;; ;; ntpd - sandbox profile ;; Copyright (c) 2006-2009 Apple Inc. All Rights reserved. ;; ;; WARNING: The sandbox rules in this file currently constitute ;; Apple System Private Interface and are subject to change at any time and ;; without notice. The contents of this file are also auto-generated and not ;; user editable; it may be overwritten at any time. ;; (version 1) (deny default) (allow process-fork) (allow iokit-open (iokit-user-client-class "RootDomainUserClient")) ;;; Allow NTP specific files (allow file-read-data file-read-metadata (literal "/private/etc/ntp-restrict.conf") (literal "/private/etc/ntp_opendirectory.conf") (regex "^/private/etc/ntp\\.(conf|keys)$") (literal "/private/var/mobile/Library/Preferences/ntp.conf") (regex "^/private/etc/(services|hosts)$") (regex "^/private/var/run/tmpntp.conf.*")) (allow file-write* file-read-data file-read-metadata (literal "/private/var/run/ntpd.pid") (regex "^/private/var/(db|mobile/Library/Preferences)/ntp\\.drift(\\.TEMP)?$") (subpath "/private/tmp") (subpath "/private/var/tmp")) (allow network-inbound (local udp "*:123")) (allow network-outbound (control-name "com.apple.netsrc") (control-name "com.apple.network.statistics") (literal "/private/var/run/mDNSResponder") (remote udp)) (allow mach-lookup (global-name "com.apple.networkd") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.SystemConfiguration.DNSConfiguration") (global-name "com.apple.SystemConfiguration.SCNetworkReachability")) (allow system-set-time) (allow system-socket) (import "bsd.sb")