;; Copyright (c) 2015 Apple Inc.  All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice.
;;

(version 1)
(deny default)
(deny file-map-executable process-info* nvram*)
(deny dynamic-code-generation)
(import "system.sb")

(allow system-audit)
(allow process-info-dirtycontrol (target self))

;; Allow files to be read
(allow file-read*)

;; Allow debug status files to be written
(allow file-read* file-write*
       (literal "/private/var/log/notifyd.log")
       (prefix "/private/var/run/notifyd_"))

;; Allow needed utilities
(allow signal)
(allow ipc-posix-shm-read* ipc-posix-shm-write*
       (ipc-posix-name "apple.shm.notification_center"))
(allow ipc-posix-shm)
(allow process-info-codesignature)
(allow process-info-pidinfo)
(allow sysctl-read
       (sysctl-name "hw.ephemeral_storage"
                    "kern.osbuildconfig"))