From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Tue, 18 Mar 2014 17:50:41 +0000 (+0000)
Subject: More sandbox tweaking for IOKit access of USB/Bluetooth.
X-Git-Tag: v2.2b1~710
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c12b983aa4c497a827ae987299ffbed6e07d65b0;p=thirdparty%2Fcups.git

More sandbox tweaking for IOKit access of USB/Bluetooth.


git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11702 a1ca3aef-8c08-0410-bb20-df032aa958be
---

diff --git a/scheduler/process.c b/scheduler/process.c
index 7746de3eef..be6610819c 100644
--- a/scheduler/process.c
+++ b/scheduler/process.c
@@ -313,7 +313,7 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
 		     "       (remote udp \"*:*\"))\n");
 
     /* Also allow access to Bluetooth, USB, device files, etc. */
-    cupsFilePuts(fp, "(allow iokit-open)\n");
+    cupsFilePuts(fp, "(allow iokit*)\n");
     cupsFilePuts(fp, "(allow file-write* file-read-data file-read-metadata file-ioctl\n"
                      "       (regex #\"^/dev/\"))\n");
     cupsFilePuts(fp, "(allow distributed-notification-post)\n");
@@ -326,6 +326,7 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
 		     "       (remote udp \"*:161\"))\n");
     cupsFilePuts(fp, "(allow network-inbound\n"
 		     "       (local udp \"localhost:*\"))\n");
+    cupsFilePuts(fp, "(deny iokit* (with no-report))\n");
   }
   cupsFileClose(fp);