fkorotkov · April 10, 2018 19:06
diff --git a/base-chamber.sb b/base-chamber.sb
 (version 1)
 (debug deny)

 ;; by default deny everything
 (deny default)

 ;; allow sending signals to itself and processes in the same group
 (allow signal (target same-sandbox))

 ;; allow outbound internet
 (allow network-outbound)

 ;; lookup of IPC communications/messages like PowerManagement
 (allow mach-lookup)

 ;; allow execution of programs
 (allow process*)
 (allow process-exec (subpath "/bin"))
 (allow process-exec (subpath "/usr"))

 ;; packages installed via Nix
 (allow process-exec (subpath "/nix/store"))
 ;; Xcode, etc.
 (allow process-exec (subpath "/Applications"))

 ; Allow reading system information like #CPUs, etc.
 (allow sysctl-read)

 ;; make FS read only
 (allow file-read* (subpath "/"))

 ; allow writes to standard devices like /dev/null
 (allow file* (subpath "/dev"))
	(version 1)
	(debug deny)

	;; by default deny everything
	(deny default)

	;; allow sending signals to itself and processes in the same group
	(allow signal (target same-sandbox))

	;; allow outbound internet
	(allow network-outbound)

	;; lookup of IPC communications/messages like PowerManagement
	(allow mach-lookup)

	;; allow execution of programs
	(allow process*)
	(allow process-exec (subpath "/bin"))
	(allow process-exec (subpath "/usr"))

	;; packages installed via Nix
	(allow process-exec (subpath "/nix/store"))
	;; Xcode, etc.
	(allow process-exec (subpath "/Applications"))

	; Allow reading system information like #CPUs, etc.
	(allow sysctl-read)

	;; make FS read only
	(allow file-read* (subpath "/"))

	; allow writes to standard devices like /dev/null
	(allow file* (subpath "/dev"))