Cargoify servo

author: Jack Moffitt <jack@metajack.im> 2014-08-28 09:34:23 -0600
committer: Jack Moffitt <jack@metajack.im> 2014-09-08 20:21:42 -0600
commit: c6ab60dbfc6da7b4f800c9e40893c8b58413960c (patch)
tree: d1d74076cf7fa20e4f77ec7cb82cae98b67362cb /etc/servo.sb
parent: db2f642c32fc5bed445bb6f2e45b0f6f0b4342cf (diff)
download: servo-c6ab60dbfc6da7b4f800c9e40893c8b58413960c.tar.gz
servo-c6ab60dbfc6da7b4f800c9e40893c8b58413960c.zip
1 files changed, 32 insertions, 0 deletions
diff --git a/etc/servo.sb b/etc/servo.sb
new file mode 100644
index 00000000000..a77706c7edf
--- /dev/null
+++ b/etc/servo.sb
@@ -0,0 +1,32 @@
+(version 1)
+
+(deny default)
+
+(allow file*
+    (literal "/dev/dtracehelper")
+    (literal "/dev/urandom")
+    (literal "/dev/null"))
+
+(allow file-read*
+    (subpath ""))
+
+(allow file-write*
+    (regex #"^/Users/[^/]+/Library/Autosave Information")
+    (subpath "/private/var"))
+
+; This is unfortunate...
+(allow process-exec
+    (regex #"/servo$"))
+
+(deny file-write*
+    (regex #"/servo$"))
+
+(allow sysctl-read)
+(allow sysctl-write)
+(allow ipc-posix-shm)
+(allow process-fork)
+(allow mach-lookup)
+(allow network-outbound)
+
+(debug deny)
+
author	Jack Moffitt <jack@metajack.im>	2014-08-28 09:34:23 -0600
committer	Jack Moffitt <jack@metajack.im>	2014-09-08 20:21:42 -0600
commit	c6ab60dbfc6da7b4f800c9e40893c8b58413960c (patch)
tree	d1d74076cf7fa20e4f77ec7cb82cae98b67362cb /etc/servo.sb
parent	db2f642c32fc5bed445bb6f2e45b0f6f0b4342cf (diff)
download	servo-c6ab60dbfc6da7b4f800c9e40893c8b58413960c.tar.gz servo-c6ab60dbfc6da7b4f800c9e40893c8b58413960c.zip