;; Generated from EDL for macOS Seatbelt-style sandboxing.
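(version 1)
;; Baseline: every operation not explicitly allowed below is refused.
(deny default)

;; Ordering matters in SBPL: when two rules match the same operation, the one
;; written later takes precedence. Broad rules therefore come first and the
;; narrower exceptions to them come afterwards.
;; This file is generated, so any correction has to be carried back into the
;; EDL generator or it will be lost on the next regeneration.

;; NOTE(review): process* is a wildcard over every process-class operation.
;; If the workload only needs to spawn children, process-fork and
;; process-exec would be a tighter grant. Confirm what the workload requires.
(allow process*)
(allow sysctl-read)

;; Read-only access to OS-provided locations.
(allow file-read* (subpath "/usr") (subpath "/bin") (subpath "/System") (subpath "/Library"))

;; The checked-out repository is the only read/write working area.
(allow file-read* (subpath "/workspace/repo"))
(allow file-write* (subpath "/workspace/repo"))

;; Seatbelt matches on resolved paths, and on macOS /tmp is a symlink to
;; /private/tmp, so the resolved form is listed next to the original.
;; NOTE(review): there is no file-read* rule for the temp directory, so files
;; written here cannot be read back. Confirm that write-only is intended.
(allow file-write* (subpath "/tmp") (subpath "/private/tmp"))

;; Credential stores. These are already covered by (deny default); the explicit
;; denies sit after the allows so they still win if read access is widened later.
;; HOME must be passed in as a profile parameter (sandbox-exec -D HOME=<path>).
;; NOTE(review): pass the resolved home path, and verify how the loader behaves
;; when the parameter is missing.
(deny file-read* (subpath (string-append (param "HOME") "/.ssh")))
(deny file-read* (subpath (string-append (param "HOME") "/.git-credentials")))
(deny file-read* (subpath (string-append (param "HOME") "/.config/gh")))

;; Docker control socket. /var is a symlink to /private/var on macOS, so the
;; resolved path is denied as well.
;; NOTE(review): connecting to a UNIX socket is, as far as I know, checked as
;; network-outbound rather than file-read*. That stays denied by the blanket
;; network rule below; keep it that way if network rules are ever added.
(deny file-read* (subpath "/var/run/docker.sock"))
(deny file-read* (subpath "/private/var/run/docker.sock"))

;; Use a firewall or egress proxy for hostname-precise network policy.
;; The blanket deny is written first so that the single allow after it takes
;; effect. In the opposite order the later deny matches every outbound
;; connection and shadows the allow.
(deny network-outbound)
;; NOTE(review): Seatbelt's remote filter is documented as "host:port" with
;; host limited to * or localhost, so a bare hostname is likely rejected when
;; the profile is compiled. Verify this. The usual shape is to allow only a
;; local egress proxy, e.g. (remote tcp "localhost:<PROXY_PORT>") with
;; <PROXY_PORT> a placeholder, and enforce the doorkeeper.internal allow-list
;; in that proxy.
(allow network-outbound (remote tcp "doorkeeper.internal"))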
