nix/subprojects/libstore/unix/build/sandbox-network.sb

R""(

; Allow local and remote network traffic.
(allow network* (local ip) (remote ip))

; Allow access to /etc/resolv.conf (which is a symlink to
; /private/var/run/resolv.conf).
(allow file-read-metadata
       (literal "/var")
       (literal "/etc")
       (literal "/etc/resolv.conf")
       (literal "/private/etc/resolv.conf"))

(allow file-read*
       (literal "/private/var/run/resolv.conf"))

; Allow DNS lookups.
(allow network-outbound (remote unix-socket (path-literal "/private/var/run/mDNSResponder")))

; Allow access to trustd.
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))

)""