;;; Copyright (c) 2019 Apple Inc.  All Rights Reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
(version 1)

(deny default)
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(deny mach-priv-host-port)

(import "system.sb")
(import "com.apple.corefoundation.sb")
(corefoundation)

(allow process-info* (target self))

;; Preference domain
(allow user-preference-read user-preference-write
       (preference-domain "com.apple.desktopservices.ArchiveService"))
       
(allow user-preference-read
       (preference-domain "com.apple.finder")
	   (preference-domain "com.apple.iclouddrive.features"))
       
;; Alias for .GlobalPreferences
(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))

(allow mach-lookup
       (global-name "com.apple.FileCoordination"
					"com.apple.FileProvider"
					"com.apple.ProgressReporting"
					"com.apple.lsd.mapdb"
					"com.apple.coreservices.quarantine-resolver"
                    "com.apple.securityd.xpc"
                    "com.apple.CoreAuthentication.agent"
                    "com.apple.CoreAuthentication.agent.libxpc"
                    "com.apple.bird"
                    "com.apple.lsd.modifydb"
                    "com.apple.containermanagerd"))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)
	
;; allow accessing files for which we have app-sandbox extensions
(allow file-read* (extension "com.apple.app-sandbox.read"))
(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write"))

;; Read/write access to a temporary directory.
(allow file-read* file-write*
       (subpath (param "TMPDIR"))
       (subpath (param "DARWIN_CACHE_DIR")))

; Allow file access to paths vended via an application group extension
(allow file-read* file-write*
    (extension "com.apple.sandbox.application-group"))

;; Issue extensions in temp directory
(allow file-issue-extension
       (require-all
              (subpath (param "TMPDIR"))
              (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")))

;; Allow access to other volume temp dirs we may need
(allow file-read* file-write* (mount-relative-regex #"^/\.TemporaryItems(/|$)"))
(allow file-issue-extension
       (require-all
              (mount-relative-regex #"^/\.TemporaryItems(/|$)")
              (extension-class "com.apple.app-sandbox.read" "com.apple.app-sandbox.read-write")))
              
(allow system-fsctl
       (fsctl-command HFSIOC_SET_HOTFILE_STATE)
       (fsctl-command APFSIOC_GET_CLONE_INFO))