I've noticed that in the newest macOS the sandbox-exec command is deprecated. According to its manual:
The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide. [...]
Moreover, a few commands were removed, like sandbox-simplify. Also, it seems that the trace function is not working anymore: the following config just does not produce output anymore (while it did in earlier versions):
(version 1)
(debug all)
(trace "/tmp/trace.sb")
(deny default)
My question is, what is the "new" way of sandboxing third-party apps? I'm not asking this question from the perspective of a developer. I'm asking it as a power user who wants to add additional sandboxing limits to apps I don't trust.
The App Sandbox is an access control technology that macOS provides and enforces at the kernel level. The sandbox's primary function is to contain damage to the system and the user's data if the user executes a compromised app.
macOS includes a sandboxing mechanism to closely control what processes can do on the system. Sandboxing can restrict file system accesses on a path level, control which host/port pairs can be reached over the network, limit which binaries can be executed, and much more.
While Apple claims this older style of sandboxing via profiles (sometimes called "Seatbelt") is deprecated, it's still used heavily across macOS by both Apple and third-party developers as of 2020. You can find sandboxing profiles in various places, such as /System/Library/Sandbox/Profiles for various macOS system components.
The new approach is the similarly-named App Sandbox feature (more details in the design guide). This newer sandboxing is controlled by "entitlements", which are various flags an app developer can set as part of the code signature when building the app. Internally, it makes use of the older sandboxing profile system above by applying the profile /System/Library/Sandbox/Profiles/application.sb during app startup. App Sandbox is much more limited than the full profile system, relying only on a few flags and lists, which can't offer the same flexibility as using profiles directly. As far as I know, there's no way to control this newer system as a user, since you'd need to repackage and resign an app to do so.
As a user, sandboxing profiles for sandbox-exec are still your main and only option on macOS. While it may say deprecated, it doesn't look like they are going away any time soon either, since it's still widely used in both profile form and as an internal layer for the newer App Sandbox feature.
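A worked example of that power-user approach, added here and not part of the answer above: a deny-by-default SBPL profile that confines one untrusted binary to a single writable directory, plus a wrapper that launches it through sandbox-exec. The APP and WORKDIR parameters, the helper names and the baseline list of read-only system paths are assumptions; the list is a starting point to be extended from the denial log, not a guaranteed-complete policy.

```shell
#!/bin/sh
# Added example (not from the original post): confine an untrusted program with
# sandbox-exec. Paths, parameter names and helper names are assumptions.

# Emit a deny-default profile. (param "...") placeholders are filled at launch
# with sandbox-exec -D, so one profile serves different apps and directories.
make_profile() {
  cat <<'EOF'
(version 1)
(deny default)
(debug deny)   ; every denied operation is written to the unified log

; Baseline needed to load a dynamically linked executable (extend as the log shows)
(allow process-exec (literal (param "APP")))
(allow file-read* (literal (param "APP")))
(allow file-read-metadata)
(allow file-read* (subpath "/System") (subpath "/usr/lib") (subpath "/usr/share"))
(allow file-read* (subpath "/private/var/db/dyld"))
(allow file-read* (literal "/dev/null") (literal "/dev/urandom"))
(allow file-write-data (literal "/dev/null"))
(allow sysctl-read)

; Work area: the only place the program may create or modify files
(allow file-read* file-write* (subpath (param "WORKDIR")))

; Network, the rest of the file system and launching other binaries stay denied
EOF
}

# Run APP inside the sandbox with WORKDIR as its only writable area.
run_sandboxed() {
  app="$1"; workdir="$2"; shift 2
  profile="$(mktemp "${TMPDIR:-/tmp}/untrusted.XXXXXX")"
  make_profile > "$profile"
  sandbox-exec -D APP="$app" -D WORKDIR="$workdir" -f "$profile" "$app" "$@"
  status=$?
  rm -f "$profile"
  return $status
}

# While tuning the profile, watch denials with:
#   log stream --predicate 'eventMessage CONTAINS "Sandbox:"'
# sandbox-exec only exists on macOS; elsewhere just print the generated profile.
if command -v sandbox-exec >/dev/null 2>&1; then
  run_sandboxed /usr/bin/touch "$(mktemp -d)" testfile
else
  make_profile
fi
```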