More sandbox profile tweaks.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11609 a1ca3aef-8c08-0410-bb20-df032aa958be
diff --git a/scheduler/process.c b/scheduler/process.c
index 76b029a..1ef14cf 100644
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -172,6 +172,7 @@
" #\"^%s/\"" /* CacheDir/... */
" #\"^/private/var/db/\""
" #\"^/private/var/folders/\""
+ " #\"^/private/var/run/\""
" #\"^/Library/Application Support/\""
" #\"^/Library/Caches/\""
" #\"^/Library/Preferences/\""
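Review bot: The added `^/private/var/run/` entry opens the whole run directory, and neither the hunk nor the commit message says which file a filter or backend actually needs there. The rule's `(allow ...` header starts above the hunk; if this is the read/write list that the `CacheDir/...` entry suggests, every sandboxed helper gains write access to the pid files and socket paths other daemons keep under /private/var/run. I would list the specific paths required instead of the subtree. At a minimum, add a trailing comment in the style of the neighbouring line, for example `/* needed by <service>, see <bug id> */`.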
@@ -181,12 +182,16 @@
/* Read common folders */
cupsFilePrintf(fp,
"(allow file-read-data file-read-metadata\n"
- " (literal \"/private/etc/services\")\n"
" (regex"
" #\"^/AppleInternal$\""
" #\"^/AppleInternal/\""
" #\"^/bin$\"" /* /bin */
" #\"^/bin/\"" /* /bin/... */
+ " #\"^/private$\""
+ " #\"^/private/etc/services$\""
+ " #\"^/private/var$\""
+ " #\"^/private/var/db$\""
+ " #\"^/private/var/spool$\""
" #\"^/usr/bin$\"" /* /usr/bin */
" #\"^/usr/bin/\"" /* /usr/bin/... */
" #\"^/usr/libexec/cups$\"" /* /usr/libexec/cups */
@@ -196,8 +201,10 @@
" #\"^/Library/Caches$\""
" #\"^/Library/Fonts$\""
" #\"^/Library/Fonts/\""
+ " #\"^/Library/Keychains$\""
+ " #\"^/Library/Keychains/\""
" #\"^/Library/Printers$\""
- " #\"^/Library/Printers/.*$\""
+ " #\"^/Library/Printers/\""
" #\"^%s/Library$\"" /* RequestRoot/Library */
" #\"^%s/Library/\"" /* RequestRoot/Library/... */
" #\"^%s$\"" /* ServerBin */
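Review bot: The two new `/Library/Keychains` entries give read access to the directory and to every file beneath it, with no comment explaining what needs it. This appears to extend the "Read common folders" rule, whose start is outside this hunk, so the grant would apply to every filter and backend run under the profile, including ones that process untrusted job data. If only one keychain file is required (for certificate validation, presumably), anchor the pattern to it, e.g. `" #\"^/Library/Keychains/<needed-file>$\""`. Either way, record the reason in a trailing comment on the line. The `/Library/Printers/` rewrite in the same hunk matches the same paths as the old `.*$` form and needs no change.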
@@ -273,9 +280,9 @@
" (literal \"/usr/sbin/sendmail\")\n"
" (with no-sandbox))\n");
}
- /* Allow outbound networking to local mDNSResponder and cupsd */
+ /* Allow outbound networking to local services */
cupsFilePuts(fp, "(allow network-outbound"
- "\n (literal \"/private/var/run/mDNSResponder\")");
+ "\n (regex #\"^/private/var/run/\")");
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
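Review bot: Replacing the mDNSResponder literal with `(regex #\"^/private/var/run/\")` lets a sandboxed helper connect to any UNIX-domain socket under /private/var/run, not just the services this change was made for. That is a least-privilege regression for processes that parse untrusted print data, and the new comment "local services" no longer says which endpoints are intended. I would keep `(literal \"/private/var/run/mDNSResponder\")` and add one `(literal ...)` line per additional socket that is actually required, naming each in the comment. The listener loop that appends to this rule continues past the end of the hunk.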