Add a simple Servo sandbox profile for Mac.

This does not yet enter the sandbox.

src/etc/servo.sb

@@ -0,0 +1,29 @@
+(version 1)
+
+(deny default)
+
+(allow file*
+    (literal "/dev/dtracehelper")
+    (literal "/dev/urandom")
+    (literal "/dev/null"))
+
+(allow file-read*
+    (subpath ""))
+
+(allow file-write*
+    (regex #"^/Users/[^/]+/Library/Autosave Information")
+    (subpath "/private/var"))
+
+; This is unfortunate...
+(allow process-exec
+    (regex #"/servo$"))
+
+(allow sysctl-read)
+(allow sysctl-write)
+(allow ipc-posix-shm)
+(allow process-fork)
+(allow mach-lookup)
+(allow network-outbound)
+
+(debug deny)
+