Skip to content

Instantly share code, notes, and snippets.

Last active May 8, 2023 13:28
Show Gist options
  • Save mauron85/67fbf015fc095506d511ade9f07e2f8c to your computer and use it in GitHub Desktop.
Save mauron85/67fbf015fc095506d511ade9f07e2f8c to your computer and use it in GitHub Desktop.
OSX Sandbox profile for
# Move to your profile Application folder
# so you don't accidentally run in outside sanbox
# Replace all references of /Users/finch with your username in!
# Always use this shell script to launch!
sandbox-exec -f ~/sandbox/ ~/Applications/
;; sandbox profile
;; based on Tor WEB Browser Bundle sandbox by Paolo Fabio Zaino
;; License GPL v2
;; Get this file and hack it to perfection 😉
(version 1)
(debug deny)
;; allow processes to traverse symlinks
(allow file-read-metadata)
(allow file-read-data file-read-metadata
; Allow reading system dylibs and frameworks
(allow file-read-data file-write-data
; Allow files accessed by system dylibs and frameworks
(allow file-ioctl
; Allow access to dtracehelper by dyld
(allow mach-lookup
(global-name "")
(global-name "")
(global-name "")
(global-name "")
(global-name ""))
(allow ipc-posix-shm) ; Libnotify
;; (allow sysctl-read)
(allow signal (target self))
(deny default)
(allow file-write* file-read-data file-read-metadata
(regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers")
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers")
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium")
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*")
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock")
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/")
(regex "^/Users/finch/Library/Application Support/haiku")
(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist")
(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist")
(regex "^/Users/finch/Library/Logs/Haiku")
(regex "^/Applications/")
(regex "^/Users/finch/.haiku")
(regex "^(/private)?/tmp/"))
(allow file-read-data file-read-metadata
(literal "/")
(subpath "/")
(regex "^/dev")
(regex "^/dev/autofs.*")
(regex "^/Library/Preferences")
(regex "^/Library/Fonts")
;; (regex "^/Library/Application Support/CrashReporter/")
;; (regex "^/Library/MessageTracer/")
(regex "^/usr/share/icu")
(regex "^/usr/share/locale")
(regex "^/System/Library")
(regex "^/Applications/")
(regex "^/usr/lib")
(regex "^/usr/local/lib")
(regex "^/var")
(regex "^/private/var/tmp/")
(regex "^/private/etc/hosts")
(regex "^/private/var/db/timezone/tz/")
(regex "^/private/tmp/")
(regex "^/private/etc")
(regex "^/private/var/run/resolv.conf")
(regex "^/Users/finch")
(regex #"Frameworks/SDL.framework"))
(allow file-read-xattr
(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist"))
(allow mach* sysctl-read)
(deny file-write-data
(regex #"^(/private)?/etc/localtime$"
(allow process-exec*
(regex "^/Applications/"))
(allow process-exec*)
(allow network*)
(allow iokit-open)
(allow ipc-posix-shm)
(allow process-fork)
(allow system-socket)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment