ipmb/sandbox.sb

## sandbox.sb
(version 1)
(allow default)
(debug deny)

(define (home-subpath home-relative-subpath)
  ;; should be able to use something like (param "HOME_DIR") here, but it's not working for me
  (subpath (string-append "/Users/pete" home-relative-subpath)))

;; can't write anywhere or read /Users by default
(deny file-write*)
(deny file-read*
  (subpath "/Users")
)

(allow file-read*
  ;; access package manager (pdm)
  (home-subpath "/.local/bin")
  (home-subpath "/.local/pipx")
  ;; access python
  (home-subpath "/.asdf")
  (home-subpath "/.tool-versions")
)

(allow file-read* file-write*
  ;; only needed for install
  (home-subpath "/Library/Caches/pdm")
  ;; project dir
  (home-subpath "/projects/my-project")
  ;; temp
  (regex "^(/private)?/tmp/")
  (regex "^(/private)?/var/folders")
  (subpath "/dev/null")
)
	(version 1)
	(allow default)
	(debug deny)

	(define (home-subpath home-relative-subpath)
	;; should be able to use something like (param "HOME_DIR") here, but it's not working for me
	(subpath (string-append "/Users/pete" home-relative-subpath)))

	;; can't write anywhere or read /Users by default
	(deny file-write*)
	(deny file-read*
	(subpath "/Users")
	)

	(allow file-read*
	;; access package manager (pdm)
	(home-subpath "/.local/bin")
	(home-subpath "/.local/pipx")
	;; access python
	(home-subpath "/.asdf")
	(home-subpath "/.tool-versions")
	)

	(allow file-read* file-write*
	;; only needed for install
	(home-subpath "/Library/Caches/pdm")
	;; project dir
	(home-subpath "/projects/my-project")
	;; temp
	(regex "^(/private)?/tmp/")
	(regex "^(/private)?/var/folders")
	(subpath "/dev/null")
	)