(version 1)
(deny default)
;;(allow default (with report))

(import "system.sb")
(import "bsd.sb")
(import "com.apple.corefoundation.sb")

(system-network)
;;; initialize CF sandbox actions
(corefoundation)

;; Sandbox Extensions
(with-filter (extension "com.apple.app-sandbox.read")
        (allow file-read*))
(with-filter (extension "com.apple.app-sandbox.read-write")
        (allow file-read* file-write*))

(allow file-read* file-write*
        (subpath (param "DARWIN_TEMP_DIR"))
        (subpath (param "DARWIN_CACHE_DIR"))
        (literal "/private/var/root/Library/Preferences/com.apple.coreduetd.plist")
        (subpath "/private/var/db/CoreDuet"))
        
(allow file-write-create
        (subpath "/Library/Logs/DiagnosticReports"))
        
(allow file-write-unlink
        (subpath "/Library/Logs/DiagnosticReports"))

(allow file-read*
        (subpath "/usr/share/CoreDuetDaemonConfig.bundle")
        (literal "/usr/libexec")
        (literal "/private/var/db/.AppleSetupDone")
        (subpath "/usr/libexec/coreduetd"))

(when (param "EXEC_DIR")
        (allow file-read*
                (subpath (param "EXEC_DIR"))))

(allow file-read-data
        (subpath "/System/Library/Preferences/Logging")
        (subpath "/AppleInternal/Library/Preferences/Logging")
        (subpath "/Library/Preferences/Logging")
        (literal "/Library/Preferences/com.apple.timezone.auto.plist")
        (subpath "/Library/Logs/DiagnosticReports"))

(allow file-read-metadata
    (subpath "/usr"))

(allow user-preference-read user-preference-write
       (preference-domain "com.apple.coreduetd")
       (preference-domain "com.apple.CoreDuet"))

(allow user-preference-read
       (preference-domain "com.apple.suggestions")
       (preference-domain "kCFPreferencesAnyApplication"))


(allow mach-lookup
        (global-name "com.apple.DuetHeuristic-thermald")
        (global-name "com.apple.coreservices.launchservicesd")
        (global-name "com.apple.lsd.mapdb")
        (global-name "com.apple.metadata.mds")
        (global-name "com.apple.apsd")
        (global-name "com.apple.CompanionLink")
        (global-name "com.apple.cookied")
        (global-name "com.apple.coreduetd.knowledge")
        (global-name "com.apple.coreduetd.people")
        (global-name "com.apple.coreservices.quarantine-resolver")
        (global-name "com.apple.iokit.powerdxpc")
        (global-name "com.apple.coreduetd.context")
        (global-name "com.apple.rapport.people")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.symptom_analytics")
        (global-name "com.apple.windowserver")
        (global-name "com.apple.windowserver.active")
        (global-name "com.apple.mediaremoted.xpc")
        (global-name "com.apple.CoreLocation.agent")
        (global-name "com.apple.locationd.desktop.registration")
        (global-name "com.apple.locationd.desktop.synchronous")
        (global-name "com.apple.SharingServices")
        (global-name "com.apple.SystemConfiguration.configd")
        (global-name "com.apple.CrashReporterSupportHelper")
        (global-name "com.apple.system.opendirectoryd.api")
        (global-name "com.apple.biome.access.system")
        (global-name "com.apple.biome.compute.source")
        (global-name "com.apple.coreservices.lsuseractivitymanager.xpc"))

(allow mach-register
        (global-name "com.apple.coreduet.knowledge.sync.push"))

(allow ipc-posix-shm*
        (ipc-posix-name "coreduetd")
        (ipc-posix-name "/CDCSS")
        (ipc-posix-name "com.apple.coreduetd"))

(allow network-outbound
    (literal "/private/var/run/mDNSResponder"))                                                ; to resolve host names

(allow ipc-posix-shm-read-data
    (ipc-posix-name "FNetwork.defaultStorageSession"))

(allow network-outbound
       (remote ip))

(allow system-audit)