etc/servo.sb - servo - Git at Google

 (version 1)

 (deny default)

 (allow file*
     (literal "/dev/dtracehelper")
     (literal "/dev/urandom")
     (literal "/dev/null"))

 (allow file-read*
     (subpath ""))

 (allow file-write*
     (regex #"^/Users/[^/]+/Library/Autosave Information")
     (subpath "/private/var"))

 ; This is unfortunate...
 (allow process-exec
     (regex #"/servo$"))

 (deny file-write*
     (regex #"/servo$"))

 (allow sysctl-read)
 (allow sysctl-write)
 (allow ipc-posix-shm)
 (allow process-fork)
 (allow mach-lookup)
 (allow network-outbound)

 (debug deny)
	(version 1)

	(deny default)

	(allow file*
	(literal "/dev/dtracehelper")
	(literal "/dev/urandom")
	(literal "/dev/null"))

	(allow file-read*
	(subpath ""))

	(allow file-write*
	(regex #"^/Users/[^/]+/Library/Autosave Information")
	(subpath "/private/var"))

	; This is unfortunate...
	(allow process-exec
	(regex #"/servo$"))

	(deny file-write*
	(regex #"/servo$"))

	(allow sysctl-read)
	(allow sysctl-write)
	(allow ipc-posix-shm)
	(allow process-fork)
	(allow mach-lookup)
	(allow network-outbound)

	(debug deny)