azinman/jail.sb

## jail.sb
(version 1)

(deny default)
(allow network*)
(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/zinman/vanadium")
  (regex "^(/private)?/tmp"))

(allow file-read-data file-read-metadata
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Internet Plug-Ins")
  (regex "^/Library/PreferencePanes")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Xcode.app")
  (regex "^/usr/bin")
  (regex "^/usr/lib")
  (regex "^/var"))

(allow mach* sysctl-read)

(allow signal (target same-sandbox))

(allow process-fork)

(allow process-exec
  (regex "^/bin")
  (regex "^/usr/bin")
  (regex "^(/private?)/tmp")
  (regex "^/Users/zinman/vanadium")
  (regex "^/Applications/Xcode.app"))
	(version 1)

	(deny default)
	(allow network*)
	(allow file-write* file-read-data file-read-metadata
	(regex "^/Users/zinman/vanadium")
	(regex "^(/private)?/tmp"))

	(allow file-read-data file-read-metadata
	(regex "^/dev/autofs.*")
	(regex "^/Library/Preferences")
	(regex "^/Library/Internet Plug-Ins")
	(regex "^/Library/PreferencePanes")
	(regex "^/usr/share/icu")
	(regex "^/usr/share/locale")
	(regex "^/System/Library")
	(regex "^/Applications/Xcode.app")
	(regex "^/usr/bin")
	(regex "^/usr/lib")
	(regex "^/var"))

	(allow mach* sysctl-read)

	(allow signal (target same-sandbox))

	(allow process-fork)

	(allow process-exec
	(regex "^/bin")
	(regex "^/usr/bin")
	(regex "^(/private?)/tmp")
	(regex "^/Users/zinman/vanadium")
	(regex "^/Applications/Xcode.app"))