com.apple.security.KeychainStasher.sb
;; Sandbox profile (SBPL) for KeychainStasher.
;; Default-deny baseline; the allow rules below list everything this profile
;; grants itself, in addition to whatever the two imported profiles grant.
(version 1)

;; Anything without a matching allow rule is refused.
(deny default)
;; Explicit denies for mapping files as executable, all process-info
;; operations, and all nvram operations.
;; NOTE(review): these appear before the imports; whether rules in system.sb
;; can re-allow any of them depends on SBPL rule precedence -- confirm.
(deny file-map-executable process-info* nvram*)
;; No JIT / runtime-generated code.
(deny dynamic-code-generation)

;; Shared baseline rules. Their contents are not visible here, so the
;; effective policy is this file plus whatever these two profiles allow.
(import "system.sb")
(import "com.apple.corefoundation.sb")
;; Presumably a macro defined by com.apple.corefoundation.sb -- verify.
(corefoundation)

;; Narrow exception to the process-info* deny above: dirty-control only,
;; and only when the target is this process itself.
(allow process-info-dirtycontrol (target self))

;; The only Mach service lookup granted by this file: securityd's XPC endpoint.
(allow mach-lookup (global-name "com.apple.securityd.xpc"))

;; No path filter: metadata reads are allowed on every path.
;; File contents stay blocked unless another rule grants file-read*.
(allow file-read-metadata)

;; The only write access granted by this file. It applies only when the
;; launcher passes ANALYTICSDIR, and then covers that directory recursively
;; (subpath) for both read and write.
;; NOTE(review): the value comes from whoever applies the profile; it should
;; point at a dedicated analytics directory, not a shared parent -- confirm at
;; the call site.
(if (param "ANALYTICSDIR")
    (allow file-read* file-write* (subpath (param "ANALYTICSDIR"))))

;; Read-only access to everything under /usr/libexec.
;; Presumably so the process can read its own binary -- verify.
(allow file-read* (subpath "/usr/libexec"))

;; Preference reads limited to the any-application domain; this file grants
;; no preference write.
(allow user-preference-read (preference-domain "kCFPreferencesAnyApplication"))