(version 1)

(deny default)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;; Your preference domain
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.AppStoreDaemon.StorePrivilegedODRService")
)

(allow user-preference-read
    (preference-domain "kCFPreferencesAnyApplication")
)

(allow file-read*
        (subpath "/private/var/folders")
)

(allow file-read* file-write*
    (subpath "/System/Library/Caches/com.apple.appstored")
    (subpath "/System/Library/Caches/OnDemandResources")
    
    ;; Writing files atomically will write them in the tmp directory initially, used for ODR
    (subpath (param "_TMPDIR"))
    
    ;; Needed to move asset packs from appstoreagent's download directory
    (regex #"^/private/var/folders/.*com.apple.appstore/ODR/")
)