Did you know that OSX has a native sandbox? It does! It’s called sandbox-exec
and it’s pretty cool. The rules are written in a language called sbx
and it’s pretty easy to use. Here’s an example of a simple sandbox rule that allows everything by default.
; Indicate the version of the sandbox profile language.
; As of my knowledge cutoff in September 2021, the only version is 1.
(version 1)
; Allow all operations by default.
; This means that processes running under this profile have all permissions
; except those explicitly denied in the rules that follow.
(allow default)
You can write an explicit allow all by listing all of the rules you want to allow.
(version 1)
(deny default)
(allow process*)
(allow file*)
(allow network*)
(allow signal)
(allow ipc*)
(allow sysctl*)
(allow system*)
(allow mach*)
(allow iokit*)
(allow user-preference*)
(allow lsopen)
(allow nvram*)
Let’s write some rules to restrict a bash shell from network access. Save them as sandbox.sb and pass the file to sandbox-exec with -f.
(version 1)
(allow default)
(deny network*)
% sandbox-exec -f sandbox.sb /bin/bash
bash-3.2$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
Request timeout for icmp_seq 0
ping: sendto: Operation not permitted
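You can also specify the rules on the command line with -p. Note that the error below is reported by sandbox-exec itself (sandbox_apply), not by touch: the bash-3.2$ prompt suggests the command was launched from the already-sandboxed shell, and a process that is already sandboxed is not permitted to apply another profile.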
bash-3.2$ sandbox-exec -p '(version 1) (allow default) (deny file-write*)' touch foo
sandbox-exec: sandbox_apply: Operation not permitted
Finally, here’s a simple profile to prevent file writes outside of a directory.
; Indicate the version of the sandbox profile language.
; As of my knowledge cutoff in September 2021, the only version is 1.
(version 1)
; Allow all operations by default.
; This means that processes running under this profile have all permissions
; except those explicitly denied in the rules that follow.
(allow default)
; Deny all file-write operations.
; This includes writing data to a file, creating new files, and deleting files.
; This rule is applied to all files on the system because no path is specified.
(deny file-write*)
; Allow file-write operations to a specific directory.
; Despite the earlier rule that denies all file-write operations,
; this rule allows processes to write to files in the specified directory
; and any of its subdirectories.
; The rules in a sandbox profile are evaluated from top to bottom,
; and the last matching rule for an operation is the one that takes effect.
; So for paths under "/Users/glitch/sandbox", this rule will be the last one that matches,
; and so file-write operations are allowed.
(allow file-write*
    (subpath "/Users/glitch/sandbox")
)
glitch@ahive sandbox % sandbox-exec -f sandbox.sb /bin/bash
bash-3.2$ echo "hello world" > test.file
bash-3.2$ cat test.file
hello world
bash-3.2$ echo "hello world" > /tmp/test.file
bash: /tmp/test.file: Operation not permitted
bash-3.2$ exit
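The same write jail as a reusable wrapper, as an added example that is not part of the original post. The directory is passed as a profile parameter with sandbox-exec -D instead of being hard-coded, and it is first resolved to its physical path, because the sandbox matches the real path of a file and a symlinked path such as /tmp (which points to /private/tmp on macOS) would not match. The function names and the JAIL parameter name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: run a command that may only write inside one directory.

# Emit the profile. JAIL is a profile parameter filled in by
# `sandbox-exec -D JAIL=...`, so the path is never pasted into the
# profile source and cannot break out of the quoted string.
jail_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny file-write*)
(allow file-write* (subpath (param "JAIL")))
EOF
}

# Print the absolute, symlink-free path of an existing directory.
# Fails (status 1) if the argument is not a directory.
resolve_jail() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 1
    fi
    (CDPATH= cd -- "$1" && pwd -P)
}

# run_jailed DIR COMMAND [ARGS...]
# Runs COMMAND under the profile above with writes confined to DIR.
run_jailed() {
    jail=$(resolve_jail "$1") || return 1
    shift
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found (macOS only)" >&2
        return 127
    fi
    sandbox-exec -D "JAIL=$jail" -p "$(jail_profile)" "$@"
}

# When called as a script: ./jail.sh DIR COMMAND [ARGS...]
if [ "$#" -ge 2 ]; then
    run_jailed "$@"
fi
```

Run it from a shell that is not itself sandboxed, for example `./jail.sh ~/sandbox /bin/bash`.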
Well, that’s it for now. There’s lots to learn about this sandbox, but I’m going to leave it here for now. I’ll probably write more about this in the future. Sending good vibes your way.