| author | Olcan <[email protected]> | 2025-05-07 20:03:29 -0700 |
|---|---|---|
| committer | GitHub <[email protected]> | 2025-05-07 20:03:29 -0700 |
| commit | d524309e3c66a0c1f2e0a5038c204735eb81683b (patch) | |
| tree | 1947fa74d9c8f7c4b0deec8972b0382f8b862a87 /packages/cli/src/utils/sandbox-macos-minimal.sb | |
| parent | 34fe142894fb5ce3f6800745a70e382684ea8101 (diff) | |
use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283)
Diffstat (limited to 'packages/cli/src/utils/sandbox-macos-minimal.sb')
| -rw-r--r-- | packages/cli/src/utils/sandbox-macos-minimal.sb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/packages/cli/src/utils/sandbox-macos-minimal.sb b/packages/cli/src/utils/sandbox-macos-minimal.sb new file mode 100644 index 00000000..c304b838 --- /dev/null +++ b/packages/cli/src/utils/sandbox-macos-minimal.sb @@ -0,0 +1,15 @@ +(version 1) + +;; allow everything by default +(allow default) + +;; deny all writes EXCEPT under project directory, temp directory, stdout/stderr and /dev/null +(deny file-write*) +(allow file-write* + (subpath (param "TARGET_DIR")) + (subpath (param "TMP_DIR")) + (literal "/dev/stdout") + (literal "/dev/stderr") + (literal "/dev/null") +) + |
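Review bot: The two `(subpath (param ...))` filters in the `(allow file-write* ...)` block put the whole write restriction in the hands of whoever supplies `TARGET_DIR` and `TMP_DIR`, and the profile does not document what those values must look like. If either parameter arrives as `/` or as a broad parent such as the user's home directory, the preceding `(deny file-write*)` is effectively undone. Please add a comment stating that both must be absolute, canonicalized paths (symlinks resolved, since `/tmp` and `/var` on macOS are symlinks into `/private`), and have the caller reject empty or root values before launching the sandbox. Separately, because the file opens with `(allow default)`, reads, network access and process execution remain unrestricted; the header comment only says "allow everything by default", so it would help to say outright that this profile confines writes only, so that nobody mistakes "minimal" for read or network isolation.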
