(version 1)
(deny default)
(import "system.sb")
(system-graphics)

;; Reads are unrestricted: no path filter, so any readable path on the
;; filesystem is visible to this process. The effective confinement is on
;; the write side, which is limited to the cache/temp paths passed in as
;; profile parameters below.
(allow file-read*)
(allow distributed-notification-post)

;; Sandbox extension classes this process may hand out for its cache paths.
(define extension-type-read "com.apple.app-sandbox.read")
(define extension-type-read-write "com.apple.app-sandbox.read-write")

;; Apply `decision` (allow/deny) to the full set of write operations —
;; create, mode, data, owner, unlink — under `path-filter`.
(define (write-ops decision path-filter)
  (decision file-write-create path-filter)
  (decision file-write-mode path-filter)
  (decision file-write-data path-filter)
  (decision file-write-owner path-filter)
  (decision file-write-unlink path-filter))

;; write-ops plus permission to issue a sandbox extension of class
;; `extension-class-name` for the same paths, i.e. the process may grant
;; other processes access to that cache.
(define (write-ops+extension decision path-filter extension-class-name)
  (write-ops decision path-filter)
  (decision file-issue-extension
            (require-all (extension-class extension-class-name) path-filter)))

;; Cache directories: writable here, and extensions may be issued for them.
;; Only the IS cache is handed out read-only; the Metal/GPU caches are issued
;; read-write, so any recipient of those extensions can also write into them.
(write-ops+extension allow (subpath (param "IS_CACHE_PATH")) extension-type-read)
(write-ops+extension allow (subpath (param "METAL_CACHE_PATH")) extension-type-read-write)
(write-ops+extension allow (subpath (param "METALFE_CACHE_PATH")) extension-type-read-write)
(write-ops+extension allow (subpath (param "GPU_ARCHIVER_CACHE_PATH")) extension-type-read-write)

;; Scratch directories: writable, but no extensions are issued for them.
(write-ops allow (subpath (param "TEMPORARY_ITEMS_PATH")))
(write-ops allow (subpath (param "TEMPORARY_DIRECTORY_PATH")))
(write-ops allow (subpath (param "CACHE_DIRECTORY_PATH")))

;; Extended attributes may be written only inside the Metal cache
;; (the quarantine attribute is carved out again further down).
(allow file-write-xattr (subpath (param "METAL_CACHE_PATH")))

;; Mach services reachable from inside the sandbox.
(allow mach-lookup
       (global-name (param "ICONSERVICES_STORE_SERVICE_NAME"))
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.KernelExtensionServer")
       (global-name "com.apple.coreservices.quarantine-resolver")
       (global-name "com.apple.lsd.mapdb")
       (global-name "com.apple.lsd.modifydb")
       (global-name "com.apple.fonts")
       (global-name "com.apple.distributed_notifications@Uv3")
       (global-name "com.apple.distributed_notifications@1v3"))

(allow system-sched)
(allow system-fsctl)

;; POSIX shared memory: read-only, and only segments in the csseed namespace.
(allow ipc-posix-shm-read*
       (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\."))

;; FIXME: temporary carve-out — the process must not be able to strip or
;; rewrite the quarantine xattr, even inside METAL_CACHE_PATH. It is ordered
;; after the METAL_CACHE_PATH file-write-xattr allow above so that it
;; overrides that allow; the deny is silent (no-log). The bug reference in
;; the original comment is missing here; remove this rule once that issue is
;; resolved.
(deny file-write-xattr (xattr "com.apple.quarantine") (with no-log))

;; Reserve a namespace for additional protected extended attributes.
;; NOTE(review): the else branch exists for SBPL versions without
;; `xattr-regex`; there the same regex source text is handed to the literal
;; `xattr` filter, so it most likely matches no real attribute name — confirm
;; that this fallback is intended to be a no-op rather than a real deny.
(if (defined? 'xattr-regex)
    (deny file-read-xattr file-write-xattr
          (xattr-regex #"^com\.apple\.security\.private\."))
    (deny file-read-xattr file-write-xattr
          (xattr #"^com\.apple\.security\.private\.")))