;;
;;  framework.sb
;;  SoftwareUpdateMacController
;;
;;  Sandbox Profile for the SoftwareUpdateMacController Framework
;;
;;  Created by Erik Phillips on 11/12/19.
;;  Copyright © 2019 Apple Inc. All rights reserved.
;;
;;  WARNING: The sandbox rules in this file currently constitute
;;  Apple System Private Interface and are subject to change at
;;  any time and without notice.
;;
;; MacOS Install location:
;;   /System/Library/PrivateFrameworks/SoftwareUpdateMacController.framework/Versions/A/Resources/framework.sb
;;

(version 1)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(import "/System/Library/PrivateFrameworks/SoftwareUpdateCoreSupport.framework/Versions/A/Resources/framework.sb")
(import "/System/Library/PrivateFrameworks/SoftwareUpdateCore.framework/Versions/A/Resources/framework.sb")
(corefoundation)

(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;; Allow access to read the NVRAM variables
(allow nvram*)

;; SUMacController preference domain
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.SoftwareUpdateMacController"))

;; Allow access to the SUMacController directory
(allow file-read* file-write*
    (subpath "/Library/Preferences/com.apple.SoftwareUpdateMacController.plist")
    (subpath "/var/MobileSoftwareUpdate/Controller/")
    (subpath "/AppleInternal/CoreOS/tests/SoftwareUpdateMacController"))

;; Allow the following MACH service names to be registered/exported
(allow mach-register
    (global-name "com.apple.sumaccontroller"))

;; Allow the following MACH service names to be looked up
(allow mach-lookup
    (global-name "com.apple.mobile.NRDUpdated")
    (global-name "com.apple.cache_delete.public")
    (global-name "com.apple.CoreAuthentication.daemon")
    (global-name "com.apple.sumaccontroller")
    (global-name "com.apple.mobileassetd")
    (global-name "com.apple.mobileassetd.v2"))