;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Profile for the StorageManagement service.  Everything is denied by
;;; default; the rules below are the explicit allow-list.  Apart from the
;;; unfiltered rules called out in comments, every file rule is scoped to
;;; a path, parameter or extension class.

(version 1)

(deny default)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Homedir-relative path filters.
;;; Each helper prepends the HOME parameter to a path fragment and wraps the
;;; result in the corresponding filter constructor.  `home-regex` quotes
;;; HOME so that regex metacharacters in the home path cannot widen the match.
(define (home-regex rel-regex)
  (regex (string-append "^" (regex-quote (param "HOME")) rel-regex)))

(define (home-subpath rel-subpath)
  (subpath (string-append (param "HOME") rel-subpath)))

(define (home-prefix rel-prefix)
  (prefix (string-append (param "HOME") rel-prefix)))

(define (home-literal rel-literal)
  (literal (string-append (param "HOME") rel-literal)))

;; Process introspection is limited to the service's own process.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
;; Unfiltered: metadata (not contents) of any path may be read.
(allow file-read-metadata)

;; For validating the entitlements of clients.
(allow process-info-codesignature)

;; Your preference domain
(allow user-preference-read user-preference-write
       (preference-domain "com.apple.settings.storage")
       (preference-domain "StorageManagementService")
       (preference-domain "com.apple.StorageManagement.Service"))

;; Even scoped CFPreferencesGetAppBooleanValue reads need access to AnyApp,
;; and multiple frameworks use that.  Read-only.
(allow user-preference-read
       (preference-domain "kCFPreferencesAnyApplication"))

;; Read/write access to a temporary directory.
(allow file-read* file-write*
       (subpath (param "TMPDIR"))
       (subpath (param "DARWIN_CACHE_DIR")))

;; Read/write cache access.  The same filter also bounds the sandbox
;; extensions this process may issue for its cache directory.
(let ((cache-filter
        (home-subpath "/Library/Caches/com.apple.StorageManagement.Service")))
  (allow file-read* file-write* cache-filter)
  (allow file-issue-extension
         (require-all
           (extension-class "com.apple.app-sandbox.read"
                            "com.apple.app-sandbox.read-write")
           cache-filter)))

;; Unfiltered: extended attributes of any path may be read.  The
;; home-scoped file-read-xattr rule further down is subsumed by this one.
(allow file-read-xattr)

;; Mach services the service needs to talk to.
(allow mach-lookup
       (global-name "com.apple.DiskArbitration.diskarbitrationd")
       (global-name "com.apple.diskmanagementd")
       (global-name "com.apple.storagekitd.dm")
       (global-name "com.apple.FSEvents")
       (global-name "com.apple.DiscRecording:registrar")
       (global-name "com.apple.coreservices.launchservicesd")
       (global-name "com.apple.photos.service")
       (global-name "com.apple.cache_delete")
       (global-name "com.apple.pluginkit.pkd")
       (global-name "com.apple.lsd.mapdb")
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.bird")
       (global-name "com.apple.coreservices.quarantine-resolver")
       (global-name "com.apple.metadata.mds")
       (global-name "com.apple.pbs.fetch_services")
       (global-name "com.apple.pasteboard.1")
       (global-name "com.apple.DesktopServicesHelper")
       (global-name "com.apple.finder.ServiceProvider")
       (global-name "com.apple.cache_delete.public")
       (global-name "StorageManagementService.ServiceProvider")
       (global-name "com.apple.windowserver.active")
       (global-name "com.apple.tccd.system")
       (global-name "com.apple.dock.server")
       (global-name "com.apple.coreservices.appleevents")
       (global-name "com.apple.CARenderServer")
       (global-name "com.apple.lsd.modifydb")
       (global-name "com.apple.askpermissiond")
       (global-name "com.apple.bird.token") ; enable Store in iCloud
       (xpc-service-name "com.apple.StorageManagement.CloudStorageHelper")
       (xpc-service-name "com.apple.StorageManagement.MessagesHelper"))

(allow lsopen)

;; Apple Events may be sent to Finder only.
(allow appleevent-send
       (appleevent-destination "com.apple.finder"))

;; Names this process may itself register.
(allow mach-register
       (global-name "com.apple.DiscRecording:registrar")
       (global-name "StorageManagementService.ServiceProvider"))

;; Readable locations.  All are path-scoped; /dev/disk* is a prefix match.
(allow file-read-data
       (home-subpath "/")
       (subpath "/Applications")
       (subpath "/AppleInternal")
       (subpath "/private/tmp")
       (subpath "/Library/Filesystems")
       (subpath "/.Trashes")
       (subpath "/Library/Application Support/GarageBand")
       (subpath "/Library/Application Support/Logic")
       (subpath "/Library/Audio")
       (mount-relative-regex "^/\\.Trashes(/|$)")
       (prefix "/dev/disk")) ; isUserDataVolume

;; this UI can be used to delete large files located at any location on the
;; system.  NOTE(review): this rule carries no path filter, so unlink is
;; permitted system-wide even though every other write rule in this profile
;; is scoped; the path restriction is left to the caller-facing UI.
(allow file-write-unlink)

;; Redundant with the unfiltered file-read-xattr rule above; kept as-is.
(allow file-read-xattr
       (home-subpath "/"))

;; Only two IOKit user clients are reachable.
(allow iokit-open-user-client
       (iokit-user-client-class "AppleAPFSUserClient")
       (iokit-user-client-class "RootDomainUserClient"))

;; A single fsctl command is permitted.
(allow system-fsctl
       (fsctl-command APFSIOC_GET_CLONE_INFO))

;; Read-only sandbox extensions may be issued for these trees.  Note the
;; trash regex here requires a path below .Trashes, unlike the read-data
;; rule above, which also matches the .Trashes directory itself.
(allow file-issue-extension
       (require-all
         (extension-class "com.apple.app-sandbox.read")
         (require-any
           (subpath "/System")
           (subpath "/Applications")
           (home-subpath "/")
           (mount-relative-regex "^/\\.Trashes(/.*)"))))