etc/servo.sb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

(version 1)

(deny default)

(allow file*
    (literal "/dev/dtracehelper")
    (literal "/dev/urandom")
    (literal "/dev/null"))

(allow file-read*
    (subpath ""))

(allow file-write*
    (regex #"^/Users/[^/]+/Library/Autosave Information")
    (subpath "/private/var"))

; This is unfortunate...
(allow process-exec
    (regex #"/servo$"))

(deny file-write*
    (regex #"/servo$"))

(allow sysctl-read)
(allow sysctl-write)
(allow ipc-posix-shm)
(allow process-fork)
(allow mach-lookup)
(allow network-outbound)

(debug deny)