;;; Sandbox profile for /System/Library/PrivateFrameworks/CacheDelete.framework/deleted

(version 1)

(deny default)
(import "system.sb")

;;; initialize CF sandbox actions
(import "com.apple.corefoundation.sb")
(corefoundation)

;;; Copied from util.sb for home-relative stuff.
(define (home-literal . relative-subpaths)
  (apply literal (map home-relative-path relative-subpaths)))

(define (home-subpath . relative-subpaths)
  (apply subpath (map home-relative-path relative-subpaths)))

(define (home-prefix . relative-subpaths)
  (apply prefix (map home-relative-path relative-subpaths)))
(define (home-regex . relative-regexes)
  (require-all
    (apply any-home-regex relative-regexes)
    (home-subpath "")))

(define (home-relative-path relative-subpath)
  (string-append (param "_HOME") relative-subpath))
;;; end util.sb


(if (positive? (string-length (param "_HOME")))
    (begin
        (allow file-read* file-write*
            (home-subpath "/Library/Containers")
            (home-subpath "/Library/Group\ Containers")
            (home-subpath "/Library/Caches/com.apple.cache_delete")
            (home-subpath "/Library/Caches/com.apple.CacheDelete"))))

(allow file-write*
    (regex "^/private/tmp/deleted.*profraw")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/[^/]+/mds/mds\.lock$"))

(allow file-read*
	(literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (regex "^/Users/[^/]+/Library/Preferences/\.GlobalPreferences\.plist$")
    (regex "^/Users/[^/]+/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
    (regex "^/Applications/.*$")
    (regex "^/private/var/folders/.*/mds/mds\.lock$")
    (regex "^/private/var/folders/.*/com.apple.LaunchServices-.*\.csstore$")
    (regex "^.*/[^/]*\.appex$")
    (regex "^/private/tmp/CDTestVol_.*_mountPoint")
    (subpath "/System/Library/CacheDelete")
    (subpath "/AppleInternal/Library/CacheDelete"))

;;; Various patterns used by cache-delete services.
(allow mach-lookup
	(global-name-regex #"^com\.apple\.cache_delete_.+")
	(global-name-regex #"^com\.apple\..+cache-delete$")
	(global-name-regex #"^com\.apple\..+[cC]ache[dD]elete$")
    (global-name "com.apple.pluginkit.pkd")
    (global-name "com.apple.runningboard")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.lsd.modifydb")
    (global-name "com.apple.lsd.mapdb")
    (global-name "com.apple.diskspaced")
    (global-name "com.apple.DiskArbitration.diskarbitrationd")
    (global-name "com.apple.diskmanagementd")
    (global-name "com.apple.storagekitd.dm")
    (global-name "com.apple.windowserver.active")
    (global-name "com.apple.cookied")
    (global-name "com.apple.deleted_helper")
    (global-name "com.apple.containermanagerd")
    (global-name "com.apple.coreduetd.knowledge")
    (global-name "com.apple.coreduetd.knowledge.user")
    (global-name "com.apple.biome.access.user")
    (global-name "com.apple.mobile.keybagd.UserManager.xpc")
    (global-name "com.apple.mobile.usermanagerd.xpc")
    (global-name "com.apple.FSEvents"))

(allow iokit-open (iokit-user-client-class "AppleAPFSUserClient"))

(allow file-read-metadata)

(allow user-preference*
    (preference-domain "com.apple.cache_delete"))

(allow system-fsctl
       (fsctl-command APFSIOC_DIR_STATS_OP)
       (fsctl-command APFSIOC_GET_NEAR_LOW_DISK)    ; required for fs_snapshot_list
       (fsctl-command APFSIOC_GET_PURGEABLE_STATS)
       (fsctl-command APFSIOC_PURGEABLE_GET_DETAILED_STATS)
       (fsctl-command APFSIOC_MARK_PURGEABLE)
       (fsctl-command APFSIOC_PURGE_FILES)
       (fsctl-command APFSIOC_GET_CLONE_INFO)
       (fsctl-command HFSIOC_GET_DESIRED_DISK)
       (fsctl-command HFSIOC_GET_LOW_DISK)          ; low disk space fsctls
       (fsctl-command HFSIOC_GET_VERY_LOW_DISK)
       (fsctl-command HFSIOC_VOLUME_STATUS)
       (fsctl-command (_IO "J"  2))    ; APFSIOC_MAINTAIN_DIR_STATS
       (fsctl-command (_IO "J"  32))    ; APFSIOC_GET_DIR_STATS_EXT
)

(allow ipc-posix-sem)


;;; Required for networking / cert checking / cert pinning
;;; Obtained via sandbox trace command
(if (positive? (string-length (param "_HOME")))
    (allow file-issue-extension
        (home-literal "/Library/Caches/com.apple.CacheDelete")))
        
(allow file-read* file-write*
       (regex #"^/Volumes/[^/]+/.CacheDeleteDiscardedCaches")
       (regex #"^/Volumes/[^/]+/Library/Group Containers/.+/Library/Caches")
       (regex #"^/Volumes/[^/]+/Library/Containers/.+/Data/tmp")
       (regex #"^/Volumes/[^/]+/Library/Containers/.+/Data/Library/Caches"))

(allow file-read*
    (path "/Library/Keychains/System.keychain")
    (path "/Library/Preferences/com.apple.security.plist")
    (path "/private/var/db/mds/messages/se_SecurityMessages")
    (path "/private/var/db/mds/system/mdsDirectory.db"))

;;; Required to list the snapshots on all of the
;;;  user-visible volumes
(allow file-read*
       (path "/")
       (regex #"^/Volumes/[^/]+$"))

(if (positive? (string-length (param "_HOME")))
    (begin
        (home-literal "/Library/Keychains/login.keychain-db")))

(allow file-read* file-write*
    (path "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist"))

(allow ipc-posix-shm-read-data ipc-posix-shm-write-data
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2))) ; SYSPROTO_CONTROL

(allow network-outbound
  (literal "/private/var/run/mDNSResponder")
  (remote tcp "*:80")
  (remote tcp "*:443"))

(allow user-preference-read user-preference-write
       (preference-domain "com.apple.CacheDelete"))