;; Sandbox profile (SBPL): default-deny policy with explicit allowances for
;; file access, Mach service lookup, IOKit user clients, POSIX shared memory
;; and auditing. Only the rules in this file are described here; the imported
;; "system.sb" adds further rules that are not visible in this file.
(version 1)

;; Anything not explicitly allowed below (or by the import) is denied.
(deny default)

;; NOTE(review): the effective policy is this file plus whatever system.sb
;; grants; review both together when assessing exposure.
(import "system.sb")

;; Unfiltered rule: no path filter is given, so every file-read* operation is
;; allowed on any path. Read confinement therefore does not come from this
;; profile.
(allow file-read*)

;; Read access to specific directories and binaries. These paths are already
;; covered by the unfiltered file-read* rule above, so this rule adds no
;; permission on its own.
;; NOTE(review): if least-privilege reads are the goal, the blanket rule would
;; have to be narrowed first - confirm what the sandboxed process needs.
(allow file-read*
    (literal "/usr/libexec")
    (literal "/usr/libexec/applekeystored")
    (literal "/usr/sbin")
    (literal "/usr/sbin/securityd"))

;; Read AND write access to boot, keybag, keychain and mds locations.
;; NOTE(review): the two regex filters have no leading "^", so they appear to
;; match a path component named "Preboot" / "Keychains" at any depth, on any
;; volume - confirm that breadth is intended rather than an anchored prefix.
(allow file-read* file-write*
    (regex #"/Preboot($|/)")
    (subpath "/System/Volumes/iSCPreboot")
    (mount-relative-subpath "/private/var/keybags")
    (regex #"/Keychains($|/)")
    (subpath "/private/var/db/mds"))

;; Write access to the dslocal "Default" node, given both relative to a mount
;; point and as an absolute path.
;; NOTE(review): presumably this is the local directory-services store; writes
;; here are sensitive and worth covering with file-integrity monitoring.
(allow file-write*
    (mount-relative-subpath "/private/var/db/dslocal/nodes/Default")
    (subpath "/private/var/db/dslocal/nodes/Default"))

;; Mach services the process may look up by global name. Each entry is an IPC
;; path out of the sandbox, so the list should stay as short as possible.
(allow mach-lookup
    (global-name "com.apple.mobileactivationd")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.mobile.keybagd.xpc"))

;; IOKit user-client classes the process may open. Each one exposes a kernel
;; driver interface to the sandboxed process.
(allow iokit-open
    (iokit-user-client-class "AppleAPFSUserClient")
    (iokit-user-client-class "AppleCredentialManagerUserClient")
    (iokit-user-client-class "AppleKeyStoreUserClient")
    (iokit-user-client-class "BootPolicyUserClient"))

;; Named POSIX shared-memory objects the process may use.
(allow ipc-posix-shm
    (ipc-posix-name "apple.shm.notification_center")
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; Permit the system-audit operation.
(allow system-audit)