

OS X Lion using Scheme to define sandbox configuration? - phren0logy
http://www.reddit.com/r/apple/comments/sht8r/os_x_lion_using_scheme_to_define_sandbox/

======
phren0logy
From the linked page:

Here are the contents of /usr/share/sandbox/sshd.sb:

    
    
      ;; Copyright (c) 2008 Apple Inc.  All Rights reserved.
      ;;
      ;; sshd - profile for privilege separated children
      ;;
      ;; WARNING: The sandbox rules in this file currently constitute 
      ;; Apple System Private Interface and are subject to change at any time and
      ;; without notice.
      ;;
    
      (version 1)
      
      (deny default)
      
      (allow file-chroot)
      (allow file-read-metadata (literal "/var"))
    
      (allow sysctl-read)
      (allow mach-per-user-lookup)
      (allow mach-lookup
        (global-name "com.apple.system.notification_center")
        (global-name "com.apple.system.logger"))
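
Added example, not part of the original post and not Apple's own tooling: a small Python reader for the S-expression syntax of the profile quoted above, which reports the default action and the operations the profile allows. The names `parse`, `render` and `summarize` are hypothetical, and the summary assumes one operation per rule, as in this profile.

```python
import re

# Constructed sample: the rules of sshd.sb as quoted above (header comment shortened).
PROFILE = r'''
;; sshd - profile for privilege separated children
(version 1)
(deny default)
(allow file-chroot)
(allow file-read-metadata (literal "/var"))
(allow sysctl-read)
(allow mach-per-user-lookup)
(allow mach-lookup
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.system.logger"))
'''

# One token per match: a ';' comment (no group), a string, a paren, or a symbol.
TOKEN = re.compile(r';[^\n]*|("(?:\\.|[^"\\])*")|([()])|([^\s()";]+)')

def parse(text):
    """Return the top-level forms as nested lists; strings keep their quotes."""
    stack = [[]]
    for string, paren, symbol in (m.groups() for m in TOKEN.finditer(text)):
        if paren == "(":
            stack.append([])
        elif paren == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()          # close the innermost list ...
            stack[-1].append(form)      # ... and attach it to its parent
        elif string or symbol:          # comments leave every group empty
            stack[-1].append(string or symbol)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]

def render(form):
    return form if isinstance(form, str) else "(" + " ".join(map(render, form)) + ")"

def summarize(text):
    """Return (default action, {allowed operation: [filters]}); one operation per rule assumed."""
    default, allowed = None, {}
    for form in parse(text):
        if len(form) < 2 or form[0] not in ("allow", "deny"):
            continue                    # e.g. (version 1)
        action, op, filters = form[0], render(form[1]), form[2:]
        if op == "default":
            default = action
        elif action == "allow":
            allowed.setdefault(op, []).extend(render(f) for f in filters)
    return default, allowed
```

Calling `summarize(PROFILE)` gives a default of `deny` and five allowed operations, two of them narrowed by filters (`file-read-metadata` to the literal path `/var`, `mach-lookup` to two named services).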

