(version 1)

(deny default)

(import "system.sb")

(deny process-info*)
(deny file-write* (subpath #"/cores"))
(deny file-write* (literal "/private/var/empty/Library") (with no-log))

(allow process-info-dirtycontrol)

(allow file-read-metadata (literal "/"))
(allow file-read-metadata (literal "/Volumes"))
(allow file-read-metadata (literal "/private"))
(allow file-read-metadata (subpath "/private/var"))
(allow file-read-metadata (subpath "/private/var/folders"))

(allow file-read-data (subpath "/private/var/folders"))

(allow file-read* (literal "/Library/Preferences/.GlobalPreferences.plist"))

(define (apply-write-and-issue-extension op path-filter)
	(op file-write-create path-filter)
	(op file-write-data path-filter)
	(op file-write-unlink path-filter)
	(op file-write-mode path-filter)
	(op file-read* path-filter)
	(op file-issue-extension (require-all (extension-class "com.apple.app-sandbox.read") path-filter)))

(apply-write-and-issue-extension allow
	(subpath (param "STORE_PATH")))

(allow mach-lookup
	(global-name "com.apple.CoreServices.coreservicesd")
	(global-name "com.apple.lsd.mapdb"))

(allow mach-lookup 
	(global-name "com.apple.distributed_notifications@Uv3")
	(global-name "com.apple.distributed_notifications@1v3"))

(allow ipc-posix-shm-read* (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\."))

;; FIXME: Should be removed after <rdar://problem/10463881> is fixed.
(deny file-read* file-write* (with no-log)
    (literal "/private/var/root/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2"))