(version 1)

(deny default)

(import "system.sb")

(allow file-write-data
    (literal "/dev/random"))

(allow file-read* file-write*
    (subpath "/private/var/db/mds")
    (regex #"^/private/var/folders/[^/]+/[^/]+/T(/|$)")
    (regex (string-append "^" (regex-quote (param "_HOME")) #"/Library/Keychains(/|$)")))

(allow file-read*
    (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.imessage.bag.plist"))
    (literal (string-append (param "_HOME") "/Library/Preferences/com.apple.facetime.bag.plist")))


;;;;;; will be fully fixed in 29465717
(allow file-read* (subpath "/"))

(allow user-preference-read
    (preference-domain ".GlobalPreferences"))
(allow user-preference-read
    (preference-domain "com.apple.security"))
(allow user-preference-read
    (preference-domain "com.apple.imessage.bag"))
(allow user-preference-read
    (preference-domain "com.apple.facetime.bag"))
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.security.sosaccount"))

(allow distributed-notification-post)

(allow iokit-open
   (iokit-user-client-class "AppleKeyStoreUserClient")
   (iokit-user-client-class "AppleAPFSUserClient")
   (iokit-user-client-class "RootDomainUserClient"))


(allow file-read*
    (literal "/usr/libexec/secd")
    (literal "/Library/Preferences/com.apple.security.plist")
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (literal "/AppleInternal")
    (literal "/usr/libexec"))

(allow mach-lookup
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.security.cloudkeychainproxy3")
        (global-name "com.apple.accountsd.accountmanager")
        (global-name "com.apple.CoreServices.coreservicesd")
        (global-name "com.apple.distributed_notifications@Uv3")
        (global-name "com.apple.ak.auth.xpc")
        (global-name "com.apple.cdp.daemon")
        (global-name "com.apple.cloudd")
        (global-name "com.apple.apsd")
        (global-name "com.apple.analyticsd")
        (global-name "com.apple.symptom_diagnostics")
        (global-name "com.apple.ak.anisette.xpc")
        (global-name "com.apple.corefollowup.agent")
        (global-name "com.apple.windowserver.active")
        (global-name "com.apple.powerlog.plxpclogger.xpc")
        (global-name "com.apple.SecureBackupDaemon")
        (global-name "com.apple.SecureBackupDaemon.concurrent")
)

;; Used to send logs for MoiC.
(allow mach-lookup
        (global-name "com.apple.imagent.desktop.auth"))

(allow iokit-get-properties (iokit-registry-entry-class "IOPlatformExpertDevice"))

(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow network-outbound)
(allow system-socket)

;; to be deleted once SecTrustEvaluate and SecTrustCopyKey can avoid touching legacy cert and keychain stack
(allow file-read* file-write*
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsDirectory\.db$")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mdsObject\.db$")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$"))
(allow mach-lookup
    (global-name "com.apple.SecurityServer"))

(allow system-fsctl (fsctl-command afpfsByteRangeLock2FSCTL))