Allow network.sb to access Kerberos files and Mach services.

Bug: 1017830 Change-Id: I1c0c69b130bc048ec75a70a65e22e7d73fad0158 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1906632 Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#713980}

Allow network.sb to access Kerberos files and Mach services.
Bug: 1017830 Change-Id: I1c0c69b130bc048ec75a70a65e22e7d73fad0158 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1906632 Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-by: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#713980}
e615bdb3 · Robert Sesek · Commit Bot · fa5d575a · e615bdb3
Commit e615bdb3 authored Nov 08, 2019 by Robert Sesek Committed by Commit Bot Nov 08, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

services/service_manager/sandbox/mac/network.sb services/service_manager/sandbox/mac/network.sb +10 -0

No files found.
--- a/services/service_manager/sandbox/mac/network.sb
+++ b/services/service_manager/sandbox/mac/network.sb
@@ -108,3 +108,13 @@
 (allow sysctl-read
  (sysctl-name-regex #"^net.routetable")
 )
+; Kerberos support. This should be removed after GSS is moved out of the
+; network service. https://crbug.com/1017830
+(allow mach-lookup
+  (global-name "org.h5l.kcm")
+)
+(allow file-read*
+  (path "/private/etc/krb5.conf")
+  (subpath "/System/Library/KerberosPlugins/KerberosFrameworkPlugins")
+)