;;; Copyright (c) 2021 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
;;
;; Sandbox profile (SBPL) for the process whose bundle support binary is
;; ".../BiomeStreams.framework/Support/biomed" (see the NSBundle read rule
;; below) and whose preference domain is "com.apple.biomed". The profile is
;; default-deny: every capability the process has is an explicit (allow ...)
;; in this file or in the two imported profiles.
;;
;; Parameters used below -- (param "HOME"), (param "DARWIN_USER_DIR"),
;; (param "DARWIN_USER_TMP_DIR"), (param "DARWIN_USER_CACHE_DIR") -- are not
;; defined here; they are supplied when the profile is applied.

(version 1)

;; Baseline: deny everything not explicitly allowed below.
(deny default)
;; Explicit denies on top of the default. NOTE(review): process-info* is denied
;; here and then selectively re-allowed below (target self, pidinfo,
;; codesignature); this relies on the later, narrower allows taking precedence
;; over this deny -- confirm against the SBPL precedence rules for the target
;; platform before changing the order of these statements.
(deny file-map-executable process-info* nvram*)
;; No JIT / writable-then-executable memory for this process.
(deny dynamic-code-generation)
(deny mach-priv-host-port)

;; Shared baseline rules; the effective policy is this file plus these imports.
(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

;; Process-info: only about itself, plus pidinfo and code-signature queries on
;; other processes (used for client identification / entitlement checks).
(allow process-info* (target self))
(allow process-info-pidinfo) ;; to display client name in logs
(allow process-info-codesignature) ;; For validating the entitlements of clients.

;; For resolving symlinks, realpath(3), and equivalents.
;; NOTE(review): unscoped -- permits metadata (existence/attributes) reads on
;; any path, not only those readable below; acceptable for realpath(3) but
;; worth keeping in mind when auditing what this process can learn about
;; the filesystem.
(allow file-read-metadata)

;; Your preference domain
(allow user-preference-read user-preference-write
    (preference-domain "com.apple.biomed"))

;; .GlobalPreferences
;; Read-only: no write access to the global or applicationaccess domains.
(allow user-preference-read
    (preference-domain "com.apple.applicationaccess")
    (preference-domain "kCFPreferencesAnyApplication"))

;; Read for NSBundle
;; Exact-path (literal) matches only; no subpath access to the framework.
(allow file-read*
    (literal "/System/Library/PrivateFrameworks/BiomeStreams.framework/Support")
    (literal "/System/Library/PrivateFrameworks/BiomeStreams.framework/Support/biomed"))

;; Read/write access to HOME and suffixed darwin directories
;; NOTE(review): read AND write over the whole of HOME (not a per-daemon
;; subdirectory). file-map-executable is denied above, so files written here
;; cannot be mapped executable by this process.
(allow file-read* file-write*
    (subpath (param "HOME"))
    (subpath (param "DARWIN_USER_DIR"))
    (subpath (param "DARWIN_USER_TMP_DIR"))
    (subpath (param "DARWIN_USER_CACHE_DIR")))

;; Issue extensions to HOME
;; Extensions may only be issued for paths under HOME and only of the two
;; listed app-sandbox classes (require-all: both filters must match).
(allow file-issue-extension
    (require-all
        (subpath (param "HOME"))
        (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")))

;; Mach services this process may look up; each entry is an exact global name,
;; no wildcards. Anything not listed here (or in the imports) is denied.
(allow mach-lookup
    ;; Service lookup
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.lsd.modifydb")
    (global-name "com.apple.metadata.mds")
    ;; Allow connections to system access service
    (global-name "com.apple.biome.access.system")
    (global-name "com.apple.biome.compute.source")
    ;; Allow connections to user access service for proxying
    (global-name "com.apple.biome.access.user")
    (global-name "com.apple.biome.compute.source.user")
    ;; Allow connections to Cascade Diff Update service
    (global-name "com.apple.SetStoreUpdateService")
    ;; Allow lookup for SpaceAttribution framework
    (global-name "com.apple.spaceattributiond")
    ;; BackgroundSystemTasks (for telemetry)
    (global-name "com.apple.duetactivityscheduler")
    ;; To exclude files from backup
    (global-name "com.apple.backupd.sandbox.xpc")
    ;; To fetch the local IDS device identifier
    (global-name "com.apple.identityservicesd.embedded.auth")
)

;; AppleKeyStore
;; The only IOKit user client this process may open; scoped to a single class.
(allow iokit-open
    (iokit-user-client-class "AppleKeyStoreUserClient")
)