dnscrypt-proxy.sb

(version 1)
;(trace "dnscrypt.sb")
(import "bsd.sb")
(deny default)

(allow signal (target self))

(allow ipc-posix-shm-read*
   ipc-posix-shm-write-create
   ipc-posix-shm-write-data
   (ipc-posix-name "com.apple.AppleDatabaseChanged")
)

;
; from com.apple.coreservices.appleevents.appleeventsd.sb
;
;(allow system-audit)

(allow file-read-data
  (subpath "/private/var/tmp/mds")
  (subpath "/private/var/db/mds")
  (literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin")
  (literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin/dnscrypt-proxy"))


(allow file-read* file-write*
  (regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
  (regex #"^/private/var/db/mds/[0-9]+(/|$)")
  (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)"))

(allow file-read*
  (regex #"^.*/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist$")
  (regex #"^/private/var/db/mds/")
  (literal "/Library/Preferences/com.apple.security.plist")
  (literal "/usr/libexec")
  (literal "/usr/libexec/xscertd"))

(allow file-read-metadata
  (literal "/Library")
  (literal "/Library/Keychains")
  (literal "/Library/Keychains/System.keychain")
  (literal "/private/var/empty")
  (literal "/private/var/run/systemkeychaincheck.done"))

; KSS I added these to the list from the Radar, because they seem necessary
(allow file-read-metadata (literal "/private") (literal "/private/var") (literal "/private/var/db") )
(allow file-read* (literal "/private/var/db/DetachedSignatures"))

; END com.apple.coreservices.appleevents.appleeventsd.sb

(allow file-read* file-write*
  (subpath "/private/var/root/Library/Application Support/Certificate Authority")
  (literal "/private/var/db/mds/messages/se_SecurityMessages") ;; Security.framework
  (literal "/private/var/db/mds/system/mdsObject.db") ;; Security.framework
  (literal "/private/var/db/mds/system/mds.lock")
)

(allow mach-lookup
  (global-name "com.apple.trustd.agent") ;; Certificate validation.
  (global-name "com.apple.security")
  (global-name "com.apple.xscertd.helper")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.ocspd")
  (global-name "com.apple.securityd")
)

(allow network-bind (local tcp "*:3000"))
(allow network-bind (local tcp "*:53"))
(allow network-bind (local udp "*:53"))
(allow network-inbound (local ip))
(allow network-outbound)

; if logging to stdout
(allow file-write*
   (literal "/dev/stdout")
   (literal "/dev/fd/1")
)

(allow file-read*
  (literal "/dev/urandom")
)

(allow file-write*
  (literal "/usr/local/etc")
  (regex #"^/usr/local/etc/.*\.log")
  (regex #"^/usr/local/etc/.*\.md*")
  (regex #"^/usr/local/etc/.*\.tmp*")
)

(allow file-read*
  (literal "/usr/local/etc")
  (literal "/usr/local/etc/dnscrypt-proxy.toml")
  (literal "/usr/local/etc/localhost.pem")
  (regex #"^/usr/local/etc/.*\.log")
  (regex #"^/usr/local/etc/.*\.md*")
  (regex #"^/usr/local/etc/.*\.tmp*")
  (regex #"^/usr/local/etc/allowed.*\.txt")
  (regex #"^/usr/local/etc/blocked.*\.txt")
)

(allow process-exec
  (literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin/dnscrypt-proxy")
  (literal "/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy")
  (literal "/usr/local/sbin/dnscrypt-proxy")
)

;
; from cvmsServer.sb
;
(when (defined? 'syscall-unix)
  (deny syscall-unix (with send-signal SIGKILL))
  (allow syscall-unix
    ;; System Call allow list
    (syscall-number SYS___disable_threadsignal
                    SYS___mac_syscall
                    SYS___pthread_canceled
                    SYS___pthread_kill
                    SYS___pthread_sigmask
                    SYS___semwait_signal
                    SYS_accept
                    SYS_access
                    SYS_bind
                    SYS_bsdthread_create
                    SYS_bsdthread_ctl
                    SYS_bsdthread_register
                    SYS_bsdthread_terminate
                    SYS_change_fdguard_np
                    SYS_chdir
                    SYS_close
                    SYS_close_nocancel
                    SYS_connect
                    SYS_csops
                    SYS_csops_audittoken
                    SYS_csrctl
                    SYS_execve
                    SYS_exit
                    SYS_fcntl
                    SYS_fcntl_nocancel
                    SYS_fgetattrlist
                    SYS_flock
                    SYS_fsgetpath
                    SYS_fstat64
                    SYS_fstatfs64
                    SYS_ftruncate
                    SYS_getattrlist
                    SYS_getaudit_addr
                    SYS_getdirentries64
                    SYS_getegid
                    SYS_getentropy
                    SYS_geteuid
                    SYS_getpeername
                    SYS_getpid
                    SYS_getppid
                    SYS_getrlimit
                    SYS_getsockname
                    SYS_getsockopt
                    SYS_gettid
                    SYS_gettimeofday
                    SYS_getuid
                    SYS_ioctl
                    SYS_issetugid
                    SYS_kdebug_trace64
                    SYS_kdebug_trace_string
                    SYS_kdebug_typefilter
                    SYS_kevent
                    SYS_kevent_id
                    SYS_kevent_qos
                    SYS_kqueue
                    SYS_listen
                    SYS_lseek
                    SYS_lstat64
                    SYS_madvise
                    SYS_mkdir
                    SYS_mmap
                    SYS_mprotect
                    SYS_munmap
                    SYS_necp_open
                    SYS_open
                    SYS_open_nocancel
                    SYS_openat
                    SYS_pipe
                    SYS_pread
                    SYS_proc_info
                    SYS_psynch_cvclrprepost
                    SYS_psynch_cvsignal
                    SYS_psynch_cvwait
                    SYS_psynch_mutexdrop
                    SYS_psynch_mutexwait
                    SYS_read
                    SYS_read_nocancel
                    SYS_recvfrom
                    SYS_recvfrom_nocancel
                    SYS_rename
                    SYS_select_nocancel
                    SYS_sendmsg_nocancel
                    SYS_sendto
                    SYS_sendto_nocancel
                    SYS_setattrlist
                    SYS_setsockopt
                    SYS_shared_region_check_np
                    SYS_shm_open
                    SYS_sigaction
                    SYS_sigaltstack
                    SYS_sigreturn
                    SYS_socket
                    SYS_socketpair
                    SYS_stat64
                    SYS_statfs64
                    SYS_sysctl
                    SYS_sysctlbyname
                    SYS_thread_selfid
                    SYS_ulock_wait
                    SYS_ulock_wake
                    SYS_workq_kernreturn
                    SYS_workq_open
                    SYS_write)
  )
  ;; Comment deny-syscall above and uncomment line below to allow
  ;; the system call but report in the log to determine allow call list.
  ; (allow (with report) syscall-unix)
)
;
(debug all)