ipmb · March 18, 2022 16:06
diff --git a/sandbox.sb b/sandbox.sb
 (version 1)
 (allow default)
 (debug deny)

 (define (home-subpath home-relative-subpath)
  ;; should be able to use something like (param "HOME_DIR") here, but it's not working for me
  (subpath (string-append "/Users/pete" home-relative-subpath)))

 ;; can't write anywhere or read /Users by default
 (deny file-write*)
 (deny file-read*
  (subpath "/Users")
 )

 (allow file-read*
  ;; access package manager (pdm)
  (home-subpath "/.local/bin")
  (home-subpath "/.local/pipx")
  ;; access python
  (home-subpath "/.asdf")
  (home-subpath "/.tool-versions")
 )

 (allow file-read* file-write*
  ;; only needed for install
  (home-subpath "/Library/Caches/pdm")
  ;; project dir
  (home-subpath "/projects/my-project")
  ;; temp
  (regex "^(/private)?/tmp/")
  (regex "^(/private)?/var/folders")
  (subpath "/dev/null")
 )
	(version 1)
	(allow default)
	(debug deny)

	(define (home-subpath home-relative-subpath)
	;; should be able to use something like (param "HOME_DIR") here, but it's not working for me
	(subpath (string-append "/Users/pete" home-relative-subpath)))

	;; can't write anywhere or read /Users by default
	(deny file-write*)
	(deny file-read*
	(subpath "/Users")
	)

	(allow file-read*
	;; access package manager (pdm)
	(home-subpath "/.local/bin")
	(home-subpath "/.local/pipx")
	;; access python
	(home-subpath "/.asdf")
	(home-subpath "/.tool-versions")
	)

	(allow file-read* file-write*
	;; only needed for install
	(home-subpath "/Library/Caches/pdm")
	;; project dir
	(home-subpath "/projects/my-project")
	;; temp
	(regex "^(/private)?/tmp/")
	(regex "^(/private)?/var/folders")
	(subpath "/dev/null")
	)