;; macmark.de 2010-09-01 ;; ;; Restrictions to sandbox Safari.app. ;; It goes from top to bottom and the later rule can overrule an earlier rule. ;; The default rules are only used, if no matching other rule is found. (version 1) (debug deny) (deny default) (allow network-outbound) (allow signal) (allow ipc-posix-shm) ; Needed for POSIX shared memory ;(allow process-exec (regex #"^/Applications/Safari.app/*")) (allow sysctl-read) (allow sysctl-write) (allow file-read-metadata) (allow file-read-xattr) ;(allow file-read-data) (allow file-ioctl) (allow signal) (allow system-socket) (allow process*) ;(allow mach*) (allow mach-lookup) ;(allow process-exec (regex "^/System/Library/CoreServices/*")) ;; Allow starting of programs, for example System Preferences or Software Update via Apple menu. ;(allow job-creation) ;; Allow to read these files: (allow file-read-data (regex #"^/Users/macmark/$" #"^/Users/macmark/Library/Autosave Information" #"^/Users/macmark/Downloads" #"^/Users/macmark/Library/Application Support/AddressBook/*" #"^/Users/macmark/Library/Cookies/*" #"^/Users/macmark/Library/Safari/*" #"^/Users/macmark/Library/Logs/Sync/syncservices.log" #"^/Users/macmark/Library/Caches/com.apple.Safari/*" #"^/Users/macmark/Library/Caches/Metadata/Safari/*" #"^/Users/macmark/Library/Fonts/*" #"^/Users/macmark/Library/Keychains/*" #"^/Users/macmark/Library/Preferences/com.apple.Safari*" #"^/Users/macmark/Library/Preferences/com.apple.java*" #"^/Users/macmark/Library/Preferences/.GlobalPreferences.plist*" #"^/Users/macmark/Library/Preferences/com.github.rentzsch.clicktoflash*" #"^/Users/macmark/Library/PubSub/Database/Database.sqlite3" #"^/Users/macmark/Public" #"^/Users/macmark/Sites" #"^/Applications/Safari.app" #"^/Library/*" #"^/System/Library/*" #"^/usr/lib/*" #"^/usr/share/*" #"^/var/*" #"^/private/*" #"^/dev/*" ) ) ;; Allow to write these files: (allow file-write* (regex #"^/Users/macmark/Downloads/*" #"^/Users/macmark/Library/Cookies/*" #"^/Users/macmark/Library/Application Support/AddressBook/*" #"^/Users/macmark/Library/Application Support/CrashReporter" #"^/Users/macmark/Library/Caches/Metadata/Safari/*" #"^/Users/macmark/Library/Keychains/*" #"^/Users/macmark/Library/Logs/Sync/syncservices.log" #"^/Users/macmark/Library/Safari/*" #"^/Users/macmark/Library/Caches/com.apple.Safari/*" #"^/Users/macmark/Library/Preferences/com.apple.Safari*" #"^/Users/macmark/Library/Preferences/com.apple.java*" #"^/Users/macmark/Library/Preferences/.GlobalPreferences.plist*" #"^/Users/macmark/Library/Preferences/com.github.rentzsch.clicktoflash*" #"^/Users/macmark/Library/PubSub/Database/Database.sqlite3" #"^/var/*" #"^/Library/Caches/Epson/*" #"^/private/var/*" #"^/dev/dtracehelper" #"^/usr/share/icu/*" ) )