From 111e564a77248646b0decc63db5931ecd69cedca Mon Sep 17 00:00:00 2001
From: Kate <kit.ty.kate@disroot.org>
Date: Thu, 12 Aug 2021 11:15:55 +0100
Subject: [PATCH] Relax the macOS sandbox (fixes #4389)

---
 src/state/shellscripts/sandbox_exec.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/state/shellscripts/sandbox_exec.sh b/src/state/shellscripts/sandbox_exec.sh
index 370bb58167a..7e2be685f5c 100644
--- a/src/state/shellscripts/sandbox_exec.sh
+++ b/src/state/shellscripts/sandbox_exec.sh
@@ -4,6 +4,7 @@ set -ue
 POL='(version 1)(allow default)(deny network*)(deny file-write*)'
 POL="$POL"'(allow network* (remote unix))'
 POL="$POL"'(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))'
+POL="$POL"'(deny file-read* (regex #"^(/private)?/var/folders/"))'
 
 add_mounts() {
     if [ -d "$2" ]; then