Monday, November 7, 2011

HOWTO write an OS X (seatbelt) sandbox profile

To create a simple seatbelt sandbox profile, start with a trace by saving this as

(version 1)
(trace "/tmp/")
sandbox-exec -f binary_to_be_sandboxed
sandbox-simplify /tmp/ > ./
Simplify crunches down the verbose log into a more compact profile. Edit it (you especially want to remove any spurious dtrace lines that are artifacts of the capture process) and run the binary in its sandbox:
sandbox-exec -f binary_to_be_sandboxed
This blog has a simple shell script to automate the above process, but you probably want to manually inspect and edit your profile before using it for real.

You can see a bunch of built-in sandboxes in
and you can view which running processes are sandboxed by adding the sandbox column to the activity monitor gui.

No comments: