Last active
May 8, 2023 13:28
-
-
Save mauron85/67fbf015fc095506d511ade9f07e2f8c to your computer and use it in GitHub Desktop.
OSX Sandbox profile for Haiku.app
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Move Haiku.app to your profile Application folder | |
# so you don't accidentally run in outside sanbox | |
# Replace all references of /Users/finch with your username in haiku.sb! | |
# Always use this shell script to launch! | |
sandbox-exec -f ~/sandbox/haiku.sb ~/Applications/Haiku.app/Contents/MacOS/Haiku |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
;; Haiku.app sandbox profile | |
;; based on Tor WEB Browser Bundle sandbox by Paolo Fabio Zaino | |
;; https://paolozaino.wordpress.com/2015/08/04/how-to-run-your-applications-in-a-mac-os-x-sandbox-to-enhance-security/ | |
;; License GPL v2 | |
;; Get this file and hack it to perfection 😉 | |
(version 1) | |
(debug deny) | |
;; allow processes to traverse symlinks | |
(allow file-read-metadata) | |
(allow file-read-data file-read-metadata | |
(regex | |
; Allow reading system dylibs and frameworks | |
#"^/usr/lib/.*\.dylib$" | |
#"^/usr/lib/info/.*\.so$" | |
#"^/System/" | |
#"^/private/var/db/dyld/" | |
#"^(/private)?/etc/hosts\.(allow|deny)$" | |
)) | |
(allow file-read-data file-write-data | |
(regex | |
; Allow files accessed by system dylibs and frameworks | |
#"^/dev/null$" | |
#"^(/private)?/var/run/syslog$" | |
#"^/dev/u?random$" | |
#"^/dev/autofs_nowait$" | |
#"^/dev/dtracehelper$" | |
#"/\.CFUserTextEncoding$" | |
#"^(/private)?/etc/localtime$" | |
#"^/usr/share/nls/" | |
#"^/usr/share/zoneinfo/" | |
)) | |
(allow file-ioctl | |
(regex | |
; Allow access to dtracehelper by dyld | |
#"^/dev/dtracehelper$")) | |
(allow mach-lookup | |
(global-name "com.apple.bsd.dirhelper") | |
(global-name "com.apple.system.DirectoryService.libinfo_v1") | |
(global-name "com.apple.system.DirectoryService.membership_v1") | |
(global-name "com.apple.system.logger") | |
(global-name "com.apple.system.notification_center")) | |
(allow ipc-posix-shm) ; Libnotify | |
;; (allow sysctl-read) | |
(allow signal (target self)) | |
(deny default) | |
(allow file-write* file-read-data file-read-metadata | |
(regex "^/Users/finch/Library/Saved Application State/com.Haiku.HaikuForDesignersAndEngineers") | |
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com\.Haiku\.HaikuForDesignersAndEngineers") | |
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/\.org.chromium.Chromium") | |
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/tmp.*") | |
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/mds/mds.lock") | |
(regex "^/private/var/folders/[^/]+/[^/]+/[^/]+/com.apple.iconservices/store.index") | |
(regex "^/Users/finch/Library/Application Support/haiku") | |
(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.helper.plist") | |
(regex "^/Users/finch/Library/Preferences/com.Haiku.HaikuForDesignersAndEngineers.plist") | |
(regex "^/Users/finch/Library/Logs/Haiku") | |
(regex "^/Applications/Haiku.app") | |
(regex "^/Users/finch/.haiku") | |
(regex "^(/private)?/tmp/")) | |
(allow file-read-data file-read-metadata | |
(literal "/") | |
(subpath "/") | |
(regex "^/dev") | |
(regex "^/dev/autofs.*") | |
(regex "^/Library/Preferences") | |
(regex "^/Library/Fonts") | |
;; (regex "^/Library/Application Support/CrashReporter/SubmitDiagInfo.domains") | |
;; (regex "^/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree") | |
(regex "^/usr/share/icu") | |
(regex "^/usr/share/locale") | |
(regex "^/System/Library") | |
(regex "^/Applications/Haiku.app") | |
(regex "^/usr/lib") | |
(regex "^/usr/local/lib") | |
(regex "^/var") | |
(regex "^/private/var/tmp/") | |
(regex "^/private/etc/hosts") | |
(regex "^/private/var/db/timezone/tz/") | |
(regex "^/private/tmp/") | |
(regex "^/private/etc") | |
(regex "^/private/var/run/resolv.conf") | |
(regex "^/Users/finch") | |
(regex #"Frameworks/SDL.framework")) | |
(allow file-read-xattr | |
(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist") | |
(regex "^/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist")) | |
(allow mach* sysctl-read) | |
(deny file-write-data | |
(regex #"^(/private)?/etc/localtime$" | |
#"^/usr/share/nls/" | |
#"^/usr/share/zoneinfo/")) | |
(allow process-exec* | |
(regex "^/Applications/Haiku.app")) | |
(allow process-exec*) | |
(allow network*) | |
(allow iokit-open) | |
(allow ipc-posix-shm) | |
(allow process-fork) | |
(allow system-socket) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment