;;
;; common rules for various BSD daemons
;; Copyright (c) 2007 Apple Inc. All Rights reserved.
;;
;; WARNING: The sandbox rules in this file currently constitute
;; Apple System Private Interface and are subject to change at any time and
;; without notice. The contents of this file are also auto-generated and not
;; user editable; it may be overwritten at any time.
;;

;; Profile language version declaration.
(version 1)

;; NOTE(review): presumably makes the sandbox report denied operations for
;; debugging -- confirm against the sandbox documentation for this OS release.
(debug deny)

;; bsd.traverse-symlinks: allows file-read-metadata with no path filter.
;; NOTE(review): with no filter this rule looks like it covers every path, so
;; a process under this profile could stat any file (existence, owner, size,
;; timestamps) even where reading its contents is denied -- confirm that this
;; breadth is intended for each daemon that relies on it.
(define (bsd.traverse-symlinks)
  (allow file-read-metadata))

;; bsd.dylibs-and-frameworks: three allow rules covering the files and IPC
;; that, per the inline comments, system dylibs and frameworks touch.
(define (bsd.dylibs-and-frameworks)
  ;; Rule 1: grants BOTH file-read-data and file-write-data on every pattern
  ;; listed below.
  ;; NOTE(review): the list mixes device nodes and the syslog endpoint with
  ;; what look like static data paths (/etc/localtime, /usr/share/nls/,
  ;; /usr/share/zoneinfo/). If write access is not needed for the latter, a
  ;; least-privilege split into a read-only rule would narrow the policy;
  ;; verify against every profile that uses this definition before changing.
  (allow file-read-data file-write-data
    (regex
      ; Allow files accessed by system dylibs and frameworks
      #"^/dev/null$"
      #"^(/private)?/var/run/syslog$"   ; matches with or without /private
      #"^/dev/u?random$"                ; /dev/random and /dev/urandom
      #"^/dev/dtracehelper$"
      ; No leading ^ on the next pattern: it matches a file with this name in
      ; any directory, not only in one specific home directory.
      #"/\.CFUserTextEncoding$"
      #"^(/private)?/etc/localtime$"
      ; The last two patterns have no trailing $: they are prefix matches and
      ; cover everything beneath these directories.
      #"^/usr/share/nls/"
      #"^/usr/share/zoneinfo/"))
  ;; Rule 2: read-only (data and metadata) access to .dylib files under
  ;; /usr/lib/ and to anything whose path starts with /System/.
  ;; "^/System/" is a prefix match, so the whole /System tree is readable,
  ;; not only framework binaries.
  (allow file-read-data file-read-metadata
    (regex
      ; Allow reading system dylibs and frameworks
      #"^/usr/lib/.*\.dylib$"
      #"^/System/"))
  ;; Rule 3: POSIX shared memory, with no filter on the object name.
  ;; NOTE(review): the original comment ties this to Libnotify; the rule as
  ;; written is not limited to that use -- confirm whether it can be scoped.
  (allow ipc-posix-shm) ; Libnotify
  )

;; Both definitions are invoked here at top level, so their rules take effect
;; whenever this file is evaluated rather than only when a caller opts in.
(bsd.traverse-symlinks)
(bsd.dylibs-and-frameworks)