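;; Sandbox profile (SBPL). Default-deny: an operation is permitted only if an
;; (allow ...) rule below, or a rule pulled in by the imports, matches it.
;; The page does not name the sandboxed process; it registers the Mach names
;; com.apple.storeuid and com.apple.storeagent.storekit, so this is presumably
;; an App Store UI/agent component -- confirm against the owning binary.
;;
;; Review change in this revision: dots that were left unescaped inside four
;; regex filters are now escaped so each pattern matches only the literal file
;; or segment name it spells out. No rule was added or removed.
(version 1)
(deny default)

(import "system.sb")
(import "com.apple.corefoundation.sb")

;; Macro invocations; their definitions are not on this page (presumably they
;; come from the imported profiles).
(corefoundation)
(system-graphics)

;; Build a subpath filter rooted at the HOME parameter given to the profile.
;; home-relative-subpath must start with "/" because it is appended verbatim.
(define (home-subpath home-relative-subpath)
  (subpath (string-append (param "HOME") home-relative-subpath)))

;; ---------------------------------------------------------------------------
;; Filesystem
;; ---------------------------------------------------------------------------

;; Metadata reads are allowed on every path (no filter).
(allow file-read-metadata)

(allow file-issue-extension
  (subpath "/Library/Documentation/Help/MacHelp.help")
  (regex #"[a-z0-9]+\.app(/|$)"))

;; Read-only access.
;; NOTE(review): patterns without a leading ^ match anywhere in a path, so
;; "/Library/Preferences/..." rules apply to the system directory and to any
;; directory tree that contains the same components, not only to HOME.
(allow file-read*
  ;; Any path with a component ending in ".app" (bundle contents, any location).
  (regex #"\.app(/|$)")
  (regex #"/CommerceKit\.framework")
  (literal "/")
  (literal "/private/etc/hosts")
  (literal "/Library/Preferences/.GlobalPreferences.plist")
  (literal "/private/var/db/mds/messages/se_SecurityMessages")
  (literal "/private/var/db/.MASManifest")
  (literal "/private/var/db/mds/system/mdsDirectory.db")
  (literal "/private/var/db/mds/system/mdsObject.db")
  (literal "/Library/Preferences/com.apple.iWork09.Installer.plist")
  (literal "/Library/Preferences/com.apple.iWork.Installer.plist")
  (literal "/Library/Preferences/com.apple.AECT.plist")
  (literal "/Library/Preferences/SystemConfiguration/com.apple.PowerManagement.plist")
  (literal "/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
  (literal "/Library/Preferences/com.apple.loginwindow.plist")
  (literal "/private/var/db/PreviousSystemVersion.plist")
  (subpath "/Library/Documentation/Help/MacHelp.help")
  (subpath "/Users/Shared")
  (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  ;; Dots escaped (were bare "." wildcards).
  (regex #"/Library/Preferences/com\.apple\.LaunchServices\.plist$")
  (regex #"/Library/Preferences/\.GlobalPreferences\.plist$")
  (regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")
  (regex #"/Library/Preferences/com\.apple\.universalaccess\.plist$")
  (regex #"/Library/Preferences/com\.apple\.HIToolbox\.plist$")
  ;; Dots escaped (were bare "." wildcards).
  (regex #"/Library/Preferences/com\.apple\.security\.plist$")
  (regex #"/\.CFUserTextEncoding$")
  (regex #"/Library/Caches/com\.apple\.commerce/updates-com\.apple\.appstore\.updateQueue\.plist$")
  (regex #"/Library/Keyboard Layouts(/|$)")
  (regex #"/Library/Input Methods(/|$)"))

;; Read + write access. This is the widest part of the profile: it covers
;; /Applications, the shared temporary directories, and several unanchored
;; patterns (for example "/Library/Keychains/" and "/Library/Cookies") that
;; match the named component sequence at any depth of any path.
;; NOTE(review): confirm whether the per-user entries can be expressed with
;; home-subpath, or at least anchored, so that write access is limited to the
;; locations the process actually uses.
(allow file-read* file-write*
  (home-subpath "/Library/Caches/com.apple.AppleMediaServices")
  (home-subpath "/Library/Logs/com.apple.StoreServices")
  (literal "/Library/Caches/com.apple.DiagnosticReporting.Networks.plist")
  (literal "/Library/Caches/com.apple.DiagnosticReporting.HasBeenAppleInternal")
  (literal "/private/var/db/mds/system/mds.lock")
  (subpath "/private/var/root/Library/Caches/com.apple.commerce")
  (subpath "/Applications")
  (subpath "/Users/Shared/SC Info")
  (subpath "/private/var/tmp")
  ;; Covers the whole tree, so the three "^/private/var/folders/..." regexes
  ;; further down are already subsumed by this entry.
  (subpath "/private/var/folders")
  (subpath "/private/tmp")
  (subpath "/Users/Shared/adi")
  (regex #"/Library/Caches/com\.apple\.WebKit\.WebContent$")
  (regex #"/Library/Application Support/App Store(/|$)")
  (regex #"/Library/Logs/appstore\.log$")
  (regex #"/Library/Logs/storeagent(/|$)")
  (regex #"/Library/Logs/commerce(/|$)")
  (regex #"/Library/Logs/store[a-z]+(/|$)")
  ;; No trailing anchor: these are prefix matches on the final name
  ;; ("commerce", "commerceXYZ", ...).
  (regex #"/Library/Caches/commerce")
  (regex #"/Library/Caches/storeuid")
  ;; Dot escaped. Every path this matches is already matched by the
  ;; "/Library/Caches/storeuid" prefix pattern on the previous line.
  (regex #"/Library/Caches/storeuid\.app")
  (regex #"/Library/Caches/com\.apple\.commerce")
  (regex #"/Library/Caches/com\.apple\.storeagent")
  (regex #"/Library/Caches/com\.apple\.WebKit2\.WebProcessService$")
  (regex #"Data/Library/Caches/receipts")
  (regex #"/Library/Cookies")
  (regex #"/Library/Preferences/com\.apple\.storeagent\.plist$")
  (regex #"/Library/Preferences/com\.apple\.appstore\.plist$")
  (regex #"/Library/Preferences/com\.apple\.commerce\.plist$")
  (regex #"/Library/Preferences/com\.apple\.commerce\.knownclients\.plist$")
  (regex #"Library/Preferences/com\.apple\.security\.revocation\.plist")
  (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/com\.apple\.appstore")
  (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
  (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/mds(/|$)")
  (regex #"/\.TemporaryItems(/|$)")
  ;; NOTE(review): read/write on any path containing "/Library/Keychains/".
  (regex #"/Library/Keychains/")
  (regex #"/(macOS|OS X) Install Data(/|$)")
  (regex #"\.appdownload(/|$)")
  (regex #"^/etilqs_"))

;; Data reads only (narrower than file-read*).
(allow file-read-data
  (literal "/Library/Preferences/com.apple.HIToolbox.plist")
  (regex #"/Library/Preferences/com\.apple\.LaunchServices/com\.apple\.launchservices\.secure\.plist$"))

;; ---------------------------------------------------------------------------
;; Preferences
;; ---------------------------------------------------------------------------

(allow user-preference-read
  (preference-domain "com.apple.AppleMediaServices")
  (preference-domain "com.apple.AppleMultitouchTrackpad")
  (preference-domain "com.apple.ServicesMenu.Services"))

;; Read and write for the process's own domain.
(allow user-preference*
  (preference-domain "com.apple.storeuid"))

;; ---------------------------------------------------------------------------
;; POSIX shared memory
;; ---------------------------------------------------------------------------

(allow ipc-posix-shm-read-data
  (ipc-posix-name "/com.apple.AppSSO.version")
  (ipc-posix-name "FNetwork.defaultStorageSession")
  (ipc-posix-name-regex #"ls\.[a-f0-9\.]+")
  (ipc-posix-name "apple.shm.notification_center")
  ;; Dots escaped (were bare "." wildcards).
  (ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.[0-9]+$"))

(allow ipc-posix-shm-read* ipc-posix-shm-write*
  (ipc-posix-name "com.apple.AppleDatabaseChanged"))

;; ---------------------------------------------------------------------------
;; Mach services
;; ---------------------------------------------------------------------------

;; Names this process may register (i.e. serve).
(allow mach-register
  (global-name "com.apple.storeuid")
  (global-name "com.apple.storeagent.storekit"))

;; Services this process may look up. Each entry is reachable IPC surface from
;; inside the sandbox; entries that are no longer needed should be dropped.
(allow mach-lookup
  (global-name "com.apple.adid")
  (global-name "com.apple.xpc.amsengagementd")
  (global-name "com.apple.CoreAuthentication.agent.libxpc")
  (global-name "com.apple.xpc.amsaccountsd")
  (global-name "com.apple.windowmanager.server")
  (global-name "com.apple.uiintelligencesupport.agent")
  (global-name "com.apple.accountsd.accountmanager")
  (global-name "com.apple.ak.authorizationservices.xpc")
  (global-name "com.apple.iohideventsystem")
  (global-name "com.apple.tsm.uiserver")
  (global-name "com.apple.touchbarserver.mig")
  (global-name "com.apple.touchbar.agent")
  (global-name "com.apple.pbs.fetch_services")
  (global-name "com.apple.coreservices.launcherror-handler")
  (global-name "com.apple.SystemConfiguration.configd")
  (global-name "com.apple.commerce")
  (global-name "com.apple.storeassetd")
  (global-name "com.apple.storeaccountd")
  (global-name "com.apple.storedownloadd")
  (global-name "com.apple.storeainappd")
  (global-name "com.apple.storeuid")
  (global-name "com.apple.storeagent.pushservice-xpc")
  (global-name "com.apple.maspushagent-xpc")
  (global-name "com.apple.lateragent-xpc")
  (global-name "com.apple.SystemConfiguration.SCNetworkReachability")
  (global-name "com.apple.networkd")
  (global-name "com.apple.storehelper")
  (global-name "com.apple.SecurityServer")
  (global-name "com.apple.PowerManagement.control")
  (global-name "com.apple.distributed_notifications@Uv3")
  (global-name "com.apple.usernoted.daemon_client")
  (global-name "com.apple.metadata.mds")
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.ls.boxd")
  (global-name "com.apple.FileCoordination")
  (global-name "com.apple.ocspd")
  (global-name "com.apple.dock.appstore")
  (global-name "com.apple.dock.server")
  (global-name "com.apple.installd")
  (global-name "com.apple.ProgressReporting")
  (global-name "com.apple.storereceiptinstaller")
  (global-name "com.apple.windowserver.active")
  (global-name "com.apple.dock.launchpad")
  (global-name "com.apple.coreservices.launchservicesd")
  (global-name "com.apple.coreservices.appleevents")
  (global-name "com.apple.coreservices.sharedfilelistd.xpc")
  (global-name "com.apple.coreservices.sharedfilelistd.mig")
  (global-name "com.apple.coreservices.sharedfilelistd.async-mig")
  (global-name "com.apple.lsd.mapdb")
  (global-name "com.apple.lsd.modifydb")
  (global-name "com.apple.cookied")
  (global-name "com.apple.FontServer")
  (global-name "com.apple.fonts")
  (global-name "com.apple.DiskArbitration.diskarbitrationd")
  (global-name "com.apple.cvmsServ")
  (global-name "com.apple.logind")
  (global-name "com.apple.coreservices.quarantine-resolver")
  (global-name "com.apple.familycontrols")
  (global-name "com.apple.pasteboard.1")
  (global-name "com.apple.nsurlstorage-cache")
  (global-name "com.apple.window_proxies")
  (global-name "com.apple.tccd.system")
  (global-name "com.apple.ak.auth.xpc")
  (global-name "com.apple.ak.anisette.xpc")
  (global-name "com.apple.CrashReporterSupportHelper")
  (global-name "com.apple.dock.fullscreen")
  (global-name "com.apple.cfnetwork.AuthBrokerAgent")
  (global-name "com.apple.cfnetwork.cfnetworkagent")
  (global-name "com.apple.iconservices")
  (global-name "com.apple.AppSSO.service-xpc")
  (global-name "com.apple.analyticsd")
  (global-name "com.apple.CARenderServer")
  (global-name "com.apple.CoreDisplay.master")
  (global-name "com.apple.securityd.xpc")
  (global-name "com.apple.appstoreagent.xpc")
  (global-name "com.apple.nesessionmanager.content-filter"))

;; ---------------------------------------------------------------------------
;; Authorization rights
;; ---------------------------------------------------------------------------

;; Software-installation rights the process may request. The sandbox only
;; permits the request; whether a right is granted is decided elsewhere.
(allow authorization-right-obtain
  (right-name "system.install.app-store-software")
  (right-name "system.install.apple-software")
  (right-name "system.install.app-store-software.standard-user")
  (right-name "system.install.apple-software.standard-user")
  (right-name "system.install.apple-config-data")
  (right-name "system.install.software")
  (right-name "system.install.software.iap"))

;; ---------------------------------------------------------------------------
;; IOKit user clients
;; ---------------------------------------------------------------------------

;; The three regex entries match by class-name suffix, so they admit every
;; user-client class whose name ends that way, not a fixed list.
(allow iokit-open
  (iokit-user-client-class "IOSurfaceSendRight")
  (iokit-user-client-class "IOSurfaceRootUserClient")
  (iokit-user-client-class "IGAccelCommandQueue")
  (iokit-user-client-class "AppleMultitouchDeviceUserClient")
  (iokit-user-client-class "IOFramebufferSharedUserClient")
  (iokit-user-client-class "RootDomainUserClient")
  (iokit-user-client-class-regex #"AccelDevice$")
  (iokit-user-client-class-regex #"SharedUserClient$")
  (iokit-user-client-class-regex #"GLContext$")
  (iokit-user-client-class "IOHIDParamUserClient")
  (iokit-user-client-class "AGXDevice")
  (iokit-user-client-class "AGXCommandQueue"))

;; ---------------------------------------------------------------------------
;; Unfiltered grants
;; ---------------------------------------------------------------------------

;; None of the rules below carries a filter, so each operation is allowed for
;; every destination or target. In particular, outbound network access is not
;; restricted by host, port or protocol at the sandbox layer.
(allow network-outbound)
(allow system-socket)
(allow distributed-notification-post)
(allow appleevent-send)
(allow lsopen)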