;; Build a subpath filter rooted at the sandboxed process's home directory.
;; home-relative-subpath is appended verbatim to the HOME profile parameter,
;; so callers pass it with a leading "/" (e.g. "/Library/Keychains/").
(define (home-subpath home-relative-subpath)
    (let ((home-dir (param "HOME")))
        (subpath (string-append home-dir home-relative-subpath))))
 
;; Baseline denials. process-info* is re-allowed for the process itself further
;; down; in SBPL a later rule takes precedence over an earlier one for the same
;; operation, so the relative order of these rules matters.
(deny file-map-executable iokit-get-properties process-info* nvram*)

;; No runtime-generated executable memory. Together with the file-map-executable
;; deny above this keeps the process from introducing new executable code at
;; runtime beyond what its own loaded images already carry.
(deny dynamic-code-generation)

;; The privileged host port stays unreachable.
(deny mach-priv-host-port)

;; Shared CoreFoundation profile fragment; the rules it contributes are not
;; visible in this excerpt.
(import "com.apple.corefoundation.sb")

(allow distributed-notification-post)

;; Narrow re-allow of process-info* for the sandboxed process only; keep this
;; after the blanket deny above so it wins.
(allow process-info* (target self))

;; NOTE(review): unlike the line above this is not scoped with (target self),
;; so it applies to whatever targets the operation accepts — confirm the wider
;; scope is intended.
(allow process-info-codesignature)

;; Metadata (stat-style) reads are permitted everywhere; reading file contents
;; is governed by the file-read* rules.
(allow file-read-metadata)

;; Read/write access to the user's keychain directory, resolved through the
;; HOME parameter. This is credential storage, so keep the filter this narrow.
(allow file-read* file-write*
    (home-subpath "/Library/Keychains/"))
 
  26     (global-name "com.apple.cloudd")
 
  27     (global-name "com.apple.apsd")
 
  28     (global-name "com.apple.securityd.xpc")
 
  29     (global-name "com.apple.security.sfkeychainserver")
 
  30     (global-name "com.apple.SecurityServer")
 
  31     (global-name "com.apple.lsd.mapdb")
 
  34 (allow user-preference-read
 
  35     (preference-domain "kCFPreferencesAnyApplication")
 
  38 (allow file-read* file-write*
 
  39     (subpath "/private/var/db/mds/")
 
  40     (subpath "/Library/Keychains/")