mauron85/haiku

## haiku
#!/bin/bash

# Move Haiku.app to your profile Application folder
# so you don't accidentally run in outside sanbox
# Replace all references of /Users/finch with your username in haiku.sb!
# Always use this shell script to launch!

sandbox-exec -f ~/sandbox/haiku.sb ~/Applications/Haiku.app/Contents/MacOS/Haiku

## haiku.sb
;; Haiku.app sandbox profile
;; based on Tor WEB Browser Bundle sandbox by Paolo Fabio Zaino
;; https://paolozaino.wordpress.com/2015/08/04/how-to-run-your-applications-in-a-mac-os-x-sandbox-to-enhance-security/
;; License GPL v2
;; Get this file and hack it to perfection 😉
(version 1)
(debug deny)

;; allow processes to traverse symlinks
(allow file-read-metadata)

(allow file-read-data file-read-metadata
  (regex
    ; Allow reading system dylibs and frameworks
    #"^/usr/lib/.*\.dylib$"
    #"^/usr/lib/info/.*\.so$"
    #"^/System/"
    #"^/private/var/db/dyld/"
    #"^(/private)?/etc/hosts\.(allow|deny)$"
  ))

(allow file-read-data file-write-data
  (regex
    ; Allow files accessed by system dylibs and frameworks
    #"^/dev/null$"
    #"^(/private)?/var/run/syslog$"
    #"^/dev/u?random$"
    #"^/dev/autofs_nowait$"
    #"^/dev/dtracehelper$"
    #"/\.CFUserTextEncoding$"
    #"^(/private)?/etc/localtime$"
    #"^/usr/share/nls/"
    #"^/usr/share/zoneinfo/"
  ))

(allow file-ioctl
  (regex
    ; Allow access to dtracehelper by dyld
    #"^/dev/dtracehelper$"))

(allow mach-lookup
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.system.DirectoryService.libinfo_v1")
  (global-name "com.apple.system.DirectoryService.membership_v1")
  (global-name "com.apple.system.logger")
  (global-name "com.apple.system.notification_center"))

(allow ipc-posix-shm) ; Libnotify

;; (allow sysctl-read)

(allow signal (target self))

(deny default)

(allow file-write* file-read-data file-read-metadata
  (regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock")
  (regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com.apple.iconservices/store.index")
  (regex "^/Users/finch/Library/Application Support/haiku")
  (regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist")
  (regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist")
  (regex "^/Users/finch/Library/Logs/Haiku")
  (regex "^/Applications/Haiku.app")
  (regex "^/Users/finch/.haiku")
  (regex "^(/private)?/tmp/"))

(allow file-read-data file-read-metadata
  (literal "/")
  (subpath "/")
  (regex "^/dev")
  (regex "^/dev/autofs.*")
  (regex "^/Library/Preferences")
  (regex "^/Library/Fonts")
;;  (regex "^/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
;;  (regex "^/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
  (regex "^/usr/share/icu")
  (regex "^/usr/share/locale")
  (regex "^/System/Library")
  (regex "^/Applications/Haiku.app")
  (regex "^/usr/lib")
  (regex "^/usr/local/lib")
  (regex "^/var")
  (regex "^/private/var/tmp/")
  (regex "^/private/etc/hosts")
  (regex "^/private/var/db/timezone/tz/")
  (regex "^/private/tmp/")
  (regex "^/private/etc")
  (regex "^/private/var/run/resolv.conf")
  (regex "^/Users/finch")
  (regex #"Frameworks/SDL.framework"))

(allow file-read-xattr
  (regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
  (regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist"))

(allow mach* sysctl-read)

(deny file-write-data
   (regex #"^(/private)?/etc/localtime$"
     #"^/usr/share/nls/"
	 #"^/usr/share/zoneinfo/"))

(allow process-exec*
  (regex "^/Applications/Haiku.app"))

(allow process-exec*)

(allow network*)
(allow iokit-open)
(allow ipc-posix-shm)
(allow process-fork)
(allow system-socket)
	#!/bin/bash

	# Move Haiku.app to your profile Application folder
	# so you don't accidentally run in outside sanbox
	# Replace all references of /Users/finch with your username in haiku.sb!
	# Always use this shell script to launch!

	sandbox-exec -f ~/sandbox/haiku.sb ~/Applications/Haiku.app/Contents/MacOS/Haiku
	;; Haiku.app sandbox profile
	;; based on Tor WEB Browser Bundle sandbox by Paolo Fabio Zaino
	;; https://paolozaino.wordpress.com/2015/08/04/how-to-run-your-applications-in-a-mac-os-x-sandbox-to-enhance-security/
	;; License GPL v2
	;; Get this file and hack it to perfection 😉
	(version 1)
	(debug deny)

	;; allow processes to traverse symlinks
	(allow file-read-metadata)

	(allow file-read-data file-read-metadata
	(regex
	; Allow reading system dylibs and frameworks
	#"^/usr/lib/.*\.dylib$"
	#"^/usr/lib/info/.*\.so$"
	#"^/System/"
	#"^/private/var/db/dyld/"
	#"^(/private)?/etc/hosts\.(allow\|deny)$"
	))

	(allow file-read-data file-write-data
	(regex
	; Allow files accessed by system dylibs and frameworks
	#"^/dev/null$"
	#"^(/private)?/var/run/syslog$"
	#"^/dev/u?random$"
	#"^/dev/autofs_nowait$"
	#"^/dev/dtracehelper$"
	#"/\.CFUserTextEncoding$"
	#"^(/private)?/etc/localtime$"
	#"^/usr/share/nls/"
	#"^/usr/share/zoneinfo/"
	))

	(allow file-ioctl
	(regex
	; Allow access to dtracehelper by dyld
	#"^/dev/dtracehelper$"))

	(allow mach-lookup
	(global-name "com.apple.bsd.dirhelper")
	(global-name "com.apple.system.DirectoryService.libinfo_v1")
	(global-name "com.apple.system.DirectoryService.membership_v1")
	(global-name "com.apple.system.logger")
	(global-name "com.apple.system.notification_center"))

	(allow ipc-posix-shm) ; Libnotify

	;; (allow sysctl-read)

	(allow signal (target self))

	(deny default)

	(allow file-write* file-read-data file-read-metadata
	(regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock")
	(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com.apple.iconservices/store.index")
	(regex "^/Users/finch/Library/Application Support/haiku")
	(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist")
	(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist")
	(regex "^/Users/finch/Library/Logs/Haiku")
	(regex "^/Applications/Haiku.app")
	(regex "^/Users/finch/.haiku")
	(regex "^(/private)?/tmp/"))

	(allow file-read-data file-read-metadata
	(literal "/")
	(subpath "/")
	(regex "^/dev")
	(regex "^/dev/autofs.*")
	(regex "^/Library/Preferences")
	(regex "^/Library/Fonts")
	;; (regex "^/Library/Application Support/CrashReporter/SubmitDiagInfo.domains")
	;; (regex "^/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
	(regex "^/usr/share/icu")
	(regex "^/usr/share/locale")
	(regex "^/System/Library")
	(regex "^/Applications/Haiku.app")
	(regex "^/usr/lib")
	(regex "^/usr/local/lib")
	(regex "^/var")
	(regex "^/private/var/tmp/")
	(regex "^/private/etc/hosts")
	(regex "^/private/var/db/timezone/tz/")
	(regex "^/private/tmp/")
	(regex "^/private/etc")
	(regex "^/private/var/run/resolv.conf")
	(regex "^/Users/finch")
	(regex #"Frameworks/SDL.framework"))

	(allow file-read-xattr
	(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
	(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist"))

	(allow mach* sysctl-read)

	(deny file-write-data
	(regex #"^(/private)?/etc/localtime$"
	#"^/usr/share/nls/"
	#"^/usr/share/zoneinfo/"))

	(allow process-exec*
	(regex "^/Applications/Haiku.app"))

	(allow process-exec*)

	(allow network*)
	(allow iokit-open)
	(allow ipc-posix-shm)
	(allow process-fork)
	(allow system-socket)