;;; Copyright (c) 2022 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Sandbox profile for the SubmitDiagInfo diagnostic-submission process.
;;; The profile is default-deny; the rules below re-enable only the file
;;; paths, preference domains, Mach services and network access the
;;; submission path was observed to need. Ordering matters: the broad
;;; denies come first so that the narrower allows further down
;;; (process-info* for self, nvram-get for one variable) can take
;;; precedence over them.
(version 1)
(deny default)
;; Denied up front; process-info* and nvram* are partially re-allowed below.
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)
;; Shared rule sets. (corefoundation) is presumably a macro provided by the
;; second import -- verify against com.apple.corefoundation.sb.
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;; Homedir-relative path filters
;; home-relative-subpath is appended verbatim to the HOME profile parameter,
;; so callers must pass it with a leading "/".
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))

;; Only this process's own info, narrowing the blanket process-info* deny above.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
;; Unfiltered: metadata of any path is readable from inside the sandbox.
(allow file-read-metadata)

;; Read/write cache access.
;; Observed within CFNetwork.framework.
(let ((cache-path-filter (home-subpath "/Library/Caches/SubmitDiagInfo/")))
  (allow file-read* file-write* cache-path-filter))

;; Read/write access to Darwin temporary directory.
;; Observed as intermediate step when saving *.results files in /Library/OSAnalytics/Diagnostics on internal installs.
(allow file-read* file-write* (subpath (param "TMPDIR")))

;; Read-only preferences
(allow user-preference-read
  (preference-domain "com.apple.osanalytics.factoryproxysync") ;; Factory sync configuration domain
  (preference-domain "com.apple.security")                     ;; Observed via Security framework
  (preference-domain "kCFPreferencesAnyApplication"))          ;; Global preferences; observed via CFNetwork.
;; Read/write preferences
(allow user-preference-read user-preference-write
  (preference-domain "SubmitDiagInfo")         ;; Our own domain
  (preference-domain "com.apple.da")           ;; One of the domains SDI tasking writes values to
  (preference-domain "com.apple.CrashReporter")) ;; Fallback mechanism for crash reporter key within CRS.f

;; Mach lookups
;; Each service is listed by global name; the per-line comment records why
;; the lookup was observed so that an entry can be retired once its caller is.
(allow mach-lookup
  (global-name "com.apple.remoted")                               ;; RemoteXPC
  (global-name "com.apple.rtcreportingd")                         ;; RTCReporting
  (global-name "com.apple.DumpPanic.Accessory.PanicReceived")     ;; Notify DumpPanic after syncing a remote panic log
  (global-name "com.apple.PowerManagement.control")               ;; Take a power assertion
  (global-name "com.apple.backupd.sandbox.xpc")                   ;; Check for NSURLIsExcludedFromBackupKey
  (global-name "com.apple.system.opendirectoryd.api")             ;; Within OSASanitizePath()
  (global-name "com.apple.bird")                                  ;; For BRGetCloudDocsRootURL() in OSASanitizePath()
  (global-name "com.apple.accountsd.accountmanager")              ;; Email address in internal key
  (global-name "com.apple.metadata.mds")                          ;; Observed as part of CFNetwork usage
  (global-name "com.apple.nesessionmanager.content-filter"))      ;; Observed as part of CFNetwork usage

;; To attach a system profile to submissions
;; Fork is unfiltered; exec is pinned to a single literal path, and the
;; child runs outside this profile (with no-sandbox), so the exec'd binary
;; is trusted in full.
(allow process-fork)
(allow process-exec (with no-sandbox) (literal "/usr/sbin/system_profiler"))

;; Read/write access to the CrashReporter directory for legacy tasking (SubmitDiagInfo.config) and the crash reporter key (AnonymousIdentifier*.plist)
;; Reads cover the whole directory; writes are additionally refused on entries
;; that have more than one name (presumably hard links) -- confirm the intent.
;; NOTE(review): the read filter has a trailing slash and the write filter
;; does not; both are subpath filters so the coverage is the same, but the
;; spelling should be made consistent.
(allow file-read* (subpath "/Library/Application Support/CrashReporter/"))
(with-filter (require-not (file-attribute has-multiple-names))
  (allow file-write* (subpath "/Library/Application Support/CrashReporter")))

;; Log submission from per-system directory. Need to write for retiring logs.
(allow file-read* file-write* (subpath "/Library/Logs/DiagnosticReports/"))

;; Receive sandbox extension for log writing within the user's home directory
;; No path filter here: the reachable paths are exactly those covered by the
;; extension the issuing process handed over, so the issuer decides the scope.
(with-filter (extension "com.apple.osanalytics-sandbox.read-write")
  (allow file-read* file-write*))

;; Read/write access to OSAnalytics directory with read access to parent in case it needs to be created.
;; NOTE(review): only the subpath itself is granted here; read access to the
;; parent is not visible in this file beyond file-read-metadata -- confirm it
;; comes from system.sb or is not actually needed.
(allow file-read* file-write* (subpath "/Library/OSAnalytics/"))

;; CA tasking
(allow file-read* file-write* (subpath "/Library/CoreAnalytics/"))

;; Legacy hotship tasking
;; NOTE(review): subpath on a file path also matches anything beneath it;
;; literal would be tighter if this is always a plain file -- confirm.
(allow file-read* (subpath "/System/Library/PrivateFrameworks/CrashReporterSupport.framework/Resources/SubmitDiagInfo.default.config"))

;; To cleanup old MessageTracer data.
(allow file-read* file-write* (subpath "/private/var/log/DiagnosticMessages/"))

;; Read-write access for the opt-in and preferences plist
;; NOTE(review): same subpath-on-a-file pattern as the .default.config rule above.
(allow file-read* file-write* (subpath "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"))

;; Dump submission results in debug mode
;; Write-only; nothing in this file grants reads back from this directory.
(allow file-write* (subpath "/private/var/SubmitDiagInfo_output/"))

;; Security framework
;; Unclear exactly where this comes from, but observed after interactions with CFNetwork.
;; May be able to remove this and the "com.apple.security" preference after modernizing the SPIs used for submission.
(allow file-read* (subpath "/Library/Preferences/com.apple.security.plist"))

;; CFNetwork
(allow file-read* (subpath "/private/var/db/mds/messages/se_SecurityMessages"))
(allow file-read* file-write* (home-subpath "/Library/HTTPStorages/SubmitDiagInfo/"))

;; Network.framework outbound connections
;; (system-network) is presumably a macro from system.sb. network-outbound
;; carries no destination filter, so any outbound connection is permitted;
;; the submission endpoint is constrained by the client code, not by this
;; profile.
(system-network)
(allow network-outbound)

;; Issue sandbox extension for reading and writing to the OSA custom preferences location
;; Extensions may only be issued for the cfprefsd read-write class and only
;; for paths under the OSAnalytics preferences directory (require-all).
(allow file-issue-extension
  (require-all
    (extension-class "com.apple.cfprefsd.read-write")
    (subpath "/Library/OSAnalytics/Preferences/Library/Preferences/")))

;; For reading device recovery mode entry reason
;; Narrow exception to the nvram* deny at the top of the profile: a single
;; named variable, read only.
(allow nvram-get (nvram-variable "device-recovery-boot-reason"))
(allow file-read* (subpath "/private/var/db/com.apple.DeviceRecovery.entryInfo"))