macOS: App Sandboxing by means of Sandbox-Exec

It isn’t extensively marketed, however macOS ships with a standalone sandboxing energy out of package: sandbox-exec While the extremely brief manpage states the energy has actually been significant deprecated, and for many significant releases now, it’s utilized greatly by internal systems so it’s not likely disappear anytime quickly.

Sandbox setups are writen in a subset of Scheme. A very little beneficial starter example for covering a modern-day application may look something like this:

( variation 1);; Disallow whatever by default( reject default);;-LRB-  ;; This system profile grants access to a variety of things, such as:  ;;-LRB-  ;; - area details;; - system libraries (/ System/Library,/ usr/lib, and so on);; - access to standard tools (/ and so on,/ dev/urandom, and so on);; - Apple services (com.apple.system, com.apple.dyld, and so on);;-LRB-  ;; and more, see bsd.sb and system.sb in the matching directory site.;;-LRB-  ( import"/ System/Library/Sandbox/ Profiles/bsd. sb")

Saving the above as config.sb, you can utilize it to sandbox an app as follows:

$  sandbox-exec - f config.sb/ Applications/Foo. app/Contents/MacOS/ Foo 

To see all the operations that were rejected, open Applications → Utilities → Console and look for sandbox and the application name. Historically, you might utilize the ( trace "output") command, however this appears inefficient on the current macOS.

Most contemporary applications will not work with such restricted consents, so anticipate some backward and forward prior to your sandbox profile works.

Depending on your OS variation, you can discover some system sandbox examples in a few of the following places:

• / Library/Sandbox/Profiles
• / System/Library/Sandbox/ Profiles
• / usr/share/sandbox

The tool has practically no main paperwork so some hacker insight can come really helpful. There’s a variety of helpful examples here:

• ” Mac Sandbox V2 Design Doc” on chromium.googlesource.com
• ” macOS: How to run your Applications in a Mac OS X sandbox to improve security” on paolozaino.wordpress.com
• ” A fast look at macOS’ sandbox-exec” on jmmv.dev

Further historic background and technical information can be discovered here:

• ” Sandbox/OS X Rule Set” on the Mozilla wiki
• Ozymandias42/ macOS-Sandbox-Profiles
• ” Test The MacOS Sandbox” on craftware.xyz
• ” OS X sandbox quickstart” on blog.squarelemon.com
• This response by Eskimo on the Apple Developer Forums

Setting up a Sandbox from scratch can frequently be mainly experimentation– prohibit whatever, and after that follow the path of mistakes to see what you require to allow as a bare minimum to make the app work.

On the benefit, it’s a fantastic method to get insight into what closed source binaries are attempting to do on your system.