More sandbox tweaking for IOKit access of USB/Bluetooth.
authormsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Tue, 18 Mar 2014 17:50:41 +0000 (17:50 +0000)
committermsweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Tue, 18 Mar 2014 17:50:41 +0000 (17:50 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11702 a1ca3aef-8c08-0410-bb20-df032aa958be

scheduler/process.c

index 7746de3eef0d3b0dfa793f6541fa73b4187d1f7c..be6610819cc954d496e393c2aa01652ed719c93f 100644 (file)
@@ -313,7 +313,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                     "       (remote udp \"*:*\"))\n");
 
     /* Also allow access to Bluetooth, USB, device files, etc. */
-    cupsFilePuts(fp, "(allow iokit-open)\n");
+    cupsFilePuts(fp, "(allow iokit*)\n");
     cupsFilePuts(fp, "(allow file-write* file-read-data file-read-metadata file-ioctl\n"
                      "       (regex #\"^/dev/\"))\n");
     cupsFilePuts(fp, "(allow distributed-notification-post)\n");
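Review bot: `(allow iokit*)` on the added line replaces one named operation with a wildcard, so this profile now permits every sandbox operation whose name begins with `iokit`, not only `iokit-open`, while the comment above it still describes plain device access. If the USB/Bluetooth backends need only one or two more operations, listing them by name keeps the profile least-privilege; if the wildcard is intended, the comment should say so, e.g. `/* Allow all IOKit operations; iokit-open alone is not enough for the USB/Bluetooth backends */`. The counterpart `(deny iokit* (with no-report))` added in the second hunk turns off violation reporting, so an unexpected IOKit attempt under that profile would apparently leave no sandbox log entry to triage; a one-line comment on why reporting is suppressed would help. The body of cupsdCreateProfile and the enclosing blocks start outside both hunks, so which processes receive which rule is inferred from the context lines only.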
@@ -326,6 +326,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                     "       (remote udp \"*:161\"))\n");
     cupsFilePuts(fp, "(allow network-inbound\n"
                     "       (local udp \"localhost:*\"))\n");
+    cupsFilePuts(fp, "(deny iokit* (with no-report))\n");
   }
   cupsFileClose(fp);