# systrace policy template, one rule per line.
#
# @@PROG@@, @@RO_DIR@@ and @@RW_DIR@@ are placeholders; presumably a generator
# substitutes them before the policy is loaded (confirm against the caller).
#
# Visible intent of the rules below:
#   - path-taking calls that modify the filesystem are permitted for /tmp,
#     /var/tmp and @@RW_DIR@@ and answered with EPERM for @@RO_DIR@@;
#   - reads (fsread) and execve are permitted for any path;
#   - most remaining system calls are permitted unconditionally.
#
# NOTE(review): rules for the same system call are order-sensitive (systrace
# stops at the first matching rule, to confirm for the version in use), so the
# relative order of the permit and deny lines must be preserved.
# NOTE(review): a call or argument matched by no rule falls through to
# systrace's default handling; confirm the wrapper runs systrace with
# automatic enforcement so unmatched operations are denied, not prompted for.
# NOTE(review): `match` is glob-style; a pattern without a wildcard, such as
# "/tmp", would then cover only that exact path. Confirm whether the
# substitution step or the intended semantics supply the "/*" suffix.
Policy: @@PROG@@, Emulation: native
	native-__getcwd: permit
	native-__semctl: permit
	# NOTE(review): __sysctl is permitted for reads and writes alike; writes
	# are only limited by the process's own privileges.
	native-__sysctl: permit
	native-accept: permit
	# bind: only UNIX-domain socket paths are listed. Other address families
	# match no rule here and fall to the default handling.
	native-bind: sockaddr match "/tmp" then permit
	native-bind: sockaddr match "/var/tmp" then permit
	native-bind: sockaddr match "@@RO_DIR@@" then deny[eperm]
	native-bind: sockaddr match "@@RW_DIR@@" then permit
	native-bind: sockaddr match "/<non-existent filename>: *" then deny[enoent]
	native-break: permit
	native-chdir: permit
	# Path-based metadata changes (chflags/chmod/chown) follow the same
	# pattern: permit in /tmp, /var/tmp and @@RW_DIR@@, EPERM in @@RO_DIR@@,
	# ENOENT for a path systrace reports as non-existent.
	native-chflags: filename match "/tmp" then permit
	native-chflags: filename match "/var/tmp" then permit
	native-chflags: filename match "@@RO_DIR@@" then deny[eperm]
	native-chflags: filename match "@@RW_DIR@@" then permit
	native-chflags: filename match "/<non-existent filename>: *" then deny[enoent]
	native-chmod: filename match "/tmp" then permit
	native-chmod: filename match "/var/tmp" then permit
	native-chmod: filename match "@@RO_DIR@@" then deny[eperm]
	native-chmod: filename match "@@RW_DIR@@" then permit
	native-chmod: filename match "/<non-existent filename>: *" then deny[enoent]
	native-chown: filename match "/tmp" then permit
	native-chown: filename match "/var/tmp" then permit
	native-chown: filename match "@@RO_DIR@@" then deny[eperm]
	native-chown: filename match "@@RW_DIR@@" then permit
	native-chown: filename match "/<non-existent filename>: *" then deny[enoent]
	# NOTE(review): chroot is unconditional. If the traced program can run
	# with privileges, path rules are then evaluated against names inside the
	# new root; confirm that is acceptable.
	native-chroot: permit
	native-clock_getres: permit
	native-clock_gettime: permit
	native-close: permit
	native-closefrom: permit
	native-compat_43_ogetdtablesize: permit
	native-compat_43_ogetpagesize: permit
	native-compat_43_olseek: permit
	# connect: family(0) and UNIX-domain paths only; the listed rules do not
	# permit any other address family. See the note at sendto/sendmsg below.
	native-connect: sockaddr eq "family(0)" then permit
	native-connect: sockaddr match "/dev/log" then permit
	native-connect: sockaddr match "/tmp" then permit
	native-connect: sockaddr match "/var/tmp" then permit
	native-connect: sockaddr match "@@RO_DIR@@" then deny[eperm]
	native-connect: sockaddr match "@@RW_DIR@@" then permit
	native-connect: sockaddr match "/<non-existent filename>: *" then deny[enoent]
	native-dup2: permit
	native-dup: permit
	# NOTE(review): `true` matches every argument, so any program may be
	# executed. Confirm which policy applies to the executed program.
	native-execve: true then permit
	native-exit: permit
	native-fchdir: permit
	# NOTE(review): the descriptor-based calls fchflags/fchmod/fchown (and
	# futimes/ftruncate further down) are unconditional, while their
	# path-based counterparts are restricted. Because fsread permits opening
	# any path, metadata of files under @@RO_DIR@@ may be reachable through a
	# descriptor; confirm whether the read-only guarantee is meant to cover it.
	native-fchflags: permit
	native-fchmod: permit
	native-fchown: permit
	native-fcntl: permit
	native-flock: permit
	native-fork: permit
	# fsread: an empty file name yields ENOENT; every other read is permitted,
	# so confidentiality rests on file permissions alone.
	native-fsread: filename eq "" then deny[enoent]
	native-fsread: true then permit
	native-fstat: permit
	native-fstatfs: permit
	# fswrite: a fixed set of device nodes plus the writable trees.
	native-fswrite: filename eq "" then deny[enoent]
	native-fswrite: filename eq "/dev/crypto" then permit
	native-fswrite: filename eq "/dev/null" then permit
	native-fswrite: filename eq "/dev/stdout" then permit
	native-fswrite: filename eq "/dev/tty" then permit
	native-fswrite: filename eq "/dev/zero" then permit
	native-fswrite: filename match "/tmp" then permit
	native-fswrite: filename match "/var/tmp" then permit
	native-fswrite: filename match "@@RO_DIR@@" then deny[eperm]
	native-fswrite: filename match "@@RW_DIR@@" then permit
	native-fswrite: filename match "/<non-existent filename>: *" then deny[enoent]
	native-fsync: permit
	native-ftruncate: permit
	native-futimes: permit
	native-getdirentries: permit
	native-getegid: permit
	native-geteuid: permit
	native-getfsstat: permit
	native-getgid: permit
	native-getgroups: permit
	native-getlogin: permit
	native-getpeername: permit
	native-getpgid: permit
	native-getpgrp: permit
	native-getpid: permit
	native-getppid: permit
	native-getpriority: permit
	native-getrlimit: permit
	native-getrusage: permit
	native-getsid: permit
	native-getsockname: permit
	native-getsockopt: permit
	native-getthrid: permit
	native-gettimeofday: permit
	native-getuid: permit
	# NOTE(review): ioctl and kill carry no argument filter; which devices
	# and processes are reachable depends only on the process credentials.
	native-ioctl: permit
	native-issetugid: permit
	native-kevent: permit
	native-kill: permit
	native-kqueue: permit
	native-lchown: filename match "/tmp" then permit
	native-lchown: filename match "/var/tmp" then permit
	native-lchown: filename match "@@RO_DIR@@" then deny[eperm]
	native-lchown: filename match "@@RW_DIR@@" then permit
	native-lchown: filename match "/<non-existent filename>: *" then deny[enoent]
	# link: both names (filename and filename[1]) must lie in the same
	# writable tree; the call is refused if either name is under @@RO_DIR@@.
	native-link: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-link: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-link: filename match "@@RO_DIR@@" or filename[1] match "@@RO_DIR@@" then deny[eperm]
	native-link: filename match "@@RW_DIR@@" and filename[1] match "@@RW_DIR@@" then permit
	native-link: filename match "/<non-existent filename>: *" then deny[enoent]
	native-listen: permit
	native-lseek: permit
	native-madvise: permit
	# NOTE(review): unlike the sibling path rules, mknod has no
	# "/<non-existent filename>: *" entry; confirm whether that is deliberate.
	native-mknod: filename match "/tmp" then permit
	native-mknod: filename match "/var/tmp" then permit
	native-mknod: filename match "@@RO_DIR@@" then deny[eperm]
	native-mknod: filename match "@@RW_DIR@@" then permit
	native-mlock: permit
	native-mlockall: permit
	native-mmap: permit
	native-mprotect: permit
	native-mquery: permit
	native-msync: permit
	native-munmap: permit
	native-nanosleep: permit
	native-osigaltstack: permit
	native-pathconf: permit
	native-pipe: permit
	native-poll: permit
	native-pread: permit
	native-pwrite: permit
	native-quotactl: permit
	native-read: permit
	native-readv: permit
	native-recvfrom: permit
	native-recvmsg: permit
	# rename: filename is the source, filename[1] the target. Listed
	# directions: /tmp -> /tmp, /var/tmp, @@RW_DIR@@; /var/tmp -> /var/tmp,
	# @@RW_DIR@@; @@RW_DIR@@ -> @@RW_DIR@@. Moves out of @@RW_DIR@@ and
	# /var/tmp -> /tmp are not listed and fall to the default handling.
	# NOTE(review): two /tmp permits precede the @@RO_DIR@@ deny; with
	# first-match evaluation they win if @@RO_DIR@@ overlaps those trees.
	native-rename: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-rename: filename match "/tmp" and filename[1] match "/var/tmp" then permit
	native-rename: filename match "@@RO_DIR@@" or filename[1] match "@@RO_DIR@@" then deny[eperm]
	native-rename: filename match "/tmp" and filename[1] match "@@RW_DIR@@" then permit
	native-rename: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-rename: filename match "/var/tmp" and filename[1] match "@@RW_DIR@@" then permit
	native-rename: filename match "@@RW_DIR@@" and filename[1] match "@@RW_DIR@@" then permit
	native-rename: filename match "/<non-existent filename>: *" then deny[enoent]
	native-rfork: permit
	native-sched_yield: permit
	native-select: permit
	native-semctl: permit
	native-semget: permit
	native-semop: permit
	# NOTE(review): sendmsg/sendto are unconditional and can carry a
	# destination address on an unconnected socket, so the connect rules
	# above do not by themselves bound outbound traffic. Confirm whether
	# network isolation is a goal of this policy.
	native-sendmsg: permit
	native-sendto: permit
	# NOTE(review): every credential-changing call (setuid, setgid,
	# setgroups, setre*/setres*) is unconditional. These only take effect
	# for a privileged process; confirm the traced program never runs as
	# root, or narrow these rules.
	native-setegid: permit
	native-setgid: permit
	native-setgroups: permit
	native-setitimer: permit
	native-setpgid: permit
	native-setpriority: permit
	native-setregid: permit
	native-setresgid: permit
	native-setresuid: permit
	native-setreuid: permit
	native-setrlimit: permit
	native-setsid: permit
	native-setsockopt: permit
	native-setuid: permit
	native-shmat: permit
	native-shmctl: permit
	native-shmdt: permit
	native-shmget: permit
	native-shutdown: permit
	native-sigaction: permit
	native-sigaltstack: permit
	native-sigprocmask: permit
	native-sigreturn: permit
	native-sigsuspend: permit
	native-socket: permit
	native-socketpair: permit
	native-statfs: permit
	# symlink: only the `filename` argument is filtered; the `string`
	# argument is checked only for being empty, in the last rule.
	native-symlink: filename match "/tmp" then permit
	native-symlink: filename match "/var/tmp" then permit
	native-symlink: filename match "@@RO_DIR@@" then deny[eperm]
	native-symlink: filename match "@@RW_DIR@@" then permit
	native-symlink: string eq "" and filename eq "" then deny[enoent]
	native-sync: permit
	native-threxit: permit
	native-thrsigdivert: permit
	native-thrsleep: permit
	native-thrwakeup: permit
	native-umask: permit
	# NOTE(review): utimes takes a path but has no filter, so timestamps
	# under @@RO_DIR@@ can be changed where file permissions allow it.
	native-utimes: permit
	native-vfork: permit
	native-wait4: permit
	native-write: permit
	native-writev: permit