(version 1)

(deny default)

(allow file*
    (literal "/dev/dtracehelper")
    (literal "/dev/urandom")
    (literal "/dev/null"))

(allow file-read*
    (subpath ""))

(allow file-write*
    (regex #"^/Users/[^/]+/Library/Autosave Information")
    (subpath "/private/var"))

; This is unfortunate...
(allow process-exec
    (regex #"/servo$"))

(deny file-write*
    (regex #"/servo$"))

(allow sysctl-read)
(allow sysctl-write)
(allow ipc-posix-shm)
(allow process-fork)
(allow mach-lookup)
(allow network-outbound)

(debug deny)