From 9c74a6449035fefbe26234159b53e88f47c75761 Mon Sep 17 00:00:00 2001
From: Kate <kit.ty.kate@disroot.org>
Date: Thu, 12 Aug 2021 11:15:55 +0100
Subject: [PATCH] Make the macOS sandbox stricter to workaround a macOS bug
 (fixes #4389)

---
 src/state/shellscripts/sandbox_exec.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/state/shellscripts/sandbox_exec.sh b/src/state/shellscripts/sandbox_exec.sh
index 55fd9784735..9a754b2ca7b 100644
--- a/src/state/shellscripts/sandbox_exec.sh
+++ b/src/state/shellscripts/sandbox_exec.sh
@@ -4,6 +4,7 @@ set -ue
 POL='(version 1)(allow default)(deny network*)(deny file-write*)'
 POL="$POL"'(allow network* (remote unix))'
 POL="$POL"'(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))'
+POL="$POL"'(deny file-read* (regex #"^(/private)?/var/folders/"))'
 
 add_mounts() {
     if [ -d "$2" ]; then