(version 1)

; clamav.sb - ClamAV clamd(8) Sandbox Policy
; Used when clamd(8) is run by launchd (the default).
; Mac OS X Server only
(debug deny)
(deny default)

; When the sandbox takes root, we're in the sandbox-exec(1) helper.  The helper needs to be able to
; actually start clamd.
(allow process-fork)
(allow process-exec (regex #"^/usr/sbin/clamd$"))

; Allow read access to several files...
(allow file-read* 
	(regex #"^/(etc|var)$")
	(regex #"^/dev/(null|random)$")
	(regex #"^/dev/(null|urandom)$")
	(regex #"^/private/etc/(clamd.conf|localtime)$")
	(regex #"^/private/var/log/clamav.log$")
	(regex #"^/usr/(lib|share)/")
	(regex #"^/private/var/clamav/")
	(regex #"^/private/var/clamav$")
)

; Allow write access to a few files...
(allow file*
	(regex #"^/private/var/amavis/tmp")
	(regex #"^/private/var/log/clamav.log$")
)

; Allow (or silently deny) dtracing clamav within the sandbox...
;(allow file* (regex #"^/dev/dtracehelper$"))
(deny file* (regex #"^/dev/dtracehelper$") (with no-log))

; Allow access to the Unix socket...
(allow file-write* network-bind (regex #"^/private/var/amavis/clamd"))

; Allow sysctl reads...
(allow sysctl-read)