (iokit-user-client-class "IOUSBInterfaceUserClientV2")
242 | (iokit-user-client-class "RootDomainUserClient")
243 | (iokit-user-client-class "nvDevice") ; the `nv*` classes look tied to the traced machine's NVIDIA GPU; other hardware will need different entries
244 | (iokit-user-client-class "nvTeslaGLContext")
245 | )
246 |
247 | (allow ipc-posix-shm ; POSIX shared-memory objects the process may use, matched by exact name.
248 | (ipc-posix-name "/tmp/com.apple.csseed.62") ; NOTE(review): names with embedded numbers (here, `...0501`, `ls.62...`) look session- or user-specific values captured from one trace; verify they match on other logins and machines
249 | (ipc-posix-name "CFPBS:DD:")
250 | (ipc-posix-name "FNetwork.defaultStorageSession")
251 | (ipc-posix-name "_00D0000000501")
252 | (ipc-posix-name "_CGM0000000501")
253 | (ipc-posix-name "_CSGENGPROFILE")
254 | (ipc-posix-name "_CSGENRPROFILE")
255 | (ipc-posix-name "_CS_DSHMEMLOCK")
256 | (ipc-posix-name "_CS_GSHMEMLOCK")
257 | (ipc-posix-name "apple.shm.notification_center")
258 | (ipc-posix-name "com.apple.AppleDatabaseChanged")
259 | (ipc-posix-name "ls.62.186a5.643c9869")
260 | )
261 |
262 | (allow mach-lookup ; Mach services the process may look up, by global name. Each entry is a channel out of the sandbox, so keep the list minimal.
263 | (global-name "com.apple.CoreServices.coreservicesd")
264 | (global-name "com.apple.FontObjectsServer")
265 | (global-name "com.apple.FontServer")
266 | (global-name "com.apple.inputmethodkit.launchagent")
267 | (global-name "com.apple.inputmethodkit.launcher")
268 | (global-name "Multilingual (Apple)_OpenStep")
269 | (global-name "com_apple_palette_pressandhold_connection")
270 |
271 | (global-name "com.apple.pbs.fetch_services")
272 |
273 | (global-name "com.apple.SecurityServer") ; NOTE(review): with the Keychains file rules elsewhere in this profile this appears to permit keychain use - confirm the app needs it
274 | (global-name "com.apple.SystemConfiguration.configd")
275 | (global-name "com.apple.audio.audiohald")
276 | (global-name "com.apple.audio.coreaudiod")
277 | (global-name "com.apple.cmio.VDCAssistant") ; presumably the camera assistant used for video calls - TODO confirm
278 | (global-name "com.apple.cookied")
279 | (global-name "com.apple.cvmsServ")
280 | (global-name "com.apple.decalog4.incoming")
281 | (global-name "com.apple.distributed_notifications@Uv3")
282 | (global-name "com.apple.dock.server")
283 | (global-name "com.apple.ls.boxd")
284 | (global-name "com.apple.ocspd")
285 | (global-name "com.apple.pasteboard.1") ; NOTE(review): pasteboard service - clipboard contents cross the sandbox boundary through this
286 | (global-name "com.apple.quicklook.ui.helper.active")
287 | (global-name "com.apple.system.DirectoryService.libinfo_v1")
288 | (global-name "com.apple.system.DirectoryService.membership_v1")
289 | (global-name "com.apple.system.logger")
290 | (global-name "com.apple.system.notification_center")
291 | (global-name "com.apple.system.opendirectoryd.api")
292 | (global-name "com.apple.tsm.uiserver")
293 | (global-name "com.apple.window_proxies")
294 | (global-name "com.apple.windowserver.active")
295 | (global-name "com.skype.skype.ServiceProvider")
296 | )
297 |
298 | (allow network-inbound ; Local endpoints on which the process may accept inbound traffic.
299 | (local udp "localhost:*") ; any UDP port, loopback only
300 | (local tcp "*:80") ; port 80 on every interface - NOTE(review): confirm the app really needs to accept connections from the network
301 | (local udp "*:80")
302 | )
303 |
304 | (allow network-outbound ; Destinations the process may connect or send to.
305 | (literal "/private/var/run/mDNSResponder") ; a filesystem path - presumably the local socket used for name resolution
306 | (remote tcp "*:80") ; any host, port 80 only. NOTE(review): nothing in this block permits port 443, so TLS traffic depends on rules outside it - verify
307 | (remote udp "*:80")
308 | (remote udp "localhost:*")
309 | )
310 |
311 | (allow process-exec ; The only executable this rule lets the process exec is the Skype binary itself.
312 | (literal "/Applications/Skype.app/Contents/MacOS/Skype") ; exact path; an install in another location will not match
313 | )
314 |
315 | (allow sysctl-read) ; no filter: every sysctl value is readable (read-only; no sysctl write is granted here)
316 |
317 | (allow system-socket) ; no filter: the operation is allowed unconditionally - NOTE(review): confirm the app needs it, and drop the rule if the trace does not show it
318 |
--------------------------------------------------------------------------------