;;; Copyright (c) 2017 Apple Inc.  All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
(version 1)
(import "system.sb")

;;; Denials

;; Swap these in for debugging
; (allow (with report) default)
; (allow (with report) file-map-executable iokit-get-properties process-info* nvram*)
; (allow (with report) dynamic-code-generation)

(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)

;;; Constants

(define home-directory (param "HOME_DIR"))
(define temp-directory (param "TEMP_DIR"))
(define cache-directory (param "CACHE_DIR"))

(define users-path "/Users")
(define library-path "/Library")
(define keychains-path "/Library/Keychains")
(define private-path "/private")

(define view-bridge-path "/Library/Preferences/com.apple.ViewBridge.plist")
(define security-path "/Library/Preferences/com.apple.security.plist")

(define login-keychain-db-path "/Library/Keychains/login.keychain-db")
(define system-keychain-path "/Library/Keychains/System.keychain")
(define keychain-check-path "/private/var/run/systemkeychaincheck.done")

(define classroom-mcx-service-path "/System/Library/PrivateFrameworks/"
    "ConfigurationProfiles.framework/XPCServices/ClassroomMCXService.xpc/"
    "Contents/MacOS/ClassroomMCXService")

;;; Helper functions

(define (home-subpath home-relative-subpath)
    (subpath (string-append home-directory home-relative-subpath)))

;;; Permissions

(allow mach-priv-host-port)

(allow user-preference-read)

(allow process-info-dirtycontrol
    (target self))

(allow process-info-pidinfo
    (target self))

(allow file-read-data
    (literal view-bridge-path)
    (literal security-path)
    (home-subpath security-path))

(allow file-read-metadata
    (literal users-path)
    (literal home-directory)
    (literal library-path)
    (literal keychains-path)
    (literal classroom-mcx-service-path)
    (literal keychain-check-path)
    (literal security-path)
    (home-subpath security-path)
    (home-subpath library-path))

(allow file-read*
    (literal system-keychain-path)
    (literal "/private")
    (literal "/private/var")
    (literal "/private/var/db")
    (literal "/private/var/db/mds")
    (literal "/private/var/db/mds/system")
    (literal "/private/var/db/mds/system/mdsDirectory.db")
    (literal "/private/var/db/mds/system/mdsObject.db")
    (home-subpath login-keychain-db-path))

(allow file-write* file-read*
    (subpath temp-directory)
    (subpath cache-directory))

(allow ipc-posix-shm*
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow mach-lookup
    (global-name "com.apple.FileCoordination")
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.securityd.xpc")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.studentd"))