Cargoify servo

etc/servo.sb

@@ -0,0 +1,32 @@
+(version 1)
+
+(deny default)
+
+(allow file*
+    (literal "/dev/dtracehelper")
+    (literal "/dev/urandom")
+    (literal "/dev/null"))
+
+(allow file-read*
+    (subpath ""))
+
+(allow file-write*
+    (regex #"^/Users/[^/]+/Library/Autosave Information")
+    (subpath "/private/var"))
+
+; This is unfortunate...
+(allow process-exec
+    (regex #"/servo$"))
+
+(deny file-write*
+    (regex #"/servo$"))
+
+(allow sysctl-read)
+(allow sysctl-write)
+(allow ipc-posix-shm)
+(allow process-fork)
+(allow mach-lookup)
+(allow network-outbound)
+
+(debug deny)
+