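;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;; Sandbox profile for analyticsd. Default-deny; each allow below is tagged
;;; with the subsystem that needs it so a rule can be retired with its feature.
(version 1)

(deny default)
;; Hardening on top of the default deny: no executable mappings, no process
;; introspection, no NVRAM access, no JIT, no privileged host port.
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Homedir-relative path filters.
;;; HOME is supplied by the caller as a profile parameter; home-regex passes it
;;; through regex-quote so metacharacters in the path cannot widen the match.
(define (home-regex home-relative-regex)
  (regex (string-append "^" (regex-quote (param "HOME")) home-relative-regex)))
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))
(define (home-prefix home-relative-prefix)
  (prefix (string-append (param "HOME") home-relative-prefix)))
(define (home-literal home-relative-literal)
  (literal (string-append (param "HOME") home-relative-literal)))

;; process-info* is denied above; re-allow it for this process only.
(allow process-info* (target self))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; For validating the entitlements of clients (any client pid, so no target filter).
(allow process-info-codesignature)

(allow user-preference-read user-preference-write
       (preference-domain "analyticsd"))
(allow user-preference-read
       (preference-domain "kCFPreferencesAnyApplication"))

;; Read/write access to a temporary directory.
(allow file-read* file-write*
       (subpath (param "TMPDIR"))
       (subpath (param "DARWIN_CACHE_DIR")))

;; Read/write cache access. An extension may be issued only when BOTH the
;; extension class AND the cache path match (require-all).
(let ((cache-path-filter (home-subpath "/Library/Caches/com.apple.analyticsd")))
  (allow file-read* file-write* cache-path-filter)
  (allow file-issue-extension
         (require-all
           (extension-class "com.apple.app-sandbox.read"
                            "com.apple.app-sandbox.read-write")
           cache-path-filter)))

;; Read/write preferences access. These are outside cfprefsd's sandbox so we
;; need to be able to issue sandbox extensions.
;; The extension rule uses require-all, mirroring the cache rule above: the
;; cfprefsd extension class AND the preferences path must both match. With
;; require-any the path filter was an alternative rather than a constraint, so
;; a cfprefsd read/read-write extension could be issued for any path, and an
;; extension of any class for the plist.
(let ((preferences-path-filter (home-subpath "/Library/Preferences/analyticsd.plist")))
  (allow file-read* file-write* preferences-path-filter)
  (allow file-issue-extension
         (require-all
           (extension-class "com.apple.cfprefsd.read"
                            "com.apple.cfprefsd.read-write")
           preferences-path-filter)))

;; for CoreLocation / CommCenter (which doesn't exist on macOS yet)
(allow mach-lookup
       (global-name "com.apple.locationd.desktop.synchronous")
       (global-name "com.apple.locationd.desktop.registration")
       (global-name "com.apple.locationd.desktop.spi")
       (global-name "com.apple.CoreLocation.agent")
       (global-name "com.apple.commcenter.coretelephony.xpc")
       (global-name "com.apple.commcenter.xpc")
       (global-name "com.apple.rtcreportingd")
       (global-name "com.apple.analyticsagent"))

;; analyticsd's role account home directory is /private/var/db/analyticsd
(allow file-read* file-write*
       (subpath "/private/var/db/analyticsd"))

;; config locations
(allow file-read*
       (subpath "/Library/CoreAnalytics")
       (subpath "/AppleInternal/Library/CoreAnalytics"))

;; to read the crash reporter key
;; NOTE(review): this regex is unanchored, so it also matches the same path
;; suffix under any other directory (contrast the anchored
;; DiagnosticMessagesHistory rule below). Confirm whether other volumes are
;; intended before anchoring it with ^ and $.
(allow file-read*
       (regex #"/Library/Application Support/CrashReporter/AnonymousIdentifier_.*\.plist"))

;; to read the opt in status
(allow file-read*
       (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
       (regex #"^/Volumes/[^/]+/Library/Application Support/CrashReporter/DiagnosticMessagesHistory\.plist$"))

;; for instrumentation
(allow mach-lookup
       (global-name "com.apple.analyticsd"))

;; for messagetracer. Should remove in the future
(allow file-read*
       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
       (literal "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree"))

;; for kernel events and Trial
(allow iokit-open
       (iokit-user-client-class
         "CoreAnalyticsUserClient"   ; expect_iokit_open(true, "CoreAnalyticsHub");
         "IOReportUserClient"        ; expect_iokit_open(true, "IOReportHub");
         "AppleKeyStoreUserClient")) ; Trial; NOTE(review): keystore client is a broad grant — confirm Trial still needs it

;; for -[NSURL setResourceValue:forKey:NSURLIsExcludedFromBackupKey error:]
(allow mach-lookup
       (global-name "com.apple.metadata.mds")
       (global-name "com.apple.backupd.sandbox.xpc")
       (global-name "com.apple.biome.access.system"))

;; For writing out logs
(allow file-read* file-write*
       (subpath "/Library/OSAnalytics"))
(allow user-preference-read user-preference-write
       (preference-domain "com.apple.CrashReporter"))
(allow mach-lookup
       (global-name "com.apple.osanalytics.osanalyticshelper"))

;; For early data submission
(allow mach-lookup
       (global-name "com.apple.OSASubmission.client"))

;; For app usage instrumentation
(allow mach-lookup
       (global-name "com.apple.coreduetd.knowledge"))

;; For trial instrumentation
(allow mach-lookup
       (global-name "com.apple.trial.status"))

;; for access to NWPath.
(allow file-read*
       (literal "/Library/Preferences/com.apple.networkd.plist"))

;; For wiFiRadioTech queried event field
(allow mach-lookup
       (global-name "com.apple.private.corewifi-xpc"))

;; For wiFiLQM and Trial queried event fields
(allow mach-lookup
       (global-name "com.apple.SystemConfiguration.configd")
       (global-name "com.apple.triald.system.namespace-management"))

;; For wiFiLQM queried event field
(allow sysctl-read
       (sysctl-name-prefix "net.routetable."))

;; For access to RegulatoryDomain cache needed for currentCountry common dimension
(allow file-read*
       (literal "/private/var/db/com.apple.countryd/countryCodeCache.plist"))

;; Allow read-only access to $HOME/Library/Trial
(allow file-read*
       (home-subpath "/Library/Trial"))

;; Allow read-only access to /Library/Trial
(allow file-read*
       (subpath "/Library/Trial"))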