(version 1)
(deny default)

(import "system.sb")

(define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
(define (home-subpath home-relative-subpath)
    (subpath (string-append (param "_HOME") home-relative-subpath)))
(define (home-literal home-relative-literal)
    (literal (string-append (param "_HOME") home-relative-literal)))

(allow file-read-metadata)

(allow file-read* file-write*
    (subpath "/Library/Caches/GeoServices/Navd")
    (subpath "/Library/Caches/com.apple.MapsSupport")
    (home-subpath "/Library/Caches/com.apple.MapsSupport")
    (home-subpath "/Library/Caches/GeoServices")
    (home-subpath "/Library/Logs/Maps")
    (home-subpath "/Library/Maps"))

(allow user-preference-read
    (preference-domain "com.apple.GEO.plist"))

(allow file-read*
    (literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-literal "/Library/Preferences/.GlobalPreferences.plist")
    (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\..*\.plist$")
    (home-literal "/Library/Preferences/com.apple.GEO.plist")
    (literal "/Library/Keychains/System.keychain")
    (literal "/")
    (home-subpath "/Library/Keychains")
    (literal "/Library/Preferences/com.apple.security.plist")
    (subpath "/private/var/db/mds"))

(allow file-write* file-read*
    (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
    (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains"))

(allow file-issue-extension
    (require-all 
    	(extension-class "com.apple.app-sandbox.read-write") 
    	(home-subpath "/Library/Caches/com.apple.MapsSupport")))

(allow mach-lookup
    (global-name "com.apple.CoreServices.coreservicesd")
    (global-name "com.apple.distributed_notifications@Uv3")
    (global-name "com.apple.DiskArbitration.diskarbitrationd")
    (global-name "com.apple.locationd.desktop.registration")
    (global-name "com.apple.SystemConfiguration.configd")
    (global-name "com.apple.networkd")
    (global-name "com.apple.nsurlstorage-cache")
    (global-name "com.apple.cookied")
    (global-name "com.apple.SecurityServer")
    (global-name "com.apple.ocspd")
    (global-name "com.apple.locationd.desktop.synchronous")
    (global-name "com.apple.CoreLocation.agent")
    (global-name "com.apple.Maps.mapspushd"))

(allow ipc-posix-shm
    (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow iokit-open
    (iokit-user-client-class "RootDomainUserClient"))

(system-network)
(allow network-outbound
    (literal "/private/var/run/mDNSResponder")
    (remote tcp))
(allow system-fsctl)