1111import Foundation
1212import TSCBasic
1313
14- /// A sandbox profile representing the desired restrictions. The implementation can vary between platforms.
14+ /// A sandbox profile representing the desired restrictions. The implementation can vary between platforms. Currently
15+ /// the only control a client has is in the path rules, but in the future there should also be options for controlling
16+ /// blocking of network access and process launching.
1517public struct SandboxProfile : Equatable {
1618 /// An ordered list of path rules, where the last rule to cover a particular path "wins". These will be resolved
1719 /// to absolute paths at the time the profile is applied. They are applied after any of the implicit directories
@@ -25,14 +27,10 @@ public struct SandboxProfile: Equatable {
2527 case writable( AbsolutePath )
2628 }
2729
28- /// Whether to allow outbound and inbound network access.
29- public var allowNetwork : Bool
30-
3130 /// Configures a SandboxProfile for blocking network access and writing to the file system except to specifically
3231 /// permitted locations.
33- public init ( _ pathAccessRules: [ PathAccessRule ] = [ ] , allowNetwork : Bool = false ) {
32+ public init ( _ pathAccessRules: [ PathAccessRule ] = [ ] ) {
3433 self . pathAccessRules = pathAccessRules
35- self . allowNetwork = allowNetwork
3634 }
3735}
3836
@@ -66,12 +64,6 @@ fileprivate extension SandboxProfile {
6664 // Allow operations on subprocesses.
6765 contents += " (allow process*) \n "
6866
69- // Optionally allow network access (inbound and outbound).
70- if allowNetwork {
71- contents += " (system-network) \n "
72- contents += " (allow network*) \n "
73- }
74-
7567 // Allow reading any file that isn't protected by TCC or permissions (ideally we'd only allow a specific set
7668 // of readable locations, and can maybe tighten this in the future).
7769 contents += " (allow file-read*) \n "
0 commit comments