;;; Copyright (c) 2017 Apple Inc. All Rights reserved.
;;;
;;; WARNING: The sandbox rules in this file currently constitute
;;; Apple System Private Interface and are subject to change at any time and
;;; without notice.
;;;
(version 2)

;; Pull in the rules from cryptex-session-default.sb. That file is not visible
;; here, so the effective policy is whatever it defines plus the single
;; exception below.
(import "cryptex-session-default.sb")

;; Enable ruby by allowing access to /Library/Ruby (rdar://103148445)
;;
;; !!! THIS IS INSECURE !!!
;;
;; By doing this, we are letting ruby execute unauthenticated code from the
;; data volume. Getting a proper fix is tracked by rdar://45240835 (Move system
;; content from /Library/Ruby to a system-owned location).
;;
;; Scope of the exception:
;;   - Operations: file-read* (every file-read operation) and
;;     file-test-existence only. This rule itself adds no write or exec
;;     operation; any such permission would have to come from the import.
;;   - (literal "/Library") matches that one path exactly, not its children.
;;   - (subpath "/Library/Ruby") matches that directory and everything below it.
;;
;; NOTE(review): the risk described above presumably arises because content
;; under /Library/Ruby sits outside the system volume's integrity protection,
;; so whoever can write there influences what a sandboxed ruby loads. Confirm
;; against rdar://45240835, and delete this rule once the content has moved to
;; a system-owned location.
(allow file-read* file-test-existence
    (literal "/Library")
    (subpath "/Library/Ruby")
)