-
Notifications
You must be signed in to change notification settings - Fork 0
/
dnscrypt-proxy.sb
223 lines (204 loc) · 6.97 KB
/
dnscrypt-proxy.sb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
(version 1)
;(trace "dnscrypt.sb")
(import "bsd.sb")
(deny default)
(allow signal (target self))
(allow ipc-posix-shm-read*
ipc-posix-shm-write-create
ipc-posix-shm-write-data
(ipc-posix-name "com.apple.AppleDatabaseChanged")
)
;
; from com.apple.coreservices.appleevents.appleeventsd.sb
;
;(allow system-audit)
(allow file-read-data
(subpath "/private/var/tmp/mds")
(subpath "/private/var/db/mds")
(literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin")
(literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin/dnscrypt-proxy"))
(allow file-read* file-write*
(regex #"^/private/var/tmp/mds/[0-9]+(/|$)")
(regex #"^/private/var/db/mds/[0-9]+(/|$)")
(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)"))
(allow file-read*
(regex #"^.*/Library/Preferences/(ByHost/)?\.GlobalPreferences.*\.plist$")
(regex #"^/private/var/db/mds/")
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/usr/libexec")
(literal "/usr/libexec/xscertd"))
(allow file-read-metadata
(literal "/Library")
(literal "/Library/Keychains")
(literal "/Library/Keychains/System.keychain")
(literal "/private/var/empty")
(literal "/private/var/run/systemkeychaincheck.done"))
; KSS I added these to the list from the Radar, because they seem necessary
(allow file-read-metadata (literal "/private") (literal "/private/var") (literal "/private/var/db") )
(allow file-read* (literal "/private/var/db/DetachedSignatures"))
; END com.apple.coreservices.appleevents.appleeventsd.sb
(allow file-read* file-write*
(subpath "/private/var/root/Library/Application Support/Certificate Authority")
(literal "/private/var/db/mds/messages/se_SecurityMessages") ;; Security.framework
(literal "/private/var/db/mds/system/mdsObject.db") ;; Security.framework
(literal "/private/var/db/mds/system/mds.lock")
)
(allow mach-lookup
(global-name "com.apple.trustd.agent") ;; Certificate validation.
(global-name "com.apple.security")
(global-name "com.apple.xscertd.helper")
(global-name "com.apple.SecurityServer")
(global-name "com.apple.ocspd")
(global-name "com.apple.securityd")
)
(allow network-bind (local tcp "*:3000"))
(allow network-bind (local tcp "*:53"))
(allow network-bind (local udp "*:53"))
(allow network-inbound (local ip))
(allow network-outbound)
; if logging to stdout
(allow file-write*
(literal "/dev/stdout")
(literal "/dev/fd/1")
)
(allow file-read*
(literal "/dev/urandom")
)
(allow file-write*
(literal "/usr/local/etc")
(regex #"^/usr/local/etc/.*\.log")
(regex #"^/usr/local/etc/.*\.md*")
(regex #"^/usr/local/etc/.*\.tmp*")
)
(allow file-read*
(literal "/usr/local/etc")
(literal "/usr/local/etc/dnscrypt-proxy.toml")
(literal "/usr/local/etc/localhost.pem")
(regex #"^/usr/local/etc/.*\.log")
(regex #"^/usr/local/etc/.*\.md*")
(regex #"^/usr/local/etc/.*\.tmp*")
(regex #"^/usr/local/etc/allowed.*\.txt")
(regex #"^/usr/local/etc/blocked.*\.txt")
)
(allow process-exec
(literal "/usr/local/Cellar/dnscrypt-proxy/2.1.1/sbin/dnscrypt-proxy")
(literal "/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy")
(literal "/usr/local/sbin/dnscrypt-proxy")
)
;
; from cvmsServer.sb
;
(when (defined? 'syscall-unix)
(deny syscall-unix (with send-signal SIGKILL))
(allow syscall-unix
;; System Call allow list
(syscall-number SYS___disable_threadsignal
SYS___mac_syscall
SYS___pthread_canceled
SYS___pthread_kill
SYS___pthread_sigmask
SYS___semwait_signal
SYS_accept
SYS_access
SYS_bind
SYS_bsdthread_create
SYS_bsdthread_ctl
SYS_bsdthread_register
SYS_bsdthread_terminate
SYS_change_fdguard_np
SYS_chdir
SYS_close
SYS_close_nocancel
SYS_connect
SYS_csops
SYS_csops_audittoken
SYS_csrctl
SYS_execve
SYS_exit
SYS_fcntl
SYS_fcntl_nocancel
SYS_fgetattrlist
SYS_flock
SYS_fsgetpath
SYS_fstat64
SYS_fstatfs64
SYS_ftruncate
SYS_getattrlist
SYS_getaudit_addr
SYS_getdirentries64
SYS_getegid
SYS_getentropy
SYS_geteuid
SYS_getpeername
SYS_getpid
SYS_getppid
SYS_getrlimit
SYS_getsockname
SYS_getsockopt
SYS_gettid
SYS_gettimeofday
SYS_getuid
SYS_ioctl
SYS_issetugid
SYS_kdebug_trace64
SYS_kdebug_trace_string
SYS_kdebug_typefilter
SYS_kevent
SYS_kevent_id
SYS_kevent_qos
SYS_kqueue
SYS_listen
SYS_lseek
SYS_lstat64
SYS_madvise
SYS_mkdir
SYS_mmap
SYS_mprotect
SYS_munmap
SYS_necp_open
SYS_open
SYS_open_nocancel
SYS_openat
SYS_pipe
SYS_pread
SYS_proc_info
SYS_psynch_cvclrprepost
SYS_psynch_cvsignal
SYS_psynch_cvwait
SYS_psynch_mutexdrop
SYS_psynch_mutexwait
SYS_read
SYS_read_nocancel
SYS_recvfrom
SYS_recvfrom_nocancel
SYS_rename
SYS_select_nocancel
SYS_sendmsg_nocancel
SYS_sendto
SYS_sendto_nocancel
SYS_setattrlist
SYS_setsockopt
SYS_shared_region_check_np
SYS_shm_open
SYS_sigaction
SYS_sigaltstack
SYS_sigreturn
SYS_socket
SYS_socketpair
SYS_stat64
SYS_statfs64
SYS_sysctl
SYS_sysctlbyname
SYS_thread_selfid
SYS_ulock_wait
SYS_ulock_wake
SYS_workq_kernreturn
SYS_workq_open
SYS_write)
)
;; Comment deny-syscall above and uncomment line below to allow
;; the system call but report in the log to determine allow call list.
; (allow (with report) syscall-unix)
)
;
(debug all)