sandbox-exec: macOS’s Little-Known Command-Line Sandboxing Tool
Igor’s Techno Club, 17 Apr, 2025

EARLY ACCESS: If you want a deeper, up-to-date treatment of sandbox-exec, including modern macOS pitfalls, Mach/XPC failures, and working profiles, I’m documenting it as an extended handbook, sandbox-exec: The Missing Handbook (early access, $12).

What is sandbox-exec?

sandbox-exec is a built-in macOS command-line utility that runs a program inside a sandbox. In essence, it creates an isolated environment in which the application can reach only the system resources you explicitly permit.

The idea behind sandboxing is fundamental to modern security: by restricting what an application can access, you limit the damage that malicious code or unintended behaviour can do. Think of it as putting the application in a secure room where it can interact only with the specific objects you have placed there.

Benefits of Application Sandboxing

Before diving into usage, let’s look at why sandboxing matters:

- Protection from malicious code: if you are testing an unfamiliar application or script, the sandbox can stop it from reading sensitive files or sending data over the network.
- Damage limitation: even trusted applications can have vulnerabilities; the sandbox limits the impact if one of them is compromised.
- Privacy control: you can explicitly deny an application access to personal directories such as Documents, Photos, or Contacts.
- Testing environment: developers can check how an application behaves with limited permissions before implementing formal App Sandbox entitlements.
- Resource restriction: beyond security, a sandbox can limit an application’s resource consumption or network access.
Getting Started with sandbox-exec

Using sandbox-exec requires a sandbox profile (a configuration file) that defines the rules of your restricted environment. The basic syntax is:

    sandbox-exec -f profile.sb command_to_run

Here profile.sb contains the rules defining what the sandboxed application can and cannot do, and command_to_run is the program you want to run under those constraints.

Understanding Sandbox Profiles

Sandbox profiles use a Scheme-like syntax (a LISP dialect) in which parentheses group expressions. The basic structure is:

- A version declaration: (version 1)
- A default policy: (deny default) or (allow default)
- Specific rules allowing or denying operations

Rules can target specific resources using:

- Literal paths: (literal "/path/to/file")
- Regular expressions: (regex "^/System")
- Glob patterns: (subpath "/Library")

See the Appendix for a more complete list of available rules.

Two Fundamental Approaches to Sandboxing

There are two primary philosophies when creating sandbox profiles:

1. Deny by Default (Most Secure)

This approach starts by denying everything and explicitly allows only the operations that are required:

    (version 1
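A complete deny-by-default profile of the kind described above, generated and then run through sandbox-exec, as an added example that is not part of the original post. The system paths in its allow-list (/usr/lib, /System, /private/var/db/dyld) are an assumption about what the loader needs to start /bin/ls; recent macOS builds may require further entries, as the handbook note warns.

```shell
#!/bin/sh
# Added example (not from the original post): a deny-by-default profile that
# lets /bin/ls read exactly one directory, plus the paths its loader needs.
# ASSUMPTION: /usr/lib, /System and /private/var/db/dyld are what dyld needs
# on the machines this was tried on; newer macOS builds may need more.

# write_profile DIR -> print a profile restricting /bin/ls to DIR.
# Paths must be written as the kernel resolves them: /tmp is a symlink, so
# the profile has to say /private/tmp or the subpath rule never matches.
write_profile() {
  cat <<EOF
(version 1)
(deny default)
; what the binary and its loader need
(allow process-exec (literal "/bin/ls"))
(allow file-read-metadata)
(allow sysctl-read)
(allow file-read*
    (literal "/bin/ls")
    (subpath "/usr/lib")
    (subpath "/System")
    (subpath "/private/var/db/dyld"))
; the single directory this run may list
(allow file-read* (subpath "$1"))
EOF
}

# run_ls PROFILE DIR -> run ls under the profile; returns ls's exit status,
# or 127 when sandbox-exec is unavailable (e.g. not on macOS).
run_ls() {
  command -v sandbox-exec >/dev/null 2>&1 || return 127
  sandbox-exec -f "$1" /bin/ls "$2"
}

# Demonstration: only runs where sandbox-exec exists.
if command -v sandbox-exec >/dev/null 2>&1; then
  target=$(mktemp -d /private/tmp/sbdemo.XXXXXX)
  : > "$target/visible.txt"
  write_profile "$target" > "$target/ls-only.sb"
  run_ls "$target/ls-only.sb" "$target"        # prints visible.txt
  run_ls "$target/ls-only.sb" "$HOME" \
    || echo "listing \$HOME denied as intended (exit $?)"
  rm -rf "$target"
else
  echo "sandbox-exec not found; profile generated only:"
  write_profile /private/tmp
fi
```

The second run_ls call fails with "Operation not permitted" because $HOME is outside the single allowed subpath; every other file-read attempt is denied by the same default rule.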