This repository was archived by the owner on Mar 28, 2023. It is now read-only.

Only Allow Process Execution from Specific Directories #17

@mike-myers-tob

Description


Why

As a security engineer, I only want processes from specific directory paths to be approved and executed so that my team can prevent applications located in other directories on the device's hard drive from running.

Acceptance Criteria

  • Only allow processes from the /Applications/, /Downloads/, and /Desktop/ directories to be executed.
  • Allow security engineers to edit and manage the list of approved source directories.

Dev Notes

E.g., "do not allow execution from Trash" (~/.Trash/)

Allow selective enforcement by executable path. Initially our enforcement will be scoped to the /Applications/ directory. (We know this comes with plenty of workarounds, but this is just the first phase.)
We should be able to express something like:

```json
{
  "default_action": "allow_all",
  "execution_rule":
    { "type": "path", "path_prefix": "/Applications/", "action": "enforce" }
}
```

Ability to specify configuration "types" based on the relevant ESF metadata. In the example above, "path" is a rule type which is associated with an action. Our immediate need is to be able to allow specific developer certificates.
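A worked evaluator for the rule schema sketched above, added here as an example and not code from this project. It generalizes the single `execution_rule` into an ordered `execution_rules` list and gives `enforce` rules an `allowed_team_ids` field to stand in for the developer-certificate allowlist; those two field names, the `allow`/`deny` rule actions, the `deny_all` default and the `~` expansion against a caller-supplied home directory are assumptions of the example. The `exec_path` and `team_id` inputs stand in for the executable path and code-signing team ID an `ES_EVENT_TYPE_AUTH_EXEC` handler would read from the event's target process. The canonicalization step is the check a practitioner wants before any prefix comparison: without it, `/Applications/../tmp/x` satisfies the `/Applications/` rule.

```python
"""Toy evaluator for the path-prefix execution policy sketched in the issue.

Hypothetical example, not the project's code. Everything beyond
default_action / type / path_prefix / action is an assumed extension.
"""
import json
import posixpath
from typing import Optional, Tuple

# Constructed policy in the issue's schema, generalized to an ordered rule list.
POLICY_JSON = """
{
  "default_action": "deny_all",
  "execution_rules": [
    {"type": "path", "path_prefix": "~/.Trash/",      "action": "deny"},
    {"type": "path", "path_prefix": "/Applications/", "action": "enforce",
     "allowed_team_ids": ["ABCDE12345"]},
    {"type": "path", "path_prefix": "~/Downloads/",   "action": "allow"},
    {"type": "path", "path_prefix": "~/Desktop/",     "action": "allow"}
  ]
}
"""


def canonical(path: str, home: str) -> str:
    """Expand a leading '~' to `home` and collapse '.', '..' and '//'.

    Prefix checks are only meaningful on a canonical absolute path; otherwise
    '/Applications/../tmp/x' would satisfy the '/Applications/' rule. A real
    implementation should also resolve symlinks (os.path.realpath) against the
    live filesystem; the lexical form here keeps the example deterministic.
    """
    if path == "~" or path.startswith("~/"):
        path = home.rstrip("/") + path[1:]
    if not path.startswith("/"):
        raise ValueError(f"executable path must be absolute: {path!r}")
    return posixpath.normpath(path)


def dir_prefix(prefix: str, home: str) -> str:
    # Force a trailing slash so '/Applications' cannot match '/ApplicationsEvil/x'.
    return canonical(prefix, home).rstrip("/") + "/"


def load_policy(text: str) -> dict:
    """Parse and validate the policy; reject anything this evaluator can't enforce."""
    policy = json.loads(text)
    if policy.get("default_action") not in ("allow_all", "deny_all"):
        raise ValueError("default_action must be allow_all or deny_all")
    for rule in policy.get("execution_rules", []):
        if rule.get("type") != "path":
            raise ValueError(f"unsupported rule type: {rule.get('type')!r}")
        if rule.get("action") not in ("allow", "deny", "enforce"):
            raise ValueError(f"bad action in rule {rule!r}")
        if rule["action"] == "enforce" and not rule.get("allowed_team_ids"):
            raise ValueError("enforce rules need a non-empty allowed_team_ids")
    return policy


def evaluate(policy: dict, exec_path: str, team_id: Optional[str],
             home: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one exec event; first matching rule wins."""
    path = canonical(exec_path, home)
    for rule in policy.get("execution_rules", []):
        prefix = dir_prefix(rule["path_prefix"], home)
        if not path.startswith(prefix):
            continue
        action = rule["action"]
        if action == "allow":
            return "allow", f"allowed by rule {prefix}"
        if action == "deny":
            return "deny", f"denied by rule {prefix}"
        # enforce: inside the directory, but only if signed by an approved team
        if team_id and team_id in rule["allowed_team_ids"]:
            return "allow", f"enforce rule {prefix}: team {team_id} approved"
        return "deny", f"enforce rule {prefix}: team {team_id!r} not approved"
    if policy["default_action"] == "allow_all":
        return "allow", "no rule matched; default allow_all"
    return "deny", "no rule matched; default deny_all"


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    home = "/Users/alice"  # constructed; a real handler derives this from the event's uid
    samples = [
        ("/Applications/Example.app/Contents/MacOS/Example", "ABCDE12345"),
        ("/Applications/Example.app/Contents/MacOS/Example", "ZZZZZ99999"),
        ("/Applications/../tmp/evil", "ABCDE12345"),
        ("~/.Trash/evil", None),
        ("/Users/alice/Desktop/../.Trash/evil", None),
        ("/Users/alice/Downloads/tool", None),
    ]
    for p, t in samples:
        print(p, "->", evaluate(policy, p, t, home))
```

Rule order matters: the `~/.Trash/` deny sits above the home-directory allows so a Trash folder under an otherwise approved tree cannot be used to launch, and `/Applications/../tmp/evil` normalizes to `/tmp/evil` and falls through to the `deny_all` default instead of inheriting the `/Applications/` rule.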

Labels: enhancement