;; Copyright (c) 2007,2010-2018 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;
(version 1)

(deny default)

(import "bsd.sb")

;; Allow restarting statd, rquotad, nfsd and lockd via when launchctl it crashes.
(allow process-fork)
(allow file-read*
       (literal "/private/var/run/statd.pid")
       (literal "/private/var/run/rquotad.pid")
       (literal "/private/var/run/nfsd.pid")
       (literal "/private/var/run/lockd.pid"))

;; Allow creating/reading the PID file
(allow file* (literal "/private/var/run/rpcbind_init.pid"))

(allow process-exec*
	(literal "/bin/launchctl"))

;; Allow os_log to read rpcbind
(allow file-read* (literal "/usr/sbin/rpcbind"))

;; Allow rpcbind to manipulate its local tansport sockets
(allow file* (regex #"/private/var/run/rpcb\..*"))

;; Allow to send on local domain sockets
;;  -- suports indirect and callit
;;  -- allows replies from local domain transports
;;  -- allows replies from our tickler socket
(allow network-outbound (vnode-type SOCKET) (local udp) (local tcp) (remote udp) (remote tcp))

;; Allow receiving on our tickler socket
(allow network-inbound (literal "/var/run/portmap.socket") (local udp) (local tcp) (remote udp) (remote tcp))

;; Allow binding on our ticotsord transport
(allow network-bind (literal "/private/var/run/rpcb.ticotsord"))
;; Allow receiving on our ticotsord transport
(allow network-inbound (literal "/var/run/rpcb.ticotsord") (local tcp) (remote tcp))

;; Allow binding on our ticlts transport
(allow network-bind (literal "/private/var/run/rpcb.ticlts"))
;; Allow receiving on our ticlts transport
(allow network-inbound (literal "/var/run/rpcb.ticlts") (local udp) (remote udp))