;;;
;;; /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
;;;
(version 1)

(deny default)
(deny dynamic-code-generation file-map-executable nvram* process-info*)
(allow process-info-pidinfo)
(allow process-info-setcontrol (target self))
(allow socket-ioctl)

;;; Imports
(import "system.sb")
(import "opendirectory.sb")

(allow file-read-metadata)

(allow file-read* file-write*
       (subpath (param "TMPDIR")))

(allow user-preference-read
       (preference-domain "com.apple.apsd")
       (preference-domain "kCFPreferencesAnyApplication"))

(allow managed-preference-read
       (preference-domain "com.apple.SystemConfiguration"))

(allow file-read* file-write*
       (subpath "/Library/Application Support/ApplePushService")
       (regex #"^/Library/Keychains/\.fl[0-9A-F]+$")                        ; .fl[0-9A-F]{8}
       (literal "/Library/Preferences/com.apple.apsd.launchd")
       (regex #"^/Library/Preferences/com\.apple\.apsd\.plist(\.[^/]+)?$")
       (literal "/private/var/db/mds/system/mds.lock")
       (extension "com.apple.sandbox.application-group"))

(allow file-read* file-write*
       (regex #"^/Library/Keychains/apsd\.keychain([-.][^/]+)?$")) ; <security.mac.sandbox.sentinel>-<suffix>

(allow file-read*
       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
       (literal "/Library/Keychains/apsd.keychain")
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/System/Library/OpenDirectory/request-schema.plist")
       (literal "/private/etc/hosts")
       (literal "/private/var/db/Detachedsignatures")
       (literal "/private/var/db/mds/messages/se_SecurityMessages")
       (literal "/private/var/db/mds/system/mdsDirectory.db")
       (literal "/private/var/db/mds/system/mdsObject.db")
       (literal "/private/var/root/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Keychains/System.keychain")
       (literal "/Library/Managed Preferences/com.apple.SystemConfiguration.plist"))

(allow system-fsctl
       (fsctl-command HFSIOC_SET_HOTFILE_STATE))

(allow file-write-create
    (require-all
    (vnode-type DIRECTORY)
    (literal "/private/var/root/Library/Caches"))) ;; <rdar://problem/13685892>

(allow iokit-open
    (iokit-user-client-class "AppleSMCClient") ;; <rdar://problem/13570125>
    (iokit-user-client-class "RootDomainUserClient") ;; <rdar://problem/34563633>
    (iokit-user-client-class "AppleKeyStoreUserClient"))

(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow mach-lookup
       (global-name-prefix "com.apple.aps.")
       (global-name "com.apple.AddressBook.PushNotification")
       (global-name "com.apple.AOSPushRelay.push")
       (global-name "com.apple.CallHistorySyncHelper.aps")
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.Maps.mapspushd.icloud")
       (global-name "com.apple.PowerManagement.control")
       (global-name "com.apple.SafariBookmarksSyncAgent.Push")
       (global-name "com.apple.SafariCloudHistoryPushAgent.Push")
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.ak.aps")
       (global-name "com.apple.analyticsd")
       (global-name "com.apple.apsctl.login")
       (global-name "com.apple.cfnetwork.cfnetworkagent")
       (global-name "com.apple.askpermission.aps")
       (global-name "com.apple.assistantd.aps")
       (global-name "com.apple.backupd.xpc")
       (global-name "com.apple.bird.push")
       (global-name "com.apple.cloudphotosd.push")
       (global-name "com.apple.coreduet.knowledge.sync.push")
       (global-name "com.apple.coreservices.appleid.aps")
       (global-name "com.apple.distributed_notifications@1v3")
       (global-name "com.apple.gamed.aps")
       (global-name "com.apple.icloud.findmydeviced.aps-development")
       (global-name "com.apple.icloud.findmydeviced.aps-production")
       (global-name "com.apple.icloud.fmfd.aps")
       (global-name "com.apple.identityservicesd.aps")
       (global-name "com.apple.keyboardServices.textReplacementServer.aps")
       (global-name "com.apple.mdmclient.agent.push.development")
       (global-name "com.apple.mdmclient.agent.push.production")
       (global-name "com.apple.mdmclient.daemon.push.development")
       (global-name "com.apple.mdmclient.daemon.push.production")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.passd.aps")
       (global-name "com.apple.power.abc")
       (global-name "com.apple.safaridavclient.push")
       (global-name "com.apple.securityd.aps")
       (global-name "com.apple.securityd.xpc")
       (global-name "com.apple.siriknowledged.aps")
       (global-name "com.apple.suggestd.aps")
       (global-name "com.apple.syncdefaultsd.push")
       (global-name "com.apple.windowserver.active")
       (global-name "com.apple.timed.xpc")
       (global-name "com.apple.ManagedClient.enroll")
       (global-name "com.apple.AOSPushRelay.push.dev")
       (global-name "com.apple.AdSheetPhone.push")
       (global-name "com.apple.AddressBook.PushNotification.dev")
       (global-name "com.apple.SocialPushAgent")
       (global-name "com.apple.ak.aps.sim")
       (global-name "com.apple.appstoreagent.aps")
       (global-name "com.apple.appstoreagent.aps.dev")
       (global-name "com.apple.gamed.apsdev")
       (global-name "com.apple.homed.aps")
       (global-name "com.apple.seld.aps")
       (global-name "com.apple.appstored.aps")
       (global-name "com.apple.itunesstored.aps.dev")
       (global-name "com.apple.mobile.itesterdAPS")
       (global-name "com.apple.nanopassd.payment.aps")
       (global-name "com.apple.progressd.aps")
       (global-name "com.apple.coreduetd.context")
       (global-name "com.apple.coreduetd")
       (global-name "com.apple.mediastream.mstreamd.sharing.push-prod")
       (global-name "com.apple.mediastream.mstreamd.sharing.push-dev")
       (global-name "com.apple.mediastream.mstreamd.push-dev")
       (global-name "com.apple.mediastream.mstreamd.push-prod")
       (global-name "com.apple.photos.cloud.pushnotification")
       (global-name "com.apple.powerlog.plxpclogger.xpc")
       (global-name "com.apple.ind.aps")
       (global-name "com.apple.SystemConfiguration.NetworkInformation")
       (global-name "com.apple.dataaccess.dataaccessd.aps")
       (global-name "com.apple.aps.triald")
       (global-name "com.apple.dataaccess.dataaccessd.aps.dev")
       (global-name "com.apple.StatusKit.apsd")
       (global-name "com.apple.aps.diagnosticpipeline.tasking")
       (global-name "com.apple.securityd.systemkeychain")
       (global-name "com.apple.aps.podcasts")
           (global-name "com.apple.mobileactivationd")
           (global-name "com.apple.CoreAuthentication.daemon")
       (global-name "com.apple.powerd.coresmartpowernap")
       (global-name "com.apple.apns.dangerzone.dznd")
       (global-name "com.apple.PerfPowerTelemetryClientRegistrationService")
       (global-name "com.apple.containermanagerd")
       (global-name "com.apple.fileprovider.extension.push.development")
       (global-name "com.apple.icloud.searchpartyd.aps"))

; <rdar://problem/35011620> Restore sandbox-check for mach-per-user-lookup?
(allow mach-per-user-lookup)

(system-network)

(allow network-outbound
       (literal "/private/var/run/mDNSResponder")
       (literal "/private/var/run/systemkeychaincheck.socket") ;; <rdar://problem/13685943>
       (remote tcp))