;; Copyright (c) 2019 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;

(version 1)

;; Cargo-culted from "How To Sandbox a Daemon on macOS"
(deny default)
(deny file-map-executable iokit-get-properties process-info* nvram*)
(deny dynamic-code-generation)

(import "system.sb")

;; We need to be able to take transactions, which requires proc_set_dirty()
(allow process-info-dirtycontrol (target self))

;; EOS logging is wired up using RSD, so we must talk to remoted
(allow mach-lookup (global-name "com.apple.remoted"))

;; We must be able to write the stream filter file, and to temporary stream
;; filter files we rename over top of the old one
(allow file-write*
    (regex #"/Library/Preferences/Logging/com\.apple\.diagnosticd\.filter\..*"))

;; We call proc_name(), a wrapper for proc_pidinfo(), to get the human-readable
;; name of streaming clients for logging purposes
(allow process-info-pidinfo)

;; We need read-access to the UUID DB for kexts
(allow file-read-data (subpath "/private/var/db/uuidtext"))

;; We need read-access to the kernel streaming device file
(allow file-read-data (literal "/dev/oslog_stream"))

;; We need to query information about loaded kexts
(allow system-kext-query)

;; We need to be able to poke logd to harvest kexts
(allow mach-lookup (global-name "com.apple.logd.admin"))