(version 1)
(deny default)
(import "bsd.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)
(allow file-read*
	   (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")								; for reading Internet Sharing prefs
	   (literal "/Library/Preferences/SystemConfiguration/preferences.plist")								; for reading network intefaces configs
	   (literal "/Library/Preferences/.GlobalPreferences.plist")											; for reading NSUserDefaults
	   (literal "/private/var/root/Library/Preferences/.GlobalPreferences.plist")							; for reading NSUserDefaults
	   (literal "/Library/Preferences/com.apple.usbmuxd.plist")												; for reading usbmux prefs
	   (literal "/Library/Preferences/com.apple.MobileDevice.plist")										; for reading MobileDevice prefs
	   (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")						; for CrashReporter
		(literal "/private/etc/hosts")
		(literal "/private/var/root/Library/Application Support/Astris/astris_prefs.plist")					; panic handling in libMobileRestoreInternalExtensions
)

(allow file-write*
	   (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist")								; for writing Internet Sharing prefs
	   (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist-lock")						; for writing Internet Sharing prefs
	   (literal "/Library/Preferences/SystemConfiguration/com.apple.nat.plist-new")							; for writing Internet Sharing prefs
)

(allow file-read* file-write*
	   (literal "/private/var/root/Library/Preferences/com.apple.AssetCacheTetheratorService.plist")		; for read and writing NSUserDefaults
)

(allow user-preference-read user-preference-write
	(preference-domain "kCFPreferencesAnyApplication")
)

(allow iokit-open-user-client																				; for talking with iokit
	(iokit-user-client-class "AppleUSBHostDeviceUserClient")
	(iokit-user-client-class "AppleUSBHostInterfaceUserClient")
)

(allow mach-lookup
	   (global-name "com.apple.AssetCacheC.builtin")														; for obtaining information about the content cache
	   (global-name "com.apple.SystemConfiguration.configd")												; for using Internet Sharing
	   (global-name "com.apple.wifi.sharekit")																; for using Internet Sharing
	   (global-name "com.apple.PowerManagement.control")													; for power assertions
	   (global-name "com.apple.analyticsd")																	; for CoreAnalytics
	   (global-name "com.apple.TrustEvaluationAgent")														; for the pairing code
)

(allow network-outbound
		(literal "/private/var/run/usbmuxd")																; for using usbmux
		(literal "/private/var/run/mDNSResponder")
		(remote ip "localhost:62078")																		; ramrod port for usbmux ?"*.62078"
)