
macOS: App sandboxing via sandbox-exec (2020)

144 points | emdashcomma | 3 years ago | karltarvas.com

22 comments

[+] jmmv|3 years ago|reply
A pretty “similar” article (in spirit?) I wrote a few years back: https://jmmv.dev/2019/11/macos-sandbox-exec.html
[+] Etheryte|3 years ago|reply
Author of the submitted article here. Your write-up was one of many I went through when I first stumbled upon sandbox-exec and it was tremendously helpful, so thank you. I believe it should also be linked from the blog post I made. The main reason I wrote a separate blog post instead of adding a few bookmarks here and there is that I use my blog as open lab notes. It's easy to find and go back to ideas I've previously visited, and also to find references for more sources if I need to dig deeper into something.
[+] 0x69420|3 years ago|reply
oh, yeah, sandbox-exec is fun. for the record, the exact scheme they use is tinyscheme. the whole facility is largely undocumented, but it still somehow manages to be friendlier than seccomp -- i remember learning about it in a talk on the nix macos effort

you can “enjoy” the sight of some c++ directly generating scheme here: https://github.com/NixOS/nix/blob/2.9.2/src/libstore/build/l...

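An added example, not from this thread or from the Nix project, of the same idea as the linked C++ that emits Scheme: generating a deny-by-default sandbox-exec profile from Python, with paths escaped as TinyScheme string literals so a quote in a path cannot change the policy. Apple does not document SBPL, so the operation names used here (file-read*, file-write*, process-exec, network*) are an assumption based on common usage.

```python
"""Build a minimal sandbox-exec (SBPL) profile and optionally run a command under it.

Assumption: the SBPL forms used below ((version 1), (deny default), (allow <op> (subpath ...)),
(literal ...)) are the commonly used ones; Apple does not document the language.
"""
import shutil
import subprocess
from typing import Iterable, List, Sequence


def sbpl_string(value: str) -> str:
    """Quote a path as a Scheme string literal, escaping backslash and double quote.

    Profiles are TinyScheme, so an unescaped quote in a path would end the literal early
    and silently widen or break the policy.
    """
    if "\n" in value or "\x00" in value:
        raise ValueError("path contains a character that cannot appear in a profile literal")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile(read_subpaths: Iterable[str] = (), write_subpaths: Iterable[str] = (),
                  exec_literals: Iterable[str] = (), allow_network: bool = False) -> str:
    """Return a deny-by-default profile that allows only the listed operations."""
    lines: List[str] = ["(version 1)", "(deny default)"]
    for path in read_subpaths:
        lines.append(f"(allow file-read* (subpath {sbpl_string(path)}))")
    for path in write_subpaths:
        lines.append(f"(allow file-write* (subpath {sbpl_string(path)}))")
    for path in exec_literals:
        # A binary must also be readable to be executed; process-exec alone is not enough.
        lines.append(f"(allow file-read* (literal {sbpl_string(path)}))")
        lines.append(f"(allow process-exec (literal {sbpl_string(path)}))")
    if allow_network:
        lines.append("(allow network*)")
    return "\n".join(lines) + "\n"


def run_sandboxed(argv: Sequence[str], profile: str) -> int:
    """Run argv under sandbox-exec with an inline (-p) profile; macOS only."""
    if shutil.which("sandbox-exec") is None:
        raise RuntimeError("sandbox-exec not found; this only works on macOS")
    return subprocess.run(["sandbox-exec", "-p", profile, *argv]).returncode


if __name__ == "__main__":
    # Constructed sample: read-only access to system libraries, allowed to exec /bin/ls.
    print(build_profile(read_subpaths=["/usr/lib", "/System/Library"], exec_literals=["/bin/ls"]))
```

On macOS, pass the returned profile to run_sandboxed; a real profile usually needs further allowances (for example process-fork) that depend on the program.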
[+] shepting|3 years ago|reply
Do you happen to have a link to the talk about Nix on macOS you heard about it from? Or even the title/details so I could search?
[+] astrange|3 years ago|reply
This is a confusing title because “App Sandbox” is the name of the (somewhat different) sandboxing and container mechanism used by, well, apps.
[+] meatjuice|3 years ago|reply
LGTM. Is it really deprecated?
[+] jmillikin|3 years ago|reply
The macOS sandbox isn't "deprecated", but it's treated as an internal detail of the OS subject to change without warning. Maybe the message is intended to warn people away from using the "sandbox-exec" tool?

Periodically some third-party software will inadvisedly try to use sandbox-exec and encounter problems when the policy changes. Some examples I've run into with Bazel:

https://github.com/bazelbuild/bazel/issues/10068

https://github.com/bazelbuild/bazel/issues/13766

[+] traceroute66|3 years ago|reply
As per RTFM ...

     > man sandbox-exec
     > The sandbox-exec command is DEPRECATED.
     > Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide.
(Their all-caps, not mine)
[+] saagarjha|3 years ago|reply
No. It’s the recommended way to sandbox software on macOS. The “this is deprecated” comment is just to keep the undesirables out.
[+] xnyhps|3 years ago|reply
I think Apple doesn’t want third-party developers to compose their own sandboxing rules, because it’s pretty hard to do that in a way that can’t be escaped and that doesn’t break Apple’s frameworks. They provide the Mac Application Sandbox profile for third-party developers. That profile is quite flexible, and if you’re not targeting the Mac App Store there are some ways to add rule exceptions.