;; Copyright (c) 2008 Apple Inc. All Rights reserved.
;;
;; sshd - profile for privilege separated children
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;
;; Sandbox profile (SBPL) applied to sshd's privilege-separated child
;; processes. The policy is default-deny: only the operations listed below
;; with (allow ...) are permitted. Rules are evaluated in order, so the
;; placement of the early (deny file-read* ...) rule relative to the later
;; per-path allows matters; NOTE(review): this assumes the later, more
;; specific allow rules take precedence over the earlier deny for the same
;; paths - confirm against the SBPL matching semantics before reordering.

;; Profile language version.
(version 1)

;; Everything not explicitly allowed below is denied.
(deny default)

;; Pull in the shared base rules from the system profile.
(import "system.sb")

;; Deny reads of the filesystem root itself and of the whole /dev subtree,
;; and suppress log entries for those denials (with no-log). Specific /dev
;; entries the child needs are re-allowed individually further down.
(deny file-read* (literal "/") (subpath "/dev") (with no-log))

;; Permit the chroot operation; presumably used by the privilege-separated
;; child to confine itself (target directory not specified here).
(allow file-chroot)

;; Metadata (stat-style) reads of /var only, not its contents.
(allow file-read-metadata (literal "/var"))

;; Sending signals.
(allow signal)

;; Reading sysctl values.
(allow sysctl-read)

;; Submitting audit records to the system audit subsystem.
(allow system-audit)

;; Read access to the /dev directory entry itself (the subtree stays denied).
(allow file-read* (literal "/dev"))

;; Read access to the kernel random source.
(allow file-read* (literal "/dev/urandom"))

;; Read/write access to the null device.
(allow file-read* file-write* (literal "/dev/null"))

;; Read/write access to the utmpx login-accounting file.
(allow file-read* file-write* (literal "/private/var/run/utmpx"))

;; Pseudo-terminal master device, including ioctl (pty allocation).
(allow file-read* file-write* file-ioctl (literal "/dev/ptmx"))

;; Pseudo-terminal slave devices: any path beginning with /dev/ttys,
;; including ioctl.
(allow file-read* file-write* file-ioctl (regex #"^/dev/ttys"))

;; Read access to the Apple System Log directory /private/var/log/asl and
;; everything beneath it (the regex matches the directory itself or any
;; path under it).
(allow file-read* (regex #"^/private/var/log/asl(/|$)"))

;; Mach services the child may look up: directory/identity lookups
;; (DirectoryService, libinfo, membership), the system logger, and the
;; notification center.
(allow mach-lookup
       (global-name "com.apple.DirectoryService")
       (global-name "com.apple.system.DirectoryService.libinfo_v1")
       (global-name "com.apple.system.DirectoryService.membership_v1")
       (global-name "com.apple.system.logger")
       (global-name "com.apple.system.notification_center"))