(version 1)

(deny default)

(import "system.sb")

(allow file-read* file-write*
    (subpath "/private/var/db/mds")
    (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
    (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))


;;;;;; will be fully fixed in 29465717
(allow file-read* (subpath "/"))

(allow user-preference-read
    (preference-domain ".GlobalPreferences"))
(allow user-preference-read
    (preference-domain "com.apple.security"))

(allow file-read*
    (literal "/usr/libexec/secd")
    (literal "/Library/Preferences/com.apple.security.plist")
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (literal "/AppleInternal")
    (literal "/usr/libexec"))


(allow mach-lookup
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.security.cloudkeychainproxy3")
        (global-name "com.apple.accountsd.accountmanager")
        (global-name "com.apple.ak.auth.xpc")
        (global-name "com.apple.cdp.daemon")
        (global-name "com.apple.cloudd")
        (global-name "com.apple.apsd")
        (global-name "com.apple.ak.anisette.xpc")
        (global-name "com.apple.windowserver.active"))

;; Used to send logs for MoiC.
(allow mach-lookup
        (global-name "com.apple.imagent.desktop.auth"))

(allow iokit-open
    (iokit-user-client-class "AppleKeyStoreUserClient"))

(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))

(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow network-outbound)
(allow system-socket)