inC3ASE · October 14, 2016 01:47
diff --git a/navd-OSX.sb b/navd-OSX.sb
 (version 1)
 (import "system.sb")
 (deny default)

 (define (home-regex home-relative-regex)
    (regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
 (define (home-subpath home-relative-subpath)
    (subpath (string-append (param "_HOME") home-relative-subpath)))
 (define (home-literal home-relative-literal)
    (literal (string-append (param "_HOME") home-relative-literal)))

 (allow file-read-metadata)

 (allow file-read* file-write*
    (literal #"/Library/Caches/GeoServices/Navd/navd")
    (literal #"/Library/Caches/GeoServices/Navd/navd.cache")
    (literal #"/Library/Caches/GeoServices/Navd/navd-journal")
    (literal #"/Library/Caches/GeoServices/Navd/navd.cache-journal")
    (literal #"/Library/Caches/com.apple.MapsSupport/")
    (home-regex #"/Library/Caches/com\.apple\.MapsSupport")
    (home-regex #"/Library/Caches/GeoServices/")
    (home-regex #"/Library/Logs/Maps(/|$)"))

 (allow file-read*
    (literal #"/Library/Keychains/System.keychain")
    (literal #"/")
    (home-regex #"/Library/Keychains/")
    (literal #"/Library/Preferences/com.apple.security.plist")
    (literal #"/private/var/db/mds/messages/se_SecurityMessages")
    (literal #"/private/var/db/mds/system/mdsDirectory.db")
    (literal #"/private/var/db/mds/system/mdsObject.db"))

 (allow file-write* file-read*
    (regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/|$)")
    (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")
    (regex #"/Library/Application\ Support/CrashReporter/SubmitDiagInfo.domains"))

 (allow file-issue-extension
    (home-regex #"/Library/Caches/com\.apple\.MapsSupport"))

 (allow mach-lookup
    (global-name #"com.apple.CoreServices.coreservicesd")
    (global-name #"com.apple.distributed_notifications@Uv3")
    (global-name #"com.apple.DiskArbitration.diskarbitrationd")
    (global-name #"com.apple.locationd.desktop.registration")
    (global-name #"com.apple.SystemConfiguration.configd")
    (global-name #"com.apple.networkd")
    (global-name #"com.apple.nsurlstorage-cache")
    (global-name #"com.apple.cookied")
    (global-name #"com.apple.SecurityServer")
    (global-name #"com.apple.ocspd")
    (global-name #"com.apple.locationd.desktop.synchronous")
    (global-name #"com.apple.CoreLocation.agent"))

 (allow ipc-posix-shm
    (ipc-posix-name #"com.apple.AppleDatabaseChanged"))


 (allow iokit-open
    (iokit-user-client-class #"RootDomainUserClient"))

 (system-network)
 (allow network-outbound
    (literal #"/private/var/run/mDNSResponder")
    (remote tcp))
 (allow system-fsctl)
	(version 1)
	(import "system.sb")
	(deny default)

	(define (home-regex home-relative-regex)
	(regex (string-append "^" (regex-quote (param "_HOME")) home-relative-regex)))
	(define (home-subpath home-relative-subpath)
	(subpath (string-append (param "_HOME") home-relative-subpath)))
	(define (home-literal home-relative-literal)
	(literal (string-append (param "_HOME") home-relative-literal)))

	(allow file-read-metadata)

	(allow file-read* file-write*
	(literal #"/Library/Caches/GeoServices/Navd/navd")
	(literal #"/Library/Caches/GeoServices/Navd/navd.cache")
	(literal #"/Library/Caches/GeoServices/Navd/navd-journal")
	(literal #"/Library/Caches/GeoServices/Navd/navd.cache-journal")
	(literal #"/Library/Caches/com.apple.MapsSupport/")
	(home-regex #"/Library/Caches/com\.apple\.MapsSupport")
	(home-regex #"/Library/Caches/GeoServices/")
	(home-regex #"/Library/Logs/Maps(/\|$)"))

	(allow file-read*
	(literal #"/Library/Keychains/System.keychain")
	(literal #"/")
	(home-regex #"/Library/Keychains/")
	(literal #"/Library/Preferences/com.apple.security.plist")
	(literal #"/private/var/db/mds/messages/se_SecurityMessages")
	(literal #"/private/var/db/mds/system/mdsDirectory.db")
	(literal #"/private/var/db/mds/system/mdsObject.db"))

	(allow file-write* file-read*
	(regex #"^/private/var/folders/[^/]+/[^/]+/[A-Z]/TemporaryItems(/\|$)")
	(regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/\|$)")
	(regex #"/Library/Application\ Support/CrashReporter/SubmitDiagInfo.domains"))

	(allow file-issue-extension
	(home-regex #"/Library/Caches/com\.apple\.MapsSupport"))

	(allow mach-lookup
	(global-name #"com.apple.CoreServices.coreservicesd")
	(global-name #"com.apple.distributed_notifications@Uv3")
	(global-name #"com.apple.DiskArbitration.diskarbitrationd")
	(global-name #"com.apple.locationd.desktop.registration")
	(global-name #"com.apple.SystemConfiguration.configd")
	(global-name #"com.apple.networkd")
	(global-name #"com.apple.nsurlstorage-cache")
	(global-name #"com.apple.cookied")
	(global-name #"com.apple.SecurityServer")
	(global-name #"com.apple.ocspd")
	(global-name #"com.apple.locationd.desktop.synchronous")
	(global-name #"com.apple.CoreLocation.agent"))

	(allow ipc-posix-shm
	(ipc-posix-name #"com.apple.AppleDatabaseChanged"))


	(allow iokit-open
	(iokit-user-client-class #"RootDomainUserClient"))

	(system-network)
	(allow network-outbound
	(literal #"/private/var/run/mDNSResponder")
	(remote tcp))
	(allow system-fsctl)