Add more exceptions to the sandbox profile.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11599 a1ca3aef-8c08-0410-bb20-df032aa958be

diff --git a/scheduler/process.c b/scheduler/process.c
index 469e77a682821de3d6304d94e5c29658cdc1faa0..6e28dc7ad8034fa1255ab00cb520fd8230b5dd28 100644 (file)
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -170,6 +170,7 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                 " #\"^%s/\""           /* TempDir/... */
                 " #\"^%s$\""           /* CacheDir */
                 " #\"^%s/\""           /* CacheDir/... */
+                " #\"^/private/var/db/\""
                 " #\"^/private/var/folders/\""
                 " #\"^/Library/Application Support/\""
                 " #\"^/Library/Caches/\""
@@ -182,6 +183,8 @@ cupsdCreateProfile(int job_id,              /* I - Job ID or 0 for none */
                  "(allow file-read-data file-read-metadata\n"
                  "  (literal \"/private/etc/services\")\n"
                  "  (regex"
+                 " #\"^/AppleInternal$\""
+                 " #\"^/AppleInternal/\""
                  " #\"^/bin$\""                /* /bin */
                  " #\"^/bin/\""                /* /bin/... */
                  " #\"^/usr/bin$\""    /* /usr/bin */
@@ -290,6 +293,10 @@ cupsdCreateProfile(int job_id,             /* I - Job ID or 0 for none */
     cupsFilePuts(fp, "(allow network*\n"
                     "       (local udp \"*:*\")\n"
                     "       (remote udp \"*:*\"))\n");
+
+    /* Also allow access to Bluetooth, USB, and SMB */
+    cupsFilePuts(fp, "(allow iokit-open)\n");
+    cupsFilePuts(fp, "(allow file-read-* file-write (literal \"/dev/nsmb0\"))\n");
   }
   else
   {