macOS: App sandboxing via sandbox-exec

It isn’t widely advertised, but macOS ships with a standalone sandboxing utility out of the box: sandbox-exec. While the very short manpage has marked the utility as deprecated, and has done so for quite a few major releases now, it is used heavily by internal systems, so it’s unlikely to go away anytime soon.

Sandbox configurations are written in a subset of Scheme. A minimal useful starter example for wrapping a modern application might look something like this:

(version 1)
;; Disallow everything by default
(deny default)

;;
;; This system profile grants access to a number of things, such as:
;;
;;  - locale info
;;  - system libraries (/System/Library, /usr/lib, etc)
;;  - access to basic tools (/etc, /dev/urandom, etc)
;;  - Apple services (com.apple.system, com.apple.dyld, etc)
;;
;; and more, see bsd.sb and system.sb in the corresponding directory.
;;
(import "/System/Library/Sandbox/Profiles/bsd.sb")

Saving the above as config.sb, you can use it to sandbox an app as follows:

$ sandbox-exec -f config.sb /Applications/Foo.app/Contents/MacOS/Foo

To see all the operations that were denied, open Applications → Utilities → Console and search for sandbox and the application name. Historically, you could use the (trace "output") command, but this seems dysfunctional on the latest macOS.

Most modern applications will not function with such limited permissions, so expect some back and forth before your sandbox profile works.
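The profile below is an added example, not part of the original post, of what the starter profile typically grows into after a few rounds of reading denials in Console and granting only what the app actually needs. It assumes a hypothetical app with bundle id com.example.foo; the parameter names APP_BUNDLE and HOME are chosen here and are passed in on the command line with -D (e.g. `sandbox-exec -D APP_BUNDLE=/Applications/Foo.app -D HOME="$HOME" -f config.sb /Applications/Foo.app/Contents/MacOS/Foo`), and the mach service names are ones that show up in denials for preference access on typical systems; whether your app needs them is for your own Console output to decide. Note that in these profiles a later rule overrides an earlier matching one, so the deny-by-default line goes first and the targeted quieting rule at the end still wins over the broader allows above it.

```scheme
(version 1)
;; Deny everything by default. Every denial is logged, and those log lines
;; are what drives the next round of edits to this file.
(deny default)

;; Baseline from the system: system libraries, locale data, /dev/urandom,
;; core Apple services. Still no access to the user's files or the network.
(import "/System/Library/Sandbox/Profiles/bsd.sb")

;; Values supplied with -D so the profile does not hard-code a user name.
;; (APP_BUNDLE and HOME are names chosen for this example.)
(define app-bundle (param "APP_BUNDLE"))
(define home (param "HOME"))

;; Round 1: the app could not even load its own resources. Let it read and
;; execute within its bundle, and nothing else that belongs to us.
(allow file-read* (subpath app-bundle))
(allow process-exec (subpath app-bundle))
(allow sysctl-read)

;; Round 2: Console showed denied writes under ~/Library. Grant exactly the
;; app's own cache and support directories rather than all of ~/Library.
(allow file-read* file-write*
       (subpath (string-append home "/Library/Caches/com.example.foo"))
       (subpath (string-append home "/Library/Application Support/com.example.foo")))

;; Preferences: read/write only this app's plist, and only the data (not
;; unlink/rename of the file), plus the cfprefsd services it talks to.
(allow file-read* file-write-data
       (literal (string-append home "/Library/Preferences/com.example.foo.plist")))
(allow mach-lookup
       (global-name "com.apple.cfprefsd.agent")
       (global-name "com.apple.cfprefsd.daemon"))

;; Round 3: the app opens documents. Read-only; any attempted write under
;; ~/Documents stays denied and keeps showing up in Console.
(allow file-read* (subpath (string-append home "/Documents")))

;; Network: outbound TLS only. No listening sockets, no inbound connections.
;; DNS lookups go through mDNSResponder's unix socket, so that is allowed too.
(allow network-outbound (remote tcp "*:443"))
(allow network-outbound (literal "/private/var/run/mDNSResponder"))

;; A denial we have decided to keep: the app probes ~/.ssh at launch and has
;; no business there. Keep it denied, but stop it flooding the log.
(deny file-read* (with no-log) (subpath (string-append home "/.ssh")))
```

The useful habit is the one the comments show: each allow rule is paired with the denial that justified it, and anything that was denied but has no legitimate reason gets a quiet, explicit deny instead of a broad allow "to make the errors go away".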

Depending on your OS version, you can find some system sandbox examples in some of the following locations:

The tool has virtually no official documentation so some hacker insight can come very handy. There’s a number of useful examples here:

Further historical background and technical details can be found here:

Setting up a Sandbox from scratch can often be largely trial and error — disallow everything, and then follow the trail of errors to see what you need to enable as a bare minimum to make the app work.

On the upside, it’s a great way to gain insight into what closed source binaries are trying to do on your system.