How to sandbox third party applications when `sandbox-exec` is deprecated now?

I've noticed that in the newest macOS the sandbox-exec command is deprecated. According to its manual:

The sandbox-exec command is DEPRECATED. Developers who wish to sandbox an app should instead adopt the App Sandbox feature described in the App Sandbox Design Guide. [...]

Moreover, a few commands were removed, like sandbox-simplify. Also, it seems that the trace function is not working anymore: the following config just does not produce output anymore (while it did in earlier versions):

    (version 1)
    (debug all)
    (trace "/tmp/trace.sb")
    (deny default)

My question is, what is the "new" way of sandboxing third-party apps? I'm not asking this question from the perspective of a developer. I'm asking it as a power user who wants to add additional sandboxing limits to apps I don't trust.

Wojciech Danilo asked Jun 21 '19 12:06


1 Answer

While Apple claims this older style of sandboxing via profiles (sometimes called "Seatbelt") is deprecated, it's still used heavily across macOS by both Apple and third-party developers as of 2020. You can find sandboxing profiles in various places such as:

  • /System/Library/Sandbox/Profiles for various macOS system components
  • Firefox's content process profile
  • Chrome's renderer process profile

The new approach is the similarly-named App Sandbox feature (more details in the design guide). This newer sandboxing is controlled by "entitlements", which are various flags an app developer can set as part of the code signature when building the app. Internally, it makes use of the older sandboxing profile system above by applying the profile /System/Library/Sandbox/Profiles/application.sb during app startup. App Sandbox is much more limited than the full profile system, relying only on a few flags and lists, which can't offer the same flexibility as using profiles directly. As far as I know, there's no way to control this newer system as a user, since you'd need to repackage and re-sign an app to do so.

As a user, sandboxing profiles for sandbox-exec are still your main and only option on macOS. While it may say deprecated, it doesn't look like they are going away any time soon either, since it's still widely used in both profile form and as an internal layer for the newer App Sandbox feature.

J. Ryan Stinnett answered Oct 13 '22 02:10
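As an added example (not part of the question or the answer above), here is a POSIX shell script that builds the kind of profile the answer refers to: a deny-by-default Seatbelt/SBPL profile that lets one untrusted program run with read-only access to system libraries, read/write access to a single working directory, and no network. The program path and the working directory are passed in as profile parameters with `-D`, which sandbox-exec supports. The particular allow rules, the parameter names `TARGET` and `WORKDIR`, and the library paths are assumptions chosen for illustration; a real application usually needs further entries (mach-lookup for services it talks to, extra file paths), which you find by running it, reading the denials in Console/`log stream`, and adding only what it actually needs.

```shell
#!/bin/sh
# Constructed example, not from the original post: write a deny-by-default
# SBPL profile for running an untrusted program under sandbox-exec.
# The allow-list is an assumption for illustration; tighten or extend it per app.

make_profile() {
    # $1: path to write the profile to
    cat > "$1" <<'EOF'
(version 1)
(deny default)

;; Shared libraries and frameworks the dynamic loader needs (assumed paths)
(allow file-read*
    (subpath "/usr/lib")
    (subpath "/System/Library")
    (subpath "/usr/share"))

;; Let the target binary execute; its path is supplied with -D TARGET=...
(allow process-exec (literal (param "TARGET")))
(allow file-read* (literal (param "TARGET")))

;; The only writable location: the directory supplied with -D WORKDIR=...
(allow file-read* file-write* (subpath (param "WORKDIR")))

;; Process bookkeeping most runtimes query at startup
(allow sysctl-read)

;; Network stays closed (already covered by deny default, stated explicitly)
(deny network*)
EOF
}

# Build the command line a power user would run. It is printed rather than
# executed so the script also works on hosts that have no sandbox-exec.
sandbox_cmd() {
    # $1 profile path, $2 target binary, $3 working directory
    printf 'sandbox-exec -f %s -D TARGET=%s -D WORKDIR=%s %s\n' "$1" "$2" "$3" "$2"
}

# Count top-level rules of one kind (allow|deny) in a generated profile; a
# quick sanity check that the file has the expected shape before use.
count_rules() {
    # $1 profile path, $2 rule keyword
    grep -c "^($2" "$1"
}

profile_path="${TMPDIR:-/tmp}/untrusted.sb"
make_profile "$profile_path"
sandbox_cmd "$profile_path" /bin/ls "$HOME/sandbox-work"
```

On macOS you would run the printed command, with `/bin/ls` replaced by the untrusted binary and `WORKDIR` pointing at a scratch directory that holds nothing you care about. Because the profile is deny-by-default, the first runs will usually fail on something the program needs; each denial is a decision point about whether that access is legitimate, which is exactly the control the answer says App Sandbox entitlements do not give a user.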