More 'allowed_application_directories' in config.json

[JayBrown]

Please note: this is just a proposal; however, I do believe that at the very least /sbin should be added to the list.

Missing:

• /sbin

Subdirectories missing in /usr/local:

• ./sbin
• ./libexec

Support for Homebrew:

• /usr/local/Cellar

Support for specific locations incl. subdirectories in system default /opt path:

• MacPorts: /opt/local
• Fink: /opt/sw
• X11: /opt/X11

Support for (a) system default app location (NSAllDomainsMask > NSAllApplicationsDirectory) and for (b) system default library locations (NSAllDomainsMask > NSAllLibrariesDirectory) in:

• /Network/Applications
• /Library (lots of processes launched from here, incl. Apple processes like ath, plus e.g. helper apps, updaters, Java bin directory etc. pp.)
• /Developer (incl. macOS default app directory /Developer/Applications)
• /Network/Library
• /Network/Developer (incl. macOS default app directory /Network/Developer/Applications)

FURTHER PATHS NOT (YET) ADDED (with explanations)

• /usr/lib: some processes actually run from here (directly or subdirectory, e.g. /usr/lib/system/wordexp-helper)

[CLAassistant]

All committers have signed the CLA.

[alessandrogario]

Hello @JayBrown

it does make sense to include the list of paths you added to the configuration file, thanks for updating it!

[JayBrown]

There's another problem: several apps tend to update while launching "intermediate" processes from /private/tmp or some folder nested in the user library etc. But I think there has to be a limit to how many execution paths you allow. At some point it has to be manged by the individual sys admin, which paths he will add to the default ones.