;
; Copyright (C) 2015 Apple Inc. All Rights reserved.
;
; Sandbox profile for /usr/libexec/swcd.
;

(version 1)
(deny default)

(import "system.sb")
(import "com.apple.corefoundation.sb")

(define (home-subpath home-relative-subpath)
	(subpath (string-append (param "_HOME") home-relative-subpath)))

(allow file-read*
	(subpath "/"))

(allow file-write*
	(literal "/private/var/db/mds/system/mds.lock")
	(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds/mds\.lock$")
	(regex #"^(/private)?/var/folders/[^/]+/[^/]+/C($|/)")
	(regex #"^(/private)?/var/folders/[^/]+/[^/]+/T($|/)")
	(regex #"^(/private)?/var/folders/[^/]+/[^/]+/0($|/)")
)

(allow ipc-posix-shm-read-data ipc-posix-shm-write-data
	(ipc-posix-name "com.apple.AppleDatabaseChanged")
	(ipc-posix-name "FNetwork.defaultStorageSession")
)

(allow mach-lookup
	(global-name "com.apple.CoreServices.coreservicesd")
	(global-name "com.apple.cookied")
	(global-name "com.apple.coresymbolicationd")
	(global-name "com.apple.lsd.mapdb")
	(global-name "com.apple.lsd.modifydb")
	(global-name "com.apple.metadata.mds")
	(global-name "com.apple.networkd")
	(global-name "com.apple.nsurlstorage-cache")
	(global-name "com.apple.nsurlsessiond")
	(global-name "com.apple.ocspd")
	(global-name "com.apple.securityd.xpc")
	(global-name "com.apple.SecurityServer")
	(global-name-regex #"^com\.apple\.distributed_notifications")
	(global-name "com.apple.mdmclient.agent.unrestricted")
    (global-name "com.apple.cfnetwork.cfnetworkagent")
)

(system-network)
(allow network-outbound)

(allow system-socket)

(allow user-preference-read user-preference-write
	(preference-domain "com.apple.SharedWebCredentials")
)

(allow distributed-notification-post)

(allow authorization-right-obtain
	(right-name "com.apple.swc.developer-mode")
)