(version 1)
(deny default)

(import "system.sb")

(define (home-subpath home-relative-subpath)
       (subpath (string-append (param "_HOME") home-relative-subpath)))
(define (home-literal home-relative-literal) 
       (literal (string-append (param "_HOME") home-relative-literal)))
(define (home-regex home-relative-regex)                                           
       (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))

(define (darwin-user-cache-regex darwin-user-cache-relative-regex)
       (regex (string-append "^" (regex-quote (param "_DARWIN_USER_CACHE_DIR")) darwin-user-cache-relative-regex)))
(define (darwin-user-temp-subpath darwin-user-temp-relative-subpath)
       (subpath (string-append (param "_DARWIN_USER_TEMP_DIR") darwin-user-temp-relative-subpath)))

(allow file-read-metadata)

(allow file-write-create
       (require-all
           (vnode-type DIRECTORY)
           (home-literal "/Library/Caches")))

(allow file-read* file-write*
       (darwin-user-cache-regex #"/mds/mdsDirectory\.db_?$")
       (darwin-user-cache-regex #"/mds/mdsObject\.db_?$")
       (darwin-user-cache-regex #"/mds/mds\.lock$")
       (home-subpath "/Library/Caches/rtcreportingd")
       (home-subpath "/Library/Logs/RTCReports")
       (home-subpath "/logs/mediaserverd")
       (literal "/Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist")
       (literal "/private/var/db/mds/system/mds.lock")
       (darwin-user-temp-subpath #"/TemporaryItems")
       (mount-relative-regex #"^/\.TemporaryItems(/|$)"))   ;; NSData atomic write

(allow file-read*
       (literal "/Library/Keychains/System.keychain")
       (home-literal "/Library/Keychains/login.keychain")

       (literal "/Library/Preferences/.GlobalPreferences.plist")
       (literal "/Library/Preferences/com.apple.security.plist")
       (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")                           ; for CrashReporter
       (home-literal "/Library/Preferences/.GlobalPreferences.plist")
       (home-literal "/Library/Preferences/com.apple.security.revocation.plist")
       (home-literal "/Library/Preferences/rtcreportingd.plist")
       (home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")

       (literal "/private/var/db/mds/messages/se_SecurityMessages")
       (literal "/private/var/db/mds/system/mdsDirectory.db")
       (literal "/private/var/db/mds/system/mdsObject.db")
       (literal "/usr/libexec")
       (literal "/usr/libexec/rtcreportingd"))

(allow user-preference-read user-preference-write (preference-domain "com.apple.rtcreporting"))
(allow user-preference-read user-preference-write (preference-domain "com.apple.rtcreportingd"))

(allow ipc-posix-shm-read-data
       (ipc-posix-name "FNetwork.defaultStorageSession"))
(allow ipc-posix-shm-read-data ipc-posix-shm-write-create ipc-posix-shm-write-data
       (ipc-posix-name "com.apple.AppleDatabaseChanged"))

(allow mach-lookup
       (global-name "com.apple.CoreServices.coreservicesd")
       (global-name "com.apple.DiskArbitration.diskarbitrationd")   ;; NSData atomic write
       (global-name "com.apple.SecurityServer")
       (global-name "com.apple.awdd")
       (global-name "com.apple.cfnetwork.cfnetworkagent")
       (global-name "com.apple.cookied")
       (global-name "com.apple.distributed_notifications@1v3")
       (global-name "com.apple.ocspd")
       (global-name "com.apple.duetactivityscheduler")
       (global-name "com.apple.CrashReporterSupportHelper")
       (global-name "com.apple.powerlog.plxpclogger.xpc")
       (global-name "com.apple.rtclocalbackendd"))

(allow system-fsctl
       (fsctl-command (_IO "h" 47)))  ; HFSIOC_SET_HOTFILE_STATE

(system-network)
(allow network-outbound)
(allow network-inbound (local udp))