pkgsrc/security/openssh/files/org.openssh.sshd.sb.in

;;	$NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
;;
;; Copyright (c) 2008 Apple Inc.  All Rights reserved.
;;
;; sshd - profile for privilege separated children
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;

(version 1)

(deny default)

(allow file-chroot)
(allow file-read-metadata (literal "@VARBASE@"))

(allow sysctl-read)
(allow mach-per-user-lookup)
(allow mach-lookup
	(global-name "com.apple.system.notification_center")
	(global-name "com.apple.system.logger"))
Fix a bug introduced 9 years ago in patch-sshd.c which has meant that privilege separation has been disabled all that time. The logic was changed such that it was only enabled on Interix, instead of only being disabled on Interix as originally intended. While here, pull in patches from MacPorts to enable privsep on Darwin. Bump PKGREVISION. 2015-08-14 10:57:00 +02:00			`;; $NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $`
			`;;`
			`;; Copyright (c) 2008 Apple Inc. All Rights reserved.`
			`;;`
			`;; sshd - profile for privilege separated children`
			`;;`
			`;; WARNING: The sandbox rules in this file currently constitute`
			`;; Apple System Private Interface and are subject to change at any time and`
			`;; without notice.`
			`;;`

			`(version 1)`

			`(deny default)`

			`(allow file-chroot)`
			`(allow file-read-metadata (literal "@VARBASE@"))`

			`(allow sysctl-read)`
			`(allow mach-per-user-lookup)`
			`(allow mach-lookup`
			`(global-name "com.apple.system.notification_center")`
			`(global-name "com.apple.system.logger"))`