
;; Sandbox profile (SBPL). It starts from a default-deny baseline and then
;; re-allows individual operations. The file-read-metadata comment and the
;; "/usr/libexec/trustd" literal suggest the confined process is trustd, but
;; the page does not name it -- confirm.
;;
;; NOTE(review): several string arguments below are empty ("") as shown on this
;; page: both imports, the preference domains, the mach/XPC service names and
;; the POSIX shm name. They were presumably stripped when the page was
;; extracted. Review the real identifiers in the shipped profile before drawing
;; conclusions about the IPC or preference surface.
(version 1)

;; Anything not explicitly allowed further down is refused.
(deny default)
;; These operation classes are denied explicitly as well as by the default.
;; Later, narrower rules re-allow parts of them (process-info* for self,
;; file-map-executable for two path patterns). This relies on later rules
;; taking precedence over earlier ones -- TODO confirm against the SBPL version
;; in use.
(deny file-map-executable iokit-get-properties process-info* nvram*)
;; Explicit deny of dynamic-code-generation. No rule in this file re-allows it.
(deny dynamic-code-generation)

;; NOTE(review): import targets are empty as shown. Imported profiles can add
;; allow rules of their own, so the effective policy cannot be judged from this
;; file alone.
(import "")
(import "")

;; The process may query process-info* about itself only.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; For validating the entitlements of clients (for keychain and trust settings)
;; see 31353815
;; The next two allows carry no (target ...) filter, so they are not limited to
;; self the way the process-info* rule above is.
(allow process-info-codesignature)
(allow process-info-pidinfo)
;; NOTE(review): this file-read* has no path filter, so it grants read access
;; to every path the process's Unix permissions allow. It makes the
;; file-read-metadata allow above redundant, along with the read half of every
;; path-scoped file-read* rule below. If filesystem read confinement is
;; intended, this is the rule to narrow.
(allow file-read*)

;; ${PRODUCT_NAME}’s preference domain.
;; NOTE(review): domain string is empty as shown; presumably filled in from the
;; build-time ${PRODUCT_NAME} value -- confirm.
(allow user-preference-read user-preference-write
    (preference-domain ""))

;; Global and security preferences
;; Read-only; this rule has no user-preference-write.
(allow user-preference-read
	(preference-domain "")
	(preference-domain ".GlobalPreferences")
	(preference-domain ""))

;; Read/write access to a temporary directory.
;; Both paths are parameters supplied by whoever applies the profile. The write
;; scope is therefore only as tight as the values passed for _TMPDIR and
;; _DARWIN_CACHE_DIR -- presumably per-user or per-process directories; verify
;; at the call site.
(allow file-read* file-write*
    (subpath (param "_TMPDIR"))
    (subpath (param "_DARWIN_CACHE_DIR")))

;; Read/write access to keychains and caches
;; Apart from the two parameterised directories above, these are the only
;; file-write* grants in this file (imports aside). They are the paths to watch
;; for unexpected modification: system keychains, CRL and mds databases,
;; /System/Library/Security/ and root's cache directory.
(allow file-read* file-write*
	(subpath "/private/var/db/mds/")
	(subpath "/private/var/db/crls/")
	(subpath "/System/Library/Security/")
	(subpath "/Library/Keychains/")
	(subpath "/private/var/root/Library/Caches/"))

;; Read-only paths. The unfiltered (allow file-read*) earlier in the file
;; already covers these, so this rule adds nothing while that one stands.
;; NOTE(review): "/Library/Preferences/" appears twice as shown; a trailing
;; file name may have been lost in extraction -- confirm.
;; NOTE(review): the regex has no ^/$ anchors and its first "." is unescaped,
;; so it matches any single character there, not only a literal dot.
(allow file-read*
	(literal "/usr/libexec")
	(literal "/usr/libexec/trustd")
	(literal "/Library/Preferences/")
	(regex #"/.GlobalPreferences[^/]*\.plist")
	(literal "/Library/Preferences/")
    (literal "/Library/Application Support/CrashReporter/"))

;; Re-allows mapping executable code for two path patterns after the blanket
;; deny at the top of the file.
;; NOTE(review): both regexes are unanchored substring matches. Any path that
;; contains "/CoreServicesInternal" or "/csparser" qualifies, wherever it sits
;; on disk. Anchoring them to the expected system directories would tighten
;; this -- the intended directories are not shown here.
(allow file-map-executable
    (regex #"/CoreServicesInternal")
    (regex #"/csparser"))

;; Mach and XPC services this process may look up.
;; NOTE(review): all nine names are empty as shown, so the IPC surface cannot
;; be assessed from this page.
(allow mach-lookup
	(global-name "")
	(global-name "")
	(global-name "")
	(global-name "")
    (global-name "")
    (global-name "")
    (global-name "")
    (xpc-service-name "")
    (global-name ""))

;; One named POSIX shared-memory object (name empty as shown).
(allow ipc-posix-shm
	(ipc-posix-name ""))

;; NOTE(review): network-outbound has no filter, so outbound connections to any
;; destination and port are permitted. Presumably this is needed to fetch
;; revocation and trust data from arbitrary servers -- confirm. It also means
;; the sandbox does not constrain egress, so that must be handled elsewhere.
(allow network-outbound)
;; system-socket is allowed without a filter as well.
(allow system-socket)