(version 1)

(deny default)

(import "system.sb")

(system-network)

(define (home-regex home-relative-regex)
       (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
(define (home-literal home-relative-literal)
       (literal (string-append (param "_HOME") home-relative-literal)))

(allow file-read-metadata)

(allow file-read*
       (home-literal "")
       (home-literal "/Library/Preferences/.GlobalPreferences.plist")
       (home-literal "/Library/Preferences/com.apple.icloud.findmydeviced.findmydevice-user-agent.plist")

       (literal "/Library/Preferences/.GlobalPreferences.plist")
       (literal "/AppleInternal")
       (literal "/usr/libexec")
       (literal "/usr/libexec/findmydevice-user-agent")

       (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.[-\w.]*"))

(allow file-write*
       (home-literal "")
       (home-literal "/Library/Preferences/com.apple.icloud.findmydeviced.notbackedup.plist"))

(allow file-read* file-write*
    (extension "com.apple.sandbox.application-group"))

(allow mach-lookup
       (global-name "com.apple.accountsd.accountmanager")
       (global-name "com.apple.distributed_notifications@Uv3")
       (global-name "com.apple.icloud.findmydeviced")
       (global-name "com.apple.icloud.findmydeviced.ua-services")
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.distributed_notifications")  
       (global-name "com.apple.UNCUserNotification")
       (global-name "com.apple.securityd.ckks")
       (global-name "com.apple.security.octagon")
       (global-name "com.apple.identityservicesd.desktop.auth")
       (global-name "com.apple.containermanagerd")
       (global-name "com.apple.ak.anisette.xpc")
       (global-name "com.apple.ak.auth.xpc")
       (global-name "com.apple.cfnetwork.cfnetworkagent")
       (global-name "com.apple.CoreAuthentication.agent"))

(allow authorization-right-obtain
       (right-name "admin"))

(allow network-outbound)