;; Copyright (c) 2015-2019 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;

(version 1)

(disable-callouts)

(deny default)
(deny file-map-executable iokit-get-properties nvram*)
(deny dynamic-code-generation)

(import "system.sb")

(allow process-info* system-kext-query)

(allow iokit-get-properties (iokit-property "Role"))
(allow iokit-open (iokit-user-client-class "RootDomainUserClient"))

;; For resolving symlinks, realpath(3), and equivalents.
(allow file-read-metadata)

;; logd watches for power button events, talk to its helper daemon,
;; and talk to TTR to spawn radar drafts.
(allow mach-lookup
    (global-name "com.apple.iohideventsystem")
    (global-name "com.apple.logd_helper")
    (global-name "com.apple.TapToRadarKit.service"))

;; logd needs read/write access to the logging preferences
(allow file-read* file-write*
    (subpath "/Library/Preferences/Logging"))

(define (logd-diagnostic-paths)
    (require-any
        (subpath "/private/var/db/diagnostics")
        (subpath "/private/var/db/uuidtext")
        (regex #"^/System/Volumes/Preboot/[a-zA-Z0-9-]+/PreLoginData/(diagnostics|uuidtext)")))

;; logd needs read/write access to the system logs
(allow file-read* file-write* (logd-diagnostic-paths))

;; logd needs read/write/ioctl access to the kernel firehose
(allow file-read* file-write-data file-ioctl
    (literal "/dev/oslog"))

;; allow logd to write the com.apple.logd.metadata xattr
(allow file-read-xattr file-write-xattr
    (xattr "com.apple.logd.metadata"))

;; logd can grant read-only access to the system logs
(allow file-issue-extension
    (require-all
        (extension-class "com.apple.logd.read-only")
        (logd-diagnostic-paths)))

(allow iokit-get-properties
    (iokit-property "boot-objects-path")
    (iokit-property "Content")
    (iokit-property "IOClassNameOverride")
    (iokit-property "Protocol Characteristics")
)