@fishman

fishman/sample Secret

Created Feb 10, 2014
; macOS sandbox profile (SBPL, Scheme-style syntax) for an application the
; author calls "somename". The profile starts from deny-everything and then
; re-opens a small set of file, Mach, shared-memory and exec rights.
; NOTE(review): the narrowing of the broad deny rules by the allow rules
; below relies on later rules taking precedence over earlier ones for the
; same operation -- confirm against the sandbox documentation for the
; target OS version before reordering anything here.
(version 1)
; Default-deny: any operation not explicitly allowed below is refused.
(deny default)
; Pull in the OS-supplied base profile; what it permits depends on the OS
; version, so the effective policy is wider than what is visible here.
(import "system.sb")
; Read-only access (data + metadata) to shared frameworks and system
; libraries. These regexes are anchored at the path root with "^".
(allow file-read-data file-read-metadata
(regex "^/Library/Frameworks")
(regex "^/System/Library")
(regex "^/usr/lib"))
; Deny every operation whose name starts with "mach" plus sysctl reads; the
; mach-lookup / mach-register allow-lists that follow re-open only the named
; services.
(deny mach* sysctl-read)
; Mach services the process may look up: CoreServices, font servers,
; LaunchServices (10.9+), pasteboard, CoreAudio and the window server.
(allow mach-lookup
(global-name "com.apple.CoreServices.coreservicesd")
(global-name "com.apple.FontServer")
(global-name "com.apple.FontObjectsServer")
(global-name "com.apple.coreservices.launchservicesd") ; new for 10.9
(global-name "com.apple.pbs.fetch_services"); new for 10.9
(global-name "com.apple.pasteboard.1")
(global-name "com.apple.audio.coreaudiod")
(global-name "com.apple.audio.audiohald")
(global-name "com.apple.windowserver.active"))
; The only Mach service the process itself may register.
(allow mach-register
(local-name "com.apple.CFPasteboardClient"))
; NOTE(review): the next two regexes are unanchored (no "^") and the "." in
; "somename.app" is unescaped, so they match any path that merely contains
; "somename<any char>app" -- including a bundle of that name in a
; user-writable location -- not only the installed application. Anchoring
; to the install location and escaping the dot, e.g.
; "^<install-dir>/somename\.app/" (placeholder path), would limit both the
; read grant and the process-exec grant to the intended bundle.
(allow file-read-data file-read-metadata
(regex ".*/somename.app"))
; Execution is permitted only for a binary whose path matches this regex
; (same unanchored-pattern caveat as above).
(allow process-exec
(regex ".*/somename.app/Contents/MacOS/somename"))
; POSIX shared-memory segments the process may read: "AudioIO" segments
; (presumably CoreAudio), "com.apple.csseed" segments under /tmp,
; "CFPBS:" segments (presumably pasteboard, cf. CFPasteboardClient above)
; and "ls." segments (presumably LaunchServices). Two literal forms,
; #"..." and "...", are mixed here; each is supplied as a name regex.
(allow ipc-posix-shm-read-data
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex #"^/tmp/com\.apple\.csseed\.")
(ipc-posix-name-regex "CFPBS:[0-9a-fA-F]+:")
(ipc-posix-name-regex "ls\.[0-9]+\.[0-9a-f]+\.[0-9a-f]+"))
; Metadata reads are allowed only for the AudioIO segments.
(allow ipc-posix-shm-read-metadata
(ipc-posix-name-regex #"^AudioIO"))
; Write access is limited to the AudioIO and CFPBS segments; the csseed and
; "ls." segments above stay read-only.
(allow ipc-posix-shm-write-data
(ipc-posix-name-regex #"^AudioIO")
(ipc-posix-name-regex "CFPBS:[0-9a-fA-F]+:"))
; Deny every operation whose name starts with "network": the process gets
; no network access at all.
(deny network*)