More sandbox profile tweaks.
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 19 Feb 2014 16:04:18 +0000 (16:04 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 19 Feb 2014 16:04:18 +0000 (16:04 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11609 a1ca3aef-8c08-0410-bb20-df032aa958be

scheduler/process.c

index 76b029aa61bb43a2f16875f338e8e64dd575950f..1ef14cf01656576fc4ed143ef163fbe1b51dae9d 100644 (file)
@@ -172,6 +172,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                 " #\"^%s/\""           /* CacheDir/... */
                 " #\"^/private/var/db/\""
                 " #\"^/private/var/folders/\""
+                 " #\"^/private/var/run/\""
                 " #\"^/Library/Application Support/\""
                 " #\"^/Library/Caches/\""
                 " #\"^/Library/Preferences/\""
@@ -181,12 +182,16 @@ cupsdCreateProfile(int job_id,            /* I - Job ID or 0 for none */
   /* Read common folders */
   cupsFilePrintf(fp,
                  "(allow file-read-data file-read-metadata\n"
-                 "  (literal \"/private/etc/services\")\n"
                  "  (regex"
                  " #\"^/AppleInternal$\""
                  " #\"^/AppleInternal/\""
                  " #\"^/bin$\""                /* /bin */
                  " #\"^/bin/\""                /* /bin/... */
+                 " #\"^/private$\""
+                 " #\"^/private/etc/services$\""
+                 " #\"^/private/var$\""
+                 " #\"^/private/var/db$\""
+                 " #\"^/private/var/spool$\""
                  " #\"^/usr/bin$\""    /* /usr/bin */
                  " #\"^/usr/bin/\""    /* /usr/bin/... */
                  " #\"^/usr/libexec/cups$\""   /* /usr/libexec/cups */
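Review bot: The added bare-directory patterns (`^/private$`, `^/private/var$`, `^/private/var/db$`, `^/private/var/spool$`) sit under `file-read-data` as well as `file-read-metadata`, so they permit listing those directories and not only looking paths up through them. If they exist only so that lookups below `/private/var` succeed (an inference, the commit message does not say), a separate `(allow file-read-metadata ...)` rule for the ancestor directories would grant less. The new lines also lack the trailing comments that the neighbouring `/bin` and `/usr/bin` entries carry; something like `/* directory itself only, for path lookup */` would record the intent. The cupsFilePrintf call continues past the end of the hunk.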
@@ -196,8 +201,10 @@ cupsdCreateProfile(int job_id,             /* I - Job ID or 0 for none */
                 " #\"^/Library/Caches$\""
                 " #\"^/Library/Fonts$\""
                 " #\"^/Library/Fonts/\""
+                " #\"^/Library/Keychains$\""
+                " #\"^/Library/Keychains/\""
                 " #\"^/Library/Printers$\""
-                " #\"^/Library/Printers/.*$\""
+                " #\"^/Library/Printers/\""
                 " #\"^%s/Library$\""   /* RequestRoot/Library */
                 " #\"^%s/Library/\""   /* RequestRoot/Library/... */
                 " #\"^%s$\""           /* ServerBin */
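Review bot: The new `^/Library/Keychains$` and `^/Library/Keychains/` patterns give every process started under this profile read access to the whole system keychain directory, and neither the hunk nor the commit message says which filter or backend needs it. The list appears to belong to the `allow file-read-data file-read-metadata` rule from the previous hunk, but its head is outside this hunk. If the need is certificate validation for TLS connections (an assumption), the entry should name the specific keychain files rather than the subtree and carry a comment such as `/* system keychain, read-only, for certificate validation in backends */`. The width of this grant matters because the profile is what contains a filter that has been compromised while parsing untrusted print data.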
@@ -273,9 +280,9 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                 "  (literal \"/usr/sbin/sendmail\")\n"
                 "  (with no-sandbox))\n");
   }
-  /* Allow outbound networking to local mDNSResponder and cupsd */
+  /* Allow outbound networking to local services */
   cupsFilePuts(fp, "(allow network-outbound"
-                  "\n       (literal \"/private/var/run/mDNSResponder\")");
+                  "\n       (regex #\"^/private/var/run/\")");
   for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
        lis;
        lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
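Review bot: Replacing the `(literal \"/private/var/run/mDNSResponder\")` target with `(regex #\"^/private/var/run/\")` lets sandboxed processes connect to every UNIX-domain socket under /private/var/run, including daemons unrelated to printing, so a compromised filter gains a path to all of them. The new comment `/* Allow outbound networking to local services */` does not name the services that motivated the change. Prefer keeping the mDNSResponder literal and adding one `(literal ...)` line per socket that is actually required, or at minimum list those sockets in the comment so the rule can be tightened later. The `for` loop over Listeners that appends to this rule continues outside the hunk.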