; Copyright © 2020-2023 Apple Inc. All rights reserved.
;
; Sandbox profile for nexusd.

(version 1)
(deny default)

(import "com.apple.corefoundation.sb")
(import "system.sb")

(corefoundation)

; Darwin user directory defines.
(define (darwin-user-cache-subpath relative)
    (subpath (string-append (param "_DARWIN_USER_CACHE") relative))
)
(define (darwin-user-temp-subpath relative)
    (subpath (string-append (param "_DARWIN_USER_TEMP") relative))
)

; Home directory defines.
(define (home-literal relative)
    (literal (string-append (param "_HOME") relative))
)
(define (home-prefix relative)
    (prefix (string-append (param "_HOME") relative))
)
(define (home-subpath relative)
    (subpath (string-append (param "_HOME") relative))
)
(define (home-regex relative-regex)
    (regex (string-append "^" (regex-quote (param "_HOME")) relative-regex))
)

; Rules.
(allow file-read-data
    (subpath "/usr/libexec")
)
(allow file-read-metadata)
(allow mach-lookup
    (global-name "com.apple.CompanionLink")
    (global-name "com.apple.SystemConfiguration.configd")
)
(allow network*)
(allow process-info-pidinfo)
(allow user-preference-read
    (preference-domain "com.apple.nexus")
    (preference-domain "kCFPreferencesAnyApplication")
)