; Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
;
; Redistribution and use in source and binary forms, with or without
; modification, are permitted provided that the following conditions
; are met:
; 1. Redistributions of source code must retain the above copyright
;    notice, this list of conditions and the following disclaimer.
; 2. Redistributions in binary form must reproduce the above copyright
;    notice, this list of conditions and the following disclaimer in the
;    documentation and/or other materials provided with the distribution.
;
; THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
; PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
; BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
; CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
; SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
; INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
; CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
; ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
; THE POSSIBILITY OF SUCH DAMAGE.

(allow mach-lookup
    (global-name "com.apple.ist.ds.appleconnect2.service.admin")
    (global-name "com.apple.ist.ds.appleconnect2.service.agent")
    (global-name "com.apple.ist.ds.appleconnect2.service.kdctunnelcontroller")
    (global-name "com.apple.ist.ds.appleconnect2.service.menuextra")
    (global-name "com.apple.wifi.anqp")
    (global-name "com.apple.GSSCred")
    (global-name "org.h5l.kcm"))
(allow mach-lookup
    (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.com\.apple\.WebKit\.Plugin\.(32|64|Development)\[[0-9]+\]$")
    (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.PluginProcess\[[0-9]+\]$"))

(shared-preferences-read
    "com.apple.GSS"
    "com.apple.ist.ds.appleconnect2"
    "com.apple.ist.ds.appleconnect2.acceptanceTest"
    "com.apple.ist.ds.appleconnect2.production"
    "com.apple.ist.ds.appleconnect2.uat"
    "com.apple.Kerberos"
    "com.apple.networkConnect"
    "edu.mit.Kerberos")

(allow file-read*
    (subpath "/Library/KerberosPlugins/GSSAPI")
    (subpath "/Library/KerberosPlugins/KerberosFrameworkPlugins")
    (literal "/Library/Preferences/edu.mit.Kerberos")
    (literal "/Library/Preferences/SystemConfiguration/preferences.plist")
    (home-library-preferences-literal "/edu.mit.Kerberos"))

(allow file-read*
    (literal "/private/etc/services"))

(if (defined? 'mach-register)
    (allow mach-register
        (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.com\.apple\.WebKit\.Plugin\.(32|64|Development)\[[0-9]+\]$")
        (global-name-regex #"^com\.apple\.ist\.ds\.appleconnect2\.service\.PluginProcess\[[0-9]+\]$")))

(allow system-socket)
(allow network-outbound
   (remote udp "*:4160" "*:88"))
(allow network-inbound
   (local udp))