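(version 1)

;; Sandbox debug verbosity. (debug deny) would limit logging to denied
;; operations, which is the usual choice outside development —
;; NOTE(review): confirm the intended verbosity.
(debug allow)

;; Name of the profile parameter that carries Rack's home directory. The
;; caller supplies it (e.g. `sandbox-exec -D RACK_HOME=<path> ...`) and it
;; is read back below with (param rack-home).
(define rack-home "RACK_HOME")

;; POSIX shared memory; needed for IPC on OS X >= 10.6.
(allow ipc-posix-shm)

;; Inbound and outbound network connections.
(allow network-outbound)
(allow network-inbound)

;; Reading kernel state via sysctl.
(allow sysctl-read)

;; File metadata (stat & co.) may be read anywhere; content reads are
;; restricted separately below.
(allow file-read-metadata)

;; Forking and exec'ing child processes. The wildcard covers the whole
;; process-* operation family (process-fork, process-exec, ...), so this
;; is one of the broadest grants in the profile.
(allow process*)

;; Sending signals (e.g. to itself).
(allow signal)

(allow iokit-open)
(allow mach-lookup)
(allow system-socket)

;; Full read/write access under the Rack home directory supplied by the caller.
(allow file-read* file-write*
       (subpath (param rack-home)))

;; Read-only access. `subpath` matches the directory itself and everything
;; beneath it. The previous patterns were regexes of the form #"^/usr/*",
;; where the trailing `/*` means "zero or more slashes", so they also matched
;; unrelated siblings such as /usrfoo; `subpath` expresses the intended
;; prefix match exactly.
(allow file-read*
       (subpath "/Applications/Rack.app")
       (subpath "/Library")
       (subpath "/System/Library")
       (subpath "/usr")
       (subpath "/dev")
       ;; Developer checkout; only exists on the author's machine.
       (subpath "/Users/jon/Projects/Rack")
       ;; Anchored with `^` so the pattern cannot match in the middle of a
       ;; path; one path component for the user name; dots escaped so they
       ;; match literally.
       (regex #"^/Users/[^/]+/Library/Saved Application State/com\.vcvrack\.rack\.savedState"))

;; Write access to a subset of the above (temporary locations).
;; NOTE(review): /private/var as a whole is far broader than the temp
;; directories Rack needs (e.g. /private/var/folders); consider narrowing.
(allow file-write*
       (subpath "/private/var")
       (subpath "/private/tmp")
       ;; "th" is the per-user hash segment of the temp-folder path and is
       ;; specific to the author's machine.
       (subpath "/var/folders/th"))

;; Issuing sandbox extensions for files under /private/var.
(allow file-issue-extension
       (subpath "/private/var"))

;; Everything not explicitly allowed above is denied.
(deny default)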