Created
April 10, 2018 19:06
-
-
Save fkorotkov/531dd517ccae0a0a22cdd47898cb6dfe to your computer and use it in GitHub Desktop.
Base security profile for sandboxing applications on Mac OS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (version 1) | |
| (debug deny) | |
| ;; by default deny everything | |
| (deny default) | |
| ;; allow sending signals to itself and processes in the same group | |
| (allow signal (target same-sandbox)) | |
| ;; allow outbound internet | |
| (allow network-outbound) | |
| ;; lookup of IPC communications/messages like PowerManagement | |
| (allow mach-lookup) | |
| ;; allow execution of programs | |
| (allow process*) | |
| (allow process-exec (subpath "/bin")) | |
| (allow process-exec (subpath "/usr")) | |
| ;; packages installed via Nix | |
| (allow process-exec (subpath "/nix/store")) | |
| ;; Xcode, etc. | |
| (allow process-exec (subpath "/Applications")) | |
| ; Allow reading system information like #CPUs, etc. | |
| (allow sysctl-read) | |
| ;; make FS read only | |
| (allow file-read* (subpath "/")) | |
| ; allow writes to standard devices like /dev/null | |
| (allow file* (subpath "/dev")) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment