;;
;;  framework.sb
;;  MobileSoftwareUpdate
;;
;;  Sandbox Profile for the MobileSoftwareUpdate Framework
;;
;;  Created by Erik Phillips on 11/15/19.
;;  Copyright © 2019 Apple Inc. All rights reserved.
;;
;;  WARNING: The sandbox rules in this file currently constitute
;;  Apple System Private Interface and are subject to change at
;;  any time and without notice.
;;
;; MacOS Install location:
;;   /System/Library/PrivateFrameworks/MobileSoftwareUpdate.framework/Versions/A/Resources/framework.sb
;;

(version 1)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;; UpdateMetrics preference domain
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.UpdateMetrics")
    (preference-domain "com.apple.mobile.softwareupdated"))

;; Allow access to read the NVRAM variables
(allow nvram*)

;; Allow access to the restore log directory
;; TODO: The correct file paths will need to be allowed here [see: rdar://problem/57248425]
(allow file-read* file-write*
    (subpath "/private/var/mobile/MobileSoftwareUpdate/")
    (subpath "/private/var/MobileSoftwareUpdate/")
    (subpath "/private/var/db/UpdateMetrics/"))

;; Allow the following MACH service names to be looked up
(allow mach-lookup
    (global-name "com.apple.mobileassetd.v2")
    (global-name "com.apple.mobile.softwareupdated")
    (global-name "com.apple.MobileSoftwareUpdate.UpdateBrainService"))