(version 1)
(deny default)
(import "system.sb")
(allow file-read* file-write*
(subpath "/private/var/db/mds")
(regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
(regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))
;;;;;; will be fully fixed in 29465717
(allow file-read* (subpath "/"))
(allow user-preference-read
(preference-domain ".GlobalPreferences"))
(allow user-preference-read
(preference-domain "com.apple.security"))
(allow file-read*
(literal "/usr/libexec/secd")
(literal "/Library/Preferences/com.apple.security.plist")
(literal "/Library/Preferences/.GlobalPreferences.plist")
(literal "/AppleInternal")
(literal "/usr/libexec"))
(allow mach-lookup
(global-name "com.apple.system.opendirectoryd.api")
(global-name "com.apple.SystemConfiguration.configd")
(global-name "com.apple.security.cloudkeychainproxy3")
(global-name "com.apple.accountsd.accountmanager")
(global-name "com.apple.ak.auth.xpc")
(global-name "com.apple.cdp.daemon")
(global-name "com.apple.cloudd")
(global-name "com.apple.apsd")
(global-name "com.apple.ak.anisette.xpc")
(global-name "com.apple.windowserver.active"))
;; Used to send logs for MoiC.
(allow mach-lookup
(global-name "com.apple.imagent.desktop.auth"))
(allow iokit-open
(iokit-user-client-class "AppleKeyStoreUserClient"))
(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))
(allow ipc-posix-shm
(ipc-posix-name "com.apple.AppleDatabaseChanged"))
(allow network-outbound)
(allow system-socket)