1(version 1) 2(deny default) 3(import "system.sb") 4 5; System is read only 6(allow file-read*) 7 8; Crypto devices 9(allow file-read* file-write* (regex "^/dev/(random|urandom)$")) 10 11; Legacy, statically allocated PTYs 12(allow file-read* file-write* (regex "^/dev/(ttyp[0-9a-f]|ptyp[0-9a-f])$")) 13 14;; Dynamically allocated PTYs using openpty() 15(allow pseudo-tty) 16(allow file-read* file-write* file-ioctl (literal "/dev/ptmx")) 17(allow file-read* file-write* 18 (require-all 19 (regex #"^/dev/ttys[0-9]*") 20 (extension "com.apple.sandbox.pty"))) 21 22; NOTE: Later rules override earlier rules. 23 24(system-network) 25 26; Plug-in code signature checking 27(allow file-write* (regex #"^/private/var/folders/[^/]+/[^/]+/C/mds(/|$)")) 28 29(allow file-read* 30 (literal "/Library/Preferences/.GlobalPreferences.plist")) 31 32(allow mach-lookup) 33 34(allow network*) 35 36; To allow crash reporter / exceptions to kill the process 37(allow signal (target self)) 38 39(allow ipc-posix-shm) 40(allow ipc-posix-sem) 41 42(allow file-read* file-write* (extension "com.apple.app-sandbox.read-write")) 43 44(allow mach-register) 45